Integrating Privacy Policies into Business Processes. Michele Chinosi, joint work with Alberto Trombetta, Università degli Studi dell'Insubria (Italy), [email protected]


DESCRIPTION

Often, the modeled business processes involve sensitive information whose disclosure is usually regulated by privacy policies. As such, the interaction between business processes and privacy policies is a critical issue worth investigating. Towards this end, we introduce a data model for BPMN and a corresponding XML-based representation (called BPeX), which we use to check whether a BPeX-represented business process is compliant with a P3P privacy policy. Our checking procedures are very efficient and require only standard XML technology, such as XPath.

TRANSCRIPT

Page 1: Integrating Privacy Policies into Business Processes

Integrating Privacy Policies into Business Processes

Michele Chinosi, joint work with Alberto Trombetta

Università degli Studi dell'Insubria (Italy), [email protected]

Page 2: Integrating Privacy Policies into Business Processes

BPMN

Business Process Modeling Notation

• graphical notation to model (represent) business processes

• developed by BPMI

• adopted as standard by OMG (2006: 1.0 – 2008: 1.1)

• standard for the “look” of a process

• provides a dictionary of standard shapes with particular meanings

• easily readable – reduces the learning curve

Page 3: Integrating Privacy Policies into Business Processes

BPMN Elements Set

• Flow Objects
  • Events
  • Activities
  • Gateways

• Connecting Objects
  • Sequence Flows
  • Message Flows
  • Associations

• Swimlanes
  • Pools
  • Lanes

• Artifacts
  • Data Objects
  • Groups
  • Text Annotations

Page 4: Integrating Privacy Policies into Business Processes

BPMN Example 1

Page 5: Integrating Privacy Policies into Business Processes

BPMN Example 2

Page 6: Integrating Privacy Policies into Business Processes

P3P

The Platform for Privacy Preferences

• P3P enables Websites to express their privacy practices in a standard format that can be automatically retrieved and easily interpreted by user agents

• defines the syntax and semantics of P3P privacy policies

• it is an XML format for expressing a privacy policy

• users are informed of site practices

• users do not need to read the privacy policies

• November 2006: the P3P working group closed

Page 7: Integrating Privacy Policies into Business Processes

P3P Structure Overview

P3P policies consist of a sequence of STATEMENT elements. Each STATEMENT includes:

• PURPOSE: the aims for data processing (current, admin, contact, telemarketing, . . . )

• RECIPIENT: the legal entity or domain where data may be distributed (ours, same, public, . . . )

• RETENTION: the type of retention policy in effect (no-retention, stated-purpose, legal-requirement, . . . )

• DATA-GROUP: describes the data to be transferred or inferred. It includes one or more DATATYPE, used to describe the type of data that a recipient collects.

• CONSEQUENCE and NON-IDENTIFIABLE are optional elements

Page 8: Integrating Privacy Policies into Business Processes

Standards Overview

Page 9: Integrating Privacy Policies into Business Processes

BPMN serializations

• BPMN does not have an XML linearization

• The two closest formats are WS-BPEL and XPDL

WS-BPEL: Business Process Execution Language

• developed by BEA, IBM, Microsoft and adopted by OASIS as standard

• execution language for the definition of web services orchestration

XPDL: XML Process Definition Language

• developed by WfMC (Workflow Management Coalition) starting from 1998

• file format for storing and exchanging the process diagrams

• supports the BPMN elements set

Page 10: Integrating Privacy Policies into Business Processes

WS-BPEL and XPDL disadvantages

WS-BPEL: Business Process Execution Language

• independent from BPMN

• less expressive than BPMN

• element names and structure of the model are completely different

• no graphical support

XPDL: XML Process Definition Language

• lack of native referential integrity

• some element names differ

• structure of the model is different from the BPMN one

• no execution allowed

Page 11: Integrating Privacy Policies into Business Processes

BPeX

BPeX: Business Process eXtensions

• Built from scratch with a clear conceptual model

• It supports all BPMN elements and features

• It has an XML-Schema serialization

• Static analysis and validation

• Constraints / Metrics / Extensions

Page 12: Integrating Privacy Policies into Business Processes

Motivating Example

The excerpt of the Google Privacy Policy for a web search requires:

• to collect #dynamic.[clickstream|http|searchtext|cookies] to meet the stated purpose: performing searches, web site administration, research and development; collected data will not be shared

• to collect #dynamic.[http|searchtext] to perform pseudo-analysis (to understand the interests of a visitor without keeping any personal information), sharing data with other parties not related with Google

Page 13: Integrating Privacy Policies into Business Processes

The Example Privacy Policy written in P3P

    <POLICIES>
      <POLICY name="Google Example Policy">
        <ENTITY>
          <EXTENSION> <p3p11:data-group>...</p3p11:data-group> </EXTENSION>
          <DATA-GROUP> <DATA ref="...">for backward compatibility</DATA> </DATA-GROUP>
        </ENTITY>
        <ACCESS><nonident/></ACCESS>
        <STATEMENT>
          <PURPOSE><admin/><develop/></PURPOSE>
          <RECIPIENT><ours/></RECIPIENT>
          <RETENTION><stated-purpose/></RETENTION>
          <DATA-GROUP>
            <DATA ref="#dynamic.clickstream"/> <DATA ref="#dynamic.http"/>
            <DATA ref="#dynamic.searchtext"/> <DATA ref="#dynamic.cookies"/>
          </DATA-GROUP>
        </STATEMENT>
        <STATEMENT>
          <PURPOSE><pseudo-analysis/></PURPOSE>
          <RECIPIENT><unrelated/></RECIPIENT>
          <RETENTION><stated-purpose/></RETENTION>
          <DATA-GROUP>
            <DATA ref="#dynamic.http"/> <DATA ref="#dynamic.searchtext"/>
          </DATA-GROUP>
        </STATEMENT>
      </POLICY>
    </POLICIES>

Page 14: Integrating Privacy Policies into Business Processes

P3P Representation in BPeX

Entity

    <POOL>
      <NAME>
        <P3PExtension><Entity><orgname/>...</Entity></P3PExtension>
      </NAME>
      ...
    </POOL>

Page 15: Integrating Privacy Policies into Business Processes

P3P Representation in BPeX

Access

    <PROCESS>
      <P3PExtension><ACCESS/></P3PExtension>
      ...
    </PROCESS>

In BPMN each POOL having activities and flows also has a relationship with one PROCESS.

Purposes

    <Categories IsP3PPurpose=[true|false]>
      ... the purpose description ...
    </Categories>

Every Common Graphical Object has a Categories attribute which can act as a container for the P3P Purposes element.

Page 16: Integrating Privacy Policies into Business Processes

P3P Representation in BPeX

Data-Group

    <DATAOBJECT>
      <NAME>
        <P3PExtension>...P3P data-group...</P3PExtension>
      </NAME>
      ...
    </DATAOBJECT>

P3P always, opt-in, opt-out can be mapped to the BPMN DATAOBJECT RequiredForStart attribute

Recipient

    <MESSAGEFLOW>
      <TARGET P3PRecipient=[...]>...</TARGET>
    </MESSAGEFLOW>

P3P does not need to know the target entity data, but only whether the target has the same privacy policies, or whether it is the legal entity following the practices, and so on.

Page 17: Integrating Privacy Policies into Business Processes

Checking Compliance

• Each BPMN POOL represents a P3P Entity

• First tests are between POOL attributes and POLICY/ENTITY and POLICY/ACCESS attributes

• All other tests are performed for each P3P STATEMENT
  • what kind of data the process works on
  • how the process uses collected data
  • with whom an entity shares collected data

• One POOL references one POLICY but may have more than one STATEMENT

Page 18: Integrating Privacy Policies into Business Processes

Checking Compliance

1 Policy with 4 Data-Ref elements, 3 Purposes, 2 Recipients

• Each STATEMENT must contain 1 Data-Group node and may have more than one Purpose or Recipient

• Statement A: uses all the 4 Data-Ref as Data-Group for the Purposes admin and develop, sharing data with Recipient ours

• Statement B: uses only 2 of the Data-Ref as Data-Group for the Purpose pseudo-analysis, disclosing data to unrelated Recipients

Page 19: Integrating Privacy Policies into Business Processes

Policies Enforcement

ENTITY verification

    1  foreach (Pool/Name PN ∈ BPD) do {
    2    if (PN/P3PExtension/ENTITY == ∅)
    3      then "Error"
    4    elseif (PN/P3PExtension/ENTITY ≠ P3P:POLICY/ENTITY)
    5      then "Error";
    6    else "OK"; }

• This check applies on every Pool (row 1)

• The first condition verifies the existence of the P3PExtension/ENTITY nodes (row 2)

• The core of the algorithm compares the P3PExtension/ENTITY subtree with the P3P:POLICY/ENTITY one (row 4)

The same check expressed in XQuery:

    if (//Pool/Name/P3PExtension/ENTITY)
    then fn:deep-equal(//Pool/Name/P3PExtension/ENTITY,
                       p3p:POLICIES/p3p:POLICY/p3p:ENTITY)

Page 20: Integrating Privacy Policies into Business Processes

Policies Enforcement

ACCESS verification

    foreach (Pool/Process PP ∈ BPD | PP ≠ ∅) do {
      if (PP/P3PExtension/ACCESS == ∅) then "Error";
      elseif (PP/P3PExtension/ACCESS ≠ P3P:POLICY/ACCESS)
        then "Error"
      else "OK"; }

PURPOSES verification

    CGO  := CommonGraphicalObjects;
    CGO* := CGO \ (Swimlanes, Group, TextAnnotation);
    foreach (Pool P ∈ BPD) do {
      foreach (CGOElement ∈ CGO*) do {
        if (CGOElement/Categories@IsP3PPurpose == ∅)
          then "Error"
        elseif (CGOElement/Categories ⊄ P3P:POLICY//PURPOSES)
          then "Error"
        else "OK"; } }

Page 21: Integrating Privacy Policies into Business Processes

Policies Enforcement

DATA-GROUP verification

    foreach (DATAOBJECT DO ∈ BPD) do {
      if (DO/NAME/P3PExtension == ∅) then "Error"
      elseif (DO/NAME/P3PExtension ⊄ P3P:POLICY/STATEMENT/DATA-GROUP)
        then "Error"
      else "OK"; }

RECIPIENT verification

    foreach (MESSAGEFLOW MF ∈ BPD) do {
      if (MF/Target@P3PRecipient == ∅) then "Error"
      elseif (MF/Target@P3PRecipient ⊄ P3P:POLICY/STATEMENT/RECIPIENT) then "Error"
      else "OK"; }
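As an added example (not from the slides or the BPeX project), the PURPOSES, DATA-GROUP and RECIPIENT checks of the "Policies Enforcement" slides rendered in Python over the slides' own P3P policy and a constructed, simplified BPeX fragment. Element and attribute names follow the slides; the exact nesting (Categories under a TASK, DATA children under P3PExtension), the error strings and the use of ElementTree instead of XQuery are assumptions.

```python
import xml.etree.ElementTree as ET

P3P = "{http://www.w3.org/2002/01/P3Pv1}"   # P3P 1.1 namespace prefix for tags

# The slides' example policy, with the P3P namespace declared.
P3P_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
<POLICY name="Google Example Policy"><ACCESS><nonident/></ACCESS>
<STATEMENT><PURPOSE><admin/><develop/></PURPOSE><RECIPIENT><ours/></RECIPIENT>
<RETENTION><stated-purpose/></RETENTION><DATA-GROUP>
<DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/>
<DATA ref="#dynamic.searchtext"/><DATA ref="#dynamic.cookies"/></DATA-GROUP>
</STATEMENT><STATEMENT><PURPOSE><pseudo-analysis/></PURPOSE>
<RECIPIENT><unrelated/></RECIPIENT><RETENTION><stated-purpose/></RETENTION>
<DATA-GROUP><DATA ref="#dynamic.http"/><DATA ref="#dynamic.searchtext"/>
</DATA-GROUP></STATEMENT></POLICY></POLICIES>"""

# Constructed, simplified BPeX BPD (assumed nesting): a task tagged with a P3P
# purpose, a data object listing the data it collects, a flow naming its recipient.
BPEX_BPD = """<BPD><POOL><NAME>Google</NAME><PROCESS>
<TASK><Categories IsP3PPurpose="true">pseudo-analysis</Categories></TASK>
<DATAOBJECT><NAME><P3PExtension><DATA ref="#dynamic.http"/>
<DATA ref="#dynamic.searchtext"/></P3PExtension></NAME></DATAOBJECT>
<MESSAGEFLOW><TARGET P3PRecipient="unrelated"/></MESSAGEFLOW>
</PROCESS></POOL></BPD>"""

def policy_statements(policy_xml):
    """Per STATEMENT: (purposes, recipients, data refs) as sets of plain names."""
    names = lambda el: {c.tag.replace(P3P, "") for c in el}
    return [(names(st.find(P3P + "PURPOSE")), names(st.find(P3P + "RECIPIENT")),
             {d.get("ref") for d in st.iter(P3P + "DATA")})
            for st in ET.fromstring(policy_xml).iter(P3P + "STATEMENT")]

def check_bpd(bpd_xml, policy_xml):
    """Mirror the PURPOSES, DATA-GROUP and RECIPIENT checks; [] means OK."""
    stmts, bpd, errors = policy_statements(policy_xml), ET.fromstring(bpd_xml), []
    for cat in bpd.iter("Categories"):                  # PURPOSES check
        if cat.get("IsP3PPurpose") is None:
            errors.append("Error: Categories without IsP3PPurpose")
        elif not any(cat.text in p for p, _, _ in stmts):
            errors.append(f"Error: purpose {cat.text!r} not in POLICY")
    for do in bpd.iter("DATAOBJECT"):                   # DATA-GROUP check
        ext = do.find("NAME/P3PExtension")
        if ext is None:
            errors.append("Error: DATAOBJECT without P3PExtension")
        elif not any({d.get("ref") for d in ext} <= r for _, _, r in stmts):
            errors.append("Error: DATAOBJECT refs not covered by one DATA-GROUP")
    for tgt in bpd.iterfind(".//MESSAGEFLOW/TARGET"):   # RECIPIENT check
        rec = tgt.get("P3PRecipient")
        if rec is None:
            errors.append("Error: TARGET without P3PRecipient")
        elif not any(rec in r for _, r, _ in stmts):
            errors.append(f"Error: recipient {rec!r} not in POLICY")
    return errors
```

The data-object check treats a DATAOBJECT as compliant only when all of its data refs fall inside a single STATEMENT's DATA-GROUP, which is the subset test the slides write as ⊄.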

Page 22: Integrating Privacy Policies into Business Processes

Conclusions

• We proposed a new XML-based notation called BPeX which can be used as a BPMN serialization format

• We extended such representation with the support for P3P policies

• We plan to extend also the graphical representation with markers to show elements which have privacy policy constraints

• We showed the feasibility to query the BPeX representation of a BPD extended with P3P statements

• We showed some simple algorithms to check the compliance of a business process towards a given privacy policy

• We used a clear and simple example to discuss our proposal, showing also some code excerpts

Page 23: Integrating Privacy Policies into Business Processes

Questions?

Michele Chinosi, [email protected], http://bpex.sourceforge.net