
Post on 14-Jan-2016


From P3P to Data Licensing

Cha, Shi-Cho (查士朝) and Joung, Yuh-zer (莊裕澤)

Dept. of Information Management, National Taiwan University, Taipei, Taiwan

csc@mba.ntu.edu.tw, joung@ccms.ntu.edu.tw


Outlines

Introduction
Concept and benefits of Online Personal Data Licensing (OPDL)
Demonstrations of OPDL
Conclusions


Introduction

Personal data are widely used for different purposes.
Some uses are good for people.
Personal data can also be abused, e.g.:
Unsolicited commercial e-mail
Credit card fraud

Many countries have enacted laws to protect personal data.


Introduction (Cont'd)

The consent principle
There are different kinds of consent.
Written consent provides the strongest power of evidence.
In cyberspace, for the sake of efficiency, passive consent is usually allowed and adopted:
a Web site need only disclose its practices regarding personal data.


An Example of the Problem With Passive Consent

(Figure: a timeline on which the site's privacy policy changes from Policy 1, "We do not collect personal data", to Policy 2, "We collect click-streams".)

It is hard for the person to prove that he does not know Privacy Policy 2!


Framework of Online Personal Data Licensing (OPDL)

To concretize people's consent by letting users issue licenses for collecting and using their data.

Application and service providers must obtain a license from a person before collecting, processing, and using the person's personal data.


Benefits of Using Licenses

Licenses can be shown while some personal data are used.

(Figure: the Service Provider presents the License to a Gatekeeper.)


Benefits of Using Licenses (Cont'd)

Licenses can be used in auditing processes to prevent data misuse.

(Figure: Data Management Process, with the Data store, a License Auditing Module, and the Data Processor.)


Benefits of Using Licenses (Cont'd)

Licenses can be used as evidence to prove that a site has misused a person's data.

(Figure: the steps involving Governments or Third-Party Organizations and the Service Provider:)
1. Suspect
2. Make a complaint
3. Request a service provider to show the license
4. Adopt appropriate remedies to stop misuse


More Benefits of OPDL

Permission to collect or use a person's data is determined and given by the person himself/herself.
It also makes users begin to think, when they set their preferences, about the damage done when licensed data are misused.
People can obtain clearer information about who has held their personal data.


Demonstrations of OPDL

(Figure: the OPDL flow between the Data Subject, the Personal Data Licenser, and the Personal Data Collector or Processor:)
Step 1. Request license through Licensing Proposals
Step 2. Proposals processing
Step 3. Notification
Step 4. Response
Step 5. Licenses


Licensing Proposal

The Licensing Proposal of OPDL is based on P3P's privacy policy.
The main modification is adding security considerations to a proposal:
The security policy, risk assessment, and controls against the risks can be provided.
The requester can be certified by a certification organization (e.g., based on BS7799/ISO17799).
A TCSEC-like tag can be used.


Example Licensing Proposal

<?xml version="1.0" encoding="UTF-8" ?>
<PROPOSAL ID="f3eb4bc166">
  <POLICY name="Test Proposal" discuri="http://exampleshop/privacypolicy.html">
    <ENTITY>
      <DATA-GROUP><DATA ref="#business.name">Example Enterprise</DATA></DATA-GROUP>
    </ENTITY>
    <SECURITY-POLICY discuri="http://exampleshop/securitypolicy.html"
                     risks="http://exampleshop/risks.html"
                     controls="http://exampleshop/controls.html">
      <POLICY-TAG><MANDATORY /></POLICY-TAG>
    </SECURITY-POLICY>
    <DISPUTES-GROUP>
      <DISPUTES service="Trust Certification Organization"></DISPUTES>
    </DISPUTES-GROUP>
    <STATEMENT>
      <PURPOSE><pseudo-analysis></pseudo-analysis></PURPOSE>
      <RETENTION><indefinitely></indefinitely></RETENTION>
      <DATA-GROUP><DATA ref="#user.name.nickname"></DATA></DATA-GROUP>
    </STATEMENT>
  </POLICY>
  <SIGNATURE algorithm="DSA">MCwCFEC6jCCVmJoU/MNVLgkbOSHxTO8QAhRld6MRdFpi9MvtzD/f91U1aNC81g==</SIGNATURE>
</PROPOSAL>

The information about the requester of the proposal:
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Enterprise</DATA></DATA-GROUP></ENTITY>

The requester's security policy:
  <SECURITY-POLICY discuri="http://exampleshop/securitypolicy.html" risks="http://exampleshop/risks.html" controls="http://exampleshop/controls.html"><POLICY-TAG><MANDATORY /></POLICY-TAG></SECURITY-POLICY>

Which organization certifies the requester:
  <DISPUTES-GROUP><DISPUTES service="Trust Certification Organization"></DISPUTES></DISPUTES-GROUP>

Data requested:
  <STATEMENT><PURPOSE><pseudo-analysis></pseudo-analysis></PURPOSE><RETENTION><indefinitely></indefinitely></RETENTION><DATA-GROUP><DATA ref="#user.name.nickname"></DATA></DATA-GROUP></STATEMENT>


Proposal Processing

The PDL (Personal Data Licenser) processes a proposal based on the data subject's preferences.

The preferences are based on APPEL. Each preference rule contains the following components:
The action taken when the rule matches
The rule's target:
  what data the rule is specified for
  to whom the rule applies
The requirement of certification
The security level requirement
The purpose constraints
The retention policy constraints


Flow Chart of Proposal Processing

(Flow chart; the transcript preserves only the node labels, listed here in reading order.)
Receive a Licensing Proposal P
Set StatusP = accept, MeetRule = FALSE
More rule Ri in the user's preference rule set?
Get Ri from the user's preference rule set
Ri matches P?
The behavior value of Ri is block?
The prompt value of Ri is yes?
Set MeetRule = TRUE
Set StatusP = notify
MeetRule = TRUE?
StatusP = accept?
Outcomes: Accept P without notification; Reject P without notification; Inform the user
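Added example (not the authors' code): it parses the Licensing Proposal shown on the "Example Licensing Proposal" slide with Python's standard XML library and evaluates it against APPEL-style preference rules built from the components listed under "Proposal Processing". The chart's edge wiring is not recoverable from the transcript, so the control flow (a matching block rule rejects at once, a matching rule with prompt=yes turns acceptance into a notification, a proposal no rule covers is shown to the user) and the dictionary shape of a rule are assumptions.

```python
import xml.etree.ElementTree as ET

# Proposal text from the "Example Licensing Proposal" slide, re-indented.
PROPOSAL_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<PROPOSAL ID="f3eb4bc166"><POLICY name="Test Proposal" discuri="http://exampleshop/privacypolicy.html">
 <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Enterprise</DATA></DATA-GROUP></ENTITY>
 <SECURITY-POLICY discuri="http://exampleshop/securitypolicy.html" risks="http://exampleshop/risks.html"
  controls="http://exampleshop/controls.html"><POLICY-TAG><MANDATORY /></POLICY-TAG></SECURITY-POLICY>
 <DISPUTES-GROUP><DISPUTES service="Trust Certification Organization" /></DISPUTES-GROUP>
 <STATEMENT><PURPOSE><pseudo-analysis /></PURPOSE><RETENTION><indefinitely /></RETENTION>
  <DATA-GROUP><DATA ref="#user.name.nickname" /></DATA-GROUP></STATEMENT></POLICY></PROPOSAL>"""

def parse_proposal(xml_bytes):
    """Pull out the fields the preference rules look at."""
    pol = ET.fromstring(xml_bytes).find("POLICY")
    stmt = pol.find("STATEMENT")
    return {
        "requester": pol.findtext("ENTITY/DATA-GROUP/DATA"),
        "certifier": pol.find("DISPUTES-GROUP/DISPUTES").get("service"),
        "security_tags": {t.tag for t in pol.find("SECURITY-POLICY/POLICY-TAG")},
        "purposes": {t.tag for t in stmt.find("PURPOSE")},
        "retention": next(iter(stmt.find("RETENTION"))).tag,
        "data": {d.get("ref") for d in stmt.iter("DATA")},
    }

def rule_matches(rule, p):
    """A rule applies when its target hits the proposal and every other component
    it states describes the proposal; a component left out means 'any'."""
    if rule.get("data") and not rule["data"] & p["data"]: return False
    if rule.get("requester") and rule["requester"] != p["requester"]: return False
    if rule.get("certifier") and rule["certifier"] != p["certifier"]: return False
    if rule.get("security_tag") and rule["security_tag"] not in p["security_tags"]: return False
    if rule.get("purposes") and not p["purposes"] <= rule["purposes"]: return False
    if rule.get("retention") and p["retention"] not in rule["retention"]: return False
    return True

def process_proposal(p, rules):
    """Assumed reading of the flow chart: block rejects silently, prompt=yes
    notifies, and a proposal that no rule covers is shown to the user."""
    status, meet_rule = "accept", False
    for r in rules:
        if not rule_matches(r, p): continue
        if r["behavior"] == "block": return "reject"   # reject P without notification
        meet_rule = True
        if r["prompt"]: status = "notify"              # StatusP = notify
    return "accept" if meet_rule and status == "accept" else "notify"

RULES = [  # constructed preference rules for the data subject
    {"behavior": "request", "prompt": False, "data": {"#user.name.nickname"},
     "certifier": "Trust Certification Organization", "security_tag": "MANDATORY",
     "purposes": {"pseudo-analysis", "current"}, "retention": {"indefinitely"}},
    {"behavior": "block", "prompt": False, "data": {"#user.gender"}},
]
```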


User Notification


License Issuing

A decomposable license format is used:
Auditing or gate-keeping mechanisms may only need part of a license.
If a person wishes to update some part of his issued license, the person can update the necessary parts instead of reissuing the whole license.

(Figure: a license L consists of a header H and clauses C1 ... Cn, each clause Ci carrying the fields Di, Vi, Pi, Si, Ti; every clause is signed separately with the licenser's private key SKx as SIGN_SKx(H, Ci).)


An Example of a License

<?xml version="1.0" encoding="UTF-8"?>
<LICENSE>
  <!-- Header -->
  <LICENSE-HEADER>
    <LICENSER>
      <NAME>CN=CSC, OU=CSC, O=CSC, L=Taipei, ST=Taipei, C=TW</NAME>
      <CERT-ISSUER>CN=CSC, OU=CSC, O=CSC, L=Taipei, ST=Taipei, C=TW</CERT-ISSUER>
      <CERT-SERIAL>1042957664</CERT-SERIAL>
    </LICENSER>
    <ISSUE-DATE>Sun Mar 16 00:11:22 CST 2003</ISSUE-DATE>
    <ENTITY>
      <DATA-GROUP><DATA ref="#business.name">Example Enterprise</DATA></DATA-GROUP>
    </ENTITY>
    <SECURITY-POLICY discuri="http://exampleshop/securitypolicy.html"
                     risks="http://exampleshop/risks.html"
                     controls="http://exampleshop/controls.html">
      <POLICY-TAG><MANDATORY /></POLICY-TAG>
    </SECURITY-POLICY>
    <DISPUTES-GROUP>
      <DISPUTES service="Trust Certification Organization"></DISPUTES>
    </DISPUTES-GROUP>
  </LICENSE-HEADER>
  <LICENSE-BODY>
    <!-- Clause 1 -->
    <CLAUSE ID="f3f2731bb9">
      <STATEMENT>
        <CONSEQUENCE>Gender</CONSEQUENCE>
        <PURPOSE><current /><admin /><develop /><customization /></PURPOSE>
        <RETENTION><indefinitely /></RETENTION>
        <DATA-GROUP><DATA ref="#user.gender">Male</DATA></DATA-GROUP>
      </STATEMENT>
      <SIGNATURE algorithm="DSA">MCwCFBZYtH/xneRtEgVVjdCBCypfeWCVAhRWH8jm1xvETkYSfrrHNPpma2t9Uw==</SIGNATURE>
    </CLAUSE>
    <!-- Clause 2 -->
    <CLAUSE ID="f3f2731bd8">
      <STATEMENT>
        <CONSEQUENCE>Jobtitle</CONSEQUENCE>
        <PURPOSE><develop /><customization /><tailoring /></PURPOSE>
        <RETENTION><indefinitely /></RETENTION>
        <DATA-GROUP><DATA ref="#user.jobtitle">Test</DATA></DATA-GROUP>
      </STATEMENT>
      <SIGNATURE algorithm="DSA">MC0CFCoA678dpmVlEaNnBwPfBmoDPmKYAhUAgrEg3BoVKiZVsWcx1Fo1dSOUUmU=</SIGNATURE>
    </CLAUSE>
  </LICENSE-BODY>
</LICENSE>
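Added example (not the authors' code) of the decomposable license structure from the "License Issuing" and "An Example of a License" slides: each clause is tagged over the header plus that clause alone, so a gatekeeper or auditor can verify a single clause, and one clause can be replaced without re-signing the rest. An HMAC stands in for the slide's DSA signature so the block runs with the standard library only; with a real signature the verifier would hold the licenser's public key instead of the shared KEY, which is a constructed value.

```python
import hashlib, hmac, json

KEY = b"constructed-licenser-key"  # stand-in for the licenser's private key SKx

def canonical(obj):
    """Deterministic bytes so signer and verifier hash exactly the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key, header, clause):
    """SIGN_SKx(H, Ci): each tag covers the header plus ONE clause, so a clause
    can be checked, or replaced, on its own (HMAC stands in for DSA here)."""
    return hmac.new(key, canonical(header) + b"\n" + canonical(clause),
                    hashlib.sha256).hexdigest()

def issue_license(key, header, clauses):
    return {"header": header,
            "clauses": [{"clause": c, "sig": sign(key, header, c)} for c in clauses]}

def verify_clause(key, header, signed):
    """What a gatekeeper or auditor runs when handed only H and one Ci."""
    return hmac.compare_digest(signed["sig"], sign(key, header, signed["clause"]))

def update_clause(key, lic, clause_id, new_clause):
    """Replace one clause and re-sign just that one; the other tags stay valid."""
    for signed in lic["clauses"]:
        if signed["clause"]["id"] == clause_id:
            signed["clause"], signed["sig"] = new_clause, sign(key, lic["header"], new_clause)
            return True
    return False

# Header and clauses transcribed from the "An Example of a License" slide.
HEADER = {"licenser": "CN=CSC, OU=CSC, O=CSC, L=Taipei, ST=Taipei, C=TW",
          "cert_serial": "1042957664", "issue_date": "Sun Mar 16 00:11:22 CST 2003",
          "entity": "Example Enterprise",
          "security_policy": "http://exampleshop/securitypolicy.html",
          "disputes": "Trust Certification Organization"}
CLAUSES = [
    {"id": "f3f2731bb9", "consequence": "Gender", "data": {"#user.gender": "Male"},
     "purpose": ["current", "admin", "develop", "customization"], "retention": "indefinitely"},
    {"id": "f3f2731bd8", "consequence": "Jobtitle", "data": {"#user.jobtitle": "Test"},
     "purpose": ["develop", "customization", "tailoring"], "retention": "indefinitely"},
]
```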


Conclusions

OPDL requires service providers to obtain licenses before collecting, processing, and using their users' data.

Compared to P3P, OPDL not only lets individuals know the privacy practices of a Web site, but also enforces those practices.

OPDL brings control of personal data back to the owner of the data.

Licenses of OPDL can provide the same power of evidence as written consent.


Questions?

Contact information: csc@mba.ntu.edu.tw, http://www.mba.ntu.edu.tw/~csc/


Suggested Future Work

Legislation requirement
Extending the concept to other conditions (because the Internet is not the only source from which an enterprise can collect personal data)
Interface design
A more complex negotiation model (e.g., to enable a person to "sell" his/her personal data)


Appendix: The Role of OPDL in Misuse Regulation

(Figure: Misuse of Personal Data regulated by OPDL, Legal Measures, Normative Remedies, and the Market.)
