stuart_short
In this blog entry we present a reference scenario for working on privacy issues. The scenario concerns electronic CVs and can be used by anyone interested in privacy problems. A later entry will present our technical work on solving problems of privacy policy composition.

The Internet is now a standard means for a person to perform personal transactions such as online banking, travel reservations and job searches. Online service providers often require a certain amount of information, for instance name, address or credit card details, to provide these services. When handing over this kind of personally identifiable information (PII), the user may be concerned about how the service will use the data: the provider may, for instance, retain it for a long period or pass it on to a third party. The user (data provider) may also wish to state expressly that certain data should not be revealed at all, for example the person's ethnic background.

One way for data providers to declare how their personal information should be used is to express a condition on each piece of data (a privacy policy). The user may likewise want to restrict data usage to certain data-handling conditions, for example specifying that the information is not to be transferred to a third party. One approach to enforcing this is a set of rules that travels with the user's data (sticky policies). The user's policy should match the provider's policy; failing that, constraints on the user or provider side must be considered (policy negotiation), or the transaction aborts.

An additional level of complexity arises because services are nowadays often built by composing multiple, possibly third-party, services, each with its own privacy policy. Similarly, user content may aggregate external information from various sources with different, sometimes conflicting, privacy policies. For example, an electronic curriculum vitae may integrate certifications from entities such as a university or previous employers.

In the context of the European-funded research project PrimeLife [http://www.primelife.eu] we propose an employment scenario in which users and job providers interact via different web services. A user (job applicant) wants to create an electronic CV (eCV) containing up-to-date information on his personal details, work experience, academic qualifications and a reference. Personal information such as gender, age or race could be entered by the user or provided by an official authority service. The other information services, which certify what the user claims, could be a university, a referee and a previous or current employer. The employer verifies certain aspects of the user's record at the company: that the person was an employee for a certain length of time, worked in one or many roles, and participated in a training programme. The university certifies the qualifications attained, and a recommendation is usually provided by an academic and/or an employer.

Each contributing data provider can attach a rule, or sticky policy, to its data that states how the data must be handled when used by the data producer, the data consumer or a third party. To preserve the policy preferences of these different services, the parts of the eCV that contain their information cannot be altered by the applicant. The constraints imposed by such data providers may restrict the exposure of information that relates to the company and should not be revealed. For example, a policy could allow disclosure of a salary only if the person is applying for an internal job position; or the applicant may allow a certain country, like the United Kingdom, to see their race because it is a prerequisite for processing the application, while not permitting other countries to see it where this is not a precondition.

The final electronic CV is composed of two parts: the data emanating from the different sources, and the corresponding policies. The policy composition may contain conflicts. For example, an applicant may allow personal contact details to be viewed by all services, whereas the company they work for may state, for security reasons, that it will not permit disclosure of where the employee works.
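To make the sticky-policy matching, the "most restrictive wins" composition and the conflict case above concrete, here is an added illustrative model in Python. It is not code from the PrimeLife project or from this post: it assumes a simplified sticky policy (allowed recipient roles, allowed countries, third-party transfer permission, maximum retention) and a composition rule that intersects the policies contributed for the same eCV field, treating an empty intersection as a conflict; the field names, roles and sample values are constructed.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard: any recipient role / any country

@dataclass(frozen=True)
class StickyPolicy:
    """Handling rule attached to one data item by the party that supplied it."""
    recipients: frozenset       # consumer roles that may see the item ({ANY} = all)
    countries: frozenset        # consumer countries that may see it ({ANY} = all)
    third_party_transfer: bool  # may the consumer pass the item on?
    max_retention_days: int     # how long the consumer may keep it
@dataclass(frozen=True)
class DataItem:
    field: str            # eCV field, e.g. "salary"
    value: str
    source: str           # applicant, employer, university, ...
    policy: StickyPolicy  # the sticky policy travelling with this value
@dataclass(frozen=True)
class Consumer:           # declared data-handling practice of a job provider
    role: str
    country: str
    transfers_to_third_party: bool
    retention_days: int

def _intersect(a, b):
    # set intersection in which {ANY} acts as the universal set
    if ANY in a:
        return b
    if ANY in b:
        return a
    return a & b

def compose(a, b):
    """Most-restrictive composition of two policies on one field; None on conflict."""
    recipients = _intersect(a.recipients, b.recipients)
    countries = _intersect(a.countries, b.countries)
    if not recipients or not countries:   # nobody could ever satisfy both
        return None
    return StickyPolicy(recipients, countries,
                        a.third_party_transfer and b.third_party_transfer,
                        min(a.max_retention_days, b.max_retention_days))

def compose_ecv(items):
    """Return ({field: (value, composed policy)}, {conflicted field: [sources]}).
    A field whose contributors' policies conflict is left out of the eCV."""
    by_field = {}
    for item in items:
        by_field.setdefault(item.field, []).append(item)
    composed, conflicts = {}, {}
    for field, group in by_field.items():
        policy = group[0].policy
        for other in group[1:]:
            policy = policy and compose(policy, other.policy)  # stays None once conflicted
        if policy is None:
            conflicts[field] = [i.source for i in group]
        else:
            composed[field] = (group[0].value, policy)
    return composed, conflicts

def violations(policy, consumer):
    """Reasons why the consumer's declared handling fails the sticky policy."""
    out = []
    if ANY not in policy.recipients and consumer.role not in policy.recipients:
        out.append(f"role {consumer.role} is not an allowed recipient")
    if ANY not in policy.countries and consumer.country not in policy.countries:
        out.append(f"country {consumer.country} is not allowed")
    if consumer.transfers_to_third_party and not policy.third_party_transfer:
        out.append("third-party transfer is not allowed")
    if consumer.retention_days > policy.max_retention_days:
        out.append(f"retention of {consumer.retention_days} days exceeds {policy.max_retention_days}")
    return out

def evaluate(composed, consumer):
    """Split the composed eCV into what this consumer may see and what is withheld."""
    disclosed, withheld = {}, {}
    for field, (value, policy) in composed.items():
        problems = violations(policy, consumer)
        if problems:
            withheld[field] = problems
        else:
            disclosed[field] = value
    return disclosed, withheld

# Constructed sample contributions (illustrative values, not real data).
OPEN = StickyPolicy(frozenset({ANY}), frozenset({ANY}), False, 365)
SAMPLE_ITEMS = [
    DataItem("name", "A. Applicant", "applicant", OPEN),
    DataItem("degree", "MSc Computer Science", "university", OPEN),
    # race may be seen only by consumers in the UK, where it is a processing prerequisite
    DataItem("ethnicity", "<applicant-supplied>", "applicant",
             StickyPolicy(frozenset({ANY}), frozenset({"GB"}), False, 90)),
    # the employer certifies the salary only for internal job applications
    DataItem("salary", "50000", "employer",
             StickyPolicy(frozenset({"internal-hr"}), frozenset({ANY}), False, 90)),
    # the applicant would show the current employer to everyone ...
    DataItem("current_employer", "ACME", "applicant", OPEN),
    # ... but the employer permits no disclosure at all (empty recipient set)
    DataItem("current_employer", "ACME", "employer",
             StickyPolicy(frozenset(), frozenset({ANY}), False, 0)),
]
COMPOSED, CONFLICTS = compose_ecv(SAMPLE_ITEMS)
```

Running `evaluate(COMPOSED, Consumer("external-recruiter", "GB", False, 60))` discloses name, degree and ethnicity and withholds the salary with the reason "role external-recruiter is not an allowed recipient"; the same recruiter in France additionally loses the ethnicity field, and `current_employer` never appears because the applicant's and employer's policies conflict. The design choice worth noting is that a conflicted field is dropped rather than resolved in favour of either party, which is the safe default until a negotiation step (as the text describes) settles it.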

In this project we are collaborating with distinguished industrial partners such as Microsoft (EMIC) and IBM Zurich. The eCV scenario is currently being used in the development of a privacy policy language, and it will also be used in the context of workflow development.


For further information please visit the website (http://www.primelife.eu/) and contact:
Stuart Short (stuart.short@sap.com)
Dr Michele Bezzi (michele.bezzi@sap.com)
Dr Slim Trabelsi (slim.trabelsi@sap.com)
Gilles Montagnon (gilles.montagnon@sap.com)