The internet can be seen as a standard means for a person to perform personal transactions such as online banking, travel reservations and job searches. The providers of these online services often require a certain amount of information, for instance name, address or credit card details. When giving this personally identifiable information (PII), the user may be concerned about how the service will use the data and whether data protection regulations are followed. For instance, will the service provider retain the information for a long period of time, or will it be used by a third party?
Within the PrimeLife European research project, one of the scenarios exposed some challenges related to policy composition on the data provider / consumer side. We provide here a short, non-exhaustive list:
represented by a union of a set of policies. On the other hand, we call it policy composition when the policies refer to the same element and conflicts may arise.
- Negotiation: When the client or the server has to make a trade-off in order to achieve a transaction, it is necessary to find a compromise between conflicting rules. For example, in the context of the scenario, the data producer may be willing to provide PII if a criterion such as salary is above a certain threshold.
- Content-based condition: A policy condition may depend on the content of the data, e.g., data may be used for marketing purposes only if age, as reported on the CV, is greater than 21, or job level may be disclosed to a third party only if it is less than a certain threshold. Such constraints are difficult to address since they introduce an interaction between the data handling policy, which expresses how the data should be used, and the content of the data itself.
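
The content-based conditions above can be made concrete with a small evaluator. This is an added example, not code from the PrimeLife project: the rule format, the field names, the sample CVs and the job-level threshold of 5 are all assumptions, as is the choice to deny by default and to deny when the attribute a condition depends on is missing.

```python
import operator

OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}

# Hypothetical rule format: (field, usage) -> condition on the data itself.
# A condition is (attribute, op, bound); None means an unconditional permit.
POLICY = {
    ("email", "marketing"): ("age", ">", 21),
    ("job_level", "third_party"): ("job_level", "<", 5),  # threshold 5 is constructed
    ("name", "recruitment"): None,
}

def decide(record, field, usage, policy=POLICY):
    """Return (allowed, reason) for using record[field] for `usage`."""
    key = (field, usage)
    if key not in policy:
        return False, "no rule: default deny"
    cond = policy[key]
    if cond is None:
        return True, "unconditional permit"
    attr, op, bound = cond
    value = record.get(attr)
    # The handling decision reads the data content; a missing or non-numeric
    # value cannot satisfy the condition, so the decision fails closed.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False, f"{attr} missing or not numeric: deny"
    ok = OPS[op](value, bound)
    return ok, f"{attr}={value} {op} {bound} is {ok}"

def releasable_view(record, usage, policy=POLICY):
    """Fields of `record` that may be used for `usage`."""
    return {f: record[f] for f in record if decide(record, f, usage, policy)[0]}

# Constructed sample CVs.
CV_ADULT = {"name": "A. Example", "email": "a@example.org", "age": 34, "job_level": 3}
CV_YOUNG = {"name": "B. Example", "email": "b@example.org", "age": 21, "job_level": 7}
CV_NO_AGE = {"name": "C. Example", "email": "c@example.org", "job_level": 2}

if __name__ == "__main__":
    for cv in (CV_ADULT, CV_YOUNG, CV_NO_AGE):
        for usage in ("marketing", "third_party", "recruitment"):
            print(cv["name"], usage, releasable_view(cv, usage))
```

The same policy yields a different releasable view for each record, which is the interaction between handling policy and data content that the list item describes.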
This work was carried out in collaboration with colleagues Slim Trabelsi and Michele Bezzi, and supported in part by the EU PrimeLife project, within the Seventh Framework Programme (FP7/2007-2013).