The internet can be seen as a standard means for a person to perform personal transactions such as online banking, travel reservations and job searches. These online service providers often require a certain amount of information, for instance name, address or credit card details. When giving this personal identiable information (PII), the user may be concerned about how this data will be used by the service and if data protection regulations are followed, for instance, will the service provider retain the information for a long period of time or will it be used by a third party?
In most cases this means that the data consumer's privacy policy is shown to the user as natural language text, and the user can accept it or not depending on her privacy preferences. Typically, if the user does not accept it, she is not allowed to proceed. This process should be automated to enable more complex interactions to take place, such as supporting the user in tracking the usage of her PII, facilitating enforcement of her privacy policy and dealing with more intricate cases, where the data exchanged comes from multiple sources, each one with its own privacy policy.
In the latter case, data must be aggregated as well as the privacy policy. To this extent, particularly relevant is the concept of sticky policy: privacy policies are strictly associated to a piece of data and should be composed whenever data aggregation happens. Expressing a condition for each piece of data, could be a means for data providers to declare how their personal information should be used. For instance, it may be specified that the information is not to be transferred to a third party or that it can be used for research purposes only. For example, a job applicant would like to create an electronic CV (eCV) that contains up-to-date information on her personal details (gender, age or race), work experience, academic qualifications and references. This personal information, could be entered either by the user or provided by other services such as a university, previous/current employers or an official entity, each of them containing corresponding privacy and access control constraints (e.g., not to be released for commercial purposes or for internal use only), expressed as privacy policies. The job applicant should be able to compose them in a single document with a single privacy policy, and be able to handle possible conflicts among policies.
On the other side, a job broker service may need to compose job offers from multiple sources and aggregate the corresponding policies. The aggregated policy may be simply the union of the source policies if they express non-conflicting conditions (e.g., one policy defines the purpose as research but it does not impose any condition on retention period) or, in case of conflicting conditions, more complex mechanisms may be needed. Even if privacy policy languages exist, such as P3P, EPAL or PRIME, they lack the notion of sticky policies or the complex composition of services or policies for resolving possible conicts.
Privacy Policy Composition Challenges
Within the Primelife European research project one of the scenarios exposed some challenges related to the policy composition on the data provider / consumer side. We provide here a short, non-exhaustive, list:
This work was carried out in collarboration with colleagues, Slim Trabelsi and Michele Bezzi and supported in part by the EU PrimeLife project, within the Seventh Framework Programme (FP7/2007-2013).
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
3 | |
2 | |
2 | |
1 | |
1 | |
1 | |
1 |