Privacy policies and their enforcement in composite service environment
Citation Link: https://doi.org/10.15480/882.1170
Other Titles
Datenschutzrichtlinien und deren Durchsetzung im Composite-Service Umwelt
Publication Type
Doctoral Thesis
Date Issued
2014
Language
English
Author(s)
Advisor
Gollmann, Dieter
Title Granting Institution
Technische Universität Hamburg
Place of Title Granting Institution
Hamburg
Examination Date
2014-05-26
TORE-DOI
In their early days, online services were independent and provided their services alone. Because online services required customers to enter their data through the services' websites, privacy issues had to be considered. Nowadays, online services tend to cooperate with other existing services to compose new ones. Privacy thus becomes more important because of the increasing amount of user data being collected, stored and shared. Technically, privacy protection can be considered from two perspectives: before and after the users use the services. From the first viewpoint, it is beneficial for users that their privacy preferences can be compared automatically with the services' privacy policies, which describe what the services will do with their data. P3P (Platform for Privacy Preferences) is a privacy policy language designed to describe this information so that users can decide whether or not to use a service. After the users have used the services, which means some user data have been given to the services, the actual enforcement of data usage by online services can be achieved by access control systems. How an access control system reacts to an access request is determined by policies; XACML (eXtensible Access Control Markup Language) is one of the most widely used policy languages for access control.
The change of services from the single to the composite paradigm affects both viewpoints. First, P3P was designed from a single-service perspective. For instance, its recipient element cannot express prospective services that will be combined into a composite service. In addition, when a composite service consists of, e.g., three single services, the matching of users' privacy preferences against the privacy policies of this composite service has to be done three times, once for each member service. It is thus beneficial to have a privacy policy for the new composite service so that the matching needs to be done only once. However, P3P provides no mechanism to obtain the privacy policy of a composite service. Moreover, there may be conflicts between the P3P policies of the member services, and P3P does not provide any mechanism for this issue either. Furthermore, the P3P policy language has potential semantic inconsistencies arising from certain combinations of values of some elements in a policy.
In this thesis, we extend P3P to make it suitable for composite services. To mitigate ambiguities in the P3P policy language, we propose a formal semantics for P3P using OWL (Web Ontology Language) and define constraints to verify potential semantic inconsistencies. In addition, we define constraints for verifying conflicts that occur between the P3P policies of member services. Instead of being specified as logical constraints, these constraints are specified as special classes that capture constraint violations. This allows us to learn the reason for the conflicts in a P3P policy by checking whether the policy, viewed as an individual in our model, is inferred to be an instance of any of those special classes. All defined constraints can be expressed in such special classes. We have implemented a P3P verification tool and verified five hundred P3P policies collected from actual websites. The verification result shows that more than half of these P3P policies have conflicts. In addition, a combining algorithm is proposed so that the P3P policy of a composite service can be derived automatically.
Secondly, the problem affecting access control systems that use XACML as their policy language in a composite service environment is that policy administration can become more complex and policy enforcement less efficient. Since multiple services cooperate to perform a composite service, there may be cases where a member service normally provides an entire data object, e.g. an XML document, whereas the other member services require only a part of that data object. In order to preserve the collection limitation principle of the OECD Privacy Guidelines, the policies at the data provider service that govern data access must be individualized for each data consumer service, which is a burden for policy administration. In addition, this situation can increase the computational cost of authorization decision evaluation in XACML. Because XACML was designed to evaluate one requested resource at a time, its evaluation process can only be performed for the entire document or for a single node in the document. Should only a part of the document be accessed, separate evaluations have to be performed for every node in that part. Therefore, a composite service can greatly increase the computational overhead of an access control system using XACML, especially when the XPath language is used to query nodes in an XML document.
We propose a way of expressing XACML policies that eases policy administration, and a mechanism that reduces the performance overhead by applying a post-processing concept. The policy expression uses meaningful names representing parts of a document, instead of listing all nodes, together with information details on the allowed elements in each part. With this form of expression, our mechanism needs only a single XACML policy evaluation. If the evaluation result is Permit, the requested resource is filtered according to the information details so that only the allowed data items are revealed. Therefore, fine-grained access control is also preserved. We illustrate our proposed solution with a location-based service scenario. The implementation result shows that our mechanism yields better XACML evaluation performance when the number of nodes is high, and especially when XPath is used.
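The following is an added illustration of the post-processing idea described above; it is not code from the thesis. It assumes a hypothetical rule table keyed by (consumer service, named part), a hypothetical part-to-element mapping, and a constructed location-record document: the policy is evaluated once on the part name, and only on Permit is the document pruned down to the elements that part allows.

```python
import xml.etree.ElementTree as ET

# Constructed sample resource: a user record held by a location data provider.
LOCATION_DOC = """<user id="u1">
  <name>Alice</name>
  <location>
    <lat>53.46</lat><lon>9.97</lon><accuracy>15</accuracy>
    <timestamp>2014-05-26T10:00:00Z</timestamp>
  </location>
  <contact><email>alice@example.org</email><phone>+49-40-000000</phone></contact>
</user>"""

# Hypothetical named parts: each part lists the element paths it reveals.
PARTS = {
    "coarse-location": {"user/location/lat", "user/location/lon"},
    "full-location": {"user/location"},
    "contact-details": {"user/name", "user/contact"},
}

# Hypothetical policy: one rule per (consumer service, part) instead of per node.
RULES = [
    ("route-planner", "coarse-location", "Permit"),
    ("route-planner", "contact-details", "Deny"),
    ("courier", "full-location", "Permit"),
    ("courier", "contact-details", "Permit"),
]

def evaluate_once(consumer, part):
    """Single policy evaluation on the named part (stands in for the XACML PDP)."""
    for subject, resource, effect in RULES:
        if subject == consumer and resource == part:
            return effect
    return "NotApplicable"

def filter_document(root, allowed):
    """Post-processing: prune every element that is not on an allowed path."""
    def prune(elem, path):
        for child in list(elem):
            child_path = f"{path}/{child.tag}"
            if child_path in allowed:
                continue                      # allowed subtree: reveal as-is
            if any(p.startswith(child_path + "/") for p in allowed):
                prune(child, child_path)      # ancestor of an allowed node
            else:
                elem.remove(child)            # not allowed: strip it
    prune(root, root.tag)
    return root

def request(consumer, part, doc=LOCATION_DOC):
    """Evaluate once; on Permit return the filtered document, otherwise None."""
    if evaluate_once(consumer, part) != "Permit":
        return None
    root = filter_document(ET.fromstring(doc), PARTS[part])
    return ET.tostring(root, encoding="unicode")
```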
Subjects
privacy policies
access control
P3P
XACML
Ontology
privacy policies
access control
P3P
XACML
ontology
DDC Class
004: Computer Science
Name
PhD_Thesis_Khurat.pdf
Size
2.48 MB
Format
Adobe PDF