Specifying Personal Privacy Policies to Avoid Unexpected Outcomes - PowerPoint PPT Presentation

1
Specifying Personal Privacy Policies to Avoid
Unexpected Outcomes
  • George Yee and Larry Korba
  • George.Yee, Larry.Korba@nrc.ca
  • PST 2005
  • October 12-14, 2005

2
Overview
  • Introduction
  • Privacy policies and e-services
  • Unexpected outcomes
  • Preventing unexpected outcomes
  • Conclusions and future research

3
Introduction
  • Drivers for personal privacy policies
    • Growth of the Internet
      • greater consumer exposure to e-services
      • growth of consumer awareness of the lack of privacy
    • Privacy legislation
      • greater consumer awareness of privacy rights
  • Privacy policies on the Internet
    • Posted privacy policies
    • P3P privacy policies for web sites
      • Browser plug-in allows checking of personal
        privacy preferences against a web site's policy
      • Privacy Bird: checks preferences, displays the
        policy in easy-to-understand language, customizable
        warnings

4
Privacy policies and e-services
  • Consumer privacy policy
    • Necessary content implied by privacy legislation
      (minimal policy)
    • Simple, so that it can be understood by the
      average e-service consumer
    • Machine processable, e.g. using an XML-based
      language such as APPEL
  • Provider has its own policy

5
Privacy policies and e-services
  • Privacy Management Model
    • Consumer and provider each have a privacy policy
    • Prior to engaging a service, privacy policies are
      exchanged between consumer and provider to see if
      they match
    • Provider requests private data according to its
      privacy policy
    • Consumer may resist any privacy reduction: may
      only be willing to provide private data according
      to her preferences
    • A match between policies occurs if, in the
      respective policies,
    • Otherwise, there is a mismatch.

6
Privacy policies and e-services
  • Policy mechanics
    • A privacy policy is considered upgraded
      (downgraded) if the new version represents more
      (less) privacy than the prior version.
    • Where time is involved, a private item held for
      less time is considered more private
      • as long as it is thoroughly expunged!

7
Unexpected outcomes
  • Interested in outcomes from the matching of
    privacy policies arising from
    • how the match was obtained
    • matching policy content
  • Outcomes: how the match was obtained
    • A match may have been obtained through an
      upgrade/downgrade (during negotiation)
    • Upgrade: provider required too much user privacy
      reduction, so provider upgrades its policy (more
      privacy via less private data)

Unexpected outcome: private data left out may
lead to extra costs, e.g. leaving out a credit card
requirement leads to a more costly means of payment

8
Unexpected outcomes
  • Downgrade: mismatch due to consumer policy
    allowing too little privacy reduction, so consumer
    downgrades her policy (less privacy) to give more
    private data to the provider
  • More examples in paper

Unexpected outcome: extra private data leads to
provider needing to put more costly data
protection safeguards in place, e.g. highly
sensitive health information

9
Preventing unexpected negative outcomes
  • Need well-formed policies
  • Definition 1: Unexpected negative outcome
    • The use/development of privacy policies such that
      a) the outcome is unexpected by both provider and
      consumer, and
      b) the outcome leads to either provider and/or
      consumer experiencing some loss, which could be
      private information, money, time, convenience,
      job, etc., including serious losses.

10
Preventing unexpected outcomes
  • Definition 2: A well-formed (WF) privacy policy
    (for either consumer or provider) is one that
    does not lead to unexpected negative outcomes.
  • Definition 3: A near well-formed (NWF) privacy
    policy is one in which the attributes valid,
    collector, retention time, and disclose-to have
    each been considered against all known
    misspecifications that can lead to unexpected
    negative outcomes.
  • A NWF privacy policy is the best that we can
    achieve at this time
    • No guarantee that unexpected negative outcomes will
      not occur
    • Reduces the probability that they will occur.

11
Preventing unexpected outcomes: some rules
  • Rule for Valid
    • Time period must be > longest retention time.
    • (There is always a consumer privacy policy
      governing the consumer information.)

12
Preventing unexpected outcomes: some rules
  • Rule for Collector
    • Availability of the individual to receive the
      information must be considered.

13
Preventing unexpected outcomes: some rules
  • Rule for Retention Time
    • Consequences of the retention time expiration
      (provider destroys the corresponding information)
      must be considered.
    • If the consequences do not lead to unexpected
      negative outcomes, proceed to specify the desired
      time. Otherwise, or if there is doubt, specify
      the length of time the service will be used.

14
Preventing unexpected outcomes: some rules
  • Rule for Disclose-To
    • Consequences of successive propagation of your
      information, starting with the first party
      mentioned in the Disclose-To, must be considered.
    • If the consequences do not lead to unexpected
      negative outcomes, proceed with the specification
      of the Disclose-To party or parties. Otherwise,
      or if there is doubt, specify none, or the name of
      the receiving party and no further.
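A small checker for the Privacy Management Model and the rules above, as an added example (Python) that is neither the paper's code nor the authors' prototype. It covers the match/mismatch test of slide 5, the upgrade/downgrade mechanics of slide 6 and the Rule for Valid of slide 11; the policy model, the sample policies and the exact match condition are assumptions, since the slide's match condition is cut off in this transcript.

```python
from dataclasses import dataclass, field

# Constructed policy model (assumption; the paper uses APPEL/XML): an item has
# collector, retention time (days) and disclose-to; valid_days = validity period.
@dataclass(frozen=True)
class Item:
    collector: str
    retention_days: int
    disclose_to: frozenset = frozenset()

@dataclass
class Policy:
    valid_days: int
    items: dict = field(default_factory=dict)  # item name -> Item

def violates_rule_for_valid(p: Policy) -> bool:
    """Rule for Valid: the valid period must be > the longest retention time."""
    longest = max((i.retention_days for i in p.items.values()), default=0)
    return p.valid_days <= longest

def find_mismatches(consumer: Policy, provider: Policy) -> list:
    """Assumed match condition: every item the provider requests is offered by
    the consumer, kept no longer and disclosed no wider. [] means a match."""
    reasons = []
    for name, want in provider.items.items():
        have = consumer.items.get(name)
        if have is None:
            reasons.append(f"{name}: not offered by consumer")
        elif want.retention_days > have.retention_days:
            reasons.append(f"{name}: retention {want.retention_days}d > {have.retention_days}d")
        elif not want.disclose_to <= have.disclose_to:
            reasons.append(f"{name}: disclose-to wider than consumer allows")
    return reasons

def privacy_change(old: Policy, new: Policy) -> str:
    """Policy mechanics: 'upgrade' = more private, 'downgrade' = less, 'mixed' = both."""
    more = less = False
    for name in set(old.items) | set(new.items):
        o, n = old.items.get(name), new.items.get(name)
        if o is None or (n is not None and n.retention_days > o.retention_days):
            less = True   # newly shared item, or kept longer
        elif n is None or n.retention_days < o.retention_days:
            more = True   # item withdrawn, or kept for less time
    if more and less:
        return "mixed"
    return "upgrade" if more else "downgrade" if less else "same"

# Constructed sample: Alice offers her doctor one year; the clinic wants two years and a lab copy.
ALICE = Policy(400, {"medical_history": Item("Dr Smith", 365, frozenset({"Dr Smith"}))})
CLINIC = Policy(1000, {"medical_history": Item("Clinic", 730, frozenset({"Dr Smith", "Lab"}))})
```

Running `find_mismatches(ALICE, CLINIC)` reports the retention mismatch; once the clinic upgrades its policy to 365 days and drops the lab, the policies match and `privacy_change` classifies that revision as an upgrade.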

15
Preventing unexpected outcomes: approach
  • Incorporate the above rules when specifying the
    initial policy
    • Use an automatic or semi-automatic specification
      method (e.g. G. Yee and L. Korba, Semi-Automated
      Derivation of Personal Privacy Policies,
      Proceedings, The IRMA International Conference
      2004 (IRMA 2004), New Orleans, May 23-26, 2004.)
      • Rule application may employ a combination of
        artificial intelligence and user/provider
        query/response techniques to appreciate
        consequences.
    • Apply rules during manual policy specification,
      employing a tool for exploring possible
      consequences.

16
Preventing unexpected outcomes
  • Use privacy policy negotiation where NWF policies
    from initial specification do not match
    • Avoid undoing NWF-ness from initial
      specification: upgrades and downgrades may
      inadvertently undo the NWF-ness.
    • Take advantage of negotiation to expose a needed
      application of the above rules.
  • Paper provides examples

17
Summary
  • Summary
    • Unexpected outcomes can arise from matching of
      privacy policies
    • Proposed an approach using near-well-formed
      policies to minimize unexpected negative outcomes
    • Approach will work for other privacy policy
      formulations
  • Privacy policy formulations
    • Must conform to privacy legislation
    • Therefore they do not differ substantially:
      our approach is a minimal policy that conforms.

18
Conclusions and future research
  • Further research
    • Explore further unexpected negative outcomes
    • Tools for consequences exploration
    • Other methods for avoiding or mitigating
      unexpected negative outcomes
    • Implement the proposed approach (extend current
      prototype)
    • Application in other areas: security risk analysis

19
  • Thank you

20
Preventing unexpected outcomes
[Figure: example negotiation, read from left to right, top to bottom.]
Negotiation guides the application of the rule for
collector, preventing the unexpected outcome that
Alice will be left with no medical help.