INTERNET SECURITY TOPIC
A P3P Preference Exchange Language (APPEL): introduction based on the W3C working draft
P3P Basic
• P3P is designed to inform users about the privacy policies of services (Web sites and applications that declare privacy practices).
• Policies can be parsed automatically by user agents.
Basic P3P interaction process
[Diagram. Labels: User, User agent, service. Arrows: Request a web page; Fetch P3P policy; Inform user about policies.]
Goal of P3P
• It allows Web sites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner.
• It enables Web users to understand what data will be collected by the sites they visit and how that data will be used.
    <appel:RULE behavior="block">
      <p3p:POLICY>
        <p3p:STATEMENT>
          <p3p:DATA-GROUP>
            <p3p:DATA>
              <p3p:CATEGORIES appel:connective="or">
                <p3p:physical/>
                <p3p:demographic/>
              </p3p:CATEGORIES>
            </p3p:DATA>
          </p3p:DATA-GROUP>
          <p3p:RECIPIENT appel:connective="or">
            <p3p:other-recipient/>
            <p3p:public/>
            <p3p:delivery/>
          </p3p:RECIPIENT>
        </p3p:STATEMENT>
      </p3p:POLICY>
    </appel:RULE>

Explanation: The agent rejects a policy that asks for personal data in the physical or demographic categories when this information will be shared with third parties.
Sample Ruleset in APPEL 1.0

    <appel:RULE behavior="request">
      <appel:REQUEST-GROUP>
        <appel:REQUEST uri="http://www.my-bank.com/*"/>
      </appel:REQUEST-GROUP>
      <p3p:POLICY>
        <p3p:STATEMENT>
          <p3p:RECIPIENT appel:connective="or-exact">
            <p3p:ours/>
          </p3p:RECIPIENT>
        </p3p:STATEMENT>
      </p3p:POLICY>
    </appel:RULE>

Explanation: This "request" rule only continues to match the policy if it has been fetched while requesting a Web resource from www.my-bank.com. The request element allows the creation of rules that only apply to a certain resource or domain.
Sample Ruleset in APPEL 1.0

    <appel:RULE behavior="request" prompt="yes">
      <p3p:POLICY>
        <p3p:STATEMENT>
          <p3p:PURPOSE appel:connective="or-exact">
            <p3p:develop/>
            <p3p:admin/>
          </p3p:PURPOSE>
          <p3p:DATA-GROUP appel:connective="or-exact">
            <p3p:DATA ref="#User.Name.*"/>
          </p3p:DATA-GROUP>
        </p3p:STATEMENT>
        <p3p:DISPUTES-GROUP>
          <p3p:DISPUTES service="http://trustus.org"/>
        </p3p:DISPUTES-GROUP>
      </p3p:POLICY>
    </appel:RULE>

Explanation: The user agrees to provide their name for admin purposes (non-marketing purposes, with assurance from PrivacyProtect and TrustUS), but still wants to supervise all data transfers.
Matching summary (six connectives total)
E: expression, X: evidence
• [If an or connective is given in E] at least one of E's contained expressions (if any) matches X's enclosed elements (additional enclosed elements in evidence X which are not referenced in expression E are ignored).
• [If an and connective is given in E] all of E's contained expressions (if any) match X's enclosed elements (additional enclosed elements in evidence X which are not referenced in expression E are ignored).
• [If a non-or connective is given in E] none of E's contained expressions (if any) match X's enclosed elements (additional enclosed elements in evidence X which are not referenced in expression E are ignored).
• [If a non-and connective is given in E] not all of E's contained expressions (if any) match X's enclosed elements (additional enclosed elements in evidence X which are not referenced in expression E are ignored).
• [If an or-exact connective is given in E] at least one of E's contained expressions (if any) matches X's enclosed elements (additional enclosed elements in evidence X which are not referenced in expression E are not ignored).
• [If an and-exact connective is given in E] all of E's contained expressions (if any) match X's enclosed elements (additional enclosed elements in evidence X which are not referenced in expression E are not ignored).
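The six connectives above, implemented as an added example (not code from the presentation or from the W3C draft), to show why an accepting rule on the ours recipient wants or-exact rather than or. Assumptions: the namespace URIs are placeholders, the function names are hypothetical, attributes are compared literally, and a missing connective is treated as and.

```python
import xml.etree.ElementTree as ET

# Placeholder namespace URIs, constructed for this example (not the real W3C ones).
NS = 'xmlns:appel="urn:example:appel" xmlns:p3p="urn:example:p3p"'
CONNECTIVE = "{urn:example:appel}connective"
ALL_CONNECTIVES = ("or", "and", "non-or", "non-and", "or-exact", "and-exact")

def matches(expr, evid):
    """True if APPEL expression element `expr` matches evidence element `evid`."""
    if expr.tag != evid.tag:
        return False
    # Simplification: attributes are compared literally (no wildcard handling).
    if any(evid.get(k) != v for k, v in expr.attrib.items() if k != CONNECTIVE):
        return False
    subs, kids = list(expr), list(evid)
    if not subs:                       # "(if any)": nothing contained to test
        return True
    # found[i]: does contained expression i match some enclosed evidence element?
    found = [any(matches(s, k) for k in kids) for s in subs]
    # -exact connectives: evidence elements not referenced in E are NOT ignored.
    covered = all(any(matches(s, k) for s in subs) for k in kids)
    return {
        "or": any(found), "and": all(found),
        "non-or": not any(found), "non-and": not all(found),
        "or-exact": any(found) and covered,
        "and-exact": all(found) and covered,
    }[expr.get(CONNECTIVE, "and")]     # assumed default when none is given

def recipient_match(connective, recipients):
    """Match a RECIPIENT expression listing ours and delivery against evidence."""
    expr = ET.fromstring(f'<p3p:RECIPIENT {NS} appel:connective="{connective}">'
                         '<p3p:ours/><p3p:delivery/></p3p:RECIPIENT>')
    body = "".join(f"<p3p:{r}/>" for r in recipients)
    evid = ET.fromstring(f"<p3p:RECIPIENT {NS}>{body}</p3p:RECIPIENT>")
    return matches(expr, evid)

def table(recipients):
    """Result of every connective for one evidence recipient list."""
    return {c: recipient_match(c, recipients) for c in ALL_CONNECTIVES}

if __name__ == "__main__":
    # Constructed evidence: recipient lists from four imaginary site policies.
    for recips in (["ours"], ["ours", "delivery"],
                   ["ours", "delivery", "public"], ["public"]):
        print(recips, table(recips))
```

A policy that adds public to the listed recipients still matches under or and and, but not under or-exact or and-exact.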
Future work of current APPEL
• Extensibility of behaviors
• Comparison operators for simple numeric expressions
• Expiration dates