Integrating Privacy Policies into Business Processes
DESCRIPTION
Often, the modeled business processes involve sensitive information whose disclosure is usually regulated by privacy policies. As such, the interaction between business processes and privacy policies is a critical issue worth investigating. Towards this end, we introduce a data model for BPMN and a corresponding XML-based representation (called BPeX), which we use to check whether a BPeX-represented business process is compliant with a P3P privacy policy. Our checking procedures are very efficient and require only standard XML technology, such as XPath.
TRANSCRIPT
Integrating Privacy Policies into Business Processes
Michele Chinosi, joint work with Alberto Trombetta
Università degli Studi dell'Insubria (Italy), [email protected]
BPMN
Business Process Modeling Notation
• graphical notation to model (represent) business processes
• developed by BPMI
• adopted as standard by OMG (2006: 1.0 – 2008: 1.1)
• standard for the “look” of a process
• provides a dictionary of standard shapes with particular meanings
• easily readable – reduces the learning curve
BPMN Elements Set
• Flow Objects
  • Events
  • Activities
  • Gateways
• Connecting Objects
  • Sequence Flows
  • Message Flows
  • Associations
• Swimlanes
  • Pools
  • Lanes
• Artifacts
  • Data Objects
  • Groups
  • Text Annotations
BPMN Example 1
BPMN Example 2
P3P
The Platform for Privacy Preferences
• P3P enables Websites to express their privacy practices in a standard format that can be automatically retrieved and easily interpreted by user agents
• defines the syntax and semantics of P3P privacy policies
• it is an XML format for expressing a privacy policy
• users are informed of site practices
• users do not need to read the privacy policies
• November 2006: the P3P working group closed
P3P Structure Overview
P3P policies consist of a sequence of STATEMENT elements. Each STATEMENT includes:
• PURPOSE: the aims for data processing (current, admin, contact, telemarketing, . . . )
• RECIPIENT: the legal entity or domain where data may be distributed (ours, same, public, . . . )
• RETENTION: the type of retention policy in effect (no-retention, stated-purpose, legal-requirement, . . . )
• DATA-GROUP: describes the data to be transferred or inferred. It includes one or more DATA elements, each referencing (via ref) the type of data that a recipient collects.
• CONSEQUENCE and NON-IDENTIFIABLE are optional elements
Standards Overview
BPMN serializations
• BPMN has no XML serialization of its own
• The two closest formats are WS-BPEL and XPDL
WS-BPEL: Business Process Execution Language
• developed by BEA, IBM, Microsoft and adopted by OASIS as standard
• execution language for the definition of web services orchestration
XPDL: XML Process Definition Language
• developed by WfMC (Workflow Management Coalition) starting from 1998
• file format for storing and exchanging the process diagrams
• supports the BPMN elements set
WS-BPEL and XPDL disadvantages
WS-BPEL: Business Process Execution Language
• independent from BPMN
• less expressive than BPMN
• elements names and structure of the model are completely different
• no graphical support
XPDL: XML Process Definition Language
• lack of native referential integrity
• some elements names differ
• structure of the model is different from the BPMN one
• no execution allowed
BPeX
BPeX: Business Process eXtensions
• Built from scratch with a clear conceptual model
• It supports all BPMN elements and features
• It has an XML-Schema serialization
• Static analysis and validation
• Constraints / Metrics / Extensions
Motivating Example
The excerpt of the Google Privacy Policy for a web search requires:
• to collect #dynamic.[clickstream|http|searchtext|cookies] to meet the stated purpose: performing searches, web site administration, research and development; collected data will not be shared
• to collect #dynamic.[http|searchtext] to perform pseudo-analysis (to understand the interests of a visitor without keeping any personal information), sharing data with other parties not related with Google
The Example Privacy Policy written in P3P
<POLICIES>
  <POLICY name="Google Example Policy">
    <ENTITY>
      <EXTENSION> <p3p11:data-group>...</p3p11:data-group> </EXTENSION>
      <DATA-GROUP> <DATA ref="...">for backward compatibility</DATA> </DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http"/>
        <DATA ref="#dynamic.searchtext"/>
        <DATA ref="#dynamic.cookies"/>
      </DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><pseudo-analysis/></PURPOSE>
      <RECIPIENT><unrelated/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.http"/>
        <DATA ref="#dynamic.searchtext"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
P3P Representation in BPeX
Entity
<POOL>
  <NAME>
    <P3PExtension>
      <Entity><orgname/>...</Entity>
    </P3PExtension>
  </NAME>
  ...
</POOL>
P3P Representation in BPeX
Access
<PROCESS>
  <P3PExtension><ACCESS/></P3PExtension>
  ...
</PROCESS>
In BPMN each POOL having activities and flows also has a relationship with one PROCESS.
Purposes
<Categories IsP3PPurpose=[true|false]>
  ... the purpose description ...
</Categories>
Every Common Graphical Object has a Categories attribute which can act as a container for the P3P Purposes element.
P3P Representation in BPeX
Data-Group
<DATAOBJECT>
  <NAME>
    <P3PExtension>...P3P data-group...</P3PExtension>
  </NAME>
  ...
</DATAOBJECT>
The P3P always, opt-in and opt-out values (the required attribute) can be mapped to the BPMN DATAOBJECT RequiredForStart attribute.
Recipient
<MESSAGEFLOW>
  <TARGET P3PRecipient=[...]>...</TARGET>
</MESSAGEFLOW>
P3P does not need to know the target entity's details, only its relation to the collecting entity: whether the target follows the same privacy practices, whether it is the legal entity following the practices, and so on.
Checking Compliance
• Each BPMN POOL represents a P3P Entity
• First tests are between POOL attributes and POLICY/ENTITY and POLICY/ACCESS attributes
• All other tests are performed for each P3P STATEMENT
  • what kind of data the process works on
  • how the process uses collected data
  • with whom an entity shares collected data
• One POOL references one POLICY but may have more than one STATEMENT
Checking Compliance
1 Policy with 4 Data-Ref elements, 3 Purposes, 2 Recipients
• Each STATEMENT must contain exactly 1 Data-Group node and may have more than one Purpose or Recipient
• Statement A: uses all 4 Data-Ref elements as Data-Group for the Purposes admin and develop, sharing data with Recipient ours
• Statement B: uses only 2 of the Data-Ref elements as Data-Group for the Purpose pseudo-analysis, disclosing data to unrelated Recipients
Policies Enforcement
ENTITY verification
1 foreach (Pool/Name PN ∈ BPD) do {
2   if (PN/P3PExtension/ENTITY == ∅)
3     then "Error"
4   elseif (PN/P3PExtension/ENTITY ≠ P3P:POLICY/ENTITY)
5     then "Error";
6   else "OK"; }
• This check applies on every Pool (row 1)
• The first condition verifies the existence of the P3PExtension/ENTITY nodes (row 2)
• The core of the algorithm compares the P3PExtension/ENTITY subtree with the P3P:POLICY/ENTITY one (row 4)
The same check expressed in XPath/XQuery:
if (//Pool/Name/P3PExtension/ENTITY)
then fn:deep-equal(//Pool/Name/P3PExtension/ENTITY,
                   p3p:POLICIES/p3p:POLICY/p3p:ENTITY)
Policies Enforcement
ACCESS verification
foreach (Pool/Process PP ∈ BPD | PP ≠ ∅) do {
  if (PP/P3PExtension/ACCESS == ∅) then "Error";
  elseif (PP/P3PExtension/ACCESS ≠ P3P:POLICY/ACCESS)
    then "Error"
  else "OK"; }
PURPOSES verification
CGO := CommonGraphicalObjects;
CGO* := CGO \ (Swimlanes, Group, TextAnnotation);
foreach (Pool P ∈ BPD) do {
  foreach (CGOElement ∈ CGO*) do {
    if (CGOElement/Categories@IsP3PPurpose == ∅)
      then "Error"
    elseif (CGOElement/Categories ⊈ P3P:POLICY//PURPOSES)
      then "Error"
    else "OK"; } }
Policies Enforcement
DATA-GROUP verification
foreach (DATAOBJECT DO ∈ BPD) do {
  if (DO/NAME/P3PExtension == ∅) then "Error"
  elseif (DO/NAME/P3PExtension ⊈ P3P:POLICY/STATEMENT/DATA-GROUP)
    then "Error"
  else "OK"; }
RECIPIENT verification
foreach (MESSAGEFLOW MF ∈ BPD) do {
  if (MF/Target@P3PRecipient == ∅) then "Error"
  elseif (MF/Target@P3PRecipient ⊈ P3P:POLICY/STATEMENT/RECIPIENT) then "Error"
  else "OK"; }
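The five checks above, plus the parsing of a P3P policy described in the P3P Structure Overview, as one runnable program. This is an added example, not the BPeX project's code: it uses only Python's standard library instead of XQuery, replaces fn:deep-equal with a namespace-agnostic structural comparison, and reads the BPeX element names (POOL, NAME, P3PExtension, PROCESS, Categories, DATAOBJECT, MESSAGEFLOW, TARGET) from the slides' sketch; the surrounding BPD/EVENT/TASK layout, the FLOW_OBJECTS subset of CGO*, and both inline documents are constructed assumptions. The BPeX fragment deliberately violates the policy in four places so that every check reports something.

```python
"""BPeX-vs-P3P compliance checks (added example, not the BPeX project's code).
Implements the slides' ENTITY, ACCESS, PURPOSES, DATA-GROUP and RECIPIENT checks with
the standard library; BPeX element names and both documents are assumptions."""
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"   # P3P 1.0 namespace
P = "{%s}" % P3P_NS                            # ElementTree prefix for namespaced tags

# Constructed policy modelled on the slides' Google example (not a real Google file).
POLICY_XML = f"""<POLICIES xmlns="{P3P_NS}"><POLICY name="Google Example Policy">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Google Inc.</DATA></DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT><PURPOSE><admin/><develop/></PURPOSE><RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION><DATA-GROUP><DATA ref="#dynamic.clickstream"/>
    <DATA ref="#dynamic.http"/><DATA ref="#dynamic.searchtext"/><DATA ref="#dynamic.cookies"/>
    </DATA-GROUP></STATEMENT>
  <STATEMENT><PURPOSE><pseudo-analysis/></PURPOSE><RECIPIENT><unrelated/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION><DATA-GROUP><DATA ref="#dynamic.http"/>
    <DATA ref="#dynamic.searchtext"/></DATA-GROUP></STATEMENT></POLICY></POLICIES>"""

# Constructed BPeX fragment (BPD/POOL/PROCESS/EVENT/TASK layout is assumed). It carries
# four deliberate violations so that every check below has something to report.
BPEX_XML = """<BPD><POOL id="google"><NAME><P3PExtension>
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Google Inc.</DATA></DATA-GROUP></ENTITY>
  </P3PExtension></NAME><PROCESS id="web-search">
  <P3PExtension><ACCESS><nonident/></ACCESS></P3PExtension>
  <EVENT id="start"/>
  <TASK id="search"><Categories IsP3PPurpose="true"><admin/><develop/></Categories></TASK>
  <TASK id="profile"><Categories IsP3PPurpose="true"><pseudo-analysis/><telemarketing/></Categories></TASK>
  <DATAOBJECT id="query"><NAME><P3PExtension><DATA-GROUP><DATA ref="#dynamic.http"/>
    <DATA ref="#dynamic.searchtext"/></DATA-GROUP></P3PExtension></NAME></DATAOBJECT>
  <DATAOBJECT id="extra"><NAME><P3PExtension><DATA-GROUP><DATA ref="#dynamic.miscdata"/>
    </DATA-GROUP></P3PExtension></NAME></DATAOBJECT></PROCESS>
  <MESSAGEFLOW id="to-partner"><TARGET P3PRecipient="unrelated"/></MESSAGEFLOW>
  <MESSAGEFLOW id="to-gov"><TARGET P3PRecipient="public"/></MESSAGEFLOW></POOL></BPD>"""

FLOW_OBJECTS = {"TASK", "EVENT", "GATEWAY"}   # CGO* subset checked for purposes (assumed names)

def local(tag):
    """Local name of a possibly namespaced ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def canonical(el):
    """Namespace-agnostic stand-in for fn:deep-equal: (name, attrs, text, children)."""
    return (local(el.tag), tuple(sorted(el.attrib.items())),
            (el.text or "").strip(), tuple(canonical(c) for c in el))

def statement_vocab(policy, child):
    """Local names of every element under STATEMENT/<child>, over all statements."""
    return {local(c.tag) for st in policy.iter(P + "STATEMENT")
            for grp in st.findall(P + child) for c in grp}

def check_compliance(bpex_xml, policy_xml):
    """Run the five checks; return the list of violations (empty means compliant)."""
    bpd = ET.fromstring(bpex_xml)
    policy = ET.fromstring(policy_xml).find(P + "POLICY")
    errors = []
    # ENTITY / ACCESS: the copy carried by each Pool / Process must exist and
    # structurally equal the policy's own element (the slides' fn:deep-equal test).
    for tag, path, node in (("ENTITY", "NAME/P3PExtension/ENTITY", "POOL"),
                            ("ACCESS", "P3PExtension/ACCESS", "PROCESS")):
        for el in bpd.iter(node):
            copy = el.find(path)
            if copy is None:
                errors.append(f"{tag}: {node} {el.get('id')} has no {path}")
            elif canonical(copy) != canonical(policy.find(P + tag)):
                errors.append(f"{tag}: {node} {el.get('id')} differs from POLICY/{tag}")
    # PURPOSES: every flow object needs Categories@IsP3PPurpose, and the purposes it
    # lists must all be declared by some STATEMENT/PURPOSE of the policy.
    allowed = statement_vocab(policy, "PURPOSE")
    for el in (e for e in bpd.iter() if e.tag in FLOW_OBJECTS):
        cat = el.find("Categories")
        if cat is None or cat.get("IsP3PPurpose") is None:
            errors.append(f"PURPOSES: {el.tag} {el.get('id')} has no Categories@IsP3PPurpose")
            continue
        extra = {local(c.tag) for c in cat} - allowed if cat.get("IsP3PPurpose") == "true" else set()
        if extra:
            errors.append(f"PURPOSES: {el.tag} {el.get('id')} uses undeclared {sorted(extra)}")
    # DATA-GROUP: every DATAOBJECT ref must appear in some STATEMENT/DATA-GROUP.
    refs = {d.get("ref") for st in policy.iter(P + "STATEMENT")
            for d in st.findall(f"{P}DATA-GROUP/{P}DATA")}
    for do in bpd.iter("DATAOBJECT"):
        ext = do.find("NAME/P3PExtension")
        if ext is None:
            errors.append(f"DATA-GROUP: DATAOBJECT {do.get('id')} has no P3PExtension")
            continue
        extra = {d.get("ref") for d in ext.iter("DATA")} - refs
        if extra:
            errors.append(f"DATA-GROUP: DATAOBJECT {do.get('id')} uses undeclared {sorted(extra)}")
    # RECIPIENT: each message-flow target must name a recipient some STATEMENT declares.
    recipients = statement_vocab(policy, "RECIPIENT")
    for mf in bpd.iter("MESSAGEFLOW"):
        tgt = mf.find("TARGET")
        rcp = None if tgt is None else tgt.get("P3PRecipient")
        if rcp is None:
            errors.append(f"RECIPIENT: MESSAGEFLOW {mf.get('id')} has no TARGET@P3PRecipient")
        elif rcp not in recipients:
            errors.append(f"RECIPIENT: MESSAGEFLOW {mf.get('id')} targets undeclared '{rcp}'")
    return errors
```

Running check_compliance(BPEX_XML, POLICY_XML) reports the event without a Categories element, the telemarketing purpose, the #dynamic.miscdata reference and the public recipient; the ENTITY and ACCESS copies match and are silent. One caveat a practitioner should keep in mind: exactly like the slide algorithms, each dimension is tested against the union over all STATEMENT elements, so a DATAOBJECT holding #dynamic.cookies that travels over a MESSAGEFLOW to an unrelated recipient passes every check even though only Statement A (recipient ours) covers cookies. Tying a data object to the recipient of the flow that carries it would need a per-statement check that correlates the two, which the example does not attempt.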
Conclusions
• We proposed a new XML-based notation called BPeX which can be used as a BPMN serialization format
• We extended such representation with the support for P3P policies
• We plan to extend also the graphical representation with markers to show elements which have privacy policies constraints
• We showed the feasibility to query the BPeX representation of a BPD extended with P3P statements
• We showed some simple algorithms to check the compliance of a business process towards a given privacy policy
• We used a clear and simple example to discuss our proposal, showing also some code excerpts
Questions?
Michele Chinosi, [email protected], http://bpex.sourceforge.net