s-cube lp: dynamic privacy model for web service

www.s-cube-network.eu

S-Cube Learning Package

Dynamic Privacy Model for Web Service

Université Paris 5, LIPADE, France

Salima Benbernou, Meziane Hassina

© S-Cube

Learning Package Categorization

S-Cube

Quality Definition, Negotiation

and Assurance

Quality Assurance and Quality Prediction

Dynamic Privacy Model for Web Service

Learning Package Overview

Problem Description

Dynamic privacy model for Web service

Solution Validation

Discussion

Conclusions

© S-Cube

Problem Description : Privacy • One of the defining principles [AKSX 2002] of data

privacy, limited disclosure, is based on the premise that

data subjects have control over who is allowed to see

their personal informations and for what purpose

© S-Cube

For example, the billing office may use the patient's

address information to process insurance claims, but the

hospital may not give patient address information to

charities for the purpose of solicitation without consent

[DHHS]

[AKSX 2002] R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu. Hippocratic databases. In VLDB, Hong

Kong, China, August 2002

[DHHS] US Department of Health and Human Services. http://www.hhs.gov/ocr/hipaa

Platform for Privacy Preferences (P3P) enables Websites to express their

privacy practices in a standard format that can be retrieved automatically and

interpreted easily by user agents…

© S-Cube

Problem Description : Standards as Case Study

Enterprise Privacy Autorisation Language (EPAL) is a formal

language for writing enterprise privacy policies to govern data handling

practices in IT systems according to fine-grained positive and negative

authorization rights…

Advertising the capabilities of service providers in templates”

Creating agreements based on creational offers and templates”

Expressing the guarantees regarding QoS.

…”

WS-Agreement - Definition:

“An XML language and a protocol for…

A standards for Web Site – Definitions :

Specifications P3P, EPAL

─ Promises often non respected

─ No reasoning mechanism on it

─ take-it-or-live it model, no negotiation is allowed when

changes occur.

WS-Agreement

─ Limited type of message

─ No interaction protocol

─ Does not handle privacy issue

© S-Cube

Problem Description : Standard Weaknesses

Dynamic Web service Changes

Problem Description : Solutions

© S-Cube

A formal model more legal than promises expressing the

privacy in web services.

Defining preferences of the client and provider policy .

A state machine based model is provided in order to

describe the activation of ach privacy agreement clauses,

that is, it spells out the Private Data Use Flow.

Management of the contract evolution.

Defining Negotiation Protocol when conflit occurs.


Problem Description


Solution Validation

Discussion

Conclusions

© S-Cube

Privacy Agreement : Extension of WS-Agreement

© S-Cube

Agreement

Service-Agreement

Name

Context

Terms

Service description

Guarantee Terms

Privacy-Agreement

Privacy-Agreement : Definition

© S-Cube

Privacy-Agreement (PA) [SM2007, MS2010]a new component in WS-Agreement, supports the privacy structure and the evolution of the privacy.

Privacy-Agreement spells out a set of requirements related to costumer’s privacy rights in terms of how service provider must

handle privacy information.

[MS2007] S. Benbernou, H. Meziane, Y.H. Li, and M. Hacid. A privacy agreement model for web services.

IEEE International Conference on Service Computing SCC’07,July 2007.

[MS2010] H. Meziane and S. Benbernou. A dynamic privacy model for web services. Journal Computer

Standards & Interfaces, ELSEVIER, 32(5-6):288–304, 2010.

Privacy-Agreement : Structure

Policy level specifies clauses on the private data term including

garantees, validity period and a set of penalities.

Negotiation level

− specifies all possible events that may happen in the service behavior

through the validity contract.

− Defines all possible actions to be taken if the guarantee of privacy terms is not respected and a conflict arises. They are used through a negotiation protocol between the service provider and the customer.

© S-Cube

Privacy-Agreement

Policy Level

Privacy-Data-term (Data-Right, Data-Obligation)

Negotiation Level

Privacy-Event-term (Triggering Events)

Agreement-negotiation-term

Agreement-Right

Agreement-Obligation

Agreement-Negotiation

Events Triggering a set of actions, defined in the Agreement-Negotiation-term, involving

changes in the Privacy-data-term

Negotiation Protocol ANP includes a negotiation language defined in the Agreement–Negotiation-term

which induce changes in the Privacy-data-term

Privacy-Agreement : Structure

Privacy Data Model : Abstractions

© S-Cube

Two abstractions of privacy model are defined in terms of :

data-right, is a predefined action on data, the data-user is authorized to do if he

wishes to. We distinguish two types of actions :

i. actions used to complete the service activity for the current purpose for

which it was provided and are denoted by Opcurrent .

ii. actions used by a service to achieve other activities than those for which

they are provided, called Opextra−activity.

data-obligation, is the expected action to be performed by service provider or

third parties (data-users) when handling personal data. This type of obligation is

related to the management of personal data in terms of their selection, deletion

or transformation.


© S-Cube

Data-Right rd: action on the private data the provider

wishes to do or not .

( u, d, p, ur)

U Data users

D

Personal data

OP

Authorized

opérations

Period of data

retention

remail ( sp, email, send invoice, uremail )


© S-Cube

Data-Obligation od: security action that must be taken by

the provider on data.

occn ( sp, cnn, crypt, [dpay,dpay+1day] )

A set of clauses (rd,od)

(u, d, ao, uo)

A security

Actions Activated

date

U Data users

D Personal data

Privacy Data Model: Privacy-Data Term

© S-Cube

Data-guarantee

A data-guarantee g is a couple (rd,od) with rd ∈ Rd and od ∈ Od, where Rd is a set of rights on

personal data, and Od is a set of obligations on personal data defined in the privacy data model Pd.

Gd ⊆ Rd × Od is a set of guarantees.

Privacy-guarantee term

A privacy-guarantee term td is a couple (d,g) with d ∈ D and g ∈ Gd, where D is a set of personal

data and Gd is a set of data guarantees. Td ⊆ D× Gd is a set of terms td.

Privacy-agreement validity

A privacy agreement validity µ is defined by a tuple (IdA,ds,α), with IdA is an agreement

identifier, and ds is an absolute time indicating when the privacy-agreement was signed,

and α ∈ [ds,t], t ∈ R is an interval time indicating the validity period of the privacy agreement.

Penalty A penalty P = PGd∪ Pn is a set of applicable punitive actions when guarantees on data (PGd) are not satisfied or when negotiation process (Pn) terminates without success.

Privacy-Data Term

A privacy-data term pd is defined by a tuple (T d,µ,P) with T a set of guarantee terms, µ the privacy

agreement validity, and P the set of penalties.

Privacy Model : Privacy Events Term

© S-Cube

Actions dictated

by Changes

Event

A set of events that that can occur in the service behavior and may affect

different elements defined in the privacy-data term. These events trigger a

set of actions dictated by changes.

(e,a)

Privacy Model : Privacy Events Term

© S-Cube

Event triggering changes Action dictated by change

Data-Driven : adding new data.

Create data-guarantee

(data_right,data obligation)

Purpose-Driven : somes changes will affect data use on

data.

Create data-right

Data-User driven :

A new user will use data.

Create data-right

Duration-Driven : the time retention of data may be

changed.

Uptade data-right

Security-Action Driven : to avoid new security threats, some new

security actions on the personal data are

needed.

Create data-obligation

Privacy Model : Agreement-Negotiation term

© S-Cube

Description of actions to be taken when an event occurs and if the

guarantee of privacy terms is not respected or a conflict arises

between signing parties . To make an efficient negotiation, we need :

− A negotiation actions, defining possible actions that each party

might take on,

− A agreement-negotiation protocol, enabling interaction

mechanism between the service provider and the customer by

means of previous set of Actions

Privacy Model : Agreement-Negotiation Term

© S-Cube

The language of the communication defines three types

of actions :

1. Agreement-Right, is an action that the signing entity will achieve if

he wishes during the negotiation time.

2. Agreement-Obligation, defines a set of duty actions that both the

provider and the customer must perform when a type of event e

happens during the agreement life.

3. Agreement-Negotiation, defines actions of the negotiation that can

be taken by signing parties when conflicts occur between them.

Agreement-Negotiation Term : Example of Action types

© S-Cube

Action Meaning Action Type

Notify The provider notifies the customer that an event

happened at a time point te. agreement-obligation

Relate The provider relates which data in the agreement is

affected by a change and sends a report. agreement-negotiation

Proposal The provider proposes a proposition to the customer

that contains the revised privacy-agreement. agreement-negotiation

Reply The customer must reply by sending an

acknowledgment receipt of the proposition agreement-obligation

Reject The customer rejects the proposition. agreement-right

Justify The customer justifies the refusal reply by some

explanations including additional informations about

his decision.

agreement-negotiation

Accept The customer accepts a proposition. agreement-right

Background: Finite State Machine (FSM)

© Philipp Leitner

FSM is a behavioral model used to design computer programs. It is composed of :

• a set of states (including the initial state),

• a set of input events,

• a set of output events,

• and a state transition function.

The transition function takes the current state and an input event and returns the

new set of output events and the next state. Some states may be designated as

"terminal states".

The state machine can also be viewed as a function which maps an ordered

sequence of input events into a corresponding sequence of (sets of) output events.

http://en.wikipedia.org/wiki/Computer_programs

Background: Finite State Machine (FSM)

© Philipp Leitner

Mathematical model

A deterministic finite state machine is a quintuple (Σ,S,s0,δ,F), where :

• Σ is the input alphabet (a finite, non-empty set of symbols).

• S is a finite, non-empty set of states.

• s0 is an initial state, an element of S.

• δ is the state-transition function: δ : S × Σ S

• F is the set of final states, a subset of S.

http://en.wikipedia.org/wiki/Alphabet_(computer_science)

Privacy Agreement use : Private Data Use Flow

© S-Cube

Private data use flow model is described as a state

machine in the policy level.

Describe the activation of different clauses in PA.

Specify the states of each activated clause in the policy

level.

Identify privacy vulnerabilities, where a service’s

compliance to privacy regulations may be compromised.

Managing Privacy Agreement : Private Data Use Flow

© S-Cube

State Machine

defines all the triggered operations involving private data from the

activation of the agreement Initial state to the end of the

agreement Final state.

Private data use abstractions describe the states in which the

agreement is – (1) which private data

is collected (2) when it is used (3) for

what (4) who use it.

Authorization abstractions Provide the conditions that

must be met for transitions to be fired.

Private Data Use Flow : Formal Definition

© S-Cube

(S, T, C, Ψ, ρ, Φ)

set of states set of

transitions

Φ : C → σ(S)

Associate rights and

obligations with states set of clauses

C⊂ {Rdi ∪ Odj ,di, dj ∈ D}

Ψ :T →S×S

Associate transition with

source and target state

ρ : C.r.op ∪ C.r.μr ∪ C.o.μo T

associate operations and

elapsed time from the obligations

and the rights with transitions

Private Data Use Flow F

,

Max(αccn, αemail) End

Agreement

Agreement-

Failure

B

A

Activation Agreement

date()≤ date-validity

µrccn, µr1email

/µoccn, µoccn

r1email[role,email,Send I.,

p1email ] rccn [role, ccn, payment,

pccn]

µrccn

µoccn

µoccn D1

µr1email

D

D2

r1email[role, email, send I.,

p1email ]

occn[role, ccn, delete, µccn ]

r1email[role,email,

send I., p1email]

C

µrccn

occn[role,ccn,delete, µccn]

µoccn

µr1email

C2

C1

C3

r2email[role, email, send O.,

p2email ]

occn[role,ccn,delete, µccn]

r1email[role, email, send I., p1email]

r2email[role,email,send O., p2email]

Opwrong-use/Forward[ email]

[opcurrent, µrccn, µr1email

[Op marketing,

µr2email

µr2email

r1email[role, email, send I., p1email]

r2email[role,email,send O, p2email]

occn[role, ccn, delete, µccn]

µr2email

µr1email

µr2email

E

occn[role, ccn, delete, µccn ]

oemail[role,email,hide, µemail ]

[Op marketing , µr2email]

r1email[role, email,send I.,p1email]

r2email[role, email,send O.,p2emai]

rccn[role, ccn, payment , pccn]

© S-Cube

Private Data Use Flow : Purchase Service Example

Private Data Use Flow : Clarification of Purchase Service Example

© S-Cube

We take a part of private data use flow (path [A-B-C-C1-C2-C3-D2-E]) :

In the state C, three clauses of the privacy agreement policy level are triggered :

1. the current operation for two private data (r1email, rccn) which is payment invoice, is still

activated by the provider to achieve the service aim. The rights are cumulated from the

previous state because the retention times of the rights r1email and rccn associated with

the private data are not elapsed.

2. the send-offer operation (r2email) is activated by entering C for marketing purpose of the

service (not to complete the service), it is an extra-activity of the service.

In the state C2 three clauses of the privacy agreement policy level are triggered :

1. the current operation (r1email) is still activated and then cumulated from the previous state

C1.

2. the extra activity in r2email is still activated and then cumulated in the new state from C1 .

3. the action of security is triggered (occn) because the time of data retention is elapsed

(μrccn).

In the state E two clauses are triggered

1. the obligation occn is still activated and cumulated from the previous state D2 .

2. the obligation oemail is activated because the time μoemail to activate is reached.

Managing Privacy Agreement : Privacy Lifecycle

© S-Cube

Unchanged

[Not-Violated]

Sleep Whipped up

Revised

Activated

Finished

Event

[Rejected]

[Accepted]

[Not-Changed]

[Conflict]

Checked Negotiated

Private data

use flow

Running

Running

Running

Evolution Checking

Privacy Events Term : The Semantics of States

© S-Cube

[[sleep]] The agreement is created and not used monitored

[[activated]] The service involving the agreement is running then the agreement is

activated

[[whipped up]] During the running service an event occurs subject to change the

agreement

[[checked]][Not−violated] The agreement is checked if no conflict exists

[[checked]][Conflict] The agreement is checked when a conflict exists then a negotiation is

started

[[checked]][Not−changed] The checking implies no changes in the agreement

[[negotiated]][Accepted] The agreement is negotiated and accepted by the two parties

[[negotiated]][Rejected] The negotiation fails and starts again until an agreement is defined

[[revised]] The agreement is revised and is running again with new updates

[[unchanged]] After the occurrence of the events, the agreement remains

unchanged

[[finished]] The agreement is terminated

[[private data use flow]] Clauses of the agreement are activated

Privacy Events Term : The Semantics of Transitions

© S-Cube

[[running]] An operation on a private data is running

[[evolution]] An event occurs and an evolution of the agreement is expected

[[checking]] The privacy-agreement is going to be checked whether a conflict arises

or not after the evolution

[[not−changed]] The change does not change the agreement

[[not−violated]] The change does not violate the agreement

[[accepted]] The negotiation is accepted

[[conflict]] The guarantee term is not satisfied

[[rejected]] The proposal is rejected and renegotiate again.

Managing Privacy Agreement : Agreement Negotiation Protocol ANP

© S-Cube

Event needs to start a negotiation Negotiation ANP

ANP is a protocol that govern and structure interactions between

signing parties.

ANP include a negotiation language and an interaction mechanism .

Rubinstein Alternating Offers Protocol , a game theory based

approach.

Weight is used to come up to a good negotiation.

State machine is used to represent the agents behavior.

Agreement Negotiation Protocol ANP

© S-Cube

(S, so, f, M, ∆ ,μn ,P)

set of states initial state

set of penalties

set of messages

f ⊂ S set of final states

(end or penalties)

Negotiation

time

ANP

Δ ⊆ S ×S×M

set of transitions

Provider’s Negotiation Protocol

© S-Cube

Relate

Justify

Proposal

Writing New

proposition

Waitting for

Response

End

Negotiation

(e,te)

‘TimeOut’: µn+

Analysing

notify

Proposal

Reject

Reply

M6: (µn+ , p) +

Idle

Accept

Managing Privacy Agreement : Policy Level Change Operations

© S-Cube

Evolution : Operations of Changes

= {AddTransition, AddState, RemoveAddState,...}

AddTransition (t, sp,ss,at)

ss,sp ∈ FP .S and t FP .T

Fn.T = Fp.T∪{t}

╞ P2(t)

Fn.Ψ= Fp.Ψ ∪{t → (sp,ss)}

Fn.ρ = Fp.ρ ∪{{at → t}} where

at ∈ {r.op, o.µo,r.µr,timeout }

AddState(ss,sp,t)

ss FP .S and t FP .T

╞ P1(rs)

Fn.S = Fp.S∪{ss}

Fn.C = Fp.C∪{rs}

Fn.Φ= Fp.Φ ∪{rs → ss}∪{rp → ss}∪{op → ss}

AddTransition(t, sp,ss,at)

…..

Privacy Agreement Negotiation : Realization

© S-Cube

Implementation of the negotiation model and the

interaction between signing parties to manage the

behavior of services when possible events may

happen.

Providing tools to support the negotiation as well

as the detection and analysis of relevant events in

the dynamic environment of web services.

Providing infrastructure to manage, propose and

evaluate the proposition.

Privacy Agreement Negotiation : Architecture

© S-Cube

Acceptation Privacy -

Agreement

Update Privacy agreement

Action Scheduler

Actions didacted by changes AC

Privacy-Data

customer

Privacy -Agreement

provider

Data-Guarantee Controller

active agreement level checking

Event Handler

Event update

Categorization Events

Invocation negotiation

reject

Proposition

proposition

Decision [Justificationt]]

Revision Agreement

Agreement Negotiation Protocol

Proposal Evaluator

Privacy-

Agreement

generator

Negotiation

Mediator

Agent justification

Data- Data- Obligation Ref

Data- Data- Right Ref Conflit /no-conflit

Store& versionning

time checker

Weight

administrator

Environment

Privacy Agreement Negotiation : Architecture

© S-Cube

Event Handler monitors and detects relevant events in the environment.

Data guarantee controller analyzes the events coming from the event handler by means

of the categorization event module and identifies the category of the event

Negotiation Mediator Agent receives message from the Data controller and forwards it

to the Privacy Agreement generator (Invocation negotiation message or a revision

agreement message).

Privacy-Agreement Generator, an editing interface which assists the provider to

generate a proposition, evaluates the proposal regarding the customer preferences and

generates an appropriate response.

Weight Administrator assigns the weight to each proposal by summing separately the

weights affected by the provider and the customer for each term revised or proposed in

the proposal and select the best proposed agreement by calculating for each party the

maximum of the weights affected to the proposition.

Acceptation Privacy-Agreement is the result of the negotiation or revision processes.

Action Scheduler generates a set of actions in the table from document sent by the

Acceptation Privacy-Agreement module and specifies which data-obligations and data-

rights are concerned by these change actions.

Update Privacy agreement executes all the actions defined in the action table on an

appropriate data-right and data-obligation.

Privacy Agreement Negotiation : Evaluation

© S-Cube

Evaluation of the impact of each event in the negotiation.

In the framework we consider many negotiations for a

single running event.

Our experimental measurement is twofold :

1. the number of the solutions proposed by the service

provider to the customer.

2. the time of the negotiation when a change is needed in

the privacy agreement.

The measurements express the persuasion degree to

convince the service customer to agree with the changes in

the privacy agreement.

Privacy Agreement Negotiation : Evaluation

© S-Cube

During the negotiation process, each party assigns a

weight to the proposition and we measure the

approbation degree of the proposed solution as for the

emphasis degree of the private data.

The weight of the provider is uniform and does not

change, we have study the weight of the client side.

Experimental Results

© S-Cube

sp weight

cu weight

0

2

4

6

8

10

p1 p2 p3 p4 p5 p6

we

igh

t

no.proposition

Event data-driven.new purpose.new third part

sp weightcu weight

1. The evaluation of the acceptance degree of the propositions by the

customer :

a. the figure shows that the more the client accepts the proposed solution

by the provider with a high weight, the more the exchange of the proposition

decreases through time and both sides agree about a solution quickly


© S-Cube

sp weight0

2

4

6

8

10

p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 p11 p12

we

igh

t

no.proposition

Event data-user-driven.new third part

sp weight

cu weight

b. In the figure , we can observe that the lower the assigned weight, the

less the client is able to accept the solution and the more he needs

propositions


© S-Cube

2. The graph shows for each event the time taken for the negotiation and the number of the

propositions proposed by the provider to persuade the customer to make the revision. As

we can see, the increasing number of the propositions causes a linear increase in the time

taken for the negotiation instance :

time negotiation (mn)

nbr.propostions

000

005

010

015

data

-d

riven

.ne

wp

urp

ose

.new

thir

d p

art

y

pu

rpo

se

-d

riven

.ne

wp

urp

ose

.new

thir

d p

art

y

du

rati

on

-d

riven

data

-use

r-d

riven

.ne

wth

ird

pa

rt

data

-use

r-d

riven

.ch

an

ge t

hir

d p

art

Event/no.Negotiation. Negotiation time and nbr. propositions

time negotiation (mn)

nbr.propostions

Conclusion

We have proposed a formal model for privacy called privacy agreement which is an extension of WS-Agreement specifications, that both customer and provider might agree before any running process.

We have emphasized a lifecycle of privacy which is an important issue

to date which has not been addressed.

Based on a formalization of the private data use flow model, we have

presented privacy policy evolution primitives and an agreement

negotiation protocol that allow to evolve the privacy agreement to a new

one.

we point out that the framework is one component of a Broader CASE

tool in ServiceMosaic platform, that manages the entire service development

lifecycle.

© S-Cube

Further S-Cube Reading

© S-Cube

[Benbernou 2010] H. Meziane and S. Benbernou. A dynamic privacy

model for web services. Journal Computer Standards & Interfaces,

ELSEVIER, 32(5-6):288–304, 2010.

References

© S-Cube

[Benbernou 2007] S. Benbernou, H. Meziane, Y.H. Li, and M. Hacid. A privacy agreement model for web

services. IEEE International Conference on Service Computing SCC’07,July 2007.

[Oberholze 2005] H. Oberholzer, M. S. Olivier, Privacy contracts as an extension of privacy policies, in:

IProceedings of the 21st International Conference on Data Engineering, ICDE 2005, IEEE Computer

Society, Tokyo, Japan, 2005, p. 1192.

[Osborne 1990] M. Osborne, A. Rubinstein, Bargaining and markets, The Academic Press, 1990.

[. Karjoth 2002] G. Karjoth, M. Schunter, A privacy policy model for enterprises, in: 15th IEEE

Computer Security Foundations Workshop (CSFW-15 2002), IEEE Computer Society, Cape Breton, Nova

Scotia, Canada, 2002, pp. 271–281.

[Ashley2002] P. Ashley, S. Hada, G. Karjoth, M. Schunter, E-p3p privacy policies and privacy authorization,

in: Proceedings of the 2002 ACM Workshop on Privacy in the Electronic Society, WPES 2002, ACM,

Washington, DC, USA, 2002, pp. 103–109.

[Bertino 2009] Q. Ni, E. Bertino, J. Lobo, S. B. Calo, Privacy-aware role-based access control, IEEE

Security & Privacy 7 (4) (2009) 35–43.

[Bertino 2004] E. Bertino, E. errari, A. Squicciarini, Trust negotiations: Concepts, systems, and languages,

Computing in Science and Engg. 6 (4) (2004) 27–34.

[Parkin 2006] M. Parkin, D. Kuo, J. Brooke, A framework and negotiation protocol for service contracts, in:

IEEE International Conference on Service Computing SCC’06, IEEE Computer Society, Chicago, Illinois,

USA, 2006, pp. 253–256.

Acknowledgements

The research leading to these results has

received funding from the European

Community’s Seventh Framework

Programme [FP7/2007-2013] under grant

agreement 215483 (S-Cube).

© S-Cube

s-cube lp: dynamic privacy model for web service

Technology