Upload
otto-barker
View
24
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Implementing P3P Using Database Technology Rakesh Agrawal Jerry Kiernan Ramakrishnan Srikant Yirong Xu. Presented by Yajie Zhu 03/24/2005. Outline. Introduction Overview of P3P Current P3P implementations Server-centric implementation Algorithms Results of performance experiments - PowerPoint PPT Presentation
Citation preview
Implementing P3P Using Database Technology
Rakesh Agrawal Jerry Kiernan Ramakrishnan Srikant Yirong Xu
Presented by Yajie Zhu
03/24/2005
Outline
• Introduction• Overview of P3P• Current P3P implementations• Server-centric implementation• Algorithms • Results of performance experiments• Conclusion and future work
Introduction
• Platform for Privacy Preferences(P3P)– web users gain control over their private
information– web site owners can express their privacy
policies in a standard format– a user can programmatically check against
her privacy preferences to decide whether to release her data to the web site
• P3P became a W3C Recommendation on April 16, 2002
Overview of P3P
• Privacy Policies:– An XML format in which a web site can
encode its data-collection and data-use practices
• Privacy Preferences: – A machine-readable specification of a user’s
preferences that can be programmatically compared against a privacy policy
Detailed information: http://www.w3c.org/TR/P3P/
P3P Policy Description• P3P policies are described as a sequence of
STATEMENT elements.– CONSEQUENCE: the purpose for collecting
information in human-readable text– PURPOSE: purposes for which information is
collected.12 predefined values. Ex: <current/>,<individual-decision/>, <contact/>
– RECIPIENT: the users of the collected information6 predefined values.Ex: <ours/>, <same/>, <unrelated/>
Opt-in or opt-out values can be assign to the required attribute of PURPOSE and RECIPIENT elements
P3P Policy Description (Cont.)– RETENTION: the duration for which the collected
information will be kept 5 predefined valuesEx: <stated-purpose/>, <business-practice/>, <indefinitely/>
– DATA-GROUP and DATA: the list of individual data items that are collected for stated purposes in the statement.predefined types of data itemsDATA can contain related category information.
– CATEGORIES: provide hints to users as to the intended uses of the data. Ex: <physical/>, <online/>, <purchase/>
An Example Policy
Privacy Preferences
• Privacy preferences are expressed in APPEL as a list of RULEs– Rule behavior: specifies the action to be taken
if the rule fires.
request, block– Rule body: Provides the pattern that is
matched against a policy.
Privacy Preferences (Cont.)• Connective attribute: defines the logical
operators of the language.– And (default): all of the contained expressions can be
found in the policy– Or : one or more of the contained expressions can be
found in the policy– And-exact – Or-exact – Non-and (negated and)– Non-or (negated or)
Every element in an APPEL rule has a connective associated with it.
An Example APPEL Preference
The Reference File• A site may have
multiple privacy policy for different web pages, which may offer various services.
• A site’s reference file assigns individual policies with subsets of the URIs.
• In the reference file, each policy has a set of INCLUDE/EXCLUDE declarations of the URIs.
<META xmlns="http://www.w3.org/2002/01/P3Pv1"> <POLICY-REFERENCES> <EXPIRY max-age="172800"/>
<POLICY-REF about="/P3P/Policies.xml#first"> <INCLUDE>/*</INCLUDE> <EXCLUDE>/catalog/*</EXCLUDE> <EXCLUDE>/cgi-bin/*</EXCLUDE> <EXCLUDE>/servlet/*</EXCLUDE> </POLICY-REF>
<POLICY-REF about="/P3P/Policies.xml#second"> <INCLUDE>/catalog/*</INCLUDE> </POLICY-REF>
<POLICY-REF about="/P3P/Policies.xml#third"> <INCLUDE>/cgi-bin/*</INCLUDE> <INCLUDE>/servlet/*</INCLUDE>
<EXCLUDE>/servlet/unknown</EXCLUDE> </POLICY-REF>
</POLICY-REFERENCES></META>
Current P3P Implementation
• Client-Centric Architecture– Web sites create and install policy files at their
sites.• P3PEdit: a web-based privacy policy generator• IBM Tivoli Privacy Wizard: a web-based GUI tool to
define privacy policies
– The users browse a web site, their preferences are checked against a site’s policy before they access the sit.
Client-Centric Architecture Implementation
• IE6 implementation of Compact P3P policies– IE6 allows a user to specify her privacy preference for
handling cookies
• AT&T Privacy Bird– It accepts user-defined APPEL privacy preference– An APPEL engine compares a user’s APPEL
preference with a web site’s P3P policy
• Other Tools– JRC APPEL Preference Editor: a Java-based editor
for preparing APPEL preferences.– JRC P3P Proxy: a centralized proxy service that
conducts P3P privacy policy checking on behalf of subscribed users
Server-Centric Architecture• A website deploys P3P, and installs its privacy
policies in a database system• Database querying at the server is used for
matching a user’s preferences against privacy policies– Convert privacy policies into relational tables and
convert an APPEL preference into an SQL query for matching.
– Store privacy policies in relational tables, define an XML view over them , and use an XQuery derived from an APPEL preference for matching.
– Store privacy policies in a native XML store and use an XQuery derived from an APPEL preference for matching.
Server-Centric Architecture (Cont.)• Advantages
– The preference checking at the server leads to lean clients (mobile device)
– An upgrade in P3P specification only require an upgrade in all the servers
– As new privacy-sensitive applications emerge, they will reuse checking done at the server
– Site owner can refine their policies, when they know that policies have a conflict with the users’ privacy preferences
– Using databases for preference matching yields additional advantages
• The privacy data tables can serve as meta data for ensuring that polices are followed
• Can reuse the proven database technology for checking preferences against policies.
• Versions of policies can be better managed
Server-Centric Architecture (Cont.)
• Disadvantages– There needs to be a greater amount of trust
on the server• The user has to trust the server• The user has to trust the database software used
by the server
– By using Client-Centric to cache a reference file, the client may avoid some checks, if a user visits many pages that are governed by the same policy
Algorithms for Server-Centric Implementation
• Database Schema for P3P policy
• Populate the tables with the data
Algorithms for Server-Centric Implementation (Cont.)
• Translating APPEL Preferences into SQL Queries– The main() mirrors the
structure of the APPEL rule.– The match() generates the
SQL code for matching an APPEL expression
• Select elements in the P3P policy from the table
• Ensure that the elements belong to their parent elements
• Match any attributes specified in the APPEL expression
• Recursively match any sub expressions with the appropriate connective.
Optimizations
• Reduce the number of tables in order to reduce the number of joins in the generated SQL queries– Store P3P subelements in their parent table, not in
separate tables.– Store the value of RETENTION in STATEMENT
table, since each STATEMENT can have only one RETENTION element.
– Store the value of CONSEQUENCE in a nullable column in STATEMENT table.
Translation Example• Simplified First Rule
from Jane’s APPEL preference
• SQL Translation
Algorithms for Server-Centric Implementation (Cont.)
• Translating APPEL Preferences into XQuery– The main() generates an
XQuery if statement • Return the rule behavior if
the condition expressed by the rule is met by the application policy
– The match() translates the body of the rule
Performance Experiments• Measure the time to match a P3P policy with
an APPEL Preference– Experimental Setup
• A native APPEL engine from the Joint Research Center
• DB2 UDB 7.2 as a database engine• Translating APPEL preference into XQuery, use
the XTABLE prototype
– Data Set• 29 P3P policies (size from 1.6 to 11.9 Kbytes)• 5 APPEL preference with 5 different levels of
sensitivity
Performance Results
Conclusion and Future work• Contributions of the paper
– Identification of P3P as an important application area for database systems.
– Investigation of alternative architectures for implementing P3P.– Proposal for a server-centric architecture based on database
querying technology. – Mapping of a P3P policy schema into a relational schema for storing
policy data. – Algorithms for translating privacy preferences expressed in APPEL
into SQL as well as XQuery.– Performance experiments showing that the proposed architecture
has adequate performance for it to be used in practical deployments of P3P.
• Future work• Explore the use of database query languages for directly expressing
and representing privacy preference• Identify the minimal subset of SQL and XQuery • Develop and implement database mechanisms for ensuring that the
privacy policies are indeed being followed
Questions and Discussions