Implementing P3P Using Database Technology

Rakesh Agrawal Jerry Kiernan Ramakrishnan Srikant Yirong Xu

Presented by Yajie Zhu

03/24/2005

Outline

• Introduction• Overview of P3P• Current P3P implementations• Server-centric implementation• Algorithms • Results of performance experiments• Conclusion and future work

Introduction

• Platform for Privacy Preferences(P3P)– web users gain control over their private

information– web site owners can express their privacy

policies in a standard format– a user can programmatically check against

her privacy preferences to decide whether to release her data to the web site

• P3P became a W3C Recommendation on April 16, 2002

Overview of P3P

• Privacy Policies:– An XML format in which a web site can

encode its data-collection and data-use practices

• Privacy Preferences: – A machine-readable specification of a user’s

preferences that can be programmatically compared against a privacy policy

Detailed information: http://www.w3c.org/TR/P3P/

P3P Policy Description• P3P policies are described as a sequence of

STATEMENT elements.– CONSEQUENCE: the purpose for collecting

information in human-readable text– PURPOSE: purposes for which information is

collected.12 predefined values. Ex: <current/>,<individual-decision/>, <contact/>

– RECIPIENT: the users of the collected information6 predefined values.Ex: <ours/>, <same/>, <unrelated/>

Opt-in or opt-out values can be assign to the required attribute of PURPOSE and RECIPIENT elements

P3P Policy Description (Cont.)– RETENTION: the duration for which the collected

information will be kept 5 predefined valuesEx: <stated-purpose/>, <business-practice/>, <indefinitely/>

– DATA-GROUP and DATA: the list of individual data items that are collected for stated purposes in the statement.predefined types of data itemsDATA can contain related category information.

– CATEGORIES: provide hints to users as to the intended uses of the data. Ex: <physical/>, <online/>, <purchase/>

An Example Policy

Privacy Preferences

• Privacy preferences are expressed in APPEL as a list of RULEs– Rule behavior: specifies the action to be taken

if the rule fires.

request, block– Rule body: Provides the pattern that is

matched against a policy.

Privacy Preferences (Cont.)• Connective attribute: defines the logical

operators of the language.– And (default): all of the contained expressions can be

found in the policy– Or : one or more of the contained expressions can be

found in the policy– And-exact – Or-exact – Non-and (negated and)– Non-or (negated or)

Every element in an APPEL rule has a connective associated with it.

An Example APPEL Preference

The Reference File• A site may have

multiple privacy policy for different web pages, which may offer various services.

• A site’s reference file assigns individual policies with subsets of the URIs.

• In the reference file, each policy has a set of INCLUDE/EXCLUDE declarations of the URIs.

<META xmlns="http://www.w3.org/2002/01/P3Pv1"> <POLICY-REFERENCES> <EXPIRY max-age="172800"/>

<POLICY-REF about="/P3P/Policies.xml#first"> <INCLUDE>/*</INCLUDE> <EXCLUDE>/catalog/*</EXCLUDE> <EXCLUDE>/cgi-bin/*</EXCLUDE> <EXCLUDE>/servlet/*</EXCLUDE> </POLICY-REF>

<POLICY-REF about="/P3P/Policies.xml#second"> <INCLUDE>/catalog/*</INCLUDE> </POLICY-REF>

<POLICY-REF about="/P3P/Policies.xml#third"> <INCLUDE>/cgi-bin/*</INCLUDE> <INCLUDE>/servlet/*</INCLUDE>

<EXCLUDE>/servlet/unknown</EXCLUDE> </POLICY-REF>

</POLICY-REFERENCES></META>

Current P3P Implementation

• Client-Centric Architecture– Web sites create and install policy files at their

sites.• P3PEdit: a web-based privacy policy generator• IBM Tivoli Privacy Wizard: a web-based GUI tool to

define privacy policies

– The users browse a web site, their preferences are checked against a site’s policy before they access the sit.

Client-Centric Architecture Implementation

• IE6 implementation of Compact P3P policies– IE6 allows a user to specify her privacy preference for

handling cookies

• AT&T Privacy Bird– It accepts user-defined APPEL privacy preference– An APPEL engine compares a user’s APPEL

preference with a web site’s P3P policy

• Other Tools– JRC APPEL Preference Editor: a Java-based editor

for preparing APPEL preferences.– JRC P3P Proxy: a centralized proxy service that

conducts P3P privacy policy checking on behalf of subscribed users

Server-Centric Architecture• A website deploys P3P, and installs its privacy

policies in a database system• Database querying at the server is used for

matching a user’s preferences against privacy policies– Convert privacy policies into relational tables and

convert an APPEL preference into an SQL query for matching.

– Store privacy policies in relational tables, define an XML view over them , and use an XQuery derived from an APPEL preference for matching.

– Store privacy policies in a native XML store and use an XQuery derived from an APPEL preference for matching.

Server-Centric Architecture (Cont.)• Advantages

– The preference checking at the server leads to lean clients (mobile device)

– An upgrade in P3P specification only require an upgrade in all the servers

– As new privacy-sensitive applications emerge, they will reuse checking done at the server

– Site owner can refine their policies, when they know that policies have a conflict with the users’ privacy preferences

– Using databases for preference matching yields additional advantages

• The privacy data tables can serve as meta data for ensuring that polices are followed

• Can reuse the proven database technology for checking preferences against policies.

• Versions of policies can be better managed

Server-Centric Architecture (Cont.)

• Disadvantages– There needs to be a greater amount of trust

on the server• The user has to trust the server• The user has to trust the database software used

by the server

– By using Client-Centric to cache a reference file, the client may avoid some checks, if a user visits many pages that are governed by the same policy

Algorithms for Server-Centric Implementation

• Database Schema for P3P policy

• Populate the tables with the data

Algorithms for Server-Centric Implementation (Cont.)

• Translating APPEL Preferences into SQL Queries– The main() mirrors the

structure of the APPEL rule.– The match() generates the

SQL code for matching an APPEL expression

• Select elements in the P3P policy from the table

• Ensure that the elements belong to their parent elements

• Match any attributes specified in the APPEL expression

• Recursively match any sub expressions with the appropriate connective.

Optimizations

• Reduce the number of tables in order to reduce the number of joins in the generated SQL queries– Store P3P subelements in their parent table, not in

separate tables.– Store the value of RETENTION in STATEMENT

table, since each STATEMENT can have only one RETENTION element.

– Store the value of CONSEQUENCE in a nullable column in STATEMENT table.

Translation Example• Simplified First Rule

from Jane’s APPEL preference

• SQL Translation

Algorithms for Server-Centric Implementation (Cont.)

• Translating APPEL Preferences into XQuery– The main() generates an

XQuery if statement • Return the rule behavior if

the condition expressed by the rule is met by the application policy

– The match() translates the body of the rule

Performance Experiments• Measure the time to match a P3P policy with

an APPEL Preference– Experimental Setup

• A native APPEL engine from the Joint Research Center

• DB2 UDB 7.2 as a database engine• Translating APPEL preference into XQuery, use

the XTABLE prototype

– Data Set• 29 P3P policies (size from 1.6 to 11.9 Kbytes)• 5 APPEL preference with 5 different levels of

sensitivity

Performance Results

Conclusion and Future work• Contributions of the paper

– Identification of P3P as an important application area for database systems.

– Investigation of alternative architectures for implementing P3P.– Proposal for a server-centric architecture based on database

querying technology. – Mapping of a P3P policy schema into a relational schema for storing

policy data. – Algorithms for translating privacy preferences expressed in APPEL

into SQL as well as XQuery.– Performance experiments showing that the proposed architecture

has adequate performance for it to be used in practical deployments of P3P.

• Future work• Explore the use of database query languages for directly expressing

and representing privacy preference• Identify the minimal subset of SQL and XQuery • Develop and implement database mechanisms for ensuring that the

privacy policies are indeed being followed

Questions and Discussions