Dismantling the Twelve Privacy Purposes - PowerPoint PPT Presentation


Transcript and Presenter's Notes

1
Dismantling the Twelve Privacy Purposes
Sabah S. Al-Fedaghi, Department of Computer Engineering, Kuwait University, sabah_at_eng.kuniv.edu.kw

IFIP 2007
2
  • Agenda
  • Contribution: focusing on fundamental terms of
    informational privacy
  • Problems with Purpose
  • Definitions
  • Purposes and P3P
  • Framework for replacing Purpose
  • Dismantling CURRENT
  • Dismantling ADMIN

3
  • Contribution
  • The Platform for Privacy Preferences (P3P)
  • EPAL
  • XACML
  • Hippocratic databases
  • In spite of these impressive systems,
    insufficient attention is directed to the
    fundamental terms of informational privacy.
  • P3P is singled out since it is the oldest of
    these projects and is therefore the one expected
    to have reached a mature foundation for its
    specification; however, the implications apply
    similarly to the other projects.
  • I direct my efforts at the most important notion
    in P3P and the other systems: purpose.

4
  • Purpose appears in all privacy guidelines, codes,
    policies, and legislations. It plays a central
    role in many privacy-related systems.
  • Purpose is commonly defined in general terms as
    how the collected data can be used, as the
    intended use of the data element, or as a
    description of the reason(s) for data collection
    and data access.

5
  • Purpose appears both as uses (e.g., delivery of
    a purchase) of personal information and as acts
    (e.g., research) on personal information.
  • Claim: the 12 standard P3P purposes mix uses of
    personal information (PI) with acts on personal
    information, and mix uses of personal information
    privacy with other states of affairs that have
    several interpretations. Some purposes are not
    even strongly privacy-related.
  • Proposal: use chains of information handling
    that let the user exercise more control over the
    use of his/her PI and allow the personal
    information (PI) gatherer to exercise more control
    over the processing and accessing of information
    in its possession.

6
  • Problems with Purpose
  • Purpose is defined in the 2006 W3C P3P Working
    Draft as "the reason(s) for data collection and
    use".
  • Reasons are given in response to "why"
    questions.
7

Why do you collect my personal information?
Because I want to use it in telemarketing
8

Why do you want to take my money?
Because I want to use it in investment
9
  • I need to know how
  • However, there remains the equally important
    question: How do you utilize my money? (Acts
    on PI?)
  • To answer this question, you don't give me
    reasons but actions. For example,
  • - I will use it to buy and sell stocks, or
  • - I will buy with it old houses to renovate and
    sell for profit.
  • I would be foolish if I were satisfied with only
    the answer to the "why" question.
  • This is approximately the logic of personal
    information exchange in P3P. We will propose a
    mechanism to specify the answers to the "how" and
    "why" questions concurrently.

10
Why do you want to take my money?
Because I want to use it in investment

OK, here it is.
11
  • (2) Separating the "why" from the "how"
  • The specifications of the 12 P3P purposes
    sometimes reflect the answer to the "how" question
    rather than reasons that answer the "why" question.
  • Example: the P3P purpose "to determine the
    habits, interests, or other characteristics of
    individuals and combine it with identified data
    to make a decision that directly affects that
    individual" contains both
  • an answer to the "how" question (act on PI), and
  • an answer to the "why" question (use of PI).
  • This separation is important because there is a
    limited number (19 acts) of ways of acting on
    personal information; hence the answer to the
    "why" question can be specified in a precise manner.

12
  • (3) Several interpretations of the same purpose
  • The interpretation of the 12 P3P purposes is
    overly verbose. According to Thibadeau,
  • "We could have hundreds of very specific purposes.
    For people who know about the science of human
    intentionality, it makes sense to be able to list
    many specific purposes ... and the writers of the 1.0
    working draft specification ... understand that a
    purpose or intent is actually a simple thing to
    state and evaluate" [15].
  • Answering the "how" question uncovers multiple
    interpretations of the answer to the question
    "Why are you collecting and using my personal
    information?"

13
  • (4) Is this a privacy-related purpose?
  • The 12 P3P purposes sometimes stray from
    privacy-related situations. The P3P purpose
    "Information may be used to ... without tying
    identified data" doesn't deal with personal
    information defined as personally-identifying
    information. If such purposes are necessary,
    then they should not be mixed in the same basket
    with personal information use purposes.

14
  • Definitions
  • Personal information is information that refers
    to uniquely identifiable individuals.

15
  • Personal Information Privacy
  [Figure: "Privacy" split into Personal Information Privacy and other types of privacy, e.g., physical privacy, communication privacy, non-personal information privacy]
16
What is Personal Information Privacy?
What is personal information?
Two fundamental types of entities:
  • Persons (natural persons)
  • Non-persons (e.g., company, government agency, etc.)
17
Information is of two types:
  (i) Non-personal information: information that has
      no referent that signifies persons.
  (ii) Personal information: information that refers
      to persons.
      (a) Atomic: information that has a single
          referent that signifies a single person.
      (b) Compound: information that has more than one
          referent that signifies persons.
18
  • "Spare part x2345 is in store B5" (non-personal
    information)
  • "John is tall and handsome"
  • "John, Alice, and Robert hate each other"
  • Proprietor's Theorem: Any compound personal
    information is privacy-reducible to a set of
    atomic personal information. (Al-Fedaghi, PST
    2005) E.g., "John hates someone", "Someone hates
    John", ...
19
Non-personal information privacy
[Figure: non-personal information, e.g., architectural sketches: informational privacy but not personal information privacy]
20
Types of Personal Information Privacy
[Figure with labels: Jane; personal information of Jane; John; personal information of John (he is unaware of it); personal information of Jane's friend Alice; "Whose privacy is this?"]
21
  • Personal Information Flow Model (PIFM)
  • The personal information flow model divides the
    functionality of handling PI into five stages:
  • creating
  • collecting
  • processing
  • disclosing
  • communicating
  • Some stages include sub-stages.

22
[Figure: the five PIFM stages (Creating, Collecting, Processing, Disclosing, Communicating) with their sub-stages (Store, Use, Utilize, Mining) and the Non-Repudiation and Authentication components of Communicating. IFIP 2007]
23
[Figure 3. Architecture of Proprietor/Agent PI flow: a Proprietor's Region and an Agent's Region, each containing Creating, Collecting, Processing, Disclosing stages with Store, Use, Utilize and Mining sub-stages, a Non-proprietor source, and flow arrows labelled A, E, F, I, J, K, L, M, N, O, P]
24
[Figure 3 (continued). Architecture of Proprietor/Agent PI flow with a Proprietor's Region and Agents' Regions (Agent 1, Agent 2, Agent 3): Creating, Collecting, Processing, Disclosing stages with Store, Utilize and Mining sub-stages; disclosure arrows labelled "Disclosing by proprietor", "Disclosing collected PI", "Disclosing processed PI", "Disclosing created PI"; flow labels A, E, F, I, J, K, L, M, N, O, P]
25
  • Purposes and P3P
  • In P3P, we find 12 declared standard purposes
    current, admin, develop, tailoring,
    pseudo-analysis, pseudo-decision,
    individual-analysis, individual-decision,
    contact, historical, telemarketing, and
    other-purpose. The purpose element in P3P
    contains one or more of these pre-defined values
    and can be qualified with values such as opt-in,
    opt-out, and always.
  • Not specific, since it is possible to produce
    an infinite number of these purposes.
  • Mixes uses of personal information with acts
    on personal information.
  • Mixes uses of personal information privacy
    with other states of affairs that have several
    interpretations.
  • In order to dismantle these purposes, we need to
    construct a framework for the semantics of acts
    and uses.
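As an added example (not part of the slides or of the author's work), the following Python reads the PURPOSE element of a P3P 1.0 policy. P3P policies are XML in the namespace http://www.w3.org/2002/01/P3Pv1; each STATEMENT carries a PURPOSE element whose children are the twelve standard purposes named above, and each child may carry a `required` attribute with the value "always" (the default), "opt-in" or "opt-out". The policy in the block is constructed for this example and describes no real site.

```python
"""Parser for the PURPOSE element of a P3P 1.0 policy (added example)."""
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# The twelve standard purposes, spelled as P3P element names.
STANDARD_PURPOSES = {
    "current", "admin", "develop", "tailoring",
    "pseudo-analysis", "pseudo-decision",
    "individual-analysis", "individual-decision",
    "contact", "historical", "telemarketing", "other-purpose",
}

# Constructed sample policy: two statements, the second declaring purposes
# that depend on the user's opt-in / opt-out choice.
SAMPLE_POLICY = f"""<?xml version="1.0"?>
<POLICIES xmlns="{P3P_NS}">
  <POLICY name="example" discuri="http://example.invalid/privacy.html">
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE>
        <telemarketing required="opt-in"/>
        <individual-decision required="opt-out"/>
        <other-purpose>research on reading habits</other-purpose>
      </PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""


def parse_purposes(policy_xml):
    """Return one (statement_index, purpose, required, note) tuple per declared purpose.

    `note` is the free-text content that P3P allows inside other-purpose;
    it is empty for the eleven fixed purposes.
    """
    root = ET.fromstring(policy_xml)
    ns = {"p": P3P_NS}
    found = []
    for index, statement in enumerate(root.iterfind(".//p:STATEMENT", ns)):
        for purpose in statement.iterfind("p:PURPOSE/*", ns):
            # ElementTree prefixes tags with "{namespace}"; keep only the local name.
            name = purpose.tag.split("}", 1)[1]
            if name not in STANDARD_PURPOSES:
                raise ValueError(f"unknown purpose element: {name}")
            required = purpose.get("required", "always")
            if required not in ("always", "opt-in", "opt-out"):
                raise ValueError(f"bad required value: {required}")
            note = (purpose.text or "").strip()
            found.append((index, name, required, note))
    return found


def purposes_needing_choice(policy_xml):
    """Purposes the user must opt into, or may opt out of, as (name, required) pairs."""
    return [(name, required)
            for _, name, required, _ in parse_purposes(policy_xml)
            if required != "always"]


if __name__ == "__main__":
    for index, name, required, note in parse_purposes(SAMPLE_POLICY):
        print(f"statement {index}: {name} ({required}) {note}")
    print("needs user choice:", purposes_needing_choice(SAMPLE_POLICY))
```

The parser only reads the declared purpose names and qualifiers; it says nothing about which acts on PI each purpose implies, which is exactly the gap the slides argue P3P leaves open.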

26
  • Framework for replacing Purpose
  • Acts: performing an action on something.
  • Uses: putting something to a particular purpose.
  • Consider the case of acts and uses with respect
    to grapes:
  • (1) Acts on grapes: plant them, eat them, collect
    them, store them, dry them.
  • (2) Uses of grapes: medical treatment of a person,
    decorating cakes (eyes in a face), celebrating
    (myself/others), teaching students addition and
    subtraction, fueling cars (bioethanol fuel).

27
  • To distinguish between acts and uses, we utilize
    the agent/action/patient structure shown in the
    figure. It includes an agent who acts on a
    patient; the patient is the object that receives
    the action.
  • For acts: actor/acts-on/patient.
  • For uses, the model involves a third entity, the
    usee.
  • The usee is the one used by the agent to act on a
    patient. For example, a physician uses personal
    information to treat a patient.

28
[Figure: act = Agent acts on Patient; use = agent uses usee to act on patient]
29
  • Dismantling CURRENT
  • According to P3P, the purpose "current" refers
    to:
  • "Completion and Support of Activity For Which Data
    Was Provided: Information may be used by the
    service provider to complete the activity for
    which it was provided, whether a one-time
    activity such as returning the results from a Web
    search, forwarding an email message, or placing
    an order; or a recurring activity such as
    providing a subscription service or allowing
    access to an online address book or electronic
    wallet."

30
  • We show that this purpose
  • mixes (infinite) uses and (a limited number of)
    acts,
  • displays uses that have several interpretations
    (several possible chains), and
  • displays acts that have several interpretations
    (several possible chains).

31
  • Mixing Uses and Acts
  • The definition of the P3P purposes mixes acts and
    uses.

32
  • Example: consider the phrase
  • "Completion and Support of Activity For Which
    Data Was Provided."
  • Analogously,
  • "Taking money to complete and support activities
    for which you give me your money."
  • - Taking money to sell a laptop.
  • Purpose: I am taking your money to complete and
    support delivering the laptop to you (use).
  • Acts on money can include paying money to my
    employees, paying money to others (DHL,
    manufacturer), charging money, converting money.

33
34
  • Uses have several interpretations
  • In P3P's purpose "current", uses have several
    interpretations. Figure 5 shows one possible
    interpretation: PI is collected and then used
    without processing it or disclosing it. Yet
    another interpretation is possible at another
    stage.

[Figure 5. Uses: returning the results from a Web search; placing an order; providing a subscription service; allowing access to an online address. Flow: Proprietor, Collecting, Disclosing]
35
[Figure 3 (repeated). Architecture of Proprietor/Agent PI flow: Proprietor's Region and Agent's Region with Creating, Collecting, Processing, Disclosing stages, Store, Use, Utilize and Mining sub-stages, a Non-proprietor source, and flow labels A, E, F, I, J, K, L, M, N, O, P]
36
  • DISMANTLING ADMIN
  • The P3P "admin" purpose refers to:
  • "Web Site and System Administration: Information
    may be used for the technical support of the Web
    site and its computer system. This would include
    processing computer account information,
    information used in the course of securing and
    maintaining the site, and verification of Web
    site activity by the site or its agents."
  • This would include (1) processing computer
    account information, (2) information used in the
    course of securing and maintaining the site,
    (3) verification of Web site activity by the site
    or its agents.

37
  • This method of description juxtaposes acts and
    uses. In our method, it can be written (or
    graphed) systematically as:
  • PI is gathered, processed and used [acts on PI]
    for [uses of PI]:
  • the technical support of the Web site and its
    computer system;
  • securing and maintaining the site.

38
  • Notice how such a statement reflects the
    sub-graph in the PIFM:
  • gathering → processing → using → different types
    of usage.
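As an added example (not part of the slides or of the author's work), the Python below models a PIFM purpose the way the deck proposes: a chain of acts on PI, which must be a path in the flow model, together with the uses that chain serves. It encodes the "admin" sub-graph just described (gathering → processing → using for two uses) and the "current" interpretation of slide 34 (collected and used directly), and it enumerates every chain from collecting to use to show the "several possible chains" the CURRENT slides refer to. The stage and sub-stage names are the deck's; the edges between them are an assumption made for this example, since the deck only shows them in a figure.

```python
"""Toy model of PIFM purposes as act chains plus uses (added example)."""

# Assumed agent-side edges of the PIFM: stage -> stages reachable next.
# The names are from the slides; the edges are this example's assumption.
PIFM_EDGES = {
    "collecting": {"store", "use", "processing", "disclosing"},
    "processing": {"store", "use", "mining", "disclosing"},
    "mining": {"use", "disclosing"},
    "store": {"use", "processing"},
    "disclosing": {"communicating"},
    "communicating": set(),
    "use": set(),
}


class Purpose:
    """A purpose = acts on PI (a path in the flow model) + the uses they serve."""

    def __init__(self, name, acts, uses):
        self.name = name
        self.acts = list(acts)
        self.uses = list(uses)

    def is_valid_chain(self):
        """True when every consecutive pair of acts is an edge of the flow model."""
        return all(nxt in PIFM_EDGES.get(cur, set())
                   for cur, nxt in zip(self.acts, self.acts[1:]))

    def describe(self):
        """Render the purpose as 'name: act -> act -> ... for use; use'."""
        acts = " -> ".join(self.acts)
        uses = "; ".join(self.uses)
        return f"{self.name}: {acts} for {uses}"


def chains(start, end, graph=PIFM_EDGES):
    """All simple paths from start to end; each path is one interpretation."""
    paths = []

    def walk(node, path):
        if node == end:
            paths.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:          # simple paths only: no revisiting
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


# Slides 37-38: "admin" dismantled into gathering -> processing -> using.
ADMIN = Purpose(
    "admin",
    ["collecting", "processing", "use"],
    ["technical support of the Web site and its computer system",
     "securing and maintaining the site"],
)

# Slide 34: one interpretation of "current", collected and used directly.
CURRENT_ONE = Purpose(
    "current",
    ["collecting", "use"],
    ["returning the results from a Web search", "placing an order"],
)

if __name__ == "__main__":
    for purpose in (ADMIN, CURRENT_ONE):
        print(purpose.describe(), "| valid:", purpose.is_valid_chain())
    # How many ways can "current" be read as collecting ... use in this graph?
    for path in chains("collecting", "use"):
        print("possible chain:", " -> ".join(path))
```

Under the assumed edges, `chains("collecting", "use")` yields seven distinct act chains, which is the point of the CURRENT slides: a purpose stated only as a use leaves the acts on PI underdetermined, whereas a purpose written as a fixed chain plus its uses, like ADMIN above, can be checked against the flow model.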

[Figure: Gather → Process → Use, leading to (1) the technical support of the Web site and its computer system, (2) securing and maintaining the site]
39
[Figure: Processing → Using]
40
[Figure 3 (repeated). Architecture of Proprietor/Agent PI flow: Proprietor's Region and Agent's Region with Creating, Collecting, Processing, Disclosing stages, Store, Use, Utilize and Mining sub-stages, a Non-proprietor source, and flow labels A, E, F, I, J, K, L, M, N, O, P]
41
  • Conclusion
  • The concept of purpose is a central notion in
    informational privacy.
  • It can be formalized based on the notions of
  • acts on personal information,
  • uses of personal information, and
  • a flow model with a specific number of acts on
    personal information.
  • Purpose: acts on PI (sub-graphs) together with
    uses of PI.

42
THANK YOU