Title: Analysis of privacy risks and measurement of privacy protection in Web Services complying with privacy policy
1 Analysis of privacy risks and measurement of privacy protection in Web Services complying with privacy policy
- Prepared by
- Ashif Adnan, Omair Alam, Aktar-uz-zaman
- School of Computer Science
- University of Windsor
- ON, Canada
2 Outline
- Introduction
- Motivation
- Goal
- Related works
- Our observations
- Our modified method
- Strength and weakness
- Conclusion and future works
- Acknowledgment
- References
3 Introduction
- Web Services
- According to the cited definition, web services are self-contained, modular applications that can be described, published, located, and invoked over a network, generally the World Wide Web.
- Extended definition
- Web services can evolve or be adapted to other platforms
- Emerging WS can employ
- XML (eXtensible Markup Language)
- WSDL (Web Service Definition Language)
- SOAP (Simple Object Access Protocol)
- UDDI (Universal Description, Discovery, and Integration)
- Web browsers interacting with web servers
4 Motivation
- WS targets
- Consumers
- WS applications
- Banking
- Shopping
- Learning
- Healthcare
- Government online
- WS require consumers' personal information; this is where privacy becomes a concern
5 Goal
- Protection of personal information
- Ability to
- Analyze privacy risks
- Measure privacy protection
- Develop a Privacy Policy Compliance System (PPCS)
- Improved architecture of PPCS
6 Related works
- Privacy and web services
- WS privacy risk analysis
- WS privacy protection measurement
- Privacy policy compliant WS
7 Related works (contd)
- Privacy and web services
- Privacy: the ability of individuals to control the collection, use, retention, and distribution of information about themselves.
- Privacy policy: a statement that expresses the user's desired control over a web service's collection, use, retention, and distribution of information about the user.
- Privacy risk: the potential occurrence of any action or circumstance that will result in a violation of a user's privacy policy.
8 Related works (contd)
- Example of user/provider privacy policies (online pharmacy)

User privacy policy (left):

| Policy Use | Owner | Valid |
| --- | --- | --- |
| Pharmacy | Alice Buyer | unlimited |

| Collector | What | Purposes | Retention Time | Disclose-To |
| --- | --- | --- | --- | --- |
| A-Z Drugs Inc. | name, address, tel | identification | unlimited | none |
| A-Z Drugs Inc. | drug name | purchase | 2 years | none |

Provider privacy policy (right):

| Policy Use | Owner | Valid |
| --- | --- | --- |
| Pharmacy | A-Z Drugs Inc. | unlimited |

| Collector | What | Purposes | Retention Time | Disclose-To |
| --- | --- | --- | --- | --- |
| Drugs Dept. | name, address, tel | identification | 1 year | none |
| Drugs Dept. | drug name | sale | 1 year | none |

Figure 1. Example user (left) and provider (right) privacy policies
9 Related works (contd)
- Web service privacy risk analysis
- Web service personal information model (WSPIM)
- Need for the user's personal information
- Exchange of privacy policy
- Obtain the user's personal information
- Comply with the user's privacy policy
- Make use of the information
10 Related works (contd)
- Method for privacy risk analysis
- Determine all the possible locations
- Find out the ways of violating the privacy policy
11 Related works (contd)
- Determine all the possible locations
- Example of a Personal Information Map (book seller web service)
Figure 2. PIM for a book seller web service
12 Related works (contd)
- Find out the ways of violating the privacy policy

| Field | Risk Questions |
| --- | --- |
| Collector | How can the PII be received by an unintended collector, either in addition to or in place of the intended collector? |
| What | How can the user be asked for other PII, either intentionally or inadvertently? |
| Purpose | How can the PII be used for other purposes? |
| Retention time | How can the PII retention time be violated? |
| Disclose-to | How can the PII be disclosed, either intentionally or inadvertently, to an unintended recipient? |

Table 1. Risk questions
13 Related works (contd)

| PIIs / locations | Privacy Risks |
| --- | --- |
| (1, 2, 3 / path into A) (2 / path into D) (3 / path into E) | Man-in-the-middle attack violates collector, purposes, and disclose-to; for the path into A, the user could be asked for personal information that violates what |
| (1, 2, 3 / A, B) (1 / C) (2 / D) (3 / E) | Trojan horse, hacker, or SQL attack (for B) violates collector, purposes, and disclose-to; for B, information could be kept past retention time |

Figure 2. PIM for a book seller web service
Table 2. Partial Privacy Risks Table corresponding to Figure 2
14 Related works (contd)
- WS privacy protection measurement
- Privacy violations
- Internal Violations (IV)
- External Violations (EV)
15 Related works (contd)
- Now let's define the measures
- Let $M$ denote the measure of how well a service provider protects consumer privacy.
- It has two components:
- $m_i$, to account for the provisions used against IV
- $m_e$, to account for the provisions used against EV
- So, written as a matrix (a pair), $M = (m_i, m_e)$
16 Related works (contd)
- Then for a service provider that has implemented combination $k$ of provisions to lessen IV: $m_i = p_k$, with $0 < p_k < 1$
- For EV, we carry out a threat analysis and identify
- the number of security weaknesses, $n$
- the number of weaknesses that have countermeasures in place, $q$; then
- $m_e = q/n$ if $n > 0$, so that $0 \le m_e \le 1$
- $m_e = 1$ if $n = 0$
17 Related works (contd)
- On a scale of 1 to 10:
- $10 \cdot M = (10 \cdot p_k,\ 10 \cdot q/n)$ if $n > 0$
- $10 \cdot M = (10 \cdot p_k,\ 10)$ if $n = 0$
- The minimum acceptable thresholds $t_i$ and $t_e$ are set for $10 \cdot m_i$ and $10 \cdot m_e$
Figure 2. Service provider's provisions for IV and EV
18 Related works (contd)
- Calculation of the measures
- Calculation of $m_i$
- The table below gives examples of internal violation provision combinations
Table 3. Example IV provision combinations
19 Related works (contd)
- Calculation of $m_e$
- Identify threats to the user's data.
- Create attack trees for the system.
- Apply weights to the leaves.
- Prune the tree so that only exploitable leaves remain; count the number of such leaves (vulnerabilities), $n$.
- Count the countermeasures that are in place for the vulnerabilities, $q$.
- After performing the above steps, both $q$ and $n$ are available for calculating $m_e$.
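The measurement procedure of slides 15 to 19 carried through in code, as an added example that is not part of the slides or of Yee's papers: an attack tree is pruned to its exploitable leaves, $n$ and $q$ are counted, $M = (m_i, m_e)$ is formed and compared on the 10-scale against the thresholds $t_i$, $t_e$. The provision ratings standing in for Table 3, the attack tree, its weights and the exploitability threshold are constructed sample data, and the node representation is an assumption of this example (the slides do not fix one).

```python
"""Privacy protection measure M = (m_i, m_e) as described on slides 15-19.

Added example, not code from the slides or from Yee's papers.  The IV
provision ratings, the attack tree and the exploitability threshold are
constructed sample data; the tree representation is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for Table 3: rating p_k of each combination k of
# provisions against internal violations (0 < p_k < 1).
IV_PROVISION_RATINGS = {
    ("access control",): 0.3,
    ("access control", "audit logging"): 0.5,
    ("access control", "audit logging", "staff privacy training"): 0.7,
}


@dataclass
class AttackNode:
    """Attack-tree node; a node with no children is a leaf (one vulnerability)."""
    name: str
    weight: float = 0.0                 # analyst's exploitability weight for a leaf
    countermeasure: Optional[str] = None
    children: List["AttackNode"] = field(default_factory=list)


def prune(node: AttackNode, threshold: float) -> List[AttackNode]:
    """Keep only exploitable leaves (weight >= threshold): the pruning step of slide 19."""
    if not node.children:
        return [node] if node.weight >= threshold else []
    leaves: List[AttackNode] = []
    for child in node.children:
        leaves.extend(prune(child, threshold))
    return leaves


def m_i(provisions: Tuple[str, ...]) -> float:
    """Internal measure: m_i = p_k for the implemented provision combination k."""
    return IV_PROVISION_RATINGS[provisions]


def m_e(leaves: List[AttackNode]) -> float:
    """External measure: m_e = q/n if n > 0, else 1 (no exploitable weakness)."""
    n = len(leaves)
    if n == 0:
        return 1.0
    q = sum(1 for leaf in leaves if leaf.countermeasure is not None)
    return q / n


def measure(provisions: Tuple[str, ...], tree: AttackNode, threshold: float) -> Tuple[float, float]:
    """M = (m_i, m_e)."""
    return (m_i(provisions), m_e(prune(tree, threshold)))


def scaled(M: Tuple[float, float]) -> Tuple[float, float]:
    """10·M, the 1..10 scale of slide 17."""
    return (10 * M[0], 10 * M[1])


def meets_thresholds(M: Tuple[float, float], t_i: float, t_e: float) -> bool:
    """True when both components on the 10-scale reach the thresholds t_i, t_e."""
    s_i, s_e = scaled(M)
    return s_i >= t_i and s_e >= t_e


# Constructed attack tree for the goal "violate disclose-to on stored PII".
SAMPLE_TREE = AttackNode("disclose PII to unintended recipient", children=[
    AttackNode("read PII in transit", children=[
        AttackNode("intercept unencrypted channel", 0.8, "TLS on all endpoints"),
    ]),
    AttackNode("read PII from database B", children=[
        AttackNode("injection flaw in query layer", 0.9, None),   # no countermeasure yet
        AttackNode("malware on database host", 0.5, "endpoint protection + patching"),
    ]),
    AttackNode("obtain PII from staff", 0.2, None),   # pruned at threshold 0.4
])

SAMPLE_PROVISIONS = ("access control", "audit logging", "staff privacy training")

if __name__ == "__main__":
    M = measure(SAMPLE_PROVISIONS, SAMPLE_TREE, threshold=0.4)
    print("M =", M, "scaled:", scaled(M))
    print("acceptable (t_i=6, t_e=7):", meets_thresholds(M, 6, 7))
```

With the sample data three leaves survive pruning, two of them countered, so $m_e = 2/3$ and $10 \cdot M \approx (7.0, 6.67)$: the provider passes an internal threshold of 6 but fails an external threshold of 7, which is exactly the comparison the slides describe.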
20 Related works (contd)
- Privacy policy compliant WS (PPCS)
- The Privacy Policy Compliance System for WS provides the consumer with a promising approach to a measure of control over his/her private information.
- The policies of consumer and provider should match.
21 Related works (contd)
- Privacy Legislation
- Accountability
- Identify purpose
- Consent
- Limiting collection
- Limiting use, disclosure and retention
- Accuracy
- Safeguard
- Openness
- Individual Access
- Challenging compliance
- Note: these are also the requirements for the PPCS
22 Related works (contd)
Figure 3. Privacy policy compliance system architecture
23 Our observations
- The privacy policy proposed by the author is not complete, which leads to an incomplete set of risk questions and gives the consumer less confidence to do the transaction.
- There are no provisions for consumers to set up the measuring standards.
- The following points need to be considered to build a more effective PPCS for WS:
- Damage protection
- Children protection
- Right to transfer
- Right to opt in / opt out
- Lack of scalability
- Lack of knowledge
- Data tampering
- Cost
24 Our modified method
- Web service risk analysis extended method
- New fields we have found for the privacy policy:
- Safeguard: security safeguards by the provider appropriate to the sensitivity of the information.
- Individual access: access by the individual to his/her personal information.
- Challenging compliance: ability of individuals to address a challenge.
- Certificate Authority: access to Certificate Authorities that offer consumers a compliance verification service.
25 Our modified method (contd)
- Online pharmacy example with new fields

User privacy policy (left):

| Policy Use | Owner | Valid |
| --- | --- | --- |
| Pharmacy | Alice Buyer | unlimited |

| Collector | What | Purposes | Retention Time | Disclose-To | Safeguards | Individual access | Challenging compliance | Certificate Authority |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| A-Z Drugs Inc. | name, address, tel | identification | unlimited | none | Yes | Yes | Yes | SB Inc. |
| A-Z Drugs Inc. | drug name | purchase | 2 years | none | Yes | Yes | Yes | SB Inc. |

Provider privacy policy (right):

| Policy Use | Owner | Valid |
| --- | --- | --- |
| Pharmacy | A-Z Drugs Inc. | unlimited |

| Collector | What | Purposes | Retention Time | Disclose-To | Safeguards | Individual access | Challenging compliance | Certificate Authority |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Drugs Dept. | name, address, tel | identification | 1 year | none | Yes | Yes | Yes | SB Inc. |
| Drugs Dept. | drug name | sale | 1 year | none | Yes | Yes | Yes | SB Inc. |

Figure 4. Modified example user (left) and provider (right) privacy policies
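Slide 20 requires that the consumer's and provider's policies match, and slide 24 adds four fields to the policy. The following added example, which is not code from the slides or from Yee's papers, models the policy rows of Figures 1 and 4 and checks a provider policy against a user policy field by field, then runs it on the Figure 4 pair and on a constructed non-compliant variant. The per-field matching semantics (provider may collect only listed items, for a subset of the user's purposes, keep them no longer than allowed, disclose only to named parties, offer every extended protection the user requires, and use the user's certificate authority), the treatment of the provider's "sale" and the user's "purchase" as one purpose, and the names in the non-compliant variant are all assumptions of this example.

```python
"""Consumer/provider privacy-policy matching for a PPCS, modelled on the
online-pharmacy policies of Figures 1 and 4.  Added example, not code from
the slides or Yee's papers; the per-field matching semantics and the
purpose-synonym table are assumptions of this example."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

UNLIMITED = float("inf")                 # retention time "unlimited"
PURPOSE_SYNONYMS = {"sale": "purchase"}  # assumed: one transaction seen from both sides


@dataclass(frozen=True)
class Rule:
    """One Collector/What/Purposes/Retention/Disclose-To block, plus the
    fields added by the slides' extended policy."""
    collector: str
    what: FrozenSet[str]
    purposes: FrozenSet[str]
    retention_years: float               # UNLIMITED for "unlimited"
    disclose_to: FrozenSet[str]          # empty set means "none"
    safeguards: bool = False
    individual_access: bool = False
    challenging_compliance: bool = False
    certificate_authority: Optional[str] = None


@dataclass(frozen=True)
class Policy:
    policy_use: str
    owner: str
    valid: str
    rules: Tuple[Rule, ...]


def _norm(purposes: FrozenSet[str]) -> FrozenSet[str]:
    return frozenset(PURPOSE_SYNONYMS.get(p, p) for p in purposes)


def check_compliance(user: Policy, provider: Policy) -> List[Tuple[str, str, str]]:
    """Compare each provider rule with the user rule covering the same PII item.

    Returns (pii_item, field, reason) triples; an empty list means the provider
    policy complies with the user's policy under the assumed semantics.
    """
    issues: List[Tuple[str, str, str]] = []
    for prule in provider.rules:
        for item in sorted(prule.what):
            urule = next((r for r in user.rules if item in r.what), None)
            if urule is None:
                issues.append((item, "what", "user did not agree to provide this item"))
                continue
            if provider.owner != urule.collector:
                issues.append((item, "collector", f"user named {urule.collector}, policy owner is {provider.owner}"))
            extra = _norm(prule.purposes) - _norm(urule.purposes)
            if extra:
                issues.append((item, "purposes", "extra purposes: " + ", ".join(sorted(extra))))
            if prule.retention_years > urule.retention_years:
                issues.append((item, "retention time", f"{prule.retention_years} years > allowed {urule.retention_years}"))
            leaked = prule.disclose_to - urule.disclose_to
            if leaked:
                issues.append((item, "disclose-to", "unapproved recipients: " + ", ".join(sorted(leaked))))
            for fld in ("safeguards", "individual_access", "challenging_compliance"):
                if getattr(urule, fld) and not getattr(prule, fld):
                    issues.append((item, fld, "required by user, not offered by provider"))
            ca = urule.certificate_authority
            if ca and prule.certificate_authority != ca:
                issues.append((item, "certificate authority", f"user requires {ca}"))
    return issues


# Figure 4: user (Alice Buyer) and provider (A-Z Drugs Inc.) policies.
USER = Policy("Pharmacy", "Alice Buyer", "unlimited", (
    Rule("A-Z Drugs Inc.", frozenset({"name", "address", "tel"}), frozenset({"identification"}),
         UNLIMITED, frozenset(), True, True, True, "SB Inc."),
    Rule("A-Z Drugs Inc.", frozenset({"drug name"}), frozenset({"purchase"}),
         2, frozenset(), True, True, True, "SB Inc."),
))
PROVIDER = Policy("Pharmacy", "A-Z Drugs Inc.", "unlimited", (
    Rule("Drugs Dept.", frozenset({"name", "address", "tel"}), frozenset({"identification"}),
         1, frozenset(), True, True, True, "SB Inc."),
    Rule("Drugs Dept.", frozenset({"drug name"}), frozenset({"sale"}),
         1, frozenset(), True, True, True, "SB Inc."),
))
# Constructed non-compliant variant: an extra purpose, longer retention, an
# unapproved recipient and no individual-access provision for the drug name.
BAD_PROVIDER = Policy("Pharmacy", "A-Z Drugs Inc.", "unlimited", (
    PROVIDER.rules[0],
    Rule("Drugs Dept.", frozenset({"drug name"}), frozenset({"sale", "marketing"}),
         3, frozenset({"AdPartner Ltd."}), True, False, True, "SB Inc."),
))

if __name__ == "__main__":
    print(check_compliance(USER, PROVIDER))          # [] : the Figure 4 policies match
    for issue in check_compliance(USER, BAD_PROVIDER):
        print(issue)
```

Each mismatch names the PII item and the policy field it violates, which is the same vocabulary as the risk-question tables, so the output of the check can be read directly against Tables 1 and 5.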
26 Our modified method (contd)

| Field | Risk Questions |
| --- | --- |
| ... | ... |
| Safeguards | How can the security safeguards appropriate for the PII be affected? |
| Individual access | How can the personal information be accessed by an inappropriate individual? |
| Challenging compliance | How can the compliance with the privacy principles associated with the PII be changed, intentionally or unintentionally? |
| Certificate authority | How can the secured logs passed by the certificate authority to the customer be accessed by an unintended recipient in addition to the intended customer? |

Table 5. Extended risk questions
27 Our modified method (contd)
- Privacy measurement: customization of standards
- Instead of the standards bodies recommending the percentage rating of the effectiveness of the provisions, the user and the provider determine the provisions that are used to measure the security of the privacy of the web service.
- In this way the user and the provider can agree on secure ways of transmission, obtain the measures, and later arrive at a PPCS that satisfies all of the user's requirements.
28 Our modified method (contd)
- Privacy Policy Compliance System (PPCS) with compliance verification
Figure 5. Modified PPCS architecture
29 Weakness and Strengths
- Strength
- The consumer will now have full confidence to do a transaction with the service provider.
- Privacy measurement standards can be customized to make transactions more secure.
- A consumer who does not bother, or does not know how, to check the log file to verify compliance can easily do so through the Certificate Authority.
- Weakness
- The PPCS for web services is semi-automated: in some cases we need to notify the respective officers about non-compliance matters, which is not automated.
- The cost of the PPCS cannot be controlled because it depends on the combination of hardware, software and storage.
30 Conclusion and Future Works
- Observed steps
- Understanding how to analyze the risks to privacy
- Understanding how to measure privacy protection, and
- Understanding a privacy policy compliant web service
- Steps for our new PPCS system
- WS risk analysis with extended privacy policy
- WS privacy protection measurement with customized standards
- PPCS with compliance verification
31 Conclusion and Future Works (contd)
- Plans for future research include
- Programming the graphical notation to be machine readable
- Protecting the system from damage that occurs due to shared personal information
- Protecting children from being affected by information shared by others
- Improving the procedure for threat analysis by automating it and making it more foolproof
- Investigating other possible methods of privacy protection effectiveness
32 Acknowledgement
- We would like to thank our professor for his great support and for giving us the opportunity to learn about privacy and security on the Internet
- We would like to thank our audience for listening to our presentation
33 References
- [1] G. Yee, "Visual Analysis of Privacy Risks in Web Services," Proceedings, 2007 IEEE International Conference on Web Services (ICWS 2007), July 9-13, 2007, pp. 671-678.
- [2] G. Yee, "Measuring Privacy Protection in Web Services," Proceedings, 2006 IEEE International Conference on Web Services (ICWS 2006), Sept. 2006, pp. 647-654.
- [3] G. Yee, L. Korba, "Privacy Policy Compliance for Web Services," Proceedings, 2004 IEEE International Conference on Web Services (ICWS 2004), July, 2006, pp. 158-165.
- [4] I. Goldberg, D. Wagner, and E. Brewer, "Privacy-Enhancing Technologies for the Internet," IEEE COMPCON '97, 1997, pp. 103-109.
- [5] Canadian Standards Association, "Model Code for the Protection of Personal Information," retrieved Sept. 5, 2003 from http://www.csa.ca/standards/privacy/code/Default.asp?articleID=5286&language=English
34 The End