
The Value of Privacy

Exploring Privacy Issues in Web Services Discovery Agencies

The increasing discussions concerning Web services privacy often neglect a key building block of the Web services architecture: discovery agencies. This overview of discovery agency privacy issues highlights the various challenges and proposes different technical approaches for addressing them.

BARBARA CARMINATI AND ELENA FERRARI, University of Insubria at Como, Italy
PATRICK C.K. HUNG, University of Ontario Institute of Technology (UOIT), Canada

PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/05/$20.00 © 2005 IEEE ■ IEEE SECURITY & PRIVACY

Web services let individuals and organizations do business over the Internet using standardized protocols to facilitate application-to-application interaction. This offers many benefits, including platform and vendor independence, faster time to production, and convergence of disparate business functionalities. However, Web services also raise significant privacy concerns over the confidentiality of business information.

Discussions of such concerns are increasing in the industry and research communities. Because information privacy is a key issue, these discussions often focus on Web services' privacy policies. Such policies express clear and concise goals for data protection mechanisms, including what the Web services requestor expects Web services to enforce. To enable privacy protection for Web services consumers across multiple domains and services, the World Wide Web Consortium's working draft Web Services Architecture (WSA) Requirements has defined specific privacy requirements for Web services [1]. However, these WSA requirements don't cover all the privacy issues that might arise in a real scenario. In particular, none of the requirements address privacy concerns related to discovery agencies.

Discovery agencies manage the registries that contain Web services descriptions, thereby helping service requestors find appropriate services. As such, discovery agencies are a primary building block of the WSA and have particular privacy challenges. Here, we discuss such privacy issues and propose different technical approaches to tackle privacy concerns relating to publishing service descriptions at different types of registries. Because privacy is a major requirement in any information system, this topic is relevant not only to those working with the Web services architecture, but to IT managers and security administrators as well.

Web services overview

There are three major entities in the Web services model:

• A provider is the person or organization that provides an appropriate Web service for a particular business purpose.
• A requestor is a person or organization that seeks to use a provider's Web service to meet business requirements.
• A broker, or discovery agency, acts as a matchmaker between the Web services provider and requestor.

The publish-find-bind model

Figure 1 shows how the Web services' entities interact using a publish-find-bind model. In the publish phase, the Web services provider uses the Web Services Description Language [2] to describe its service's technical details. A WSDL document describes the Web service's interface, such as which operations the Web service supports, which protocols to use, and how to pack the exchanged data. Eventually, this WSDL document will serve as a sort of contract between the Web service's provider and requestor. The provider publishes the WSDL document to a Web services broker via universal description, discovery, and integration registries [3].

UDDI is like a "yellow pages" of WSDL documents. In the find phase, UDDI provides a standard means for organizations to describe their businesses and services and publish them so requestors can discover them online. In this scenario, the Web services broker serves as a discovery agency—much like the Google and Yahoo search engines—to help requestors find Web services that match their specific requirements.

Once requestors find a Web service at the UDDI registries, they enter the bind phase, requesting the service's corresponding WSDL document so that they can attempt to bind with the service via a Simple Object Access Protocol [4] message. SOAP, an XML-based messaging protocol, is independent of the underlying transport protocol (HTTP, SMTP, FTP, and so on). Service requestors use SOAP messages to invoke Web services; Web services use SOAP messages to answer the requests. The Web service thus receives the input SOAP message from the requestor and generates an output SOAP message to the requestor.

Figure 1. The publish-find-bind model. Web services providers publish their services through brokers, who act as matchmakers with requestors looking for services that meet specific business requirements. (Diagram labels: Web services requestor, Find, Bind, Web services broker, Publish, Web services provider.)

Technical framework

As Figure 2 shows, Web services each have a unique Uniform Resource Identifier (URI) located at a Web server on the Internet. Services can be defined, described, and discovered using SOAP messages, which are typically HTTP binding. On the other side, the Web services clients can be any device: a computer, PDA, or even a cell phone. Different systems interact with the Web service using SOAP messages, in a manner prescribed by the service description [5]. Today, nearly all major computing companies, including Microsoft, IBM, Sun, Oracle, and Hewlett-Packard, provide Web services tools. Early Web services adopters include several industries, such as the financial sector, in which diverse trading partners work closely together over the Internet.

Figure 2. Web services' technical framework. An Internet Web server hosts each Web service's unique Uniform Resource Identifier. SOAP messages, which are typically HTTP binding, can be used to define, describe, and discover services. (Diagram labels: Web service, SOAP messages/HTTP binding, Web services clients, Web server.)

There are several key Web services properties:

• Loosely coupled. Web services can run independently of each other on entirely different implementation platforms and runtime environments.
• Encapsulated. The only visible part of a Web service is the public interface, such as WSDL and SOAP.
• Standard protocols and data formats. Interfaces are based on a set of standards, such as XML, UDDI, WSDL, and SOAP.
• Invoked over an intranet or the Internet. Web services can be executed within or outside a firewall.
• Components. Web services composition can enable business-to-business transactions or connect separate enterprise systems, such as those related to workflow.
• Ontology. All interacting entities must understand the functionality behind the data value computations.
• Business-oriented. Web services are not end-user software.

Privacy technologies

Strategies for ensuring privacy issues have been actively investigated both in the database and Web environments.

Database technologies

The conventional database community generally interprets privacy as the confidentiality of the user's personal information. Access to database information is typically achieved through an access control mechanism, a software module (called the reference monitor) that regulates data accesses using access control policies. These policies are enforced through a set of authorizations: the subject identified by sbj-id can access the object identified by obj-id under the specified access mode. Thus, by using the appropriate languages (such as SQL for relational databases) the database administrator can specify authorizations to enforce various privacy policies.

Clearly, this scheme assumes that the reference monitor's code is trusted; barring this, there's no guarantee that the mechanism can meet policy requirements. The access control mechanism must therefore be hosted in a trusted component of the architecture. With the WSA, however, it's not always possible to ensure such a trusted party for UDDI registry management. We therefore must extend the conventional database solutions when we move to Web services.

Privacy and the Web

Obviously, researchers have been investigating privacy technologies for the Web environment for some time. One example is the efforts of the World Wide Web Consortium's Platform for Privacy Preferences (P3P) working group [6]. P3P user agents automatically inform users of a site's privacy practices and automate decision-making based on those practices. P3P also provides a language, P3P Preference Exchange Language 1.0 (APPEL1.0) [7], to express the user's preferences for making automated or semi-automated decisions regarding the acceptability of machine-readable privacy policies from P3P-enabled Web sites. Although not originally designed for tackling Web services privacy issues, the P3P framework can serve as a fundamental model for tackling privacy concerns.

Within the Web services industry, WS-Privacy [8] is [...]

[...] the privacy issues that might arise in a real scenario. In particular, none of the AC020 requirements show any privacy concern regarding discovery agencies.

Privacy and Web services discovery agencies

In the Web service publish-find-bind model, discovery agencies support the description and discovery of

• businesses, organizations, and other Web services providers;
• their available Web services; and
• the technical interfaces to those Web services [3].

Discovery agencies provide a searchable set of Web service descriptions in centralized or distributed UDDI registries.
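The following added Python example, which is not from the article, lists what a WSDL description reveals to anyone who can query the registry that holds it, and flags operations a provider did not intend to publish. The sample WSDL, the service and host names, and the `approved` policy set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://schemas.xmlsoap.org/wsdl/",
      "s": "http://schemas.xmlsoap.org/wsdl/soap/"}

# Constructed, trimmed WSDL 1.1 description (hypothetical service and host).
SAMPLE_WSDL = """<definitions name="QuoteService"
    targetNamespace="urn:example:quotes"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tns="urn:example:quotes">
  <portType name="QuotePort">
    <operation name="GetSupplierPrice"/>
    <operation name="SubmitPurchaseOrder"/>
  </portType>
  <binding name="QuoteBinding" type="tns:QuotePort">
    <soap:binding style="document"
        transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <service name="QuoteService">
    <port name="QuotePort" binding="tns:QuoteBinding">
      <soap:address location="http://ws.example.com/quotes"/>
    </port>
  </service>
</definitions>"""


def disclosed_by_wsdl(wsdl_text):
    """Return the facts a requestor learns from a published WSDL document."""
    root = ET.fromstring(wsdl_text)
    return {
        "service": [s.get("name") for s in root.iterfind("w:service", NS)],
        "operations": [o.get("name")
                       for o in root.iterfind("w:portType/w:operation", NS)],
        "transports": [b.get("transport")
                       for b in root.iterfind("w:binding/s:binding", NS)],
        "endpoints": [a.get("location")
                      for a in root.iterfind(".//s:address", NS)],
    }


def unapproved_operations(wsdl_text, approved):
    """Operations the description would reveal that the provider's
    (hypothetical) publication policy does not list as public."""
    disclosed = disclosed_by_wsdl(wsdl_text)["operations"]
    return sorted(set(disclosed) - set(approved))
```

Running `unapproved_operations` before the publish phase shows which parts of the interface would become searchable business information once the description reaches a registry.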