
On Supporting Active User Feedback in P3P

V.N. Venkatakrishnan, Department of Computer Science, University of Illinois at Chicago, Chicago, IL 60607. Email: [email protected]
Wei Xu, Department of Computer Science, Stony Brook University, Stony Brook, NY 11790-4400. Email: [email protected]
Rishi Kant Sharda, Department of Computer Science, University of Illinois at Chicago, Chicago, IL 60607. Email: [email protected]

Abstract— We propose an extension to the P3P framework that enables a consumer and a web service to engage in active policy negotiation. In addition, we discuss enforcement strategies for negotiated consumer preferences.

Keywords: P3P, Web Service, Information Privacy, Policy Negotiation, Policy Enforcement, User Feedback.

I. INTRODUCTION

The development of the world wide web as a platform for electronic commerce, auctioning and social networking has presented several challenges to end user privacy. Users are presented with situations that require them to disclose (either implicitly or explicitly) personal information to these web services. To increase consumer confidence, web sites have made efforts to clearly display their policies regarding use of private information. Unfortunately, such policy descriptions are verbose and ridden with legal jargon, rendering them ineffective in increasing consumer confidence in the privacy of their personal information.

To address privacy concerns in web services, the Platform for Privacy Preferences framework (P3P [1]) has been proposed. P3P enables websites to express their terms of use regarding privacy in a machine-readable format using a standardized vocabulary. Ever since the standard was officially published by the W3C (the WWW consortium) in 2002, several leading websites have become P3P compliant (a list can be found in [2]), and P3P is expected to be more widely deployed in future. In addition, P3P has been adopted as the de-facto standard for web-services privacy (WS-privacy) [3].

The original P3P approach (as defined by the P3P 1.1 draft) follows a client-centric mechanism for checking a web site's privacy policy against a user's privacy preferences. A P3P user agent that runs on the client (usually, a browser extension) retrieves the P3P privacy policy from a web service, and checks it against the consumer's privacy preferences. Agrawal et al. [4] designed a server-centric P3P architecture mainly for better performance and scenarios involving thin clients. In this architecture, the consumer's entire privacy preferences are sent to the server and are matched with the web site's P3P policy at the server side.

Both the client and server based architectures can be examined from three key problem perspectives:

• Policy compatibility checking. This is the problem of checking whether the client's preferences match the web service's policy. For policy compatibility checking, a client-centric architecture is far superior compared to a server-centric one as the compatibility process runs entirely in the client end under the purview of the consumer. By contrast, in a server-centric approach, the consumer needs to transmit her entire preferences to the server and place much trust on the server to correctly match her preferences. Such asymmetric placement of trust violates the preferred security design principle of psychological acceptability [5].

• Policy negotiation. Policy negotiation concerns the issue of negotiating a new policy for the consumer in case of a policy mismatch. Using a purely client-centric architecture (such as the original P3P framework) it is impossible to provide any support for policy negotiation. This is because policy negotiation needs to engage the server for supporting any possible changes to the policy after a policy mismatch. A purely server-centric architecture can deal with policy negotiation by trying to enforce the consumer's policy, which is discussed below.

• Policy enforcement. Policy enforcement concerns the problem of enforcing any policy that is agreed between the consumer and the web service. Policy enforcement is inherently a server-based operation and hence requires the participation of the server.

From the above discussion, it is clear that for reasons of policy enforcement, participation from the server is needed, and client-side policy compatibility checking is more suitable for psychological acceptability. Policy negotiation requires participation from both the client and the server. This naturally leads us to an alternative architecture where the client and the server share the following responsibilities: the client performs policy compatibility checking, and the server performs policy enforcement. Both the client and the server are engaged in policy negotiation. In this paper, we discuss the architecture of this framework and examine the key design and implementation issues in realizing this architecture.

Paper organization. The rest of the paper is structured as follows: We first review the related work in Section II. In Section III we use an example service to further motivate the need for policy negotiation in P3P. Then we describe our extensions to P3P for policy negotiation and enforcement in Section IV. We conclude the paper in Section V.

II. RELATED WORK

A complete description of P3P and APPEL can be found in [1] and [6]. Yu et al. provided a formal semantics for P3P in [7]. Several P3P and APPEL tools have been implemented. The most notable P3P client implementations include AT&T Privacy Bird [8] and the implementation of compact P3P policies in Microsoft Internet Explorer for cookie handling.

Many researchers have pointed out the limitations of P3P and APPEL. Hogben ([9] [10]) noted the limitations of P3P in areas such as vocabularies as well as the ambiguity of APPEL. Agrawal et al. [11] showed the limitations of APPEL in terms of clarity and expressiveness with a set of examples, and then proposed XPref, an XPath-based P3P privacy preference language, to address these problems. Kolari et al. [12] proposed a different enhanced P3P privacy preference language called Rei. They also noted the limitations of the trust model of P3P and proposed an extensible trust model based on social recommendations. Although the P3P extension presented in this paper is based on APPEL, a similar technique can be applied to other privacy preference languages as well. Meanwhile, the proposed P3P extension can be complementary to other suggested P3P enhancements.

Automated trust negotiation [13] and privacy negotiation [14] are well known concepts that have been studied in broader settings. In this paper, we provide a framework for realizing such negotiation within the context of P3P, and provide details and transition steps to incorporate privacy policy enforcement within the context of the P3P negotiation framework.

We proposed a framework for building privacy-conscious web services in our previous work [15]. The framework allows negotiation and enforcement of privacy policies, but uses its own protocol and is not based on P3P. In this paper, we have borrowed some of the ideas from that framework and applied them to P3P.

III. A MOTIVATING EXAMPLE

As a running example to facilitate our discussion, consider a web service www.abcshop.com that provides shopping services over the web. To improve user experience, the service uses an external "clickstream" service www.hintsforclicks.com that aims to dynamically provide shopping suggestions. It does so by collecting the user's browsing pattern and displaying suitable suggestions in the same browser window, but in a separate browser frame. To accomplish this, whenever the user clicks on a link, information about this link is sent to the clickstream service, which compares the current browsing pattern with its (internal) database. This comparison generates suggestions on third-party websites that are closely related to the current browsing context, such as sponsored links with similar products. These external links are then inserted into a dynamically generated web page, which is rendered in the current browser window.

    <STATEMENT>
      <PURPOSE required="opt-out">
        <individual-analysis/>
      </PURPOSE>
      <RECIPIENT><other-recipient/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#dynamic.clickstream"/>
        <DATA ref="#dynamic.http"/>
      </DATA-GROUP>
    </STATEMENT>

The (relevant portions of the) P3P policy for abcshop.com is shown above. It states that the web service collects clickstream data and other HTTP data when a user browses their site. This is done for individual analysis (stated through the PURPOSE tag) by some other third-party clickstream service (stated through the RECIPIENT tag) which has a different policy than abcshop.com, meaning that clickstream information is disseminated to the third party. The visitor has the option to opt out of this data collection.

We now describe the P3P compliance checking process. When the consumer receives the web site's P3P policy, she checks whether it matches her privacy preferences, which is done using a P3P user agent (usually a browser extension). In our example, the consumer's privacy preferences on the use of clickstream information are matched with abcshop.com's P3P policy. Consumer preferences are expressed in APPEL [6]. In APPEL, the preferences are specified in a set of preference rules (called a rule-set) which can help a user agent (UA) to make automated or semi-automated decisions regarding the acceptability of a P3P policy.

In our example, the user considers her clickstream data private, as given by the APPEL rule below.

    <appel:RULE behavior="block" prompt="yes"
                promptmsg="obligation:other-clickstream">
      <p3p:POLICY>
        <p3p:STATEMENT>
          <p3p:PURPOSE>
            <p3p:individual-analysis/>
          </p3p:PURPOSE>
          <p3p:DATA-GROUP>
            <p3p:DATA ref="#dynamic.clickstream"/>
          </p3p:DATA-GROUP>
          <p3p:RECIPIENT>
            <p3p:other-recipient/>
          </p3p:RECIPIENT>
        </p3p:STATEMENT>
      </p3p:POLICY>
    </appel:RULE>

The rule set specifies the behavior of the user agent with respect to a P3P policy. When a rule is matched (evaluated TRUE), there are three possible outcomes, specified in the same rule:

• request : the provided policy is acceptable.
• limited : the provided policy is somewhat acceptable.
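The compliance check described above can be made concrete by evaluating the consumer's APPEL rule against the abcshop.com policy programmatically. The following is an added example, written for this page and not taken from the paper or from any P3P user agent; it implements a simplified version of APPEL's sub-element matching (only the "and", "and-exact", "or" and "or-exact" connectives, with the default "and") using the Python standard library. The policy and rule are the ones quoted above, wrapped in the namespace declarations and an enclosing RULESET they need to parse on their own; the namespace URIs are the ones from the P3P 1.0 and APPEL 1.0 specifications, though matching is done on local names so the exact URIs do not affect the outcome. The trailing catch-all "request" rule and the "ours" variant of the policy are constructed for the example.

```python
"""Simplified APPEL rule evaluation against a P3P policy (added example).

Implements enough of APPEL's matching semantics to show why the
abcshop.com policy quoted in the paper triggers the consumer's "block"
rule, and why a stricter "and-exact" connective or a policy that does not
share clickstream data with a third party falls through to "request".
"""
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"      # P3P 1.0 namespace
APPEL_NS = "http://www.w3.org/2002/04/APPELv1"  # APPEL 1.0 namespace

# Constructed sample: the abcshop.com STATEMENT from the paper, wrapped in
# a POLICY element so that it parses stand-alone.
ABCSHOP_POLICY = f"""
<POLICY xmlns="{P3P_NS}">
  <STATEMENT>
    <PURPOSE required="opt-out"><individual-analysis/></PURPOSE>
    <RECIPIENT><other-recipient/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#dynamic.clickstream"/>
      <DATA ref="#dynamic.http"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
"""

# Constructed sample: the consumer's rule from the paper plus an assumed
# catch-all "request" rule, as APPEL rule-sets are evaluated in order and the
# first matching rule wins.
CONSUMER_RULESET = f"""
<appel:RULESET xmlns:appel="{APPEL_NS}" xmlns:p3p="{P3P_NS}">
  <appel:RULE behavior="block" prompt="yes"
              promptmsg="obligation:other-clickstream">
    <p3p:POLICY>
      <p3p:STATEMENT>
        <p3p:PURPOSE><p3p:individual-analysis/></p3p:PURPOSE>
        <p3p:DATA-GROUP><p3p:DATA ref="#dynamic.clickstream"/></p3p:DATA-GROUP>
        <p3p:RECIPIENT><p3p:other-recipient/></p3p:RECIPIENT>
      </p3p:STATEMENT>
    </p3p:POLICY>
  </appel:RULE>
  <appel:RULE behavior="request"><p3p:POLICY/></appel:RULE>
</appel:RULESET>
"""

# Variants used to show the other outcomes (both constructed for this example).
STRICT_RULESET = CONSUMER_RULESET.replace(
    "<p3p:STATEMENT>", '<p3p:STATEMENT appel:connective="and-exact">')
FIRST_PARTY_POLICY = ABCSHOP_POLICY.replace("<other-recipient/>", "<ours/>")


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def attrs_match(rule_el, policy_el):
    """Every non-APPEL attribute in the rule must appear verbatim in the policy.
    Namespaced attributes such as appel:connective control matching and are
    not constraints on the policy."""
    return all(policy_el.get(name) == value
               for name, value in rule_el.attrib.items()
               if not name.startswith("{"))


def element_matches(rule_el, policy_el):
    """Recursive APPEL element match with the rule's connective."""
    if local(rule_el.tag) != local(policy_el.tag):
        return False
    if not attrs_match(rule_el, policy_el):
        return False
    connective = rule_el.get(f"{{{APPEL_NS}}}connective", "and")
    base, _, exact = connective.partition("-")
    if base not in ("and", "or") or exact not in ("", "exact"):
        raise ValueError(f"unsupported connective: {connective}")
    rule_kids, policy_kids = list(rule_el), list(policy_el)
    # "and": every rule child matches some policy child; "or": at least one.
    rule_hits = [any(element_matches(r, p) for p in policy_kids) for r in rule_kids]
    ok = all(rule_hits) if base == "and" else any(rule_hits)
    # "-exact": additionally, every policy child is matched by some rule child,
    # so extra statements/elements in the policy cause a mismatch.
    if exact:
        ok = ok and all(any(element_matches(r, p) for r in rule_kids)
                        for p in policy_kids)
    return ok


def evaluate(policy_xml, ruleset_xml):
    """Return the attributes (behavior, prompt, promptmsg, ...) of the first
    rule whose POLICY pattern matches the policy, or None if none matches."""
    policy = ET.fromstring(policy_xml)
    for rule in ET.fromstring(ruleset_xml):
        if local(rule.tag) != "RULE":
            continue
        patterns = [c for c in rule if local(c.tag) == "POLICY"]
        if patterns and element_matches(patterns[0], policy):
            return dict(rule.attrib)
    return None


if __name__ == "__main__":
    print(evaluate(ABCSHOP_POLICY, CONSUMER_RULESET))     # block rule fires
    print(evaluate(ABCSHOP_POLICY, STRICT_RULESET))       # RETENTION unmatched
    print(evaluate(FIRST_PARTY_POLICY, CONSUMER_RULESET)) # no third party
```

With the default "and" connective the policy's extra elements (RETENTION, the second DATA reference) do not prevent the match, so the user agent blocks and prompts with the rule's promptmsg; this is the situation the paper uses to motivate negotiation, since the only way forward is for the server to change what it does with clickstream data. Switching the STATEMENT to "and-exact" shows the opposite failure mode: a preference that is too literal lets the same policy slip through to the catch-all "request" rule, which is one of the APPEL ambiguities the related-work section alludes to.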