Transcript Implementing P3P Using Database Technology Rakesh Agrawal

Implementing P3P Using Database
Technology
Rakesh Agrawal Jerry Kiernan Ramakrishnan Srikant Yirong Xu
Presented by Yajie Zhu
03/24/2005
Outline
•
•
•
•
•
•
•
Introduction
Overview of P3P
Current P3P implementations
Server-centric implementation
Algorithms
Results of performance experiments
Conclusion and future work
Introduction
• Platform for Privacy Preferences(P3P)
– web users gain control over their private
information
– web site owners can express their privacy
policies in a standard format
– a user can programmatically check against
her privacy preferences to decide whether to
release her data to the web site
• P3P became a W3C Recommendation on
April 16, 2002
Overview of P3P
• Privacy Policies:
– An XML format in which a web site can
encode its data-collection and data-use
practices
• Privacy Preferences:
– A machine-readable specification of a user’s
preferences that can be programmatically
compared against a privacy policy
Detailed information: http://www.w3c.org/TR/P3P/
P3P Policy Description
• P3P policies are described as a sequence of
STATEMENT elements.
– CONSEQUENCE: the purpose for collecting
information in human-readable text
– PURPOSE: purposes for which information is
collected.
12 predefined values.
Ex: <current/>,<individual-decision/>, <contact/>
– RECIPIENT: the users of the collected information
6 predefined values.
Ex: <ours/>, <same/>, <unrelated/>
Opt-in or opt-out values can be assign to the required
attribute of PURPOSE and RECIPIENT elements
P3P Policy Description (Cont.)
– RETENTION: the duration for which the collected
information will be kept
5 predefined values
Ex: <stated-purpose/>, <business-practice/>,
<indefinitely/>
– DATA-GROUP and DATA: the list of individual data
items that are collected for stated purposes in the
statement.
predefined types of data items
DATA can contain related category information.
– CATEGORIES: provide hints to users as to the
intended uses of the data.
Ex: <physical/>, <online/>, <purchase/>
An Example Policy
Privacy Preferences
• Privacy preferences are expressed in
APPEL as a list of RULEs
– Rule behavior: specifies the action to be taken
if the rule fires.
request, block
– Rule body: Provides the pattern that is
matched against a policy.
Privacy Preferences (Cont.)
• Connective attribute: defines the logical
operators of the language.
– And (default): all of the contained expressions can be
found in the policy
– Or : one or more of the contained expressions can be
found in the policy
– And-exact
– Or-exact
– Non-and (negated and)
– Non-or (negated or)
Every element in an APPEL rule has a connective
associated with it.
An Example APPEL Preference
The Reference File
<META xmlns="http://www.w3.org/2002/01/P3Pv1">
• A site may have
<POLICY-REFERENCES>
multiple privacy policy
<EXPIRY max-age="172800"/>
for different web pages,
which may offer various
<POLICY-REF about="/P3P/Policies.xml#first">
<INCLUDE>/*</INCLUDE>
services.
<EXCLUDE>/catalog/*</EXCLUDE>
• A site’s reference file
<EXCLUDE>/cgi-bin/*</EXCLUDE>
assigns individual
<EXCLUDE>/servlet/*</EXCLUDE>
</POLICY-REF>
policies with subsets of
the URIs.
<POLICY-REF about="/P3P/Policies.xml#second">
• In the reference file,
<INCLUDE>/catalog/*</INCLUDE>
each policy has a set of
</POLICY-REF>
INCLUDE/EXCLUDE
<POLICY-REF about="/P3P/Policies.xml#third">
declarations of the
<INCLUDE>/cgi-bin/*</INCLUDE>
URIs.
<INCLUDE>/servlet/*</INCLUDE>
<EXCLUDE>/servlet/unknown</EXCLUDE>
</POLICY-REF>
</POLICY-REFERENCES>
</META>
Current P3P Implementation
• Client-Centric Architecture
– Web sites create and install policy files at their
sites.
• P3PEdit: a web-based privacy policy generator
• IBM Tivoli Privacy Wizard: a web-based GUI tool to
define privacy policies
– The users browse a web site, their preferences
are checked against a site’s policy before they
access the sit.
Client-Centric Architecture Implementation
• IE6 implementation of Compact P3P policies
– IE6 allows a user to specify her privacy preference for
handling cookies
• AT&T Privacy Bird
– It accepts user-defined APPEL privacy preference
– An APPEL engine compares a user’s APPEL
preference with a web site’s P3P policy
• Other Tools
– JRC APPEL Preference Editor: a Java-based editor
for preparing APPEL preferences.
– JRC P3P Proxy: a centralized proxy service that
conducts P3P privacy policy checking on behalf of
subscribed users
Server-Centric Architecture
• A website deploys P3P, and installs its privacy
policies in a database system
• Database querying at the server is used for
matching a user’s preferences against privacy
policies
– Convert privacy policies into relational tables and
convert an APPEL preference into an SQL query for
matching.
– Store privacy policies in relational tables, define an
XML view over them , and use an XQuery derived
from an APPEL preference for matching.
– Store privacy policies in a native XML store and use
an XQuery derived from an APPEL preference for
matching.
Server-Centric Architecture (Cont.)
• Advantages
– The preference checking at the server leads to lean
clients (mobile device)
– An upgrade in P3P specification only require an
upgrade in all the servers
– As new privacy-sensitive applications emerge, they
will reuse checking done at the server
– Site owner can refine their policies, when they know
that policies have a conflict with the users’ privacy
preferences
– Using databases for preference matching yields
additional advantages
• The privacy data tables can serve as meta data for ensuring
that polices are followed
• Can reuse the proven database technology for checking
preferences against policies.
• Versions of policies can be better managed
Server-Centric Architecture (Cont.)
• Disadvantages
– There needs to be a greater amount of trust
on the server
• The user has to trust the server
• The user has to trust the database software used
by the server
– By using Client-Centric to cache a reference
file, the client may avoid some checks, if a
user visits many pages that are governed by
the same policy
Algorithms for Server-Centric
Implementation
• Database Schema for
P3P policy
• Populate the tables
with the data
Algorithms for Server-Centric
Implementation (Cont.)
• Translating APPEL
Preferences into SQL
Queries
– The main() mirrors the structure
of the APPEL rule.
– The match() generates the SQL
code for matching an APPEL
expression
• Select elements in the P3P
policy from the table
• Ensure that the elements
belong to their parent elements
• Match any attributes specified
in the APPEL expression
• Recursively match any sub
expressions with the
appropriate connective.
Optimizations
• Reduce the number of tables in order to reduce
the number of joins in the generated SQL
queries
– Store P3P subelements in their parent table, not in
separate tables.
– Store the value of RETENTION in STATEMENT table,
since each STATEMENT can have only one
RETENTION element.
– Store the value of CONSEQUENCE in a nullable
column in STATEMENT table.
Translation Example
• Simplified First Rule
from Jane’s APPEL
preference
• SQL Translation
Algorithms for Server-Centric
Implementation (Cont.)
• Translating APPEL
Preferences into
XQuery
– The main() generates an
XQuery if statement
• Return the rule behavior if
the condition expressed
by the rule is met by the
application policy
– The match() translates
the body of the rule
Performance Experiments
• Measure the time to match a P3P policy with
an APPEL Preference
– Experimental Setup
• A native APPEL engine from the Joint Research
Center
• DB2 UDB 7.2 as a database engine
• Translating APPEL preference into XQuery, use
the XTABLE prototype
– Data Set
• 29 P3P policies (size from 1.6 to 11.9 Kbytes)
• 5 APPEL preference with 5 different levels of
sensitivity
Performance Results
Conclusion and Future work
• Contributions of the paper
– Identification of P3P as an important application area for database
systems.
– Investigation of alternative architectures for implementing P3P.
– Proposal for a server-centric architecture based on database
querying technology.
– Mapping of a P3P policy schema into a relational schema for storing
policy data.
– Algorithms for translating privacy preferences expressed in APPEL
into SQL as well as XQuery.
– Performance experiments showing that the proposed architecture
has adequate performance for it to be used in practical deployments
of P3P.
• Future work
• Explore the use of database query languages for directly expressing
and representing privacy preference
• Identify the minimal subset of SQL and XQuery
• Develop and implement database mechanisms for ensuring that the
privacy policies are indeed being followed
Questions and Discussions