Wirtschaftsuniversität Wien Magisterarbeit - SemanticLab
Wirtschaftsuniversität Wien Magisterarbeit - SemanticLab Wirtschaftsuniversität Wien Magisterarbeit - SemanticLab
Finally, an example should be provided to explain the STATEMENT element and hence the data-specific assertions. Listing 3.8 shows how a statement in a P3P policy may look like when a form is provided to e-mail webmasters comments about the website including an input field to optionally provide an e-mail address so that the webmaster can reply to the inquiry: the statement defines that the data submitted will only be used to improve the website, that the information will be discarded once processed and that the information provided will not be disclosed to any other party. Listing 3.8: Policy statement regarding a e-mail comment form (Source: [Cra02]) As seen in the example above, this statements makes use of the DATA and CATE- GORIES elements. These elements can be used within a policies’ DATA-GROUP element. Within such a DATA-GROUP element, data types which the policy is applied to have to be defined whereas such data types can be grouped in data schemas. P3P specifies a base data schema where the following kind of data is defined: dynamic data, user data, third party data and business data. As the base data schema has a multitude of sub-(sub)-elements, it is not going to be covered in this thesis. Interested readers should especially consult chapter five of the P3P specification for more details. A complete P3P policy with all elements introduced can be found in Appendix A.1 for further reference. So far, predefined vocabularies were introduced which were designed by the P3P working group. Although a lot of effort and time was devoted in creating the vocabulary as short as possible and as long as necessary, it cannot contain every possible concept. That is 30
why extensions were developed. By using the EXTENSION element new concepts can be tested and implemented. This element is very flexible and can be placed almost in all P3P specified elements. Interested readers should consult the P3P specification for more details. 3.1.5. A P3P Preference Exchange Language (APPEL) Although P3P specifies how websites can express their privacy policies, it does not offer a solution for expressing user preferences can be expressed. This is done by a separate W3C specification called APPEL - A P3P Preference Exchange Language. The goal of APPEL (pronounced a-pell) is to save and exchange users’ preferences (which APPEL refers to as rule-sets) in a standardized way. The reason for this is that most P3P useragents probably won’t show all possible P3P settings because there would be too much combinations to be handled by end-users. However, predefined, sensible privacy settings should be made available to and distributed by users and other parties so that end-users are able to easily decide what level of privacy they want to apply. APPEL-files are XMLfiles and contain rule-sets which include a pattern to be matched against a P3P policy and an action which is to be executed when a match is found. Readers interested in this topic should consult the W3C Working Draft on APPEL for more information [W3Cc]. It should also be mentioned that the two biggest P3P user-agents (namely Microsoft’s Internet Explorer and AT&T’s Privacy Bird) do not (fully) support APPEL. 3.1.6. Existing P3P user agents and software tools For users interested in P3P, there are currently two noteworthy implementations: P3P in Microsoft’s Internet Explorer and AT&T’s Privacy Bird 2 which is a plugin for Microsoft Internet Explorer 5.01, 5.5, and 6.0. The Mozilla Suite once supported P3P but P3P support was removed with bug-report 225287 [Moz03]. Neither Mozilla Firefox nor Seamonkey supported P3P. There was an extension available for Firefox but it is not compatible anymore with current versions of Firefox and can be designated as a proofof-concept implementation only (see the Part II of this thesis for more details). For implementors of P3P and website operators there are several tools available which support them in their endeavour: • The website www.p3ptoolbox.org provides a useful implementation guide • The European Commission Joint Research Centre published the JRC Policy Workbench which is a suite to edit and test P3P policies. The project is available at SourceForge 3 . • IBM published its IBM P3P Policy Editor which is available at 4 2 http://www.privacybird.org 3 http://sourceforge.net/projects/jrc-policy-api 4 http://alphaworks.ibm.com/tech/p3peditor 31
- Page 1: Wirtschaftsuniversität Wien Magist
- Page 4 and 5: Contents Abbreviations vii Listings
- Page 6 and 7: II. Applied part 53 6. Development
- Page 8 and 9: Listings viii 3.1. HTTP response he
- Page 10 and 11: List of Tables x 3.1. PURPOSE sub-e
- Page 12 and 13: 1. Introduction This thesis address
- Page 14 and 15: In addition, the applied part of th
- Page 16 and 17: 2. Privacy Threats Privacy is the
- Page 18 and 19: term friendly fraud relates to legi
- Page 20 and 21: over iGoogle, search Wikipedia via
- Page 22 and 23: collect a lot of personal data abou
- Page 24 and 25: 2.4. Privacy sensitive technologies
- Page 26 and 27: • Data necessary to identify the
- Page 28 and 29: 3. Privacy Standards The following
- Page 30 and 31: The well-known location method (whi
- Page 32 and 33: • User Preferences: User-agents m
- Page 34 and 35: Another important issue for policy
- Page 36 and 37: 1 M i c r o s o f t Way< /DATA> Red
- Page 38 and 39: 28 PURPOSE Plain Language Translati
- Page 42 and 43: • There is a commercial P3P polic
- Page 44 and 45: Element Value ruling allow user cat
- Page 46 and 47: 3.3.1. XACML - an introduction Simi
- Page 48 and 49: 3.3.3. Summary The introduced priva
- Page 50 and 51: specified conditions” [ISO01a]. T
- Page 52 and 53: applied to this characteristic too,
- Page 54 and 55: Figure 5.1.: Microsoft Internet Exp
- Page 56 and 57: 5.1.2. Firefox The Mozilla Foundati
- Page 58 and 59: shortcuts and context-menu, users s
- Page 60 and 61: 5.3. Proxies In this section, proxi
- Page 62 and 63: 52 Figure 5.10.: The settings dialo
- Page 64 and 65: 6. Development of a Privacy Plug-In
- Page 66 and 67: • components directory: this dire
- Page 68 and 69: Speaking of information it has to b
- Page 70 and 71: Figure 6.2.: Displaying the P3P pol
- Page 72 and 73: matches the users preferences befor
- Page 74 and 75: Figure 6.4.: The privacy policy of
- Page 76 and 77: is different from the one available
- Page 78 and 79: access elements in a policy which i
- Page 80 and 81: implementation available although t
- Page 82 and 83: [Dro06] Dennis Drotar, Rachel Green
- Page 84 and 85: [Kob07] Alfred Kobsa. Privacy-enhan
- Page 86 and 87: [Oli04] Nadia Olivero and Peter Lun
- Page 88 and 89: [Woo06] Jisuk Woo. The right not to
Finally, an example should be provided to explain the STATEMENT element and<br />
hence the data-specific assertions. Listing 3.8 shows how a statement in a P3P policy<br />
may look like when a form is provided to e-mail webmasters comments about the website<br />
including an input field to optionally provide an e-mail address so that the webmaster<br />
can reply to the inquiry: the statement defines that the data submitted will only be<br />
used to improve the website, that the information will be discarded once processed and<br />
that the information provided will not be disclosed to any other party.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Listing 3.8: Policy statement regarding a e-mail comment form (Source: [Cra02])<br />
As seen in the example above, this statements makes use of the DATA and CATE-<br />
GORIES elements. These elements can be used within a policies’ DATA-GROUP<br />
element. Within such a DATA-GROUP element, data types which the policy is applied<br />
to have to be defined whereas such data types can be grouped in data schemas.<br />
P3P specifies a base data schema where the following kind of data is defined: dynamic<br />
data, user data, third party data and business data. As the base data schema has a<br />
multitude of sub-(sub)-elements, it is not going to be covered in this thesis. Interested<br />
readers should especially consult chapter five of the P3P specification for more details.<br />
A complete P3P policy with all elements introduced can be found in Appendix A.1 for<br />
further reference.<br />
So far, predefined vocabularies were introduced which were designed by the P3P working<br />
group. Although a lot of effort and time was devoted in creating the vocabulary as short<br />
as possible and as long as necessary, it cannot contain every possible concept. That is<br />
30
Change language