Privacy in the Semantic Web: What Policy Languages Have to Offer

Uncontrolled disclosure of sensitive information during electronic transactions may expose users to threats like loss of privacy and identity theft. The means envisioned for addressing protection of security and privacy in the context of the Semantic Web are policy languages for trust establishment and management. Although a number of policy languages have been proposed, it is unclear how well each language can address users' privacy concerns. The contribution of this work is an independent, scenario-based comparison of six prominent policy languages, namely Protune, Rei, Ponder, Trust-X, KeyNote and P3P-APPEL, with respect to the needs that users have in protecting their personal, sensitive data. We present how each language addresses access control for objects, such as user credentials and sensitive policies. We evaluate how each language defines or imports hierarchies of resources, whether the language supports protection of user information after it has been released, whether the language supports the principle of least privilege and more. The evaluation is not only an analytical literature study but also rich in actual implementations in all six languages.

[1]  Joseph Gray Jackson,et al.  Privacy and Freedom , 1968 .

[2]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[3]  Joan Feigenbaum,et al.  The KeyNote Trust-Management System , 1998 .

[4]  Joan Feigenbaum,et al.  The KeyNote Trust-Management System Version 2 , 1999, RFC.

[5]  Morris Sloman,et al.  A survey of trust in internet applications , 2000, IEEE Communications Surveys & Tutorials.

[6]  Pierangela Samarati,et al.  Regulating service access and information release on the Web , 2000, CCS.

[7]  Emil C. Lupu,et al.  Ponder: A Language for Specifying Security and Management Policies for Distributed Systems , 2000 .

[8]  Emil C. Lupu,et al.  The Ponder Policy Specification Language , 2001, POLICY.

[9]  Marc Langheinrich,et al.  The platform for privacy preferences 1.0 (p3p1.0) specification , 2002 .

[10]  Marianne Winslett,et al.  Requirements for policy languages for trust negotiation , 2002, Proceedings Third International Workshop on Policies for Distributed Systems and Networks.

[11]  Marianne Winslett,et al.  Protecting Privacy during On-Line Trust Negotiation , 2002, Privacy Enhancing Technologies.

[12]  Sun Meifeng,et al.  KeyNote Trust Management System , 2002 .

[13]  Marianne Winslett,et al.  Negotiating Trust on the Web , 2002, IEEE Internet Comput..

[14]  Lalana Kagal Rei : A Policy Language for the Me-Centric Project , 2002 .

[15]  Jeffrey M. Bradshaw,et al.  Semantic Web Languages for Policy Representation and Reasoning: A Comparison of KAoS, Rei, and Ponder , 2003, SEMWEB.

[16]  Timothy W. Finin,et al.  A Policy Based Approach to Security for the Semantic Web , 2003, SEMWEB.

[17]  Marianne Winslett,et al.  PeerTrust: Automated Trust Negotiation for Peers on the Semantic Web , 2004, Secure Data Management.

[18]  Elisa Bertino,et al.  Trust-/spl Xscr/;: a peer-to-peer framework for trust establishment , 2004, IEEE Transactions on Knowledge and Data Engineering.

[19]  Li Ding,et al.  Enhancing Web privacy protection through declarative policies , 2005, Sixth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'05).

[20]  Marianne Winslett,et al.  Negotiating Trust on the Grid , 2005, Semantic Grid.

[21]  Piero A. Bonatti,et al.  Driving and monitoring provisional trust negotiation with metapolicies , 2005, Sixth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'05).

[22]  Elisa Bertino,et al.  Achieving privacy in trust negotiations with an ontology-based approach , 2006, IEEE Transactions on Dependable and Secure Computing.

[23]  Norbert E. Fuchs,et al.  Semantic Web Policies - A Discussion of Requirements and Research Issues , 2006, ESWC.