Deriving semantic models from privacy policies

Natural language policies describe interactions between and across organizations, third parties and individuals. However, current policy languages are limited in their ability to describe interactions across all of these parties together. Goals from requirements engineering are useful for distilling natural language policy statements into structured descriptions of these interactions; however, such goals are not easy to compare with one another, even though they share common semantic features. In this paper, we propose a process called semantic parameterization that, in conjunction with goal analysis, supports the derivation of semantic models from privacy policy documents. We present example semantic models that enable comparing policy statements and discuss corresponding limitations identified in existing policy languages. The semantic models are described by a context-free grammar (CFG) that has been validated against the most frequently expressed goals in over 100 Web site privacy policy documents. The CFG is supported by a qualitative and quantitative policy analysis tool.
