ABSTRACT
Today, organizations do not have good ways of linking their written privacy policies with the implementation of those policies. To assist organizations in addressing this issue, our human-centered research has focused on understanding organizational privacy management needs and, based on those needs, creating a usable and effective policy workbench called SPARCLE. SPARCLE will enable organizational users to enter policies in natural language, parse the policies to identify policy elements, and then generate a machine-readable (XML) version of the policy. In the future, SPARCLE will also enable mapping of policies to the organization's configuration and provide audit and compliance tools to ensure that the policy implementation operates as intended. In this paper, we present the strategies employed in the design and implementation of the natural language parsing capabilities that are part of the functional version of the SPARCLE authoring utility. We have created a set of grammars, executed on a shallow parser, that are designed to identify the rule elements in privacy policy rules. We present empirical usability evaluation data from target organizational users of the SPARCLE system and highlight the parsing accuracy of the system with the organizations' privacy policies. The successful implementation of the parsing capabilities is an important step towards our goal of providing a usable and effective method for organizations to link the natural language version of privacy policies to their implementation, and to subsequently verify that implementation through compliance auditing of the enforcement logs.
Index Terms
- An empirical study of natural language parsing of privacy policy rules using the SPARCLE policy workbench