Challenges of The Policy Aware Web

12 November 2007
Workshop on Privacy Enforcement and Accountability with Semantics
6th International Semantic Web Conferenc

Busan, Korea

Daniel J. Weitzner
Decentralized Information Group
MIT Computer Science and Artificial Intelligence Laboratory

These slides:

To Explore the Challenge

  1. Review Policy Challenges faced by the Web
  2. In-depth look at privacy and information accountability
  3. An Architecture for Information Accountability


The Web is Still Dumb about Policy

  1. Access Control & Authorization
  2. Privacy
  3. Copyright

Privacy Challenges in the Web's first decade

AT&T TSD 3600 gmail

Characteristics of Today's Privacy Challenge

  1. Lots of personal information data
  2. held by lots of parties
  3. huge increase in analytic capacity and data integration techniques
  4. little time and attention to manage uses
  5. unclear rules when data crosses boundaries

Overall transparency is a major factor to query log-related privacy risks.

What Privacy Isn't

Saltzer and Schroeder (The Protection of Information in Computer Systems):

“The term “privacy” denotes a socially defined ability of an individual (or organization) to determine whether, when, and to whom personal (or organizational) information is to be released.”

Privacy's Boundaries - The Home

Historical foundations - the home

The home "The house of everyone is to him as his castle and fortress, as well for his defence against injury and violence, as for his repose...."
Semayne's Case, All ER Rep 62 (Michaelmas Tern 1604)

Privacy's Boundaries - The Home Breached

Early telephones "Ways may some day be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.... Can it be that the Constitution affords no protection against such invasions of individual security?"
Olmstead v. United States, 277 U.S. 438, 467 (1928) (Brandeis, J., dissenting)

Privacy's Boundaries - New Privacy Protections

Public phone booth "The Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection.... But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected
Katz v. United States. 389 U.S. 347 (1967)

Privacy's Boundaries - New Challenges

The home It would be foolish to contend that the degree of privacy secured to citizens by the Fourth Amendment has been entirely unaffected by the advance of technology...."
Kyllo v. United States. 533 U.S. 27 (2001) (Scalia, J.)

One approach -- Information Hiding: Privacy Sensitive Data Analysis

Goal: construct data base protocol that limits information access according to a formal definition of privacy

Privacy Definition: indistinguishability of the individual from the community

Method: measures epsilon-indistinguishability of a database query transcript

Differential Privacy, Cynthia Dwork, 33rd International Colloquium on Automata, Languages and Programming, ICALP 2006, Part II, pp. 1–12, 2006.

see also Sweeney's k-anonymity work

Questions upon the Success of Privacy Sensitive Data Analysis

A privacy-safe zone: Privacy sensitive data mining establishes a boundary, which, if respected, assures no privacy risk to the individual.

  1. how do you know that data usage remains within the privacy-safe zone:
    • over time?
    • across an institution?
  2. what legal rules outside the privacy-safe zone?

Another approach -- Consent and its limitations

Basic privacy notice & consent model. Can today's privacy model (EU or US) be sufficient going forward?

Key will be purpose limitation, but we have a dilemma...

Dilemma: limited individual and regulatory capacity to control escalating data collection.

Current result of consent dilemma + increased inference power: strict about what's collected but loose about usage

Better result: loose about what is collected and strict about usage

Privacy Re-Defined - Saltzer and Schroeder revisited

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to used by others.

Information Accountability Through Policy Aware Systems

Information Accountability: When information has been used, it should to possible to determine what happened, and to pinpoint use that is inappropriate

Information Accountability an as alternative to secrecy

A Sample Regulatory Paradigm for Semantic Web Data

United States Fair Credit Reporting Act

The Web Today

today's web architecture

The Web with Information Accountability Mechanisms

today's web architecture
  • Policy Aware Transaction Logs
  • Policy Language Framework (AIR - Accountability In RDF)
  • Policy Reasoning Tools (TMS-based forward-chaining with backward goal-direction)


In order of complexity:

Discussion and More Information

For more information see:

Work described here is supported by the US National Science Foundation Cybertrust Program (05-518) and ITR Program (04-012).

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.