Policy-Awareness Usecase

Sen. Barack Obama's passport file improperly accessed Not a question of access control - the contractors and trainees had access to this passport info Usage control What purpose are you accessing it for ? Violation caught because system logged accesses to high profile individuals Worked because it was a closed system Logging policy not explicit Policies not well defined - what constitutes high profile individuals What if passport info was used to access tax returns in IRS database ?

Image courtesy of CNN

PAW Challenges

Web-scale policy reasoning and integration Narrow domains such as Flickr as well as large-scale data integration Simple policy languages for web-scale systems as well as expressive languages for smaller systems Policy interoperability Usability ease of policy authoring seamless interaction with existing infrastructures

Image courtesy of http://www.flickr.com/photos/sesh00/ Image courtesy of TimBL

PAW Challenges

• Policy infrastructures that help both people and machines ‘play by the rules’ relevant to social interactions
  • Consistent with the way legal rules work

Image courtesy of Adventure Quest http://www.battleon.com/

PAW Challenges

• Justifications for policy decisions
  • Not just what the answer is, but WHY
  • Why was my access request denied ? Why was John allowed to modify prop.html ? Why is this usage incompliant with my privacy policy ?

Panel Questions

• Does the community accept/need the PAW?
  • Definitely !
  • Needs to be usable and seamlessly integrated

Panel Questions

Will the Semantic Web help or hinder? Semantic Web technologies can cause information leakage as they can be used to discover information linkages Do not disclose my HIV status Ontology states that drug B is only used to treat HIV You tell someone I take drug B SW advantages Grounding in a common model Integration Interoperability

Image courtesy of TimBL

Panel Questions

How will users trust the policy-aware web? Social regulations that provide legal support for holding policy violators accountable Explanations for policy decisions allow users to understand how the results were obtained

Panel Questions

What standards need to be developed? Having a standard policy language with well understood semantics seems to the easiest approach. Is this the best way to start ? RIF dialect for policy - P-RIF Specialized for policy interoperability A policy language must be serializable in P-RIF in order to be supported within PAW Allows policy languages of varying expressivity

More Information

• This presentation: http://dig.csail.mit.edu/2008/Talks/0424-PAWPanel-lk/
• W3C PLING: http://www.w3.org/Policy/pling/wiki/Main_Page
• DIG policy projects
  • Policy Aware Web project: http://www.policyawareweb.org/
  • Transparent Accountable Datamining Initiative: http://dig.csail.mit.edu/TAMI/