Using P3P in a web services-based context-aware application platform

This paper describes a proposal for a privacy control architecture to be applied in the WASP project. The WASP project aims to develop a context-aware service platform on top of 3G networks, using web services technology. The proposed privacy control architecture is based on the P3P privacy policy description standard defined by W3C. The paper identifies extensions to P3P and its associated preference expression language APPEL that are needed to operate in a context-aware environment

Obligations of trust for privacy and confidentiality in distributed transactions

Purpose – This paper aims to describe a bilateral symmetric approach to authorization, privacy protection and obligation enforcement in distributed transactions. The authors introduce the concept of the obligation of trust (OoT) protocol as a privacy assurance and authorization mechanism that is built upon the XACML standard. The OoT allows two communicating parties to dynamically exchange their privacy and authorization requirements and capabilities, which the authors term a notification of obligation (NoB), as well as their commitments to fulfilling each other's requirements, which the authors term signed acceptance of obligations (SAO). The authors seek to describe some applicability of these concepts and to show how they can be integrated into distributed authorization systems for stricter privacy and confidentiality control. Design/methodology/approach – Existing access control and privacy protection systems are typically unilateral and provider-centric, in that the enterprise service provider assigns the access rights, makes the access control decisions, and determines the privacy policy. There is no negotiation between the client and the service provider about which access control or privacy policy to use. The authors adopt a symmetric, more user-centric approach to privacy protection and authorization, which treats the client and service provider as peers, in which both can stipulate their requirements and capabilities, and hence negotiate terms which are equally acceptable to both parties. Findings – The authors demonstrate how the obligation of trust protocol can be used in a number of different scenarios to improve upon the mechanisms that are currently available today. Practical implications – This approach will serve to increase trust in distributed transactions since each communicating party receives a difficult to repudiate digitally signed acceptance of obligations, in a standard language (XACML), which can be automatically enforced by their respective computing machinery. Originality/value – The paper adds to current research in trust negotiation, privacy protection and authorization by combining all three together into one set of standardized protocols. Furthermore, by providing hard to repudiate signed acceptance of obligations messages, this strengthens the legal case of the injured party should a dispute arise

Expressing Privacy Preferences in terms of Invasiveness

Dynamic context aware systems need highly flexible privacy protection mechanisms. We describe an extension to an existing RBAC-based mechanism that utilises a dynamic measure of invasiveness to determine whether contextual information should be released

A Distributed Context-Aware Trust Management Architecture

The realization of a pervasive context-aware service platform imposes new challenges for the security and privacy aspects of the system in relation to traditional service platforms. One important aspect is related with the management of trust relationships, which is especially hard in a pervasive environment because users are supposed to interact with entities unknown before hand in an ad-hoc and dynamic manner. Current trust management solutions do not adapt nor scale well in this dynamic service provisioning scenario because they require previously defined trust relationships in order to operate. The objective of this thesis is to design, prototype and validate a context-aware distributed trust management architecture in order to address: (a) the lack of integration between available trust solutions and security and privacy management languages, and (b) the dynamic characteristics of a context-aware service platform

An Examination of Privacy Policies of Global University Web Sites

Due to demand in online services, universities throughout the world are increasing the content of their Web sites and adding features, such as online applications and e-learning. However, adding online services requires that personal data is kept within computerized systems, thus putting personal private information at risk. Online consumers express concern about the risk of their personal private data and demand to know how organizations will protect their records. It is imperative that firms have mechanisms to guard their data and publish protection information within online privacy policies to mitigate user distrust. However, although industry privacy groups may recommend better protection and some countries may legislate its use; this is not universal in all university sites. This study analyzes 90 universities site throughout the world to determine the use of privacy protection. The results show a lack of use of certain privacy mechanisms. The research suggests methods for improving protection