A Collaborative Model for Data Privacy and its Legal Enforcement

Published by ijcsis on Jun 30, 2010
Manasdeep (MSCLISIMS2008023@iiita.ac.in), IIIT Allahabad
Damneet Singh Jolly (MSCLISIMS2008011@iiita.ac.in), IIIT Allahabad
Amit Kumar Singh (MSCLISIMS2008020@iiita.ac.in), IIIT Allahabad
Kamleshwar Singh (MSCLISIMS2008032@iiita.ac.in), IIIT Allahabad
Mr. Ashish Srivastava, Faculty, MSCLIS (ashishsri@iiita.ac.in), IIIT Allahabad
Abstract: This paper suggests a legalized P3P-based approach to privacy protection of data for the Information Owner. We put forward a model which creates a trust engine between the operating service and the user's data repository. The trust engine routinely checks each data read/write query against the privacy policy of the user and releases the data or rejects the request as per its decision. Prior to establishing the trust engine, there has to be an agreement between the Information Owner and the Service Provider, called the "Legal Handshake", from which a proper e-contract is generated that is legally binding on both parties. Any breach of the contract will attract legal penalties as per the IT Act 2000.
Keywords: Privacy, Privacy Violations, Privacy Norms, Trust Engine, Legal Handshake, P3P Architecture component
I. INTRODUCTION

We propose a legal framework loosely based on the P3P architecture. Any Information Owner (IO) wishing to protect his confidential data will request a Service Provider (SP) to create a data repository into which he uploads the data. The IO must first establish a "legal handshake" with the SP to generate a contract that completely defines all the terms and conditions related to the protection of the IO's data. The IO, of course, pays as per the agreement mutually decided between the two parties. If a breach of contract occurs within the agreed scope of the contract on either side, then the party proven guilty will be dealt with as per the provisions of the IT Act, 2000.
 
II. LITERATURE SURVEY

In [1], there is a healthy discussion of confidence-based privacy protection of an individual's personal data. The author describes various degrees of confidence levels used to control the degree of disclosure of personal information to the various third parties the individual transacts with. We extend the same concept by placing the faith in the legal system instead, for handling all disputes and confidence breaches whenever the mutual agreement between the two parties is compromised by either side. The advantage of this approach is that we need not employ privacy protection tools unnecessarily; instead, smooth transactions can take place even while using our real information. It is the legal system that protects everyone. For service providers, it is beneficial as they now share a stronger relationship and confidence level with their clients.

Similarly, in [2], we came across cost-effective ways of protecting privacy by giving the minimum protection prescribed by law to all clients and charging an extra premium to those opting for higher protection. That might be a good business practice, but overall it yields stagnant results: no major confidence is gained and the data protection risks remain the same.

In [3], a framework was proposed in which a user-defined policy governs the disclosure of personal data to online services at the client side itself. This suffers from the drawback that some major services might malfunction due to insufficient inputs from the client side.

Papers [4] and [5] throw a good deal of light on current web privacy protection practices and make useful suggestions, especially on the technical side, on using artificial intelligence and the semantic web for pattern recognition to block personal information in real time. These techniques still have to mature considerably before commercialization.

We firmly believe that protection of data privacy rests on a strong trust model. If the trust is shaken, it is harmful to both the service provider and the Information Owner, as smooth transactions become difficult. Hence, it is important for both parties to respect each other's boundaries. The trust is therefore placed on the legal system, which ensures that adequate importance is given to everyone.

In this paper, our work is two-fold. First, we suggest a collaborative legal structure model loosely based on the P3P framework to provide data privacy for the Information Owner with respect to the service provider. Next, we wish to create a legally safe environment so that either party can be assured of proper legal protection on contract breach. We hope that, in global trade too, having the strong backing of a data privacy framework will enable developing nations to trade with ease with developed nations such as EU countries, the UK and the US, which already have well-defined privacy laws for the same. Overall, it is a win-win situation for everyone.

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 1, April 2010, ISSN 1947-5500, http://sites.google.com/site/ijcsis/
 
III. PRIVACY VIOLATION FACTORS [5]
Unauthorized information transfer
Businesses frequently sell individuals' private information to other businesses without their explicit consent.

Weak security
Individuals and organizations exploit vulnerabilities in web-based services to access classified information. Often, unauthorized access is the result of weak security.

Indirectly collecting information
Users can authorize organizations or businesses to collect some of their private information. However, their privacy can be implicitly violated if their information undergoes analysis processes that produce new knowledge about their personality, wealth, behavior, and so on. Such analysis draws conclusions and produces new facts about users' shopping patterns, hobbies or preferences, and in aggressive marketing practices it can negatively affect customers' privacy.
 
IV. SIGNATURES

A. Legal Purpose of Signature

Evidence: A signature authenticates by identifying the signer with the signed document. When done in a distinctive manner, the writing becomes attributable to the signer.

Commitment: The act of signing shows the signer's commitment and prevents inconsiderate engagements.

Approval: A signature expresses the signer's approval or authorization of the writing, giving it legal effect.

Efficiency and logistics: A signature imparts a sense of clarity and finality to the transaction and lessens inquiries beyond the scope of a document.

B. Advantages of using digital signatures

Signer authentication: The digital signature cannot be forged unless the signer's private key is compromised by some means. If it is compromised, the signer can immediately report to the issuer for revocation and generation of a new private/public key pair.

Message authentication: The digital signature also identifies the signed message, with better precision than a paper signature. Verification reveals any tampering, since comparing the recomputed hash with the signed hash catches any breach of message integrity.

Affirmative act: Creating a digital signature requires the signer to use his private key. It alerts the signer that he is making a transaction with binding legal consequences.

Efficiency: With the help of Electronic Data Interchange, the creation and verification processes are capable of complete automation. Digital signatures yield a high degree of assurance without adding greatly to the resources required for processing.

Provides assurance: The likelihood of malfunction is far less than the risk of undetected forgery or alteration on paper or using less secure techniques.
 
V. A PROPOSED SYSTEM DESIGN: DATA PRIVACY IN P3P ARCHITECTURE

A. XML P3P Schema Format

The following XML P3P schema depicts the elements which play an important role in the traceability of the legal agreement. In an electronic court these element fields serve as a vital piece of evidence. The various <element ref="..."> tags refer to XML templates from which the elements derive their characteristics.
a) XML Schema

<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema"
        targetNamespace="http://www.w3.org/TR/2001/NOTE-xmldsig-p3p-profile/proposed-legalp3p">
  <import namespace="http://www.w3.org/XML/1998/namespace"
          schemaLocation="http://www.w3.org/2001/xml.xsd"/>

b) Proposed Extended Legal P3P XML Abstraction

Element names are written without spaces so that they are legal XML names; the CONTRACT attributes and the two party signatures are the fields the trust engine and a court rely on.

<element ref="p3p:EXTENSION">
  <element ref="p3p:e-LEGAL-DICTIONARY-REFERENCES"/>
  <element name="REGULATORY-POLICIES">
    <element name="LEGAL-POLICY-REF">
      <element name="legalp3p:regulations">
        <element ref="p3p:LEGALP3P"/>
        <sequence>
          <element name="DEFINED-LAWS-OF-STATE-JURISDICTION"/>
          <element name="EXCLUDED-CASES" type="anyURI"/>
          <element name="INCLUDED-CASES" type="legalp3p:element"/>
          <element name="DATA-PROTECTION-LAW" type="anyURI"/>
        </sequence>
      </element>
    </element>
  </element>
  <element name="CONTRACT">
    <element ref="legalp3p:P3Ppolicy"/>
    <complexType>
      <attribute name="creation_date" type="nonNegativeInteger" use="optional" default="86400"/>
      <attribute name="validity" type="string" use="optional"/>
      <attribute name="expiry_date"/>
      <attribute name="scope"/>
      <attribute name="purpose"/>
      <attribute name="terms-and-conditions"/>
    </complexType>
  </element>
  <element name="FIRST-PARTY-SIGNATURE">
    <element name="SIGNATURE">
      <element ref="legalp3p:digital-signature"/>
      <complexType>
        <sequence>
          <element name="KeyInfo" type="legalp3p:SIGNATURE-value"/>
          <element name="ISSUER" type="legalp3p:SIGNATURE-value"/>
          <element name="EXPIRY" type="legalp3p:SIGNATURE-value"/>
          <element name="SIGNATURE-ALGORITHM" type="legalp3p:SIGNATURE-value"/>
        </sequence>
      </complexType>
    </element>
  </element>
  <element name="SECOND-PARTY-SIGNATURE">
    <!-- same structure as FIRST-PARTY-SIGNATURE -->
  </element>
</element>
c) User XML Data

The user data includes general information about the user.

<DATA ref="#io.name"/>                    <!-- Information Owner's name -->
<DATA ref="#io.bdate"/>                   <!-- Information Owner's birth date -->
<DATA ref="#io.gender"/>                  <!-- Information Owner's gender (male or female) -->
<DATA ref="#io.business-info"/>           <!-- Information Owner's business contact information -->
<DATA ref="#io.business-info.postal"/>    <!-- Postal details -->
<DATA ref="#io.business-info.telecom"/>   <!-- Telecommunication details -->
d) Third Party Data

Third party information needs to be exchanged when, for example, ordering a present online that should be sent to another person. It can be stored in the repository alongside the user data set.

<DATA ref="#thirdparty.name"/>                    <!-- Third party's name -->
<DATA ref="#thirdparty.tid"/>                     <!-- Transaction ID -->
<DATA ref="#thirdparty.ds"/>                      <!-- Digital signature -->
<DATA ref="#thirdparty.sid"/>                     <!-- Service ID -->
<DATA ref="#thirdparty.certificate"/>             <!-- X.509 certificate number -->
<DATA ref="#thirdparty.business-info"/>           <!-- Third party's business contact information -->
<DATA ref="#thirdparty.business-info.postal"/>    <!-- Postal details -->
<DATA ref="#thirdparty.business-info.telecom"/>   <!-- Telecommunication details -->
e) Dynamic Data

We sometimes need to specify variable data elements that a user might type in or store in a repository. In P3P all these values are stored in the dynamic data set.

XML description

<DATA ref="#dynamic.clickstream"/>                    <!-- Click-stream information structure -->
<DATA ref="#dynamic.clickstream.url.querystring">
  <CATEGORIES>category</CATEGORIES>
</DATA>                                               <!-- Query-string portion of the URL -->
<DATA ref="#dynamic.clickstream.timestamp"/>          <!-- Request timestamp -->
<DATA ref="#dynamic.clickstream.clientip"/>           <!-- Client's IP address or hostname structure -->
<DATA ref="#dynamic.clickstream.clientip.hostname"/>  <!-- Complete host and domain name -->
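The trust engine from the abstract, the two-party digital signatures of Section IV.B and the CONTRACT element of the schema above, brought together as an added worked example. This code is not from the paper (the authors give no implementation); it is written in Go so that XML parsing and Ed25519 signing both come from the standard library. Assumptions made here and not stated in the paper: the e-contract travels as a single CONTRACT element whose scope attribute is a space-separated list of P3P DATA refs, purpose is a single token, expiry_date is RFC 3339; each party's signature is detached and computed over the SHA-256 digest of the contract bytes; Ed25519 stands in for the paper's unspecified signature algorithm; and the sample contract is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"strings"
	"time"
)

// contract mirrors the CONTRACT element of the extended legal P3P schema. The
// attribute formats (space-separated DATA refs, RFC 3339 expiry) are assumptions.
type contract struct {
	XMLName    xml.Name `xml:"CONTRACT"`
	Scope      string   `xml:"scope,attr"`
	Purpose    string   `xml:"purpose,attr"`
	ExpiryDate string   `xml:"expiry_date,attr"`
}

// handshake is the outcome of the legal handshake: the e-contract bytes plus a
// detached signature from each party over the SHA-256 digest of those bytes.
type handshake struct {
	ContractXML  []byte
	IOPub, SPPub ed25519.PublicKey
	IOSig, SPSig []byte
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// legalHandshake has the Information Owner (IO) and Service Provider (SP) sign
// the same contract bytes, so neither can later claim a different text.
func legalHandshake(contractXML []byte, ioPriv, spPriv ed25519.PrivateKey) handshake {
	d := digest(contractXML)
	return handshake{
		ContractXML: contractXML,
		IOPub:       ioPriv.Public().(ed25519.PublicKey),
		SPPub:       spPriv.Public().(ed25519.PublicKey),
		IOSig:       ed25519.Sign(ioPriv, d),
		SPSig:       ed25519.Sign(spPriv, d),
	}
}

// request is one read/write query the operating service sends to the repository.
type request struct{ Op, Ref, Purpose string }

// trustEngine sits between the service and the repository. It accepts a
// contract only if both signatures verify and the contract has not expired.
type trustEngine struct{ c contract }

func newTrustEngine(h handshake, now time.Time) (*trustEngine, error) {
	d := digest(h.ContractXML)
	// Verify recomputes over the digest, so any altered contract byte fails here.
	if !ed25519.Verify(h.IOPub, d, h.IOSig) || !ed25519.Verify(h.SPPub, d, h.SPSig) {
		return nil, fmt.Errorf("contract rejected: not signed by both parties or altered after signing")
	}
	var c contract
	if err := xml.Unmarshal(h.ContractXML, &c); err != nil {
		return nil, err
	}
	exp, err := time.Parse(time.RFC3339, c.ExpiryDate)
	if err != nil {
		return nil, err
	}
	if !now.Before(exp) {
		return nil, fmt.Errorf("contract expired on %s", c.ExpiryDate)
	}
	return &trustEngine{c: c}, nil
}

// decide releases data only when the purpose matches the contract and the DATA
// ref lies inside the contracted scope; a scope entry also covers its sub-fields,
// so "#io.business-info" would cover "#io.business-info.postal".
func (t *trustEngine) decide(r request) (bool, string) {
	if r.Op != "read" && r.Op != "write" {
		return false, "unknown operation"
	}
	if r.Purpose != t.c.Purpose {
		return false, "purpose not covered by contract"
	}
	for _, s := range strings.Fields(t.c.Scope) {
		if r.Ref == s || strings.HasPrefix(r.Ref, s+".") {
			return true, "within contracted scope"
		}
	}
	return false, "data ref outside contracted scope"
}

// sampleContract is constructed for this example, not taken from the paper.
const sampleContract = `<CONTRACT scope="#io.name #io.business-info.postal" purpose="delivery" expiry_date="2030-12-31T00:00:00Z"/>`

func main() {
	_, ioPriv, _ := ed25519.GenerateKey(rand.Reader) // Information Owner's key pair
	_, spPriv, _ := ed25519.GenerateKey(rand.Reader) // Service Provider's key pair
	h := legalHandshake([]byte(sampleContract), ioPriv, spPriv)
	te, err := newTrustEngine(h, time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	for _, r := range []request{{"read", "#io.business-info.postal", "delivery"}, {"write", "#io.name", "marketing"}} {
		ok, why := te.decide(r)
		fmt.Println(r.Op, r.Ref, r.Purpose, "->", ok, why)
	}
	// Widening the scope after signing breaks the hash, so the engine refuses the contract.
	h.ContractXML = []byte(strings.Replace(sampleContract, "#io.name", "#io.name #io.bdate", 1))
	_, err = newTrustEngine(h, time.Now())
	fmt.Println("tampered contract ->", err)
}
```

The order of checks matters: signatures are verified before the XML is parsed, so a party cannot feed the engine a contract text the other side never agreed to, and expiry is checked once at engine construction rather than on every request. In a deployment the public keys would come from the ISSUER and KeyInfo fields of the schema's signature elements rather than being held in memory as here.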