Posted: 18-Dec-2015
Analysis of privacy risks and measurement of privacy

protection in Web Services complying with privacy policy

Prepared by

Ashif Adnan, Omair Alam, Aktar-uz-zaman

School of Computer Science, University of Windsor

ON, Canada

04/18/23 WS Privacy 2

Outline
Introduction
Motivation
Goal
Related works
Our observations
Our modified method
Strengths and weaknesses
Conclusion and future works
Acknowledgement
References


Introduction Web Services

According to “web services are self-contained, modular applications that can be described, published, located, and invoked over a network, generally, the World Wide Web.”

Extended definition: web services can evolve or be adapted to other platforms. Emerging WS can employ
XML (eXtensible Markup Language)
WSDL (Web Services Description Language)
SOAP (Simple Object Access Protocol)
UDDI (Universal Description, Discovery, and Integration)
Web browsers interacting with web servers


Motivation
WS targets consumers.
WS applications: banking, shopping, learning, healthcare, government online.
WS requires the consumer's personal information, and this is where privacy becomes a concern.


Goal: protection of personal information
Ability to
analyze privacy risks,
measure privacy protection, and
develop a Privacy Policy Compliant System (PPCS).
Improved architecture of PPCS.


Related works
1. Privacy and web services
2. WS privacy risk analysis
3. WS privacy protection measurement
4. Privacy policy compliant WS


Related works (cont'd): Privacy and web services

• Privacy - ability of individuals to control the collection, use, retention, and distribution of information about themselves.

• privacy policy - a statement that expresses the user’s desired control over a web service’s collection, use, retention, and distribution of information about the user.

• privacy risk - potential occurrence of any action or circumstance that will result in a violation of a user’s privacy policy.


Related works (cont'd): Example of user/provider privacy policies (online pharmacy)

User privacy policy (left)
Policy Use: Pharmacy
Owner: Alice Buyer
Valid: unlimited
Rule 1: Collector: A-Z Drugs Inc.; What: name, address, tel; Purposes: identification; Retention Time: unlimited; Disclose-To: none
Rule 2: Collector: A-Z Drugs Inc.; What: drug name; Purposes: purchase; Retention Time: 2 years; Disclose-To: none

Provider privacy policy (right)
Policy Use: Pharmacy
Owner: A-Z Drugs Inc.
Valid: unlimited
Rule 1: Collector: Drugs Dept.; What: name, address, tel; Purposes: identification; Retention Time: 1 year; Disclose-To: none
Rule 2: Collector: Drugs Dept.; What: drug name; Purposes: sale; Retention Time: 1 year; Disclose-To: none

Figure 1. Example user (left) and provider (right) privacy policies


Related works (cont'd): Web service privacy risk analysis

1. Web service personal information model (WSPIM)
The provider needs the user's personal information.
The parties exchange privacy policies.
The provider obtains the user's personal information.
The provider complies with the user's privacy policy.
The provider makes use of the information.


Related works (cont'd)
2. Method for privacy risk analysis
Determine all the possible locations of the personal information.
Find out the ways of violating the privacy policy at each location.


Related works (cont'd): Determine all the possible locations

Example of a Personal Information Map (PIM) for a book seller web service

Figure 2. PIM for a book seller web service


Related works (cont'd): Find out the ways of violating the privacy policy

Field: Risk question
Collector: How can the PII be received by an unintended collector, either in addition to or in place of the intended collector?
What: How can the user be asked for other PII, either intentionally or inadvertently?
Purpose: How can the PII be used for other purposes?
Retention time: How can the PII retention time be violated?
Disclose-to: How can the PII be disclosed, either intentionally or inadvertently, to an unintended recipient?

Table 1. Risk questions


Related works (cont'd): Privacy risk table

Table 2. Partial privacy risks table corresponding to Figure 2 (PIM for the book seller web service)

PIIs / locations: (1, 2, 3 / path into A); (2 / path into D); (3 / path into E)
Privacy risks: a man-in-the-middle attack violates collector, purposes, and disclose-to; for the path into A, the user could be asked for personal information that violates what.

PIIs / locations: (1, 2, 3 / A, B); (1 / C); (2 / D); (3 / E)
Privacy risks: a Trojan horse, hacker, or SQL attack (for B) violates collector, purposes, and disclose-to; for B, information could be kept past the retention time.


Related works (cont'd): WS privacy protection measurement

Privacy violations are of two kinds:
Internal Violations (IV), by the provider's own staff or systems
External Violations (EV), by outside attackers


Related works (cont'd): Now let us define the measures

Let M denote the measure of how well a service provider protects consumer privacy. It has two components:
mi, accounting for the provisions used against IV, and
me, accounting for the provisions used against EV.

M is therefore the pair M = (mi, me).


Related works (cont'd)

For a service provider that has implemented combination k of provisions to lessen IV:
mi = pk, where 0 <= pk <= 1 is the rating of that combination.

For EV, carry out a threat analysis and identify
n = the number of security weaknesses, and
q = the number of those weaknesses that have countermeasures in place.
Then
me = q/n if n > 0, so that 0 <= me <= 1, and
me = 1 if n = 0.


Related works (cont'd): Scaled to 10 (each component then lies between 0 and 10),
M10 = (10·pk, 10·q/n) if n > 0
M10 = (10·pk, 10) if n = 0

Minimum acceptable thresholds ti and te are set for 10·mi and 10·me respectively; a provider passes only if both components reach their threshold.

Figure 2. Service provider's provisions for IV and EV


Related works (cont'd): Calculation of the measures

1. Calculation of mi: look up the rating pk of the combination of IV provisions the provider has implemented.
2. Table 3 gives examples of IV provision combinations.

Table 3. Example IV provision combinations


Related works (cont'd): Calculation of me

1. Identify threats to the user's data.
2. Create attack trees for the system.
3. Apply weights to the leaves.
4. Prune the tree so that only exploitable leaves remain. Count the number of such leaves (vulnerabilities).
5. Count the countermeasures that are in place for those vulnerabilities.

After performing the above steps, both q and n are available for calculating me.
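The measurement procedure above, and the definition of M = (mi, me) and M10 on the preceding slides, carried through as an added example. This is illustration code written for this page, not code from the slides or from Yee's papers. Everything concrete in it is assumed: the IV provision table stands in for Table 3, which the slides cite but do not reproduce, so its entries and pk ratings are made up; a leaf counts as exploitable when its feasibility weight reaches THRESHOLD; and the attack tree is constructed for the book-seller PIM of Figure 2.

```python
"""Yee's privacy-protection measure M = (m_i, m_e) and its 0-to-10 form M10.

Added illustration, not code from the slides or from Yee's papers.
Assumed (not from the slides): IV_PROVISIONS is a made-up stand-in for
Table 3; a leaf is 'exploitable' when its weight reaches THRESHOLD; the
attack tree below is constructed for the Figure 2 book-seller service.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Hypothetical stand-in for Table 3: provision combination k -> rating p_k.
IV_PROVISIONS = {
    "none": 0.0,
    "access control": 0.4,
    "access control + audit logging": 0.7,
    "access control + audit logging + retention enforcement": 0.9,
}
THRESHOLD = 0.5  # assumed: leaves with feasibility below this are pruned


@dataclass
class Node:
    name: str
    weight: float = 0.0            # leaves only: attack feasibility in [0, 1]
    countered: bool = False        # leaves only: is a countermeasure in place?
    children: List["Node"] = field(default_factory=list)


def exploitable_leaves(node: Node, threshold: float = THRESHOLD) -> List[Node]:
    """Step 4: prune the tree so that only exploitable leaves remain."""
    if not node.children:
        return [node] if node.weight >= threshold else []
    return [leaf for child in node.children
            for leaf in exploitable_leaves(child, threshold)]


def measure(combination: str, tree: Node) -> Tuple[float, float]:
    """M = (m_i, m_e) with m_i = p_k and m_e = q/n (1 when n = 0)."""
    m_i = IV_PROVISIONS[combination]
    leaves = exploitable_leaves(tree)
    n = len(leaves)                                   # security weaknesses
    q = sum(1 for leaf in leaves if leaf.countered)   # ... with countermeasures
    m_e = q / n if n > 0 else 1.0
    return m_i, m_e


def measure10(combination: str, tree: Node) -> Tuple[float, float]:
    """M10 = (10·p_k, 10·q/n), or (10·p_k, 10) when n = 0."""
    m_i, m_e = measure(combination, tree)
    return 10 * m_i, 10 * m_e


def acceptable(m10: Tuple[float, float], t_i: float, t_e: float) -> bool:
    """Both components must reach their minimum thresholds t_i and t_e."""
    return m10[0] >= t_i and m10[1] >= t_e


# Constructed attack tree on the buyer's PII in the Figure 2 book-seller PIM.
TREE = Node("Obtain or misuse buyer PII", children=[
    Node("Man-in-the-middle on path into A", weight=0.7, countered=True),  # TLS
    Node("Compromise database B", children=[
        Node("SQL injection", weight=0.8, countered=False),
        Node("Trojan horse on DB host", weight=0.4, countered=False),     # pruned
        Node("Insider keeps data past retention", weight=0.6, countered=True),
    ]),
])

if __name__ == "__main__":
    combo = "access control + audit logging + retention enforcement"
    m10 = measure10(combo, TREE)
    print("M10 =", m10, "acceptable at (7, 7):", acceptable(m10, t_i=7, t_e=7))
```

With the constructed tree three leaves survive pruning (n = 3) and two of them are countered (q = 2), so me = 2/3 and the provider scores (9.0, 6.67): it passes ti = 7 on internal provisions but fails te = 7 because the SQL injection leaf has no countermeasure. Raising THRESHOLD changes n and q together, which is why the weighting step has to be fixed before providers are compared.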


Related works (cont'd): Privacy policy compliant WS (PPCS)

A Privacy Policy Compliance System (PPCS) for WS gives the consumer a measure of control over his/her private information, by checking that the provider handles it as the policies state.

The policies of consumer and provider should match before any personal information is exchanged.


Related works (cont'd): Privacy legislation (the ten principles of the CSA Model Code)

1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance

Note: these are also the requirements for a PPCS.


Related works (cont'd): An architecture of PPCS

Figure 3. Privacy policy compliance system architecture


Our observations
1. The privacy policy proposed by the author is not complete, which leads to an incomplete set of risk questions and gives the consumer less confidence to do the transaction.
2. There is no provision for consumers to set up the measuring standards themselves.
3. The following points need to be considered to build a more effective PPCS for WS:
   1. Damage protection
   2. Children protection
   3. Right to transfer
   4. Right to opt in / opt out
   5. Lack of scalability
   6. Lack of knowledge
   7. Data tampering
   8. Cost


Our modified method: Web service risk analysis, extended method

New fields we propose for the privacy policy:

Safeguard: security safeguards by the provider appropriate to the sensitivity of the information.

Individual access: access by the individual to his/her own personal information.

Challenging compliance: ability of the individual to challenge the provider's compliance with the policy.

Certificate Authority Access: a Certificate Authority offers consumers a compliance verification service.


Our modified method (cont'd): Online pharmacy example with new fields

User privacy policy (left)
Policy Use: Pharmacy
Owner: Alice Buyer
Valid: unlimited
Rule 1: Collector: A-Z Drugs Inc.; What: name, address, tel; Purposes: identification; Retention Time: unlimited; Disclose-To: none; Safeguards: Yes; Individual access: Yes; Challenging compliance: Yes; Certificate Authority: SB Inc.
Rule 2: Collector: A-Z Drugs Inc.; What: drug name; Purposes: purchase; Retention Time: 2 years; Disclose-To: none; Safeguards: Yes; Individual access: Yes; Challenging compliance: Yes; Certificate Authority: SB Inc.

Provider privacy policy (right)
Policy Use: Pharmacy
Owner: A-Z Drugs Inc.
Valid: unlimited
Rule 1: Collector: Drugs Dept.; What: name, address, tel; Purposes: identification; Retention Time: 1 year; Disclose-To: none; Safeguards: Yes; Individual access: Yes; Challenging compliance: Yes; Certificate Authority: SB Inc.
Rule 2: Collector: Drugs Dept.; What: drug name; Purposes: sale; Retention Time: 1 year; Disclose-To: none; Safeguards: Yes; Individual access: Yes; Challenging compliance: Yes; Certificate Authority: SB Inc.

Figure 4. Modified example user (left) and provider (right) privacy policies
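The policy matching that a PPCS performs ("the policies of consumer and provider should match"), as an added example covering both the original policies of Figure 1 and the extended fields of Figure 4. This is illustration code written for this page, not code from the slides or from Yee's papers. It compares one provider rule against the user rule for the same PII, field by field. The following are assumptions of the example, not statements from the slides: Drugs Dept. is treated as a unit of A-Z Drugs Inc. (ORG_UNITS), the user-side purpose "purchase" and the provider-side purpose "sale" are treated as the two ends of one transaction (PURPOSE_EQUIV), a user retention of "unlimited" accepts any provider retention, and the non-compliant provider variant is constructed to show the checker flagging violations.

```python
"""Check whether a provider's privacy-policy rule complies with the user's.

Added illustration, not code from the slides or from Yee's papers.
Assumed (not from the slides): ORG_UNITS maps departments to the owning
organisation; PURPOSE_EQUIV maps provider-side purposes to the user-side
vocabulary; 'unlimited' user retention accepts any provider retention.
"""
from typing import Dict, List, Optional

ORG_UNITS = {"Drugs Dept.": "A-Z Drugs Inc."}   # assumed organisation chart
PURPOSE_EQUIV = {"sale": "purchase"}             # assumed purpose vocabulary
REQUIRED_YES = ("Safeguards", "Individual access", "Challenging compliance")


def parse_retention(text: str) -> Optional[float]:
    """'unlimited' -> None, '2 years' -> 2.0, '6 months' -> 0.5 (years)."""
    text = text.strip().lower()
    if text == "unlimited":
        return None
    value, unit = text.split()
    scale = {"year": 1.0, "month": 1 / 12, "day": 1 / 365}[unit.rstrip("s")]
    return float(value) * scale


def parse_rule(block: str) -> Dict[str, str]:
    """One 'Field: value' per line, as the slides print each policy rule."""
    rule = {}
    for line in block.strip().splitlines():
        field, _, value = line.partition(":")
        rule[field.strip()] = value.strip()
    return rule


def as_set(value: str) -> set:
    """Comma-separated list -> set; the slides' 'none' is the empty set."""
    return {v.strip() for v in value.split(",") if v.strip() and v.strip() != "none"}


def check_rule(user: Dict[str, str], prov: Dict[str, str]) -> List[str]:
    """Return the user-policy fields the provider rule violates (empty = compliant)."""
    violations = []
    # Collector: the provider may be the named organisation or one of its units.
    if ORG_UNITS.get(prov["Collector"], prov["Collector"]) != user["Collector"]:
        violations.append("collector")
    # What: the provider must not ask for more PII than the user allows.
    if not as_set(prov["What"]) <= as_set(user["What"]):
        violations.append("what")
    # Purposes: every provider purpose must be one the user consented to.
    prov_purposes = {PURPOSE_EQUIV.get(p, p) for p in as_set(prov["Purposes"])}
    if not prov_purposes <= as_set(user["Purposes"]):
        violations.append("purposes")
    # Retention time: the provider may keep the PII no longer than the user permits.
    u_ret = parse_retention(user["Retention Time"])
    p_ret = parse_retention(prov["Retention Time"])
    if u_ret is not None and (p_ret is None or p_ret > u_ret):
        violations.append("retention time")
    # Disclose-To: every provider recipient must be on the user's list.
    if not as_set(prov["Disclose-To"]) <= as_set(user["Disclose-To"]):
        violations.append("disclose-to")
    # Extended fields (Figure 4): only checked when the user policy carries them.
    for field in REQUIRED_YES:
        if user.get(field, "").lower() == "yes" and prov.get(field, "").lower() != "yes":
            violations.append(field.lower())
    if "Certificate Authority" in user and \
            user["Certificate Authority"] != prov.get("Certificate Authority"):
        violations.append("certificate authority")
    return violations


# Figure 1, drug-name rules of the user (Alice Buyer) and provider (A-Z Drugs Inc.).
USER_DRUG = parse_rule("""
Collector: A-Z Drugs Inc.
What: drug name
Purposes: purchase
Retention Time: 2 years
Disclose-To: none
""")
PROVIDER_DRUG = parse_rule("""
Collector: Drugs Dept.
What: drug name
Purposes: sale
Retention Time: 1 year
Disclose-To: none
""")
# Constructed non-compliant variant: keeps the drug name too long and shares it.
PROVIDER_DRUG_BAD = dict(PROVIDER_DRUG, **{"Retention Time": "3 years",
                                           "Disclose-To": "marketing partners"})
# Figure 4 extended fields: user requires all three and the CA SB Inc.
USER_DRUG_EXT = dict(USER_DRUG, **{"Safeguards": "Yes", "Individual access": "Yes",
                                   "Challenging compliance": "Yes",
                                   "Certificate Authority": "SB Inc."})
# Constructed provider that refuses challenges and names no CA.
PROVIDER_DRUG_NO_CA = dict(PROVIDER_DRUG, **{"Safeguards": "Yes", "Individual access": "Yes",
                                             "Challenging compliance": "No"})

if __name__ == "__main__":
    for name, u, p in [("figure 1", USER_DRUG, PROVIDER_DRUG),
                       ("bad provider", USER_DRUG, PROVIDER_DRUG_BAD),
                       ("figure 4, no CA", USER_DRUG_EXT, PROVIDER_DRUG_NO_CA)]:
        print(f"{name}: {check_rule(u, p) or 'compliant'}")
```

The Figure 1 pair is compliant only because of the two assumed mappings; without them a strict matcher would flag collector and purposes on every rule, which is the vocabulary problem a real PPCS has to settle before it can enforce anything. The bad provider is caught on retention time and disclose-to, and the Figure 4 provider on challenging compliance and certificate authority, so the extended fields add checks rather than restating the old ones.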


Our modified method (cont'd): Extended risk questions

Field: Risk question
Collector, What, Purpose, Retention time, Disclose-to: as in Table 1
Safeguards: How can the security safeguard appropriate for the PII be weakened or bypassed?
Individual access: How can the personal information be accessed by an inappropriate individual?
Challenging compliance: How can the compliance with the privacy principles associated with the PII be changed, intentionally or unintentionally?
Certificate authority: How can the secured logs passed by the certificate authority to the customer be accessed by an unintended recipient in addition to the intended customer?

Table 5. Extended risk questions


Our modified method (cont'd): Privacy measurement, customization of standards

Instead of standards bodies recommending the percentage rating of the effectiveness of the provisions, the user and the provider themselves determine which provisions are used to measure the privacy protection of the web service.

In this way the user and the provider can agree on secure ways of transmission based on the resulting measures, and later build a PPCS that satisfies all of the user's requirements.


Our modified method (cont'd): Privacy Policy Compliance System (PPCS) with compliance verification

Fig 5: Modified PPCS architecture. Components shown: Web Interface, Privacy Controller, Private Data import/export, Database Controller, Customer Information, Consumer Information, Log File, Service Process, a link From/To Other PPCS, Certificate Authority, and CA Interface.


Strengths and weaknesses

Strengths
The consumer will now have full confidence to do a transaction with the service provider.
Privacy measurement standards can be customized to make transactions more secure.
A consumer who does not bother, or does not know how, to check the log file to verify compliance can easily do so through the Certificate Authority.

Weaknesses
PPCS for web services is semi-automated: in some cases the responsible officers must be notified of non-compliance matters, and that notification is not automated.
The cost of PPCS cannot be controlled, because it depends on the combination of hardware, software and storage.


Conclusion and future works: Observed steps

Understanding how to analyze the risks to privacy
Understanding how to measure privacy protection
Understanding a privacy policy compliant web service

Steps for our new PPCS system
WS risk analysis with the extended privacy policy
WS privacy protection measurement with customized standards
PPCS with compliance verification


Conclusion and future works (cont'd): Plans for future research include

Programming the graphical notation to be machine readable
Protecting the system from damage caused by shared personal information
Protecting children from being affected by information shared by others
Improving the threat analysis procedure by automating it and making it more robust
Investigating other possible methods of measuring privacy protection effectiveness


Acknowledgement

We would like to thank our professor for his great support and for giving us the opportunity to learn about privacy and security on the Internet.

We would like to thank our audience for listening to our presentation.


References

[1] G. Yee, "Visual Analysis of Privacy Risks in Web Services", Proceedings, 2007 IEEE International Conference on Web Services (ICWS 2007), July 9-13, 2007, pp. 671-678.

[2] G. Yee, "Measuring Privacy Protection in Web Services", Proceedings, 2006 IEEE International Conference on Web Services (ICWS 2006), Sept. 2006, pp. 647-654.

[3] G. Yee, L. Korba, "Privacy policy compliance for Web services", Proceedings, 2004 IEEE International Conference on Web Services (ICWS 2004), July 2004, pp. 158-165.

[4] I. Goldberg, D. Wagner, and E. Brewer, "Privacy-Enhancing Technologies for the Internet", IEEE COMPCON '97, 1997, pp. 103-109.

[5] Canadian Standards Association, "Model Code for the Protection of Personal Information", retrieved Sept. 5, 2003 from: http://www.csa.ca/standards/privacy/code/Default.asp?articleID=5286&language=English


The End

Questions ?

