Copyright 2009 Digital Enterprise Research Institute. All rights reserved.
Digital Enterprise Research Institute www.deri.ie
An architecture for privacy-enabled user profile portability on the Web of Data
Benjamin Heitmann, James G. Kim, Alexandre Passant, Conor Hayes, Hong-Gee Kim
Funded by Science Foundation Ireland under Grant No. SFI/08/CE/I1380 (Líon-2)
Motivation
Recommender systems can benefit from external data sources, e.g. to address the cold-start problem
Coming paradigm shifts require external data: beyond a single site, beyond a single domain
Challenge: sharing of profile data across sites while maintaining the privacy of the user ("public by default" is not enough)
Outline
The challenge: portable and private user profiles
Background: introducing Linked Data
An architecture to enable portable and private user profiles: foundation standards, roles, communication pattern
Qualitative evaluation
Related work
The challenge: portable and private user profiles
Current eco-systems: a centralised hub site stores the user profile (e.g. Facebook, Twitter)
User profiles are secure and private, but there is no portability
Third-party services (e.g. TweetMeme or Flickr) can access the user profile if authorised by the user
Closed system: users are locked into one ecosystem, no portability
Challenge: an open alternative that provides portability and privacy at the same time
[Figure: web site interaction. The user expresses preferences and authenticates for user actions on the hub site; recommendations for an external site are provided by cross-domain data sharing, if authorised by the user.]
Background: The Web of Data and Linked Data
The Web of Data provides structured data, collaboratively created, about object-centred sociality
domain knowledge through ontologies (e.g. the DBpedia ontology)
cross-domain links between sources
Linked Data principles:
1. use URIs “for everything”
2. allow HTTP access to all URIs
3. when accessing a URI, provide relevant data in RDF
4. include links to URIs from third parties (background knowledge)
[Figure: Linking Open Data (LOD) cloud, as of October 2010]
Foundation standards
WebIDs: user authentication without passwords
  publish the public key in the FOAF profile
  store the private key in the browser
  decentralised authentication scheme
Web Access Control (WAC) vocabulary: resource access authorisation
  defines a whitelist for access to a resource by third parties
  can be used for a "private by default" mode
FOAF profiles: domain-independent user profiles
  described using the Friend-of-a-Friend (FOAF) vocabulary
  can contain any structured data, e.g. activity streams
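The WebID check behind the foundation standards above, as an added example in Go (not code from the slides and not a DERI implementation): the user agent presents a self-signed certificate that carries the WebID in its subjectAltName, and the relying party accepts the claimed identity only if the FOAF profile at that WebID publishes the same RSA modulus and exponent (the cert ontology's cert:modulus / cert:exponent). The WebID URI and the in-memory profile lookup that stands in for an HTTP GET plus RDF parse are assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// PublishedKey is an RSA public key as a FOAF profile publishes it with the
// W3C cert ontology (cert:modulus / cert:exponent).
type PublishedKey struct {
	Modulus  *big.Int
	Exponent int
}

// ProfileFetcher dereferences a WebID and returns the keys its profile lists.
// A real relying party does an HTTP GET and parses the RDF; here it is an
// in-memory lookup (assumption for this example) so the code runs offline.
type ProfileFetcher func(webid string) ([]PublishedKey, error)

// SelfSignedWebIDCert builds the certificate a user agent presents in the TLS
// handshake: self-signed, with the WebID in the subjectAltName URI field.
func SelfSignedWebIDCert(webid string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "WebID holder"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{u},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWebID is the relying party's check. Issuer and chain are ignored on
// purpose: trust comes from the profile at the claimed WebID publishing the
// same key the client proved possession of during the handshake.
func VerifyWebID(cert *x509.Certificate, fetch ProfileFetcher) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("only RSA keys are mapped to the cert ontology here")
	}
	if len(cert.URIs) == 0 {
		return "", errors.New("certificate carries no WebID in subjectAltName")
	}
	for _, u := range cert.URIs {
		keys, err := fetch(u.String())
		if err != nil {
			continue // unreachable or malformed profile: try the next claimed WebID
		}
		for _, k := range keys {
			if k.Modulus.Cmp(pub.N) == 0 && k.Exponent == pub.E {
				return u.String(), nil
			}
		}
	}
	return "", errors.New("no claimed WebID publishes the presented public key")
}

// ExampleProfiles returns a constructed stand-in for the Web: one WebID whose
// FOAF profile lists exactly the given key; every other URI is a 404.
func ExampleProfiles(webid string, pub *rsa.PublicKey) ProfileFetcher {
	profiles := map[string][]PublishedKey{webid: {{Modulus: pub.N, Exponent: pub.E}}}
	return func(id string) ([]PublishedKey, error) {
		keys, ok := profiles[id]
		if !ok {
			return nil, fmt.Errorf("GET %s: 404", id)
		}
		return keys, nil
	}
}

func main() {
	const aliceID = "https://alice.example/profile#me" // assumed WebID
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048)
	fetch := ExampleProfiles(aliceID, &alice.PublicKey)

	good, _ := SelfSignedWebIDCert(aliceID, alice)
	id, err := VerifyWebID(good, fetch)
	fmt.Println("alice's own cert:", id, err)

	// Mallory self-signs a cert claiming Alice's WebID; Alice's profile does
	// not list Mallory's key, so the claim is rejected.
	forged, _ := SelfSignedWebIDCert(aliceID, mallory)
	_, err = VerifyWebID(forged, fetch)
	fmt.Println("forged claim:", err)
}
```

The point a practitioner should take from this is that the certificate is only a carrier for the WebID and the public key; revoking access means removing the key from the profile, and the relying party must fetch the profile over HTTPS, since an attacker who can tamper with that fetch can substitute their own key.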
Alternative: architecture for private and portable user profiles
User profile: profile data expressed in RDF (FOAF + SIOC)
WebID provides identity, in two parts: a private SSL key in the user agent, and the matching public SSL key in the FOAF profile
Roles:
  user agents: manage user identities
  profile storage service: stores one or many profiles
  data consumers: provide services for users
[Figure: the user agent holds the private key of the WebID; the public key is in the FOAF profile, which is stored in the profile storage site; the data consumer retrieves the user profile if the user authorises it.]
Communication pattern of the proposed architecture
Scenario: recommend patients with similar treatments
Assumption: the user is logged into Openbook (the profile storage site)
1. The user searches for PatientsLikeMe
2. PatientsLikeMe (PLM, the data consumer) gets the profile storage URI via Firefox (the user agent)
3. PLM redirects Firefox to Openbook for authorisation
4. The user authorises Openbook to show some parts of the profile to PLM (a new WAC entry is created)
5. Openbook redirects Firefox back to PLM
6. PLM now accesses the authorised parts of the profile data on Openbook
[Figure: the user agent (Firefox) holds the WebID's private key and provides the storage URI to the data consumer; the public key is in the FOAF profile stored in the profile storage site, which the data consumer retrieves after authorisation.]
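Steps 4 and 6 of the pattern above, together with the "private by default" WAC whitelist from the foundation standards and the FOAF+SIOC profile split of the architecture slide, as an added example in Go (not code from the slides and not from Openbook or PatientsLikeMe): the storage site keeps profile documents and an ACL, the user's authorisation adds one acl:Authorization for the consumer's WebID, and every request is checked against the whitelist before the document is even looked up. All URIs, the document contents and the status codes chosen for denial are assumptions for this example; the ACL terms themselves (acl:Authorization, acl:agent, acl:agentClass, acl:accessTo, acl:mode, acl:Read, acl:Write) are the WAC vocabulary.

```go
package main

import (
	"fmt"
	"strings"
)

// Mode mirrors acl:Read and acl:Write from the WAC vocabulary.
type Mode string

const (
	Read  Mode = "acl:Read"
	Write Mode = "acl:Write"
)

// Authorization mirrors one acl:Authorization: an agent (a WebID), or everyone
// via acl:agentClass foaf:Agent, may use the listed modes on one resource.
type Authorization struct {
	Agent    string
	Public   bool
	AccessTo string
	Modes    []Mode
}

// ACL is the whitelist kept by the profile storage site. Anything it does not
// list is unreachable: "private by default".
type ACL struct{ Entries []Authorization }

// Grant is step 4 of the communication pattern: the logged-in user adds an
// authorization for the data consumer's WebID.
func (a *ACL) Grant(agent, resource string, modes ...Mode) {
	a.Entries = append(a.Entries, Authorization{Agent: agent, AccessTo: resource, Modes: modes})
}

// Allowed answers whether the WebID-authenticated agent ("" = unauthenticated)
// may use mode on resource.
func (a *ACL) Allowed(agent, resource string, mode Mode) bool {
	for _, e := range a.Entries {
		if e.AccessTo != resource || (!e.Public && (agent == "" || e.Agent != agent)) {
			continue
		}
		for _, m := range e.Modes {
			if m == mode {
				return true
			}
		}
	}
	return false
}

// Turtle renders the whitelist with the WAC vocabulary, as the storage site
// would publish it next to the profile.
func (a *ACL) Turtle() string {
	var b strings.Builder
	b.WriteString("@prefix acl: <http://www.w3.org/ns/auth/acl#> .\n@prefix foaf: <http://xmlns.com/foaf/0.1/> .\n")
	for i, e := range a.Entries {
		fmt.Fprintf(&b, "<#auth%d> a acl:Authorization ;\n    acl:accessTo <%s> ;\n", i, e.AccessTo)
		if e.Public {
			b.WriteString("    acl:agentClass foaf:Agent ;\n")
		} else {
			fmt.Fprintf(&b, "    acl:agent <%s> ;\n", e.Agent)
		}
		modes := make([]string, len(e.Modes))
		for j, m := range e.Modes {
			modes[j] = string(m)
		}
		fmt.Fprintf(&b, "    acl:mode %s .\n", strings.Join(modes, ", "))
	}
	return b.String()
}

// Storage is a profile storage site: RDF documents keyed by URI, plus their ACL.
type Storage struct {
	Docs map[string]string
	ACL  ACL
}

// Serve is step 6: the consumer's WebID is already known from WebID-TLS and it
// asks for one document. The ACL is consulted before the lookup, so a denied
// request does not reveal whether the document exists.
func (s *Storage) Serve(agent, resource string) (body string, status int) {
	if !s.ACL.Allowed(agent, resource, Read) {
		if agent == "" {
			return "", 401
		}
		return "", 403
	}
	doc, ok := s.Docs[resource]
	if !ok {
		return "", 404
	}
	return doc, 200
}

// Constructed example: "Openbook" stores a public FOAF card and a private
// treatments document (SIOC activity data) for one user. All URIs are assumed.
const (
	CardURI       = "https://openbook.example/alice/card"
	TreatmentsURI = "https://openbook.example/alice/treatments"
	PLMID         = "https://patientslikeme.example/#service"
	OtherID       = "https://other-consumer.example/#service"
)

func NewOpenbook() *Storage {
	s := &Storage{Docs: map[string]string{
		CardURI:       `<#me> a foaf:Person ; foaf:name "Alice" .`,
		TreatmentsURI: `<#me> sioc:creator_of <https://openbook.example/alice/post/1> .`,
	}}
	s.ACL.Entries = append(s.ACL.Entries, Authorization{Public: true, AccessTo: CardURI, Modes: []Mode{Read}})
	return s
}

func main() {
	ob := NewOpenbook()
	_, st := ob.Serve(PLMID, TreatmentsURI)
	fmt.Println("before authorisation:", st)
	ob.ACL.Grant(PLMID, TreatmentsURI, Read) // step 4
	_, st = ob.Serve(PLMID, TreatmentsURI)
	fmt.Println("after authorisation:", st)
	_, st = ob.Serve(OtherID, TreatmentsURI)
	fmt.Println("other consumer:", st)
	fmt.Print(ob.ACL.Turtle())
}
```

The granularity of the whitelist is per resource, so "show some parts of the profile" in step 4 only works if the storage site splits the profile into separate documents (here: the public card and the private treatments document); a single monolithic FOAF file would force an all-or-nothing grant.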
Qualitative evaluation
Based on the evaluation framework for privacy-enhancing technologies by Wang and Kobsa [20,15]
Protection of identity: the user can create and choose identities without constraints
  allows pseudonymity, unobservability, deniability, anonymity
  alternatively, identities can be assigned by organisations
Control over user data: profile data can optionally be self-hosted
  open standards allow portability; no lock-in to any ecosystem
Non-functional requirements:
  Universality: one universal, standards-based eco-system
  Scalability: no bottlenecks or central points of failure
  Reuse of infrastructure: standards from the WWW and the Web of Data are reused
Related work (“the competition”)
OpenID: user authentication without passwords
  1 billion accounts, 9 million sites
  requires user interaction
  not scalable, due to the number of HTTP connections required
OAuth: resource access authorisation
  defines a protocol for third parties to access resources
  manages access via tokens
  high HTTP connection overhead
  fragmentation (Twitter vs Facebook)
OpenID Attribute Exchange: protocol for exchanging profile data
  very limited vocabulary
  inflexible and hard to extend
  has not reached industry adoption
Summary
Coming paradigm shifts towards social eco-systems: recommendations in a multi-site and cross-domain context
Current eco-systems are built around centralised and closed hub sites
Alternative: eco-systems centred around secure and portable user profiles ("private by default"), founded on WebIDs and FOAF profiles
  provides incentives for users to share their profile data
  can enable a universal, decentralised social eco-system
Future work: implement and evaluate a prototype with all parties in a cross-domain setting