W3C Workshop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement

Day 2: 18 Oct 2006

See also: IRC log; Workshop home page; agenda; minutes of day 1

Attendees

Present
Chair
Günter Karjoth, Daniel J Weitzner
Scribe
Marit, rigo, jschallaboeck, tlr, Giles

Candidate Technologies III: Sharing & Credentials

Patricia Charlton, Jonathan Teh, Supporting the users' privacy preferences when sharing personal content

See also: Presentation

AA: What is different from DRM?

PC: Access and usage of privacy preference engine giving more...
... flexibility to the user / DRM is more complicated and ..
... application-specific. Here user-centred stage.

GH: How many users were tested?

PC: 12 users for pre-study, for other components 40 users

GH: Published?

PC: Now first findings (slides)

GH: What does "Personal semantic attack" mean?

PC: E.g. stalking in social networks, i.e. people you know can be the attackers

RI: Comment on DRM: two meanings of the term "sharing": disclosing to...
... outside (public) or having family members who have access to content ...
... with the same rules -> in this case it's not about preferences ...

PG: For people with disabilities it is important to control when to...
... disclose handicap information. Which kind of policy deals with that? ...
... How far are ontologies on that?

Giles Hogben, An open assertion and evidence exchange and query language -- requirements and abstract syntax

See also: Presentation

GH: More information in IBM Report RZ 3674 out end of October

(pre-copies could be provided by Giles)

PC: Data you wanted to protect (AIDS test to be deleted) - If you ...
... use now numbers representing this: How does this work for the end-user? ...

GH: Not shown to the user, automated system; important point: provably unlinkable to the user

RW: SPARQL - working draft (after having been candidate for standardisation)

GH: not necessarily to use SPARQL, but maybe XACML or SAML

DJW: How strong is the de-identification in the presented environment? ...
... Isn't there a trade-off between anonymity and reliability? You have to ...
... persuade someone to trust the assertions ...

MH: With the anonymous credential technology you can have both anonymity and accountability.

DJW: But possibility to link by additional information (being member...
... of a club and buying toothpaste at 9 o'clock each day)

PC: Make it harder to de-identify / link

HT: Does X.509 work? Certificates could be generated on the fly

GH: We haven't looked into that - more discussion later on

Jan Camenisch, Thomas Groß, Dieter Sommer, A General Certification Framework with Applications to Privacy-Enhancing Certificate Infrastructures

See also: Presentation

HT: Bunch of related projects, e.g., in OpenID, SXIP, IETF: How is ...
... this work related? Differences? What are the assumptions in this case? ...

GKA: Here theoretical background: sound cryptographic assumptions

GH: Really unlinkability

FW: Please explain second example: Why driver's licence without name?

GKA: You may question whether this is a good example. Take another one, e.g. AIDS test.

LFP: Strength in unlinkability, but weakness: identity theft. Here you ...
... use open transfer of attributes - at least in the current setting.

GKA: Don't agree - it is not about data, but only making a proof about...
... data. Replay is not a possibility.

PG: Software available? License?

GH: Will be Open Source.

GKA: Will check license and come back to you.

SP: Hard to achieve that people don't work on real data.

GKA: Notion of k-anonymity in databases. But how much information could be used by real attackers?

GH: What we have: For a given piece of knowledge: ...
... if you have a reasoner in the system, you could warn the user about inferences.

DJW: But problem if you move from a closed world to an open world.

AA: Have you really addressed the problem that the query is minimal?

GH: We addressed at least that it is possible to have a minimal...
... query, but not how to generate minimal queries.

GKA: This is also about preferences.

DJW: What do you do with that now? Knowledge is made by a number of queries?

AA: Problem "I want to use a specific application which asks for a lot...
... of data - I cannot afford the time to question these requests." ...

PC: We use ontology model - we have semantic data which we can attach to the data.

MH: Today we are bound to law, tradition, specific purpose requests...
... Solutions by auditing processes, privacy seals, user feedback ...
... processes, information services by third parties or peers (work in being ...
... done in PRIME). No "artificial intelligence semantic application" in sight.

(scribe misses part of discussion)

JH: There will be cases where we cannot do a complex reasoning, but...
... we may use chunking: grouping information into chunks which then enable ...
... reasoning. Then forwarding rest to humans or so to make the decision.

GH: To summarize: We don't know what the minimal assertion is, but we...
... can implement it with this technology.

Candidate Technologies IV: Interoperability across Policy Domains

Makoto Hatakeyama, Hidehito Gomi, Privacy Policy Negotiation Framework for Attribute Exchange

See also: Presentation

SP: privacy policy comparison seems to be key element of approach, provide tech details

MHY: our approach is only the protocol, we do not work on policy comparison...
... use P3P, compare P3P policies

RW: There was a project from nnda around P3P that used hashed policies that were registered with MITI ...
... are you using the findings of this project?

MHY: no, not aware

LFP: have to consider the policy is not the contract...
... you cannot define fixed sets, they are often changed in the course of negotiation.

MHY: Framework works for mobile carriers.

DJW: in US and European consumer protection laws the question is what the consumer reasonably believed

AA: Are your policies specific to a particular set, do you have different policies for each P3P option?

MHY: It is a complete set of P3P options.

Hannes Tschofenig, Henning Schulzrinne, Andrew Newton, Jon Peterson, Allison Mankin, The IETF Geopriv and Presence Architecture Focusing on Location Privacy

See also: Presentation

ED: what about access control. the mobile terminal will notify terminal...
... access control is the other way around, you need to pose conditions...
... how does this fit?

HT: we like to see the end user participate, more of a religious question...
... it would be possible to have the network do the work as well...

LFP: why did you not refer to idlf-work?

<rigo> ...privacy is seen differently than in OMA and 3GPP

<rigo> Johan: in OMA they are developing a completely different model, and some work is needed to re-converge

HT: There are a number of folks who use OMA in a different way.

JH: You will have to address this.

<rigo> Danny: It will be hard to have a universally accepted policy framework, not obvious and have to pay attention to fragmentation

DJW: it is only to observe that different groups have different sets of requirements.
... We would like to use everything we can from P3P...
... it would be good if W3C would contribute to IETF.

TLR: proposes to continue this discussion over lunch.

RW: as a warning: we are talking two paradigms...
... service offering services ./. preferences on user side.

<rigo> policies take different semantics than preferences that can be sent forward

HT: I do not think OMA is any simpler...
... we tried to talk to them, but the formats are incompatible...
... look at the standards, we use SIP...
... their expertise is strong, but there were not a lot of contributions in an IP-based environment.

Lalana Kagal, Tim Berners-Lee, Dan Connolly, Daniel Weitzner, Promoting Interoperability between Heterogeneous Policy Domains

See also: Presentation

GH: how do you trust the groups (e.g. the girl scouts in the example)

DJW: you write the rule, where you specify who to trust. there is no absolute measure of who to trust.
... with regard to authentication, we have put that out of scope, but we can refer to the existing ones, this is not where our problem is
... you could always specify, a rule has to be signed by p3p.

PC: can you also make assertions about devices as opposed to social networks?

DJW: yes.
... it is an enormous HCI challenge.

Discussion

HT: we had to develop a language for privacy rules...
... because we had to transmit possible changes to the presence server...
... (on o.m.a.) you have to be very specific, with some of the items in the picture there is a lot of discussions of not using it...

<rigo> HT: presence work is often used as is...

HT: the difficulties show up, e.g. should the end host really see location.

GH: Also look at the difference between protocol and semantics.

HT: I can see how Rigo's comment would fit into a SIP environment...
... usually you do not talk to a presence server you do not know, because it is your (your provider's) server.
... often it is said, the work is too complex.

LFP: you have to manage all of this, you cannot stop at the protocol level.

Wrap-up discussion: Next Steps?

See also: Summary slide; initially prepared during the final session on day 1; further edited during this session.

DJW: Will go through themes that came up repeatedly ...
... some things need more research ...
... "what is user-centric" is likely to be interesting, but lengthy ...
... from several conversations, interest expressed in policy interoperability ...
... mechanisms for expressing mappings among different policy languages ...
... mobile environment might have one way for describing these ...
... other kinds of ubiquitous computing env might have diff policy language ...
... to express rules over same kind of info ...
... describe how these kinds of policies relate, so one can reason over them ...
... to editorialize, either there's one language, or one needs to talk about ...
... fulfilling interop needs between different kinds of policies ...
... talked about ways in which access control and usage control paradigms relate ...
... synthesize into common framework? ...
... subsumption? ...
... talked about need to express and bundle up user preferences ...
... have pre-defined sets of preferences? ...
... have standard way to express these preferences? ...
... caveat that came up in discussions: ought to be aware of expectations for ...
... deployment, time horizons, implementation efforts ...
... ought to be aware whether talking about standardization with near-term impact ...
... or whether we're doing work that's way out there and that might be picked up eventually ...
... seemed to hear preference towards near-term focus ...
... how do things relate to company priorities ...
... don't need to debate this ..
... but it's a theme to keep in mind ...
... are people generally comfortable with these topics, policy interop, framework, user preferences ...

GH: no updates since this morning?

DJW: policy interop was talked about a bit more ...

GH: language for evidence and certification ...
... but maybe that was my particular topic ...
... maybe it's not privacy related enough ...
... that's all part of the use idemix area etc ....

DJW: subset of point one, interop between policy languages?
... in order to have interoperable rule sets, need interoperability of what they operate on ...

GH: could be very specific
... if it's gonna be done at all, needs work toward that thing alone, not as part of other stuff ...

DJW: This doesn't assume how the work get done ...

GH: just mention it

DJW: identity assertions?

TLR/RW/GH: no, it's about the evidence that backs these

GH: maybe mention idemix; strong relationship

RW: don't forget what Ernesto said yesterday ....
... conditions, actions, obligations ...

SP: bind follow-ups to original scope of workshop ...
... impression that some of this might be out of scope ...
... can we re-bind to the initial questions of negotiation and enforcement?
... make clear how related to the original topics ...

DJW: suggestions?

SP: see language interoperability -- enforcement over a biz process ...
... if we don't have language interoperability, cannot guarantee privacy enforcement ...
... over a biz process ...
... DRM debate -- connection not evident ...

DJW: Don't think this proposes to have the DRM debate, but asks whether DRM techniques might be useful ...

SP: Make concrete what the relationship between privacy and DRM might be.

DJW: Can keep that in mind, good point.

MCM: related to point 2 (DRM), talked about common framework ...
... access control, usage control, data handling ...

RW: This is conditions etc

MCM: Framework!

RW: points 2 and 3

PS: ??
... data handling as concept is richer than obligations only

JJB: struck by word "ontologies"
... do we have a world ontologies library?
... make all the ontologies accessible

DJW: several
... we may have too many ...
... we can talk about it more ...

JJB: store them all in a repository ...

DJW: will pose as question under point 1 ...

JCP: negotiation was in the workshop title ...
... negotiation protocol ...
... negotiation will also need metric ...

DJW: negotiation was in the title of the workshop ...
... we might not have heard so much about it ...
... this list reflects what we did talk about, not what we should have talked about ...
... explore negotiation further? ...
... not obvious that standardization is req on negotiation protocol ...
... possible to assert that negotiation can emerge on top of standard policy languages ...
... however, we didn't hear much about it, so we can't conclude a lot ...

JCP: fancy negotiation schemes where you can ask a lot and get agreement ...
... kind of blue sky attractive ...
... don't think we might have people to do it ...

DJW: "negotiation" under "more research" ...

HT: commitment to products and implementations for things that take more time ...
... is tricky ...

DJW: negotiation was in scope for original P3P work ...
... but didn't work out ...
... tremendous amount of knowledge of this in the agent community ...
... that community clearly knows something about it ...

PC: link up with the agent community

HL: privacy vs user convenience / together with user convenience ...
... as well as privacy and authentication ....
... is that covered there? ...
... authentication doesn't always require identification ...
... put that into the research corner ...

DJW: We heard all the work going on in PRIME on privacy-friendly auth{orization,entication} techniques ...
... relevant? ...

HL: not sure whether more research is needed ...
... Marit?

MH: Giles?

DJW: one piece of it is standard way of describing evidence ...

GH: that might be enough for today

HL: well, question was what requires more research ...

MH: chunking could be very much of interest, not for standardization ...
... but for research ....
... user support ...
... minimization of requests ...

HL: user convenience, too

DJW: research question?

HL: user convenience during data conveyance in combination with privacy.

GH: what's data conveyance?

HL: that's disclosing personal data

GH: vague

HL: thing is that user convenience is incredibly important in mobile world ...
... constraints ...
... small screens ...
... slow devices ...
... little bandwidth ...
... store info on device, and make it simple to user to fill in forms ...
... use P3P to do that ...

PC: authentication techniques could be an example, but shouldn't be the heading ...

JJB: economic aspects ... dunno whether possible for W3C to organize special day just to dive into the economic aspects ...

RW: that's research ...

SP: support the idea

RW: DIW to host?

SP nods.

JJB: Could also do it in Rotterdam

HL: subject?

JJB: what we need to discuss is whether what we're developing is economically viable ...

DJW: W3C happy to co-sponsor such an event ...
... it's important to our work ...
... but not our main area of expertise ...
... happy to talk about it ...

SP: Didn't see a lot on negotiation or economic aspects at this workshop ...
... need to go deeper into that ...

HL: not questioning the day, just asking what you're envisioning. Clarification.

JJB: draft a program ...
... then limit scope ...
... more than enough to have a small symposium on the economics ...

GH: question that. PRIME spends a lot of money on that topic

GKA: there's more than prime

JJB: PRIME had economics work package ...
... but they haven't achieved more than describing the borders of the problem ...
... won't go deeper ...
... Sören has a lot of material to discuss, deeper than what's in PRIME ...
... when there's no proper biz model, things will stay in pockets ...

MH: IST conference in Helsinki, workshop on biz models for identity ...
... PRIME, FIDIS, OpenTC ...

GH: don't duplicate!

DJW: suggest to come back to first three topics ...
... sure we'll spin out more new questions as we go ...
... propose to start with first question of policy interoperability ...
... things are likely to happen in a variety of diff policy languages ...
... users gonna have hard time to make choices ...
... user agents gonna have hard time to present useful information ...
... data collectors will have hard time knowing they communicate policies ...
... accurately ...
... some of this is also the problem how back-ends talk to each other ...
... several directions ...
... one is a single language ...
... I'm personally relatively sceptical about that ...
... partially institutional reasons, partially substantive ...
... promote some degree of greater interoperability amongst domain-specific ...
... languages? ...
... or is there no solution, and we move on?

PC: there's a number of diff policy languages out there ...
... many of the domain modeling techniques ...
... different ...
... same true for policies ...
... do we know what those sets of policies are that we can abstract from?...
... thinking a bit in line with work that came from Sun ...
... Robin's table ...
... guessing that's the very first step ...
... some big steps before that ...
... inventory and analysis of policy languages ...
... which we have today and of which we might want interop ...

SP: join skepticism about unified language ...
... clarifying interfaces between languages would be big step forward ...

DJW: Anne?

AA: There are clearly some things XACML doesn't do, due to lack ...
... of formal semantic framework ...
... found self thinking "XACML can do that" when listening to other presentations ...

DJW: how would xacml approach reasoning over P3P policy language and geopriv language?

AA: mapping between the two?

DJW: trying to give scenario
... run a web site ...
... has a p3p policy ...
... you have a user agent, a browser ...
... with some preferences ...
... it will evaluate preferences against browser ...
... now take the browser and its preferences on mobile device ...
... mobile device also ships location information to me ...
... assume that information includes the name ...
... I'm able to get that information ...
... now, I have your name, that I didn't have before ...
... inferring things about geopriv policy language that I don't know ...
... assume it has a way to say "collect your name, don't" ...
... is there a way to express geopriv and p3p in my browser, and learn whether my p3p preferences have been respected ...

AA: ontology?

ED: exactly what I meant yesterday, preferences to conditions ...

DJW: trying to get to specific question how xacml will deal with things ...

ED: in this scenario, xacml is target language ...
... xacml will have the access conditions to data ...
... preferences don't state this in generic declarative way ...
... so not enforceable as such ...
... could those be enforced by translating ...

DJW: not asking enforcement question, but reasoning question
... what I heard from Anne ...
... is that if there is ontology that links two languages ...
... then XACML interaction (??) ...

AA: what P3P calls a name includes more things ....
... that might be a subset of what another language calls a name ...
... not trivial ...

HT: example explained well what the problem is ...
... usage scenarios are different ...
... so you see where mapping would take place ...

DJW: how are they different?

HT: focusing on SIP-based presence environment ...
... XACML wouldn't fit there, either ...

DJW: why?

HT: in HTTP case, it was somewhat difficult to extend SIP-based mechanisms ...
... of course, possible to extend everything ..
... can do whatever you want ...
... need more investigation before can say whether it makes sense to combine things ...
... and align them ...

JCP: ??? is one of worst ideas we had in recent years ...
... event time based trigger not expressible in xacml? ...
... access control perspective ...
... developed ontology, kind of ...
... enter information ...
... to the first point ...
... don't know evolution of xacml ...
... some 200 functions ...
... data type ...
... if we go to ontology, also need to consider functions ...
... if we want to express what you said, will be difficult, but not impossible ...
... go for thinking of ontologies mapping ...

GH: isn't solution to this point what you presented this morning, Rein?

DJW: don't know

GH: It's one solution to that exact problem

DJW: given certain conditions, yes

GH: start from scratch with Rein or do what has community?

HT: Trying to see how xacml fits locational presence ...
... possible to describe conditions and actions ...
... not a big deal ...
... event stuff that was previously mentioned goes beyond access control ...
... requires concept of what do with SIP ...
... when tying geopriv and SIP ...
... presence information ...
... in generic HTTP/web environment, it becomes more difficult ...
... how to send messages? ...
... problem not that things don't work ...
... with some of the mechanisms, it's (from IETF point of view) ...
... tried to get XACML into picture couple years ago; push-back ...
... presence work moving forward and being deployed ...
... operator preferences when deploying ...

AA: If you want to reason across policies, XACML isn't what you need ...
... different abstraction level ...
... talking about different things here ...
... specific languages ...
... how can we reason over communities of languages is different problem, and requires different way of expressing it ...

DJW: We have two sets of questions here ...
... one is, is there a reason to do a broader privacy & access control lang for web ...
... or for some communities on the web ...
... the other is, how do we deal with language interop issues ...
... second question is in a way more fruitful ...
... communities go off and do what they do ...
... if they think their interop reqs are minimal ...
... lightweight ...
... but also allow to fulfill interop requirements ...

RW: specific question; came up in PRIME ...
... protocol paradigm ...
... over years of P3P work, saw misunderstanding again and again ...
... Ernesto said "it's a target language" ...
... expressiveness is a function of protocol ...
... If I use a p3p protocol ...
... ask service, draw policy, policy says what service does ...
... one reason for workshop is change of paradigm ...
... sending data to service, expect service to follow rules sent along with data ...
... "destroy it", things like that ...
... these are a bit different ...
... different from privacy perspective from what we've done so far ...
... big question that came up is whether can push data with xacml ...
... give capabilities, get access ..
... client/server thing ...
... look at data handling paradigm ...
... some web services, acting peer-to-peer ...
... make sure that handling of data item follows rules that were stipulated before ...
... xacml semantics in this case?
... orthogonal to protocol?
... dependent on protocol?
... might need something else/more ...
... XACML major target language of that kind of system ...
... Anne?

AA: Really want to apologize ...
... not a theoretical language person ...
... for your question ...
... there is at least one ongoing effort to use XACML in association with data ...
... looked at within trusted computing kind of model ...
... ensure that all access goes through policy ...
... it's not "can XACML do this"?
... but how is it used? What's the security model?
... XACML only a tool ...
... only one component ...

GKA: xacml as any other policy language is no more or less than an oracle ...
... you feed it with credentials, and then it tells you whether access is allowed or not ...
... maybe with obligations attached ...

HT: have to think about architecture ...
... how to attach policy to data ...
... size consideration ...
... large xml documents are an issue in mobile world ...
... have other party online ...
... different ways to use it ...
... implement in a proper way ...
... compiling information in way necessary to get decision ...

(discussion on naming convention)

??: people use in specific way ...
... might have to reconsider a few aspects ...

GKA: deployment question vs. language question

HT: protocol question ...

GKA: differentiate between language as defined by oasis and possible deployments ...

MCM: it can also be a language issue if you cannot describe the right events to give an answer...
... it can be not just based on accesses but other events ...
... you provide a set of attributes ...
... if these attributes encode all the right kind of information, then you are happy with XACML ...
... even data sitting on an enterprise platform needs to be referred to by policies which need ...
... to be enforced all the time even when data is just sitting there

DJW: Wrapping up where we are ...
... there are 2 states ...
... 1. which policy language an application uses is an empirical question which every environment will decide ...
... locally where that's not possible, for whatever reason, some data abstraction is required ...
... ontologies unify different statements from different languages ...
... nobody suggests that we would make progress towards an über rule language ...
... Would it be useful for the W3C policy interest group to bring the communities together ...
... Patricia's suggestion to do a survey of languages out there ..
... who is interested in that ...
... might be relevant to RIF group ...
... that's going on in W3C ...
... work on WS-Policy?

rigo: yes

DJW: work in WS space that's relevant ...
... useful to have point of contact between that group and policy people here ...

RW: semantic web services relevant as well ..
... interest group ...

DJW: to translate, IG is a group that gets together, with relatively minimal support ...
... but group doesn't have charter to produce formal specs ...
... but can produce documents that get reviewed ...
... place to continue conversation in a focused way ...

??: looking at 5, 6, 7 in research points list ...

DJW: let's finish point 1 ...

<Giles> interest in such a thing - Patricia, Sören,

DJW: had two specific recommendations ...
... standard language for evidence ...
... John on ontology discovery ...
... Giles, want to say anything about this aspect ...

GH: evidence stuff?
... I said a lot in my talk ...
... but for anonymous credentials, it's certainly important ...
... emphasize importance of separating evidence and assertions ...
... they have been mixed up badly in the past ...
... as soon as you factor out trust ...
... then it creates a lot more power ...
... can have the same assertion, but different kinds of evidence ...
... bring reputation, community, idemix, what have you ...
... then there's aspect of user friendliness ...

DJW: ongoing discussion in semantic web community ...
... whether to standardize foaf ...
... or some other ontology for describing attributes ...
... names, relationships ...

GH: describe trust, mechanisms to evaluate trust ...
... who said what about who? ...

DJW: interesting area ...
... it's the kind of thing that could profit from informal community ...
... don't wanna use the word standard ...
... foaf has evolved in bottom-up way ...
... other lightweight id technologies that need same set of tools ...
... same sort of consensus on terms ...
... and types of data ...

GH: metalanguage

DJW: yeah

GH: starting point could be paper by Dieter and Giles ...
... ontology sketch ...

DJW: possible use for a policy interest group ...
... boil a paper down into what could be outlines for a tech spec ...
... get review of it ...
... way to get feed-back from immediate community ...
... get people to help ...

GH: interested in doing that ...
... maybe not in three weeks ...

SP: different experts in different languages ...
... bringing these together might be healthy ...

-- short break --

DJW: We can consider #1 wrapped up ...
... record identities of everybody interested in the Interest Group ...

HT: W3C membership considerations?

DJW: open for discussion
... suggest PFIG ...
... interested: ...
... Patricia Charlton ...
... Anne Anderson ...
... Piero Bonatti ...
... Giles Hogben ...
... Renato Iannella ...
... Hannes Tschofenig ...
... Marco Casassa-Mont ...
... Pierangela Samarati ...
... Jean-Christophe Pazzaglia ...
... Marit Hansen ...
... Sören Preibusch ...
... Xavier Huysmans ...
... thanks ...
... this does not constitute the creation of the group ...
... some process to go through, find chair, etc ...
... expect to hear back from us ...
... fact that there's this number of people interested is important sign ...
... before go into item 2, general point ...

GP: disability issues ...
... accessibility ...
... negotiate how far to give information ...
... information often asked in very quick way ...
... sign lots of forms without reading at bank ...
... membership in group and the like is very important ...
... include disability info in passport? ...
... does someone know other group? ...
... european disability card? ...

DJW: useful way to record is as a use case ...
... for preferences and usage rules ...
... use case that want to make sure is satisfied ...

GP: ???

GH: Not relevant to topic.
... this is about policy languages ...

GP: language should accept input from other way of taking care of this information ...

TLR: vocabulary requirement?

GP: more research.
... looking for others who might be interested ...
... language for representing this information ...

RW: Will go to Geneva tomorrow, ICTSB meeting ...
... round table of all the major European standardizers ...
... they have a working group that addresses all kinds of disabilities ...
... which is called DABSIG (?) ...
... right forum to address these concerns ...
... addressing disabilities, accessibility ...
... far beyond the web and the languages we are talking about here ...
... happy to give reference ...

GP: thanks

JZ: Also relevant to SC27 SGs on identity management and privacy frameworks.

DJW: Next of our three topics -- talked yesterday about access control, data handling, usage control ...
... are different, same, overlapping, care about this, ...
... think that from my standpoint, there is substantive ...
... functional difference between rules that govern ...
... access conditions on data, and rules that govern ultimate usage conditions ...
... say that from a public policy perspective ...
... not from rules semantic perspective ...
... interesting question: how do we see the interaction betw access control expr and usage control expr?

RI: example from rights management perspective ...
... lots of blurring going on ...
... from work in edu sector ...
... want high level licenses ...
... "you can use this content for all students and staff" ...
... what's the access control mechanism to ensure that the folk accessing that content are students & staff ...
... rights license -> low level access control policy ...
... map together, keep closely aligned ...
... don't want to stipulate low-level details ...
... too binding ...
... separate rights and access control ...

PC: from our point of view (applications) ...
... social networking, sharing, content ...
... DRM & standards for commercial content, access, usage ...
... learn from it ...
... need simplified model to map what the users need ...
... this goes back to point 1, policy mapping ...
... at some point, go down to action level ...
... kind of the way we've used it ...
... rather than invent new terminology ...
... link that we saw ...
... in terms of usage ...
... more that can be done ...
... first step that we did ...
... enough challenges ...
... something we can pull in ...

PS: re difference betw drm and dhp ...
... in drm can put any rules on it ...
... any rules that I say applies ...
... when I get songs from itunes, whatever rules are there, enforce ...
... in b2b context, rules that biz imposes have to be accepted ...
... but when user sends stuff to business, can't impose arbitrary rules ...
... some, but not arbitrary ones ...
... Rigo's supermarket example ...
... so there's a difference from DRM ..
... both should be supported ..
... don't know whether same language / same rules ...
... constraints in data handling not related that much to rules, but to data (??) ...

RI: just to follow up on that point ...
... ODRL 2 ...
... that we're modeling now ...
... one of things put in there is ability to negotiate betw parties ...
... so it's not purely that one-way thing ...
... negotiation can occur ...
... want to use someone else's negotiation protocol, if possible ...
... instead of reinventing our own one ...
... can we reuse something in the rights management world?

RW: say: border between drm and data handling blurred -- agree ...
... but they have common characteristic ...
... data is released, but you want to continue to control it ...
... question of how to enforce is the same one ...

DJW: let's remind ourselves, access control vs usage control ...
... it's the case that DRM can cover both ...
... but they're different ...
... shift from usage rules to access rules is what gets DRM its bad reputation ...
...

PS: you say "two kinds of rules, access control and usage" ...
... usage isn't secondary usage, right? ...

DJW: don't mean "usage" in traditional data protection sense ...

AA: examples?

DJW: two examples ...
... you may never use genetic information to make decisions about health insurance coverage ...
... you may not copy more than one paragraph of this document ...
... those are both usage rules ...

PS: secondary usage control?
... constraints should I pass to others?

DJW: I guess those should be expressed as usage rules ...

PS: call secondary usage ...
... data-handling ....
... another kind of world with respect to usage rules ...

DJW: marco, referred to data handling rules ...
... not sure what they mean as distinct from other categories ...

Scribe misses part of conversation.

PS: what I call secondary usage is the policy that goes along with the data ...

DJW: from web perspective, reluctant to divide rules in that way ...
... understand data protection policy purpose for distinguishing between ...
... primary and secondary purpose ...
... important to express ...
... but disinclined to condition or qualify that by notion of transfer ...
... transfer is separate question ...
... can have secondary usage limitation on initial party ...

PS: who is that? ...

DJW: the first guy who gets usage ...

PS: I give health information to you, and you might have to pass it on ...
... I might want to further restrict what that other party can do ...
... not necessarily the same rules that apply to you ...
... sticky policy ..

DJW: happy to call it anything but access control ...

Scribe misses part of discussion.

PB: support latest point ...
... don't expect these differences between data handling and access control to affect shape as language ...
... more relevant to enforcement mechanisms ...
... pretty relevant to enforcement ...

MCM: what was the question to me?

DJW: data handling ... but don't need perfect taxonomy ...

MCM: what we call data handling in PRIME is obligation stuff ...
... not really access control & how you use data ...
... but rather life cycle handling ...
... data retention is an example ...
... notification ...

PC: examples due to usage control, when you hand over to second person, what we've done in system ...
... using policy model convert to rules, write what else can be done to content when handed over ...
... forward or copy content ...
... view, forward to certain environment ....
... encode into sticky policy ...
... that's usage of content ...
... access is already there ...

SP: wonder if there may be usage of data without having access ...
... relation between access rules and usage rules ...

XH: makes sense to make difference between first usage and secondary usage ...
... access control to data ...
... which entities are allowed to access data ...
... usage ...
... user preferences ...
... if you talk about secondary usage, talking about legislation there ...
... again, if I draw the parallel with own experience ...
... in egov ...
... really have specific regulations ...
... scientific purposes: even though you have collected data for specific purpose, can do other stuff when anonymizing data ...
... important to make the difference ...
... able to talk about other things ...
... not just usage and access control (??) ...

PS: agree on enforcement problem ...
... specific techniques to make sure policies get enforced ...
... not just enforcement ...
...
... before was talking about secondary usage, but have to correct self ...
... P3P was known as secondary usage control language ...
... can't do everything, only some things -- usage controls ...
... not sure what P3P does, but think it might capture this ...
... hospital example ..
... if my data leave the hospital, there should be constraints ...
... originator control ...
... all my data should be controlled by me ...

DJW: probably explored as far as we need to ...
... people have talked about diff kinds of rules, and they seemed to fall into these categories ...
... not sure we need to recognize anything momentous ....

Scribe misses part of discussion.

DJW: we have recognized there's more than one ...

XH: continue discussion about what renato said ...
... DRM v2 with domains and specs of devices ...

DJW: sorry to be rude -- want some time to talk about #3 ...
... lots of opportunities to talk about what >1 means ...
... user preferences ...
... questions raised in the 2 days about whether we need a way to express user preferences ...
... group them, predefined sets ...
... comment, suggested direction? ...

PC: one of the things that have come up from discussion ...
... ease of use ...
... lots of complexity ...
... map things to predefined set for certain set of applications ...
... other part is getting a privacy model ...
... in a sense that also maps back ...
... pertinent to application sets ...
... unify across different policy languages ...
... express preferences over these abstractions ...
... would help with simplifying things from user standpoint ...

SP: privacy preferences are private info as well ...
... there may be orgs such as consumer councils that might publish predefined sets ...
... see that there are languages that are centered on interactions ...
... like P3P, DRM langs, XACML, ...
... these don't reveal preferences

RW: important part of discussion ...
... perhaps try to conclude ...
... can we leverage XACML in user preference discussion?
... what it does, what it doesn't ...
... important point in workshop ...
... was important in PRIME ...
... will be important in other contexts ...
... mapping ...

AA: Example for XACML use to express user preferences ...
... perfectly possible to say "I'm willing to give credit card information if target is in certain domain" ...
... another one might be "willing to give name, if other party is willing not to pass on info" ...
... there's question of matching those against what target says it's able to do...
... that, too, can be expressed ...
... neither one of these is XACML policy ...
... expressed using these collections of constraints ...
... expressing sets of preferences ...
... combinations of things you're willing to accept ...
... perfectly possible to express in XACML ...
... possible for target to express capabilities ...

DJW: what do you mean by "not exactly XACML policy"?

AA: It's not possible to match 2 xacml policies in general ...
... semantics of policies are not something that let you determine that one is subset of another ...
... but it is possible to match collections of individual constraints that are expressed using the XACML constraint language ...

GH: would say preferences are just another kind of rule ...
... don't make them into something special ...
... difficulty is HCI ...
... use standards rule language to express query and event and match on this ...
... then do user-friendly abstraction (which is the hard part) ...
... been there with P3P ...
... APPEL ...
... could have used XPath and added user abstraction ...

DJW: we're right at end of our allotted time, esteemed co-chair has to leave ...
... don't think we'll get much further on preferences ...
... policy interoperability ...
... hci issues are very real ...
... semantic and computation closely related to policy interoperability ...
... come back to that ...
... going to suggest that we conclude ...
... unless anyone has anything that they think should cause co-chair to miss taxi ...
... thanks to Giles & JRC ...

(applause)

DJW: also acknowledge Rigo and Thomas who pulled that together ...

(applause)

(applause for chairs)

DJW: we'll circulate draft summary report, give you opportunity to comment ...
... will create list for everyone to circulate report, comments, etc ...

RW: would ask whether anyone opposed to being added to list ...

DJW: adequate consent

adjourned

<rigo> noted

<rigo> Kriegelstein wants to be on the mailing list too

[End of minutes]


Minutes formatted by David Booth's scribe.perl version 1.127 (CVS log)
$Id: 18-privacy-minutes.html,v 1.28 2007/03/14 11:27:58 roessler Exp $