Using P3P to Negotiate Access Rights To User Profiles

Wolfgang Woerndl (
Technische Universität München
Munich, Germany

This position paper demonstrates the application of P3P and APPEL in decentral management of user profiles. After a short introduction, our ideas for privacy preserving identity management are summarized. A more detailed presentation can be found in [1]. Finally, some requirements to make P3P more suitable for user profile management are outlined.

1. Introduction

Storing user profiles separately from the (personalization) services that are using them allow reuse of user data for several services. User profile agents or "ID Repositories" [1] manage profile information and distribute it to services such as adaptive Web sites, community support systems or E-Commerce agents. An identity management system allows people to define different identities, roles, associate personal data to it, and decide whom to give data and when to act anonymously. Identity management systems should also empower the user to maintain their privacy and control their digital identity.

Commercial systems such as Microsoft .NET Passport ( or the Open Source Liberty Alliance Project ( are already being used or are under development. However, these applications presently lack strong privacy mechanisms. Users need to control access to their personal data. Access control based on privacy policies and preferences is an integral part of our project to decentral user profile management, that will be outlined in the following section.

2. Identity Management and Privacy


In our project Cobricks ("Bricks for community support systems",, we are exploring ideas for federated user profile management, especially to support (virtual) communities. We are interested in interoperability among systems and nevertheless preserving the privacy of personal information. In our scenario, a service agent requests user profile information from a user profile agent and the system needs to determine whether access should be granted or not. Therefore, an access control system based on the purpose and context of data accesses is needed.

Negotiation of Access Rights

The proposed access control system for user profiles consists of two phases:

  1. Negotiation of access rights using privacy policies and preferences, and generation of an Access Ticket
  2. Data access with the Access Ticket
The negotiation of access rights is based on P3P and APPEL. An user profile agent evaluates the access request and the P3P policy of the service with user preferences. These user preferences are APPEL rules with some extensions to faciliate access control principles such as access modes (e.g. "read" or "write"). If the user profile agent cannot reach a decision, user interaction may be necessary. The result of this semi-automatic negotiation process is an Access Ticket (AT).

Access Tickets

The Access Ticket is a XML document that manifests the access rights of a certain service to the user profile information. The AT is digitally signed by the user profile agent or ID Repository on behalf of the user and must be presented by the service with each data access. The following is a (simple) example:

 <USER LEVEL="pseudonymous">nickname123</USER>
 <ACCESS RESOURCE="/interests/*">
   <READ OPTION="distributable"/>
 <ACCESS RESOURCE="/payment/creditcard/number">
<PURPOSE> is a mandatory element for each access. It is possible to formalize "distribution of profile information", among other options. In addition, secure and/or anonymous communication is integrated in the access control system. For example, a user could state that access to her/his credit card information is allowed only if the data is transmitted over a secure channel such as SSL. Released Access Tickets may be checked and revoked by the user at any time, e.g. if s/he changes her/his mind about her/his privacy preferences or the trustworthiness of a particular service.

Identity Management

In addition to the presented framework, it is possible for a user to manage more than one identity or role. For example, a user might have a "work" and "private" role and maintain different profile attributes such as Email addresses and access rights for each identity.

The access decision is dependent on whether the (real) identity of a user has to be revealed or not. This is done in our approach by introducing several levels of identity, including: "veronymous" (a users’ identity is revealed and proven by a digital certificate where required), "pseudonymous" (transactions can be linked to a pseudonym but not to a particular individual, e.g. nicknames in a discussion forum) and "anonymous" (information cannot be associated with a user at all). Users can specify different set of rules for different identities and/or identity levels.

3. Conclusion

The briefly presented solution to privacy-preserving user profile management tries to combine access control and privacy protection concepts. The Access Tickets are similar to other XML based access control approaches such as XML Access Control Markup Language (XACML,, but tailored for user profil data access. In our project and possibly related work such as the Liberty Alliance Project or eXtensible Name Service (XNS,, P3P and APPEL are used (or could be used) to determine access rights to personal information.

Our goal is to study and contribute towards efforts to make P3P and APPEL more suitable for the presented scenario, in particular:

Realizing some of the proposed enhancements in Appendix A of the current APPEL Working Draft would also help, for example:

We think it is useful to further enhance P3P with regard to identity management requirements, because identity management systems on the Web might become even more important in the near future.


[1] Koch, M.; Woerndl, W.: Community Support and Identity Management. In: Proc. Europ. Conference on Computer-Supported Cooperative Work (ECSCW2001), Bonn, Germany, Sep. 2001.