Semantic Web Reasoning Technologies for Web Privacy

Researcher: Norman Sadeh

Abstract

Over the past two years, my group has developed Semantic Web reasoning technology that enables users to specify privacy preferences by referring to any set of domain-specific ontologies, including context-sensitive preferences. Our Semantic eWallet technology has been validated in the context of pervasive computing scenarios on Carnegie Mellon’s campus. We propose to demonstrate that this technology can be extended to support the evaluation of website P3P policies subject to user preferences expressed in the APPEL language as well as subject to more complex, context-sensitive preferences (e.g. “I’m only willing to disclose my location to nearby stores when I am in a shopping mall”). The product of the proposed research will be a software prototype along with a scientific article evaluating the benefits of our Semantic Web reasoning technology for Web privacy in terms of expressiveness, accuracy and performance. Our existing Semantic eWallet technology allows a user to specify privacy preferences in the form of:

  • Access control policies – to specify what entities have the right to request information about the user under different sets of conditions (including context-sensitive conditions)
  • Obfuscation policies – to specify the level of detail at which information about the user will be disclosed (e.g. disclosing the city the user is in, versus the building he is in, versus the room he is in)

Upon receiving a request for information about the user (“query”), the eWallet’s reasoning engine evaluates the specifics of the query (i.e. what information is being requested, by whom, under what particular conditions) against the user’s privacy preferences. If the request is deemed allowable (i.e. it satisfies relevant access control policies), the answer is post-processed to enforce any relevant obfuscation policies. Access control policies and obfuscation policies can refer to any domain concept specified in relevant ontologies (e.g. an ontology of locations to differentiate between malls, offices and private homes). Ontologies are expressed in the OWL language, a W3C recommendation as of February 2004 (W3C, 2004).
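A toy model of the query flow just described (access-control check first, obfuscation post-processing second), as an added example that is not code from the Semantic eWallet project: the dict-based policies, the requester type and context fields, and the city/building/room granularity ladder are assumptions standing in for the OWL ontologies the real engine reasons over.

```python
# Added illustration, not the eWallet implementation. Policies are plain Python
# objects; the real engine evaluates them against OWL ontologies.
from dataclasses import dataclass
from typing import Callable

# Constructed sample: the user's location at three levels of detail.
LOCATION = {"city": "Pittsburgh", "building": "Mall A", "room": "Store 12"}
GRANULARITY = ["city", "building", "room"]  # coarse -> fine (assumed ladder)

@dataclass
class Query:
    attribute: str       # what is requested, e.g. "location"
    requester: str       # who asks
    requester_type: str  # domain concept the ontology would supply, e.g. "store"
    context: dict        # conditions at query time (assumed keys below)

@dataclass
class AccessPolicy:
    attribute: str
    condition: Callable[[Query], bool]  # may inspect context (context-sensitive)

@dataclass
class ObfuscationPolicy:
    attribute: str
    requester_type: str
    level: str  # finest level of detail disclosed to this requester type

def allowed(query, access_policies):
    """Allowable if some access-control policy for the attribute holds for this query."""
    return any(p.attribute == query.attribute and p.condition(query) for p in access_policies)

def obfuscate(query, value, obfuscation_policies):
    """Post-process the answer: keep only levels no finer than the policy's level."""
    for p in obfuscation_policies:
        if p.attribute == query.attribute and p.requester_type == query.requester_type:
            cutoff = GRANULARITY.index(p.level)
            return {k: v for k, v in value.items() if GRANULARITY.index(k) <= cutoff}
    return value  # no obfuscation policy matches: disclose at full detail

def answer(query, data, access_policies, obfuscation_policies):
    """Evaluate a query against the user's preferences; None means the request is denied."""
    if not allowed(query, access_policies):
        return None
    return obfuscate(query, data[query.attribute], obfuscation_policies)

# "I'm only willing to disclose my location to nearby stores when I am in a shopping mall."
POLICIES = [AccessPolicy("location", lambda q: q.requester_type == "store"
                         and bool(q.context.get("nearby")) and q.context.get("user_in") == "mall")]
# Stores learn which building (mall) the user is in, never the room.
OBFUSCATION = [ObfuscationPolicy("location", "store", "building")]
```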

In contrast to the above, a P3P policy is typically not a request for a single piece of information but rather a statement about the type of information a website is likely to request, for what purpose, how that information will be treated (e.g. shared with third parties), the type of business operating the website, etc. We propose to develop a reasoning engine based on our semantic web technology that will be capable of automatically evaluating a website’s P3P policy against a user’s privacy preferences. This will be done by developing OWL ontologies to capture relevant domain concepts introduced in P3P and APPEL, loading them into our engine along with relevant annotations capturing the website’s policy and the user’s preferences. In addition, we propose to demonstrate extensions of these ontologies that enable users to specify finer, more nuanced privacy preferences, including context-sensitive privacy preferences.