Representation and Inference of Privacy Risks Using Semantic Web Technologies

Renata Vieira, PUCRS, Ipiranga Av. 6681, FACIN, CEP 90619-900, Porto Alegre, Brazil, renata.vieira@pucrs.br
Douglas da Silva, PUCRS, Ipiranga Av. 6681, FACIN, CEP 90619-900, Porto Alegre, Brazil, douglas.silva@cpph.pucrs.br
Tomas Sander, Systems Security HP Lab, 5 Vaughn Dr, Princeton, NJ 08540, USA, tomas.sander@hp.com

ABSTRACT

This poster discusses domain ontologies on the privacy field for automatic risk identification and project qualification. It presents an ontology model for describing risks as an interpretation of privacy policies contextualized in project specifications.

Categories and Subject Descriptors
K.4.1 [Computers and Society]: Public Policy Issues – privacy.

General Terms
Management, Reliability, Security, Legal Aspects.

Keywords
Ontologies, privacy, accountability, risk assessment.

1. INTRODUCTION

Attention to privacy legislation is an important issue in IT (information technology) projects to avoid lawsuits and loss of consumer trust [1]. The privacy domain in IT and accountable privacy management (APM) in organizations are explored in several works, as follows. In [2] a taxonomy describes concepts such as collection, processing, dissemination and invasion of information. Knutson [3] presents basic principles to create privacy awareness in software projects. This is done through the identification of privacy goals that fulfill legal obligations, the definition of a privacy core team with technical and legal experts, and the creation of guidelines to help developers become independent from the privacy experts. Similar concerns for software design are endorsed within other work on privacy awareness [4][5]. The KAoS Policy Ontologies (KPO) [6] define concepts such as actions, actors, groups, places, entities related to actions, and policies. An integration of policies relating several aspects of security, including authorization and privacy, into semantic web services is proposed in [7]. The BDSG ontology, which maps law statements to a machine-interpretable language, is presented in [8] as a way to enforce privacy in enterprises, using ontologies to generate XACML [9] policies. Hecker [10] argues that ontologies on the privacy field must enable interoperability, determine the privacy level of a transaction, and guide the implementation of privacy functionalities without requiring expertise from the domain. Hecker creates an ontology using terms from privacy notions and concepts from the European Parliament Directive 95/46/EC. Hu [11] proposes that the semantic model for EPAL privacy policies can be expressed as a variety of combinations of ontologies and rules.

Considering the importance of a proper representation of the relevant rules formulated for handling personal information, described in laws, guidelines, policies, and other normative sources, we propose an ontology describing data privacy risk related concepts, based on project actions. In particular, we address the appropriate usage of information under a set of rules based on the identification of privacy risks when dealing with sensitive information. An OWL ontology infers risks in terms of the actions of software projects and the effect of these actions over sensitive information.

2. REPRESENTING PRIVACY RISKS

Our model includes concepts such as personally identifiable information (PII), sensitive information, user actions, location, and risk levels. Restrictions and constructors to classify actions as risk actions are described through object properties. Figure 1 shows some of the relevant identified classes.

Figure 1. Privacy domain classes.

These are common concepts in documents, laws and guidelines of the domain for privacy assurance and accountable software development¹. Properties are used to relate actions to contextual information; examples are:

  Information Transfer  has origin  Country
  Information Transfer  has destination  Country
  PII  is sensitive information in location  Geo
  Action  involves information  Information
  Action  has secondary action  Action

Based on Argentina's provision [12], which presents a classification of risks as low, moderate and high, we exemplify risk inference as follows. Figure 2 shows the Risk_Action classes.

Figure 2. Risk classes.

In our model, privacy risks are inferred from project related information. Consider an instance of a project in the ontology which refers to actions that manipulate information such as name, address and social security number. This project instance is asserted using the relations involves action, involves information, has origin, has destination, and is sensitive information in location, as shown below.

  project  involves action
      information access
      information transfer
  information access  involves information
      name
      address
      social security number
  information transfer  involves information
      name
      address
      social security number
  information transfer  has origin
      USA
  information transfer  has destination
      Portugal
  social security number  is sensitive information in location
      USA

With these facts asserted in the ontology, an instance involving social security number will be classified as Sensitive Information in the USA as a consequence of a SWRL codified rule. In this way, the actions will be inferred as high risk actions: Sensitive Information Access and Sensitive Information Transfer.

3. FINAL REMARKS

Ontologies on the privacy domain are useful to provide ways to share vocabulary and to better understand a particular domain and its related concepts. Our research is aimed at building models that infer risks automatically from the specification of project features. Such knowledge intensive areas require advanced knowledge management technologies. A privacy core team is necessary to create and maintain such systems based on dynamically changing knowledge. Our model presents concepts and relations where actions involving data related to personal information, and their contexts (time, place), are related to risks. The proposed approach is intended to guide managers with risk assessment. The model is also designed to help privacy experts formalize risky situations in organizations. As future work we plan to map our concepts to other similar ontologies, linking for instance our action concepts to the action concepts of KAoS. We are also considering the processing of textual knowledge sources such as laws and guidelines to ease the identification of relevant domain information.

6. ACKNOWLEDGMENTS

This paper was done in cooperation with Hewlett-Packard Brasil Ltda. using incentives of the Brazilian Informatics Law (Law nº 8.2.48 of 1991).

7. ADDITIONAL AUTHORS

Additional authors: Alexandre Agustini (PUCRS), Caio Northfleet (HP), Fernando Castilho (PUCRS), Mírian Bruckschen (PUCRS), Patrícia Pizzinato (PUCRS), Paulo Bridi (PUCRS), Prasad Rao (HP), Roger Granada (PUCRS).

8. REFERENCES

[1] Mont, M., Thyne, R.: Privacy policy enforcement in enterprises with identity management solutions. In: PST '06, vol. 380, pp. 1--12. ACM, New York (2006)
[2] Solove, D. J.: A Taxonomy of Privacy. University of Pennsylvania Law Review, vol. 154, no. 3, p. 477 (2006)
[3] Knutson, T. R.: Building Privacy into Software Products and Services. IEEE Security and Privacy, vol. 5, no. 3, pp. 72--74 (2007)
[4] Duncan, G.: ENGINEERING: Privacy By Design. Science 317 (5842), 1178 (2007)
[5] Ye, X., Zhu, Z., Peng, Y., Xie, F.: Privacy Aware Engineering: A Case Study. Journal of Software, vol. 4, no. 3, pp. 218--225 (2009)
[6] Bradshaw, J. et al.: Representation and reasoning for DAML-based policy and domain services in KAoS and Nomads. In: AAMAS '03. Melbourne, Australia (2003)
[7] Kagal, L., Paolucci, M., Srinivasan, N., Denker, G., Finin, T., Sycara, T.: Authorization and Privacy for Semantic Web Services. In: AAAI Spring Symposium on Semantic Web Services (2004)
[8] Abou-Tair, D. D., Berlik, S., Kelter, U.: Enforcing Privacy by Means of an Ontology Driven XACML Framework. In: IAS 2007, Third International Symposium on Information Assurance and Security, pp. 279--284 (2007)
[9] OASIS XACML Technical Committee: eXtensible Access Control Markup Language (2003)
[10] Hecker, M., Dillon, T. S., Chang, E.: Privacy Ontology Support for E-Commerce. IEEE Internet Computing, vol. 12, no. 2, pp. 54--61 (2008)
[11] Hu, Y., Guo, H., Lin, A. G.: Semantic Enforcement of Privacy Protection Policies via the Combination of Ontologies and Rules. In: SUTC 2008, vol. 00. IEEE Computer Society, Washington, DC, pp. 400--407 (2008)
[12] Ministerio de Justicia, Seguridad y Derechos Humanos, Presidencia de la Nación Argentina. Dirección Nacional de Protección de Datos Personales (2006)

¹ A hyperbolic view of the ontology is available at http://www.inf.pucrs.br/~ontolp/Visualizacao/Privacy_Risks/Privacy_risks.html.
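The risk inference of Section 2, reproduced as an added plain-Python example (not the authors' OWL/SWRL ontology): the asserted project facts are stored as triples and a forward-chaining rule classifies each action. The rule body, the default for actions that match no sensitive information, and the assumption that only the origin location matters for a transfer are assumptions made here, not details the poster states.

```python
# Added illustration of the poster's risk inference; the authors' model is an OWL
# ontology with a SWRL rule, this is a constructed stand-in using (s, p, o) triples.

# Constructed facts, copied from the project instance shown in Section 2.
FACTS = {
    ("project", "involves_action", "information_access"),
    ("project", "involves_action", "information_transfer"),
    ("information_access", "involves_information", "name"),
    ("information_access", "involves_information", "address"),
    ("information_access", "involves_information", "social_security_number"),
    ("information_transfer", "involves_information", "name"),
    ("information_transfer", "involves_information", "address"),
    ("information_transfer", "involves_information", "social_security_number"),
    ("information_transfer", "has_origin", "USA"),
    ("information_transfer", "has_destination", "Portugal"),
    ("social_security_number", "is_sensitive_information_in_location", "USA"),
}

RISK_LEVELS = ("low", "moderate", "high")  # Argentina's three-level scale [12]


def objects(facts, subject, prop):
    """All objects o such that (subject, prop, o) is asserted."""
    return {o for s, p, o in facts if s == subject and p == prop}


def infer(facts):
    """Assumed rule standing in for the page's SWRL rule: an action that involves
    information classified as sensitive in the action's origin location (or in any
    location, when the action asserts no origin) becomes a Sensitive Information
    Access/Transfer and is ranked high risk. Actions matching no sensitive
    information keep their plain class at low risk (assumed default).
    Returns {action: (inferred_class, risk_level)}."""
    classified = {}
    for action in objects(facts, "project", "involves_action"):
        origins = objects(facts, action, "has_origin")
        kind = action.replace("information_", "")  # "access" or "transfer"
        classified[action] = (action, RISK_LEVELS[0])
        for info in objects(facts, action, "involves_information"):
            sensitive_in = objects(facts, info, "is_sensitive_information_in_location")
            if sensitive_in and (not origins or origins & sensitive_in):
                classified[action] = ("sensitive_information_" + kind, RISK_LEVELS[2])
                break
    return classified


if __name__ == "__main__":
    for action, (cls, level) in sorted(infer(FACTS).items()):
        print(f"{action}: {cls} ({level} risk)")
```

Dropping the social security number triples from FACTS leaves both actions at the assumed low default, which is how the rule separates the two projects.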