Secure E-Commerce – Privacy Right Management

Introduction

The problem of privacy on the internet is one of the most challenging concerns of recent times with the advent and rapid growth of e-commerce and international trade. Many people stay away from e-commerce and doing business on the internet for fear of losing privacy. As a result there is an increasing need for good code that would enable machines to understand privacy policies. Privacy Rights Management is a technology to enable websites to express their privacy policies in machine readable form and help users set their preferences about the sort of data they are willing to share and the sites they are willing to visit.

Since it is difficult to integrate varied legal privacy regulations of different countries, it has been found that companies can follow some simple privacy principle and build fair information practices into the systems architecture. Kenny and Korba (2002) in their paper have first outlined the need for management of personal data for the people in Europe and then have described how to adapt systems that were originally developed for DRM to PRM in such a manner that it reflects the requirements of Directive for the protection of personal data.

Ann Cavoukian (2002) in her paper titled “ Privacy and Digital Rights Management (DRM): An Oxymoron?” focuses on the privacy aspects of DRM. First, the paper elaborates on the concept of DRM and then discusses the impact of DRM on the privacy rights of consumers. Then, Cavoukian suggests seven steps to embed privacy into DRM technologies and finally provides readers with privacy tips for purchasing digital products protected by DRM technologies.

Privacy Rights Management

Review and summarize how PRM is actually implemented? Are there multiple competing methods? What about TEPS?

Korba and Kenny (2002) in their study titled “Applying Digital Rights Management Systems to Privacy Rights management describe the PRM as distributed management of personal information in accordance with EU data protection legislation (3). In particular, they examine the architectural potential of DRM to manage the requirements of the EU Data Protection Directive. Hence their work is more location centered.

According to them the PRM is made up of the data subject, the data controller and the data processors. The data subject is the owner of the personal data managed by PRM (3) and the arrangement is defined by the Directive (3), which outlines the privacy regulations in the European Union. The data controller or the web server manages the overall collection, storage and processing of data. There may be one or many data processors associated with the PRM system dealing with data from many different data controllers (3). After authentication of the client is established, a PRM can provide anonymity through trusted third parties or Private credentials.

The PRM server block provides base PRM services and also maintains several databases. The authors note that while in a DRM there is unlimited scope for user tracking, the data processor and data controller in a PRM are constantly monitored to ensure that subject tracking is in accordance with Article 7 from the Directive (3). Kenny and Korba (2002) note that the three aspects of DRM functionality of particular interest to PRM architectures are Asset Creation, Asset Management and Asset Usage (3).

Asset creation deals with creation and validation of rights. Asset management deals with the access and retrieval of content and metadata in distributed databases and Asset Usage refers to the monitory and tracking of content use. However, recognizing that it is difficult to integrate legal requirements into the development of new systems, they also put forward some simplified privacy principles that companies can use as a starting point for a detailed analysis of the privacy aspects of systems architecture (3).

Ann Cavoukian (2002) suggests seven steps for integrating privacy into DRM technologies and they are: defining the privacy expectations of the public and identify legislated requirements; develop privacy policies and principles; assess human and information resources focusing on personally identifiable data; do a threat risk assessment by completing a privacy impact assessment; deploy ways to manage risk of privacy at the system level; introduce at the source level, rules and controls for implementation; deploy and audit through a model of continuous improvement (5). Of these steps the fifth step deals with the implementation of the PRM.

According to Couvakian, one useful methodology for building privacy into systems architecture is Privacy Rights Management. Couvakian describes PRM or privacy rights management as” the process of integrating a company’s privacy policy into technical practices by developing systems architecture rules and designing controls around the collection of personal information, linkability, access, use and accountability, as well as delineating business processes that use personal data” (5). Cavoukian has emphasized that the methodology rules must be in according with the level of sensitivity of data.

Korba et al (2005) in the paper titled “Scenarios for Privacy Rights Management using Digital Rights Management” discuss a way of protecting copyrights based on data carriers (Digital rights Management). The aim is to provide personal data with an inextricable digital label containing the privacy preferences. Digital rights management (DRM) was basically created “to facilitate controlled distribution of digital content and to combat breaches of copyright law” by several methods such as locking and metering, payment, tracking and record keeping. Korba et al (2005) suggest that PRM can use these same technologies to protect personal data.

There are four entities involved in DRM such as Digital Content, Digital Content Owners, Distributors and Users/Customers. Likewise, there are four entities involved in PRM such as Personal Data, Data Subject, Data Controller and Data Processors (2). In order to adapt a DRM to a PRM, correspondence between their respected entities is established. Personal Data within PRM is treated as Digital Content within DRM, the Data Subjects in PRM are treated similarly to Content Owners within DRM, the Data Controller has similar functions as the Distributor in DRM, while Data Processors in PRM are similar to Users/Customers within DRM.

Within a PRM system, servers handle the functions of the Data Controllers and Data Processors (2). There have been many other competing methods of PRM such as the ones founded by Karjoth et al. called the Enterprise Privacy Architecture Language (EPAL) and that founded by Gunter et al. for privacy management in the context of location-based services (4).

Kenny and Korba (2002) have outlined a Privacy Rights Management system based on digital rights management in accordance with the European Directive. Hence it cannot be applied in the context of other countries. Discussions by Ann Couvakian outlines seven steps to improving privacy within a system but does not detail the implementation of a PRM. Korba et al (2005) is an extension of the work done by Kenny and Korba (2002) and describes in detail the adaptation of a DRM to become a PRM.

All of these privacy enhancing technologies cannot ensure privacy when a vendor operates against his stated privacy policy and anonymity may not be applicable when transactions require identification of participants. Ryoichi Sasaki has proposed a service oriented technically enforceable system (TEPS) that assures privacy for customers who transact with dubious online vendors (4). This system can also extend its support to protect customers even when multiple vendors interact in composite web services. In this method, a semi trusted processor is introduced for safe execution of sensitive customer information in a protected environment and accountability is provided in case of disputed transactions.

The Technically Enforceable Privacy and Security (TEPS) system operates as generalized service at the application level protocol layer and is suitable in service oriented architecture to prevent vendors from ever gaining access to customer privacy information (4). TEPS is made up of

• a client machine operated through a web browser;
• a client computer used by customer in transacting with a vendor;
• semi trusted processor used to process vendor business logic on customer PII data such as payment gateways;
• certification authority and
• accountability authority.

The certificate authority and accountability authority of TEPS are important aspects for the TEPS that guarantees privacy and accountability (4).

In a sense, PRM is also voluntary as there is no enforcement component (unlike TEPS).

However, since PRM involves negotiation (ie a contract), a breach of privacy lawsuit might be more lawfully enforceable. Is P3P a contract also? Discuss.

Korba et al (2005) have explained why in the case of PRM, a breach of privacy lawsuit might be more lawfully enforceable. In the PRM there are processor controller related records of three types: processing agreements, audit information and PII tracking data. Processing agreements refer to “electronic documents containing arrangement details between the controller and processors including: types of data the processor may accept, limits to the processing endorsed by the Controller, time limits for PII access, agreements and details for audits (timing, type of data collected), and, time stamps and approval signatures for the agreements” (13).

Hence, the processing agreements are like legal contracts. In the case of breach of contract there will be proof in the form of audit information and PII data track logs. Audit results will reveal the discrepancies between the data held by the processor as compared to those held by the controller and PII data tacking is done by the controller by tracking PII Data sent to each processor, time of the transfers, and pointers to policies and purposes for processing. Because of the availability of signed documents and concrete evidences of breach when it happens, it is easier to file a lawsuit in the case of PRM.

The Platform for Privacy Preferences (P3P) project enables easy communication about the privacy preferences of internet users in standardized form that can be read by the information system. Even though P3P meets the consent and self determination principles for internet applications, it may not be considered a legal contract as it does not fulfill the legal requirements for its processing to be considered as legally binding.

Robert Thibadeau says that P3P “lacks a mechanism to allow sites to offer a choice of P3P policies to visitors, a mechanism to allow visitors (through their user agents) to explicitly agree to a P3P policy, mechanisms to allow for non-repudiation of agreements between visitors and websites and a mechanism to allow user agents to transfer user data to services” (1). This means that P3P does not have the ability to negotiate with the Web Server on a contract that could be legally binding. According to Bergkamp, in the US, privacy is conceived more as an interest that can be negotiated away and hence P3P is not generally the basis of lawsuits (6).

But, such a contractual waiver would not necessarily be effective in Europe where privacy is conceived as a fundamental right. In this regard, the EU privacy Working Party has said that a technical platform for privacy protection will in itself is sufficient to protect privacy on the Web. Use of P3P risks shifting the onus primarily onto the individual user to protect him (6). There is also the risk that P3P could mislead EU based operations into believing that they can be discharged of certain of their legal obligations if the individual user consents to this as part of the online negotiation. Overall, it is true that PRM is more bound by contractual laws than P3P.

Privacy laws differ in different jurisdictions. Discuss how these can be implemented in terms of PRM, What about layers of templates?

Korba et al (2005) point to the fact that it is very challenging for organizations to comply with existing and emerging privacy laws as compliance with legal privacy regulations may involve having to deal with clients from different countries with differing legislations regarding privacy and different types of data sets to be handled (2). They suggest that ideally information systems should automate at least some of the legal privacy requirements. This is a complicated task.

The development of meta-languages to describe data permissions for usage and Digital Rights Management (DRM) for controlling access to files are both technologies that are moving toward the automation of privacy compliance in PRM (2). Ann Cavoukian says that there is no comprehensive national privacy legislation in the U.S. that applies to the private sector in the context of DRM or PRM and violation of privacy rights is most often addressed by consumer protection statutes or state privacy laws.

But there is clear privacy legislation in other countries (5). The European Union (EU) in 1995 passed the Data Protection Directive that lists rules for protecting privacy of personal data held by government and private sector agencies (5). The directive also holds that data must be transferred only to countries that provide privacy protection. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is applied to federally regulated private-sector organizations that collect, use or disclose personal information, either in paper or electronic format, in the course of their commercial activities.

Hence PIPEDA is not applicable for US companies that use DRM technology except in cases involving personal information (5). Ann Cavoukian concludes that when there is not privacy legislation in a country, fair information practices must be adopted. Though what Ann Cavoukian has said is mostly in the context of DRM technology it is equally applicable to PRM as both are related factors (5).

Conclusion and Recommendation

Privacy rights management is acquiring increasing importance in the twenty first century with the advent and growth of e-commerce. Personally Identifying Information (PII) is collected on a daily basis on websites. To ensure privacy of the clients, privacy rights management must be incorporated into existing system architectures. One of the most popular methods of privacy rights management is based on the privacy methods used in DRM technology.

The organization’s written privacy policies must first be entered into the privacy management system and then they must be integrated into the processes. The client must be allowed to make his choices regarding data privacy and is kept informed whether his wishes are complied with by the website. It is ideal that the PRM is automated to include legislative privacy regulations.

References

1. Thibadeau, Robert. A Critique of P3P: Privacy on the Web. 2000. p. 1-9. Web.
2. Korba, L.; Song, R.; Yee, G. and Chen, Y-C (2005). Scenarios for Privacy Rights Management using Digital Rights Management. Web.
3. Korba, L. and Kenny, S. (2002). Applying Digital Rights Management Systems to Privacy Rights Management. National Research Council Canada. Web.
4. Sasaki, Ryoichi (2005). Security and Privacy in the Age of Ubiquitous Computing: IFIP TC11 20th International Information Security Conference, Chiba, Japan. Springer Publications. Web.
5. Cavoukian, Ann (2002). Privacy and Digital Rights Management (DRM): An Oxymoron? Web.
6. Bergkamp, Lucas (2003). European Community law for the new economy. Intersentia nv.