FROM CREATIVE COMMONS TO SMART NOTICES - Designing User Centric Consent Management Systems for the Cloud

Siani Pearson, Prodromos Tsiavos

2012

Abstract

As cloud computing is evolving towards an ecosystem of service provision, in order for end users and customers to retain choice and control, they need to be able to select services, specify their preferences and have these reflected within the contractual framework, ideally enforced via a combination of legal and technical means. This paper presents an approach that builds upon successful methods from initiatives such as Creative Commons in order to improve the process of providing consent for usage of a data subject’s personal data, and for achieving an appropriate balance between complexity and simplicity. This approach enhances the notices provided by service providers to advocate Smart Notices that provide a simple and transparent way of expressing the terms of service and the options available to the data subject before they share personal information with cloud service providers.

References

  1. Agrawal, R., Kiernan, J., Srikant, R., Xu, Y., 2005. Xpref: a preference language for P3P. Computer Networks, 48(5), pp. 809-827.
  2. Alhamad, M., Dillon, T., Chang, E., 2011. A Survey on SLA and Performance Measurement in Cloud Computing. In: OTM 2011, Part II, LNCS 7045, Springer-Verlag, pp. 469-477.
  3. Andersson, C., Camenisch, J., Crane, S., Fischer-Hubner, S., Leenes, R., Pearson, S., Pettersson, J., Sommer, D., 2005. Trust in prime. In Signal Processing and Information Technology, pp. 552-559, IEEE.
  4. Ardagna, C., Vimercati, S., Samarati, P., 2006. Enhancing user privacy through data handling policies. In: DAS, volume 4127, LNCS, pp. 224-236.
  5. Ardagna, C. et al., 2009. PrimeLife Policy Language, ACAS, W3C, http://www.w3.org/2009/policy-ws/
  6. Article 29 Working Party, 2004. Opinion 10/2004 on more harmonised information provisions. 11987/04/EN, WP 100, http://ec.europa.eu/justice/policies/privacu/docs/ wpdocs/2004/wp100\_en.pdf
  7. Becker, M.Y., Malkis, A., Bussard, L., 2009. A Framework for Privacy Preferences and DataHandling Policies, MSR-TR-2009-128 http://research. microsoft.com/apps/pubs/default.aspx?id=102614
  8. Bergmann, M., Rost, M., Pettersson, J.S., 2006. Exploring the feasibility of a spatial user interface paradigm for privacy-enhancing technology. In: Bridging the Gap between Academia and Industry, pp. 437-448.
  9. Bing, J., 2004. Copymarks: A suggestion for simple management for copyrighted material. In: International Review of Law, Computers & Technology. 18(3), pp. 347-374.
  10. Breaux, T. & Antón, A., 2008. Analysing Regulatory Rules for Privacy and Security Requirements. IEEE Transactions on Software Engineering, 34(1), pp. 5- 20.
  11. Bussard, L. Becker, M.Y., 2009. Can access control be extended to deal with data handling in privacy scenarios? ACAS, W3C http://www.w3.org/2009/ policy-ws/
  12. Camenisch, J., Leenes, R., Sommer, D. (eds.), 2011. Digital Privacy: PRIME - Privacy and Identity Management for Europe, LNCS 6545, Springer.
  13. Camenisch, J., Fischer-Hübner, S., Rannenberg, K. (eds.), 2011. Privacy and Identity Management for Life, Springer.
  14. Cranor, L., 2002. Web Privacy with P3P. O'Reilly & Associates.
  15. Cranor, L.F., Guduru, P., Arjula, M., 2006. User interfaces for privacy agents. ACM Trans. Comput.-Hum. Interact., 13(2), pp. 135-178.
  16. Creative Commons, 2012. http://creativecommons.org/
  17. Creative Commons (CC), 2012b. http:// creativecommons.org/choose/
  18. Creative Commons (CC), 2012c. http:// wiki.creativecommons.org/CC_REL
  19. Creative Commons (CC), 2012d. http:// creativecommons.org/licenses/by/3.0/
  20. Creative Commons (CC), 2012e. http:// creativecommons.org/licenses/by/3.0/legalcode
  21. Damianou, N., Dulay, N., Lupu, E., Sloman, M., 2001. The Ponder Policy Specification Language http:// wwwdse.doc.ic.ac.uk/research/policies/index.shtml
  22. Elahi, T.E., Pearson, S., 2007. Privacy assurance: Bridging the gap between preference and practice. In: TrustBus, pp. 65-74.
  23. Electronic Frontier Foundation (EFF), 2012. TOSBack: The Terms of Service Tracker, http:// www.tosback.org/ timeline.php
  24. EnCoRe project, 2012. www.encore-project.info
  25. Gellman, R., 2009. Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing, World Privacy Forum, www.worldprivacyforum.org/pdf/ WPF_Cloud_Privacy_Report.pdf
  26. Hawkey, K., Inkpen, K. Examining the content and privacy of web browsing incidental information. In WWW 7806, pp. 123-132, New York, NY, USA.
  27. Holtz, L.E., Zwingelberg, H., Hansen, M., 2011. Privacy Policy Icons. In: Privacy and Identity Management for Life, Camenisch, J., Fischer-Hübner, S., Rannenberg, K. (eds.), Springer, pp. 279-285.
  28. Holtz, L.E., Schallaböck, 2011. Legal Policy Mechanisms. In: Privacy and Identity Management for Life, Camenisch, J., Fischer-Hübner, S., Rannenberg, K. (eds.), Springer, pp. 343-354.
  29. IBM, 2004. The Enterprise Privacy Authorization Language (EPAL), EPAL specification, v1.2, http:// www.zurich.ibm.com/security/enterprise-privacy/epal/
  30. IBM, 2006. REALM project, http://www.zurich.ibm.com/ security/publications/2006/REALM-at-IRIS2006-2006 0217.pdf
  31. IBM, 2007. Sparcle project, http://domino.research. ibm.com/comm/research_projects.nsf/pages/sparcle.in dex.html
  32. Iachello, G., Hong, J. End-User Privacy in HumanComputer Interaction. Now Publishers Inc., Hanover, MA, USA, 2007.
  33. Irwin, K., Yu, T., 2005. Determining user privacy preferences by asking the right questions: an automated approach. In WPES 7805: Proceedings of the 2005 ACM workshop on Privacy in the electronic society, pp. 47-50, New York, NY, USA, ACM.
  34. Jaatun, M.G., T?ndel, I.A., Bernsmed, K., Nyre, A.A., 2012. Privacy Enhancing Technologies for Information Control. In: Privacy Protection Measures and Technologies in Business Organisations, G. Yee (ed.), pp. 1-31, IGI Global.
  35. Kelley, P.G., Bresee, J., Cranor, L.F., Reeder, R.W., 2009. A “nutrition label” for privacy. In: SOUPS 7809: Proceedings of the 5th Symposium on Usable Privacy and Security, pp. 1-12, New York, NY, USA.
  36. Kenny, S., Borking, J., 2002. The Value of Privacy Engineering. Journal of Information, Law and Technology (JILT), 1. http://elj.warwick.ac.uk/jilt/02-/ kenny.html.
  37. Kobsa, A., 2003. A component architecture for dynamically managing privacy constraints in personalized web-based systems. In Privacy Enhancing Technologies, Third International Workshop, PET 2003, Dresden, Germany, March 26- 28, 2003, Revised Papers, LNCS 2760, Springer, pp. 177-188.
  38. Mowbray, M., 2009. The Fog over the Grimpen Mire: Cloud Computing and the Law. SCRIPT-ed J Law Technol Soc, 6(1), pp. 132-146.
  39. OASIS, 2012. XACML, http://www.oasis-open.org/ committees/tc_home.php?wg_abbrev=xacml
  40. Organisation for Economic Co-operation and Development (OECD), 1980. Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data, OECD, Geneva.
  41. Papanikolaou, N., Creese, S., Goldsmith, M., Casassa Mont, M., Pearson, S., 2010. ENCORE: Towards a holistic approach to privacy, Proc. SECRYPT.
  42. Papanikalaou, N., Pearson, S., Casassa Mont, M., 2011. Towards Natural-Language Understanding and Automated Enforcement of Privacy Rules and Regulations in the Cloud: Survey and Bibliography. Secure and Trust Computing, Data Management and Applications, Communications in Computer and Information Science, 187, Springer, pp. 166-173.
  43. Patrick, A.S., Kenny, S., 2003. From privacy legislation to interface design: Implementing information privacy in human-computer interactions. In Privacy Enhancing Technologies, LNCS 2760, Springer, pp. 107-124.
  44. Parsons, C., 2010. APIs, End-Users, and the Privacy Commons, http://www.christopher-parsons.com/blog/ privacy/apis-end-users-and-the-privacy-commons/
  45. Pearson, S., 2011. Privacy Models and Languages: Assurance Checking Policies. Digital Privacy, ed. J. Camenisch, D. Sommer and R. Leenes, LNCS 6545, Springer, pp. 363-375.
  46. Pearson, S., Casassa Mont, M., Chen, L., Reed, A., 2011. End-to-End Policy-Based Encryption and Management of Data in the Cloud. In: Proc. CloudCom 2011, IEEE.
  47. Pearson, S., Casassa Mont, M., 2011. Sticky Policies: An Approach for Privacy Management across Multiple Parties, IEEE Computer, 44(9), IEEE, pp. 60-68.
  48. Pearson, S., 2010. Addressing Complexity in a Privacy Expert System. In: E. Hüllermeier, R. Kruse, and F. Hoffmann (Eds.), Proc. IPMU 2010, Part II, CCIS 81, Springer, pp. 612-621.
  49. Pettersson, J.S., et al, 2005. Making PRIME Usable. In SOUPS 7805, New York, pp. 53-64.
  50. Privacy Commons, 2012. Privacy Commons Incubator, http://groups.google.com/group/privacy-commons-in cubator/browse_thread/thread/28c56ad776f37cb2?hl= en
  51. Rundle, M., 2006. International data protection and digital identity management tools. Presentation at IGF 2006, Privacy Workshop 1, Athens.
  52. Schunter, M., Waidner, M., 2003.Platform for Enterprise Privacy Practices, PET, LNCS 2482.
  53. Spiekermann, S., Cranor, L., 2009. Engineering Privacy. IEEE Transactions on Software Engineering, 35(1), January/February.
  54. Stanford University, 2012. WhatApp project. https:// whatapp.org/about
Download


Paper Citation


in Harvard Style

Pearson S. and Tsiavos P. (2012). FROM CREATIVE COMMONS TO SMART NOTICES - Designing User Centric Consent Management Systems for the Cloud . In Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CloudSecGov, (CLOSER 2012) ISBN 978-989-8565-05-1, pages 647-660. DOI: 10.5220/0003979206470660


in Bibtex Style

@conference{cloudsecgov12,
author={Siani Pearson and Prodromos Tsiavos},
title={FROM CREATIVE COMMONS TO SMART NOTICES - Designing User Centric Consent Management Systems for the Cloud},
booktitle={Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CloudSecGov, (CLOSER 2012)},
year={2012},
pages={647-660},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003979206470660},
isbn={978-989-8565-05-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Cloud Computing and Services Science - Volume 1: CloudSecGov, (CLOSER 2012)
TI - FROM CREATIVE COMMONS TO SMART NOTICES - Designing User Centric Consent Management Systems for the Cloud
SN - 978-989-8565-05-1
AU - Pearson S.
AU - Tsiavos P.
PY - 2012
SP - 647
EP - 660
DO - 10.5220/0003979206470660