COMPLIANCE OF PRIVACY POLICIES WITH LEGAL REGULATIONS - Compliance of Privacy Policies with Canadian PIPEDA

Nolan Zhang, Peter Bodorik, Dawn Jutla

Abstract

The W3C’s Platform for Privacy Preferences (P3P) is a set of standards that provides for representation of web-sites’ privacy policies using XML so that a privacy policy can be automatically retrieved and inspected by a user’s agent. The agent can compare the site’s policy with the user’s preferences on collection and use of his/her private data. If the site’s privacy policy is incompatible with the user’s preferences, the agent informs the user on the privacy policy’s shortcomings. The P3P specification defines XML tags, schema for data, set of uses, recipients, and other disclosures for expressing web-sites’ privacy policies. It is important for the user’s agent to determine whether the site’s privacy policy actually satisfies privacy regulations that are applicable to the user’s current transaction. We show that the P3P specification is not sufficiently expressive to capture all of the legal requirements that may apply to a transaction. Consequently, to determine whether or not a site’s privacy policy satisfies the requirements of a particular law in question, the site’s privacy policy expressed in the natural language must also be retrieved and examined. To determine which legal requirements of a particular law are satisfied by the site’s P3P privacy policy, which is an XML document, we examine the document’s XML tags - a relatively straight-forward task. To determine whether legal requirements, which cannot be satisfied by using P3P XML tags, are present in the site’s privacy policy expressed in the natural language, we use standard classification algorithms. As a proof of concept, we apply our approach to the Canadian PIPEDA privacy law and show up to 88% accuracy in identifying the legal privacy clauses concerning the Safeguard principle in privacy statements.

References

  1. Ackerman, M. S., Cranor, L., 1999. Privacy Critics: UI components to safeguard users' privacy. Computer Human Interaction, 1999.
  2. Adams, A., 2000. Multimedia information changes the whole privacy ballgame, In Proceedings of the Tenth Conference on Computers, Freedom, and Privacy: Challenging the assumptions. Toronto, Canada, April 2000.
  3. Anton, A. I., Bertino, E., Li, N., Yu, T., 2004. A roadmap for comprehensive online privacy policy. Technical report, CERIAS, Purdue University, West Lafayette, CERIAS-2004-47.
  4. Backes, M., Bagga, W., Karjoth, G., Schunter, M., 2004. Efficient comparison of enterprise privacy policies. In Proceedings of the 19th ACM Symposium on Applied Computing (SAC'04), pages 375-382, Nicosia, Cyprus.
  5. Barth, A., Mitchell, J., 2005. Enterprise privacy promises and enforcement. ACM 1-58113-980-2 Pages: 58 - 66 Bellegarda, J.R., 1998. A multispan language modelling framework for large vocabulary speech recognition. In IEEE Transactions on Speech and Audio Processing, 6, 5, 456-467.
  6. Chen, H., Zhou, H., Hu, X., Yoo, I., 2004. Classification comparison of prediction of solvent accessibility from protein sequences. In Proceedings of the Second Conference on Asia-Pacific Bioinformatics, Australia, 333-338.
  7. Chellappa, R., Pavlou, P.A., 2002. Perceived information security, financial liability, and consumer trust in electronic commerce transactions. Journal of Logistics Information Management, Special Issue on Information Security.
  8. Cranor L.F., 2003. P3P: Making Privacy Policies More Useful. In IEEE Security & Privacy, NovemberDecember 2003 (Vol. 1, No. 6), pp. 50-55.
  9. Gandon, F., Sadeh, N., 2004. Semantic Web Technologies to Reconcile Privacy and Context Awareness. In Web Semantics Journal, Vol. 1, No. 3, 2004.
  10. Hogben, G., 2003. A technical analysis of problems with P3P v1.0 and possible solutions. Position paper for "Future of P3P" Workshop, Dulles, Virginia, USA.
  11. Jutla D.N., Bodorik P, Zhang Y., 2006. PeCAN: An Architecture for Privacy-aware Electronic Commerce User Contexts, Information Systems, (Elsevier), June 2006, Vol. 31, Issue 4-5, pp. 295-320.
  12. Jutla D.N., Xu L., 2004. Regulatory Privacy Agents and Ontology for the Semantic Web. In SIGABIS Minitrack, Americas Conference on Information Systems, AMCIS 2004, Special Interest Group on Agent-based Information Systems, 8 pages.
  13. Karjoth, G. and Schunter, M., 2002. A privacy policy model for enterprises. In Proceedings of the 15th IEEE Computer Security Foundations Workshop.
  14. Karjoth, G., Schunter, M., and Herreweghen, E. V., 2003. Translating privacy practices into privacy promises - how to promise what you can keep. In Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks (POLIC'03), Lake Como.
  15. Leisch, F., Jain, L.C., and Hornik, K., 1998. Crossvalidation with active pattern selection for neuralnetwork classifiers. IEEE Transactions on Neural Networks, 9, 1, 35-41.
  16. Partridge, M., Jabri, M., 2000. Robust principal component analysis. In. Proceedings of the 2000 IEEE Signal Processing Society Workshop on Neural Networks for Signal Processing, 289-298.
  17. Privacy Commissioner of Canada, 2000. Personal Information Protection and Electronic Documents Act (PIPEDA). Available from http://laws.justice.gc.ca/ en/P-8.6/text.html; accessed 20 March 2007.
  18. Porter, M. F., 1997. An algorithm for suffix stripping. In Readings in information Retrieval, K. Spark Jones and P. Willett, Eds. Morgan Kaufmann Multimedia Information And Systems Series. Morgan Kaufmann Publishers, San Francisco, CA, 313-316.
  19. Rao, J., Dimitrov, D., Hofmann, P., Sadeh, N., 2006. A Mixed Initiative Framework for Semantic Web Service Discovery and Composition. In Proceedings of the IEEE International Conference on Web Services (ICWS 2006), Sept. 2006.
  20. RDF-Group, 2007. Accessed March 30, 2007; http://www.hypergrove.com/legalrdf.org/index.html Zhang, Z., 2006. Compliance of Privacy Policies with PIPEDA. M. Comp. Sci. thesis, Dalhousie University, Halifax, Nova Scotia, Canada
Download


Paper Citation


in Harvard Style

Zhang N., Bodorik P. and Jutla D. (2007). COMPLIANCE OF PRIVACY POLICIES WITH LEGAL REGULATIONS - Compliance of Privacy Policies with Canadian PIPEDA . In Proceedings of the Second International Conference on e-Business - Volume 1: ICE-B, (ICETE 2007) ISBN 978-989-8111-11-1, pages 277-284. DOI: 10.5220/0002113202770284


in Bibtex Style

@conference{ice-b07,
author={Nolan Zhang and Peter Bodorik and Dawn Jutla},
title={COMPLIANCE OF PRIVACY POLICIES WITH LEGAL REGULATIONS - Compliance of Privacy Policies with Canadian PIPEDA},
booktitle={Proceedings of the Second International Conference on e-Business - Volume 1: ICE-B, (ICETE 2007)},
year={2007},
pages={277-284},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002113202770284},
isbn={978-989-8111-11-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Second International Conference on e-Business - Volume 1: ICE-B, (ICETE 2007)
TI - COMPLIANCE OF PRIVACY POLICIES WITH LEGAL REGULATIONS - Compliance of Privacy Policies with Canadian PIPEDA
SN - 978-989-8111-11-1
AU - Zhang N.
AU - Bodorik P.
AU - Jutla D.
PY - 2007
SP - 277
EP - 284
DO - 10.5220/0002113202770284