Re: privacy in OWL from Rigo Wenning on 2003-07-16 (public-webont-comments@w3.org from July 2003)

From: Rigo Wenning <rigo@w3.org>
Date: Wed, 16 Jul 2003 11:31:16 +0200
To: Jim Hendler <hendler@cs.umd.edu>
Cc: Dan Connolly <connolly@w3.org>, t-and-s@w3.org, public-webont-comments@w3.org, public-p3p-spec <public-p3p-spec@w3.org>
Message-ID: <20030716093115.GZ1359@rigo.w3.org>
Hi Jim, 

The first paragraph of my suggested wording below was designed to give
people at least a hint of what is important when designing privacy
enhanced systems. Instead of just taking a whole paragraph to describe
one special case and raise the finger saying 'potential for abuse', this
hint should be kept. I compressed it to one sentence.

Additionally talking only about 'abuse' is not strong enough.
In most member-countries of the OECD, such behaviour would be illegal
and even subject to prosecution and penal sanctions. That's why I added
a sentence. 

See the suggested text inline..

Best, 

Rigo


On Tue, Jul 15, 2003 at 10:21:52PM -0400, Jim Hendler wrote:
> Rigo-
>  thanks for your comments to WebOnt about the privacy section in our 
> Guide Document.  We have extended our discussion to integrate your 
> comments -- here is the wording from the Editor's Draft of the Guide 
> document (similar wording in the Editor's Draft of the Reference).
>   Please let us know if this satsifies your comment
>    thanks
>     Jim Hendler for WebOnt
> 
> 2.3 Data Aggregation and Privacy OWL's ability to express ontological 
> information about instances appearing in multiple documents supports 
> linking of data from diverse sources in a principled way. The 
> underlying semantics provides support for inferences over this data 
> that may yield unexpected results. In particular, the ability to 
> express equivalences using owl:sameAs can be used to state that 
> seemingly different individuals are actually the same. 
> Owl:InverseFunctionalProperty can also be used to link individuals 
> together. For example, if a property such as "SocialSecurityNumber" 
> is an owl:InverseFunctionalProperty, then two separate individuals 
> could be inferred to be identical based on having the same value of 
> that property. When individuals are determined to be the same by such 
> means, information about them from different sources can be merged. 
> This aggregation can be used to determine facts that are not directly 
> represented in any one source. The ability of the Semantic Web to 
> link information from multiple sources is a desirable and powerful 
> feature that can be used in many applications. However, the 
> capability to merge data from multiple sources, combined with the 
> inferential power of OWL, does have potential for abuse. 

It might be  illegal to create or process such linked information in
countries with data protection laws, especially in the EU, without
having a valid legal reason for the processing. Therefor it is
recommended to avoid generating a complete transparency of a natural 
person by accident of privacy unaware design. 

> Users of OWL should be alert to the potential privacy implications.
> Detailed security solutions were considered out of scope for the
> Workng Group.  Work currently underway is expected to address these
> issues with a variety of security and preference solutions. See for
> example SAML and P3P.
> 
> 
> 
> At 3:44 PM +0200 5/6/03, Rigo Wenning wrote:
> >On Thu, May 01, 2003 at 09:53:12AM -0500, Dan Connolly wrote:
> >> If you have any comments on it, please send them
> >> to public-webont-comments@w3.org
> >
> >
> >Comment on Privacy in Web-ont
> >
> >It is honorable, that the Webont Working Group thought about
> >including something about Privacy into their guide.
> >
> ><for the impatient>
> >As usual in privacy, nearly everybody is aware of potential
> >privacy issues or has some kind of bad conciousness about it.
> >In the absence of real solutions, this bad consciousness is
> >discharged by some rather general privacy warning. The result is
> >that implementers of OWL will share bad consciousness, but lack a
> >solution.
> >
> >The good news is, that there might be some remedy. The remedy
> >lies in OWL itself, as the approach is mainly based on metadata.
> >The P3P Specification WG has thought about integrating the P3P
> >semantics into the Semantic Web. For this reason -in cooperation
> >with the RDF IG- a RDF-Schema representing P3P was developed[1]. It
> >might be good to reference this schema and verify, whether it is
> >importable into OWL (or what is missing/has to be changed, 
> >to make it importable). This way, OWL-Ontologies treating persons
> >would be able to also include those persons' preferences. This
> >way, the inference engine can respect those preferences (or
> >policies attached to an individual).
> >
> >In the future, we might want to use the preference-language
> >APPEL[2] but I'm actually not able to determine if it would
> >better fit into OWL.
> ></for the impatient>
> >
> >I would suggest the following text. You can still change it as
> >you like:
> >
> >OWL's ability to express ontological information about
> >individuals -even appearing in multiple documents-, it's
> >support for linking of data about individuals from diverse
> >sources in a principled way may raise privacy issues.
> >Privacy, by it's definition, protects individuals. Only if
> >dealing with natural persons, one must be aware of the privacy
> >implications. Goal is to protect against the disclosure of
> >sensitive personal data but also against the creation of profiles
> >making the individual and it's personality completly transparent
> >to others. If we talk about privacy, we want to the opaqueness of
> >someones personality and intimacy to the outside world. This can
> >be overturned by the individual's will to disclose information.
> >As a consequence, there is a need for the individuals kept in an
> >ontology to be able to express their preferences. This can be
> >done using the RDF-syntax for P3P [link] or APPEL [link].
> >
> >In particular, the ability to express equivalences using
> >owl:sameIndividualAs can be used to state that seemingly
> >different individuals are actually the same.
> >Owl:InverseFunctionalProperty can also be used to link
> >individuals together. For example, if a property such as
> >"SocialSecurityNumber" is an owl:InverseFunctionalProperty, then
> >two separate individuals could be inferred to be identical based
> >on having the same value of that property. When individuals are
> >determined to be the same by such means, information about them
> >from different sources can be merged. This aggregation can be
> >used to determine facts that are not directly represented in any
> >one source.
> >
> >The ability of the Semantic Web to link information from multiple
> >sources is a desirable and powerful feature that can be used in
> >many applications. However, the capability to merge data from
> >multiple sources, combined with the inferential power of OWL,
> >does have potential for abuse. Users of OWL should be alert to
> >the potential privacy implications.
> >
> >
> >
> >  1. http://www.w3.org/TR/p3p-rdfschema/
> >  2. http://www.w3.org/TR/P3P-preferences/
> >
> >Best,
> >
> >--
> >Rigo Wenning            W3C/ERCIM
> >Policy Analyst          Privacy Activity Lead
> >mail:rigo@w3.org        2004, Routes des Lucioles
> >http://www.w3.org/      F-06902 Sophia Antipolis
> 
> -- 
> Professor James Hendler				  hendler@cs.umd.edu
> Director, Semantic Web and Agent Technologies	  301-405-2696
> Maryland Information and Network Dynamics Lab.	  301-405-6707 (Fax)
> Univ of Maryland, College Park, MD 20742	  *** 240-277-3388 (Cell)
> http://www.cs.umd.edu/users/hendler      *** NOTE CHANGED CELL NUMBER ***
Received on Wednesday, 16 July 2003 05:33:56 UTC