privacy edits

This email addresses my action item regarding privacy. Recall the requirements 
document:

AC020 enables privacy protection for the consumer of a Web service across 
multiple domains and services.
AR020.1 the WSA must enable privacy policy statements to be expressed about 
Web services.
AR020.2 advertised Web service privacy policies must be expressed in P3P 
[P3P].
AR020.3 the WSA must enable a consumer to access a Web service's advertised 
privacy policy statement.
AR020.5 the WSA must enable delegation and propagation of privacy policy.
AR020.6: Web Services must not be precluded from supporting interactions where 
one or more parties of the interaction are anonymous.

To cover these requirements, I suggest that the WSArch doc be modified in sections 
3.6.1 and 3.6.2.2 as detailed below. The changes are single-paragraph in scope and are 
delimited by [[...]], hence they only replace the previous paragraph. Additions 
are delimited by +[...]+ and they occur in place.


3.6.1 Threats to security and privacy

...
Privacy issues tend to revolve around the use of personal information, in particular 
the abuse of personal information; again, this can often be expressed in terms of 
the wrong people having access to the wrong information. We can summarize the threats 
to privacy as:


[[Privacy addresses the misuse of information supplied by the Web services requestor. 
This information is typically personal in nature - such as name, physical address, and 
financial accounts - and as such represents key identity information of a consumer or 
an organization. The scope of keeping this information private starts with the message 
interaction between the requestor and the provider, and extends through any intermediaries along 
the message path. The privacy risk continues as long as the provider retains the identity 
information of the requestor. In addition to storing directly provided information, a 
service provider or even a message intermediary can capture service usage trends about the user 
or the service requestor. Such correlated data is often sold to third parties and should be 
subject to privacy protection. We can summarize the threats to privacy as:
]]


1. Information use. An end user may have the right to know how, when, and to what extent 
their personal or sensitive information will be used by the Web services processing 
nodes. Protected usage includes the sharing of personal or sensitive information 
obtained by a processing node with any third party. These rights are often founded 
on legislation that varies on a global basis.

2. Confidentiality. Similar to the security threat above: third-party access to sensitive 
information represents a threat to the privacy of the end user. 

[[2. Confidentiality. Assurance of confidentiality during message transmission between the 
service requestor and the service receiver. This includes messages that are processed by one 
or more intermediary processors before arriving at their ultimate receiver. Privacy, in this 
context, is addressed by message confidentiality technologies, and this is one of the facets 
of Web services security. This is similar to the security threat above.
]]

Also central is that these practices should be exposed by the processing nodes prior to a 
service invocation, allowing a service requestor to factor a processing node's privacy practices 
into the decision to use a particular Web service or to follow a particular message route. Hence, 
the publishing and accessibility of a Web service processor's privacy practices will help an end 
user retain control over his personal information. This is contingent on the Web service processor's 
compliance with its published privacy practices, which is outside the scope of technology solutions.

+[Anonymity is often used to ensure privacy. Anonymity in the Web services context is a 
mechanism to ensure that the identity of a user is not disclosed during a Web service invocation. 
Hence, information supplied to the Web services provider will be free of values that can be used 
to identify the user. A Web service provider's identity-oriented fields might only receive a pseudonym. 
This is a simple form of identity management and architecturally requires an application intermediary 
that is inside the user's trust boundary. The application intermediary will relay the user request to 
the ultimate receiver after stripping out user-sensitive information and replacing any required data 
with intermediary-oriented data, including the pseudonym.
]+
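The following is an added illustration of the application intermediary described in the paragraph above; it is not part of this email or of the WSArch document. It assumes a constructed request with hypothetical element names (customerName, customerEmail, replyTo) and a hypothetical relay address, and it uses a keyed hash so the pseudonym is stable for one user but cannot be linked back to the identity without the key, which stays inside the user's trust boundary.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample request (hypothetical element names, not from the WSA document).
USER_REQUEST = """<order>
  <customerName>Alice Example</customerName>
  <customerEmail>alice@example.test</customerEmail>
  <replyTo>https://alice.example.test/callback</replyTo>
  <item>widget-42</item>
</order>"""

STRIP_FIELDS = {"customerEmail"}      # user-sensitive data removed before relaying
PSEUDONYM_FIELDS = {"customerName"}   # identity-oriented fields that receive the pseudonym
REDIRECT_FIELDS = {"replyTo"}         # required data replaced with intermediary-oriented data
INTERMEDIARY_REPLY_TO = "https://relay.example.test/inbound"  # hypothetical relay address


class AnonymizingIntermediary:
    """Relays a request to the ultimate receiver with the user's identity removed.
    The HMAC key and the pseudonym map never leave the user's trust boundary."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pseudonym_to_identity = {}

    def pseudonym_for(self, identity: str) -> str:
        # Keyed hash: the same user always gets the same pseudonym, but the provider
        # cannot recover the identity without the key.
        tag = hmac.new(self._secret, identity.encode(), hashlib.sha256).hexdigest()[:16]
        return "pseudo-" + tag

    def relay(self, request_xml: str) -> str:
        root = ET.fromstring(request_xml)
        identity = "|".join((e.text or "").strip() for e in root.iter()
                            if e.tag in PSEUDONYM_FIELDS | STRIP_FIELDS)
        pseudonym = self.pseudonym_for(identity)
        self._pseudonym_to_identity[pseudonym] = identity  # kept only at the intermediary
        for parent in list(root.iter()):
            for child in list(parent):
                if child.tag in STRIP_FIELDS:
                    parent.remove(child)
                elif child.tag in PSEUDONYM_FIELDS:
                    child.text = pseudonym
                elif child.tag in REDIRECT_FIELDS:
                    child.text = INTERMEDIARY_REPLY_TO
        return ET.tostring(root, encoding="unicode")

    def resolve(self, pseudonym: str) -> str:
        # Inside the trust boundary only, e.g. to route the provider's response back to the user.
        return self._pseudonym_to_identity[pseudonym]


def leaks_identity(outbound_xml: str, identity_values: list) -> bool:
    """Pre-forwarding check: does any identifying value survive in the relayed message?"""
    return any(value in outbound_xml for value in identity_values)
```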

3.6.2.2 Policies and privacy

+[Privacy policies apply to any and all entities that collect or collate personal information 
during Web service messaging. Privacy policies encapsulate the rules that govern the usage, 
management, and potential dissemination of collected or collated personal information. Privacy 
policies define how, when, to whom, and for how long personal information is available to the 
Web service processors.
]+

Privacy policies are typically much more of the obligatory form than access control policies. A 
policy that requires a Web service provider to properly propagate P3P tags, for example, represents 
an obligation on the provider. It is not possible to prevent a rogue Web service provider from 
leaking private information; it should be possible, however, to monitor the public actions of the 
Web service to ensure that the tags are propagated.

Received on Thursday, 23 October 2003 15:44:34 UTC