|
 ABSTRACT
Today organizations do not have good ways of linking their written privacy policies with the implementation of those policies. To assist organizations in addressing this issue, our human-centered research has focused on understanding organizational privacy management needs, and, based on those needs, creating a usable and effective policy workbench called SPARCLE. SPARCLE will enable organizational users to enter policies in natural language, parse the policies to identify policy elements and then generate a machine readable (XML) version of the policy. In the future, SPARCLE will then enable mapping of policies to the organization's configuration and provide audit and compliance tools to ensure that the policy implementation operates as intended. In this paper, we present the strategies employed in the design and implementation of the natural language parsing capabilities that are part of the functional version of the SPARCLE authoring utility. We have created a set of grammars which execute on a shallow parser that are designed to identify the rule elements in privacy policy rules. We present empirical usability evaluation data from target organizational users of the SPARCLE system and highlight the parsing accuracy of the system with the organizations' privacy policies. The successful implementation of the parsing capabilities is an important step towards our goal of providing a usable and effective method for organizations to link the natural language version of privacy policies to their implementation, and subsequent verification through compliance auditing of the enforcement logs.
REFERENCES
Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.
| |
1
|
Ackerman, M., & Mainwaring, S. (2005). Privacy issues in human-computer interaction. In L. Cranor & S. Garfinkel (Eds.) Security and Usability: Designing Secure Systems That People Can Use, Sebastopol, CA: O'Reilly, 381--400.
|
| |
2
|
|
| |
3
|
|
| |
4
|
Agrawal, R., Kiernan, J., Srikant, R., and Xu, Y. (2003). Implementing P3P Using Database Technology. Proceedings of the 19th International Conference on Data Engineering, Bangalore, India.
|
| |
5
|
Ashley, P., Hada, S., Karjoth, G., Powers, C., and Schunter, M. (2003). Enterprise Privacy Architecture Language (EPAL 1.2). W3C Member Submission. http://www.w3.org/Submission/EPAL/
|
| |
6
|
Bohrer, K., Levy, S., Liu, X., and Schonberg, E. (2003). Individual Privacy Policy Based Access Control. In Proceedings of the 6th International Conference on Electronic Commerce Research (ICECR-6).
|
 |
7
|
Carolyn Brodie , Clare-Marie Karat , John Karat , Jinjuan Feng, Usable security and privacy: a case study of developing privacy management tools, Proceedings of the 2005 symposium on Usable privacy and security, p.35-43, July 06-08, 2005, Pittsburgh, Pennsylvania
[doi> 10.1145/1073001.1073005]
|
| |
8
|
CRA Conference on "Grand Research Challenges in Information Security and Assurance". http://www.cra.org/Activities/grand.challenges/security/. November 16-19, 2003.
|
| |
9
|
|
| |
10
|
Cranor, L. (2005). Privacy policies and privacy preferences. In L. Cranor & S. Garfinkel (Eds.) Security and Usability: Designing Secure Systems That People Can Use, Sebastopol, CA: O'Reilly, 447--472.
|
| |
11
|
IBM Research UIMA(2005) http://www.research.ibm.com/UIMA/
|
| |
12
|
IBM Tivoli Privacy Manager for eBusiness (2004). http://www-306.ibm.com/software/tivoli/products/privacy-mgr-e-bus/.
|
| |
13
|
Clare-Marie Karat , John Karat , Carolyn Brodie , Jinjuan Feng, Evaluating interfaces for privacy policy rule authoring, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada
[doi> 10.1145/1124772.1124787]
|
| |
14
|
|
| |
15
|
|
| |
16
|
|
| |
17
|
Microsoft Internet Explorer (2004). Help Safeguard your privacy on the web. http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
|
| |
18
|
|
| |
19
|
OASIS (2005). eXtensible Access Control Markup Language Version 2.0. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-specos.pdf.
|
| |
20
|
OASIS (2005). Privacy Policy Profile of XACML v2.0. http://docs.oasis-open.org/xacml/2.0/PRIVACY-PROFILE/access_control-xacml-2.0-privacy_profile-specos.pdf.
|
| |
21
|
Ponemon Institute and IAPP, (2004). 2003 Benchmark Study of Corporate Privacy Practices.
|
| |
22
|
|
| |
23
|
Whitten, A. and Tygar J. D. (1999) Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of the 9th USENIX Security Symposium, August, 1999.
|
| |
24
|
W3C (2002) A P3P Preference Exchange Language 1.0 (APPEL 1.0). http://www.w3.org/TR/P3P-preferences/
|
CITED BY 5
|
|
|
|
|
Kami Vaniea , Clare-Marie Karat , Joshua B. Gross , John Karat , Carolyn Brodie, Evaluating assistance of natural language policy authoring, Proceedings of the 4th symposium on Usable privacy and security, July 23-25, 2008, Pittsburgh, Pennsylvania
|
|
|
|
|
|
|
|
|
|
INDEX TERMS
Primary Classification:
H.
Information Systems
H.5
INFORMATION INTERFACES AND PRESENTATION (I.7)
H.5.2
User Interfaces (D.2.2, H.1.2, I.3.6)
Additional Classification:
K.
Computing Milieux
K.4
COMPUTERS AND SOCIETY
K.4.1
Public Policy Issues
General Terms:
Design,
Human Factors,
Management,
Security
Keywords:
design,
policy,
privacy,
security,
social and legal issues,
usability
|
Adobe Acrobat
QuickTime
Windows Media Player
Real Player
Pdf