How to manage, negotiate, and transfer personal information on the Web.


Table of Contents

Abstract                                                                 i
Acknowledgments                                                        iii

Chapter 1: Introduction                                                  1
  1.1 Using the World Wide Web                                           1
  1.2 Personal Information and Privacy                                   2
    1.2.1 Security                                                       3
    1.2.2 Current Problems                                               4
    1.2.3 Online Transactions                                            4
  1.3 Motivation and Goals                                               5
    1.3.1 Usage Scenarios                                                6
      1.3.1.1 Seamless Transfer of Information                           6
      1.3.1.2 Negotiating Terms and Conditions of a Transaction          6
      1.3.1.3 Transaction History                                        7
  1.4 Thesis Overview                                                    8

Chapter 2: Agent Architecture                                           11
  2.1 Architectural Overview                                            11
    2.1.1 Basic Concept                                                 11
    2.1.2 Agent Context                                                 13
  2.2 Components                                                        14
    2.2.1 Protocols                                                     14
    2.2.2 P3P Module                                                    14
    2.2.3 Trust Engine                                                  15
      2.2.3.1 Evaluation and Negotiation Module                         15
      2.2.3.2 Preferences and Negotiation Knowledge Base                16
      2.2.3.3 Personal Information Storage                              17
  2.3 Current Implementation                                            18
    2.3.1 Proxy Implementation                                          18
      2.3.1.1 Web Browser Intelligence (WBI)                            19
    2.3.2 Modules                                                       20
      2.3.2.1 P3P / APPEL Implementation                                21
      2.3.2.2 Preferences, Negotiation Knowledge Base, and Personal Information 22
    2.3.3 Usage                                                         23
      2.3.3.1 P3P Test Server                                           23
      2.3.3.2 Setup                                                     23
      2.3.3.3 P3P Online Session                                        24
    2.3.4 Advantages and Limitations                                    31
  2.4 Agent Classification                                              32
    2.4.1 Agents Overview                                               32
    2.4.2 Agent Comparison                                              33

Chapter 3: Management and Transfer of Personal Information              35
  3.1 Handling of Protocols and Privacy Information                     35
    3.1.1 Hypertext Transfer Protocol (HTTP)                            35
    3.1.2 Platform for Privacy Preferences Project (P3P)                37
      3.1.2.1 Overview                                                  37
      3.1.2.2 Messages                                                  37
    3.1.3 A P3P Preference Exchange Language (APPEL)                    38
  3.2 Information Management                                            39
    3.2.1 Personal Information                                          40
      3.2.1.1 Managing New Information                                  41
    3.2.2 Transaction History                                           42
  3.3 Transfer of Information                                           43
    3.3.1 Sample P3P Transaction                                        44
    3.3.2 Generic Functional Model                                      46
      3.3.2.1 Interception of the HTTP Stream                           46
      3.3.2.2 Analysis of Intercepted Requests                          48
      3.3.2.3 Modification of HTTP Requests                             49
      3.3.2.4 Extraction of P3P Messages                                49
      3.3.2.5 Rule Evaluation and Negotiation                           50
      3.3.2.6 Informing the User                                        52
      3.3.2.7 Creating and Sending P3P Messages                         52
      3.3.2.8 Additional Comments                                       54
    3.3.3 Current Implementation (WBI)                                  54
      3.3.3.1 WBI Plugins                                               54
      3.3.3.2 The OPA's MEGs                                            56

Chapter 4: Negotiation of Personal Information                          59
  4.1 Automated Negotiation                                             59
  4.2 The Concept of Negotiating Sets of Information                    61
    4.2.1 Terminology                                                   61
      4.2.1.1 Information, Rules, Constraints, and Facts                61
      4.2.1.2 Rulesets and their Representation as Trees                63
      4.2.1.3 Rule Evaluation                                           64
      4.2.1.4 A Sample Rule Evaluation                                  65
    4.2.2 How to Find a Counter-Offer                                   66
      4.2.2.1 Metrics and Distances                                     67
      4.2.2.2 Depth-First-Search                                        69
    4.2.3 Negotiation Strategy                                          72
    4.2.4 Summary                                                       72
  4.3 Current Implementation (P3P, APPEL)                               73
    4.3.1 Conversion of APPEL Rulesets                                  74
      4.3.1.1 Rule Types and Canonical Accept-Trees                     74
      4.3.1.2 Algorithm                                                 75
      4.3.1.3 Combinations of Sets of Information                       78
    4.3.2 How to Produce a Counter Proposal                             79
      4.3.2.1 Extracting Facts from P3P Proposals                       79
      4.3.2.2 Distance Functions and Weights                            80
      4.3.2.3 Sample Negotiation                                        81

Chapter 5: Conclusion                                                   83
  5.1 Conclusion                                                        83
  5.2 Future Work                                                       85
    5.2.1 Usability of the OPA                                          85
    5.2.2 Personal Information                                          85
    5.2.3 Proxies and Secured Connections                               86
    5.2.4 Graphical User Interfaces (GUIs)                              87
    5.2.5 Negotiation                                                   87

Appendix A: Online Privacy Survey                                       89
  A.1 Survey Methodology                                                89
  A.2 Demographics                                                      89
  A.3 User's General Experience with the WWW                            90
    A.3.1 Questions and Analysis                                        90
  A.4 User's Experience with Online Transactions                        90
    A.4.1 Questions and Analysis                                        91
  A.5 Privacy Policies                                                  94
    A.5.1 Questions and Analysis                                        94
  A.6 Conclusions                                                       96
    A.6.1 Questions and Analysis                                        96

Appendix B: Platform for Privacy Preferences Project (P3P)              99
  B.1 Goals and Features                                                99
    B.1.1 Verification and Enforcement                                 100
  B.2 Technical Specification                                          100
    B.2.1 P3P Grammar                                                  101
  B.3 Sample P3P Transaction                                           105

Appendix C: A P3P Preference Exchange Language (APPEL)                 109
  C.1 Goals and Features                                               109
  C.2 Technical Specification                                          110
    C.2.1 APPEL Level 1 Grammar                                        111
      C.2.1.1 APPEL Level 1 Rule Evaluation                            111
      C.2.1.2 Sample Ruleset                                           112
    C.2.2 APPEL Level 2 Grammar                                        114
      C.2.2.1 Rule Evaluation                                          116
      C.2.2.2 Sample Ruleset                                           117

Appendix D: P3P Client Ruleset                                         119

Glossary                                                               121
Bibliography                                                           123
World Wide Web References                                              125


April 9, 1999 · Jörg Meyer · jmeyer@almaden.ibm.com