Perennial Semantic Data Terms of Use for Decentralized Web (2403.07587v1)
Abstract: In today's digital landscape, the Web has become increasingly centralized, raising concerns about user privacy violations. Decentralized Web architectures, such as Solid, offer a promising solution by empowering users with better control over their data in their personal "Pods". However, a significant challenge remains: users must navigate numerous applications to decide which application can be trusted with access to their data Pods. This often involves reading lengthy and complex Terms of Use agreements, a process that users often find daunting or simply ignore. This compromises user autonomy and impedes detection of data misuse. We propose a novel formal description of Data Terms of Use (DToU), along with a DToU reasoner. Users and applications specify their own parts of the DToU policy with local knowledge, covering permissions, requirements, prohibitions and obligations. Automated reasoning verifies compliance, and also derives policies for output data. This constitutes a "perennial" DToU language, where the policy authoring only occurs once, and we can conduct ongoing automated checks across users, applications and activity cycles. Our solution is built on Turtle, Notation 3 and RDF Surfaces, for the language and the reasoning engine. It ensures seamless integration with other semantic tools for enhanced interoperability. We have successfully integrated this language into the Solid framework, and conducted a performance benchmark. We believe this work demonstrates the practicality of a perennial DToU language and the potential of a paradigm shift in how users interact with data and applications in a decentralized Web, offering both improved privacy and usability.