KAPUER: A Decision Support System for Privacy Policies Specification
Ann. Data. Sci. (2014) 1(3–4):369–391
DOI 10.1007/s40745-014-0027-3
Arnaud Oglaza · Pascale Zarate · Romain Laborde
Received: 1 November 2014 / Revised: 20 November 2014 / Accepted: 10 December 2014 / Published online: 8 February 2015
© Springer-Verlag Berlin Heidelberg 2015
Abstract
We are using more and more devices connected to the Internet. Our smartphones, tablets and now everyday items can share data to make our life easier. Sharing data may harm our privacy, and there is a need to control it. However, this task is complex, especially for non-technical users. To facilitate this task, we present a decision support system, named KAPUER, that proposes high-level authorization policies by learning users’ privacy preferences. KAPUER has been integrated into XACML and three learning algorithms have been evaluated.
Keywords Decision support · Access control · Privacy
A. Oglaza (B) · P. Zarate · R. Laborde
Institut de Recherche en Informatique de Toulouse (IRIT), Universite Paul Sabatier,
118 Route de Narbonne, 31062 Toulouse Cedex 9, France
1 Introduction
Nowadays, our relation with computers is no longer limited to the use of a personal computer that accesses the Internet through a wired connection. A study by GFK/Mediametrie published in November 2013 [1] shows that the number of households equipped with more than one device (personal computer + smartphone + tablet) has more than doubled and reached 4.7 million households in France. In addition, smartphones and tablets now have enough processing and storage capacity to host many applications. For example, French people have an average of 32 applications installed on their Android smartphones according to a survey made by Google in 2013 (see footnote 1). This number grows to 40 in countries like Korea or Switzerland. Furthermore, the number of devices connected to networks is going to increase with the Internet of Things. Various studies show that there are between 15 and 20 billion “things” connected to the Internet and this number is expected to reach between 50 and 80 billion in 2020 [2,3]. All these connected things and applications can process and share data related to their owners. Thus, every owner of these things will have to control them to protect their privacy.
It is now a priority to provide people with tools allowing them to understand privacy issues and the complexity of protecting their personal data. Various initiatives have emerged from this perspective [4]. Some works have proposed to help people understand the risks attached to the disclosure of data through serious games like 2025 ex-machina [5]. The Platform for Privacy Preferences project [6] has standardized website privacy policies to allow people to understand how websites process their data. These policies are then evaluated against user preferences by an ad hoc mechanism. The same objective is pursued by Kelley et al. [7]. They noticed that people understand the nutrition labels found on food packages, so they proposed a similar solution to display privacy policies. Inglesant et al. [8] have presented a constrained natural language to ease the understanding of authorization policies. Stiepen et al. [9] worked on a non-technical notation to facilitate the understanding of XACML authorization policies. All these works are important to help people understand the risks they face and to make technical documents like privacy policies or authorization policies understandable to everyone. However, few works focus on helping people design and write authorization policies to protect their privacy.
A first approach to assist in the design and writing of authorization policies consists in a graphical interface where users can modify their authorization rules. An example of this approach is Privacy Guard Manager, a component of an alternative Android distribution called CyanogenMod [10]. This interface provides a dashboard with all information about the permissions given to each application. It allows users to set granted and denied permissions for each application. The benefits of this approach are (1) the use of the graphical interface doesn’t require any technical skills to define the authorization policies and (2) the possibility to manage permissions at a fine-grained level. But this approach is grappling with the issue of scalability. Indeed, Privacy Guard Manager can only express low-level rules. To quantify this problem, we have analyzed the average number of permissions to handle on an Android smartphone. Given that there are an average of 32 applications on an Android smartphone owned by French people and an application requests an average of 11.4 permissions, of which 5.72 have an impact on privacy (we obtained these values by analyzing the permissions of the 50 most downloaded free applications in the Android market), a user has to manage 364 permissions, of which 183 have an impact on his privacy.
This problem of scalability has already been studied in various research works on access control models. Indeed, administrators have already faced this problem. For example, the RBAC model [11] eases the management of permissions by grouping them depending on the role that users have in an organization. The abstraction of roles limits the number of rules. Other notions and abstractions have been introduced in access control models to facilitate the definition and management of authorization policies, especially for privacy, like the concept of purpose [12], sensitivity of a resource [13], trust [14], accuracy or consent [15]. These access control models offer the possibility to write high-level rules that are suited to complex environments. However, manipulating these abstractions is a complex task that requires an analysis step before writing authorization rules. As a consequence, it isn’t possible for non-technical users to write policies according to these models. Furthermore, defining a generic user interface for easily writing policies with abstract notions is a difficult task [16]. How to avoid beginner mode (simple but limited) versus expert mode (complete but complex)?
1 http://think.withgoogle.com/mobileplanet/fr/.
Based on this observation, we present a new approach that allows a non-technical user to write high-level policies while limiting the required cognitive load (i.e. design phase and interface specification). Our proposition is a system named KAPUER (KAPUER is an Assistant for Protection of Users pErsonal infoRmation) that uses techniques from decision support to help users write abstract authorization rules. KAPUER analyzes the low-level permissions granted by a user to learn his privacy preferences and proposes to him high-level rules corresponding to these preferences. The user can (1) accept a proposed rule that will be i (...truncated)