A privacy controller approach for privacy protection in web services

by George O M Yee
Proceedings of the 2007 ACM workshop on Secure web services SWS 07 (2007)


A Privacy Controller Approach for Privacy Protection in Web Services

George O.M. Yee
National Research Council Canada
1200 Montreal Road, Building M-50
Ottawa, Ontario, Canada K1A 0R6
1-613-990-4284
george.yee@nrc.ca

ABSTRACT
The growth of the Internet has been accompanied by the growth
of web services (e.g. e-commerce, e-health). This increased use of
web services has meant that more and more user personal
information is being shared with web service providers, leading to
the need to protect the privacy of web service users, as evidenced
by the enactment of privacy legislation in many jurisdictions.
Existing privacy policy approaches for privacy protection, such as
making the service provider’s privacy policy known to the user, or
the use of P3P privacy policies, are inadequate. In the former case,
the user cannot know for sure whether or not the provider will
honor its policy; in the latter case, there is no flexibility for the
user to specify her own policy for governing her own personal
information – the provider’s policy is the only one offered. This
paper proposes the use of privacy controllers together with user
privacy policies to overcome the limitations in current privacy
policy approaches. An example to illustrate the approach is also
given.
Categories and Subject Descriptors
C.2.0 [General]: Security and Protection (e.g., Firewalls)
General Terms
Security
Keywords
Privacy protection, web services, user privacy policy, privacy
controller
1. INTRODUCTION
This work considers web services to be: a) web-based services
that employ XML (eXtensible Markup Language), WSDL (Web
Service Definition Language), SOAP (Simple Object Access
Protocol), and UDDI (Universal Description, Discovery, and
Integration) in a service oriented architecture (SOA) [1], and b)
existing and previous generations of web-based applications that
involve web browsers interacting with web servers that do not
employ XML, WSDL, SOAP or UDDI.

Numerous web services targeting consumers have accompanied
the rapid growth of the Internet. Web services are available for
banking, shopping, learning, healthcare, and Government Online.
However, most of these services require a consumer’s personal
information in one form or another, leading to concerns over
privacy. Web service users are generally required to submit
personal information to web service providers. Web service
providers, on the other hand, generally receive personal
information from web service users. Over time, the quantity of
user personal information in the hands of web service providers
has accumulated to enormous proportions, leading to user
concerns over possible malicious or accidental unauthorized
divulgence of this information. In answer to this concern, various
legislative bodies have enacted privacy legislation that gives
personal information owners certain rights as to how their
personal information is to be treated by service providers.
However, a flexible, practical system for ensuring that these rights
are respected in web services is still missing. Existing privacy
policy approaches for privacy protection, such as making the
service provider’s privacy policy known to the user, or the use of
P3P privacy policies, are inadequate. In the former case, the user
cannot know for sure whether or not the provider will honor its
policy; in the latter case, there is no flexibility for the user to
specify her own policy for governing her own personal
information – the provider’s policy is the only one offered.

The objective of this paper is to present a flexible and practical
user-oriented privacy controller based system that preserves
legislated user privacy rights expressed in the form of user privacy
policies. This work addresses a web services network
environment (see Figure 1) with the following characteristics:
• Computing devices (e.g. laptops, PDAs, cell phones,
workstations) are optionally locally networked (e.g.
Ethernet, Wi-Fi, IrDA, Bluetooth) as well as globally
networked via the Internet.
• The locally networked or standalone computing devices
are owned by a human or an organization.
• Human users employ these devices to make use of web
services, to offer web services, or both. A user who
makes use of a web service shares (or sends) personal
information to a web service and is called a personal data
sharer (data sharer for short). One who offers a web
service observes (or receives) personal information and is
called a personal data observer (data observer for short).
A user who both makes use of web services and offers her
own web services is both a data sharer and a data
observer.

This paper is authored by employees of the National Research Council
Canada and is copyright by the Government of Canada. Non-exclusive
permission to copy and republish the paper is granted, provided that the
authors and the National Research Council Canada are clearly identified
as its source.
SWS’07, November 2, 2007, Fairfax, Virginia, USA.
Copyright 2007 Government of Canada.
ACM 1-59593-892-3/07/0011.

The approach proposed in this work can be applied to all types of
e-services, not just web services. For all e-services, including web
services, the approach is applied at the application level prior to
service invocation. More details on this aspect are given below in
the Implementation Notes section.
The remainder of this paper is organized as follows. Section 2
looks at privacy and the use of privacy policies. Section 3 presents
the proposed approach. Section 4 gives an example of applying
the approach. Section 5 evaluates the approach by discussing
some strengths and weaknesses. Section 6 examines related work.
Section 7 concludes the paper and lists some ideas for future
research.
2. PRIVACY POLICIES
2.1 Privacy
As defined by Goldberg et al. in 1997 [2], privacy refers to the
ability of individuals to control the collection, retention, and
distribution of information about themselves. This is the definition
of privacy used for this work. Protecting an individual’s privacy
then involves endowing the individual with the ability to control
the collection, retention, and distribution of her personal
information.
2.2 Use of Privacy Policies
In this work, giving an individual or data sharer control over her
private information is achieved as follows. The data sharer
specifies in a user privacy policy how she wants her personal
information handled by the data observer; the data observer, on
the other hand, specifies in her provider privacy policy what
personal information she requires from the data sharer and how
she plans to handle the data sharer’s information. The data
sharer’s policy has to be compatible or match the data observer’s
policy before information sharing can begin. If the policies do not
match, the data sharer can either negotiate with the data observer
to try to resolve the disagreement or choose a different data
observer. Once the sharing begins, the data observer has to
comply with her privacy policy (which is compatible with the data
sharer’s user privacy policy). Foolproof mechanisms must be in
place to ensure compliance. The matching (e.g. [3]) and
negotiation (e.g. [4]) of privacy policies, as well as foolproof
policy compliance mechanisms (e.g. [5]), are outside the scope of
this work. Yee [6] suggests data sharer / data observer privacy
policies (Figure 2) that may be used for information sharing in
ubiquitous computing environments. This work employs these
policies.
As shown in Figure 2, a privacy policy for sharing personal
information consists of a header section (shaded) followed by one
or more privacy rules, where there is one rule for each item of
personal information. Within the header, the fields have the
following meaning: Policy Use identifies the data sharing application
(e.g. medical consulting), Data Sharer / Data Observer gives the
name of the user who owns the policy, and Valid indicates the
period of time during which the policy is valid. The fields in each
privacy rule have the following meaning: Data Observer
identifies the user who wishes to observe or collect the
information, what describes the nature of the information,
purposes identifies the purposes for which the information is
being collected, retention time pinpoints the amount of time for
the data observer to keep the information, and disclose-to
identifies any parties who will receive the information from the
data observer. Yee [6] also claims that the policies in Figure 2
conform to Canadian privacy legislation, which is representative

Figure 1. Web services network environment (ISP = Internet Service
Provider, circles are computing devices). [Diagram: local networks and
local standalone nodes, each attached through an ISP to the Internet.]

Figure 2. Example data sharer / data observer privacy policies for
sharing personal information

a) Data Sharer Policy

Header
  Policy Use: Project kick-off
  Data Sharer: Alice
  Valid: unlimited

Privacy Rule
  Data Observers: John
  What: name, address, tel
  Purposes: identification
  Retention Time: unlimited
  Disclose-To: none

Privacy Rule
  Data Observers: John
  What: # years of experience
  Purposes: records
  Retention Time: 2 years
  Disclose-To: none

b) Data Observer Policy

Header
  Policy Use: Project kick-off
  Data Observer: John
  Valid: unlimited

Privacy Rule
  What: name, address, tel
  Purposes: identification
  Retention Time: unlimited
  Disclose-To: none

Privacy Rule
  What: # years of experience
  Purposes: records
  Retention Time: 1 year
  Disclose-To: none
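The policy layout of Figure 2 and the compatibility check that Section 2.2 requires before sharing begins, as an added worked example. This is not code from the paper, which defers policy matching to [3]; the matching rules implemented here (same Policy Use, every item the observer asks for must be offered to that observer, the observer's purposes and disclose-to parties must be a subset of the sharer's, and the observer's retention time must not exceed the sharer's) are an assumption made for illustration. The two Figure 2 policies are transcribed from the figure; the third policy is constructed to show a mismatch.

```python
"""Parse data sharer / data observer privacy policies in the "Field: value"
layout of Figure 2 and check whether they are compatible.

Added example, not the paper's code. The matching rules are an assumption:
the paper leaves matching to reference [3]."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

UNLIMITED = float("inf")  # "unlimited" retention compares as infinity


def parse_retention(text: str) -> float:
    """Convert a retention time such as "2 years" to days; "unlimited" -> inf."""
    t = text.strip().lower()
    if t == "unlimited":
        return UNLIMITED
    m = re.fullmatch(r"(\d+)\s*(day|week|month|year)s?", t)
    if not m:
        raise ValueError(f"unrecognised retention time: {text!r}")
    return int(m.group(1)) * {"day": 1, "week": 7, "month": 30, "year": 365}[m.group(2)]


def _split_list(value: str) -> frozenset[str]:
    """Comma-separated value -> set of lower-cased items; "none" means empty."""
    return frozenset({v.strip().lower() for v in value.split(",")} - {"none", ""})


def _fields(block: str) -> dict[str, str]:
    out = {}
    for line in block.strip().splitlines():
        key, _, value = line.partition(":")
        out[key.strip().lower()] = value.strip()
    return out


@dataclass(frozen=True)
class Rule:
    what: frozenset[str]
    purposes: frozenset[str]
    retention_days: float
    disclose_to: frozenset[str]
    data_observers: frozenset[str] = frozenset()  # only in data sharer policies


@dataclass
class Policy:
    header: dict[str, str]
    rules: list[Rule] = field(default_factory=list)


def parse_policy(text: str) -> Policy:
    """A header block followed by blank-line-separated privacy rules."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    policy = Policy(header=_fields(blocks[0]))
    for block in blocks[1:]:
        f = _fields(block)
        policy.rules.append(Rule(
            what=_split_list(f["what"]),
            purposes=_split_list(f["purposes"]),
            retention_days=parse_retention(f["retention time"]),
            disclose_to=_split_list(f["disclose-to"]),
            data_observers=_split_list(f.get("data observers", "")),
        ))
    return policy


def match(sharer: Policy, observer: Policy) -> list[str]:
    """Return conflicts between the policies; an empty list means they match.
    Assumed rules: same Policy Use; each item the observer wants is offered to
    that observer; observer purposes and disclose-to are subsets of the
    sharer's; observer retention does not exceed the sharer's."""
    conflicts = []
    if sharer.header.get("policy use") != observer.header.get("policy use"):
        conflicts.append("policy use differs")
    who = observer.header.get("data observer", "").lower()
    for orule in observer.rules:
        for item in sorted(orule.what):
            srule = next((r for r in sharer.rules
                          if item in r.what and who in r.data_observers), None)
            if srule is None:
                conflicts.append(f"{item}: not offered to {who}")
                continue
            extra = orule.purposes - srule.purposes
            if extra:
                conflicts.append(f"{item}: purposes {sorted(extra)} not permitted")
            if orule.retention_days > srule.retention_days:
                conflicts.append(f"{item}: retention exceeds sharer's limit")
            leak = orule.disclose_to - srule.disclose_to
            if leak:
                conflicts.append(f"{item}: disclosure to {sorted(leak)} not permitted")
    return conflicts


# Transcribed from Figure 2 a) and b).
SHARER_POLICY = """Policy Use: Project kick-off
Data Sharer: Alice
Valid: unlimited

Data Observers: John
What: name, address, tel
Purposes: identification
Retention Time: unlimited
Disclose-To: none

Data Observers: John
What: # years of experience
Purposes: records
Retention Time: 2 years
Disclose-To: none
"""

OBSERVER_POLICY = """Policy Use: Project kick-off
Data Observer: John
Valid: unlimited

What: name, address, tel
Purposes: identification
Retention Time: unlimited
Disclose-To: none

What: # years of experience
Purposes: records
Retention Time: 1 year
Disclose-To: none
"""

# Constructed (not from the paper): John keeps the data longer than Alice
# allows, adds a purpose, and passes the data to a third party.
GREEDY_OBSERVER_POLICY = OBSERVER_POLICY.replace(
    "Purposes: records\nRetention Time: 1 year\nDisclose-To: none",
    "Purposes: records, marketing\nRetention Time: 3 years\nDisclose-To: HR department")

if __name__ == "__main__":
    alice = parse_policy(SHARER_POLICY)
    print("Figure 2 policies:", match(alice, parse_policy(OBSERVER_POLICY)) or "match")
    print("Greedy observer:", match(alice, parse_policy(GREEDY_OBSERVER_POLICY)))
```

The check is deliberately one-directional: the observer's policy may ask for less than the sharer offers (John keeps the years-of-experience figure for 1 year where Alice would allow 2), but never more. A real matcher would also have to compare the Valid periods and canonicalise item names before comparing them.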