A Citizen Privacy Protection Model for E-Government Mashup Services The Proceedings of the 9th Annual International Digital Government Research Conference Speaker:房欣漢 指導教授:陳志達 1 Abstract As a primary source of citizen data, the government has the obligation not only to make public data available for citizen access as stated in the Freedom of Information Act, but also to protect the privacy of individual citizen’s records as stated in the Privacy Act. 2 Abstract (cont.) In this paper, we provide a Privacy Protection Model for Mashup Applications, using a mashup related multi-dimensional privacy protection space which includes parameters to specify mashup providers, mashupspecific operators, and mashup purposes. 3 Abstract (cont.) A personal privacy policy network is a distributed architecture where citizens can publish their individual privacy policies that can be applied to the use of their data and consulted by data providers including government agencies. 4 Introduction Mashups are new content created by blending or mashing of data from two or more sources using Web services available on the Internet. Mashups have extended the utility of data, allowing enormous variations. 5 Introduction (cont.) Most current mash-ups combine results from one or more databases with a map service. Mashups are easy to develop by the end users without heavy duty programming. These mashups can, in turn, be used by other content providing services through APIs. 6 Introduction (cont.) 7 Introduction (cont.) Our main concern is the right of individuals to control information about themselves and how it is used. Besides privacy, a government entity needs to be concerned with integrity not only of their data but also of other data sources. This paper provides an approach for privacyprotecting e-government mashups based on finegrained access to government sourced data based on what the content type is, who the recipient is, and what the recipient’s intended use of the data is. 8 E-GOVERNMENT MASH-UP PRIVACY PROTECTION MODEL An E-government mashup service is defined as a Web service or application that combines data from multiple sources including at least one government agency data source to create a single integrated content. 9 E-GOVERNMENT MASH-UP PRIVACY PROTECTION MODEL (cont.) Data content providers could choose not to release data for use in mashup services when the purpose is not acceptable to the individuals whose privacy is being protected. 10 Mashup Privacy Protection Spaces Individual privacy protection may be based on five aspects of the data and mashup service: Data Types (DT), Linking Parameters (LP), Operations (OP), Provider Type (PT) and Mashup Purpose (MP). A privacy protection space is formed by combining specific values specified for these five parameters. 11 Mashup Privacy Protection Spaces(cont.) When a parameter is specified with a “+” sign, it means that only the values listed are covered by the protection space. When a parameter is specified with a “–” sign, it means that all values other than those listed are covered by the protection space. 12 Data Types The data types, DT , describe the individual personal data items that should be protected. A DT to be protected for privacy is specified with a tuple (E, URI, Sign) where E represents the protected element, URI denotes the optional resource URIs where the definition of E can be located, and Sign to show the inclusion in the protection space. 13 Data Types (cont.) For example, the protected information is the name of the person specified in the RDF schema DT=(foaf:name [rdf:resource=“http://xmlns. com/foaf/0.1/#term name”] sign=“+”). 14 Linking Parameters The main purpose of including LP in the protection space is to ensure the integrity of the combination of data linked from different sources. 15 Linking Parameters (cont.) For example, if a person has a very common name such as “Lee”, they might be concerned if their name were used as the key to link data from different sources. The results might include data that is not really associated with them. Therefore, they might want to prevent any mashups created from data linked on the basis of a last name. Thus, they would set up a protection space where LP=(foaf:name [rdf:resource=“http://xmlns.com/ foaf/0.1/#term surname”] sign=“-”). 16 Operations Mashup operations, OP , are those that the mashup providers may perform on a set of data types linked from multiple sources. 17 Provider Type Provider Type (PT) is a tricky aspect to define for protection spaces. It is included as a proxy for “trust” in the provider to use the data only for stated purposes. 18 Personal Privacy Policy (PPP) Network The PPP network will serve as publish and pull infrastructure for personal privacy policies, that the government as a data provider should use in releasing the citizens’ personal data based on the privacy sensitivity level set by the citizens. 19 Personal Privacy Policy (PPP) Network (cont.) The PPP network will allow citizens to have more control over their own private data, through direct participation in protecting the private data. 20 ARCHITECTURE AND IMPLEMENTATION The secure mashup architecture as shown in Fig. 2 implements the proposed privacy model for mashup Web applications. The architecture needs to support two basic functions. 21 ARCHITECTURE AND IMPLEMENTATION (cont.) The first is an interactive data access process that ensures data is not released in conflict with privacy policies of both the government agency and the individual associated with the data. The second is an off-line management process that helps to ensure that data access is provided as efficiently as possible. 22 23 CONCLUSIONS Our model provides fine grained access to anyone whose mashup purpose is of an approved type. In addition, the content from data subjects is considered through personal privacy policies and the compliance with the government agency’s regulatory privacy policies is considered as well. 24