Towards End-to-End Privacy Control in the Outsourcing of Marketing Activities: A Web Service Integration

Patrick C. K. Hung, Dickson K.W. Chiu, W.W. Fung, William K. Cheung, Raymond Wong, Samuel P.M. Choi, Eleanna Kafeza, James Kwok, Jousha C.C. Pun, Vivying S.Y. Cheng

Agenda

1. Introduction
2. Background Information
3. Towards End-to-End Privacy Control
4. Conclusions and Future Works

Introduction

Marketing is a strategy for selling products more efficiently. This includes sales promotion strategies for making consumers recognize a product’s existence and persuading them to take purchase actions, circulation strategies for efficiently delivering the desired product, and continuation strategies such as after-sales service and claim processing.

Outsourcing of marketing activities has been widely adopted and raises the concern of privacy issues.

Introduction (cont.)

Consider a scenario where a bank performs a marketing campaign by calling its credit card holders.

Due to resource problems or other economic reasons, the bank would like to outsource the calling activity to a third-party service provider.

Usually, to make tele-marketing effective, personal information including the name, credit card number, gender, age group, salary range, and even addresses might be needed for the marketing activity.

Introduction (cont.)

Under current practices, all the necessary credit card holders’ data are transferred in bulk from the bank to the marketing company. This inevitably contains a large amount of personal information.

Therefore, we have conducted a case study in the outsourcing of tele-marketing activities in a financial institute.

Background Information

W3C Definition of a Web Service
– has a unique Uniform Resource Identifier (URI)
– can be defined, described, and discovered using XML
– supports exchange of XML messages via Internet-based protocols

Supported by all major computing companies, e.g., IBM, Microsoft, Sun, etc.

Background Information (cont.)

Web services are based on a set of XML standards:
– WSDL, SOAP, UDDI
– Emerging standards, e.g., BPEL4WS, WS-Security

[Figure labels: Web Services, XML Messages/HTTP Binding, Web Server, Web Services Clients]

Background Information (cont.)

Privacy is a state or condition of limited access to a person.

Ref: SCHOEMAN, E. D. 1984. Philosophical Dimensions of Privacy: An Anthology. New York, NY, Cambridge Univ. Press.

Information privacy relates to an individual’s right to determine how, when, and to what extent information about the self will be released to another person or to an organization.

Background Information (cont.)

[Figure labels: Request, Permission, Purpose, Recipient, Obligation, Retention, Access Control, Role Based Access Control, Input, Output]

Background Information (cont.)

The Enterprise Privacy Authorization Language (EPAL) is used to encode an enterprise’s privacy-related data-handling policies and practices.

An EPAL policy defines lists of hierarchies of data-categories, data-users, and purposes, and sets of actions, obligations, and conditions.

Online: www.zurich.ibm.com/security/enterprise-privacy/

Towards End-to-End Privacy Control

[Figure: A Layered Framework for Tackling Privacy Protection. Labels listed with Financial Enterprise: Contracts and Laws, Audit, Application, Privacy Access Control Rules, Ontology, Web Services, Secured transport. Labels listed between the two parties: Standards / Code of Practice, Monitoring, EPAL, OWL / DAML, WSDL, Internet, SSL and PKI. Labels listed with Outsource Service Provider: Contracts and Laws, Provided Seal, Marketing Application, Privacy Access Control Rules, Ontology, Web Services, Secured transport.]

Towards End-to-End Privacy Control (cont.)

[Figure: A Conceptual Model of Web-Service-Based Privacy Access Control. Entities: Marketing Process, Marketing Task, Customer, Transaction, Response Record, Bank Web Service, Data View (+purpose), Personnel, Role, EPAL specification. Relationship labels: bring, return, via, call, access, perform, specify, control, authorize, control.]

Towards End-to-End Privacy Control (cont.)

[Figure: A Proposed Protocol and Architecture for Tackling Privacy Access Control Issues]

Towards End-to-End Privacy Control (cont.)

[Figure: An example marketing activity of an outsourced call center. Activity diagram nodes, in order of appearance: Logon; Select campaign; Bank Web service 1: get phone number; Dial another customer; Ask customer if interested; Bank Web service 2: surname, salutation; Record and housekeeping; Tell details and persuade customer; Bank Web service 3: more demographic data; Confirm transaction; Bank Web service 4: card number, perso... Transition guards: [ get through ], [ more customer ], [ fail ], [ customer interested ], [ customer agree ], [ logout ].]

Conclusions and Future Works

A layered architecture and methodology for the facilitation of privacy control based on Web services.

A conceptual model of Web-service-based privacy access control to facilitate the design of an implementation architecture.

Outsourced marketing companies can be integrated with adequate control and auditing.

Practicability, showing how the call center software for a typical marketing activity can be integrated effectively with the banks’ Web service.

Only the required part of a customer record is retrieved through the appropriate data views and sent one at a time to achieve strict end-to-end privacy.

Conclusions and Future Works (cont.)

We are currently working on the following technical research issues:
– Ontology: Adopt OWL with EPAL vocabularies;
– Privacy Access Control Policy: Adopt EPAL with extended assertions; and
– Privacy Access Control Preferences: Adopt A P3P Preference Exchange Language (APPEL).

From the practical and commercial perspective, we are also investigating research issues like:
– Critical success factors for the Web services-based end-to-end privacy control systems;
– Cost and technical requirements for the involved parties;
– The implementation issues of the proposed system; and
– Extending the framework to other applicable scenarios such as credit reference agencies.
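
The call-center activity above requests four bank Web services in turn, and the conclusions state that only the required part of a customer record is sent, one view at a time. The following Python is an added example, not code from the presentation, of how a bank-side service could enforce that ordering with a role and purpose check and an audit trail; the view names, the role and purpose strings, the pairing of call outcomes with views, and the customer record are assumptions constructed for illustration.

```python
# Added example: bank-side gate releasing one data view per call stage.
# View names, role/purpose strings and the customer record are constructed.
VIEWS = [  # (view name, fields released, call outcome required beforehand)
    ("phone", ("phone",), None),
    ("greeting", ("surname", "salutation"), "get through"),
    ("demographics", ("gender", "age_group", "salary_range"), "customer interested"),
    ("card", ("card_number",), "customer agree"),
]
ALLOWED = {("tele-agent", "card-campaign")}  # (role, purpose) pairs the bank authorizes

CUSTOMERS = {"c1": {"phone": "555-0100", "surname": "Lee", "salutation": "Ms",
                    "gender": "F", "age_group": "30-39", "salary_range": "B",
                    "card_number": "0000-0000-0000-0000", "address": "constructed"}}


class DataViewService:
    def __init__(self):
        self.sessions = {}   # agent -> [customer_id, views released, last outcome]
        self.audit = []      # (agent, customer_id, view, decision)

    def report(self, agent, outcome):
        """Call center reports the outcome of the current call step."""
        self.sessions[agent][2] = outcome

    def close(self, agent):
        """Housekeeping: end the call so the next customer can be dialled."""
        self.sessions.pop(agent, None)

    def get_view(self, agent, role, purpose, customer_id, view):
        index = [v[0] for v in VIEWS].index(view)
        fields, needed = VIEWS[index][1], VIEWS[index][2]
        authorized = (role, purpose) in ALLOWED
        session = self.sessions.get(agent)
        if session is None and index == 0 and authorized:
            session = self.sessions[agent] = [customer_id, 0, None]
        ok = (
            authorized
            and session is not None
            and session[0] == customer_id  # one customer at a time
            and session[1] == index        # views released strictly in order
            and session[2] == needed       # previous call step succeeded
        )
        self.audit.append((agent, customer_id, view, "permit" if ok else "deny"))
        if not ok:
            raise PermissionError(f"view '{view}' denied")
        session[1] += 1
        return {f: CUSTOMERS[customer_id][f] for f in fields}
```
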