| WD-P3P-preferences-19980814 |
Copyright © 1998 W3C (MIT, INRIA, Keio ), All Rights Reserved. W3C liability, trademark, document use and software licensi ng rules apply.
This is a draft working document of the P3P Preference Interchange Language Working Group, for review by W3C members and other interested parties. This document has been produced as part of the P3P Activity, and may eventually be advanced toward W3C Recommendation status. It is inappropriate to use W3C Working Drafts as reference material or to cite them as other than "work in progress."
This working group has considered a number of different approaches to developing a P3P preference interchange language and has decided to document one approach and solicit feedback on it. The group may consider other approaches, including more general-purpose languages (for example, XML or RDF query languages). We encourage the development of experimental implementations and prototypes so as to provide feedback on the specification. However, this Working Group will not allow early implementations to affect their ability to make changes to future versions of this document.
This draft document will be considered by W3C and its members according to W3C process. This document is made public for the purpose of receiving comments that inform the W3C membership and staff on issues likely to affect the implementation, acceptance, and adoption of P3P.
Comments should be sent to p3p-comments@w3.org (archived for Members at http://lists.w3.org/Archives/Member/p3p-comments/).
This document specifies a language for describing collections of preferences regarding P3P proposals between P3P agents. Using this language, a user can express her preferences in a set of preference-rules (called ruleset), which can then be used by her user-agent to make automated or semi-automated decisions regarding the exchange of data with P3P enabled Web sites.
Note: This language is intended as a transmission format; individual implementations must be able to read and write their specifications in this language, but need not use this format internally.
This language complements the P3P1.0 specifications. Much of the underlying logic is based on PICSRules. We hope in time that this will merely be an application of XML (XML-data) and RDF (RDF schema) definition, rules, or query languages.
A basic P3P interaction might proceed as follows:
Primarily, we envision this language will be used to allow users to import preference rulesets created by other parties and to transport their own rulesets files between multiple user agents. User agent implementors might choose to use this language (or some easily-derived variation) to encode user preferences for use by the rule evaluators that serve as the decision-making components of their user agents.
While we do not expect users to be exposed to the expression of the rules themselves, tools that allow them to test their rules may be useful. For instance, a user could make a query, "under what conditions do I give out identifiable information?"
behavior attribute
is mandatory)
The scope of the rule is determined by the opening and closing elements of an APPEL RULE element. The evaluator returns the behavior (as specified in its behavior attribute) of the rule that fired on the basis of the evidence discussed above. In addition, the rule evaluator may optionally return an explanation string (suitable for user display), and the name of a persona.
Applications should interpret the standard outputs as follows:
A ruleset consists of one or more groups, each containing one or more rules. Each group optionally contains an (ordered) list of triggers specifying the conditions under which the group becomes active. Groups and their trigger conditions are evaluated in order they are listed in the ruleset. The first group whose triggers evaluate to true will be the active group and further evaluation of the evidence will use only the rules within the scope of that group (see section 5.1.2 Rulesets for further details).
Each rule in the active group is evaluated in the order in which it appears. Once a rule evaluates to true, the corresponding behavior is returned and rule evaluation ends. User Agents that wish to provide additional information in case a proposal is not accepted (such as listing all reasons why it was rejected, not only the first one that led to "reject") might require further evaluation in order to provide such information to the user.
Rulesets should be written so that there is always a group that will become active and a rule within that group that will fire. A rule evaluator should return an error if it is called without a ruleset, with an empty ruleset, if no group becomes active, or if no rule fires. It is up to the calling program to determine what to do if an error is returned; however, calling programs should not treat an error as they would an "accept".
Further information on rule processing can be found in sections 5.1 "The Rule Evaluator in a nutshell" and 5.2 "Group, triggers and rules ordering".
When multiple simple-expressions and/or data-reference expressions
are placed within the scope of a single expression, all must hold true
within the scope of a single piece of evidence. For example, if a rule
contains a P3P:STATEMENT expression that contains a
simple-expression purpose="3" and a
data-reference-expression name="ID.PUID", the
expression will only evaluate to true if the P3P proposal contains a
statement that both references the ID.PUID data element and declares a
purpose of 3. If both the simple-expression and data-reference
expression are satisfied, but only in separate statements, then the
expression evaluates to false.
The matching of simple- and data-reference expressions, as well as matching attribute names, is described in more detail in section 5.4 Matching. A brief overview is given in the following paragraph.
An implicit = operator applies to data-reference-expressions. Furthermore, data-reference-expressions that contain multiple data-references use one of the following quantifiers during matching: ANY, ONLY, ALL, NOT-ONLY. Quantifiers can be defined individually for each rule. However, rules that result in an "accept" behavior always use the semantics of the ONLY quantifier when matching data-reference-expressions, regardless of the specified quantifier. Further details are described in section 5.4.3 Data Reference Expressions.
APPEL supports a simple set of wildcard metacharacters as found in
many popular operating system shells. Simple-expressions and
data-reference-expressions can use these wildcards to match ranges of
values such as <REF name="User.*"> (any element
from the "User" data set) or discURI="+" (any non-empty
disclosure URI attribute). Details can be found in section 5.4.3 Wildcards.
We will start with a plain text description of the user's (admittedly simple) preferences, followed by a tabular overview of the involved elements and their allowed values. Finally, we will give an example of the corresponding APPEL encoding. For the sake of clarity, the example will use the full XML namespace syntax, but this can easily be abbreviated for a more compact representation (See section 4.1.3 XML Representation). Also note that each listing in this document features line numbers for ease of reference; they are not part of the actual encoding!
Please note that some of the cells feature a wildcard symbol "*", while others are empty. APPEL distinguishes between non-referenced attributes and those that are referenced but contain only wildcards. In the former case, the user truly does not care about the attribute, even whether it is included in the proposal or not. In the latter case, the user might not care about the attributes value, but at least expects it to have some value. For further details see section 5.4.3 Wildcards
In our example below, the user does not care about the purpose of the collected clickstream data (hence the empty fields in the table), but requires that some form of assurance is present (represented by a wildcard "*" character).
| Behavior | Element/Set | Ent. | Assur. | Purp. | Recip. | Id | Act. | Disc. |
| accept | ID.PUID, Clickstream.Client_ | * | 0 | R | * | |||
| reject | [otherwise] |
behavior attribute) first
checks to see if only non-identifiable clickstream data and/or a
pairwise user ID (PUID) is collected, and accepts if assurance and disclosure
information is available. Otherwise, a "reject"-rule encapsulating the
degenerate expression "OTHERWISE" will fire, rejecting proposals that
contain
requests for data transfer.Alternatively, we could have written an initial "reject"-rule which denied all access to elements other than non-identifiable clickstream and/or the PUID, and then "accept" all proposals that pass the initial reject rule. This method is further explained in section 6. Ruleset Example.
| Listing 1: Simple Ruleset in APPEL |
|---|
|
001: <?xml:namespace ns="http://www.w3.org/TR/1998/WD-P3P-syntax#" prefix="P3P" ?>
002: <?xml:namespace ns="http://www.w3.org/TR/WD-rdf-syntax#" prefix="RDF" ?> 003: <?xml:namespace ns="http://www.w3.org/TR/1998/WD-APPEL10#" prefix="APPEL" ?> 004: <RDF:RDF> 005: <APPEL:APPEL> 006: <APPEL:RULESET crtdby="APPEL WG" crtdon="Wed, 12-Aug-1998 09:12:32 GMT"> 007: <RDF:SEQ> 008: <RDF:LI> 009: <APPEL:GROUP description"Default Group"> 010: <!-- We specify OTHERWISE as the only trigger condition here so that 011: this group is always active --> 012: <APPEL:TRIGGERS> 013: <APPEL:OTHERWISE/> 014: </APPEL:TRIGGERS> 015: <APPEL:RULES> 016: <RDF:SEQ> 017: <RDF:LI> 018: <!-- The ONLY quantifier is the default for "accept" rules. Any 019: other quantifier will be ignored. The description attribute 020: contains optional text that could be displayed by the 021: user agent during transfer or for debugging purposes. --> 022: <APPEL:RULE behavior="accept" quant="ONLY" 023: description="Service only collects clickstream data"> 024: <!-- Make sure the assurance field is present, but accept 025: any value. --> 026: <P3P:PROP assurance="*"> 027: <P3P:USES> 028: <!-- We only allow read access in non-identifiable form --> 029: <P3P:STATEMENT action="r" id="0"> 030: <!-- The ONLY quantifier restricts our user agent to only 031: accept proposals that ask for (any or none of) the two 032: elements below, but not for any other elements. --> 033: <P3P:REF name="ID.PUID"/> 034: <P3P:REF name="ClickStream.Client_"/> 035: </P3P:STATEMENT> 036: </P3P:USES> 037: <!-- We also require a natural language privacy statement --> 038: <P3P:DISCLOSURE discURI="*"/> 039: </P3P:PROP> 040: </APPEL:RULE> 041: </RDF:LI> 042: <RDF:LI> 043: <APPEL:RULE behavior="reject" 044: explanation="I don't want to be identified!"> 045: <APPEL:OTHERWISE/> 046: </APPEL:RULE> 047: </RDF:LI> 048: </RDF:SEQ> 049: </APPEL:RULES> 050: </APPEL:GROUP> 051: </RDF:LI> 052: </RDF:SEQ> 053: </APPEL:RULESET> 054: </APPEL:APPEL> 055: </RDF:RDF> |
|
But APPEL is not limited to matching elements of a P3P proposal only. Any valid XML element can be put as an expression inside an APPEL rule or group in order to test for external schemas (such as PICS label, SSL protocol status, etc.).
| Figure 1: APPLE BNF Syntax |
|---|
[1] ruleset = '<RDF:RDF xmlns="http://www.w3.org/RDF">'
'<APPEL xmlns="http://www.w3.org/APPEL">'
"<RULESET " attributes ">"
gseq
"</RULESET>"
"</APPEL>"
"</RDF:RDF>"
[2] gseq = "<RDF:SEQ>" *("<RDF:LI>" group "</RDF:LI>) "</RDF:SEQ>"
[3] group = "<GROUP" attributes ">"
"<TRIGGERS>" tseq "</TRIGGERS>"
"<RULES>" rseq "</RULES>"
"</GROUP>"
[4] tseq = "<RDF:BAG>" *("<RDF:LI>" expression "</RDF:LI>") "</RDF:BAG>"
[5] rseq = "<RDF:SEQ>" *("<RDF:LI>" rule "</RDF:LI>") "</RDF:SEQ>"
[6] rule = "<RULE>"
" behavior=" `"` behavior *("," behavior) `"`
[" quant=" quantifier]
attributes ">"
body
"</RULE>"
[7] attributes = [" exp=" '"' datetime '"'] ; default is empty value (never)
[" persona=" quoted-string]
[" crtby=" quoted-string]
[" crton=" '"' datetime '"']
[" description=" quoted-string]
[8] body = *optexp | '<OTHERWISE/>'
[9] behavior = "accept" | "reject" | "prompt" | "nop" | string
[10] quantifier = "any" | "all" | "only" | "not-only"
[11] optexp = '<OPTIONAL>' expression '</OPTIONAL>' | expression
[12] expression = <A chunk of RDF code>
[13] quoted-string = `"` string `"`
[14] string = <[UTF-8] string (with " and & escaped)>
[15] datetime = <date/time as per section 3.3 of [RFC 2068]>
|
Details are described in section 4.2 Elements below.
In contrast to P3P proposals, APPEL rulesets are not intended to be exchanged in real time by special means such as an HTTP protocol extension. Instead, they should be treated and downloaded like simple files, using any means available depending on the hard- and software setup in use.
Internally, user agents may use any convenient encoding of a user's ruleset (i.e. in binary form), as long as they provide methods to synchronize a user's plain text ruleset file with its internal representation.
<RDF:RDF> tag may be optionally omitted.
The outermost element of an APPEL ruleset takes no additional
attributes. It always appears in conjunction with the
RULESET tag described below. The use of two tags
(<APPEL><RULESET>) instead of just one
(<RULESET>) is due to the fact that we are
employing the RDF encoding.
RULESET elementGROUP and
RULE level.
[1] ruleset = '<RDF:RDF xmlns="http://www.w3.org/RDF">'
'<APPEL xmlns="http://www.w3.org/APPEL">'
"<RULESET " attributes ">"
gseq
"</RULESET>"
"</APPEL>"
"</RDF:RDF>"
[2] gseq = "<RDF:SEQ>" *("<RDF:LI>" group "</RDF:LI>) "</RDF:SEQ>"
[7] attributes = [" exp=" '"' datetime '"'] ; default is empty value (never)
[" persona=" quoted-string]
[" crtby=" quoted-string]
[" crton=" '"' datetime '"']
[" description=" quoted-string] |
GROUP elementGROUP block without any trigger condition
is simply activated if none of the preceding groups are
activated. Such a "default" group should be put at the end of a
ruleset. A ruleset should only contain a single default group.
RULSET element is used. Note that this value can be
overridden by each RULE.
[3] group = "<GROUP" attributes ">"
"<TRIGGERS>" tseq "</TRIGGERS>"
"<RULES>" rseq "</RULES>"
"</GROUP>"
[7] attributes = [" exp=" '"' datetime '"'] ; default is empty value (never)
[" persona=" quoted-string]
[" crtby=" quoted-string]
[" crton=" '"' datetime '"']
[" description=" quoted-string] |
All
expressions in a TRIGGERS element are implicitly ANDed
together.
Please note that a group with an empty list of TRIGGERS
will never get activated. In order to create a default group
which will become active under any conditions you have to use the
degenerate expression <OTHERWISE/>.
[3] group = "<GROUP" attributes ">"
"<TRIGGERS>" tseq "</TRIGGERS>"
"<RULES>" rseq "</RULES>"
"</GROUP>"
[4] tseq = "<RDF:BAG>" *("<RDF:LI>" expression "</RDF:LI>") "</RDF:BAG>" |
RULES element can be
active at a time.
[3] group = "<GROUP" attributes ">"
"<TRIGGERS>" tseq "</TRIGGERS>"
"<RULES>" rseq "</RULES>"
"</GROUP>"
[5] rseq = "<RDF:SEQ>" *("<RDF:LI>" rule "</RDF:LI>") "</RDF:SEQ>" |
RULE elementGROUP or RULESET is used.
Please note that a rule with an empty list of expressions will
never get activated. In order to create a default rule which
will trigger if no other (preceding) rule fired, you have to use the
degenerate expression <OTHERWISE/>.
[6] rule = "<RULE>"
" behavior=" `"` behavior *("," behavior) `"`
[" quant=" quantifier]
attributes ">"
body
"</RULE>"
[7] attributes = [" exp=" '"' datetime '"'] ; default is empty value (never)
[" persona=" quoted-string]
[" crtby=" quoted-string]
[" crton=" '"' datetime '"']
[" description=" quoted-string]
[9] behavior = "accept" | "reject" | "prompt" | "nop" | string
[10] quantifier = "any" | "all" | "only" | "not-only" |
OTHERWISE should be the only expression in a list of triggers or a rule. A ruleset should usually contain one and only one rule featuring the degenerate expression, and such a rule should be the last one in a ruleset. Users should take care not to use the OTHERWISE element in an "accept" behavior, which would result in unlimited access to a user's data repository for sites not covered by the preceding rules! User agents should refuse to accept rulesets with such "catch-all" "accept" rules.
[8] body = *optexp | '<OTHERWISE/>' |
Optional expressions evaluate to true if the contained element can not be found in the evidence. If one or more elements of the enclosed type are available in the evidence, the APPEL rule evaluator will simply try to match each element with the constraints specified in the expression and evaluate the expression to true or false.
[11] optexp = '<OPTIONAL>' expression '</OPTIONAL>' | expression [12] expression = <A chunk of RDF code> |
accept" type (see section 5.6
Extensible Behaviors).
A group with only the degenerate-expression in its trigger set is called the "default group". It will become active if none of its preceding groups was triggered. Each APPEL ruleset should have exactly one (and only one) default group, placed at the end of the list of groups.
Each rule in a ruleset or group is evaluated in the order in which it appears. Once a rule evaluates to true, the corresponding behavior is returned (also see section 5.6 Extensible Behaviors) and rule evaluation ends. If no match occurs and all rules have been processed, an error is returned to the calling program.
How APPEL evaluates multiple groups in a ruleset, or multiple triggers or rules in a groupThere is no need for logic operators among multiple groups or rules in an APPEL ruleset, since all expressions in APPEL are evaluated strictly in order. However, changing a groups triggers or changing the order of the groups in the ruleset, as well as inserting a new rule or changing the order of an existing list of rules within a group, can greatly influence the behavior of the user agent!
Care should be taken that triggerless groups (aka "default group") and
rules containing the degenerate expression
<OTHERWISE> exist only once and are placed at the
end of their respective lists.
How to specify what to match in a group trigger or ruleEvery rule and trigger in an APPEL ruleset contains a single expression which must be in valid RDF format. Each expression tries to match a certain piece of evidence, in the form of a P3P proposal or other RDF metadata such as a PICS label.
Expressions over elements that are not in the set of evidence provided by the calling program always evaluate to false. For example, a rule containing a P3P proposal expression and an expression over a PICS label will fail if no PICS label could be found in the evidence set, even though the P3P proposal matches.
However, using the <OPTIONAL> element, expressions
checking for nonexistent evidence can be ignored by the rule
evaluator, just as if they had never been specified.
RDF:Seq,
RDF:Bag and RDF:Alt. However, since the rule
evaluator always ANDs together all available evidence, any
collection is always treated as if being an unordered list of nodes
(i.e., of type RDF:Bag).Since multiple expressions are ANDed together, the rule or trigger will evaluate to true if and only if all of its expressions evaluate to true. If only a single expression evaluates to false the rule or trigger must fail. In order to logically OR multiple expressions one has distribute them among multiple rules.
Order does not matter for rule evaluation: the rule evaluator evaluates all expressions one at a time (in any order), trying to find a match for each element in the evidence. The evaluator does not keep track of which part of the evidence has been successfully matched against an expression before, so multiple expressions in a single rule might match the same single element in the evidence set repeatedly (but for example testing different attributes each time).
As a consequence of this, a rule might for example contain multiple proposals, even though only a single proposal will be in the evidence set at any time (see section 2.1 Inputs and Outputs).
Note: While multiple expressions in a single rule can match a single element in the evidence, a single expression can not match multiple elements in the evidence!
| Figure 2: Multiple expressions in a rule. | |
|---|---|
|
However, if a corresponding element can be found in the evidence set, the rule evaluator must try to match the expression given in the rule. If it fails, the expression (and therefor the rule) must evaluate to false.
| Figure 3: Optional expressions. | |
|---|---|
|
Please note that every element referred to in an expression should have a corresponding XML namespace reference at the beginning of the APPEL ruleset. The rule evaluator should return an error if it is unable to resolve elements referenced in a rule expression, even if the expression was marked as being optional.
| Figure 4: Sub Elements in expressions. | |
|---|---|
|
In figure 4 above, expression 2 and 3 could match the same element in the evidence set, namely a PICS label with an RSACi rating of less than 4 for violence and less than 2 for language. That is because the subelements in expression 2 could be matched to the same single RSACi rating element in the evidence set. However, the two STATEMENT subelements in expression 1 above could only match two different STATEMENT elements in the evidence set because of different values for the action attribute.
How APPEL matches expressions against available evidenceAPPEL contains multiple levels where matching is done during rule evaluation:
The following subsection will define APPEL's matching process in more detail and how it applies to the three different levels of XML structure.
Simple-expressions may take string or numeric values. Only the = operator may be applied to string-valued simple expressions and multi-numeric-valued simple expressions (i.e. simple expressions that test for multiple, numeric values. See below).
Single-numeric-valued simple expressions might also use the following operators: =, <, >, <=, >=. The semantics of each of these operators follows their traditional usage when applied to single values. Note: While the equality operator = is applied outside of the quoted value (i.e. id="0"), all other operators have to appear inside the quotes, preceding the number, in addition to the equality operator outside: purp="<=2". These operators are summarized in table 1 below.
In addition, numeric-valued expressions in APPEL allow for a set of boolean-type operators to govern the type of match, and are described in a special section 5.4.2 Prefix Operators for Simple Expressions below.
The result of applying any operator will be a Boolean value, true or false.
| Table 1: Simple Expression Semantics for single-numeric expressions | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
In order to override this standard mechanism, APPEL allows the use of
the "AND:" operator prefixing the list of values of a
multi-valued expression. Such "AND"ed multi-values evaluate to true
only if there is evidence to satisfy every value given in the
expression.
For example, the simple-expression purp="AND:3,4" would only evaluate to true if a proposal contains a statement in which purposes 3 and 4 are both declared; while the simple expression purp="3,4" would evaluate to true if a proposal contains a statement in which either purpose 3 or purpose 4 (or both) are declared.
In order to limit the allowed values in the evidence, APPEL supports
use of the "ONLY:" operator. When prefixing a list of
values with ONLY:, the expression evaluates to true
if only the values listed in the expression appear in the
evidence. When combining this ONLY: operator with the
above AND: operator, we can in effect force an exact
match between the specified list in our expression and the list of
values in the evidence (order doesn't matter, though).
For example, the simple-expression purp="ONLY:3,4" would evaluate to true if a proposal contained a statement in which only purposes 3 or 4 (or both) are declared; while the simple expression purp="ONLY:AND:3,4" would evaluate to true only if a proposal contained a statement in which both purpose 3 and purpose 4, and no other purposes, were declared.
Finally, both operators (or their combination) can be prefixed by the
NOT: operator, effectively negating the expression. Table
2 summarizes the allowed operators for multi-valued Simple Expressions.
| Table 2: Simple Expression operators for matching multiple values | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Please note again that the standard match performed by the expression
attribute="value" tests only for presence of that value
(or for the ORed combination of multiple values, if given), not for
exclusiveness. This might lead to confusion if the user wants to
restrict rule matches to certain values only. In order to
attain more restrictive matches (i.e. "Match ONLY") the user
has to explicitly make use of the ONLY: operator!
| Table 3: APPEL regular expression metacharacters | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Using these metacharacters with strings allows us to specify ranges of string-values, for example "*.foo.com" for any host in the foo.com domain, or "*://*"" for a URI (or at least something that looks like one). Please note that string values are always matched from the beginning of the string, unless the user specified an initial * star symbol. Forcing a string match from the end is not possible in APPEL.
Using the above symbols with number-valued simple expressions should only be done to replace the whole matching string, such as in <P3P:STATEMENT purp="+"> (for matching a non-empty purpose field in a P3P statement). Wildcard characters can not be used to match single values in a multi-valued string (such as in purp="AND:0,*") or to match part of a number itself (such as in purp="1?").
Please note also that wildcard characters are only allowed within quoted strings, not for matching attribute names or element names! However, they can be applied in the above manner to match ranges of data elements when used in data-reference expressions.
Please note that is not possible in APPEL to write rules that prevent a certain attribute from appearing in an element of the evidence set.
Quantifiers are specified within the RULE element of each rule using the quant attribute. Figure 5 shows an example of using a quantifier to restrict the limit of a "reject" rule.
| Figure 5: Example using a Quantifier. | |
|---|---|
|
APPEL supports four different kind of quantifiers, which are listed in table 4 below. However, these quantifiers can only be used with non-"accept"ing rules, such as a "reject" or "prompt" rule (or any behavior extension which is not tagged as being an "accept" type of rule -- see section 5.6 Extensible Behaviors). "Accept"ing rules always use a default ONLY quantifier. User Agents are free to simply ignore quantifiers in "accept"ing rules, but should preferably inform the user that the specified quantifier is being ignored.
| Table 4: Data Reference Quantifier | ||||||||
|---|---|---|---|---|---|---|---|---|
|
The reason for not allowing ANY, ALL or NOT-ONLY qualifiers to be used in an "accept"ing rule is to prevent unwanted release of data from a user's repository. Having the default quantifier of "accept"ing rules set to ONLY, APPEL effectively requires the user to explicitly enumerate all elements that could be released to a service should the corresponding rule fire. Using the ONLY quantifier, any request for an element not listed in the "accept"ing rule would immediately result in a failure to match.
Also, an "accept" rule should intuitively evaluate to true even in case a proposal is less demanding than the proposal specified in the rule, which is the effect when using the ONLY quantifier (since it matches even if less than the listed elements are requested). A "reject" rule on the other hand should evaluate to true even in case the proposal is more demanding than the proposal specified in the rule. This is the case with the default quantifier ANY for non-"accept"ing rules, which matches already if at least one of the listed data elements is requested. However, since non-"accept"ing rules do not release any data without the user's explicit consent (for example in a "prompt" rule), APPEL allows any of the four quantifiers to be used in these cases.
Table 5 summarizes the default quantifiers for the different behavior elements in APPEL.
| Table 5: Default Quantifiers | |||||||||
|---|---|---|---|---|---|---|---|---|---|
|
APPEL supports the use of categories in its rules by implicitly translating each referenced category into the list of base elements that belong into that category. Figure 6 below shows an example. Any custom data schemes that have been introduced by the service as to belonging to the referenced category will also be matched by this mechanism.
| Figure 6: Category matching. | ||
|---|---|---|
|
The expires attribute specifies a date string that defines the valid life time of that element. Once the expiration date has been reached, the element (ruleset, group, rule) will no longer be used by the APPEL rule evaluator. Expired groups or rules may either be deleted from the ruleset, moved to a "Removed Items" folder, or simply be kept in the ruleset (maybe until the ruleset reaches a certain size). Expired rulesets should require the user agent to prompt the user for an action (e.g., to extend the expiration time, to download a newer version of the ruleset from a Website, etc.).
The date string is formatted as:
Wdy, DD-Mon-YYYY HH:MM:SS GMT
This is based on RFC 822, RFC 850, RFC 1036, and RFC 1123, with the
variations that the only legal time zone is GMT and the separators
between the elements of the date must be dashes.
User agents should verify the ruleset after a rule or group has expired in order to detect missing default rules or groups and inform the user if the ruleset thus has become invalid.
Please note that expires is an optional attribute. If not specified, a ruleset, group or rule will never expire.
behavior attribute of an APPEL:RULE element
and will be returned to the calling program if the corresponding rule
should fire:
| Figure 6: APPEL rule using a behavior extension. | |
|---|---|
|
The rule evaluator will simply return the string specified in the
behavior attribute and let the calling program
(i.e. the user agent) decide what to do. However, in order to better
handle behavior extensions that are not supported by all user agents
yet, APPEL allows the rule creator to define a list of "fallback"
behaviors for unknown extensions. This mechanism is similar to the
current face attribute in the
FONT element in HTML: A list of behaviors is given,
which is evaluated sequentially. The first known behavior is chosen
for the rule:
| Figure 7: APPEL rule using fallback behaviors. | |
|---|---|
|
If none of the behaviors is known to the calling program, a default "prompt" behavior should be exhibited by the user agent.
In order to know which extensions the particular calling program knows about, the rule evaluator expects a list of extensions together with the rule file and the evidence upon invocation. The evaluator compares the list of behaviors of a rule with this list of known extensions and retains only the first known extension for each rule in the rule's (internal) behavior slot. If no extension matches, the empty string is used as the behavior for this rule, which would force user agent to use the fallback (prompt) behavior, should this rule fire at the end of evaluation.
In order to know which behavior extensions will seamlessly give out
data from the user repository (i.e. "accept" the proposal when the
corresponding behavior string is returned), APPEL requires the user
agent to "tag" each behavior extension it supports with the suffix
":accept" in case it is handled as an "accept"ing
behavior in this particular implementation.
| Figure 8: User agent behavior string (non-normative). | |
|---|---|
|
Once the rule evaluator has determined the behavior that will be used for a particular rule (see previous paragraphs) it also adjusts the quantifiers for this rule according to the behavior type the user agent reported for this behavior: "accept"ing rules will be set to use the ONLY quantifiers, while non-"accept"ing rules will either use their specified quantifiers, or ANY should no quantifier be given.
nop. If used as a fallback
behavior at the end of a list of extension behaviors, the system
simply ignores the rule if none of the preceding behaviors is known.
Please note that rules featuring nop as their only
behavior will simply be ignored. User agents should detect such rules
and prompt the user for action before installing such a ruleset.
behavior tag of the
<RULE> element. These behaviors can be one of
the four standard behaviors (accept,
reject, prompt, or nop),
or any other string which would be interpreted as an extension.
behavior attribute can contain a comma
separated list of behaviors, which are tried
sequentially from left to right until a known behavior is found
(similar to the FACE attribute in the HTML
FONT element):
<APPEL:RULE behavior="foo,bar,baz,accept">
Known_Extensions: "baz,bar:accept"
accept" behavior itself or it is tagged
":accept" by the calling program in the list of
known extension, the rule evaluator will apply the "ONLY"
quantifier to the rule, regardless of the quantifier specified
(This quantifier will match zero or more elements, but fail if
any unknown element is encountered in the proposal sent.)
Creating an APPEL ruleset is basically a three step process:
The members of this working group have found two alternative approaches to creating rulesets most helpful, and we will describe one of them (the less confusing one) in this section in more detail. Nevertheless, it will be necessary for implementations to support this task with well crafted user interfaces and useful debugging tools in order to avoid the unwanted disclosure of data elements from the user's repository.
The main idea in this approach is to start one's privacy preferences with a list of unacceptable conditions, i.e. situations in which we are never to release our data elements. Once we have enumerated all non-conformal conditions, we list those that we are willing to consider (i.e. those that we want to be prompted for), followed by the list of data elements we are willing to give out in all other cases (i.e. when non of our unacceptable conditions holds true).
| Figure 9: Fictional User Preferences (using filtering). | |
|---|---|
|
Figure 9 shows a number of fictional user preferences, enumerated according to the recipe described above:
Once we have reached the third part of the list (elements we are willing to disclose), we usually need not specify any more conditions for our rules, since we already filtered out all unacceptable (or questionable) conditions in steps one and two. This can be seen in figure 10, where we translate our preferences above into APPEL pseudo-rules using the three standard behaviors "accept", "reject" and "prompt":
| Figure 10: Filtering Rules corresponding to figure 9. | |
|---|---|
|
Rule 9 summarizes our "generic" preferences (i.e. preferences to apply to all unknown sites; in contrast to "specific" preferences such as rule 10 that applies only to my bank) in a way that it lists all elements we are willing to disclose if none of the above reject rule has fired so far. This is a good demonstration on how rule ordering plays an important role in APPEL: if we would have placed rule 9 somewhere in the middle of the reject rules (or even at the top), we would have accepted proposals even though they wouldn't fulfill our necessary conditions listed in our preferences!
| Don't give out my zip code in identifiable form or for marketing purposes | -->
|
Reject if zipcode data is used in
identifiable form. Reject if zipcode data is used for marketing purposes. |
| Don't give out demographics in identifiable form or over an insecure line. | -->
| Reject if demographics data is used in identifiable
form. Reject if demographics is collected over an insecure line. |
Take for example preferences 9 and 10 in figure 9. A straightforward translation of the preferences would have resulted in the following rules:
Although one of these two rules would certainly match if either clickstream or my account number would be requested by my bank, none of them would match if the bank would request both clickstream and my account number in a single proposal!
The solution is to enumerate all allowed data elements for each condition (condition being in our case whether it's my bank requesting the data or not). Thus, we have to duplicate all elements listed in preference 9 and copy them into preference 10:
In an optional step we can now group together rules with identical conditions in order to reduce the overall size of our ruleset, as shown in figure 11 below (in our example this only applies to the "reject"-rules, but it could in practice be applied to all kind of behaviors). Sometimes we can make use of the element hierarchy and collate single elements with their corresponding sets, or group rules with conditions that subsume each other (for example when grouping the second part of rule 2 together with rule 4 of figure 10 into the new rule 2 below).
| Figure 11: Collated Filtering Rules. | |
|---|---|
|
These rules can now be written out as APPEL rules using the syntax described previously. Please note that the listing below also features some additional examples not explicitly described in the previous paragraphs but which are sufficiently documented in the source code:
| Listing 2: Example Ruleset in APPEL |
|---|
000: <?xml:namespace ns="http://www.w3.org/TR/1998/WD-P3P-syntax#" prefix="P3P" ?>
001: <?xml:namespace ns="http://www.w3.org/TR/WD-rdf-syntax#" prefix="RDF" ?>
002: <?xml:namespace ns="http://www.w3.org/TR/1998/WD-APPEL10#" prefix="APPEL" ?>
003: <!-- Custom Schemas -->
004: <?xml:namespace ns="http://www.w3.org/TR/WD-SSL-schema#" prefix="SSL" ?>
005: <RDF:RDF>
006: <APPEL:APPEL>
007: <APPEL:RULESET crtdby="APPEL WG" crtdon="Wed, 12-Aug-1998 21:32:02 GMT">
008: <RDF:SEQ>
009: <RDF:LI>
010: <APPEL:GROUP description"Default Group">
011: <!-- We specify OTHERWISE as the only trigger condition
012: here so that this group is always active -->
013: <APPEL:TRIGGERS>
014: <APPEL:OTHERWISE/>
015: </APPEL:TRIGGERS>
016: <APPEL:RULES>
017: <RDF:SEQ>
018: <!-- Rule 1: Reject if clickstream, zipcode, demographics
019: data or search text is used in identifiable form. -->
020: <RDF:LI>
021: <!-- The ANY quantifier is the default for non-"accept"ing rules,
022: but we list it here for clarity. -->
023: <APPEL:RULE behavior="reject" quant="ANY"
024: description="Service collects clickstream, zipcode,
025: demographic data or search text in
026: identifiable form">
027: <P3P:PROP>
028: <P3P:USES>
029: <!-- We reject any access to the elements below in
030: identifiable form. -->
031: <P3P:STATEMENT id="1" category="8">
032: <P3P:REF name="ClickStream.Client_"/>
033: <P3P:REF name="*.Postal.PostalCode"/>
034: <P3P:REF category="8"/> <!-- will be expanded -->
035: <!-- "8" == "Demographics and SocioEconomic Data" -->
036: <P3P:REF name="Form.SearchText_"/>
037: </P3P:STATEMENT>
038: </P3P:USES>
039: </P3P:PROP>
040: </APPEL:RULE>
041: </RDF:LI>
042: <!-- Rule 2: Reject if zipcode, shipping or billing
043: information is collected for purposes other than
044: completion of the current activity purposes. -->
045: <RDF:LI>
046: <APPEL:RULE behavior="reject"
047: description="Service collects zipcode, shipping
048: or billing information for
049: purposes other than completion of
050: current activity.">
051: <P3P:PROP>
052: <P3P:USES>
053: <!-- We reject any access to the elements below for
054: non-zero purposes (0 == completion of activities). -->
055: <P3P:STATEMENT id="1" purp=">0">
056: <P3P:REF name="*.Postal.PostalCode"/>
057: <P3P:REF name="ShipTo.*"/>
058: <P3P:REF name="BillTo.*"/>
059: </P3P:STATEMENT>
060: </P3P:USES>
061: </P3P:PROP>
062: </APPEL:RULE>
063: </RDF:LI>
064: <!-- Rule 3: Reject if demographics or account information is
065: collected (or written) over an insecure line. -->
066: <RDF:LI>
067: <APPEL:RULE behavior="reject"
068: description="Demographics or account
069: information is collected (or written) over an
070: insecure line.">
071: <!-- We need to enumerate multiple conditions here, so
072: we use the RDF:BAG element. -->
073: <RDF:BAG>
074: <!-- First, we express what data this rule concerns -->
075: <RDF:LI>
076: <P3P:PROP>
077: <P3P:USES>
078: <P3P:STATEMENT action="*">
079: <P3P:REF name="*.Postal.PostalCode"/>
080: <P3P:REF name="ShipTo.*"/>
081: <P3P:REF name="BillTo.*"/>
082: </P3P:STATEMENT>
083: </P3P:USES>
084: </P3P:PROP>
085: </RDF:LI>
086: <!-- Next, we identify an insecure line. -->
087: <RDF:LI>
088: <!-- Since we want this rule to reject the request
089: even if the protocol format cannot be established
090: at all, we enclose the element below in an
091: OPTIONAL tag. Otherwise a missing SSL extension
092: would make this rule fail (i.e. _not_ reject). -->
093: <APPEL:OPTIONAL>
094: <!-- The SSL data schema is defined in our xml name-
095: space header at the beginning of this file. -->
096: <SSL:PROTOCOL active="no">
097: </APPEL:OPTIONAL>
098: </RDF:LI>
099: </RDF:BAG>
100: </APPEL:RULE>
101: </RDF:LI>
102: <!-- Rule 4: Prompt me if credit card information is
103: collected over a secure line for completion of
104: the current activities. -->
105: <RDF:LI>
106: <APPEL:RULE behavior="prompt"
107: description="Credit Card information is
108: collected over a secure line for completion of
109: the current activities. You might want to
110: consider releasing it.">
111: <!-- We need to enumerate multiple conditions here, so
112: we use the RDF:BAG element. -->
113: <RDF:BAG>
114: <!-- Although Credit Card information is not in the P3P
115: base set of elements, we can simply reference here
116: any kind of element we expect to be contained in a
117: proposal. -->
118: <RDF:LI>
119: <P3P:PROP>
120: <P3P:USES>
121: <!-- purp="0" == "Completion of current activities" -->
122: <P3P:STATEMENT action="*" purp="0">
123: <!-- matches: "Visa.CreditCard.Number"
124: or "MC.CreditCard.ExpirationDate" -->
125: <P3P:REF name="*.CreditCard.*"/>
126: <!-- we can also use categories for unknown
127: elements, although this might match more
128: than just credit card information. -->
129: <P3P:REF category="3"/>
130: <!-- "3" == "Financial Account Identifiers" -->
131: </P3P:STATEMENT>
132: </P3P:USES>
133: </P3P:PROP>
134: </RDF:LI>
135: <!-- Next, we identify an secure line. -->
136: <RDF:LI>
137: <!-- Since we want this rule to prompt only if the
138: secure protocol can reliably be established, we do
139: _not_ use OPTIONAL tags. -->
140: <SSL:PROTOCOL active="yes">
141: </RDF:LI>
142: </RDF:BAG>
143: </APPEL:RULE>
144: </RDF:LI>
145: <!-- Rule 5: Prompt me if form data is collected for
146: marketing purposes or if it asks for elements
147: from the Financial Account Category. -->
148: <!-- "OR"ed rules effectively translate into two separate
149: rules in APPEL -->
150: <RDF:LI>
151: <APPEL:RULE behavior="prompt"
152: description="form data is collected for
153: marketing purposes.">
154: <P3P:PROP>
155: <P3P:USES>
156: <P3P:STATEMENT purp="4">
157: <P3P:REF name="Form.Data_"/>
158: </P3P:STATEMENT>
159: </P3P:USES>
160: </P3P:PROP>
161: </APPEL:RULE>
162: </RDF:LI>
163: <RDF:LI>
164: <APPEL:RULE behavior="prompt"
165: description="form data asks for elements
166: from the Financial Account
167: Category.">
168: <P3P:PROP>
169: <P3P:USES>
170: <P3P:STATEMENT>
171: <!-- Note that the category in the proposal only
172: has to _include_ "3", but can also reference
173: other categories. -->
174: <P3P:REF name="Form.Data_" category="3"/>
175: </P3P:STATEMENT>
176: </P3P:USES>
177: </P3P:PROP>
178: </APPEL:RULE>
179: </RDF:LI>
180: <!-- Rule 6: Accept proposals asking for read access to
181: clickstream data, zipcode, demographics,
182: shipping information, billing information,
183: search text, credit card information or form
184: data. -->
185: <RDF:LI>
186: <APPEL:RULE behavior="accept"
187: description="verified access to clickstream
188: data, zipcode, demographics,
189: shipping information, billing
190: information, search text, credit
191: card information or form data ">
192: <P3P:PROP>
193: <P3P:USES>
194: <!-- Make sure we set action to "read" here, otherwise
195: we might allow write access to the elements below! -->
196: <P3P:STATEMENT action="r">
197: <P3P:REF name="ClickStream.Client_"/>
198: <P3P:REF name="*.Postal.PostalCode"/>
199: <P3P:REF category="8"/>
200: <!-- "8" == "Demographics and SocioEconomic Data" -->
201: <P3P:REF name="ShipTo.*"/>
202: <P3P:REF name="BillTo.*"/>
203: <P3P:REF name="Form.SearchText_"/>
204: <P3P:REF name="*.CreditCard.*"/>
205: <P3P:REF name="Form.Data_"/>
206: </P3P:STATEMENT>
207: </P3P:USES>
208: </P3P:PROP>
209: </APPEL:RULE>
210: </RDF:LI>
211: <!-- Rule 7: Accept proposals from my bank asking for read
212: access to clickstream data, zipcode,
213: demographics, shipping information, billing
214: information, search text, credit card
215: information or form data, and read & write
216: access to my account number. -->
217: <RDF:LI>
218: <APPEL:RULE behavior="accept"
219: description="bank access to clickstream
220: data, zipcode, demographics,
221: shipping information, billing
222: information, search text, credit
223: card information, form data and
224: account information">
225: <P3P:PROP realm="*.mybank.com">
226: <P3P:USES>
227: <!-- Make sure we set action to "read" here, otherwise
228: we might allow write access to the elements below! -->
229: <P3P:STATEMENT action="r">
230: <P3P:REF name="ClickStream.Client_"/>
231: <P3P:REF name="*.Postal.PostalCode"/>
232: <P3P:REF category="8"/>
233: <!-- "8" == "Demographics and SocioEconomic Data" -->
234: <P3P:REF name="ShipTo.*"/>
235: <P3P:REF name="BillTo.*"/>
236: <P3P:REF name="Form.SearchText_"/>
237: <P3P:REF name="*.CreditCard.*"/>
238: <P3P:REF name="Form.Data_"/>
239: </P3P:STATEMENT>
240: <P3P:STATEMENT action="rw">
241: <P3P:REF category="3"/>
242: <!-- "3" == "Financial Account Identifiers" -->
243: </P3P:STATEMENT>
244: </P3P:USES>
245: </P3P:PROP>
246: </APPEL:RULE>
247: </RDF:LI>
248: <!-- Rule 8: Accept proposals from my computer retailer
249: asking for read access for my home contact
250: information and read & write access to my
251: computer related information, until November
252: 1st, 1999. -->
253: <RDF:LI>
254: <APPEL:RULE behavior="accept"
255: expires="Mon, 01-Nov-1998 00:00:00 GMT"
256: description="service contract with my
257: computer retailer">
258: <P3P:PROP realm="*.myretail.com">
259: <P3P:USES>
260: <!-- Make sure we set action to "read" here, otherwise
261: we might allow write access to the elements below! -->
262: <P3P:STATEMENT action="r">
263: <P3P:REF name="Home.*"/>
264: </P3P:STATEMENT>
265: <P3P:STATEMENT action="rw">
266: <P3P:REF category="4"/>
267: <!-- "4" == "Computer Information" -->
268: </P3P:STATEMENT>
269: </P3P:USES>
270: </P3P:PROP>
271: </APPEL:RULE>
272: </RDF:LI>
273: <!-- Rule 9: Implicit default reject rule. -->
274: <RDF:LI>
275: <APPEL:RULE behavior="reject"
276: explanation="Proposal not acceptable">
277: <APPEL:OTHERWISE/>
278: </APPEL:RULE>
279: </RDF:LI>
280: </RDF:SEQ>
281: </APPEL:RULES>
282: </APPEL:GROUP>
283: </RDF:LI>
284: </RDF:SEQ>
285: </APPEL:RULESET>
286: </APPEL:APPEL>
287: </RDF:RDF> |
The idea is to use "accept" preferences directly without translating them into "reject"/"accept" pairs first (as described in the previous section). The rulesets created this way grow bigger in size than their counterparts written according to the previous recipe, but have the advantage that we can use positive privacy assertions from the user, which is for many people easier to specify than the filtering rules described above.
However, what has been briefly described before using two accept rules now grows laborious when we have to combine a larger number of "accept"ing rules, due to the combinatorial explosion: For each possible combination of conditions we have to explicitly write an accept rule enumerating the list of elements that should be released under these conditions
That is why the first approach, using reject rules in conjunction with accept rules, will be preferred by human rule authors. Automated processes though should be able to follow a simple mechanical recipe for constructing such rulesets using such explicit disclosure (i.e. "accept"ing/"prompt"ing rules only).
| Lorrie Cranor | AT&T Labs-Research |
| Marc Langheinrich (Editor) | NEC |
| Massimo Marchiori | W3C |
| Joseph Reagle | W3C |
| Drummond Reed | Intermind |
| Mary Ellen Zurko (Chair) | Iris |