![Page 1: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/1.jpg)
Addressing Data Reuse Issues at the Protocol Level
Oshani Seneviratne and Lalana KagalDIG, MIT CSAIL
June 8, 2011
![Page 2: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/2.jpg)
Issues Addressed
![Page 3: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/3.jpg)
#1: Personal Information on the Web
• Increasing amounts of personal information on the Social Web
• Often times there are unforeseen adverse consequences
• Users become victims of poor design choices: E.g. Facebook Beacon, Google Buzz, etc
![Page 4: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/4.jpg)
#1: Personal Information on the Web
• Users do not understand how to use privacy controls effectively: E.g: Google Lattitude
• Web is an easy medium to copy and paste
• How can we make sure that these information misuses do not happen?
![Page 5: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/5.jpg)
• There’s so much content on the Web– 3.6 billion images on– 20 hours of video uploaded every minute on
• Content reuse is good– Prevents redundant work– Promotes creativity
#2: Reuse of Creative Works
![Page 6: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/6.jpg)
#2: Reuse of Creative Works
• But even with these mechanisms, content misuse is pretty common
• How can you prove that someone has violated your usage restrictions?
![Page 7: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/7.jpg)
Proposed Solution
Accountable Hyper Text Transfer Protocol
HTTPA
![Page 8: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/8.jpg)
Accountability to Supplement Access and Usage Control
![Page 9: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/9.jpg)
![Page 10: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/10.jpg)
Usage Restriction Specification
• Initial Implementation of the protocol will use the RMP (Respect My Privacy) ontology
• Usage Restriction needs terms such as:
– No tracking– No ownership transfer– No commercial use
– No depiction– No employment use– No insurance use
![Page 11: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/11.jpg)
Negotiation of Usage Restrictions and Intentions / Handshake
• Uses HTTP headers ‘usage-restrictions’ and ‘intentions’
• Use ‘negotiate’ when the original usage restrictions and intentions do not match
![Page 12: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/12.jpg)
Data Uploaded to Websites (I)
POST pictureUsage Restrictions: No Ownership Transfer
HTTPA 412 Precondition FailedIntentions: Ownership Transfer
POST pictureNegotiate: No Ownership Transfer
HTTPA 204 No Content
Data Provider
Data Consumer
![Page 13: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/13.jpg)
Data Uploaded to Websites (II)
POST pictureUsage Restrictions: No Ownership Transfer
HTTPA 412 Precondition FailedIntentions: Ownership Transfer
POST pictureData Provider
Data Consumer
![Page 14: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/14.jpg)
Data Uploaded to Websites (III)
POST pictureUsage Restrictions: No Ownership Transfer
HTTPA 412 Precondition FailedIntentions: Ownership Transfer
POST pictureNegotiate: No Ownership Transfer
HTTPA 200 OK
Data Provider
Data Consumer
![Page 15: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/15.jpg)
Data Downloaded from WebsitesGET Alice’s PhotoIntentions: No-Commercial
Usage Restrictions: No Ownership Transfer
GET Alice’s PhotoIntentions: No-Commercial, No Ownership Transfer
HTTPA 200 OKUsage Aware Log: Log URI
Data Provider Data Consumer
![Page 16: Addressing Data Reuse Issues at the Protocol Level](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681661e550346895dd970e7/html5/thumbnails/16.jpg)
Conclusions
• Policy enforcement is not enough to solve security and privacy problems on the web.
• We need a web ecosystem supporting accountability to supplement policy enforcement.