Article

An empirical study of natural language parsing of privacy policy rules using the SPARCLE policy workbench

Authors:

Carolyn A. Brodie,

Clare-Marie Karat,

John KaratAuthors Info & Claims

SOUPS '06: Proceedings of the second symposium on Usable privacy and security

Pages 8 - 19

https://doi.org/10.1145/1143120.1143123

Published: 12 July 2006 Publication History

Abstract

Today organizations do not have good ways of linking their written privacy policies with the implementation of those policies. To assist organizations in addressing this issue, our human-centered research has focused on understanding organizational privacy management needs, and, based on those needs, creating a usable and effective policy workbench called SPARCLE. SPARCLE will enable organizational users to enter policies in natural language, parse the policies to identify policy elements and then generate a machine readable (XML) version of the policy. In the future, SPARCLE will then enable mapping of policies to the organization's configuration and provide audit and compliance tools to ensure that the policy implementation operates as intended. In this paper, we present the strategies employed in the design and implementation of the natural language parsing capabilities that are part of the functional version of the SPARCLE authoring utility. We have created a set of grammars which execute on a shallow parser that are designed to identify the rule elements in privacy policy rules. We present empirical usability evaluation data from target organizational users of the SPARCLE system and highlight the parsing accuracy of the system with the organizations' privacy policies. The successful implementation of the parsing capabilities is an important step towards our goal of providing a usable and effective method for organizations to link the natural language version of privacy policies to their implementation, and subsequent verification through compliance auditing of the enforcement logs.

References

[1]

Ackerman, M., & Mainwaring, S. (2005). Privacy issues in human-computer interaction. In L. Cranor & S. Garfinkel (Eds.) Security and Usability: Designing Secure Systems That People Can Use, Sebastopol, CA: O'Reilly, 381--400.

[2]

Anderson R. J. A (1996). Security Policy Model for Clinical Information Systems. In the Proceedings of the 1996 IEEE Symposium on Security and Privacy, 30--43.

Digital Library

[3]

Anderson R. J. (2000). Privacy Technology Lessons from Healthcare. In the Proceedings of the 2000 IEEE Symposium on Security and Privacy.

Digital Library

[4]

Agrawal, R., Kiernan, J., Srikant, R., and Xu, Y. (2003). Implementing P3P Using Database Technology. Proceedings of the 19th International Conference on Data Engineering, Bangalore, India.

[5]

Ashley, P., Hada, S., Karjoth, G., Powers, C., and Schunter, M. (2003). Enterprise Privacy Architecture Language (EPAL 1.2). W3C Member Submission. http://www.w3.org/Submission/EPAL/

[6]

Bohrer, K., Levy, S., Liu, X., and Schonberg, E. (2003). Individual Privacy Policy Based Access Control. In Proceedings of the 6th International Conference on Electronic Commerce Research (ICECR-6).

[7]

Brodie, C., Karat, C., and Karat, J. (2005). Usable Security and Privacy: A Case Study of Developing Privacy Management Tools. Proceedings of the Symposium on Usable Privacy and Security, (SOUPS'05), ACM Digital Library.

Digital Library

[8]

CRA Conference on "Grand Research Challenges in Information Security and Assurance". http://www.cra.org/Activities/grand.challenges/security/. November 16-19, 2003.

[9]

Cranor, L. (2002). Web Privacy with P3P. Cambridge: O'Reilly.

Digital Library

[10]

Cranor, L. (2005). Privacy policies and privacy preferences. In L. Cranor & S. Garfinkel (Eds.) Security and Usability: Designing Secure Systems That People Can Use, Sebastopol, CA: O'Reilly, 447--472.

[11]

IBM Research UIMA(2005) http://www.research.ibm.com/UIMA/

[12]

IBM Tivoli Privacy Manager for eBusiness (2004). http://www-306.ibm.com/software/tivoli/products/privacy-mgr-e-bus/.

[13]

Karat, C., Karat, J., Brodie, C., and Feng, J. (2006). Evaluating interfaces for privacy policy rule authoring. Proceedings of the Conference on Human Factors in Computing Systems -- CHI 2006, ACM Press, 83--92.

Digital Library

[14]

Karat, J., Karat, C., Brodie, C., and Feng, J. (2005). Privacy in information technology: Designing to enable privacy policy management in organizations. International Journal of Human Computer Studies, 63, 1-2, 153--174.

Digital Library

[15]

Karjoth, G. and Schunter, M. (2002) A Privacy Policy Model for Enterprises. Proceedings of the 15th IEEE Computer Security Foundations Workshop, 271--281.

Digital Library

[16]

Michael, J. B., Ong V. L., and Rowe N. C, (2001) "Natural-language processing support for developing policy-governed software systems", 39th International Conference on Technology for Object-Oriented Languages and Systems, IEEE Computer Society Press, pp. 263--274.

Digital Library

[17]

Microsoft Internet Explorer (2004). Help Safeguard your privacy on the web. http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

[18]

Neff, M., Byrd, R., and Boguraev, B. (2003) The Talent system: TEX-TRACT architecture and data model. In Proceedings of HLT-NAACL Workshop on Software Engineering and Architectures of Language Technology Systems, Edmonton, Alberta, Canada.

Digital Library

[19]

OASIS (2005). eXtensible Access Control Markup Language Version 2.0. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-specos.pdf.

[20]

OASIS (2005). Privacy Policy Profile of XACML v2.0. http://docs.oasis-open.org/xacml/2.0/PRIVACY-PROFILE/access_control-xacml-2.0-privacy_profile-specos.pdf.

[21]

Ponemon Institute and IAPP, (2004). 2003 Benchmark Study of Corporate Privacy Practices.

[22]

Smith, J. (1993). Privacy policies and practices: Inside the organizational maze. Communications of the ACM, 36, 12, 105--122.

Digital Library

[23]

Whitten, A. and Tygar J. D. (1999) Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of the 9th USENIX Security Symposium, August, 1999.

Digital Library

[24]

W3C (2002) A P3P Preference Exchange Language 1.0 (APPEL 1.0). http://www.w3.org/TR/P3P-preferences/

Cited By

Jayasundara SGamagedara Arachchilage NRussello G(2024)SoK: Access Control Policy Generation from High-level Natural Language RequirementsACM Computing Surveys10.1145/370605757:4(1-37)Online publication date: 28-Nov-2024
https://dl.acm.org/doi/10.1145/3706057
Spruit MFerati D(2023)Text Mining Business Policy DocumentsResearch Anthology on Business Law, Policy, and Social Responsibility10.4018/979-8-3693-2045-7.ch077(1525-1545)Online publication date: 24-Nov-2023
https://doi.org/10.4018/979-8-3693-2045-7.ch077
Fernandez RCheng PNhlabatsi AKhan KFetais N(2023)Effective Collaboration in the Management of Access Control Policies: A Survey of ToolsIEEE Access10.1109/ACCESS.2023.324286311(13929-13947)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3242863
Show More Cited By

Index Terms

An empirical study of natural language parsing of privacy policy rules using the SPARCLE policy workbench
1. Human-centered computing
  1. Human computer interaction (HCI)
2. Social and professional topics
  1. Computing / technology policy

Recommendations

Usability challenges in security and privacy policy-authoring interfaces
INTERACT'07: Proceedings of the 11th IFIP TC 13 international conference on Human-computer interaction - Volume Part II

Policies, sets of rules that govern permission to access resources, have long been used in computer security and online privacy management; however, the usability of authoring methods has received limited treatment from usability experts. With the rise ...
A user study of the expandable grid applied to P3P privacy policy visualization
WPES '08: Proceedings of the 7th ACM workshop on Privacy in the electronic society

Displaying website privacy policies to consumers in ways they understand is an important part of gaining consumers' trust and informed consent, yet most website privacy policies today are presented in confusing, legalistic natural language. Moreover, ...
Building access control policy model for privacy preserving and testing policy conflicting problems

This paper proposes a purpose-based access control model in distributed computing environment for privacy preserving policies and mechanisms, and describes algorithms for policy conflicting problems. The mechanism enforces access policy to data ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

SOUPS '06: Proceedings of the second symposium on Usable privacy and security

July 2006

168 pages

ISBN:1595934480

DOI:10.1145/1143120

General Chair:
Lorrie Faith Cranor
Carnegie Mellon University

Copyright © 2006 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 July 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

98
Total Citations
View Citations
1,139
Total Downloads

Downloads (Last 12 months)25
Downloads (Last 6 weeks)6

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Jayasundara SGamagedara Arachchilage NRussello G(2024)SoK: Access Control Policy Generation from High-level Natural Language RequirementsACM Computing Surveys10.1145/370605757:4(1-37)Online publication date: 28-Nov-2024
https://dl.acm.org/doi/10.1145/3706057
Spruit MFerati D(2023)Text Mining Business Policy DocumentsResearch Anthology on Business Law, Policy, and Social Responsibility10.4018/979-8-3693-2045-7.ch077(1525-1545)Online publication date: 24-Nov-2023
https://doi.org/10.4018/979-8-3693-2045-7.ch077
Fernandez RCheng PNhlabatsi AKhan KFetais N(2023)Effective Collaboration in the Management of Access Control Policies: A Survey of ToolsIEEE Access10.1109/ACCESS.2023.324286311(13929-13947)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3242863
Tanoli IAmin IJunejo FYusoff N(2022)Systematic Machine Translation of Social Network Data Privacy PoliciesApplied Sciences10.3390/app12201049912:20(10499)Online publication date: 18-Oct-2022
https://doi.org/10.3390/app122010499
Contu FDemontis ADessì SMuscas MRiboni D(2021)AI-Based Analysis of Policies and Images for Privacy-Conscious Content SharingFuture Internet10.3390/fi1306013913:6(139)Online publication date: 21-May-2021
https://doi.org/10.3390/fi13060139
Jakobi TAlizadeh FMarburger MStevens G(2021)A Consumer Perspective on Privacy Risk Awareness of Connected Car Data UseProceedings of Mensch und Computer 202110.1145/3473856.3473891(294-302)Online publication date: 5-Sep-2021
https://dl.acm.org/doi/10.1145/3473856.3473891
Yu LLuo XChen JZhou HZhang TChang HLeung H(2021)PPChecker: Towards Accessing the Trustworthiness of Android Apps’ Privacy PoliciesIEEE Transactions on Software Engineering10.1109/TSE.2018.288687547:2(221-242)Online publication date: 1-Feb-2021
https://doi.org/10.1109/TSE.2018.2886875
Bhada SKrishnan R(2021)A Model Centric Framework and Approach for Complex Systems PolicyIEEE Systems Journal10.1109/JSYST.2020.300320415:1(215-225)Online publication date: Mar-2021
https://doi.org/10.1109/JSYST.2020.3003204
Yu XYang YWang WZhang Y(2021)Whether the sensitive information statement of the IoT privacy policy is consistent with the actual behavior2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)10.1109/DSN-W52860.2021.00025(85-92)Online publication date: Jun-2021
https://doi.org/10.1109/DSN-W52860.2021.00025
Roy ARoy P(2021)You Are Known by Your Mood: A Text‐Based Sentiment Analysis for Cloud SecurityMachine Learning Techniques and Analytics for Cloud Security10.1002/9781119764113.ch7(129-147)Online publication date: 3-Dec-2021
https://doi.org/10.1002/9781119764113.ch7
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten