Mechanism for Enforcing Corporate Privacy Preferences

IP.com Disclosure Number: IPCOM000004718D
Original Publication Date: 2001-Apr-18
Included in the Prior Art Database: 2001-Apr-18
Document File: 3 page(s) / 40K

Publishing Venue

Motorola

Related People

Kevin Mowry: AUTHOR [+2]

Abstract

Mechanism for Enforcing Corporate Privacy Preferences

This text was extracted from a WORD97 document.
This is the abbreviated version, containing approximately 75% of the total text.

Kevin Mowry, Soeren Thomsen

Problem

In the Platform for Privacy Preferences Project (P3P) (see http://www.w3.org/p3p), policy "negotiation" occurs between a single user's web browser and a single web server.

[Figure: Browser and Server]

The only mechanism by which corporations can enforce their privacy preferences is to create a corporate template containing those preferences. People within the enterprise who use a web browser would then be required to include the corporate template with their personal privacy preferences. Corporations, however, typically want to enforce their business policies, such as their privacy policy, without having to rely on the good behavior of their employees.

Proposed Solution

In a corporate environment, network traffic to the outside world typically goes through a firewall proxy. To enforce the corporate privacy preferences, this proxy could be enhanced to negotiate the corporate preferences with the web server. This negotiation would take place before the user's web browser is allowed to negotiate the user's preferences with the web server. The proxy could optionally notify the user of any violations of the corporate privacy preferences and allow the user to override (perhaps conditioned on receipt of a valid privacy policy override password from the user), or simply refuse access to web sites that violate the corporate preferences.

Assuming the corporate privacy preferences are satisfied, the user's web browser would continue with negotiation of the user's privacy preferences. To save time, the gateway should maintain a cached copy of the policy reference file and P3P policy it retrieved when negotiating the corporate privacy preferences.

This method allows the corporation to enforce its privacy policies uniformly without relying on individual users to add the corporate privacy preferences to their own.

The following figure provides an illustration of how the proxy would negotiate the corporate privacy preferences prior to allowing the user to negotiate his or her preferences.

[Figure: sequence diagram with participants Browser, Proxy and Server]

Note that the sequence would only continue past point A if the web server satisfied the corporate privacy preferences. If the server did not satisfy corporate preferences, the user would be notified of the violation and would not be allowed to visit the site or would be given the opportunity to request an override of the corporate privacy preferences, e.g., by providing an appropriate password.

The proxy could also customize the corporate policies on a user or group basis. Assuming each user logs into the corporate proxy with an ID and password, the proxy could use this ID to assign a subset of the privacy preferences. For instance, the corporation might impose fewer restrictions on engineering staff and more restrictions on business development.<...
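The gate at point A, the cached policy and the per-group preferences described above can be sketched as follows. This is an added example, not code from the disclosure: the preference table, the group names, the function names and the fail-closed handling of a missing policy are assumptions, and the sample policy is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; element names follow the W3C P3P 1.0 vocabulary.
SAMPLE_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="sample">
  <STATEMENT>
    <PURPOSE><current/><telemarketing/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
  </STATEMENT>
</POLICY>"""

# Hypothetical corporate preferences: values the proxy refuses, per user group.
CORPORATE_PREFS = {
    "engineering": {"RECIPIENT": {"public"}},
    "business-development": {"PURPOSE": {"telemarketing"},
                             "RECIPIENT": {"unrelated", "public"}},
}

_policy_cache = {}  # host -> policy XML, kept for the browser's later negotiation

def _local(tag):
    """Strip the XML namespace so the check does not depend on the P3P draft."""
    return tag.rsplit("}", 1)[-1]

def violations(policy_xml, group):
    """Return sorted (category, value) pairs that the group's preferences forbid."""
    forbidden = CORPORATE_PREFS[group]
    found = set()
    for el in ET.fromstring(policy_xml).iter():
        cat = _local(el.tag)
        if cat not in forbidden:
            continue
        for child in el:
            if _local(child.tag) in forbidden[cat]:
                found.add((cat, _local(child.tag)))
    return sorted(found)

def proxy_decision(host, group, fetch_policy, override_ok=False):
    """Gate at point A: returns ("allow" | "override" | "block", violations)."""
    try:
        if host not in _policy_cache:
            _policy_cache[host] = fetch_policy(host)  # one fetch per host
        bad = violations(_policy_cache[host], group)
    except (OSError, ET.ParseError):
        # Assumption: a missing or malformed policy fails closed.
        return "block", [("POLICY", "unavailable")]
    if not bad:
        return "allow", []
    # override_ok stands for an override password the proxy has already checked.
    return ("override" if override_ok else "block"), bad
```

The policy is XML supplied by the remote server, so a deployed proxy would parse it with a hardened parser and a size limit, and would log every override together with the user ID.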