
A Method and Means to Relate Web Page Form Fields to Policy Statements and Other Structured Data

IP.com Disclosure Number: IPCOM000016365D
Original Publication Date: 2002-Oct-18
Included in the Prior Art Database: 2003-Jun-21
Document File: 2 page(s) / 46K

Publishing Venue

IBM

Abstract

A system is disclosed that relates Web page form fields to policy statements and other structured data. We have developed two approaches to relate web page form fields to (P3P) policy statements. The first extends the current P3P data type definition (DTD), and the second (preferred embodiment) makes use of a Resource Description Framework (RDF) binding for P3P, which greatly simplifies the solution to this problem.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 46% of the total text.


Motivation:

Privacy management (and legislation) requires that web sites which gather Personally Identifiable Information (PII data) store Privacy Policies together with Data Instances (as opposed to relating policies to Data Types or database columns). This is necessary for a variety of reasons. Policies can expire, or may be negotiated or changed on a transaction-by-transaction basis. Therefore, it is essential to attach or relate policy instances to data instances at the time data is acquired by a website. Unfortunately, many sites developed data collection mechanisms over time without a plan to manage privacy policies. Not only must the sites store P3P policy instances together with data instances, they must also:

1. Control Access to the data. Access control restricts the types of users who may gain access to data based on an expressed agreement between the PII data collector and the PII data owner.

2. Honor obligations expressed by the policy and implement a process for resolving disputes.

3. Ensure the security of their IT infrastructure (making sure no one steals the data).

The key to ensuring privacy is the establishment of expressed agreements or "contracts" between the users of PII data and the owners of PII data. The P3P standard makes it possible for Web sites to publish their privacy policies in a machine-readable syntax. Using P3P along with other middleware, sites may:

1. Express a Policy that describes how PII data will be used.

2. Attach that policy to PII data instances.

3. Establish and maintain audit records to ensure that they have complied with the policies they declared with respect to PII data at the time the data was acquired.

Solution:

Visitors to a web site are often asked to supply PII data when making a purchase, registering with a Website, etc. Typically they also can change the state of checkboxes and radio buttons to set opt-in / opt-out selections allowed under the site owner's policy to the client's default Policy Preferences. In order for a system to relate data types to form fields, and governing policies to data instances, the current P3P data type definition (DTD) must be extended. This extension requires two operations:

     1. A browser plug-in or client proxy must access the site's policy document using a GET request for the resource /w3c/p3p.xml.

     2. The same proxy also requires data from a Form-Policy relationship document (extending P3P) which relates form fields and options (checkbox...
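
The two operations above, sketched as an added example that is not part of the original disclosure: a submitted form is bound, field by field, to the P3P statement that governs it, so the policy instance travels with the data instance. The policy text is constructed, `FORM_MAP` is a hypothetical stand-in for the Form-Policy relationship document (its format is not shown here), and pinning the policy by SHA-256 digest is an assumption.

```python
import hashlib
import xml.etree.ElementTree as ET

P3P = "{http://www.w3.org/2002/01/P3Pv1}"
# Constructed policy, standing in for the document fetched in step 1.
POLICY_XML = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" name="shop">
 <STATEMENT><PURPOSE><current/></PURPOSE><RECIPIENT><ours/></RECIPIENT>
  <RETENTION><stated-purpose/></RETENTION>
  <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.postal"/></DATA-GROUP>
 </STATEMENT>
 <STATEMENT><PURPOSE><contact required="opt-in"/></PURPOSE><RECIPIENT><ours/></RECIPIENT>
  <RETENTION><indefinitely/></RETENTION>
  <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
 </STATEMENT>
</POLICY>"""
# Hypothetical form-policy relationship: field -> (P3P data ref, consent checkbox).
FORM_MAP = {"fullname": ("#user.name", None),
            "address": ("#user.home-info.postal", None),
            "email": ("#user.home-info.online.email", "newsletter_optin")}

def parse_statements(policy_xml):
    """Index each STATEMENT by the data refs it governs."""
    by_ref = {}
    for i, st in enumerate(ET.fromstring(policy_xml).iter(P3P + "STATEMENT")):
        purposes = {p.tag.replace(P3P, ""): p.get("required", "always")
                    for p in st.find(P3P + "PURPOSE")}
        retention = st.find(P3P + "RETENTION")[0].tag.replace(P3P, "")
        for d in st.iter(P3P + "DATA"):
            by_ref[d.get("ref")] = dict(statement=i, purposes=purposes, retention=retention)
    return by_ref

def bind_submission(form, policy_xml=POLICY_XML, form_map=FORM_MAP):
    """Attach the governing policy instance to each submitted data instance."""
    digest = hashlib.sha256(policy_xml.encode()).hexdigest()
    by_ref, records = parse_statements(policy_xml), []
    consent_boxes = {c for _, c in form_map.values() if c}
    for field, value in form.items():
        if field in consent_boxes:
            continue  # checkbox state is consent, not a PII value
        if field not in form_map or form_map[field][0] not in by_ref:
            raise ValueError(f"{field}: collected without a governing statement")
        ref, box = form_map[field]
        rule = by_ref[ref]
        # Fail closed: keep "always" purposes, opt-in ones only if the box was ticked.
        allowed = sorted(p for p, req in rule["purposes"].items()
                         if req == "always" or (req == "opt-in" and form.get(box) == "on"))
        records.append({"field": field, "value": value, "data_ref": ref,
                        "policy_sha256": digest, "statement": rule["statement"],
                        "allowed_purposes": allowed, "retention": rule["retention"]})
    return records
```

Each returned record can be stored beside the value it describes and later checked for access control and audit; a field with no mapping or no covering statement is rejected instead of being collected without a policy.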