Browse Prior Art Database

Automated Privacy Policy Audits for Web Based Applications

IP.com Disclosure Number: IPCOM000098993D
Original Publication Date: 2005-Mar-08
Included in the Prior Art Database: 2005-Mar-08
Document File: 2 page(s) / 42K

Publishing Venue

IBM

Abstract

A method for running an automatic privacy audit to ensure that a Web based application does not expose private attributes to unauthorized users.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 59% of the total text.

Page 1 of 2

Automated Privacy Policy Audits for Web Based Applications

Disclosed is a mechanism to perform a privacy audit on a Web based application that holds information about people and has multiple user roles. Not all user roles are authorized to view all the attributes for privacy reasons. This tool audits that property to make sure the application keeps it.

Use the following algorithm:

1. Create (manually) at least one dummy entry in each database table. For example, if an HR application you might create the following user:

Name: Dummy_Name

Manager: Dummy_Mgr
SSN: 999-99-9999
Salary: $50,000

2. For every role, get the username and password for a user in that role and a list of attributes that should not be available to that role.

     This stage is also manual. For example, for the role manager, the user/password pair might be joe_ceo/big_boss. The use joe_ceo is not allowed to access the SSN (999-99-9999) in the dummy user example.

3. For every role, run the program to audit privacy automatically. The program performs the following steps:

3.1. Logs in as the user in that role.
3.2. Keep a list of pages visited, start it as empty.
3.3. Keep a list of pages to visit, start it with the front page of the application.
3.4. Retrieve the first page in the list of pages to visit. That's the current page.
3.5. If the current page contains any of the forbidden attributes, then the audit failed. The user is able to access an attribute [s]he shouldn't be able to. Optionally, this algorithm...