1. Field of the Invention
The present invention relates to privacy controls in identity management systems, and, more particularly, to a client-side user agent that works with an identity selector and includes the combination of a privacy engine, preference editor, and ruleset, to implement privacy controls over user identities managed by the identity selector.
2. Description of the Related Art
The collection of vast amounts of personal data via the Internet has raised a variety of privacy related concerns. Online interactions with web service providers, during which the user discloses information to the service provider to facilitate the transaction, raise issues relating to the collection of personal information, the use of personal information, the level of control exercised over the information, the sharing of personal information, and user access to disclosed personal information.
Privacy over the internet involves the ability to control what information one reveals about oneself during an online session, and to control who can access such information once disclosed. Many e-commerce websites declare their intended use of information they collect in the form of privacy policies. The policies let customers know about a site's privacy practices. Based on an examination of the policy, a user can decide whether or not the practices are acceptable, when to opt-in or opt-out (i.e., specify the conditions under which disclosure is approved), and ultimately who to do business with (i.e., interact with on the internet). The presence of privacy policies increases a user's trust level, especially in a consumer-oriented transaction.
Nevertheless, there are drawbacks. Typical policies are often difficult to understand, hard to find, take a long time to read, and can change without notice. To help the user understand the privacy policies, user agents have become available to parse the policies and present the privacy practices to the user. However, these user agents are browser-based, and so as standardized modules do not give the user any flexibility or robustness to develop user preferences in any kind of tailored or customized fashion.
Some privacy policy models include P3P, APPEL, and EPAL. P3P is a policy definition language that provides, a standard, simple, automated way for users to gain more control over the use of personal information on web sites they visit. It is a web-based language for describing the privacy policy of a web site in XML. APPEL is a privacy preference expression language for P3P. This language is used to allow users to import preference rulesets created by other parties and to transport their own ruleset files between multiple user sets. EPAL is a privacy authorization language used for writing enterprise privacy policies to govern data handling practices.
A privacy policy using P3P specifications requires six elements: purpose, recipient, retention, access, disputes, and remedies. The policy must indicate the purpose of data collection or use of data; identify all intended recipients of the collected data; describe a retention policy that applies to the data; and indicate whether the RP provides access (by the user) to the collected data. The policy must also provide a dispute resolution procedure that may be followed for mediating a dispute about an RP's privacy practices. There must also be a description of possible remedies in case a policy breach occurs.
P3P adopts a peer-to-peer strategy, which can make it difficult for a user to interact with the policy. The policies composed by P3P can have significant amounts of information present in them, much of which a user might not find relevant. Further P3P itself provides no proper algorithm to collect and match user preferences with the policies. Regarding APPEL, this language can be difficult for the average internet user to understand. It is possible, then, that organizations with otherwise good privacy policies may encounter problems having users approve of the policies, without an adequate was for the user to readily evaluate the policy. By default, perhaps, it may happen that if a policy cannot be appropriately examined, especially when a user attempts to subject the policy to a preference test, it might be rejected.
What is therefore needed is an effective mechanism enabling a user to exercise better privacy-related control over disclosures, particularly one that evaluates the privacy policy based on a comparison to user preferences designed by the user. Better still would be a privacy control that could work in conjunction with some of the most sensitive information disclosed over the internet, user identity information.
An identity selector, as part of an identity management system, affords the user control over what information is sent to a relying party. However, the identity selector does not allow users to have control over the information once it is sent to the relying party. For example, the identity selector has no feature that determines how information would be used or the purpose of information collection. The identity selector can manage disclosures at the point of origin, but not at the point of receipt. What is needed is a way for the user to measure the trust of a relationship—the interaction between a user and service provider—that satisfies the privacy requirements of the user.
It would be beneficial to add privacy modules to an identity selector, that could send notifications to the user based on the relationship of the relying party's privacy policy to the user's privacy-related preferences concerning disclosures. In particular, a tool is needed that provides identity management, especially of the user-centric type, and also provides privacy over a user's information, i.e., the disclosure of user identities.
Further, it is important to develop a privacy process more tailored and focused to the precise disclosures that are being contemplated. For example, in applications that use an identity selector to manage a portfolio of information cards (digital user identities), there are no user-managed privacy processes specifically suited to disclosures involving the information cards. The identity selector does indeed have a generalized privacy option available through the user interface (e.g., browser), but this privacy channel may not address the more sensitive privacy concerns surrounding the disclosure of identity information.