Privacy-Aware Network Client Pattern
Mauricio Sadicoff, Maria M. Larrondo-Petrie, and Eduardo B. Fernandez
Dept. of Computer Science and Engineering
Florida Atlantic University, Boca Raton, FL 33431
mlevy@hypersol.com, petrie@fau.edu, ed@cse.fau.edu
This pattern provides a way to make a user of a network site aware of the privacy policies
followed by that site. It introduces the concept of a Privacy Proxy to enhance the user’s
comprehension of any privacy-related concerns. Even though the current uses of this
pattern are constrained to the web browsing domain, it can have a more general use.
1. Example
The users in our company connect to websites for a variety of purposes, including
product search, component purchasing, and looking for general information. Every
interaction may require the user to provide some information and our users may
unwittingly provide too much information. This extra information could be used later to
steal their identities or to send spam to them. We would like our users to be aware of
what information the sites really need to collect and to learn to avoid sites that require
unnecessary information and do not guarantee privacy.
2. Context
Users interacting with Internet sites that sell goods or provide services, where one
needs to provide some personal information in order to gain access.
3. Problem
A main concern about privacy is the awareness level of the user. A network server can
use a standard such as P3P to conveniently publish privacy policies [P3p01], which
describe how each connecting user’s private data is gathered and utilized. However, how
can we ensure that a user connecting through a network client will be made aware of
these policies prior to divulging this data?
The possible solution is constrained by the following forces:
• Privacy policies must be displayed to the user in a form that can be clearly
understood.
• The user must be able to select what information can be gathered and used
through a simple, easy-to-use interface.
• Privacy policies may change and the user must be able to see the latest ones;
otherwise she might follow obsolete policies that may compromise her privacy.
4. Solution
Define a privacy proxy that will be able to understand the machine-readable policies
made available by the server and translate them to easy-to-use human-readable form for
the user.
Structure
Figure 1 shows a class diagram for the relationships between the user, the server, and the
proxy. Each server can publish many policies and each user can be made aware of many
policies at a time through the proxy.
Figure 1: The Privacy-aware Network Client pattern
Dynamics
In Figure 2, a user wishes to access some information or interact with files on the server,
which publishes its privacy Policy. The access occurs in the following sequence:
• The User interacts with the Server through a network Client.
• The Client consults the Proxy for privacy policies.
• The Proxy discovers the correct Policy (or Policies) made available by the Server,
for the information or files in question.
• The Proxy displays a user-friendly screen to the User requesting approval of the
Policy, prior to allowing access to the information or permitting the interaction.
• The User makes a decision after reviewing the Policy.
Figure 2: Sequence diagram for performing an interaction through a privacy-aware client.
5. Implementation
• Design and implement a proxy able to parse and interpret privacy policies written
in some standard language. This proxy could be built as a specialized version of
the Proxy pattern [Gam95]. The proxy could be able to interpret several privacy
languages or just one of them. Successful use of the pattern requires that the
proxy can understand the server’s privacy language.
• Design and implement a secure communication channel between network clients
and their proxies. This is necessary to avoid interception of the user choices by
malicious users.
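The proxy of Sections 4 and 5 and the sequence of the Dynamics section, as an added worked example that is not part of the paper and not the code of any product listed under Known uses: a small Python privacy proxy that parses a policy written in P3P 1.0 syntax (the sample policy embedded below is constructed, not taken from any site), renders it in plain language for the user, compares it with the tokens the user has refused, and keeps the digest of the policy the user last approved per site so that a changed policy is shown again while an unchanged one needs no new prompt. The plain-language wording table, the shape of the preference dictionary and the site name shop.example are assumptions of the example; the secure client-proxy channel of Section 5 is outside what it shows.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"
# Plain-language wording for part of the P3P 1.0 vocabulary (wording assumed):
# the proxy's "translate to human-readable form" step of Section 4.
WORDING = {"current": "completing what you asked for", "admin": "site administration",
           "contact": "marketing contact", "telemarketing": "telephone marketing",
           "ours": "the site and its agents", "delivery": "delivery services",
           "unrelated": "unrelated third parties", "public": "public forums",
           "stated-purpose": "kept only while needed", "indefinitely": "kept indefinitely"}

@dataclass
class Statement:
    purposes: list     # e.g. ["current", "contact (opt-out)"]
    recipients: list
    retention: str
    data: list         # P3P data refs, e.g. "#user.home-info.online.email"

@dataclass
class Policy:
    name: str
    discuri: str       # link to the full natural-language policy
    statements: list
    digest: str        # SHA-256 of the policy text, used to detect changes

def _tokens(parent, group):
    """Child element names of <group>, keeping any required="opt-in|opt-out" flag."""
    node = parent.find(P3P_NS + group)
    out = []
    for child in (node if node is not None else []):
        req = child.get("required")
        out.append(child.tag[len(P3P_NS):] + (f" ({req})" if req else ""))
    return out

def parse_policy(xml_text):
    """Dynamics step 3: understand the machine-readable policy the server published."""
    pol = ET.fromstring(xml_text).find(P3P_NS + "POLICY")
    if pol is None:
        raise ValueError("no POLICY element")
    statements = [Statement(_tokens(st, "PURPOSE"), _tokens(st, "RECIPIENT"),
                            (_tokens(st, "RETENTION") or ["unspecified"])[0],
                            [d.get("ref") for d in st.iter(P3P_NS + "DATA")])
                  for st in pol.findall(P3P_NS + "STATEMENT")]
    digest = hashlib.sha256(xml_text.encode()).hexdigest()
    return Policy(pol.get("name", ""), pol.get("discuri", ""), statements, digest)

def _words(token):
    base, _, flag = token.partition(" ")
    return WORDING.get(base, base) + (" " + flag if flag else "")

def render(policy):
    """Dynamics step 4: the screen the user sees before any data leaves the client."""
    lines = [f"Policy '{policy.name}' (full text: {policy.discuri})"]
    for i, st in enumerate(policy.statements, 1):
        lines.append(f"{i}. Data: {', '.join(st.data) or 'none'}")
        lines.append("   Used for: " + "; ".join(map(_words, st.purposes)))
        lines.append("   Shared with: " + "; ".join(map(_words, st.recipients)))
        lines.append("   Retention: " + _words(st.retention))
    return "\n".join(lines)

def evaluate(policy, prefs):
    """Conflicts between the policy and the tokens the user refuses (second force of
    Section 3). A purpose marked required="opt-in" is no conflict: the user can decline it."""
    conflicts = []
    for st in policy.statements:
        for p in st.purposes:
            base, _, flag = p.partition(" ")
            if base in prefs["purposes"] and flag != "(opt-in)":
                conflicts.append(f"purpose {base} on {st.data}")
        conflicts += [f"recipient {r} for {st.data}" for r in st.recipients if r in prefs["recipients"]]
        if st.retention in prefs["retention"]:
            conflicts.append(f"retention {st.retention} for {st.data}")
    return conflicts

def policy_status(approved, site, policy):
    """approved maps site -> digest the user last approved. A changed digest means the
    policy must be shown again (third force of Section 3); an unchanged one saves a prompt."""
    old = approved.get(site)
    return "new" if old is None else ("unchanged" if old == policy.digest else "changed")

def proxy_check(site, xml_text, prefs, approved):
    """Dynamics steps 2-5 in one call: returns (status, conflicts, screen text)."""
    policy = parse_policy(xml_text)
    status = policy_status(approved, site, policy)
    conflicts = [] if status == "unchanged" else evaluate(policy, prefs)
    return status, conflicts, render(policy)

# Constructed sample policy in P3P 1.0 syntax; not taken from any real site.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="shop" discuri="http://shop.example/privacy.html">
  <STATEMENT><PURPOSE><current/><admin/></PURPOSE><RECIPIENT><ours/><delivery/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.postal"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT><PURPOSE><contact required="opt-out"/></PURPOSE><RECIPIENT><unrelated/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY></POLICIES>"""
# Refused tokens: an assumed preference set for the example.
DEFAULT_PREFS = {"purposes": {"contact", "telemarketing"},
                 "recipients": {"unrelated", "public"}, "retention": {"indefinitely"}}
```

Calling `proxy_check("shop.example", SAMPLE_POLICY, DEFAULT_PREFS, {})` returns status `new`, three conflicts (all from the second statement: the opt-out marketing contact, the unrelated recipient and the indefinite retention of the e-mail address) and the screen text; storing `policy.digest` in the `approved` dictionary afterwards is the user's approval, and any later edit to the site's policy text changes the digest and brings the screen back.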
6. Example resolved
With this pattern in use, our users now have a clear view of the privacy policies of the
sites they visit. They no longer provide unnecessary information, and they know which
sites to avoid.
7. Known uses
JRC P3P Proxy Version 2.0
i. From [P3p01]: “The JRC P3P Proxy Version 2.0 is a P3P user agent, which
acts as an intermediary agent (the middleman) that controls access to
remote web servers dependent upon the privacy preferences a User
specifies.”
Mozilla P3P Privacy Policy Viewer
i. Version 7 of the Mozilla web browser has an extension called Privacy
Policy Viewer [Net01], which implements a P3P reader and displays
privacy policies for each site in human-readable format. Figure 3 shows its
interactions.
ii. From [Net01]: “The new Privacy Policy Viewer lets a user easily locate
and view the privacy policies of P3P-compliant sites.”
AT&T Privacy Bird
i. AT&T’s Privacy Bird implements a complete Proxy for web browsing
which displays warnings when a website gathers private information. Note
that the user’s response may have been previously determined and saved
in a local software profile.
ii. From [Att01]: “The AT&T Privacy Bird lets you see what's really going on
at Web sites. The bird icon alerts you about Web site privacy policies with a
visual symbol and optional sounds.”
Internet Explorer 6 for Windows XP (cookie privacy)
i. Internet Explorer is a partial implementation of this pattern. It protects only
cookies and its policy display capabilities are minimal, only supporting
reading of P3P policies.
ii. It allows the user control over cookie privacy, however. From [Mxp01]:
“After reviewing the P3P privacy policy, you can specify how you want
Internet Explorer to handle cookies from the selected Web site. If you want
Internet Explorer to determine whether or not to allow this Web site to save
cookies on your computer by comparing the privacy policy with your
privacy settings, select Use my privacy settings. If you want Internet
Explorer to always allow cookies from this Web site to be saved on your
computer, select Always allow this site to use cookies. If you want Internet
Explorer to never allow cookies from this Web site to be saved on your
computer, select Never allow this site to use cookies.”
Figure 3: Privacy-aware Network Client (Mozilla) example
Figure 3 illustrates a typical use of the pattern, using the Mozilla P3P Privacy Policy
Viewer example, which follows the steps:
1. User requests interaction with Server to Network Client.
2. Client consults Proxy, which can be internal to client or an external plug-in.
3. Proxy discovers the Policy published by the server over the Internet.
4. The Server responds to the Client’s request.
5. Proxy seeks the User’s approval to the interaction. This may or may not include a
step in which the Proxy can block the interaction in case the User does not
approve the Policy.
6. Now privacy-conscious, the User continues the interaction.
8. Consequences
The Privacy-Aware Network Client Pattern has the following advantages:
• The User can always be conveniently aware of the privacy policies for a specific
interaction, allowing a better informed decision prior to releasing private
information.
• Though it has been used only for web-related activities, it is an appropriate pattern
for general use, such as database access that could potentially deal with private
information.
• Changes in privacy policies of the server will automatically be detected through
the Proxy.
The Privacy-Aware Network Client Pattern has the following liabilities:
• Extra overhead in network connectivity, since every access to a privacy-sensitive
area needs a separate secure connection for the Proxy. This can potentially be
reduced through the use of a cache.
• The pattern’s concern is with the connection to the Server and the network
connectivity issues only. The privacy-related constraints need to be stored locally
in the Client’s operating environment. Any knowledgeable attack on that machine
could potentially compromise privacy.
• If the Server administrators can show (based on the user interactions) that a
Privacy-Aware client has been used for a specific access, then any claims of
privacy breaches can be directly blamed on the client.
• It requires that all sites use one or a small set of privacy languages.
9. Related patterns
Proxy [Gam95]. The Privacy-Aware Network Client uses a specialized version of the
Proxy pattern.
Web Shopping Process [Fer01]. This is one of the patterns most likely to be combined
with this pattern.
Adaptive Web Applications [Koc02]. These are patterns for web applications that change
their behavior according to the current user. They would display more or less complete
privacy disclosures depending on the type of user.
Acknowledgements
This work was supported by a grant from the US Dept. of Defense (DISA), administered
by Pragmatics, Inc. Our shepherd, Bob Hanmer, provided valuable comments.
References
[Att01] AT&T Privacy Bird, http://www.privacybird.com
[Fer01] E. B. Fernandez, Y. Liu, and R. Y. Pan, “Patterns for Internet shops”, Procs. of
PLoP 2001,
http://jerry.cs.uiuc.edu/~plop/plop2001/accepted_submissions/accepted-papers.html
[Gam95] E. Gamma, R. Helm, R. Johnson, and J. Vlissides, Design patterns – Elements of
reusable object-oriented software, Addison-Wesley, 1995.
[Koc02] N. Koch and G. Rossi, “Patterns for adaptive web applications”, Procs. of
EuroPLoP 2002.
[Mxp01] Microsoft Windows XP Professional Product Documentation,
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/privacy_policy_view.mspx
[Net01] Netscape 7 Reviewers Guide,
http://channels.netscape.com/ns/browsers/7/learnmore/NS70pr1_reviewersguide.pdf
[P3p01] P3P Resources in the Joint Research Centre (JRC), http://p3p.jrc.it/
[W3c01] W3C References for P3P Implementations,
http://www.w3.org/P3P/implementations