Distributed management of user profiles allows reuse of profile information for different personalization services but also raises privacy issues. Users need a possibility to control access to their personal information in a sophisticated, yet flexible way. In this project an access control system for user profiles is designed. The core of the proposed solution is a so-called Access Ticket which specifies access rights to user profile information. Mechanisms for negotiation of access rights and identity management are integrated into this framework.
Privacy, user profile, access control, identity management
Personalization of information offerings appears to be a promising concept to help people finding relevant information in the world wide network of information sources. Thus, a variety of systems have already been developed using user data they have collected or information users' have explicitly made available. These systems offer personalized Web pages or make recommendations based on user profiles. User profiles thereby contain information such as demographic data (e.g. age, gender, Email addresses), specified interests or past transactions (e.g. bought books).
However, current services are usually unable to exchange data with each other. A user has to log on to different services manually and provide her profile information again and again. In addition, information gained by one service cannot be used by other services and updates to the information cannot be distributed in one step. A solution to this problem is to store user profiles separately from the services that are using them. User profile agents or ID Repositories  manage profile information and distribute it to services such as adaptive Web sites, community support systems or E-Commerce agents. Commercial solutions for the separation of user profile storage and usage such as Microsoft Passport or the Liberty Alliance Project  are already being used or are under development.
The separation of user profile storage and profile usage raises privacy issues since some services are more trustworthy to users than others. Users want different subsets of the profiles to be visible to different services. The definition of these access rights has to be as easy as possible for the user.
But these issues are not addressed in today's systems. The focus of existing solutions for identity management on the Internet is on identification and authentification, but not on authorization for different services. These system mostly offer rudimentary access control features only that are not profound enough to satisfy users' needs.
In the project Cobricks (see http://www11.in.tum.de/proj/cobricks/) we are currently working on different issues in the context of distributed community support systems. One goal of this project is to design an access control mechanism for distributedly managed user profiles. For designing the solution we started from the requirement that users need means to facilitate effective identity management on the Internet and enforce their personal privacy preferences. These preferences can depend on different context attributes, in particular:
These privacy concerns are valid in E-Commerce and for communication and collaboration support services. Surveys show that users are anxious about their privacy while being online. This is especially true when sensitive data such as credit card information is concerned. Therefore, a powerful access control system could increase trust in E-Commerce systems and users might be willing to provide more and better information about themselves to services.
Our solution to the access control issue both tackles the issues of interoperability among distributed services, and of easy to use (semi-automatic) granting of access rights. In our scenario, a service agent requests profile information from a user profile agent and the system needs to determine whether access should be granted or not.
The proposed solution consists of two phases:
The negotiation of access rights is based on the Platform for Privacy Preferences (P3P) project of the W3C . Hereby, services express privacy policies in machine-readable form. For example, a service can make a statement regarding whether information about the interests of a user are explicitly made available to other users or not. A user profile agent can then check the conformity of the privacy policies of a service with the user's privacy preferences and determine access rights for the requested profile attributes: allowing/disallowing access or requesting user interaction. A concerned user could choose very restraint rule sets or demand her explicit permission for some or most accesses.
The result of the negotiation is an Access Ticket (AT).
The Access Ticket is a XML document that manifests the access rights of a certain service to the user profile information. The AT is digitally signed by the user profile agent or ID Repository on behalf of the user and must be presented by the service with each data access. The following is a (simple) example:
<ACCESSTICKET> <USER LEVEL="pseudonymous">nickname123</USER> <SERVICE>@c=COM@o=AMAZON</SERVICE> <POLICY> http://www.server.com/p3p.xml</POLICY> <VALIDITY>12/31/2003</VALIDITY> <ACCESS RESOURCE="/interests/*"> <READ OPTION="distributable"/><WRITE/> <PURPOSE><p3p:tailoring/></PURPOSE> </ACCESS> <ACCESS RESOURCE="/payment/creditcard/number"> <READ><SECURE TYPE="ssl"/></READ> <PURPOSE><p3p:delivery/></PURPOSE> </ACCESS> </ACCESSTICKET>
<PURPOSE> is a mandatory element for each access. It is possible to formalize "distribution of profile information", among other options. In addition, secure and/or anonymous communication is integrated in the access control system. For example, a user could state that access to her/his credit card information is allowed only if the data is transmitted over a secure channel such as Secure Socket Layer (SSL) for secure transmission on the World Wide Web.
Released Access Tickets may be checked and revoked by the user at any time, e.g. if s/he changes her/his mind about her/his privacy preferences or the trustworthiness of a particular service.
In addition to the presented framework, it is possible for a user to manage more than one identity or role. For example, a user might have a "work" and "private" role and maintain different profile attributes such as Email addresses and access rights for each identity.
An access decision may be dependent on whether the (real) identity of a user has to be revealed or not. This is done in our approach by introducing several levels of anonymity, including: "veronymity" (a users' identity is revealed and proven by a digital certificate where required), "pseudonymous" (transactions can be linked to a pseudonym but not to a particular individual, e.g. nicknames in a discussion forum) and "anonymous" (information cannot be associated with a user at all). Users can specify different set of rules for different identities and/or identity levels.
Users do not necessarily have to formulate privacy preferences (or access rules) by themselves. Suitable sample rule sets for desired privacy levels could be provided by trusted organizations with an option for (advanced) users to adjust particular rules. An easy to use user interface for the presented system is also very important and part of this project.
Our solution to control access for distributed managed user profiles is a combination of (XML-based) access control and privacy technologies such as P3P. The proposed Access Ticket formalizes access control tailored for user profile access.
In the project Cobricks, ideas for user profile management and usage have been implemented and tested in different scenarios. We are currently improving and further integrating access control and negotiation features as presented in this paper into the Cobricks framework.
Access Tickets could be integrated into the Liberty Alliance framework. Authorization is not included in the current version of the specification, but future versions will include permission based attribute sharing whereby Access Tickets would be suitable as a privacy rights language.