Formalizing and Reasoning with P3P Policies Using a Semantic Web Ontology

  • Boontawee Suntisrivaraporn
  • Assadarat Khurat
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7080)


Privacy has become a crucial issue in the online services realm. P3P policy, which is a privacy policy, enables websites to express their privacy practices so that users can be well-informed about the data collection and its usage. Besides, this privacy policy can be checked against its users’ privacy preferences to help decide whether or not the service should be used. However, the interpretation of a P3P policy is unwieldy due to the lack of a precise semantics of its descriptions and constraints. For instance, it is admissible to have purpose and recipient values that have inconsistent meaning. There is a need for an explicit formal semantics for P3P policy to mitigate this problem. In this paper, we propose to use an OWL ontology to systematically and precisely describe the structures and constraints inherent in the P3P specification. Additional constraints are also defined and incorporated into the ontology in such a way that P3P policy verification can be automated with the help of an OWL reasoner.


Privacy Policy Description Logic Formal Semantic Composite Service Privacy Preference 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal of the European Communities (November 1995)Google Scholar
  2. 2.
    Baader, F., Calvanese, D., McGuinness, D., Nardi, D., Patel-Schneider, P. (eds.): The Description Logic Handbook: Theory, Implementation and Applications, 2nd edn. Cambridge University Press (2007)Google Scholar
  3. 3.
    Bechhofer, S., van Harmelen, F., Hendler, J., Horrocks, I., McGuinness, D.L., Patel-Schneider, P.F., Stein, L.A.: OWL Web Ontology Language reference. W3C Recommendation, February 10 (2004)Google Scholar
  4. 4.
    Cranor, L.: P3P 1.1 user agent guidelines. P3P User Agent Task Force Report 23 (May 2003)Google Scholar
  5. 5.
    Cranor, L., Dobbs, B., Egelman, S., Hogben, G., Hamphrey, J., Langheinrich, M., Marchiori, M., Presler-Marshall, M., Reagle, J., Schunter, M., Stampley, D.A., Wenning, R.: The Platform for Privacy Preference 1.1 (P3P1.1) Specification. W3C Working Group Note 13 (November 2006)Google Scholar
  6. 6.
    Cranor, L., Langheinrich, M., Marchiori, M., Presler-Marshall, M., Reagle, J.: The Platform for Privacy Preference 1.0 (P3P1.0) Specification. W3C Recommendation (April 2002)Google Scholar
  7. 7.
    Damiani, E., De Capitani di Vimercati, S., Fugazza, C., Samarati, P.: Semantics-aware privacy and access control: Motivation and preliminary results. In: 1st Italian Semantic Web Workshop, Ancona, Italy (December 2004)Google Scholar
  8. 8.
    Hogben, G.: P3P using the semantic web (web ontology, rdf policy and rdql rules). In: W3C Working Group Note 3 (September 2004)Google Scholar
  9. 9.
    Hogben, G.: Describing the P3P base data schema using OWL. In: WWW 2005, Workshop on Policy Management for the Web (2005)Google Scholar
  10. 10.
    Karjoth, G., Schunter, M., Herreweghen, E.V., Waidner, M.: Amending P3P for clearer privacy promises. In: 14th International Workshop on Database and Expert Systems Applications, IEEE Computer Society (September 2003)Google Scholar
  11. 11.
    Khurat, A., Gollmann, D., Abendroth, J.: A Formal P3P Semantics for Composite Services. In: Jonker, W., Petković, M. (eds.) SDM 2010. LNCS, vol. 6358, pp. 113–131. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  12. 12.
    Li, N., Yu, T., Antón, A.: A semantics-based approach to privacy languages. Technical Report TR2003-28, CERIAS (November 2003)Google Scholar
  13. 13.
    OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Organisation for Economic Co-operation and Development (OECD) (September 1980)Google Scholar
  14. 14.
    Spackman, K.A., Dionne, R., Mays, E., Weis, J.: Role grouping as an extension to the Description Logic of Ontylog, motivated by concept modeling in Snomed. In: Proceedings of the 2002 AMIA Annual Symposium, Hanley&Belfus (2002)Google Scholar
  15. 15.
    Yu, T., Li, N., Antón, A.: A formal semantics for P3P. In: ACM Workshop on Secure Web Services (October 2004)Google Scholar
  16. 16.
    Li, Y.H., Benbernou, S.: Representing and Reasoning About Privacy Abstractions. In: Ngu, A.H.H., Kitsuregawa, M., Neuhold, E.J., Chung, J.-Y., Sheng, Q.Z. (eds.) WISE 2005. LNCS, vol. 3806, pp. 390–403. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  17. 17.
    Uszok, A., Bradshaw, J., Jeffers, R., Suri, N., Hayes, P., Breedy, M., Bunch, L., Johnson, M., Kulkarni, S., Lott, J.: KAoS Policy and Domain Services: Toward a Description-Logic Approach to Policy Representation, Deconfliction, and Enforcement. In: IEEE Policy Workshop (June 2003)Google Scholar
  18. 18.
    Kagal, L.: Rei Ontology Specifications version 2.0,
  19. 19.
    Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Hippocratic Databases. In: Proceedings of the 28th International Conference on Very Large Data Bases, VLDB 2002 (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Boontawee Suntisrivaraporn
    • 1
  • Assadarat Khurat
    • 2
  1. 1.School for Information and Computer TechnologySirindhorn International Institute of Technology, Thammasat UniversityThailand
  2. 2.Institute for Security in Distributed ApplicationsHamburg University of TechnologyGermany

Personalised recommendations