Analysis of Privacy Policies to Enhance Informed Consent

Abstract: In this paper, we present an approach to enhance informed consent for the processing of personal data. The approach relies on a privacy policy language used to express, compare and analyze privacy policies. We describe a tool that automatically reports the privacy risks associated with a given privacy policy in order to enhance data subjects' awareness and to allow them to make more informed choices. The risk analysis of privacy policies is illustrated with an IoT example.

“…Cunche et al [9] present a generic information and consent framework for IoT that allows the data subject to express privacy requirements as well as receive the information and associated privacy policy. The privacy policies for subjects and controllers are based on the PILOT semantics [10]. Privacy policies in [10] are more expressive than ours as they also encapsulate contextual information, but the semantics of policy compliance is not discussed in particular.…”

A Formal Framework for Consent Management

“…Cunche et al [9] present a generic information and consent framework for IoT that allows the data subject to express privacy requirements as well as receive the information and associated privacy policy. The privacy policies for subjects and controllers are based on the PILOT semantics [10]. Privacy policies in [10] are more expressive than ours as they also encapsulate contextual information, but the semantics of policy compliance is not discussed in particular.…”

A Formal Framework for Consent Management

“…DS could rank the results according to the matching between their DS policy and the websites' DC policies. In [75], Pardo & Le Métayer present a web interface to inform DS about the potential risks of their privacy policies. The interface is composed of a user-friendly form for DS to input their privacy policies and a set of risk analysis questions, e.g., "Can company X collect my data?".…”

“…Formal privacy languages (formal languages in the following) comprise a different approach to express privacy policies. CI [73], PrivacyAPIs [67], SIMPL [65], PrivacyLFP [33], S4P [17], QPDL [107], and PILOT [75] are languages that have their syntax and semantics defined mathematically. More precisely, they use formal languages such as Linear Temporal Logic [53], First-Order Logic [53] or Authorization Logic [5].…”

“…Automatic consent management can empower DS if managed in a protective way -e.g., by mitigating the burden of choice [98] -and facilitate the retrieving of an informed consent for DC. Cunche et al [71] devise a generic framework to manage informed consent in the IoT, using DS and DC policies based on PI-LOT [75]. Automatic communication of privacy policies also makes P3P [27] XML Informal ✓ Comparison ✓ ✓ CPExchange [18] XML Informal ✓ PRML [115] ✓ XML Informal ✓ APPEL [64] ✓ XML Informal ✓ ✓ ✓ E-P3P [12] XML Formal ✓ ✓ Rei [58] Formal Formal Analysis ✓ Xpref [7] ✓ XML Informal ✓ ✓ XACML [9] XML Informal ✓ ✓ EPAL [11] XML Informal ✓ Comparison ✓ CI [16] Formal Formal ✓ ✓ SIMPL [65] ✓ Formal Formal ✓ ✓ S4P [17] ✓ Formal Formal ✓ ✓ Jeeves [112] Formal Formal ✓ ✓ P2U [56] ✓ XML Informal ✓ QPDL [107] Formal Formal ✓ ✓ RBAC [94] XML Informal ✓ ✓ OSL [51] Formal Formal ✓ ✓ GeoXACML [66] XML Informal ✓ ✓ A-PPL [13] XML Informal ✓ LPL [45] ✓ XML Informal ✓ ✓ ✓ PrivacyAPIs [67] Formal Formal Analysis ✓ ✓ PrivacyLFP [33] Formal Formal ✓ ✓ PILOT [75] ✓ Formal Formal Analysis ✓ ✓…”

“…Users are first presented with a graphical or simplified version of the policy, which can be refined in several steps all the way to the legal notice. SIMPL [65], PILOT [75] and LPL [45] combine natural language and machine-readable privacy policies. They provide an enforceable policy that helps DS to better understand their choices and provide informed consent -as required by the GDPR.…”

SoK

P2Onto: Making Privacy Policies Transparent