Privacy Negotiation in Socio-Technical Systems

Abstract

A socio-technical system (STS) is an approach to complex organizational work design that recognizes the interaction between people and technology in workplaces. The term also refers to the interaction between society’s complex infra-structures and human behavior. In this sense, society itself, and most of its substructures, are complex socio-technical systems. This paper addresses a class of socio-technical systems, represented by web services in a number of domains and attempts to understand the possibility of empowering the web users and consumers to have a say in the develop-ment of privacy agreements. This paper examines the likelihood of the web users and consumers leveraging such a capability, should it exist. This should improve the way privacy agreements are handled that benefits both the service providers and the web users.

Share and Cite:

Rallapalli, M. and Verma, D. (2012) Privacy Negotiation in Socio-Technical Systems. Technology and Investment, 3, 13-17. doi: 10.4236/ti.2012.31003.

1. Introduction

A socio-technical system is defined as a mixture of people and technology. Depending upon what the system is addressing, it can become very complex. The actors in a STS context diagram could include hardware elements, software elements, actual physical surroundings, people, procedures, laws & regulations, data sources and data structures. It is configurable meaning that particular components in the STS can change or adjust in response to new requirements over time. For instance, an e-commerce website may introduce payments by PayPal in addition to a credit card by changing the way customers can make payments. But this change may also be reflected in changes in procedure (e.g. criterion for accepting from PayPal) and people (credit history).

The commonly used web services represent a class of socio-technical system that modern society has become increasingly dependent on. The proliferation of such web services, along with the increase in consumer awareness regarding data privacy and corresponding increases in regulatory and legal requirements for personal privacy have resulted in a heightened focus on the need to protect the personal privacy of web service users. While millions of web users leverage web services, a cohesive approach to tackle data privacy has not kept pace with this usage.

In the following sections, this paper will examine the elements of the STS associated with e-commerce transactions including the web consumer, the service provider, and the web services themselves. This is the first in the series of three papers examining the aspects of the privacy negotiation STS and ways to improve how the system operates.

This paper is organized in the following sections: Section 2 is a discussion on web users & privacy. Section 3 discusses the concept of privacy negotiation. Section 4 describes a model for privacy constraints negotiation. Section 5 includes conclusions and future work.

Literature Review

In the recent Web services research area, there are increasing discussions about automated privacy technologies for supporting privacy data of web user. For example, Yee and Korba’s research [1] (“Privacy Policy Compliance for Web Services”) focuses on privacy compliance of web services, the primary research examines privacy legislation to derive requirements for privacy compliance systems. This research proposes architecture for a privacy policy compliance system that satisfies the requirements and discusses the strengths and weaknesses of the proposed architecture. The research further discusses the strengths and weaknesses of the architecture for Privacy Policy Compliance Systems (PPCS). Wei Xu [2] introduced a framework that addresses consumer privacy concerns in the context of highly customizable composite Web services. Wei’s approach is based on certain automated techniques to check for compliance of consumer privacy policies to realize customizable privacy conscious composite services. In this framework, privacy obligations are respected when the code for the service is executed.

Carminati’s [3] design proposes a model titled publish-find-bind. In this model, the approach is based on service requestors discovering the published web services by the service creators. Privacy control measures are concerned with what happens to data after individuals have released it to organizations for particular purposes.

With each of these solutions is the absence of a trusted third party within their web services architecture. While the reviewed studies do include a model or architecture, this paper proposes a unique model that includes a third party in the architecture that can broker a negotiated privacy agreement between the web user and the service provider. None of the other related research addresses the privacy aspect of an e-commerce transaction. The proposed framework addresses the protection of privacy information in a harmonized e-commerce transaction. Applying a third party approach to the Generic Framework model makes the current work unique in comparison to reviewed research studies. This current framework proposal may lead to a new type of e-commerce on the Internet, where in service providers are segregated on the basis of their privacy data handling.

In addition, there is no indication that any of the principle researchers cited below focused on protecting the consumer’s privacy data rather than the “sale” itself. This research has more focus on protecting the consumer’s privacy data rather than the “sale” itself. It promotes a harmonized framework to protect the privacy data, obviating the service provider from protecting the privacy data.

2. Web Users & Privacy

As Web services become more prevalent in SOA based applications, the protection of privacy data of web service users is becoming an increasingly important concern. Lack of awareness on the web user’s side gives rise to monopolistic attitudes on behalf of service providers regarding how to treat web user privacy data. Two-thirds of the people surveyed by the UK privacy watchdog (UK Information Commissioner’s Office) organization want marketing opt-outs to be clearer, while 62% want a clearer explanation of how personal information will actually be used. The survey found that 71% did not read or understand privacy policies [4]. When the web users are not serious or care about their privacy data, there is little incentive for the service provider to tighten up privacy policies.

In the prevailing state of web services, privacy constraints and the associated agreement definitions is the responsibility of the service provider. The web user is limited to either accepting or declining this agreement. This is reflected in Figure 1.

This current environment offers us the opportunity to consider the following questions:

Figure 1. Privacy agreement by a service provider.

•    Should the web user have an ability to negotiate the privacy agreement with the service provider?

•    Should such ability exist, will it help get web service users and consumers to care more about their privacy and engage in the negotiating process?

•    Is it possible to develop a generic framework to facilitate the above?

Figure 1 is an example of a typical privacy agreement provided by the service provider. Choices for the web user are limited to either “Accept” or “Decline”. This indicates the upper hand the service provider has in dictating the privacy terms.

Conflicts of Interest

The authors declare no conflicts of interest.

References

[1] G. Yee and L. Korba, “Privacy Policy Compliance for Web Services,” IEEE International Conference on Web Services (ICWS’04), San Diego, 6-9 June 2004, pp. 158-165. doi:10.1109/ICWS.2004.1314735
[2] W. Xu, R. Sekar, I. V. Ramakrishna and V. N. Venkatakrishnan, “A Framework for Building Privacy-Conscious Composite Web Services,” IEEE International Conference on Web Services (ICWS’06), Chicago, 18-22 September 2006, pp. 655-662. doi:10.1109/ICWS.2006.4
[3] B. Carminati, E. Ferrari and P. C. K. Hung, “Exploring Privacy Issues in Web Services Discovery Agencies,” IEEE Security and Privacy, Vol. 3, No. 5, 2005, pp. 14-21. doi:10.1109/MSP.2005.121
[4] OUT-LAW News, “Regulators Demand Clearer Privacy Policies,” 2009. http://www.out-law.com//default.aspx?page=9795
[5] A. Figueroa, “Privacy Issues Hit Facebook Again,” 2010. http://www.csmonitor.com/Business/new-economy/2010/0730/Privacy-issues-hit-Facebook-again
[6] Nick O’Neill, “10 Privacy Settings Every Facebook User Should Know,” 2009. http://www.allfacebook.com/facebook-privacy-2009-02
[7] Federal Trade Commission, “ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress,” 2011. http://www.ftc.gov/opa/2006/01/choicepoint.shtm
[8] EPIC Staff Publication, “Choice Point: Introduction and Background,” 2001. http://epic.org/privacy/choicepoint/
[9] K. Tedder, “Don’t Wait for a Data Compromise,” 2010. https://www.firstdata.com/downloads/thought-leadership/fd-data-compromise-wp.pdf
[10] Ponemon Institute, “Ponemon Institute Research,” 2010. http://www.ponemon.org/about-ponemon-research
[11] PrivacyRights Group Compilation, “Chronology of Data Breaches Security Breaches 2005 to Present,” 2011. http://www.privacyrights.org/data-breach
[12] Pew Research Center Report, “Internet & American Life Project,” http://www.pewinternet.org/Press-Releases/2000/86-of-Intenet-Users-Want-to-Prohibit-Online-Companies-From-Disclosing-Their-Personal-Inf.aspx

Journals Menu
Follow SCIRP
Contact us
+1 323-425-8868
customer@scirp.org
WhatsApp +86 18163351462(WhatsApp)
Click here to send a message to me 1655362766
Paper Publishing WeChat

Copyright © 2024 by authors and Scientific Research Publishing Inc.

Creative Commons License

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.