Abstract
With the recent adoption of service outsourcing, there have been increasing general demands and concerns for privacy control, in addition to basic requirement of integration. The traditional practice of a bulk transmission of the customers’ information to an external service provider is no longer adequate, especially in the finance and healthcare sectors. From our consultancy experience, application-to-application privacy protection technologies at the middleware layer alone are also inadequate to solve this problem, particularly when human service providers are heavily involved in the outsourced process. Therefore, we propose a layered architecture and a development methodology for enforcing end-to-end privacy control policies of enterprises over the export of personal information. We illustrate how Web services, augmented with updated privacy facilities such as Service Level Agreement (SLA), Platform for Privacy Preferences Project (P3P), and the P3P Preference Exchange Language (APPEL), can provide a suitable interoperation platform for service outsourcing. We further develop a conceptual model and an interaction protocol to send only the required part of a customer’s record at a time. We illustrate our approach for end-to-end privacy control in service outsourcing with a tele-marketing case study and show how the software of the outsourced call center can be integrated effectively with the Web services of a bank to protect privacy.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Agarwal, S., Sprick, B., & Wortmann, S. (2004). Credential based access control for semantic Web services. In AAAI Spring Symposium—Semantic Web Services (March).
AMBer (2003). Network Associates’ AMBer Project. Online: http://www.networkassociates.com/us/nailabs/research_projects/security_infrastructure/amber.asp.
Carminati, B., Ferrari, E., & Hung, P. C. K. (2005). Exploring privacy issues in web services discovery agencies. IEEE Security & Privacy Magazine (September/October).
Cattaneo, G., Faruolo, P., Petrillo, U. F., & Persiano, G. (2004). Providing privacy for Web services by anonymous group identification. In Proceedings of the IEEE International Conference on Web Services (ICWS) (pp. 166–173, 6–9 July).
Cheng, V. S. Y., & Hung, P. C. K. (2005). An integrated privacy framework for HIPAA-compliant web services. International Journal of Health Information Systems and Informatics (IJHIS).
Cheung, S. C., Chiu, D. K. W., & Till, S. (2003). A data-driven methodology to extending workflows across organizations over the internet. In Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS), CDROM, 10 pages, Jan.
CIBC (2005). CIBC’s privacy practices failed in cases of misdirected faxes. In Office of the Privacy Commissioner of Canada, 2005. Online: http://www.privcom.gc.ca/incidents/2005/050418_01_e.asp.
Constantinides, E. (2002). From physical marketing to web marketing: the web-marketing mix. Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS), pp. 2628–2638, 7–10 Jan.
DAML (2003). DAML-S: Semantic markup for Web services. The DAML Services Coalition, Version 0.9. Online: http://www.daml.org/services/daml-s/0.9/daml-s.html.
Davis, J. C. (2000). Protecting privacy in the cyber era. IEEE Technology and Society Magazine, 19(2), 10–22 (Summer).
Diamond (2000). Marketing, Diamond.
Ferraiolo, D. F., Kuhn, D. R., & Chandramouli, R. (2003). Role-based access control. In Computer Security Series. Norwood, MA: Artech House.
Fischer-Hubner, S. (2001). IT-security and privacy. In Lecture Notes on Computer Science 1958.
F-OWL (2004). An OWL inference engine in Flora-2. Online: http://www.fowl.sourceforge.net/.
Hinde, S. (2002). The perils of privacy (pp. 424–432). IS Audit Editor. New York: Elsevier.
Hong, J. I., Ng, J. D., Lederer, S., & Landay, J. A. (2004). Privacy risk models for designing privacy-sensitive ubiquitous computing systems. In Proceedings of the 2004 conference on Designing interactive systems: processes, practices, methods, and techniques (August).
Hung, Patrick C. K., Ferrari, E., & Carminati, B. (2004). Towards standardized Web services privacy technologies. In Proceedings of the 2004 IEEE International Conference on Web Services (ICWS), 6–9 July, pp. 174–181.
IBM (2003). Web Service Level Agreement (WSLA) Language Specification, Version 1.0.
IBM (2005). IBM Tivoli Privacy Manager for e-business. Online: http://www-306.ibm.com/software/tivoli/products/privacy-mgr-e-bus/.
IBM, & Microsoft (2002). Security in a web services world: A proposed architecture and roadmap. White Paper, Version 1.0.
Lategan, F. A., & Olivier, M. S. (2002). A chinese wall approach to privacy policies for the Web. In Proceedings of the 26th Annual International Computer Software and Applications Conference (COMPSAC’02).
Leino-Kilpi, H., Valimaki, M., Dassen, T., Gasull, M., Lemonidou, C., Scott, A., & Arndt, M. (2001). Privacy: A review of the literature. International Journal of Nursing Studies, 38, 663–671.
Lupu, E. C., & Sloman, M. (1999). Conflicts in policy-based distributed systems management. IEEE Transactions on Software Engineering, 25(6), 852–869.
National Institute of Standard and Technology (NIST) (2005). Role based access control standards roadmap. 12 May 2005. Online: http://www.csrc.nist.gov/rbac/rbac-stds-roadmap.html.
OASIS (2002). Automated Negotiation of Collaboration-Protocol Agreements Specification. ebXML Collaboration Protocol Profile and Agreement Technical Committee, Version 0.04, 2002. Online: http://www.oasis-open.org/committees/ebxml-cppa/negotiation.
OASIS (2003). eXtensible Access Control Markup Language (XACML). Online: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.
Power, E. M., & Trope, R. L. (2005). Averting security missteps in outsourcing. IEEE Security & Privacy Magazine, 3(2), 70–73 (March–April).
Ratnasingam, P. (2002). The importance of technology trust in web services security. Information Management & Computer Security, 10(5), 255–260.
Sahai, A., Durante, A., & Machiraju, V. (2002). Towards automated SLA management for web service. In HP Technical Report.
Schoeman, E. D. (1984). Philosophical dimensions of privacy: An anthology. New York, NY: Cambridge University Press.
Senicar, V., Jerman-Blazic, B., & Klobucar, T. (2003). Privacy-enhancing technologies—Approaches and development. Computer Standards & Interfaces, 25, 147–158.
Stoica, A., & Farkas, C. (2004). Ontology guided Security Engine. Journal of Intelligent Information Systems, 23(2), 209–223 (Special issue).
W3C (2002). Web services architecture requirements. World Wide Web Consortium (W3C) Working Draft, 14 November 2002. Online: http://www.w3.org/TR/2002/WD-wsa-reqs-20021114.
W3C (2003). OWL Web Ontology Language. Web-Ontology (WebOnt) Working Group, World Wide Web Consortium (W3C), 2003. Online: http://www.w3.org/2001/sw/WebOnt.
W3C (2005). The platform for privacy preferences 1.1 (P3P1.1) specification. In World Wide Web Consortium (W3C) Recommendation, 1 July.
Yee, G., & Korba, L. (2004). Privacy policy compliance for Web services. In Proceedings of the IEEE International Conference on Web Services (ICWS), 6–9 July, pp. 158–165.
Zhang, L.-J., Li, H., & Lam, H. (2004). Services computing: Grid applications for today. IT Professional, 6(4), 5–7 (July–Aug).
Author information
Authors and Affiliations
Corresponding author
Additional information
A preliminary version of this paper appears in the 7th International Conference of Electronic Commerce (ICEC2005). We have generalized and extended our approach to service outsourcing of human intensive processes. We also found P3P more appropriate in general.
Rights and permissions
About this article
Cite this article
Hung, P.C.K., Chiu, D.K.W., Fung, W.W. et al. End-to-end privacy control in service outsourcing of human intensive processes: A multi-layered Web service integration approach. Inf Syst Front 9, 85–101 (2007). https://doi.org/10.1007/s10796-006-9019-y
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10796-006-9019-y