Harshvardhan J. Pandit,Beatriz Esteves

DOI: https://doi.org/10.3233/sw-243583

2024-02-21

Semantic Web

Abstract:The Global Alliance for Genomics and Health is an international consortium that is developing the Data Use Ontology (DUO) as a standard providing machine-readable codes for automation in data discovery and responsible sharing of genomics data. DUO concepts, which are encoded using OWL, only contain the textual descriptions of the conditions for data use they represent, and do not specify the intended permissions, prohibitions, and obligations explicitly – which limits their usefulness. We present an exploration of how the Open Digital Rights Language (ODRL) can be used to explicitly represent the information inherent in DUO concepts to create policies that are then used to represent conditions under which datasets are available for use, conditions in requests to use them, and to generate agreements based on a compatibility matching between the two. We also address a current limitation of DUO regarding specifying information relevant to privacy and data protection law by using the Data Privacy Vocabulary (DPV) which supports expressing legal concepts in a jurisdiction-agnostic manner as well as for specific laws like the GDPR. Our work supports the existing socio-technical governance processes involving use of DUO by providing a complementary rather than replacement approach. To support this and improve DUO, we provide a description of how our system can be deployed with a proof of concept demonstration that uses ODRL rules for all DUO concepts, and uses them to generate agreements through matching of requests to data offers. All resources described in this article are available at: https://w3id.org/duodrl/repo.

computer science, information systems, artificial intelligence, theory & methods

Tobias Dam,Andreas Krimbacher,Sebastian Neumaier

2023-09-20

Abstract:Data-driven technologies have the potential to initiate a transportation related revolution in the way we travel, commute and navigate within cities. As a major effort of this transformation relies on Mobility Data Spaces for the exchange of mobility data, the necessity to protect valuable data and formulate conditions for data exchange arises. This paper presents key contributions to the development of automated contract negotiation and data usage policies in the Mobility Data Space. A comprehensive listing of policy patterns for usage control is provided, addressing common requirements and scenarios in data sharing and governance. The use of the Open Digital Rights Language (ODRL) is proposed to formalize the collected policies, along with an extension of the ODRL vocabulary for data space-specific properties.

Cryptography and Security

Yuzhong Qu,Xiang Zhang,Huiying Li

DOI: https://doi.org/10.1145/1013367.1013457

2004-01-01

Abstract:This paper proposes an Ontology-based Rights Expression Language, called OREL. Based on OWL Web Ontology Language, OREL allows not only users but also machines to handle digital rights at semantics level. The ontology-based rights model of OREL is also presented. The usage of OREL and its advantages against existing RELs are discussed.

Di Wu,Xiyuan Chen,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11836025_19

2006-01-01

Abstract:Today, the formulation, specification, and verification of adequate data protection policies in open distributed environment appear as the main challenge to address concerning authorization Role-based access control models have attracted considerable research interest in recent years due to their innate ability to model organizational structure and their potential to reduce administrative overheads This paper proposes ontology specification to describe Role-based Access Control model and extend it with a general context expression Based on these definitions, the specification for interoperation in distributed environment is introduced The works include a definition of ontology to describe the concepts and a declaration of rules to explicit the relationship between concepts The ontology based approach can express security policy with semantic information and provide a machine interpretation for descriptions of policy in open distributed environment.

D Xu,Z Tang,Y Yu,C Qu

2012-01-01

Abstract:The use license often plays the role of an agreement between the user and the copyright owner. Rights expression language should provide a description of interactive mechanism and license negotiation to avoid the ambiguous transformation between REL and authorization protocols. By extending the ODRL to establish a digital rights expression model of appending, updating and aggregating licenses, the interactive license management mechanism can be described. Some detailed examples of the extended model are also listed in this paper. The proposed scheme can support fine-grained authorization, progressive or updating authorization and combination authorization to achieve dynamic rights management of digital content and provide authorization on demand services.

Riccardo Pucella,Vicky Weissman

DOI: https://doi.org/10.48550/arXiv.cs/0601085

2006-01-19

Abstract:ODRL is a popular XML-based language for stating the conditions under which resources can be accessed legitimately. The language is described in English and, as a result, agreements written in ODRL are open to interpretation. To address this problem, we propose a formal semantics for a representative fragment of the language. We use this semantics to determine precisely when a permission is implied by a set of ODRL statements and show that answering such questions is a decidable NP-hard problem. Finally, we define a tractable fragment of ODRL that is also fairly expressive.

Logic in Computer Science,Cryptography and Security

Per Runeson,Thomas Olsson,Johan Linåker

DOI: https://doi.org/10.48550/arXiv.2109.01378

2021-09-03

Abstract:Software systems are increasingly depending on data, particularly with the rising use of machine learning, and developers are looking for new sources of data. Open Data Ecosystems (ODE) is an emerging concept for data sharing under public licenses in software ecosystems, similar to Open Source Software (OSS). It has certain similarities to Open Government Data (OGD), where public agencies share data for innovation and transparency. We aimed to explore open data ecosystems involving commercial actors. Thus, we organized five focus groups with 27 practitioners from 22 companies, public organizations, and research institutes. Based on the outcomes, we surveyed three cases of emerging ODE practice to further understand the concepts and to validate the initial findings. The main outcome is an initial conceptual model of ODEs' value, intrinsics, governance, and evolution, and propositions for practice and further research. We found that ODE must be value driven. Regarding the intrinsics of data, we found their type, meta-data, and legal frameworks influential for their openness. We also found the characteristics of ecosystem initiation, organization, data acquisition and openness be differentiating, which we advise research and practice to take into consideration.

Software Engineering

Tim Davies,Fernando Perini

DOI: https://doi.org/10.15353/joci.v12i2.3246

2016-06-21

The Journal of Community Informatics

Abstract:Open data has rapidly moved from being a niche interest, to being part of the global policy mainstream. Government-led open data initiatives have spread across the globe, and civil society or technologist experiments using data to improve governance have been spreading organically, from budget monitoring in Nigeria, to court transparency projects in Argentina. It is increasingly seen as enabler of a “data revolution” in the process of decision-making and accountability. However, understanding how experience of open data will vary from country to country and context to context, and, understanding the common features of open data that are shaping its implementation in these diverse settings, requires broad-based research framework. It requires research that can engage with both existing realities of decision-making in sectors, acknowledging the growing complexity of this process in an increasingly networked society. In this paper we have reviewed the framework of the “Open Data in Developing Countries”(ODDC) project, the largest research project on the impact of open data in developing countries to date. The framework was designed to help explore the link between openness in the data ecosystem, decentralized changes in decision-making, and positive and negative emerging impacts such as transparency and accountability, inclusion and empowerment as well as innovation and economic development. It was tested to generate cross-learning from 17 in-depth cases studies in 14 countries, as well as generate policy-relevant findings. This paper reviews and updates the original framework based on the findings and reflections developed during the research project.

Wang Aihua,SUN Shibing,ZHU Benjun

DOI: https://doi.org/10.3969/j.issn.1007-2179.2005.04.015

2005-01-01

Abstract:The paper introduces several Digital Right Expression Language (DREL), such as XrML (Extensible Rights Markup Language) 、ODRL(Open Digital Right Language)、MPEG-21 REL、OMA(Open Mobile Alliance) DRM-REL、OeBF(Open e-Book Forum) REL. Also, the paper compares the ODRL and MPEG-21 REL from several aspects. It puts forward that DREL for education must be concise, easy to apply, and extensible.

Johan Linåker,Per Runeson

DOI: https://doi.org/10.48550/arXiv.2208.01694

2022-08-09

Abstract:Motivation. Digital commons is an emerging phenomenon and of increasing importance, as we enter a digital society. Open data is one example that makes up a pivotal input and foundation for many of today's digital services and applications. Ensuring sustainable provisioning and maintenance of the data, therefore, becomes even more important. Aim. We aim to investigate how such provisioning and maintenance can be collaboratively performed in the community surrounding a common. Specifically, we look at Open Data Ecosystems (ODEs), a type of community of actors, openly sharing and evolving data on a technological platform. Method. We use Elinor Ostrom's design principles for Common Pool Resources as a lens to systematically analyze the governance of earlier reported cases of ODEs using a theory-oriented software engineering framework. Results. We find that, while natural commons must regulate consumption, digital commons such as open data maintained by an ODE must stimulate both use and data provisioning. Governance needs to enable such stimulus while also ensuring that the collective action can still be coordinated and managed within the frame of available maintenance resources of a community. Subtractability is, in this sense, a concern regarding the resources required to maintain the quality and value of the data, rather than the availability of data. Further, we derive empirically-based recommended practices for ODEs based on the design principles by Ostrom for how to design a governance structure in a way that enables a sustainable and collaborative provisioning and maintenance of the data. Conclusion. ODEs are expected to play a role in data provisioning which democratize the digital society and enables innovation from smaller commercial actors. Our empirically based guidelines intend to support this development.

Software Engineering

Dongyang Xu,Zhi Tang,Yinyan Yu

DOI: https://doi.org/10.1109/isias.2011.6122817

2011-01-01

Abstract:License often plays the role of an agreement between the user and the copyright owner. Rights expression language should provide a description of interactive mechanism and license negotiation to avoid the ambiguous transformation between REL and authorization protocols. By extending the ODRL to establish a digital rights expression model of appending, updating and aggregating license, the interactive license management mechanism can be described. In this paper, the supposed scheme can support fine-grained authorization, progressive or updating authorization and combination authorization to achieve dynamic rights management of digital content.

Ellie Graeden,David Rosado,Tess Stevens,Mallory Knodel,Rachele Hendricks-Sturrup,Andrew Reiskind,Ashley Bennett,John Leitner,Paul Lekas,Michelle DeMooy

2023-08-25

Abstract:Under the current regulatory framework for data protections, the protection of human rights writ large and the corresponding outcomes are regulated largely independently from the data and tools that both threaten those rights and are needed to protect them. This separation between tools and the outcomes they generate risks overregulation of the data and tools themselves when not linked to sensitive use cases. In parallel, separation risks under-regulation if the data can be collected and processed under a less-restrictive framework, but used to drive an outcome that requires additional sensitivity and restrictions. A new approach is needed to support differential protections based on the genuinely high-risk use cases within each sector. Here, we propose a regulatory framework designed to apply not to specific data or tools themselves, but to the outcomes and rights that are linked to the use of these data and tools in context. This framework is designed to recognize, address, and protect a broad range of human rights, including privacy, and suggests a more flexible approach to policy making that is aligned with current engineering tools and practices. We test this framework in the context of open banking and describe how current privacy-enhancing technologies and other engineering strategies can be applied in this context and that of contract tracing applications. This approach for data protection regulations more effectively builds on existing engineering tools and protects the wide range of human rights defined by legislation and constitutions around the globe.

Computers and Society

Shirley Kempeneer,Ali Pirannejad,Johan Wolswinkel

DOI: https://doi.org/10.1016/j.giq.2023.101823

IF: 8.49

2023-03-01

Government Information Quarterly

Abstract:While the applicable legal framework is often identified as one of the key factors in the success or failure of open government data (OGD), the concrete impact of ‘OGD law’ on actual practices of OGD is often overlooked or hardly addressed in-depth. This contribution therefore aims to disentangle this legal impact based on an AI-driven systematic literature review combining legal and public administration (PA) publications. First, the review shows that OGD law has many faces and cannot be reduced to one single piece of ‘OGD legislation’. Instead, OGD law covers a wide range of topics, dealing with access to information, re-use of information, and conflicting interests (e.g. privacy or copyright). Secondly, the article identifies three main dimensions that structure the assessment of the impact of OGD law on OGD practices: topics of OGD law, sources of OGD law, and levels of OGD law. Finally, the review shows that there is no clear and univocal evidence to answer the question of what regulatory constellation is successful in fostering OGD practices and what is not, partly due to a lack of available empirical research. At the same time, the literature reveals some promising avenues for future research on OGD law in action.

information science & library science

Gralf-Peter Calliess,Simon Johannes Heetkamp

DOI: https://doi.org/10.2139/ssrn.3505635

2019-01-01

SSRN Electronic Journal

Abstract:Online Dispute Resolution (‘ODR’) is a dispute resolution service provided on the internet. It combines different means of alternative dispute resolution (‘ADR’) with the use of information and communication technology (‘ICT’). Originally, it was predominantly concerned with conflicts arising from the use of the internet, such as disputes over e-commerce transactions or domain names. More recently, it is gaining importance in the resolution of offline disputes as well. This paper elaborates on the concept and function of ODR and examines its public and private regulation, where the ODR-Regulation and ADR-Directive of the European Union and the UNCITRAL Technical Notes on ODR figure most prominently. After analysing the impact of these regulations, we discuss some crucial issues of the future development of ODR. Since technology is said to take part as a ‘fourth party’, we suggest a more technological rather than purely legal approach to ODR.

Bert-Jaap Koops,Jaap-Henk Hoepman,Ronald Leenes

DOI: https://doi.org/10.1016/j.clsr.2013.09.005

2013-12-01

Abstract:As demonstrated by other papers on this issue, open-source intelligence (OSINT) by state authorities poses challenges for privacy protection and intellectual-property enforcement. A possible strategy to address these challenges is to adapt the design of OSINT tools to embed normative requirements, in particular legal requirements. The experience of the VIRTUOSO platform will be used to illustrate this strategy. Ideally, the technical development process of OSINT tools is combined with legal and ethical safeguards in such a way that the resulting products have a legally compliant design, are acceptable within society (social embedding), and at the same time meet in a sufficiently flexible way the varying requirements of different end-user groups. This paper uses the analytic framework of privacy design strategies (minimise, separate, aggregate, hide, inform, control, enforce, and demonstrate), arguing that two approaches for embedding legal compliance seem promising to explore in particular. One approach is the concept of revocable privacy with spread responsibility. The other approach uses a policy mark-up language to define Enterprise Privacy Policies, which determine appropriate data handling.Both approaches are tested against three requirements that seem particularly suitable for a ‘compliance by design’ approach in OSINT: purpose specification; collection and use limitation and data minimisation; and data quality (up-to-dateness). For each requirement, the paper analyses whether and to what extent the approach could work to build in the requirement in the system. The paper concludes that legal requirements cannot be embedded fully in OSINT systems. However, it is possible to embed functionalities that facilitate compliance in allowing end-users to determine to what extent they adopt a ‘privacy-by-design’ approach when procuring an OSINT platform, extending it with plug-ins, and fine-tuning it to their needs. The paper argues that developers of OSINT platforms and networks have a responsibility to make sure that end-users are enabled to use privacy by design, by allowing functionalities such as revocable privacy and a policy-enforcement language.

law

Ellen Poplavska,Thomas B. Norton,Shomir Wilson,Norman Sadeh

DOI: https://doi.org/10.3233/faia200874

2020-12-01

Abstract:The European Union’s General Data Protection Regulation (GDPR) has compelled businesses and other organizations to update their privacy policies to state specific information about their data practices. Simultaneously, researchers in natural language processing (NLP) have developed corpora and annotation schemes for extracting salient information from privacy policies, often independently of specific laws. To connect existing NLP research on privacy policies with the GDPR, we introduce a mapping from GDPR provisions to the OPP-115 annotation scheme, which serves as the basis for a growing number of projects to automatically classify privacy policy text. We show that assumptions made in the annotation scheme about the essential topics for a privacy policy reflect many of the same topics that the GDPR requires in these documents. This suggests that OPP-115 continues to be representative of the anatomy of a legally compliant privacy policy, and that the legal assumptions behind it represent the elements of data processing that ought to be disclosed within a policy for transparency. The correspondences we show between OPP-115 and the GDPR suggest the feasibility of bridging existing computational and legal research on privacy policies, benefiting both areas.

Yang Luo,Hongbo Zhou,Qingni Shen,Anbang Ruan,Zhonghai Wu

DOI: https://doi.org/10.1109/icws.2016.92

2016-01-01

Abstract:Recently an increasing number of web applications especially cloud computing systems utilize representational state transfer (REST) API to deploy their services for simplicity and clarity. Users can employ the same interface to invoke various applications from the Internet. For security purposes, service providers would control the access to the provided interface through policy enforcement. Yet the access control of REST interfaces lacks a uniform standard regarding the policy language and corresponding enforcement implementation, which brings two limitations: i) Users have to deal with totally different types of policies to accommodate certain systems. ii) Service providers have to design their own platform-specific authorization policy language and the related enforcement mechanisms. In this paper, we propose a REST Policy Language (RestPL) to express the authorization policies especially for REST APIs. RestPL is ensured to be request-oriented, based on our definition of the standard request form. This indicates that a RestPL policy can be automatically generated from an actual request, which helps mitigate a user's pressure during policy designing. Furthermore, we also provide a reference implementation for the enforcement code of RestPL based on regular expressions and deploy it on OpenStack Liberty to demonstrate its feasibility. The experimental results indicate the enforcement overhead of RestPL can be reduced to 80.6% compared with the original policy. In addition, we show that an end-user can also benefit from RestPL for reducing the learning effort by at least 41.6%.

François Hublet,Alexander Kvamme,Srđan Krstić

2024-02-27

Abstract:While Privacy by Design (PbD) is prescribed by modern privacy regulations such as the EU's GDPR, achieving PbD in real software systems is a notoriously difficult task. One emerging technique to realize PbD is Runtime enforcement (RE), in which an enforcer, loaded with a specification of a system's privacy requirements, observes the actions performed by the system and instructs it to perform actions that will ensure compliance with these requirements at all times. To be able to use RE techniques for PbD, privacy regulations first need to be translated into an enforceable specification. In this paper, we report on our ongoing work in formalizing the GDPR. We first present a set of requirements and an iterative methodology for creating enforceable formal specifications of legal provisions. Then, we report on a preliminary case study in which we used our methodology to derive an enforceable specification of part of the GDPR. Our case study suggests that our methodology can be effectively used to develop accurate enforceable specifications.

Cryptography and Security,Computers and Society

Stian Soiland-Reyes,Leyla Jael Castro,Daniel Garijo,Marc Portier,Carole Goble,Paul Groth

DOI: https://doi.org/10.3897/rio.8.e94501

2022-10-13

Research Ideas and Outcomes

Abstract:BackgroundThe FAIR principles (Wilkinson et al. 2016) are fundamental for data discovery, sharing, consumption and reuse; however their broad interpretation and many ways to implement can lead to inconsistencies and incompatibility (Jacobsen et al. 2020).The European Open Science Cloud (EOSC) has been instrumental in maturing and encouraging FAIR practices across a wide range of research areas. Linked Data in the form of RDF (Resource Description Framework) is the common way to implement machine-readability in FAIR, however the principles do not prescribe RDF or any particular technology (Mons et al. 2017).FAIR Digital ObjectFAIR Digital Object (FDO) (Schultes and Wittenburg 2019) has been proposed to improve researcher's access to digital objects through formalising their metadata, types, identifiers and exposing their computational operations, making them actionable FAIR objects rather than passive data sources. FDO is a set of principles (Bonino et al. 2019), implementable in multiple ways. Current realisations mostly use Digital Object Interface Protocol (DOIPv2) (DONA Foundation 2018), with the main implementation CORDRA. We can consider DOIPv2 as a simplified combination of object-oriented (CORBA, SOAP) and document-based (HTTP, FTP) approaches.More recently, the FDO Forum has prepared detailed recommendations, currently open for comments, including a DOIP endorsement and updated FDO requirements. These point out Linked Data as another possible technology stack, which is the focus of this work.Linked DataLinked Data standards (LD), based on the Web architecture, are commonplace in sciences like bioinformatics, chemistry and medical informatics – in particular to publish Open Data as machine-readable resources. LD has become ubiquitous on the general Web, the schema.org vocabulary is used by over 10 million sites for indexing by search engines – 43% of all websites use JSON-LD.Although LD practices align to FAIR (Hasnain and Rebholz-Schuhmann 2018), they do not fully encompass active aspects of FDOs. The HTTP protocol is used heavily for applications (e.g. mobile apps and cloud services), with REST APIs of customised JSON structures. Approaches that merge the LD and REST worlds include Linked Data Platform (LDP), Hydra and Web Payments.Meeting FDO principles using Linked Data standardsConsidering the potential of FDOs when combined with the mature technology stack of LD, here we briefly discuss how FDO principles in Bonino et al. (2019) can be achieved using existing standards. The general principles (G1–G9) apply well: Open standards with HTTP being stable for 30 years, JSON-LD is widely used, FAIR practitioners mainly use RDF, and a clear abstraction between the RDF model with stable bindings available in multiple serialisations. However, when considering the specific principles (FDOF1–FDOF12) we find that additional constraints and best practices need to be established – arbitrary LD resources cannot be assumed to follow FDO principles. This is equivalent to how existing use of DOIP is not FDO-compliant without additional constraints.Namely, persistent identifiers (PIDs) (McMurry et al. 2017) (FDOF1) are common in LD world (e.g. using http://purl.org/ or https://w3id.org/), however they don't always have a declared type (FDOF2), or the PID may not even appear in the metadata. URL-based PIDs are resolvable (FDOF3), typically over HTTP using redirections and content-negotiation. One great advantage of RDF is that all attributes are defined semantic artefacts with PIDs (FDOF4), and attributes can be reused across vocabularies. While CRUD operations (FDOF6) are supported by native HTTP operations (GET/PUT/POST/DELETE) as in LDP , there is little consistency on how to define operation interfaces in LD (FDOF5). Existing REST approaches like OpenAPI and URI templates are mature and good candidates, and should be related to defined types to support machine-actionable composition (FDOF7). HTTP error code 410 Gone is used in tombstone pages for removed resources (FDOF12), although more frequent is 404 Not Found.Metadata is resolved to HTTP documents with their own URIs, but these frequently don't have their own PID (FDOF8). RDF-Star and nanopublications (Kuhn et al. 2021) give ways to identify and trace provenance of individual assertions. Different metadata levels (FDOF9) are frequently developed for LD vocabularies across different communities (FDOF10), such as FHIR for health data, Bioschemas for bioinformatics and >1000 more specific bioontologies. Increased declaration and navigation of profiles is therefore essential for machine-actionability and consistent consumption across FAIR endpoints. Several standards exist for rich collections (FDOF11), e.g. OAI-ORE, DCAT, RO-Crate, LDP. These are used and extended heterogeneously across the Web, but consistent machine-actionable FDOs will need specific choices of core -Abstract Truncated-

Nadzeya Kiyavitskaya,Nicola Zeni,Travis D. Breaux,Annie I. Antón,James R. Cordy,Luisa Mich,John Mylopoulos

DOI: https://doi.org/10.1007/978-3-540-87877-3_13

2008-01-01

Abstract:Government regulations are increasingly affecting the security, privacy and governance of information systems in the United States, Europe and elsewhere. Consequently, companies and software developers are required to ensure that their software systems comply with relevant regulations, either through design or re-engineering. We previously proposed a methodology for extracting stakeholder requirements, called rights and obligations, from regulations. In this paper, we examine the challenges to developing tool support for this methodology using the Cerno framework for textual semantic annotation. We present the results from two empirical evaluations of a tool called “Gaius T.” that is implemented using the Cerno framework and that extracts a conceptual model from regulatory texts. The evaluation, carried out on the U.S. HIPAA Privacy Rule and the Italian accessibility law, measures the quality of the produced models and the tool’s effectiveness in reducing the human effort to derive requirements from regulations.