Vivying S. Y. Cheng

End-to-end privacy control in service outsourcing of human intensive processes: A multi-layered Web service integration approach

With the recent adoption of service outsourcing, there have been increasing general demands and concerns for privacy control, in addition to basic requirement of integration. The traditional practice of a bulk transmission of the customers’ information to an external service provider is no longer adequate, especially in the finance and healthcare sectors. From our consultancy experience, application-to-application privacy protection technologies at the middleware layer alone are also inadequate to solve this problem, particularly when human service providers are heavily involved in the outsourced process. Therefore, we propose a layered architecture and a development methodology for enforcing end-to-end privacy control policies of enterprises over the export of personal information. We illustrate how Web services, augmented with updated privacy facilities such as Service Level Agreement (SLA), Platform for Privacy Preferences Project (P3P), and the P3P Preference Exchange Language (APPEL), can provide a suitable interoperation platform for service outsourcing. We further develop a conceptual model and an interaction protocol to send only the required part of a customer’s record at a time. We illustrate our approach for end-to-end privacy control in service outsourcing with a tele-marketing case study and show how the software of the outsourced call center can be integrated effectively with the Web services of a bank to protect privacy.

Enabling Web Services Policy Negotiation with Privacy preserved using XACML

In recent Web services research, there are increasing demands and discussions about negotiation technologies for different Web services applications. One of the important topics is the policy negotiation. As many business activities become automated, policy compliance negotiation between human agents can be a bottleneck. In this paper, we focus on the policy negotiation research issues in privacy policy. We adopt the extensible Access Control Markup Language (XACML) as a policy description language and explore its potential in privacy policy negotiation. We first formalize the negotiation process in the context of Web services. Then, we illustrate the policy negotiation model by introducing a policy negotiation point (PNP) between the policy enforcement point (PEP) and policy decision point (PDP) in the XACML policy management architecture. We discuss different phases in a privacy policy negotiation and finally we illustrate how PNP can help on negotiating policies through an example scenario

Health Insurance Portability and Accountability Act (HIPPA) Compliant Access Control Model for Web Services

Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of rules to be followed by health plans, doctors, hospitals, and other healthcare providers in the U.S. HIPAA privacy rules create national standards to protect individuals’ health information. Recently, there have been increasing demands and discussions about Web services-based healthcare applications. It is, therefore, necessary for HIPAA privacy rules to be standardized in Web services. However, so far no comprehensive solutions to the various privacy issues have been defined in this area. This paper summarizes the HIPAA privacy rules and surveys the topic of protecting health data privacy under the HIPAA. We propose a vocabulary-based Web services privacy framework with Role-based Access Control (RBAC) with privacy extensions and argue the HIPAA compliance for such framework. For illustration, we present the first two HIPAA rules in the extended RBAC model and embed into the HIPAA-compliant technical architecture for implementation of Web services.

Towards an integrated privacy framework for HIPAA-compliant Web services

A Web service is a software system designed to support interoperable application-to-application interaction over the Internet. Web services are based on a set of XML standards, such as universal description, discovery and integration (UDDI), Web services description language (WSDL), and simple object access protocol (SOAP). Based on prior studies, this paper proposes a vocabulary-based Web services privacy framework for protecting health data privacy under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The gong system: web-based learning for multiple languages, with special support for the Yale representation of Cantonese

This paper introduces the Gong system, an Internet-based voice board system designed primarily for language learners which includes special support for Cantonese. The Gong system is a client/server design which may be used to complement or, in some contexts, to replace face to face learning. The system supports Unicode input, storage and display of multiple character sets. Furthermore, we have developed a unique storage and display method for the Yale romanized representation of Cantonese, which is the most popular written method used for teaching Cantonese.

Protecting the Exchange of Document Images in Cross-Enterprise Process Integration with Web Services

There is now an increasing demand for sharing document images and image data for process integration among enterprises. Web services technology has recently been widely proposed and gradually adopted as a platform for supporting integrations. There are so far no holistic solutions to tackle the various protection issues in this area, especially regarding the security and privacy protection requirements in cross-enterprise progress integration. We propose the exchange of document images through a Document Image Exchange Platform (DIEP), replacing ad-hoc and manual exchange practices. We show how contemporary technologies of Web services and watermarking can help archive images with layered implementation architecture. Through dedicated Web services technologies with watermarking mechanism, not only can the development, deployment, and maintenance of software be streamlined, the privacy protection in document image exchanges as required by disparate processes can also be much facilitated.