The Policy Enabled Next geNeration Internet (PENNI) project aims to lay the technical foundations for a policy, trust and transparency enabled decentralised
Next Generation Internet (NGI), that can support intelligent agents that act on behalf of humans.
Our hypothesis being that decentralized applications that are able to understand constraints, in the form of goals, preferences, norms and usage restrictions,
together with trust and transparency mechanisms will give humans more control over how their data is utilised and will foster trustworthiness in NGI applications,
such as intelligent agents and devices.
In this document, we propose representations that are suitable for recording service and thing policies, agent preferences, and organisational norms.
This work builds upon the 'Governance of Autonomous Agents on the Web: Challenges and Opportunities' paper [[TOIT-Governance]], which was co-authored by
Timotheus Kampik, Adnane Mansour, Olivier Boissier, Julian Padget, Terry R. Payne, Munindar P. Singh, Valentina Tamma, Antoine Zimmermann.
We sincerely thank Karen Sollins for her feedback on the initial draft of this document.
Introduction
This document describes an OWL based language that are used to encode service and thing policies, agent preferences, and normative organisation norms.
We start by providing a high level overview of the 'Conceptual Framework for Governing Agents on the Web' [[TOIT-Governance]],
which describes the role of policies, preferences, and norms when it comes to agent based systems.
Following on from this we provide generic OWL based encodings for policies, preferences, and norms, as well as concrete examples.
Finally, we use the motivating use case scenario detailed in 'Intelligent Software Web Agents: A Gap Analysis' [[JWS-Agent-Architecture]]
to demonstrate the potential of the proposed language from a practicality perspective.
Aims of the Specification
The overarching aim of this specification is to provide an OWL based language that are used by agents to reason with respect to policies, preferences, and norms.
The language is inspired by the SPECIAL Policy language [[SPECIAL-Policies]] that are used to express policies that are used to verify compliance with
General Data Protection Regulation (GDPR) obligations, especially those relating to consent for personal data processing.
The examples throughout the document are serialized using the [[OWL Functional Syntax]] and use the following prefixes:
Conceptual framework for Governing Agents on the Web
The primary objective of this section is to provide the necessary background in relation to the 'Conceptual framework for Governing Agents on the
Web' [[TOIT-Governance]], which describes the role of policies, preferences and norms in a multi-agent system. The proposed conceptual framework serves as the theoretical
foundation for the work presented here in.
Conceptual framework for Governing Agents on the Web adapted from [[TOIT-Governance]]
Reactive Things and Services Layer
The reactive things and services layer encapulates non-autonomous entities, in the form of things and services, which are connected to the internet.
Agents use their sensors and actuators in order to interact with such entities. Things and servies are governed by policies that are used to specify both access and
usage restrictions.
Autonomous Agents Layer
The autonomous agents layer encapulates entities, namely agents, which are capable of performing actions autonomously, such as interacting with other agents, things,
and services. Agent actions are guided by various preferences (e.g., goals, agent preferences, service preferences). However these preferences
cannot be considered in isolation, as agents also need to consider policies that govern service and thing usage and legal and social norms that govern organisations.
Normative Organisations Layer
The normative organisations layer encapulates (virtual) organisations that enable agents to interact and collaboration and serve as the basis for developing complex
software agent systems. Organisations are logical groupings of agents that serve a particular business or social purpose. Organisations are governed by legal, regulatory and social norms
that can span multiple organisations.
PPN Foundations
In this section we present the foundational vocabulary elements that are core to the policies, preferences, and norms (PPN) language.
Both access and usage policies are associated with reactive things and services. The former are used to specify who is permitted / prohibited from using services and/or things, whereas the
latter are used to specify usage restrictions that apply after access has been granted.
The following subclasses are core to both access and usage policies:
We model access policies as one or more access rules that are used to state that a given subject (e.g., a user, role, group) is permitted to perform an action (e.g., read, write, share)
on a certain object (e.g., dataset, file, graph). Policies can contain both permissions (positive authorisations) and prohibitions (negative authorisations).
The following subclasses are core to access policies:
Conflicts that arise between rules can be handled via default conflict resolution strategies, for instance permissions override prohibitions or prohibitions override permissions.
Additionally, meta policies can be used to define more elaborate conflict resolution strategies, for instance explicit authorisations override inferred authorisations.
We model usage policies by extending basic access control policies (i.e. permissions and prohibitions) with obligations and
dispensations, aswell as providing support for purpose specification. Thus usage policies are used to specify permitted, prohibited, obligued,
dispensated actions by subjects on target objects, possibly connected to specifc purposes.
The following classes and subclasses are core to usage policies:
For instance, a Usage Policy could be used to specify that Lucy and Pete's Agents are permitted to process Alice's medical data
for medical appointment scheduling purposes, however the permission is only valid if the agents have obtained delegation of authority for medical appointment
scheduling purposes.
In order to enable intelligent devices and agents of the future to interact autonomously via the Internet in a human-centric manner, there is a need to specify not only goals,
but also the preferences of the humans utilising these devices in a machine-readable format.
We model preferences as a set of weak or strong rules that can either be used to: (i) specify service thing selection preferences (in order to help the agent to select the most suitable service/thing);
or (ii) specify actions that should be performed by the agent (in order to guide agent behaviour). Strong rules indicate that the preference must be satisfied, while weak rules indicate that
the preference may be relaxed in favor of other preferences.
The following subclasses are core to preference policies:
Source Preferences are used to specify that a given subject (i.e., thing, service, agent) must meet specific requirements in terms of
thing/service/agent traits that are specified via object relationships.
Specific preference policies are defined as follows:
ClassAssertion( ppn:Preferences SomePreferences )
Specific preferences rules are defined as follows:
For instance, a Preference could be used to specify that a strong prefernce for the selected physiotherapy
provider being covered by Alice's insurance.
Organisations are useful abstractions to structure norms and make them accessible to agents. Although agents have the choice of joining such structures,
they may be subject to conditions that regulate their admission (and exit), as well as there being an expectation to comply with the organisation's norms.
Legal, Regulatory, and Social Norms
We model legal, regulatory, and social norms as a set of (possibly nested) rules that encode permissions, prohibitions, obligations, or dispensations
that relate to actions, subjects (i.e., parties), and objects (i.e., resources).
The following classes, subclasses, properties, and subproperties have already been defined under policies:
Declaration( Class( ppn:Purpose ) )
SubClassOf( ppn:Action ppn:Predicate )
SubClassOf( ppn:AccessIntent ppn:Intent )
SubClassOf( ppn:UsageIntent ppn:Intent )
SubClassOf( ppn:Permission ppn:AccessIntent )
SubClassOf( ppn:Prohibition ppn:AccessIntent )
SubClassOf( ppn:Obligation ppn:UsageIntent )
SubClassOf( ppn:Dispensation ppn:UsageIntent )
Declaration( ObjectProperty( ppn:hasPurpose ) )
SubObjectPropertyOf( ppn:hasAction ppn:hasPredicate )
The following classes and subclasses are core to norm policies:
The original semantic web vision was presented with the help of a motivating use case scenario, revolving around Pete and Lucy and their mother (Alice) who has just found out that
she needs to attend regular physiotherapy sessions. Lucy asks her personal agent to prepare a physiotherapy appointment schedule such that they are able to share
the chauffeuring duties. Lucy's agent is tasked with finding a physiotherapist who: (i) is covered by their mothers insurance; (ii) has a trusted service rating of very good
or excellent; (iii) is located within a 20 mile radius of their mother's home; and (iv) has appointments that work with Lucy and Pete's busy schedules.
Lucy requests that her agent devises a schedule considering the given constraints.
Lucy's agent consults with the doctor's agent in order to retrieve information relating to the prescribed treatment.
Lucy's agent consults with the insurance provider agent in order to find physiotherapists considering the given constraints.
Lucy's agent consults the various physiotheraphy agents in order to retrieve available appointment times.
Lucy's agent asks Pete's agent to give her access to his schedule.
Lucy's agent retrieves here own schedule.
Lucy's agent uses the available appointment times provided by the various physiotherapy service providers, together with Pete's schedule provided by his agent, and Lucy's own
schedule in order to prepare a physiotherapy appointment schedule considering available appointments and Pete's and Lucy's busy schedules.
Lucy's agent shares the proposed schedule with Lucy, and Pete's agent who in turn shares it with Pete.
Unfortunately the original proposal is not satisfactory, given that the physiotherapist is quite far from Pete's work and the appointment times coincide with the lunch time rush hour,
thus Pete instructs his agent to redo the task with stricter constraints on location and time.
Pete requests that his agent propose a new plan that takes into consideration the additional location and time constraints.
Pete's agent obtains all relevant background information relating to the initial proposal from Lucy's agent.
Pete's agent uses the new constraints, together with the available appointment times and information related to Pete's and
Lucy's schedules, in order to prepare a new plan, with two compromises: (i) Pete needs to reschedule some conflicting appointments,
and (ii) the provider was not on the insurance companies list, thus his agent verified that the service provider was eligible for
reimbursement using an alternative mechanism.
Pete's agent shares the proposed plan and the compromises with Pete, and Lucy's agent, who in turn shares it with Lucy.
Although the original motivating scenario didn't mention policies, preferences, and norms specifically it is possible to infer this Information
from an analysis of the textual description.
Policies
The following policies have been derived from the use case scenario outlined in the previous section.
Patient Data Access
The Patient Data Access Policy states that a patient or their representative can obtain patient medical data.
As this is a general policy that relates to all patients, the enforcement engine needs to infer that Alice is a patient and
AlicesAgent is Alices representative and thus is permitted to obtain Alice's medical data.
The Patient Credentials Access Policy states that a patients representative can obtain the patients credential.
As per the previous example, the enforcement engine needs to infer that Alice is a patient and
AlicesAgent is AlicesRepresentative and thus is permitted to obtain Alice's delegated credentials.
The Patient Delegated Authority Usage Policy states that Alices delegated doctor credentials may only be used to
request information about the treatment recommended on date X. Contrary to the above examples this policy does not apply to all patients,
but rather to Alice specifically.
The Physiotherapist Location states that the physiotherapy
provider must be located within a 20 mile radius of Alice's home and near Pete and Lucy's workplaces. Here we assume that
near means within 5 miles.
The Physiotherapy Appointment Scheduling states that the appointments
fit with Lucy or Pete's sechedules and the appointments should not be during morning or evening rush hours or at lunchtime.
The following norms have been derived from the use case scenario outlined in the previous section.
Personal Data Processing Consent
The Personal Data Processing Consent Norm states that data processors must have consent for personal data processing.
As this is a general policy that relates to all data processors, the enforcement engine needs to infer that Alice's agent is a data processor and thus
needs to have Alice's consent for personal data processing.
The Collaborating Agents Information Sharing Norm states that autonomous agents must not share sensitive information.
As this is a general policy that relates to all autonomous agents, the enforcement engine needs to infer that generally speaking agents must not share
sensitive information, unless that sensitive information needs to be shared in order to complete a delegated task.
The Collaborating Agents Information Sharing Norm states that collaboratng autonomous agents must partake in information sharing.
As this is a general policy that relates to all autonomous agents, the enforcement engine needs to infer that Lucy's agent needs to share information with
Pete's agent.
