On Compound Purposes and Compound Reasons for Enabling Privacy

This paper puts forward a verification method for compound purposes and compound reasons, to be used during purpose limitation. When it is absolutely necessary to collect privacy-related information, it is essential that privacy enhancing technologies (PETs) protect access to that data; this is generally accomplished by binding purposes to the data. Compound purposes and compound reasons are an enhancement of the purposes used during purpose limitation and purpose binding, and are more expressive than purposes in their general form. Data users specify their access needs by means of compound reasons, which are defined in terms of (compound) purposes. Purposes are organised in a lattice: purposes near the greatest lower bound (GLB) are considered weak (less specific) and purposes near the least upper bound (LUB) are considered strong (most specific). Access is granted based on the verification of the data user's statement of intent against the compound purpose bound to the data. Because purposes are in a lattice, however, the data user is not limited to a statement of intent that matches the purposes bound to the data exactly; the statement can be a true reflection of their intent with the data. Hence, the verification of compound reasons against compound purposes cannot be accomplished by currently published verification algorithms. Before the verification method is presented, compound purposes and reasons, the structures used to represent them, and the operators used to define compounds are introduced. Finally, some thoughts on implementation are provided.
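The lattice-based check sketched in the abstract, as an added illustration that is not the paper's own method or code: the purpose lattice, the purpose names and the compound semantics (a bound compound purpose is a set of permitted purposes, a compound reason is a set of intended purposes, and every intended purpose must be at least as specific as some permitted one) are all assumptions made here, since the abstract does not define the paper's operators.

```python
# Constructed purpose lattice (example data, not from the paper). Each purpose
# maps to the purposes directly below it (less specific). "any" is the GLB, the
# weakest purpose; leaves such as "email_marketing" are the most specific.
REFINES = {
    "any": [],
    "marketing": ["any"],
    "service": ["any"],
    "email_marketing": ["marketing"],
    "sms_marketing": ["marketing"],
    "billing": ["service"],
    "support": ["service"],
}


def dominates(stronger: str, weaker: str) -> bool:
    """True when `stronger` is at least as specific as `weaker`, i.e. `weaker`
    is reachable by walking down the lattice from `stronger` (reflexive)."""
    seen, stack = set(), [stronger]
    while stack:
        purpose = stack.pop()
        if purpose == weaker:
            return True
        if purpose in seen:
            continue
        seen.add(purpose)
        stack.extend(REFINES.get(purpose, []))
    return False


def verify(reason: frozenset, bound_purposes: frozenset) -> bool:
    """Assumed compound semantics: access is granted only if every purpose the
    data user states is at least as specific as some purpose bound to the data.
    A stated purpose weaker than the bound one (e.g. "any") is rejected, while a
    more specific refinement is accepted without an exact match."""
    return all(
        any(dominates(stated, bound) for bound in bound_purposes)
        for stated in reason
    )
```

A data item bound to {marketing, support} thus admits a stated intent of {email_marketing, support} but rejects {any} and {email_marketing, billing}, because billing refines service, not any of the bound purposes.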
