Privacy APIs: formal models for analyzing legal privacy requirements

There is a growing interest in establishing rules to regulate the privacy of citizens in the treatment of sensitive personal data such as medical and financial records. Such rules must be respected by software used in these sectors. The regulatory statements are somewhat informal and must be interpreted carefully in the software interface to private data. Another issue of growing interest is establishing and proving that enterprises, their products, workflows, and services are in compliance with relevant privacy legislation. There is a growing industry in the creation of compliance tools that help enterprises self-examine to determine their status, but there is little formalization of what compliance means or how to check for it. To address these issues, we present techniques to formalize regulatory privacy rules and show how we can exploit this formalization to analyze the rules automatically. Our formal language, Privacy Commands, which combine to form Privacy APIs, is an extension of classical access control language to include operations for notification and logging, constructs that ease the mapping between legal and formal language, and a robust and expressive system for expressing references and constraints. We develop constructs and evaluation mechanisms for the language which are specially suited to modeling legal privacy policies and show the usefulness of the language by developing several comparison metrics for Privacy APIs which let us compare the permissiveness of policies. We call the metrics strong licensing and weak licensing and show how they are useful in comparing Privacy APIs. To validate the robustness and flexibility of the language we show several involved case studies with a variety of policies including the US HIPAA Privacy Rule, the US Cable TV Privacy Act, and the Insurance Council of Australia's Privacy Code.
To automate the evaluation of policy properties and comparison we develop and prove the correctness of a mapping from Privacy APIs to Promela, the input language for the SPIN model checker.
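The two ideas the abstract relies on, access-control rules that carry notification and logging obligations and a permissiveness comparison between policies, can be illustrated with the following added toy model. It is not the paper's Privacy API syntax or semantics and does not reproduce the strong/weak licensing definitions; the rule names, actors, purposes and the finite request space are constructed for illustration only.

```python
from dataclasses import dataclass, field
from itertools import product

# Added toy model: a rule permits an (actor, purpose, data) request and
# attaches obligations such as notifying the data subject or logging.
# Rule contents and names are constructed, not taken from any real policy.
@dataclass(frozen=True)
class Rule:
    actors: frozenset
    purposes: frozenset
    data: frozenset
    obligations: tuple = ()          # e.g. ("notify",) or ("log",)

@dataclass
class Policy:
    name: str
    rules: list
    audit_log: list = field(default_factory=list)

    def decide(self, actor, purpose, data):
        """Pure default-deny check: returns (permitted, set of obligations)."""
        for r in self.rules:
            if actor in r.actors and purpose in r.purposes and data in r.data:
                return True, set(r.obligations)
        return False, set()

    def evaluate(self, actor, purpose, data):
        """Decision plus discharge of the 'log' obligation; denials are always logged."""
        ok, obligations = self.decide(actor, purpose, data)
        if not ok or "log" in obligations:
            self.audit_log.append((actor, purpose, data, "permit" if ok else "deny"))
        return ok, obligations

def at_least_as_permissive(p, q, space):
    """True if every request q permits is also permitted by p (finite request space)."""
    return all(p.decide(*req)[0] for req in space if q.decide(*req)[0])

# Constructed request space and two policies that differ only in a marketing rule.
ACTORS, PURPOSES, DATA = {"provider", "marketer"}, {"treatment", "marketing"}, {"phi"}
SPACE = list(product(ACTORS, PURPOSES, DATA))
TREATMENT = Rule(frozenset({"provider"}), frozenset({"treatment"}), frozenset({"phi"}), ("log",))
MARKETING = Rule(frozenset({"marketer"}), frozenset({"marketing"}), frozenset({"phi"}), ("notify", "log"))
STRICT = Policy("strict", [TREATMENT])
LOOSE = Policy("loose", [TREATMENT, MARKETING])
```

Comparing `LOOSE` against `STRICT` over `SPACE` shows the ordering in one direction only, which is the kind of relation the abstract's comparison metrics make precise.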
