Privacy by typing in the π-calculus

In this paper we propose a formal framework for studying privacy in information systems. The proposal follows a two-axis schema: the first axis considers privacy as a taxonomy of rights, and the second axis concerns the ways in which an information system stores and manipulates information. We develop a correspondence between this schema and an associated model of computation. In particular, we propose the Privacy calculus, a calculus based on the π-calculus with groups, extended with constructs for reasoning about private data. The privacy requirements of an information system are captured via a privacy policy language. The correspondence between the privacy model and the semantics of the Privacy calculus is established through a type system for the calculus together with a satisfiability relation between types and privacy policies. Using a type preservation theorem, we show that a system respects a policy, and is therefore safe, whenever the typing of the system satisfies the policy. We illustrate the methodology by analysing two use cases: a privacy-aware scheme for electronic traffic pricing and a privacy-preserving technique for speed-limit enforcement.
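The abstract describes a three-part methodology: a system is assigned a type that summarises what each group does with private data, a policy states what each group is permitted to do, and the system is declared safe when its type satisfies the policy; type preservation then guarantees that the guarantee survives execution. The following toy, written for this page and not taken from the paper (it is not the Privacy calculus, and the process syntax, group names, channel names and policy are all invented), shows that shape on a traffic-pricing-flavoured example: processes run in groups, channels are owned by groups and carry one kind of private data, a static pass infers a set of (group, kind, operation) triples, and a policy check rejects any triple the policy does not permit. `reduce_once` performs one communication step so that the preservation property (the residual system's typing is contained in the original's) can be observed directly.

```python
from dataclasses import dataclass, field

# All names below (groups, channels, policy, data kinds) are constructed for this example.
Channels = dict[str, tuple[str, str]]          # channel -> (owning group, data kind carried)
Policy = dict[str, dict[str, set[str]]]        # kind -> group -> permitted operations
Typing = set[tuple[str, str, str]]             # (group, kind, operation)


@dataclass
class Proc:
    group: str                                 # group (principal) the process runs in
    steps: list[tuple]                         # ("in",ch,var) | ("out",ch,var) | ("read",var) | ("store",var)
    env: dict[str, str] = field(default_factory=dict)   # variables held, with their data kind


def type_proc(p: Proc, chans: Channels) -> Typing:
    """Static summary of what p does with private data.
    Raises TypeError for an unbound variable or a value sent on a channel of another kind."""
    env, ty = dict(p.env), set()
    for step in p.steps:
        op = step[0]
        if op == "in":                          # receiving binds var to the channel's kind
            _, ch, var = step
            _, kind = chans[ch]
            env[var] = kind
            ty.add((p.group, kind, "read"))
        elif op == "out":                       # sending to another group's channel is a disclosure
            _, ch, var = step
            owner, kind = chans[ch]
            if env.get(var) != kind:
                raise TypeError(f"{p.group}: {var}:{env.get(var)} sent on {ch}:{kind}")
            if owner != p.group:
                ty.add((p.group, kind, f"disclose:{owner}"))
        elif op in ("read", "store"):
            _, var = step
            if var not in env:
                raise TypeError(f"{p.group}: {var} is unbound")
            ty.add((p.group, env[var], op))
        else:
            raise TypeError(f"unknown step {op!r}")
    return ty


def type_system(system: list[Proc], chans: Channels) -> Typing:
    return set().union(*(type_proc(p, chans) for p in system))


def violations(ty: Typing, policy: Policy) -> list[tuple[str, str, str]]:
    """Triples of the typing that the policy does not permit; empty means the typing satisfies the policy."""
    return sorted(t for t in ty if t[2] not in policy.get(t[1], {}).get(t[0], set()))


def reduce_once(system: list[Proc], chans: Channels) -> list[Proc]:
    """One communication step: the first matching out/in pair on a channel synchronises.
    Returns the residual system (unchanged if nothing can fire)."""
    for s in system:
        if s.steps and s.steps[0][0] == "out":
            _, ch, var = s.steps[0]
            for r in system:
                if r is not s and r.steps and r.steps[0][:2] == ("in", ch):
                    kind = chans[ch][1]
                    residual = []
                    for p in system:
                        if p is s:
                            residual.append(Proc(p.group, p.steps[1:], dict(p.env)))
                        elif p is r:
                            residual.append(Proc(p.group, p.steps[1:], {**p.env, p.steps[0][2]: kind}))
                        else:
                            residual.append(p)
                    return residual
    return system


# Constructed sample: a vehicle reports its location to a toll server; the policy lets the
# server read and store the location but never pass it on to the police.
CHANNELS: Channels = {"report": ("toll_server", "location"), "leak": ("police", "location")}
POLICY: Policy = {
    "location": {
        "vehicle": {"read", "disclose:toll_server"},
        "toll_server": {"read", "store"},
    }
}


def traffic_system(leak_to_police: bool) -> list[Proc]:
    server_steps = [("in", "report", "x"), ("read", "x"), ("store", "x")]
    if leak_to_police:
        server_steps.append(("out", "leak", "x"))   # the step the policy forbids
    return [Proc("vehicle", [("out", "report", "loc")], {"loc": "location"}),
            Proc("toll_server", server_steps)]


if __name__ == "__main__":
    for leak in (False, True):
        system = traffic_system(leak)
        print("leaking" if leak else "compliant", violations(type_system(system, CHANNELS), POLICY))
```

The check is entirely static: `violations` looks only at the inferred typing, never at a run of the system, and `reduce_once` is there only to show why that suffices, since every step leaves a residual whose typing is a subset of the original's, so a system that passes the check before running cannot fail it afterwards. The real calculus in the paper handles purposes, groups and channel types with far more structure than this sketch; what carries over is the division of labour between typing and policy satisfiability.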
