Design and analysis of privacy policies

Organizations, such as hospitals and financial institutions, that use privacy-sensitive information face the challenge of complying with privacy regulations and their own privacy policies. These regulations and policies are often written in natural language (or legalese), making it difficult for information systems to aid in assuring compliance. In this thesis, we propose a formal language for expressing and reasoning about privacy regulations and policies. Other researchers have proposed other privacy languages, but these languages suffer from semantic anomalies due to their handling of the “data hierarchy,” the relation between different attributes about the same individual. We analyze a number of examples of such anomalies in the Platform for Privacy Preferences and in the Enterprise Privacy Authorization Language and lay out a set of criteria for evaluating privacy languages. We present our language, the Logic of Privacy and Utility, which is based on Contextual Integrity, a theory of privacy expectations from the literatures on law and public policy. Our language formalizes a portion of Contextual Integrity as a concurrent game structure of communicating agents. We then use a fragment of the Alternating-time Temporal Logic of this model as our privacy language and identify specific syntactic forms for expressing the norms of Contextual Integrity. We evaluate the privacy features of the language in three ways. First, we present theorems about the complexity of combination and compliance, distinguishing between weak compliance (which does not consider the feasibility of future obligations) and strong compliance (which guarantees that agents can discharge their future obligations). Second, we compare the language with other approaches to codifying privacy policies, finding that our language generalizes a number of other approaches. Third, we show that the language is capable of expressing the privacy requirements from a number of privacy regulations, including the Health Insurance Portability and Accountability Act. To evaluate the utility features, those features that aid in reasoning about the usefulness of various data practices, we offer a theory of organizational workflows, also known as business processes. In this setting, we examine the trade-offs between privacy and utility in workflow design (including notions of “minimum necessary” information disclosure) and offer practical algorithms for auditing workflow execution to discover agents who both violate their workflow responsibilities and cause the organization to violate its privacy policy.
