Towards Compliance and Accountability: a Framework for Privacy Online

Over the last twenty years, there has been tremendous growth in the amount of data collected about individuals. Most existing privacy-enhancing technologies cannot prevent privacy breaches effectively, since the real threat lies not in the control of access to private data but in the control of its usage. While "access control" is well understood, how to achieve "usage control" is still unclear. In the online environment, information is easily copied or delivered. UCONABC, as the next generation of access control, is inadequate to cover the entire privacy information life cycle. As an alternative, accountability may become a candidate means of judging whether an individual’s data is used correctly. In this paper, we give a framework with the goal of privacy promise compliance and accountability, which may help in such situations before sound privacy answers are realized. We also discuss some relevant technical and non-technical components that are needed in the privacy scenario. Finally, we state several research challenges towards the implementation of our framework.
