Formalizing and Enforcing Purpose Restrictions in Privacy Policies

Privacy policies often place restrictions on the purposes for which a governed entity may use personal information. For example, regulations such as the Health Insurance Portability and Accountability Act (HIPAA) require that hospital employees use medical information only for certain purposes, such as treatment, and not for others, such as gossip. Thus, using formal or automated methods to enforce privacy policies requires a semantics of purpose restrictions that determines whether an action is for a purpose or not. We provide such a semantics using a formalism based on planning. We model planning using a modified version of Markov Decision Processes (MDPs) that excludes redundant actions, under a formal definition of redundancy. We argue that an action is for a purpose if and only if the action is part of a plan for optimizing the satisfaction of that purpose under the MDP model. We use this formalization to define when a sequence of actions is only for, or not for, a purpose. This semantics enables us to create and implement an algorithm for automating auditing, and to formally describe and rigorously compare previous enforcement methods. To validate our semantics, we conduct a survey comparing our semantics to how people commonly understand the word "purpose".
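The following Python is an added illustration of the semantics sketched above, not code from the paper: it builds a toy hospital MDP (states, actions, transition probabilities and rewards are constructed here, as is the simplified redundancy test) and flags a logged action as "for" the purpose of treatment only when it belongs to a plan that optimizes the treatment reward under value iteration.

```python
# Constructed toy MDP for the purpose "treatment". MDP[state][action] is a list
# of (probability, next_state, reward) outcomes; reward is earned only by
# actions that advance treatment, so an optimal plan is a plan for that purpose.
MDP = {
    "intake":    {"read_record":       [(1.0, "diagnosed", 0.0)],
                  "gossip":            [(1.0, "intake", 0.0)],
                  "idle":              [(1.0, "intake", 0.0)]},
    "diagnosed": {"treat":             [(0.9, "treated", 10.0), (0.1, "diagnosed", 0.0)],
                  "order_extra_tests": [(1.0, "diagnosed", -1.0)],
                  "read_record":       [(1.0, "diagnosed", 0.0)],
                  "gossip":            [(1.0, "diagnosed", 0.0)]},
    "treated":   {"discharge":         [(1.0, "done", 1.0)],
                  "gossip":            [(1.0, "treated", 0.0)]},
    "done":      {},  # terminal: no further actions
}

def q_value(mdp, V, s, a, gamma):
    return sum(p * (r + gamma * V[s2]) for p, s2, r in mdp[s][a])

def value_iteration(mdp, gamma=0.9, eps=1e-6):
    """Compute the optimal value of each state by repeated Bellman backups."""
    V = {s: 0.0 for s in mdp}
    while True:
        delta = 0.0
        for s, acts in mdp.items():
            if not acts:
                continue
            best = max(q_value(mdp, V, s, a, gamma) for a in acts)
            delta = max(delta, abs(best - V[s]))
            V[s] = best
        if delta < eps:
            return V

def is_redundant(mdp, s, a):
    # Simplified stand-in (an assumption, not the paper's formal definition):
    # an action that deterministically leaves the state unchanged and yields no
    # reward makes no progress toward the purpose and is excluded from plans.
    return mdp[s][a] == [(1.0, s, 0.0)]

def actions_for_purpose(mdp, V, s, gamma=0.9, tol=1e-6):
    """Non-redundant actions in state s that belong to some optimal plan."""
    cand = [a for a in mdp[s] if not is_redundant(mdp, s, a)]
    if not cand:
        return set()
    best = max(q_value(mdp, V, s, a, gamma) for a in cand)
    return {a for a in cand if q_value(mdp, V, s, a, gamma) >= best - tol}

def audit(mdp, log, gamma=0.9):
    """Label each logged (state, action) pair as for the purpose or not."""
    V = value_iteration(mdp, gamma)
    return [(s, a, a in actions_for_purpose(mdp, V, s, gamma)) for s, a in log]
```

Here "gossip" is excluded as redundant and "order_extra_tests" as suboptimal, so an auditor would flag both as not for treatment.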
