Purpose Restrictions on Information Use

Privacy policies in sectors as diverse as Web services, finance and healthcare often place restrictions on the purposes for which a governed entity may use personal information. Automated methods for enforcing such policies therefore need a semantics of purpose restrictions that determines whether a governed agent used information for a purpose. We provide such a semantics using a formalism based on planning. We model planning using Partially Observable Markov Decision Processes (POMDPs), which support an explicit model of the information available to the agent. We argue that information use is for a purpose if and only if the information is used while planning to optimize the satisfaction of that purpose under the POMDP model. We determine whether information was used by simulating ignorance of the information prohibited by the purpose restriction, a construction we relate to noninterference. We use this semantics to develop a sound audit algorithm that automates the enforcement of purpose restrictions.
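The following Python is an added worked example, not the paper's own model, algorithm or code. It illustrates the three ingredients the abstract names on a two-state toy: exact finite-horizon planning over beliefs in a POMDP, simulated ignorance (the observation channel that carries the protected information is cut, and the resulting behaviour is compared with the informed behaviour, a noninterference check), and an audit that replays a log of actions and observations against purpose-optimal planning. The scenario (a patient status that may be used only for the purpose "treatment"), the action and observation names, the reward numbers, the tie-breaking rule and the two logs are all assumptions constructed for this example.

```python
"""Constructed illustration of purpose-optimal POMDP planning, simulated
ignorance and a purpose-restriction audit.  The protected information is
a patient's true status (the hidden POMDP state); the restriction allows
the agent to use it only for the purpose "treatment".  All names, rewards
and logs are assumptions for this example, not the paper's model."""

# Tie-breaking order: "idle" first, so ignorance never "accidentally"
# picks a status-dependent action when several actions tie.
ACTIONS = ("idle", "test", "drug_A", "drug_B", "ad")
OBS = ("result_pos", "result_neg", "none")
PRIOR = 0.5      # P(status == pos) before any observation (assumed)
HORIZON = 2      # number of decisions the agent gets to make (assumed)

# Reward R(action, state) per purpose; missing entries are 0 (assumed).
REWARD = {
    "treatment": {("test", "pos"): -1, ("test", "neg"): -1,
                  ("drug_A", "pos"): 10, ("drug_A", "neg"): -10,
                  ("drug_B", "pos"): -10, ("drug_B", "neg"): 10},
    "marketing": {("test", "pos"): -1, ("test", "neg"): -1,
                  ("ad", "pos"): 5, ("ad", "neg"): -4},
    "archive":   {("idle", "pos"): 1, ("idle", "neg"): 1},  # status-independent
}


def obs_prob(action, state, obs, ignorant):
    """P(obs | action, state).  With ignorant=True the channel carrying the
    protected status is cut: the agent only ever sees 'none'.  That is how
    this example simulates ignorance of the prohibited information."""
    if action == "test" and not ignorant:
        return 1.0 if obs == ("result_pos" if state == "pos" else "result_neg") else 0.0
    return 1.0 if obs == "none" else 0.0


def update(belief, action, obs, ignorant):
    """Bayes update of P(pos); the underlying status never changes."""
    num = belief * obs_prob(action, "pos", obs, ignorant)
    den = num + (1 - belief) * obs_prob(action, "neg", obs, ignorant)
    if den == 0:
        raise ValueError(f"observation {obs!r} is impossible after {action!r}")
    return num / den


def plan(purpose, belief, steps, ignorant=False):
    """Exact finite-horizon value iteration over beliefs (fine for two
    states and two steps).  Returns (optimal value, optimal actions)."""
    if steps == 0:
        return 0.0, []
    r, best, best_actions = REWARD[purpose], None, []
    for a in ACTIONS:
        q = belief * r.get((a, "pos"), 0) + (1 - belief) * r.get((a, "neg"), 0)
        for o in OBS:
            p_o = (belief * obs_prob(a, "pos", o, ignorant)
                   + (1 - belief) * obs_prob(a, "neg", o, ignorant))
            if p_o > 0:
                q += p_o * plan(purpose, update(belief, a, o, ignorant), steps - 1, ignorant)[0]
        q = round(q, 9)
        if best is None or q > best:
            best, best_actions = q, [a]
        elif q == best:
            best_actions.append(a)
    return best, best_actions


def action_sequences(purpose, ignorant, belief=PRIOR, steps=HORIZON):
    """Every action sequence the purpose-optimal policy (ties broken by
    ACTIONS order) can produce, one per reachable observation branch."""
    if steps == 0:
        return {()}
    a = plan(purpose, belief, steps, ignorant)[1][0]
    seqs = set()
    for o in OBS:
        p_o = (belief * obs_prob(a, "pos", o, ignorant)
               + (1 - belief) * obs_prob(a, "neg", o, ignorant))
        if p_o > 0:
            for rest in action_sequences(purpose, ignorant, update(belief, a, o, ignorant), steps - 1):
                seqs.add((a,) + rest)
    return seqs


def uses_information(purpose):
    """Noninterference check: planning for `purpose` uses the protected
    status iff cutting the channel changes what the optimal policy does."""
    return action_sequences(purpose, ignorant=False) != action_sequences(purpose, ignorant=True)


def audit(log, allowed_purpose="treatment"):
    """Replay a log of (action, observation) pairs.  A step is flagged when
    the action is not optimal for the allowed purpose at the belief the
    agent held then, i.e. it is not explained by planning for that purpose."""
    assert len(log) <= HORIZON, "log longer than the planning horizon"
    flagged, belief = [], PRIOR
    for i, (action, obs) in enumerate(log):
        if action not in plan(allowed_purpose, belief, HORIZON - i)[1]:
            flagged.append((i, action))
        belief = update(belief, action, obs, ignorant=False)
    return flagged


if __name__ == "__main__":
    for p in REWARD:
        print(p, "uses status:", uses_information(p), sorted(action_sequences(p, False)))
    # constructed logs: test then treat (allowed) vs. test then target an ad
    print(audit([("test", "result_pos"), ("drug_A", "none")]))
    print(audit([("test", "result_pos"), ("ad", "none")]))
```

Planning for "treatment" and for "marketing" both fail the noninterference check (the optimal policy orders a test and then branches on the result), while "archive" passes, since its reward never depends on the status. The audit flags the second log at step 1: after learning the status, sending the ad is not optimal for treatment, so that action is not explained by the permitted purpose. Note that this simplified check flags any action not optimal for the allowed purpose; the abstract's semantics only counts a violation when the prohibited information was actually used, which the auditor can establish only through the simulated-ignorance comparison that `uses_information` shows for a known policy.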
