Eddy, a formal language for specifying and analyzing data flow specifications for conflicting privacy requirements

Increasingly, companies use multi-source data to operate new information systems, such as social networking, e-commerce, and location-based services. These systems leverage complex, multi-stakeholder data supply chains in which each stakeholder (e.g., users, developers, companies, and government) must manage privacy and security requirements that cover their practices. US and European regulators expect companies to ensure consistency between their privacy policies and their data practices, including restrictions on what data may be collected, how it may be used, to whom it may be transferred, and for what purposes. To help developers check this consistency, we identified a strict subset of commonly found privacy requirements and developed a methodology to map these requirements from natural language text to a formal language in description logic, called Eddy. Using this language, developers can detect conflicting privacy requirements within a policy and trace data flows within these policies. We derived our methodology from an exploratory case study of the Facebook platform policy and an extended case study using privacy policies from Zynga and AOL Advertising. In this paper, we report results from multiple analysts in a literal replication study, which includes a refined methodology and a set of heuristics that we used to extract privacy requirements from policy texts. In addition to presenting the method, we report results from performing automated conflict detection within the Facebook, Zynga, and AOL privacy specifications, and results from a computer simulation that demonstrates the scalability of our formal language toolset to specifications of reasonable size.
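The following Python is an added illustration, not the paper's Eddy toolset or its description-logic semantics: it sketches the kind of conflict the abstract describes, a permission and a prohibition on the same action (collect, use, transfer) whose data and purpose categories overlap under a hierarchy. The hierarchies, the modality labels "P"/"R" and the sample rules are all constructed for this example.

```python
from dataclasses import dataclass
from itertools import product

# Constructed, simplified taxonomies (hypothetical; the paper derives such
# categories from policy text). Each entry maps a term to its more general parent.
DATA_PARENT = {"email": "contact-info", "ip-address": "device-info",
               "contact-info": "personal-info", "device-info": "personal-info",
               "personal-info": "anything"}
PURPOSE_PARENT = {"targeted-ads": "advertising", "advertising": "any-purpose",
                  "service-delivery": "any-purpose"}

def ancestors(term, parents):
    """Return the set containing term and all of its more general terms."""
    out = {term}
    while term in parents:
        term = parents[term]
        out.add(term)
    return out

def overlaps(a, b, parents):
    """Two terms overlap when one subsumes the other in the hierarchy."""
    return a in ancestors(b, parents) or b in ancestors(a, parents)

@dataclass(frozen=True)
class Requirement:
    modality: str   # "P" = permitted, "R" = prohibited (assumed labels)
    action: str     # "COLLECT", "USE" or "TRANSFER"
    datum: str
    purpose: str

def conflicts(reqs):
    """Pairs (permission, prohibition) on the same action whose datum and purpose overlap."""
    perms = [r for r in reqs if r.modality == "P"]
    prohibs = [r for r in reqs if r.modality == "R"]
    found = []
    for p, r in product(perms, prohibs):
        if (p.action == r.action
                and overlaps(p.datum, r.datum, DATA_PARENT)
                and overlaps(p.purpose, r.purpose, PURPOSE_PARENT)):
            found.append((p, r))
    return found

# Constructed sample specification; the USE permission on contact-info for
# advertising overlaps the USE prohibition on email for targeted ads.
POLICY = [
    Requirement("P", "COLLECT", "personal-info", "service-delivery"),
    Requirement("P", "USE", "contact-info", "advertising"),
    Requirement("R", "USE", "email", "targeted-ads"),
    Requirement("R", "TRANSFER", "personal-info", "any-purpose"),
]

if __name__ == "__main__":
    for p, r in conflicts(POLICY):
        print(f"CONFLICT: {p} vs {r}")
```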
