Log Analysis for Data Protection Accountability

Accountability is increasingly recognised as a cornerstone of data protection, notably in European regulation, but the term is frequently used in a vague sense. For accountability to bring tangible benefits, the expected properties of personal data handling logs used as "accounts" and the assumptions regarding the logging process must be defined with accuracy. In this paper, we provide a formal framework for accountability and show the correctness of the log analysis with respect to abstract traces used to specify privacy policies. We also show that compliance with respect to data protection policies can be checked based on logs free of personal data, and describe the integration of our formal framework in a global accountability process.
