How Usage Control and Provenance Tracking Get Together - A Data Protection Perspective

These days, sensitive and personal information is used within a wide range of applications. The exchange of this information is increasingly faster and more and more unpredictable. Hence, the person concerned cannot determine what happens with his personal data after it has been released. It is highly intransparent who is accountable for data misuse. Usage control and provenance tracking are two different approaches to tackle this problem. This work compares the two concepts from a data protection perspective. The support and fulfillment of data protection requirements are analysed. Models and architectures are investigated for commonalities. Combining the two technologies can increase flexibility and effectiveness of provenance tracking and thereby enhance information accountability in practice, if resulting linkability drawbacks are properly handled. A joint architecture is proposed to support this insight.

[1]  Lalana Kagal,et al.  Access Control is an Inadequate Framework for Privacy Protection , 2010 .

[2]  Tim Moses,et al.  EXtensible Access Control Markup Language (XACML) version 1 , 2003 .

[3]  Oshani Seneviratne,et al.  Usage Restriction Management for Accountable Data Transfer on the Web , 2011 .

[4]  Marc Langheinrich,et al.  The platform for privacy preferences 1.0 (p3p1.0) specification , 2002 .

[5]  Marit Hansen,et al.  Top 10 Mistakes in System Design from a Privacy Perspective and Privacy Protection Goals , 2011, PrimeLife.

[6]  Yogesh L. Simmhan,et al.  The Open Provenance Model core specification (v1.1) , 2011, Future Gener. Comput. Syst..

[7]  Paul T. Groth,et al.  The provenance of electronic data , 2008, CACM.

[8]  Margo I. Seltzer,et al.  Provenance-Aware Storage Systems , 2006, USENIX ATC, General Track.

[9]  Christian Schaefer,et al.  Usage Control Enforcement with Data Flow Tracking for X11 , 2009, STM 2009.

[10]  Andreas Pfitzmann,et al.  Datenschutz-Schutzziele — revisited , 2009, Datenschutz und Datensicherheit - DuD.

[11]  Christian Schaefer,et al.  Mechanisms for usage control , 2008, ASIACCS '08.

[12]  Margo I. Seltzer,et al.  Securing Provenance , 2008, HotSec.

[13]  Christian Schaefer,et al.  A Policy Language for Distributed Usage Control , 2007, ESORICS.

[14]  Hermann de Meer,et al.  Towards Automated Processing of the Right of Access in Inter-organizational Web Service Compositions , 2010, 2010 6th World Congress on Services.

[15]  Luc Moreau,et al.  PROV-Overview. An Overview of the PROV Family of Documents , 2013 .

[16]  Yogesh L. Simmhan,et al.  A survey of data provenance in e-science , 2005, SGMD.

[17]  Shouhuai Xu,et al.  A Characterization of the problem of secure provenance management , 2009, 2009 IEEE International Conference on Intelligence and Security Informatics.

[18]  Cláudio T. Silva,et al.  Provenance for Computational Tasks: A Survey , 2008, Computing in Science & Engineering.

[19]  Oshani Wasana Seneviratne,et al.  Augmenting the web with accountability , 2012, WWW.

[20]  Christian Schaefer,et al.  Usage Control Enforcement: Present and Future , 2008, IEEE Security & Privacy.

[21]  Alexander Pretschner,et al.  Representation-Independent Data Usage Control , 2011, DPM/SETOP.

[22]  Alexander Pretschner,et al.  Flexible Data-Driven Security for Android , 2012, 2012 IEEE Sixth International Conference on Software Security and Reliability.

[23]  Margo I. Seltzer,et al.  Layering in Provenance Systems , 2009, USENIX Annual Technical Conference.

[24]  James A. Hendler,et al.  Information accountability , 2008, CACM.

[25]  Jaehong Park,et al.  Towards usage control models: beyond traditional access control , 2002, SACMAT '02.

[26]  Riccardo Pucella,et al.  A Formal Foundation for ODRL , 2006, ArXiv.

[27]  SandhuRavi,et al.  The UCONABC usage control model , 2004 .

[28]  Yurdaer N. Doganata,et al.  Business Provenance - A Technology to Increase Traceability of End-to-End Operations , 2008, OTM Conferences.

[29]  Brian Demsky Garm: cross application data provenance and policy enforcement , 2009 .

[30]  Jean-Pierre Seifert,et al.  A general obligation model and continuity: enhanced policy enforcement engine for usage control , 2008, SACMAT '08.