Monitoring Data Minimisation

Data minimisation is a privacy-enhancing principle stating that the personal data collected should be no more than necessary for the specific purpose consented to by the user. Checking that a program satisfies the data minimisation principle is not easy, even in the simple case of deterministic programs viewed as functions. In this paper we prove (im)possibility results concerning runtime monitoring of (non-)minimality for deterministic programs, both when the program has one input source (monolithic case) and for the more general case when inputs come from independent sources (distributed case). We propose monitoring mechanisms where a monitor observes the inputs and the outputs of a program in order to detect violations of data minimisation policies. We show that monitorability of (non-)minimality is decidable only for specific cases, and that detection of satisfaction of the different notions of minimality is undecidable in general. That said, we show that under certain conditions monitorability is decidable, and we provide an algorithm and a bound to check such properties in a pre-deployment controlled environment, which is also able to compute a minimiser for the given program. Finally, we provide a proof-of-concept implementation for both offline and online monitoring and apply it to some case studies.
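As an added illustration of the monolithic case (example code written for this page, not the paper's proof-of-concept implementation), the monitor below observes (input, output) pairs and reports a witness of non-minimality, and a pre-deployment routine computes a minimiser over a finite input domain. It assumes the injectivity-based definition of monolithic minimality from the authors' earlier language-based work, which this abstract does not spell out: a deterministic program is minimal when distinct inputs always yield distinct outputs, so two distinct inputs sharing an output prove that more data was collected than the output needs. The sample program (an age check) and trace are constructed here.

```python
"""Monitoring monolithic data minimisation (added example, not the paper's code).

Assumed definition: a deterministic program p is monolithic-minimal when it is
injective on its input domain. Two distinct inputs with the same output are a
witness that p collects more data than its output needs. A monitor observing
(input, output) pairs can refute minimality from a finite trace, but it can
never confirm minimality without seeing the whole (possibly infinite) domain,
which is the asymmetry behind the abstract's (un)decidability results.
"""
from typing import Callable, Dict, Hashable, Iterable, Optional, Tuple

Witness = Tuple[Hashable, Hashable, Hashable]  # (input1, input2, shared output)


class MinimalityMonitor:
    """Online monitor: feed (input, output) pairs as they are observed."""

    def __init__(self) -> None:
        self._seen: Dict[Hashable, Hashable] = {}  # output -> first input seen

    def observe(self, inp: Hashable, out: Hashable) -> Optional[Witness]:
        if out in self._seen and self._seen[out] != inp:
            return (self._seen[out], inp, out)  # violation: p is not injective
        self._seen.setdefault(out, inp)
        return None


def check_trace(trace: Iterable[Tuple[Hashable, Hashable]]) -> Optional[Witness]:
    """Offline monitoring: replay a recorded trace through the online monitor."""
    monitor = MinimalityMonitor()
    for inp, out in trace:
        witness = monitor.observe(inp, out)
        if witness is not None:
            return witness
    return None


def compute_minimiser(p: Callable, domain: Iterable) -> Dict[Hashable, Hashable]:
    """Pre-deployment check (assumes a finite, enumerable domain). Returns a
    minimiser m with p(m(x)) == p(x) for every x: each input is mapped to one
    representative per distinct output, so p restricted to m's image is
    injective, i.e. minimal. Only the representatives need to be collected."""
    representative: Dict[Hashable, Hashable] = {}
    for x in domain:
        representative.setdefault(p(x), x)
    return {x: representative[p(x)] for x in domain}


def is_minimal_on(p: Callable, domain: Iterable) -> bool:
    """p is minimal on a finite domain iff its minimiser is the identity."""
    return all(x == rep for x, rep in compute_minimiser(p, domain).items())


# Constructed sample: an age gate that only needs to learn "18 or older".
over_18 = lambda age: age >= 18
SAMPLE_TRACE = [(25, True), (17, False), (30, True)]  # constructed observations
```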
