Formal consistency verification between BPEL process and privacy policy

Despite the increased privacy concerns on the Internet, not much attention has been paid to enforcing the privacy policies of organisations that collect and consume personal data by automatic means (e.g., Web services). In this paper, we propose a graph-transformation-based framework to check whether an internal business process (implemented in a standard Web service composition language such as BPEL) adheres to the organisation's privacy policies. The graph-based specification formalism combines the advantages of an intuitive visual framework with a rigorous semantic foundation that allows consistency checking between a business process and a privacy policy. The privacy consistency verification framework is defined by a set of rules that build the system state and by sets of constraints (positive and negative) that specify the wanted and unwanted substates.
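The following is an added illustration of the abstract's scheme, not the paper's formalism or tooling: a system state is a graph of labelled edges, each BPEL activity (receive, invoke, a consent step) is a transformation rule with a precondition (left-hand side) and added edges (right-hand side), and the privacy policy contributes negative constraints (forbidden substates: use for an unpermitted purpose, disclosure to an unpermitted recipient) and a positive constraint (a wanted substate: consent recorded wherever the policy requires it). The policy, data items, purposes, recipients and activity sequences are all constructed sample values.

```python
"""Toy graph-transformation check of a BPEL-style process against a privacy policy.

Added example, not the paper's formalism. State = set of (source, label, target)
edges; rules rewrite the state; constraints are checked on the final state.
"""
from dataclasses import dataclass, field


@dataclass
class Graph:
    """System state (or policy) as a set of labelled edges (source, label, target)."""
    edges: set = field(default_factory=set)

    def has(self, src, label, dst):
        return (src, label, dst) in self.edges

    def with_label(self, label):
        return [(s, d) for s, l, d in self.edges if l == label]


def build_policy():
    """Constructed sample privacy policy, encoded as permission edges."""
    return Graph({
        ("email", "may_use_for", "order_confirmation"),
        ("email", "may_use_for", "newsletter"),
        ("email", "requires_consent", "newsletter"),
        ("address", "may_use_for", "shipping"),
        ("address", "may_disclose_to", "courier"),
    })


# Transformation rules: one per BPEL activity kind. The precondition is the rule's
# left-hand side; the edges it adds are its right-hand side.
def rule_receive(state, data):
    """<receive>: the process takes a personal data item into its state."""
    state.edges.add(("process", "holds", data))


def rule_consent(state, data, purpose):
    """Consent step: records the data subject's consent for one purpose."""
    if not state.has("process", "holds", data):
        raise ValueError(f"rule not applicable: {data} not held by the process")
    state.edges.add((data, "consented_for", purpose))


def rule_invoke(state, data, purpose, recipient=None):
    """<invoke>: the data is used for a purpose and optionally sent to a partner."""
    if not state.has("process", "holds", data):
        raise ValueError(f"rule not applicable: {data} not held by the process")
    state.edges.add((data, "used_for", purpose))
    if recipient is not None:
        state.edges.add((data, "sent_to", recipient))


RULES = {"receive": rule_receive, "consent": rule_consent, "invoke": rule_invoke}


def build_state(process):
    """Apply the rule for each activity in order; the result is the final system state."""
    state = Graph()
    for activity, *args in process:
        RULES[activity](state, *args)
    return state


def negative_constraints(state, policy):
    """Unwanted substates: patterns that must not occur in the final state."""
    found = []
    for data, purpose in state.with_label("used_for"):
        if not policy.has(data, "may_use_for", purpose):
            found.append(f"N1 unauthorised purpose: {data} used for {purpose}")
    for data, recipient in state.with_label("sent_to"):
        if not policy.has(data, "may_disclose_to", recipient):
            found.append(f"N2 unauthorised disclosure: {data} sent to {recipient}")
    return found


def positive_constraints(state, policy):
    """Wanted substates: each use of a consent-bound purpose must come with recorded consent."""
    missing = []
    for data, purpose in policy.with_label("requires_consent"):
        if state.has(data, "used_for", purpose) and not state.has(data, "consented_for", purpose):
            missing.append(f"P1 missing consent: {data} used for {purpose}")
    return missing


def check_consistency(process, policy):
    """Build the state from the process; an empty result means process and policy are consistent."""
    state = build_state(process)
    return negative_constraints(state, policy) + positive_constraints(state, policy)


# Constructed sample processes, abstracted from BPEL activity sequences.
COMPLIANT = [
    ("receive", "email"), ("receive", "address"),
    ("invoke", "email", "order_confirmation"),
    ("invoke", "address", "shipping", "courier"),
]
VIOLATING = [
    ("receive", "email"),
    ("invoke", "email", "newsletter"),               # no consent step precedes this use
    ("invoke", "email", "profiling", "ad_partner"),  # purpose and recipient absent from policy
]

if __name__ == "__main__":
    for name, proc in (("compliant", COMPLIANT), ("violating", VIOLATING)):
        print(name, check_consistency(proc, build_policy()) or "consistent")
```

The rule precondition (the data item must already be held by the process) shows why rule application, not just the final state, matters: an activity that cannot match its left-hand side is itself a modelling error, distinct from a policy violation. Inserting a `("consent", "email", "newsletter")` activity before the newsletter invoke in `VIOLATING` clears the positive-constraint violation while the two negative-constraint violations remain.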
