Type Checking Privacy Policies in the π-calculus

In this paper we propose a formal framework for studying privacy. Our framework is based on the π-calculus with groups accompanied by a type system for capturing privacy requirements relating to information collection, information processing and information dissemination. The framework incorporates a privacy policy language. We show that a system respects a privacy policy if the typing of the system is compatible with the policy. We illustrate our methodology via analysis of privacy-aware schemes proposed for electronic traffic pricing.
