Enterprise Privacy Promises and Enforcement Adam Barth John C. Mitchell.

Formal Languages for Privacy
Protect privacy
 State and enforce restrictions on use of data
 Using a formal policy language
Existing formal languages for privacy
 W3C’s Platform for Privacy Preferences (P3P)
 IBM’s Enterprise Privacy Authorization Language (EPAL)
No connection between P3P and EPAL policies
State and prove precise connection
 Unified, data-centric model for privacy policies

Current Usage Scenario
(Diagram: the service provider transmits its P3P policy to the consumer’s user agent, which the consumer configures; the user agent accepts or rejects, and on acceptance the consumer reveals personal information; the service provider respects its EPAL policy.)
Consumer bases her decision on the announced P3P policy, which is not formally related to the operative EPAL policy.

Proposed Usage Scenario
(Diagram: the service provider enforces its EPAL policy and generates its P3P policy from it; the P3P policy is transmitted to the user agent, which the consumer configures with an APPEL preference; the user agent accepts, and the consumer accepts.)
Service provider’s use of consumer’s personal information respects consumer’s preference.

Data Hierarchies for Privacy
(Diagram: example data hierarchy with sample values)
user
 name: given (George), middle (Walker), family (Bush)
 bdate.ymd: year (1946), month (July), day (9)
 jobtitle: United States President

Policies As Sets of Promises
(Diagram: the data hierarchy user → name (given, middle, family), bdate.ymd (year, month, day), jobtitle)
View a privacy policy as a set of promises made by a service provider to a consumer
 “I will not disclose your birth date, but I might disclose your name.”

Can “user” data be disclosed?
(Diagram: the same data hierarchy)
Service provider reasons:
 “If I disclose user information, I would disclose the user’s birth date and violate my promise.”
He concludes: No

Can “user” data be disclosed?
(Diagram: the same data hierarchy)
Consumer reasons:
 “The service provider might disclose my name, and in doing so, he would disclose my user information.”
She concludes: Yes

Actually Asking Different Questions
Service providers and consumers are actually asking different questions:
 Service provider: can I disclose all data?
 Consumer: can he disclose some data?
Formalize as modalities over data hierarchy
Semantics of policies as Kripke frames
“Enforces” defined by comparing modal theories, ensuring reasoning carries over

Application: Compact Policies
P3P Compact Policies are terse policy summaries for use in HTTP headers
W3C definition of compact policies agrees with our model
 Policies enforce their compact representation
We give compact policies clear semantics
 Terms on a compact policy represent the values of certain ◊ terms in our modal logic
 Terms answer common consumer queries

Application: Privacy Preferences
Consumer configures user agent with preference
Two languages proposed
 APPEL
 XPref
Both can express non-guaranteed preferences
 “Block web sites that do not telemarket.”
(Diagram: actual practices, EPAL policy and P3P policy ordered from more restrictive to less restrictive and linked by the enforces relation; the APPEL or XPref preference is shown accepting one policy and rejecting another.)


Policy Summarization Algorithm
Motivation: Leverage effort spent writing detailed enforcement policy to generate policy summary
Criteria for generated policy summary:
 Enforced by detailed policy
 Least permissive such policy
We provide an algorithm for generating such policy summaries
 Intuition: walk up summary data hierarchy and ensure all necessary formulae hold

Conclusion
Proposed a uniform model for privacy
Connected privacy promises with privacy enforcement
Defined clear semantics for P3P compact policies
Discovered anomalies in APPEL and XPref
Provided an algorithm for summarizing detailed policies (e.g. translating EPAL into P3P)
In privacy, it is important to consider the differing perspectives of the principals involved

Questions?

Enforces Relation
Policy q enforces policy p if every user agent that accepts p also accepts policy q
If a service provider’s EPAL policy enforces its P3P policy, a consumer who accepts the P3P policy will also accept the operative EPAL policy
(Diagram: policy q enforces policy p; a user agent accepting p implies that it accepts q.)

Modalities Reflect Perspectives
Formalize perspectives using modal logic
Modalities (□ and ◊) over data hierarchy
Postal address ||- □ Disclose
 Service provider may disclose all components of consumer’s postal address
 Reflects service provider’s perspective
Postal address ||- ◊ Disclose
 Service provider may disclose some components of consumer’s postal address
 Reflects consumer’s perspective

Enforcing Privacy Promises
Consumers use a class of modal formulae in reasoning about a policy
Formally define “enforces” using modal logic
 q enforces p if all such positive modal formulae true of q are also true of p
Ensures that reasoning carries over from enforced to enforcing policy
Generalizes previous privacy policy relations

Transitivity of Enforcement
Enforcement relation is transitive
Consumer can use compact policy to bound full policy
Full P3P policy, in turn, bounds operative EPAL policy
(Diagram: from less restrictive / less detailed to more restrictive / more detailed: compact policy, P3P policy, EPAL policy, actual practices; the more restrictive policy enforces the less restrictive one.)
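The following Python program is an added illustration of the ideas on the "Modalities", "Enforces Relation", "Transitivity" and "Policy Summarization Algorithm" slides; it is not code from the slides or from the Barth and Mitchell paper. It assumes (my modelling choices, not the page's) that a policy maps each leaf of the data hierarchy to the set of actions the provider may perform on it, that □a holds at a node when every leaf below it permits a and ◊a when some leaf does, that a summary hierarchy reuses the names of the detailed nodes it collapses, and that the "least permissive summary enforced by the detailed policy" is obtained by letting each summary leaf permit exactly the actions whose ◊ formula holds at the matching detailed node. The sample hierarchy is the one from the "Data Hierarchies" slide; the policies are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Set

# Actions a service provider might be permitted to perform on a data item (assumed set).
ACTIONS = ("disclose", "telemarket")


@dataclass
class Node:
    """A node of a data hierarchy (a tree, as in the P3P data schema on the slides)."""
    name: str
    children: List["Node"] = field(default_factory=list)

    def nodes(self) -> Iterator["Node"]:
        yield self
        for child in self.children:
            yield from child.nodes()

    def leaves(self) -> List["Node"]:
        return [n for n in self.nodes() if not n.children]

    def find(self, name: str) -> "Node":
        for n in self.nodes():
            if n.name == name:
                return n
        raise KeyError(name)


Policy = Dict[str, Set[str]]  # leaf name -> actions the provider may perform on it


def box(tree: Node, policy: Policy, name: str, action: str) -> bool:
    """node ||- □action: the provider may perform `action` on ALL leaves below the node
    (the service provider's question: "can I disclose all of this data?")."""
    return all(action in policy.get(leaf.name, set()) for leaf in tree.find(name).leaves())


def diamond(tree: Node, policy: Policy, name: str, action: str) -> bool:
    """node ||- ◊action: the provider may perform `action` on SOME leaf below the node
    (the consumer's question: "might he disclose some of this data?")."""
    return any(action in policy.get(leaf.name, set()) for leaf in tree.find(name).leaves())


def enforces(q_tree: Node, q: Policy, p_tree: Node, p: Policy) -> bool:
    """q enforces p: every positive modal formula (□a or ◊a at a node) true of q is also
    true of p, i.e. p is at least as permissive as q. The nodes of p_tree are assumed
    to name nodes of q_tree (p_tree may be a coarser summary of q_tree)."""
    for node in p_tree.nodes():
        for a in ACTIONS:
            if box(q_tree, q, node.name, a) and not box(p_tree, p, node.name, a):
                return False
            if diamond(q_tree, q, node.name, a) and not diamond(p_tree, p, node.name, a):
                return False
    return True


def summarize(q_tree: Node, q: Policy, p_tree: Node) -> Policy:
    """Least permissive policy over the summary hierarchy p_tree that q enforces.
    A summary leaf must permit `a` exactly when ◊a holds at the matching detailed node;
    permitting less would lose a ◊ formula the consumer relies on, permitting more is
    unnecessary (assumed reading of "walk up the summary hierarchy")."""
    return {leaf.name: {a for a in ACTIONS if diamond(q_tree, q, leaf.name, a)}
            for leaf in p_tree.leaves()}


# Constructed sample hierarchies: the detailed schema from the slides, a P3P-style
# summary of it, and a compact-policy-style summary with a single data item.
DETAILED = Node("user", [
    Node("name", [Node("given"), Node("middle"), Node("family")]),
    Node("bdate.ymd", [Node("year"), Node("month"), Node("day")]),
    Node("jobtitle"),
])
SUMMARY = Node("user", [Node("name"), Node("bdate.ymd"), Node("jobtitle")])
COMPACT = Node("user")

# Constructed detailed (EPAL-like) policy: "I will not disclose your birth date, but I
# might disclose your name" (here: given and family name, not the middle name).
Q: Policy = {
    "given": {"disclose"},
    "family": {"disclose"},
    "jobtitle": {"disclose", "telemarket"},
}


def main() -> None:
    # The two perspectives from the "Can user data be disclosed?" slides.
    print("provider asks □disclose at user:", box(DETAILED, Q, "user", "disclose"))
    print("consumer asks ◊disclose at user:", diamond(DETAILED, Q, "user", "disclose"))
    p = summarize(DETAILED, Q, SUMMARY)
    print("P3P-style summary:", p)
    print("EPAL policy enforces P3P summary:", enforces(DETAILED, Q, SUMMARY, p))
    # Transitivity: summarizing the summary gives a compact policy still enforced by Q.
    c = summarize(SUMMARY, p, COMPACT)
    print("compact policy:", c)
    print("EPAL policy enforces compact policy:", enforces(DETAILED, Q, COMPACT, c))
    # A stricter summary that hides the name is not enforced: ◊disclose at "name" is lost.
    print("stricter summary enforced:", enforces(DETAILED, Q, SUMMARY, dict(p, name=set())))


if __name__ == "__main__":
    main()
```

Running the script shows the provider's □ question answered "no" and the consumer's ◊ question answered "yes" over the same policy, the generated P3P-style and compact summaries, and that a summary which promises less than ◊disclose at "name" is rejected by the enforces check.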

Projection Algorithm (cont’d)