Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford) Helen Nissenbaum (NYU)

Privacy in Health Care Patient DoctorSpecialist Electronic Health Record Patient Portal Insurer HIPAA Compliance

Broad Goal Protect privacy –Can a banker tell a marketer a customer’s address? Express policy precisely –Enterprise privacy policies –Privacy provisions from legislation Analyze privacy policies –Action complies with policy? –Policy enforces law?

Approach Privacy model –Agents communicating about each other Logic over model –Linear temporal logic Policies as logical formulas –Control expressive power Apply logical tools –Leverage LTL research

Contextual Integrity Philosophical account of privacy –Transfer of personal information –Describes what people care about Flow governed by norms –Agents act in roles in social contexts –Rejects public/private dichotomy Principles of transmission –Confidentiality, reciprocity, dessert, etc

Privacy Model for CI AliceBob Charlie’s SSN is Restrict messages –Messages about subjects Judgments over traces –Past and future relevant Agents reason about attributes

Access Control vs. Privacy Access control –Subject (= actor) –Object –Action Stateless –Except Chinese wall Discrete elements Privacy policies –Sender –Recipient –Subject (of message) –Attribute –Transmission principle Temporal –Past: Opt-in / opt-out –Future: Notification Structured attributes

Syntax Grammar for logic –  ::= send(p 1,p 2,m)p 1 sends p 2 message m | contains(m, q, t)m contains attrib t about q | inrole(p, r)p is active in role r | incontext(p, c)p is active in context c | t  t’Attrib t is part of attrib t’ |    |  |  x: .  Classical operators |  U  |  S  | O  Temporal operators Policies use a restricted class of formulas

CI Norms and Policies Policy consists of norms (+)inrole(p 1, r 1 )  inrole(p 2, r 2 )  inrole(q, r)  t  t’     (  )inrole(p 1, r 1 )  inrole(p 2, r 2 )  inrole(q, r)  t  t’     –  is an agent constraint –  is a temporal condition Norms assembled into policy formula –  p 1,p 2,q:P.  m:M.  t:T.incontext(p 1, c)  send(p 1, p 2, m)  contains(m, q, t)   {  + |  +  norms + (c) }   {   |    norms  (c) }

Sender roleSubject roleAttribute Transmission principle Gramm-Leach-Bliley Example Recipient role Financial institutions must notify consumers if they share their non-public personal information with non- affiliated companies, but the notification may occur either before or after the information sharing occurs

Expressiveness of CI Evaluated on privacy laws –HIPAA, GLBA, and COPPA Captured most privacy provisions –Missed de-identified health info in HIPAA Laws used most features –Roughly as expressive as required

Structure of Attributes Health Information Psychotherapy Notes Date of Birth AgeZodiac SignTest Results Heath care providers can tell patients their health information Heath care providers can tell patients their psychotherapy notes only if a psychiatrist has approved Sender roleRecipient roleSubject roleAttribute Health Information Psychotherapy NotesTest Results Health Information Psychotherapy Notes

Extensional vs. Intentional Extensional semantics –Equates policies with judgments –Ignores why judgments reached Intentional semantics –Policies as list of rules –Reason for judgment preserved Extensional combination tricky –Attribute inheritance

Difficulties in Combination Date of Birth AgeZodiac Sign Age AND= Date of Birth AgeZodiac Sign Date of Birth AgeZodiac Sign Age OR= Date of Birth AgeZodiac Sign Date of Birth

Refinement and Combination Policy refinement –Basic policy relation –Does hospital policy enforce HIPAA? P 1 refines P 2 if P 1  P 2 –Requires careful handling of attribute inheritance Combination becomes logical conjunction –Defined in terms of refinement

Compliance Strong compliance –Future requirements after action can be met –PSPACE Weak compliance –Present requirements met by action –Polynomial time Policy History Contemplated Action Judgment Future Reqs

Related Languages ModelSenderRecipientSubjectAttributesPastFutureCombination RBACRoleIdentity  XACMLFlexible o  o  EPALFixedRoleFixed  o  P3PFixedRoleFixed  o  o CIRole  Legend:  unsupported opartially supported  full supported CI fully supports attributes and combination

Conclusions Privacy about agents communicating –Different model than access control Sender, recipient, subject, attribute, transmission principle –Past and future important CI: A language for privacy policies –Based on linear temporal logic –Expresses most privacy laws Combination and compliance tractable

Questions?