Privacy and Contextual Integrity: Framework and Applications
Adam Barth, Anupam Datta, John C. Mitchell (Stanford), Helen Nissenbaum (NYU)
Broad Goal
Protect privacy of individuals
– Restrict transmission of sensitive data
– State restrictions in a formal policy language
Precisely express privacy legislation
– HIPAA (medical privacy rule)
– GLBA (financial privacy legislation)
– COPPA (privacy protection for children online)
Framework Overview
Privacy model: communicating agents
– Agents take on roles
– Information is abstracted by type
– Agent reasoning is modeled through computation rules
– Example: "Alice gives Bob a type of info about Charlie"
Language based on Linear Temporal Logic (LTL)
– Temporal conditions are essential for privacy
– Captures opt-in, opt-out, confidentiality, etc.
– Standard LTL tools are applicable
Policy Relations and Operations
Policy compliance comes in two strengths
– Strong compliance: agents can meet all future requirements
  Requires computing LTL satisfiability (PSPACE-complete)
– Weak compliance: agents need only meet present requirements
  Computable efficiently using an LTL tableau
Policy refinement reduces to implication
Policy combination: conjunction and disjunction
Applications: Privacy in Legislation
HIPAA
– Hospitals can give protected health information about patients to health care providers
GLBA
– Financial institutions must notify consumers if they share their non-public personal information with non-affiliated companies; the notification may occur either before or after the information sharing
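The two norms above, checked for weak compliance over a message history, as an added example in Python. This is not code from the slides or from the authors' implementation. It assumes a finite-trace reading of the LTL policy: each formula is evaluated over the history seen so far and yields one of three outcomes (violated, satisfied so far, or pending, meaning a future obligation such as "eventually notify" is still open). The Msg record, the Norm/Previously/Eventually classes, the ROLES table, the agent names and the traces are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

TRUE, FALSE, PENDING = "true", "false", "pending"


@dataclass(frozen=True)
class Msg:
    sender: str
    receiver: str
    subject: str      # the person the information is about
    info_type: str    # e.g. "PHI", "NPI", "privacy_notice"


# Role assignments are constructed for this example (agent -> roles held).
ROLES: Dict[str, Set[str]] = {
    "MercyHospital": {"hospital"},
    "DrChen": {"healthcare_provider"},
    "AcmeBank": {"financial_institution"},
    "AdCo": {"nonaffiliated"},
    "alice": {"patient", "consumer"},
}


def inrole(agent: str, role: str) -> bool:
    return role in ROLES.get(agent, set())


class Formula:
    """eval(trace, i) evaluates the formula at position i of a finite history."""
    def eval(self, trace: List[Msg], i: int) -> str:
        raise NotImplementedError


class Atom(Formula):
    def __init__(self, pred: Callable[[Msg], bool]):
        self.pred = pred

    def eval(self, trace, i):
        return TRUE if self.pred(trace[i]) else FALSE


class Or(Formula):
    def __init__(self, *fs: Formula):
        self.fs = fs

    def eval(self, trace, i):
        vs = [f.eval(trace, i) for f in self.fs]
        if TRUE in vs:
            return TRUE
        return PENDING if PENDING in vs else FALSE


class Eventually(Formula):
    """F f: satisfied once witnessed; on a finite history it is otherwise pending."""
    def __init__(self, f: Formula):
        self.f = f

    def eval(self, trace, i):
        hit = any(self.f.eval(trace, j) == TRUE for j in range(i, len(trace)))
        return TRUE if hit else PENDING


class Previously(Formula):
    """Past-time 'once': f held at this or an earlier position; the past is settled."""
    def __init__(self, f: Formula):
        self.f = f

    def eval(self, trace, i):
        hit = any(self.f.eval(trace, j) == TRUE for j in range(0, i + 1))
        return TRUE if hit else FALSE


class Norm(Formula):
    """G (trigger(m) -> body(m)); body may mention the triggering message's parties.
    Violated if any triggered body is false, pending if one is open, else satisfied."""
    def __init__(self, trigger: Callable[[Msg], bool], body: Callable[[Msg], Formula]):
        self.trigger, self.body = trigger, body

    def eval(self, trace, i):
        vs = [self.body(trace[j]).eval(trace, j)
              for j in range(i, len(trace)) if self.trigger(trace[j])]
        if FALSE in vs:
            return FALSE
        return PENDING if PENDING in vs else TRUE


# HIPAA norm from the slide, simplified: PHI may flow only from a hospital to a provider.
HIPAA = Norm(
    lambda m: m.info_type == "PHI",
    lambda m: Atom(lambda n: inrole(n.sender, "hospital")
                   and inrole(n.receiver, "healthcare_provider")))


def notice_for(share: Msg) -> Formula:
    # the institution that shared must send a privacy notice to the consumer concerned
    return Atom(lambda n: n.info_type == "privacy_notice"
                and n.sender == share.sender and n.receiver == share.subject)


# GLBA norm from the slide: sharing NPI with a non-affiliated company obliges a notice,
# which may come before (Previously) or after (Eventually) the sharing.
GLBA = Norm(
    lambda m: m.info_type == "NPI" and inrole(m.sender, "financial_institution")
    and inrole(m.receiver, "nonaffiliated"),
    lambda m: Or(Previously(notice_for(m)), Eventually(notice_for(m))))

POLICY: List[Tuple[str, Formula]] = [("HIPAA", HIPAA), ("GLBA", GLBA)]


def evaluate(policy, trace: List[Msg]) -> Dict[str, str]:
    return {name: f.eval(trace, 0) for name, f in policy}


def weakly_compliant(policy, trace: List[Msg]) -> bool:
    """Weak compliance: no present requirement is violated; open obligations are allowed."""
    return FALSE not in evaluate(policy, trace).values()


# Constructed traces (not from the paper).
PHI_TO_PROVIDER = [Msg("MercyHospital", "DrChen", "alice", "PHI")]
PHI_TO_ADVERTISER = [Msg("MercyHospital", "AdCo", "alice", "PHI")]
SHARE_THEN_NOTIFY = [Msg("AcmeBank", "AdCo", "alice", "NPI"),
                     Msg("AcmeBank", "alice", "alice", "privacy_notice")]

if __name__ == "__main__":
    for label, t in [("phi->provider", PHI_TO_PROVIDER), ("phi->advertiser", PHI_TO_ADVERTISER),
                     ("share, no notice", SHARE_THEN_NOTIFY[:1]), ("share then notify", SHARE_THEN_NOTIFY)]:
        print(label, evaluate(POLICY, t), "weakly compliant:", weakly_compliant(POLICY, t))
```

A trace is weakly compliant when no norm has evaluated to "false"; the GLBA obligation left "pending" after a share without a notice is exactly the case the slides distinguish: the trace is weakly compliant, but deciding strong compliance (can the bank still discharge the notice obligation given its other commitments?) needs the LTL satisfiability check the slides mention, which this checker deliberately does not perform. Policy refinement (implication between policies) is likewise not checked here.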
Related Work
Role-based access control
– No subjects, attributes, or temporal conditions
XACML
– Attributes handled incorrectly (inheritance)
– Combination occurs functionally, not logically
EPAL
– Obligations treated as uninterpreted symbols
– Can only enforce weak compliance
P3P
– Contains only simple opt-in / opt-out conditions