Contextual Integrity and its Formalization

1 Contextual Integrity and its Formalization
18739A: Foundations of Security and Privacy Contextual Integrity and its Formalization Anupam Datta CMU Fall

2 Problem Statement
Is an organization’s business process compliant with privacy regulations and internal policies?
- Examples of organizations: hospitals, financial institutions, other enterprises handling sensitive information
- Examples of privacy regulations: HIPAA, GLBA, COPPA, SB1386
- Goal: develop methods and tools to answer this question

3 Contextual Integrity [N2004]
Philosophical framework for privacy
- Central concept: context
  - Examples: healthcare, banking, education
- What is a context?
  - Set of interacting agents in roles. Roles in healthcare: doctor, patient, …
  - Norms of transmission: doctors should share patient health information as per the HIPAA rules
  - Purpose: improve health

4 Outline
- Motivating Example
- Framework
  - Model
  - Logic of Privacy and Utility
  - Workflows and Responsibility
- Algorithmic Results
  - Workflow Design assuming agents responsible
  - Auditing logs when agents irresponsible
- Conclusions

5 MyHealth@Vanderbilt Workflow
Humans + electronic system
[Figure: message flow among Patient, Secretary, Nurse and Doctor. Message types: Appointment Request, Health Question, Health Answer. Sample messages: "Now that I have cancer, should I eat more vegetables?" and "Yes! except broccoli".]

6 Possible Enhancement
- Secretary handles every message
  - Privacy
  - Efficiency
  - Robustness
- Messages opaque to MyHealth
  - Unable to help secretary route messages
  - Hinders adding features like delegation
- Suggestion: add short tags to messages

7 MyHealth with Message Tags
[Figure: message flow among Patient, Secretary, Nurse and Doctor, with each message carrying a tag: Health Question, Health Answer or Appointment Request. Sample messages: "Now that I have cancer, should I eat more vegetables?" and "Yes! except broccoli".]

8 Robustness to Mistaken Tags
[Figure: the tagged message flow among Patient, Secretary, Nurse and Doctor, in which the message "Now that I have cancer, should I eat more vegetables?" appears both with the tag Health Question and with the tag Appointment Request.]

9 Workflow Design Goals
- Privacy: secretary does not get sensitive info
- Utility: health question eventually answered
- Robustness: properties hold even with mistakes
[Figure labels: Workflows, Violate Privacy, Feasible Workflows, Permissiveness, Violate Utility.]

10 Recommendations
- Add short tags to messages
  - Enhances privacy
  - Increases efficiency
  - Scales with added functionality
- Assign responsibilities
  - Example: secretary should tag messages with “health question” if needed

12 Contextual Integrity [N2004]
Informational norms: “In a context, the flow of information of a certain type about a subject (acting in a particular capacity/role) from one actor (could be the subject) to another actor (in a particular capacity/role) is governed by a particular transmission principle.” [N2004]

13 Model
[Figure: Bob sends Alice the message "Now that I have cancer, should I eat more vegetables?", tagged Health Question.]
- Communication via send actions:
  - Sender: Bob in role Patient
  - Recipient: Alice in role Nurse
  - Subject of message: Bob
  - Tag: Health Question
  - Message: Now that ….
- Data model & knowledge evolution:
  - Agents acquire knowledge by receiving messages and by deriving additional attributes based on the data model
  - Health Question ∈ Protected Health Information
  - Tags may be incorrect
- Currently the data model has only individual attributes, no group attributes.
- contents(msg) vs. tags(msg): Tags(msg) is machine readable; Contents(msg) may require human agents

14 Concurrent Game Structure
Model [BDMS2007]
- State determined by knowledge of each agent
- Transitions change state
  - Set of concurrent send actions
  - Send(p,q,m) possible only if agent p knows m
[Figure: states K0, K11, K12, K13, ... connected by action sets A11, A12, A13.]
Concurrent Game Structure G = <k, Q, Π, π, d, δ>
- k: number of players
- Q: finite set of states
- Π: finite set of observables
- π: labeling function; π(q) identifies propositions that are true in state q
- d: number of moves for player a in state q is d(a,q)
- δ: transition function

15 Logic of Privacy and Utility
Syntax
  φ ::= send(p1,p2,m)         p1 sends p2 message m
      | contains(m, q, t)     m contains attrib t about q
      | tagged(m, q, t)       m tagged attrib t about q
      | inrole(p, r)          p is active in role r
      | t ∈ t’                attrib t is part of attrib t’
      | φ ∧ φ | ¬φ | ∃x. φ    classical operators
      | φ U φ | φ S φ | O φ   temporal operators
      | <<p>> φ               strategy quantifier
Semantics
  Formulas interpreted over concurrent game structure

16 Specifying Privacy
MyHealth@Vanderbilt: in all states, only nurses and doctors receive health questions
  G ∀p1, p2, q, m. send(p1, p2, m) ∧ contains(m, q, health-question) → inrole(p2, nurse) ∨ inrole(p2, doctor)
LTL fragment can express HIPAA, GLBA, COPPA [BDMN2006]

17 Specifying Utility
MyHealth@Vanderbilt: patients have a strategy to get their health questions answered
  ∀p. inrole(p, patient) → <<p>> F ∃q, m. send(q, p, m) ∧ contains(m, p, health-answer)

18 Expressing Privacy
Allow message transmission if:
- at least one positive norm is satisfied; and
- all negative norms are satisfied

19 HIPAA – Healthcare Privacy
- HIPAA consists primarily of positive norms: share phi if some rule explicitly allows it: (2), (3), (5), (6)
- Exception: negative norm about psychotherapy notes: (4)

20 COPPA – Children Online Privacy
- COPPA consists primarily of negative norms: children can share their protected info only if parents consent
- (7) (condition)
- (8) (obligation – future requirements)

21 GLBA – Financial Institutions
Financial institutions must notify consumers if they share their non-public personal information with non-affiliated companies, but the notification may occur either before or after the information sharing occurs.
[Annotations on the sentence: Sender role, Attribute, Subject role, Transmission principle, Recipient role.]

23 MyHealth@Vanderbilt Improved
- Doctor should answer health questions
- Assign responsibilities to roles & workflow engine
[Figure: message flow among Patient, Secretary, Nurse and Doctor, with messages tagged Health Question, Health Answer or Appointment Request. Sample messages: "Now that I have cancer, should I eat more vegetables?" and "Yes! except broccoli".]

24 Graph-based Workflow
- Graph (R, R x R), where R is the set of roles
- Edge-labeling function permit: R x R → 2^T, where T is the set of attributes
- Responsibility of workflow engine
  - Allow msg from role r1 to role r2 iff tags(msg) ⊆ permit(r1, r2)
- Responsibility of human agents in roles
  - Tagging responsibilities ensure messages are correctly tagged
  - Progress responsibilities ensure messages proceed through workflow
  - Examples from previous slide

25 MyHealth Responsibilities
- Tagging: nurses should tag health questions
  G ∀p, q, s, m. inrole(p, nurse) ∧ send(p, q, m) ∧ contains(m, s, health-question) → tagged(m, s, health-question)
- Progress: doctors should answer health questions
  G ∀p, q, s, m. inrole(p, doctor) ∧ send(q, p, m) ∧ contains(m, s, health-question) → F ∃m’. send(p, s, m’) ∧ contains(m’, s, health-answer)
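
The engine rule from the graph-based workflow slide and the tagging responsibility above, as an added example that is not part of the original slides. The permit labels, the role-level traces and the helper names are assumptions made for illustration.

```python
# Added example: the permit labels below are assumed, not taken from the slides.
HQ, HA, AR = "health-question", "health-answer", "appointment-request"
PERMIT = {
    ("patient", "secretary"): {AR},
    ("patient", "nurse"): {HQ},
    ("nurse", "doctor"): {HQ},
    ("doctor", "patient"): {HA},
    ("nurse", "patient"): {HA},
}

def engine_allows(permit, r1, r2, tags):
    """Engine rule: allow msg from r1 to r2 iff tags(msg) is a subset of permit(r1, r2)."""
    return set(tags) <= permit.get((r1, r2), set())

def deliver(permit, sends):
    """Return the trace of sends the engine lets through; it never reads contents."""
    return [s for s in sends if engine_allows(permit, s["from"], s["to"], s["tags"])]

def privacy_violations(trace):
    """Sends breaking the policy: only nurses and doctors receive health questions."""
    return [s for s in trace
            if HQ in s["contents"] and s["to"] not in ("nurse", "doctor")]

def tagging_violations(trace):
    """Sends whose tags omit an attribute that the contents carry."""
    return [s for s in trace if not s["contents"] <= s["tags"]]

def send(r1, r2, tags, contents):
    return {"from": r1, "to": r2, "tags": set(tags), "contents": set(contents)}

# Constructed traces; roles stand in for individual agents.
RESPONSIBLE = [
    send("patient", "nurse", {HQ}, {HQ}),
    send("patient", "secretary", {AR}, {AR}),
    send("patient", "secretary", {HQ}, {HQ}),  # correctly tagged, so the engine blocks it
]
MISTAGGED = [send("patient", "secretary", {AR}, {HQ})]  # health question tagged as appointment

if __name__ == "__main__":
    for name, sends in (("responsible", RESPONSIBLE), ("mistagged", MISTAGGED)):
        trace = deliver(PERMIT, sends)
        print(name, len(trace), "delivered;",
              len(privacy_violations(trace)), "privacy violation(s);",
              len(tagging_violations(trace)), "tagging violation(s)")
```

With correct tags the engine alone keeps health questions away from the secretary; with the mistagged message the engine still allows the send, and only a check against the contents exposes the violation.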

26 Abstract Workflow
- Responsibility of workflow engine
  - LTL formula φ
  - Feasible (enforceable) if φ is a safety formula without the contains() predicate
- Responsibility of each role r
  - LTL formula φ_r
  - Feasible if agents have a strategy to discharge their responsibilities:
    ∀p. φ ∧ inrole(p, r) → <<p>> φ_r
- Graph-based workflows are a special case

27 Outline
- Motivating Example
- Framework
  - Model
  - Logic of Privacy and Utility
  - Workflows and Responsibility
- Algorithmic Results
  - Workflow Design assuming agents responsible: abstract workflows
  - Auditing logs when agents irresponsible: only graph-based workflows
- Conclusions

28 MyHealth@Vanderbilt Improved
- Minimal disclosure
- Privacy: HIPAA compliance+
- Utility: schedule appointments, obtain health answers
- Responsibility: doctor should answer health questions
[Figure: message flow among Patient, Secretary, Nurse and Doctor, with messages tagged Health Question, Health Answer or Appointment Request. Sample messages: "Now that I have cancer, should I eat more vegetables?" and "Yes! except broccoli".]

29 Workflow Design Results
- Theorems: assuming all agents act responsibly, checking whether workflow achieves
  - Privacy is in PSPACE (in the size of the formula describing the workflow)
  - Utility is decidable
- Definition and construction of minimal disclosure workflow
- Algorithms implemented in model-checkers, e.g. SPIN, MOCHA

30 Deciding Privacy
- PLTL model-checking problem is PSPACE decidable
  G |= tags-correct U agents-responsible → privacy-policy
  - G: concurrent game structure
- Result applies to finite models (#agents, msgs, …)

31 MyHealth Privacy
MyHealth workflow satisfies this privacy condition: in all states, only nurses and doctors receive health questions
  G ∀p1, p2, q, m. send(p1, p2, m) ∧ contains(m, q, health-question) → inrole(p2, nurse) ∨ inrole(p2, doctor)
Run LTL model-checker, e.g. SPIN

32 Deciding Utility
- ATL* model-checking of concurrent game structures is
  - Decidable with perfect information
  - Undecidable with imperfect information
- Theorem: There is a sound decision procedure for deciding whether workflow achieves utility
- Intuition: translate imperfect information into perfect information by considering possible actions from one player’s point of view

33 MyHealth Utility
MyHealth workflow satisfies this utility condition: patients have a strategy to get their health questions answered
  ∀p. inrole(p, patient) → <<p>> F ∃q, m. send(q, p, m) ∧ contains(m, p, health-answer)
Run ATL* model-checker, e.g. MOCHA

34 Minimal Disclosure Workflow
- Abstract workflows: W1 (φ1, R) ≤ W2 (φ2, R) if G satisfies φ1 → φ2
- Graph-based workflows: W1 (R, permit1) ≤ W2 (R, permit2) if ∀r1, r2 ∈ R. permit1(r1, r2) ⊆ permit2(r1, r2)
- Lemma: If W1 ≤ W2 and W2 achieves a privacy goal, then so does W1
- Minimal Disclosure Workflow: W is minimal with respect to a utility goal if W achieves the goal and every feasible W’ < W fails to achieve the goal

35 MyHealth@Vanderbilt Workflow
Secure free text messaging system
[Figure: message flow among Patient, Secretary, Nurse and Doctor. Message types: Appointment Request, Health Question, Health Answer. Sample messages: "Now that I have cancer, should I eat more vegetables?" and "Yes! except broccoli".]

36 MyHealth@Vanderbilt Improved
[Figure: message flow among Patient, Secretary, Nurse and Doctor, with messages tagged Health Question, Health Answer or Appointment Request. Sample messages: "Now that I have cancer, should I eat more vegetables?" and "Yes! except broccoli".]

38 Auditing Results
- Definitions
  - Policy compliance, locally compliant
  - Causality, accountability
- Design of audit log
- Algorithms
  - Finding agents accountable for locally-compliant policy violation in graph-based workflows using audit log
  - Finding agents who act irresponsibly using audit log
  - Algorithms use oracle: O(msg) = contents(msg)
  - Minimize number of oracle calls

39 Policy compliance/violation
[Figure labels: Contemplated Action, Judgment, Policy, Future Reqs, History.]
- Strong compliance [BDMN2006]
  - Action does not violate current policy requirements
  - Future policy requirements after action can be met
- Locally compliant policy
  - Agents can determine strong compliance based on their local view of history

40 Causality Lamport Causality [1978] From original paper.

41 Accountability & Audit Log
- Accountability
  - Causality + Irresponsibility
- Audit log design
  - Records all Send(p,q,m) and Receive(p,q,m) events executed
  - Maintains causality structure
  - O(1) operation per event logged

42 Auditing Algorithm
- Goal: find agents accountable for a policy violation
- Algorithm(Audit log A, Violation v)
  - Construct G, the causality graph for v in A
  - Run BFS on G. At each Send(p, q, m) node, check if tags(m) = O(m). If not, and p missed a tag, output p as accountable
- Theorem: The algorithm outputs at least one accountable agent for every violation of a locally compliant policy in an audit log of a graph-based workflow that achieves the policy in the responsible model

43 Proof Idea
- Causality graph G includes all accountable agents
  - Accountability = Causality + Irresponsibility
- There is at least one irresponsible agent in G
  - Policy is satisfied if all agents responsible
  - Policy is locally compliant
- In graph-based workflows, safety responsibilities violated only by mistagging
  - O(msg) = tags(msg) check identifies all irresponsible actions

44 MyHealth Example
- Policy violation: Secretary Candy receives health-question mistagged as appointment-request
- Construct causality graph G and search backwards using BFS
  - Candy received message m from Patient Jorge.
  - O(m) = health-question, but tags(m) = appointment-request.
  - Patient responsible for health-question tag.
  - Jorge identified as accountable
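
The auditing algorithm run on the Candy and Jorge violation, as an added example that is not part of the original slides. The log records, the extra agents, the message ids and the rule used to derive causal predecessors (earlier events in which the sender took part) are assumptions; the oracle is a lookup table standing in for a human reading the message.

```python
from collections import deque, namedtuple

Send = namedtuple("Send", "sender recipient msg tags")

# Constructed audit log of Send(p, q, m) events in logged order. Jorge and Candy
# come from the slide; the other agents and the message ids are made up.
LOG = [
    Send("dr_dana", "jorge", "m0", {"health-answer"}),
    Send("ann", "nurse_nia", "m1", {"health-question"}),
    Send("jorge", "candy", "m2", {"appointment-request"}),  # the violation v
]
# Oracle O(msg) = contents(msg), here a constructed lookup table.
CONTENTS = {
    "m0": {"health-answer"},
    "m1": {"health-question"},
    "m2": {"health-question"},
}

def predecessors(log, i):
    """Earlier events the sender of event i took part in (assumed causality rule)."""
    p = log[i].sender
    return [j for j in range(i) if p in (log[j].sender, log[j].recipient)]

def audit(log, v, oracle):
    """BFS backwards from violation v; report senders whose tags miss part of O(m)."""
    accountable, calls = [], 0
    seen, queue = {v}, deque([v])
    while queue:
        i = queue.popleft()
        event = log[i]
        calls += 1  # one oracle call per visited Send node
        missing = oracle(event.msg) - event.tags
        if missing:
            accountable.append((event.sender, event.msg, sorted(missing)))
        for j in predecessors(log, i):
            if j not in seen:
                seen.add(j)
                queue.append(j)
    return accountable, calls

if __name__ == "__main__":
    found, calls = audit(LOG, 2, CONTENTS.__getitem__)
    print(found, "oracle calls:", calls, "of", len(LOG), "logged events")
```

Restricting the search to the causality graph of the violation is what keeps the oracle calls down: the unrelated message m1 is never read.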

45 Conclusions
- Framework
  - Concurrent game model
  - Logic of Privacy and Utility
  - Temporal logic (LTL, ATL*)
- Business Process as Workflow
  - Role-based responsibility for human and mechanical agents
- Algorithmic Results
  - Workflow design assuming agents responsible
    - Privacy, utility decidable (model-checking)
    - Minimal disclosure workflow constructible
  - Auditing logs when agents irresponsible
    - From policy violation to accountable agents
    - Finding irresponsible agents
[Annotations: Automated; Using oracle.]

46 Thanks Questions?

48 Local communication game
- Quotient structure under invisible actions, Gp
  - States: smallest equivalence relation K1 ~p K2 if K1 -a→ K2 and a is invisible to p
  - Actions: [K] -a→ [K’] if there exist K1 in [K] and K2 in [K’] s.t. K1 -a→ K2
- Lemma: For all LTL formulas φ visible to p, Gp |= <<p>>φ implies G |= <<p>>φ

49 Refinement and Combination
- Policy refinement
  - Basic policy relation
  - Does hospital policy enforce HIPAA?
  - P1 refines P2 if P1 → P2
  - Requires careful handling of attribute inheritance
  - PSPACE decidable
- Combination becomes logical conjunction
  - Defined in terms of refinement

50 Related Languages
[Table comparing RBAC, XACML, EPAL, P3P and LPU on: Model, Sender, Recipient, Subject, Attributes, Past, Future, Combination. Legend: unsupported, partially supported (o), fully supported.]
LPU fully supports attributes, combination, temporal conditions

51 Why Not Use P3P?
- Different application
  - P3P understood by web browsers
  - LPU intended for internal policy enforcement
- Not expressive enough
  - P3P cannot express HIPAA, GLBA, COPPA
  - Each policy only has one sender and one subject
  - Missing temporal conditions; only has simple opt-in / opt-out

52 Structure of Attributes
[Figure: attribute hierarchy with nodes Health Information, Psychotherapy Notes, Test Results, Date of Birth, Age, Zodiac Sign.]
- Health care providers can tell patients their health information
- Health care providers can tell patients their psychotherapy notes only if a psychiatrist has approved
[Annotations on the sentences: Sender role, Recipient role, Subject role, Attribute.]

