Presentation is loading. Please wait.

Presentation is loading. Please wait.

Università degli Studi di Trento Privacy is Linking Permission to Purpose F.MassacciN. Zannone Presented by Fabio Massacci (DIT - University of Trento.

Published byIrma Edwards Modified over 9 years ago

Similar presentations

Presentation on theme: "Università degli Studi di Trento Privacy is Linking Permission to Purpose F.MassacciN. Zannone Presented by Fabio Massacci (DIT - University of Trento."— Presentation transcript:

1 Università degli Studi di Trento Privacy is Linking Permission to Purpose F.MassacciN. Zannone Presented by Fabio Massacci (DIT - University of Trento - www.dit.unitn.it) (Create-NET - www.create-net.it)

2 Università degli Studi di Trento Privacy On the Web Regulatory solutions –Mandatory - HIPAA –Third Party Certified - TRUSTe Client-based technological solutions –Anonymizers –Remailers Server-based technological solutions –VPNs/Firewalls Client-Server-based technological solutions – P3P –EPAL (a classification borrowed from IEEE Security & Privacy Magazine)

3 Università degli Studi di Trento Observation 1 If private information is not really relevant to the service… No Need of Crypto! –Just create your own fake identity My Identity –Babbo Natale (Santa Claus) –Born in Fortezza BZ (Italy) on 25/12/1900 (or 1901 if 1900 not accepted), –Resident in Fortezza (BZ), via della Stazione 5, –Phone 0472-458772, Fax: 39045, –Email: sono_babbo_natale@libero.it –Social Security Number/Tax Code: NTLBBB00T25D731U (or V)

4 Università degli Studi di Trento Observation 2 If private info really relevant for the service –Eg delivery some goods at your house No crypto can help… –Server must see the plaintext –And once they have it, they have it… Credentials don’t help that much either –Issuer gives credential that somebody has a property –Just shift faith from server to credential issuer –Possibly worse because you are likely to have less issuers than servers (so concentrating data)

5 Università degli Studi di Trento Real life Delegation of permissions can never be as fine grained as you would need them –Cleaning lady has the key to open the room –She can empty the wastebin or look at papers on the desk. Real life contracts or data submissions have purpose tagged to permissions –Special power of attorney for contracts –Privacy statement according EU or Italian Legislation (Our starting point defining policy for Genetic Data for local health authority) –You got that (permission, data, thing) to do that If you breach trust (use for other purposes) then you can be sued

6 Università degli Studi di Trento Alias Privacy=‘ln -s Purpose Permission’ Fact of Life –We want something done –We give private information (or access to it) to get it done If private information is used for the purpose we have given it –Happy user If private information can be used for other purposes –Consent must be sought (eg according Law) –Unhappy or unwilling users

7 Università degli Studi di Trento Privacy & Purpose II All interesting proposals add purpose –Hyppocratic Databases –EPAL –P3P Allow to specify other purposes and other recipients of private info –Marketing, –Analysis etc. Also specify what data is added

8 Università degli Studi di Trento Exercise 1: Spot the Purpose in P3P CatalogExample <DISPUTES resolution-type="independent” service="http://www.PrivacySeal.example.org"

9 Università degli Studi di Trento Solution (??) Thick appropriate Box ØWeb site basic.example.com uses a variety of images, all of which it hosts. It also includes some forms, which are all submitted directly to the site. ØWeb site busy.example.com uses a content distribution network called cdn.example.com to host its images so as to reduce the load on its servers. ØWeb site busy.example.com also has a contract with an advertising company called clickads.example.com to provide banner ads on its site. ØWeb site busy.example.com also has a contract with funchat.example.com to host a chat room for its users. When users enter the chat room they are actually leaving the Busy site. However, the chat room has the Busy logo and is actually covered by the Busy privacy policy. ØWeb site bigsearch.example.com also has a form that allows users to type in a search query and have it simultaneously performed on ten different search engines. Bigsearch submits the queries, gets back the results from each search engine, removes the duplicates, and presents the results to the user. ØWeb site bigsearch.example.com also has banner advertisements provided by a company called adnetwork.example.com. Adnetwork uses cookies to develop profiles of users across many different Web sites so that it can provide them with ads better suited to their interests. Because the data about the sites that users are visiting is being used for purposes other than just serving ads on the Bigsearch Web site, Adnetwork cannot be considered an agent in this context. Adnetwork must create its own P3P policy and use its own policy reference file to indicate what content it applies to. Answer: you have no clue

10 Università degli Studi di Trento Requirements Eng. Security & Privacy Where’s purpose? –Focus on “modelling and implementing” privacy statements for other services –Privacy Declaration and Authorizations derives from (implicit) (dis)trust relationships for some functional goals different from the original goal the data has been collected for Modelling Trust/Privacy/Functional Model together –In Model-based Development Architecture appropriate privacy declarations and authorizations should be automatically derived from original purpose –All we need is Functional/Trust/Ownership relations

11 Università degli Studi di Trento Exercise 2: Spot Purpose in Hipp. DB Hippocratic Privacy Policy Table That’s better… Yet not linked to design: ex-post addition

12 Università degli Studi di Trento Idea… Specify (Functional) Requirements from the User Perspective –Users have certains goals and delegate some of them to the system Explicit purpose when delegating goals to system –Essentially data submission is a credential mentioning not only the information/permission but also the goal for which the permission can be used You can even make chain of credentials –Each with a refinement of purpose You have the data, but can you show the police a valid chain?

13 Università degli Studi di Trento Requirements Engineering Methodology Agent-Oriented RE Methodology - Tropos –Agents, Roles –Goals, Tasks, Resources –Dependency among agents (A depends on B on G, if A wants G to be done and B agrees to look after that) –Goal Decomposition (AND/OR, positive, negative contribution) Easy to Understand by Users for Early RE Good for Modelling Organizations Formal Reasoning Tools Available

14 Università degli Studi di Trento Security-Aware RE Methodology Add-ons –Distinction between wanting/offering/owning a goal –Trust relationship on Agent/goals/Agents Some agents want some goal/task to be done –Hospital doctor wants to consult medical record Other agents offer this goal/task –Nephrology ward locker stores medical records Another agent owns this goal/task –Patient owns the medical record Agents trust other agents on the goal –Patient trust Hospital to store medical record

15 Università degli Studi di Trento Security-Aware Tropos - Informal II Use Diagram to communicate requirements –Nice drawing with ovals and arrows –Model Dependency and Trust Relationships Patient Obtain Medical Treatment Clinicia n Hospital Analys Pers. Data Obtain Medical Treatment Dep Hosp Deleg Clinician Trust Owns Dep And now derive permissions automatically

16 Università degli Studi di Trento Security-Aware Tropos - Informal III

17 Università degli Studi di Trento Security-Aware Tropos - Informal IV Beware: NOT all “permissions” and “auth. processes” are mapped onto digital certificates Remember –Fabio’s “Real-Life Dominance Rule” –Some “credentials” will be papers signed by an individual –Others corresponds to oral or physical permissions Examples –Permission to use donor’s placenta genetic data for research and “self” usage (collected on the day of childbirth…) –Parents’ or Guardian approval for blood samples to be used in case of unexpected outcome in “wet” surgery –University visiting professor’s request for temp. IP address

18 Università degli Studi di Trento Security-Aware RE Methodology Design Functional Dependency Model Design Trust/Ownership Model Refinements by –Goal Decomposition –Goal (Functional) Delegation to other agents –Modify Trust Relationship Design /Synth Trust Management Implementation –Goal (Permission) Delegation to other agents MENTION functional goal (Computer Supported) Analysis –Goal Fulfillment (Functional Delegation Chain) –Trusted Execution (Trust Chain Match Funct. Deleg. Chain) –Trusted Delegation (Trust Chain Match Permis. Deleg. Chain) –Privacy Protection (Permis. Deleg. Chain match Funct. Deleg Chain)

19 Università degli Studi di Trento Security-Aware Tropos - Formal Model Semi-formal Analysis –Annotate diagrams with formulae Partial checks at type level Eliminate already many errors in the chains Formal Analysis –Full model at instance level Define instances of agents and goals instantiate delegation in many ways –Finite State Model checking and (to be done) infinite state analysis –Allows Discovery of subtler relationships between parties Patient trusts “her” clinician, and hospital –Analys relationships with third parties Delegation of permissions can create unexpected breach of trust “natural & simple” permission chain may not match “natural” trust chain

20 Università degli Studi di Trento Implementation Submission of data to server is delegation cert –Data –Purpose Need common language to define purpose –Semantic web… Needed PKI from servers. –Server needs to sign acknolwedgement of data & policy –But they already have it (if they have HTTPS…) Is a PKI needed from the client? –Maybe a MAC with a secret value is enough –Maybe a full signature is needed

21 Università degli Studi di Trento SIC LECTIO FINITA EST Questions? Suggestions? Comments? Dead cats? …

Download ppt "Università degli Studi di Trento Privacy is Linking Permission to Purpose F.MassacciN. Zannone Presented by Fabio Massacci (DIT - University of Trento."

Similar presentations

Privacy and Information Security Training (2006-07) VUMC Privacy Website www.mc.vanderbilt.edu/privacy.

Privacy and Information Security Training ( ) VUMC Privacy Website
Criteria For Approval 45 CFR 46.111 25 CFR 56.111 Minimized risks Reasonable risk/benefit ratio Equitable subject selection Informed consent process Informed.

Criteria For Approval 45 CFR CFR Minimized risks Reasonable risk/benefit ratio Equitable subject selection Informed consent process Informed.
THE BASICS OF CONSENT LAW Sheniece Smith, Esq.. BASICS State and federal laws require patients to have the right to consent to health care decisions.

THE BASICS OF CONSENT LAW Sheniece Smith, Esq.. BASICS State and federal laws require patients to have the right to consent to health care decisions.
Giorgini P., EuroPKI 20041 Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures Paolo Giorgini Department of.

Giorgini P., EuroPKI Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures Paolo Giorgini Department of.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research

Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Technological Implications for Privacy David Kotz Department of Computer Science Dartmouth College

Technological Implications for Privacy David Kotz Department of Computer Science Dartmouth College
Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Application Process USAJOBS – Application Manager USA STAFFING ® —OPM’S AUTOMATED HIRING TOOL FOR FEDERAL AGENCIES.

Application Process USAJOBS – Application Manager USA STAFFING ® —OPM’S AUTOMATED HIRING TOOL FOR FEDERAL AGENCIES.
Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.

Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.
The Privacy Tug of War: Advertisers vs. Consumers Presented by Group F.

The Privacy Tug of War: Advertisers vs. Consumers Presented by Group F.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
CPS Acceptable Use Policy Day 2 – Technology Session.

CPS Acceptable Use Policy Day 2 – Technology Session.
SWIS Digital Inspections Project (SWIS DIP) Chris Allen, Information Management Branch California Integrated Waste Management Board November 5, 2008 The.

SWIS Digital Inspections Project (SWIS DIP) Chris Allen, Information Management Branch California Integrated Waste Management Board November 5, 2008 The.

Similar presentations

Ads by Google