
Enterprise Privacy Promises and Enforcement



Presentation Transcript


  1. Enterprise Privacy Promises and Enforcement. Adam Barth, John C. Mitchell

  2. Formal Languages for Privacy
  • Protect privacy: state and enforce restrictions on the use of data using a formal policy language
  • Existing formal languages for privacy:
    • W3C's Platform for Privacy Preferences (P3P)
    • IBM's Enterprise Privacy Authorization Language (EPAL)
  • No connection between P3P and EPAL policies
  • This work: state and prove a precise connection, via a unified, data-centric model for privacy policies

  3. Current Usage Scenario
  [Diagram: the service provider transmits its P3P policy to the consumer's user agent; the consumer configures the user agent, which accepts or rejects the policy; the consumer reveals personal information; the service provider respects its EPAL policy.]
  Consumer bases her decision on the announced P3P policy, which is not formally related to the operative EPAL policy.

  4. Proposed Usage Scenario
  [Diagram: the consumer configures her user agent with an APPEL preference; the service provider's EPAL policy generates, and enforces, the P3P policy that is transmitted to the user agent, which accepts it.]
  Service provider's use of consumer's personal information respects consumer's preference.

  5. Data Hierarchies for Privacy
  [Diagram: a data hierarchy, with example values in parentheses]
    user
      name: given (George), middle (Walker), family (Bush)
      bdate.ymd: year (1946), month (July), day (9)
      jobtitle (United States President)

  6. Policies As Sets of Promises
  [Diagram: the user data hierarchy of slide 5 (user; name: given, middle, family; bdate.ymd: year, month, day; jobtitle)]
  • View a privacy policy as a set of promises made by a service provider to a consumer
  • "I will not disclose your birth date, but I might disclose your name."

  7. Can "user" data be disclosed?
  [Diagram: the user data hierarchy of slide 5]
  • Service provider reasons: "If I disclose user information, I would disclose the user's birth date and violate my promise."
  • He concludes: No

  8. Can "user" data be disclosed?
  [Diagram: the user data hierarchy of slide 5]
  • Consumer reasons: "The service provider might disclose my name, and in doing so, he would disclose my user information."
  • She concludes: Yes

  9. Actually Asking Different Questions
  • Service providers and consumers are actually asking different questions:
    • Service provider: can I disclose all data?
    • Consumer: can he disclose some data?
  • Formalize as modalities over the data hierarchy
  • Semantics of policies as Kripke frames
  • "Enforces" defined by comparing modal theories, ensuring reasoning carries over

  10. Application: Compact Policies
  • P3P compact policies are terse policy summaries for use in HTTP headers
  • W3C's definition of compact policies agrees with our model: policies enforce their compact representation
  • We give compact policies clear semantics: the terms of a compact policy represent the values of certain ◊ terms in our modal logic
  • Terms answer common consumer queries

  11. Application: Privacy Preferences
  [Diagram, ordered from less restrictive to more restrictive: the APPEL or XPref preference accepts or rejects the P3P policy; the EPAL policy enforces the P3P policy; actual practices sit at the most restrictive end.]
  • Consumer configures user agent with preference
  • Two languages proposed: APPEL, XPref
  • Both can express non-guaranteed preferences, e.g. "Block web sites that do not telemarket."


  13. Policy Summarization Algorithm
  • Motivation: leverage the effort spent writing a detailed enforcement policy to generate a policy summary
  • Criteria for the generated policy summary:
    • Enforced by the detailed policy
    • Least permissive such policy
  • We provide an algorithm for generating such policy summaries
  • Intuition: walk up the summary data hierarchy and ensure all necessary formulae hold

  14. Conclusion
  • Proposed a uniform model for privacy
  • Connected privacy promises with privacy enforcement
  • Defined clear semantics for P3P compact policies
  • Discovered anomalies in APPEL and XPref
  • Provided an algorithm for summarizing detailed policies (e.g. translating EPAL into P3P)
  • In privacy, it is important to consider the differing perspectives of the principals involved

  15. Questions?

  16. Enforces Relation
  [Diagram: policy q enforces policy p; a user agent accepting p implies that it accepts q.]
  • Policy q enforces policy p if every user agent that accepts p also accepts policy q
  • If a service provider's EPAL policy enforces its P3P policy, a consumer who accepts the P3P policy will also accept the operative EPAL policy

  17. Modalities Reflect Perspectives
  • Formalize perspectives using modal logic
  • Modalities (□ and ◊) over the data hierarchy
  • Postal address ||- □ Disclose
    • Service provider may disclose all components of consumer's postal address
    • Reflects service provider's perspective
  • Postal address ||- ◊ Disclose
    • Service provider may disclose some components of consumer's postal address
    • Reflects consumer's perspective

  18. Enforcing Privacy Promises
  • Consumers use a class of modal formulae in reasoning about a policy
  • Formally define "enforces" using modal logic
  • q enforces p if all such positive modal formulae true of q are also true of p
  • Ensures that reasoning carries over from enforced to enforcing policy
  • Generalizes previous privacy policy relations

  19. Transitivity of Enforcement
  [Diagram, ordered from less restrictive / less detailed to more restrictive / more detailed: compact policy, enforced by the P3P policy, enforced by the EPAL policy, with actual practices at the most restrictive end.]
  • Enforcement relation is transitive
  • Consumer can use the compact policy to bound the full policy
  • The full P3P policy, in turn, bounds the operative EPAL policy
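To make the box/diamond reading of "Disclose" (slides 7 to 9 and 17), the "enforces" relation (slides 16 and 18), the least-permissive summarization criteria (slide 13) and the transitive enforcement chain (slide 19) concrete, here is an added toy model in Python. It is not the authors' code. It assumes a single action (Disclose), that a policy is the set of hierarchy nodes the provider may disclose (everything else is promised not to be disclosed), that dotted node names encode depth, and that a summary hierarchy is the detailed hierarchy cut at a fixed depth (the paper's P3P and compact hierarchies are separate, coarser vocabularies). The hierarchy and the EPAL-level policy are constructed to mirror slide 5.

```python
"""Added toy model of the slides' data-centric privacy model (not the authors' code).

Assumptions: one action (Disclose); a policy is a set of hierarchy nodes the
provider may disclose; dotted names encode depth; a summary hierarchy is the
detailed one cut at a fixed depth.
"""
from typing import Dict, FrozenSet, Set, Tuple

Hierarchy = Dict[str, Tuple[str, ...]]   # node -> children; leaves have no entry
Policy = FrozenSet[str]                  # nodes the provider may disclose

# Constructed hierarchy mirroring slide 5 (user / name / bdate / jobtitle).
HIERARCHY: Hierarchy = {
    "user": ("user.name", "user.bdate", "user.jobtitle"),
    "user.name": ("user.name.given", "user.name.middle", "user.name.family"),
    "user.bdate": ("user.bdate.year", "user.bdate.month", "user.bdate.day"),
}


def nodes(h: Hierarchy) -> Set[str]:
    """Every node of the hierarchy, internal nodes and leaves alike."""
    ns = set(h)
    for kids in h.values():
        ns.update(kids)
    return ns


def leaves(h: Hierarchy, n: str) -> Set[str]:
    """Leaves below n (n itself if it is a leaf): the 'worlds' reachable from n."""
    kids = h.get(n, ())
    if not kids:
        return {n}
    out: Set[str] = set()
    for k in kids:
        out |= leaves(h, k)
    return out


def permitted(h: Hierarchy, policy: Policy) -> Set[str]:
    """Leaves a policy allows: naming a node permits everything beneath it."""
    out: Set[str] = set()
    for p in policy:
        out |= leaves(h, p)
    return out


def box_disclose(h: Hierarchy, policy: Policy, n: str) -> bool:
    """n ||- []Disclose: the provider may disclose ALL components of n (provider's question)."""
    return leaves(h, n) <= permitted(h, policy)


def diamond_disclose(h: Hierarchy, policy: Policy, n: str) -> bool:
    """n ||- <>Disclose: the provider may disclose SOME component of n (consumer's question)."""
    return bool(leaves(h, n) & permitted(h, policy))


def enforces(h: Hierarchy, q: Policy, p: Policy) -> bool:
    """q enforces p: every <>Disclose formula true of q is also true of p (slide 18),
    so a consumer who accepted p is not surprised by anything q allows."""
    return all(diamond_disclose(h, p, n) for n in nodes(h) if diamond_disclose(h, q, n))


def summary_frontier(h: Hierarchy, max_depth: int) -> Set[str]:
    """Deepest nodes of the hierarchy cut at max_depth (assumed: depth = number of dots)."""
    vocab = {n for n in nodes(h) if n.count(".") <= max_depth}
    return {n for n in vocab if not any(k in vocab for k in h.get(n, ()))}


def summarize(h: Hierarchy, detailed: Policy, max_depth: int) -> Policy:
    """Least permissive summary policy that `detailed` enforces (slide 13): a summary
    node is promised only where <>Disclose already holds of the detailed policy."""
    return frozenset(s for s in summary_frontier(h, max_depth)
                     if diamond_disclose(h, detailed, s))


# Constructed detailed (EPAL-level) policy: given and family name and job title
# may be disclosed; middle name and birth date may not.
EPAL: Policy = frozenset({"user.name.given", "user.name.family", "user.jobtitle"})
P3P: Policy = summarize(HIERARCHY, EPAL, 1)        # {"user.name", "user.jobtitle"}
COMPACT: Policy = summarize(HIERARCHY, P3P, 0)     # {"user"}

if __name__ == "__main__":
    # Slides 7-8: same policy, different questions, different answers.
    print("provider, []Disclose at user:", box_disclose(HIERARCHY, P3P, "user"))      # False
    print("consumer, <>Disclose at user:", diamond_disclose(HIERARCHY, P3P, "user"))  # True
    # Slide 19: the enforcement chain is transitive.
    print("EPAL enforces P3P:", enforces(HIERARCHY, EPAL, P3P))          # True
    print("P3P enforces compact:", enforces(HIERARCHY, P3P, COMPACT))    # True
    print("EPAL enforces compact:", enforces(HIERARCHY, EPAL, COMPACT))  # True
    # Slide 3's hazard: a P3P promise the operative EPAL policy does not enforce.
    print("EPAL enforces {user.name}:",
          enforces(HIERARCHY, EPAL, frozenset({"user.name"})))           # False
```

In this single-action toy the enforces check reduces to "every leaf q permits is also permitted by p"; the modal form is kept because it is the definition the slides give, and it states directly why the consumer's ◊ reasoning about the summary carries over to the detailed policy. The summary is least permissive in the sense that dropping any promised node would make some ◊Disclose formula true of EPAL but false of the summary; promising a higher node (e.g. `user`) is still enforced but permits more leaves, which is exactly the upper bound the consumer sees when accepting a compact policy.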

  20. Projection Algorithm (con’t)
