S4P: SecPAL for Privacy
Moritz Becker (MSRC, Cambridge), Alexander Malkis (IMDEA, Madrid), Laurent Bussard (EMIC, Aachen)
Scenario
Privacy Pref (user): TravelBooking services
• Can use my e-mail address for confirmation
• Must delete my e-mail address within 1 year
Privacy Pol (service):
• Is a TravelBooking
• Want to use e-mail for confirmation
• Promise to delete e-mail within 6 months
1) User perspective (matching privacy)
• 1.1) Fix Pref, Pol
• 1.2) Pol sat Pref?
• 1.3) data, pref → PIIs
2) Service perspective (enforcing privacy)
• 2.1) Sending allowed by Pol?
• 2.2) Pol2 sat Pref?
• 2.3) data, pref → Collected PII
• 2.4) Sending allowed by Pol2?
• 2.5) Pol4 sat Pref?
• 2.6) data, pref
3) Auditor perspective (controlling privacy)
• 3.1) Traces comply with Pol?
(Diagram labels: Pref, Pol, Pol2, Pol3, Pol4, traces)
Preference
• ❬Svc❭ will allow Alice to EditParentalControls? ∧ Alice says ❬Svc❭ complies with COPPA? (1)
• Alice says x can say y complies with COPPA if x is member of COPPACompliancySchemes (2)
• Alice says FTC can say x is member of COPPACompliancySchemes (3)
• FTC says TRUSTe is member of COPPACompliancySchemes (4)
• Alice says ❬Svc❭ may use Cookies for x if ❬Svc❭ will revoke Cookies within t where t ≤ 5yr (5)
• Alice says ❬Svc❭ can say ❬Svc❭ will revoke Cookies within t (6)
• Alice says ❬Svc❭ may allow Alice to action object (7)
• Alice says ❬Svc❭ may revoke Cookies within t (8)
• Alice says Alice is using software MSNClient version 9.5 (9)
Policy
• TRUSTe says MS complies with COPPA (10)
• MS says MS will allow ❬Usr❭ to EditParentalControls if ❬Usr❭ is member of msntype, msntype supports ParentalControls, ❬Usr❭ is using software MSNClient version v, where v ≤ 9.5 (11)
• MS says MSNPremium supports ParentalControls (12)
• MS says MSNPlus supports ParentalControls (13)
• MS says MSN can say x is member of g where g ∈ {MSN, MSNPremium, MSNPlus} (15)
• MSN says Alice is member of MSNPremium (16)
• MS says ❬Usr❭ can say ❬Usr❭ is using software MSNClient version v (17)
• MS says MS will revoke Cookies within 2yr (18)
• ❬Usr❭ says MS may use Cookies for AdTracking? ∧ ❬Usr❭ says MS may revoke Cookies within 2yr? ∧ ❬Usr❭ says MS may allow ❬Usr❭ to EditParentalControls? (19)
Query: Alice says MS may use Cookies for AdTracking?
Step 1 (delegation):
• MS says MS will revoke Cookies within 2yr (18)
• + Alice says MS can say MS will revoke Cookies within t (6)
• ⇒ Alice says MS will revoke Cookies within 2yr
Step 2 (conditional assertion with constraint):
• Alice says MS will revoke Cookies within 2yr
• + Alice says MS may use Cookies for x if MS will revoke Cookies within t where t ≤ 5yr (5)
• + 2yr ≤ 5yr
• ⇒ Alice says MS may use Cookies for AdTracking
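The two-step derivation above, run by a small forward-chaining evaluator for S4P-style assertions. This is an added example, not code from the slides or from the authors' S4P implementation; it assumes variables are strings starting with "?", durations are integers in months (2yr = 24, 5yr = 60), conditions are matched against facts the same issuer already says, and "A says B can say F" together with "B says F" yields "A says F".

```python
def unify(pattern, fact, env):
    """Match a tuple pattern (variables start with '?') against a fact."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if isinstance(p, str) and p.startswith("?"):
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env

def subst(term, env):
    return tuple(env.get(x, x) if isinstance(x, str) else x for x in term)

def derive(assertions):
    """Fixpoint of (issuer, fact) pairs. An assertion is (issuer, head, conds,
    constraint); conds are matched against facts the same issuer already says,
    and 'A says B can say F' plus 'B says F' yields 'A says F' (delegation)."""
    known, changed = set(), True
    while changed:
        changed = False
        for issuer, head, conds, constraint in assertions:
            envs = [{}]
            for cond in conds:
                envs = [e2 for e in envs for iss, f in known
                        if iss == issuer and (e2 := unify(cond, f, e)) is not None]
            for env in envs:
                if constraint(env) and (issuer, subst(head, env)) not in known:
                    known.add((issuer, subst(head, env))); changed = True
        for a, f1 in list(known):                      # delegation step
            if f1[0] == "can say":
                for b, f2 in list(known):
                    if b == f1[1] and unify(f1[2], f2, {}) is not None and (a, f2) not in known:
                        known.add((a, f2)); changed = True
    return known

def says(known, issuer, query):
    """Does 'issuer says query' hold? Known facts may still contain variables."""
    return any(unify(f, query, {}) is not None for i, f in known if i == issuer)

def s4p_example(revoke_months):
    """Assertions (18), (6), (5) from the slides; revoke_months is a constructed input."""
    assertions = [
        ("MS", ("will revoke", "MS", "Cookies", revoke_months), [], lambda e: True),            # (18)
        ("Alice", ("can say", "MS", ("will revoke", "MS", "Cookies", "?t")), [], lambda e: True),  # (6)
        ("Alice", ("may use", "MS", "Cookies", "?x"),
         [("will revoke", "MS", "Cookies", "?t")], lambda e: e["?t"] <= 60),                      # (5)
    ]
    return says(derive(assertions), "Alice", ("may use", "MS", "Cookies", "AdTracking"))
```

With the 2yr promise of (18) the query succeeds; a promise longer than 5yr violates the constraint of (5) and the query fails.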
Behaviours of a trace satisfying the preference
• Alice says MS may: allow Alice to x y, revoke Cookies within x, use Cookies for x
• MS says MS will: allow Alice to EditParentalControls?
Behaviours of a trace satisfying the policy
• Alice says MS may: allow Alice to EditParentalControls?, revoke Cookies within 2yr?, use Cookies for AdTracking?
• MS says MS will: allow Alice to EditParentalControls, revoke Cookies within 2yr
Preference satisfies policy (diagram): Policy traces ⊆ Preference traces
U → S
• Choose Pref, Pol
• Check Pref ⊧ Pol
• S keeps a copy of instantiated Pref, Pol, and uninstantiated Pref
S → S’ ❬send Email to Marketing❭ Beh
• Does Pol(S) allow ❬send…❭?
• Check Pref(U) ⊧ Pol(S’)
• S’ keeps a copy of instantiated Pref(U), Pol(S’), and uninstantiated Pref(U)
Policy evolution
• S wants:
  • Disclose to a previously unknown party, or
  • Not to notify the user despite having promised so
• User feels ok if the preference is still satisfied
• S has to:
  • Amend the policy such that the new behaviours comply and check Pref ⊧ NewPol, or
  • Continue complying with OldPol
Guarantees: U → S (and policy evolves)
• If PII at S, then U has sent it before.
• If trace of S complies with (current) Pol, then trace of S complies with Pref
Guarantees: U → S, S → S’ (and policy evolves)
• If PII at S’, then
  • U has sent PII to S’, or
  • some S has sent PII to S’, and if trace of S complies with its (current) Pol, then ❬send PII to S’❭ allowed by Pref