1 / 15

S 4 P SecPAL for Privacy

S 4 P SecPAL for Privacy. Moritz Becker MSRC, Cambridge Alexander Malkis IMDEA, Madrid Laurent Bussard EMIC, Aachen. Scenario. 2.1) S ending allowed by Pol ?. Privacy Pref : TravelBooking services Can use my e-mail address for confirmation

olin
Télécharger la présentation

S 4 P SecPAL for Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. S4PSecPAL for Privacy Moritz Becker MSRC, Cambridge Alexander Malkis IMDEA, Madrid Laurent Bussard EMIC, Aachen

  2. Scenario • 2.1) Sending allowed by Pol ? Privacy Pref: TravelBooking services • Can use my e-mail address for confirmation • Must delete my e-mail address within 1 year • Privacy Pol: • Is a TravelBooking • Want to use e-mail for confirmation • Promise todelete e-mail within 6 months 1.1) Fix Pref, Pol 2.2) Pol2 sat Pref? Pol2 1.2) Pol sat Pref ? Pref. Privacy Preferences Pol. Privacy Policy • 2.3) data,pref Collected PII • 1.3) data,pref PIIs • 2.4) Sending allowed by Pol2 ? • 3.1) Traces comply with Pol ? • 2.6) data,pref 2.5) Pol4 sat Pref ? traces Pol4 1) User perspective(matching privacy) 2) Service perspective(enforcing privacy) 3) Auditor perspective(controlling privacy) Pol3

  3. Preference • ❬Svc❭will allow Alice to EditParentalControls ? ∧ Alicesays❬Svc❭ complies with COPPA ? (1) • Alicesaysxcan sayy complies with COPPA if xis member of COPPACompliancySchemes (2) • AlicesaysFTCcan sayx is member of COPPACompliancySchemes (3) • FTCsaysTRUSTe is member of COPPACompliancySchemes (4) • Alicesays❬Svc❭may use Cookies for x if ❬Svc❭will revoke Cookies within t wheret≤ 5yr (5) • Alicesays❬Svc❭can say❬Svc❭ will revoke Cookies within t (6) • Alicesays❬Svc❭may allow Aliceto actionobject (7) • Alicesays❬Svc❭may revoke Cookieswithin t (8) • AlicesaysAliceis using software MSNClient version 9.5 (9)

  4. Policy • TRUSTesaysMS complies with COPPA (10) • MSsaysMSwillallow ❬Usr❭to EditParentalControlsif ❬Usr❭ is member of msntype, msntypesupports ParentalControls, ❬Usr❭ is using software MSNClient version v, wherev≤ 9.5 (11) • MSsaysMSNPremium supports ParentalControls(12) • MSsaysMSNPlus supports ParentalControls(13) • MSsaysMSNcan sayxis member of g whereg{MSN,MSNPremium,MSNPlus} (15) • MSNsaysAlice is member of MSNPremium(16) • MSsays❬Usr❭ can say ❬Usr❭ is using software MSNClient version v (17) • MSsaysMSwill revoke Cookies within 2yr(18) • ❬Usr❭ saysMSmay use Cookies for AdTracking?∧ ❬Usr❭ saysMSmay revoke Cookies within 2yr? ∧ ❬Usr❭ saysMSmay allow ❬Usr❭ toEditParentalControls? (19)

  5. AlicesaysMSmayuse Cookies for AdTracking ? MSsaysMSwill revoke Cookies within 2yr (18) + AlicesaysMScan sayMSwillrevoke Cookieswithin t (6)  AlicesaysMSwill revoke Cookies within 2yr

  6. AlicesaysMSmayuse Cookies for AdTracking ? AlicesaysMSwill revoke Cookies within 2yr + AlicesaysMSmay use Cookies for x if MSwill revoke Cookies within t wheret≤ 5yr (5) + 2yr ≤ 5yr  AlicesaysMSmay use Cookiesfor AdTracking

  7. Behaviours of a tracesatisfying preference AlicesaysMSmay: allowAlicetoxy,revokeCookieswithinx,use Cookiesforx MSsaysMSwill:allow AlicetoEditParentalControls?

  8. Behaviours of a tracesatisfying policy AlicesaysMSmay: allow Alice toEditParentalControls ?,revoke Cookies within 2yr ?,use CookiesforAdTracking? MSsaysMSwill:allow AlicetoEditParentalControls,revoke Cookies within 2yr

  9. Preference satisfies policy  Policy traces  Preference traces

  10. U → S • ChoosePref, Pol • CheckPref⊧Pol • S keeps a copy ofinstantiatedPref, Pol,and uninstantiatedPref

  11. S → S’ ❬sendEmailtoMarketing❭Beh • Does Pol(S) allow❬send…❭ • CheckPref(U)⊧Pol(S’) • S’ keeps a copy ofinstantiatedPref(U), Pol(S’),and uninstantiatedPref(U)

  12. Policy evolution • S wants: • Disclosetopreviouslyunknownpartyor • Nottonotifytheuserdespitehavingpromised so • Userfeels ok, ifpreferenceisstillsatisfied • S has to: • Amendpolicysuchthat new behaviourscomplyand checkPref⊧NewPol, or • ContinuecomplyingwithOldPol

  13. Guarantees: U → S (and policy evolves) • If PII at S, then U has sentitbefore. • If trace of S complieswith (current) Pol, then trace of S complieswithPref

  14. Guarantees:U→S, S→S’ (and policy evolves) • If PII at S’, then • U has sent PII to S’, or • some S has sent PII to S’, and If trace of S complieswithits (current) Pol, then❬sendPIItoS’❭ allowed by Pref

  15. S4PSecPAL for Privacy Moritz Becker MSRC, Cambridge Alexander Malkis IMDEA, Madrid Laurent Bussard EMIC, Aachen

More Related