1. Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford), and Helen Nissenbaum (NYU) TRUST Winter Retreat January 2006

2. Broad Goal uProtect privacy State and enforce restrictions on use of data Using a formal policy language uExample: Systems enforcing the HIPAA rule for medical privacy

3. Outline Framework for privacy: Contextual integrity Formalization in Linear Temporal Logic Policy Relations and Operations Application to privacy laws: HIPAA, GLBA, COPPA Related Work RBAC, XACML, P3P, EPAL Future Work Connections with database privacy

4. Contextual Integrity [Nissenbaum04] Philosophical account of privacy Transfer of information between agents “Alice give Bob information about Charlie” Agents abstracted into roles (e.g. doctor, patient) Particular information abstracted into types (e.g., height, age, medical condition) Norms state what is allowed and what is disallowed Transmission principles impose past and future requirements on history of agent interaction

5. Formalization in Temporal Logic Syntax of logic Formula representing contextual norms where norm + and norms - are as follows

6. Policy Operations and Relations Policy consistency reduces to LTL satisfiability Refinement of policies reduces to logical implication Combination is then conjunction and disjunction Strong compliance reduces to satisfiability Weak compliance computable efficiently using techniques from LTL runtime verification Standard automated LTL tools are applicable

7. Applications Example from HIPAA Privacy Rule Covered entities (e.g. hospitals) can give protected health information about patients to health care providers Sender role: Covered entity Recipient role: Health care provider Subject role: Patient Information type: Protected health information Legislative statement expressed as positive norm Positive norms enumerate permissible actions

8. Applications Example from GLBA Privacy Rule Financial institutions must notify consumers if they share their non-public personal information with non- affiliated companies, but the notification may occur either before or after the information sharing occurs. Sender role: Financial institution Recipient role: Non-affiliated company Subject role: Consumer Information type: Non-public personal information Temporal condition: Notify data subject Legislative statement expressed as negative norm

9. Related Work ModelSenderRecipientSubjectAttributesPastFutureCombination RBACRoleIdentity  XACMLFlexible o  o  EPALFixedRoleFixed  o  P3PFixedRoleFixed  o  o CIRole 

10. Related Work RBAC lacks notion of “attribute” Insufficient for expressing privacy policies XACML does not correctly handle permission inheritance across data hierarchy EPAL contains only negative norms and uninterpreted temporal conditions Cannot express GLBA example because it contains a temporal condition that restricts both past and future actions Cannot answer consistency or strong compliance queries P3P contains only simple “opt-in” / “opt-out” temporal conditions CI can express most conditions from HIPAA, GLBA, and COPPA Fails to capture some group privacy provisions

11. Conclusions and Future Work Framework for privacy: Starting point: Contextual integrity – a philosophical account of privacy. Core: principles of transmission of personal information between agents Formalization in Linear Temporal Logic Consistency, refinement, combination, compliance reduce to standard LTL problems Application to privacy laws: HIPAA, GLBA, COPPA,… Future Work: Combine privacy policy work with database privacy work – Include data value in addition to data type – Extend attributes from individuals to groups – Interpret concepts like “de-identified information”