
1 Enterprise Privacy Promises and Enforcement
Adam Barth, John C. Mitchell

2 Formal Languages for Privacy
- Protect privacy
  - State and enforce restrictions on the use of data
  - Using a formal policy language
- Existing formal languages for privacy
  - W3C's Platform for Privacy Preferences (P3P)
  - IBM's Enterprise Privacy Authorization Language (EPAL)
- No connection between P3P and EPAL policies
- State and prove a precise connection
  - Unified, data-centric model for privacy policies

3 Current Usage Scenario
[Diagram: the service provider transmits a P3P policy, which configures the consumer's user agent; the consumer reveals personal information (accepts) or rejects; the service provider merely "respects" a separate EPAL policy.]
The consumer bases her decision on the announced P3P policy, which is not formally related to the operative EPAL policy.

4 Proposed Usage Scenario
[Diagram: the service provider generates its P3P policy from its EPAL policy and enforces the EPAL policy; the transmitted P3P policy is accepted by the user agent, which the consumer has configured with an APPEL preference.]
The service provider's use of the consumer's personal information respects the consumer's preference.

5 Data Hierarchies for Privacy
[Diagram: data hierarchy with example values]
user
  bdate.ymd (July 9, 1946)
    year, month, day
  name (George Walker Bush)
    given, middle, family
  jobtitle (United States President)

6 Policies As Sets of Promises
[Data hierarchy figure from slide 5]
- View a privacy policy as a set of promises made by a service provider to a consumer
  - "I will not disclose your birth date, but I might disclose your name."

7 Can "user" data be disclosed?
[Data hierarchy figure from slide 5]
- Service provider reasons:
  - "If I disclose user information, I would disclose the user's birth date and violate my promise."
- He concludes: No

8 Can "user" data be disclosed?
[Data hierarchy figure from slide 5]
- Consumer reasons:
  - "The service provider might disclose my name, and in doing so, he would disclose my user information."
- She concludes: Yes

9 Actually Asking Different Questions
- Service providers and consumers are actually asking different questions:
  - Service provider: can I disclose all data?
  - Consumer: can he disclose some data?
- Formalize as modalities over the data hierarchy
- Semantics of policies as Kripke frames
- "Enforces" defined by comparing modal theories, ensuring reasoning carries over

10 Application: Compact Policies
- P3P compact policies are terse policy summaries for use in HTTP headers
- The W3C definition of compact policies agrees with our model
  - Policies enforce their compact representation
- We give compact policies clear semantics
  - Terms in a compact policy represent the values of certain ◊ terms in our modal logic
  - Terms answer common consumer queries

11 Application: Privacy Preferences
- Consumer configures user agent with a preference
- Two languages proposed
  - APPEL
  - XPref
- Both can express non-guaranteed preferences
  - "Block web sites that do not telemarket."
[Diagram: from less restrictive to more restrictive: APPEL or XPref preference, P3P policy, EPAL policy, actual practices; each "enforces" the one before it, and the preference accepts or rejects the policy.]

13 Policy Summarization Algorithm
- Motivation: leverage the effort spent writing a detailed enforcement policy to generate a policy summary
- Criteria for the generated policy summary:
  - Enforced by the detailed policy
  - Least permissive such policy
- We provide an algorithm for generating such policy summaries
  - Intuition: walk up the summary data hierarchy and ensure all necessary formulae hold

14 Conclusion
- Proposed a uniform model for privacy
- Connected privacy promises with privacy enforcement
- Defined clear semantics for P3P compact policies
- Discovered anomalies in APPEL and XPref
- Provided an algorithm for summarizing detailed policies (e.g. translating EPAL into P3P)
- In privacy, it is important to consider the differing perspectives of the principals involved

15 Questions?

16 Enforces Relation
- Policy q enforces policy p if every user agent that accepts p also accepts policy q
- If a service provider's EPAL policy enforces its P3P policy, a consumer who accepts the P3P policy will also accept the operative EPAL policy
[Diagram: policy q "enforces" policy p; the user agent's acceptance of p implies acceptance of q.]

17 Modalities Reflect Perspectives
- Formalize perspectives using modal logic
- Modalities (□ and ◊) over the data hierarchy
- Postal address ||- □ Disclose
  - Service provider may disclose all components of the consumer's postal address
  - Reflects the service provider's perspective
- Postal address ||- ◊ Disclose
  - Service provider may disclose some components of the consumer's postal address
  - Reflects the consumer's perspective

18 Enforcing Privacy Promises
- Consumers use a class of modal formulae in reasoning about a policy
- Formally define "enforces" using modal logic
  - q enforces p if all such positive modal formulae true of q are also true of p
- Ensures that reasoning carries over from the enforced to the enforcing policy
- Generalizes previous privacy policy relations

19 Transitivity of Enforcement
- The enforcement relation is transitive
- Consumer can use the compact policy to bound the full policy
- The full P3P policy, in turn, bounds the operative EPAL policy
[Diagram: from less restrictive / less detailed to more restrictive / more detailed: compact policy, P3P policy, EPAL policy, actual practices; each enforces the one before it.]
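The following is an added example, not code from the paper or its authors. It models the data hierarchy of slide 5 as a tree, a policy as the set of leaf data items the provider promises it may disclose, the □/◊ modalities of slide 17 (the provider's "all" versus the consumer's "some" question from slides 7 and 8), the "enforces" relation of slide 18 restricted to positive ◊Disclose formulae, the least-permissive summarization of slide 13, and the transitivity of slide 19 via a one-node compact hierarchy. The hierarchies DETAILED, SUMMARY and COMPACT, the policy NAME_ONLY, and all function names are constructed for this illustration.

```python
"""Toy data-centric privacy policy model (added example, not the paper's code).

A hierarchy maps each data node to its children; a policy is the set of leaf
nodes the service provider promises it *may* disclose.  All hierarchies and
policies here are constructed for the illustration.
"""

# Detailed (EPAL-style) hierarchy, after slide 5: parent -> children.
DETAILED = {
    "user": ["bdate.ymd", "name", "jobtitle"],
    "bdate.ymd": ["year", "month", "day"],
    "name": ["given", "middle", "family"],
    "jobtitle": [],
    "year": [], "month": [], "day": [],
    "given": [], "middle": [], "family": [],
}

# Coarser (P3P-style) summary hierarchy: same categories, no sub-fields.
SUMMARY = {
    "user": ["bdate.ymd", "name", "jobtitle"],
    "bdate.ymd": [], "name": [], "jobtitle": [],
}

# Compact-policy hierarchy: a single "user" category (constructed).
COMPACT = {"user": []}

# Slide 6's promise, "I will not disclose your birth date, but I might
# disclose your name", rendered as a constructed detailed policy that
# permits only two of the three name components.
NAME_ONLY = {"given", "family"}


def leaves(hier, node):
    """Leaf data items reachable from `node` (the node itself if it is a leaf)."""
    kids = hier[node]
    if not kids:
        return {node}
    out = set()
    for k in kids:
        out |= leaves(hier, k)
    return out


def box_disclose(hier, policy, node):
    """node ||- []Disclose: the provider may disclose *all* data under node
    (the service provider's question on slide 7)."""
    return leaves(hier, node) <= policy


def diamond_disclose(hier, policy, node):
    """node ||- <>Disclose: the provider may disclose *some* data under node
    (the consumer's question on slide 8)."""
    return bool(leaves(hier, node) & policy)


def enforces(q_hier, q, p_hier, p):
    """q enforces p (slide 18): every positive formula n ||- <>Disclose that
    holds of q also holds of p, for every node n the two hierarchies share."""
    shared = set(q_hier) & set(p_hier)
    return all(
        diamond_disclose(p_hier, p, n)
        for n in shared
        if diamond_disclose(q_hier, q, n)
    )


def summarize(q_hier, q, p_hier):
    """Least permissive summary policy enforced by detailed policy q (slide 13).

    A summary leaf is admitted exactly when q may disclose some datum beneath
    it; <>Disclose at the summary's interior nodes then follows by walking up
    the tree, so the consumer's reasoning carries over with no extra promise.
    """
    return {s for s in p_hier if not p_hier[s] and diamond_disclose(q_hier, q, s)}


if __name__ == "__main__":
    for node in ("user", "name", "bdate.ymd"):
        print(node, "[]Disclose:", box_disclose(DETAILED, NAME_ONLY, node),
              "<>Disclose:", diamond_disclose(DETAILED, NAME_ONLY, node))
    p3p = summarize(DETAILED, NAME_ONLY, SUMMARY)
    print("summary policy:", sorted(p3p),
          "enforced by detailed policy:", enforces(DETAILED, NAME_ONLY, SUMMARY, p3p))
    compact = summarize(SUMMARY, p3p, COMPACT)
    print("compact policy:", sorted(compact),
          "enforced transitively:", enforces(DETAILED, NAME_ONLY, COMPACT, compact))
```

With NAME_ONLY, "user" fails □Disclose (the provider's "No" on slide 7) but satisfies ◊Disclose (the consumer's "Yes" on slide 8). The summary {name} is enforced by the detailed policy, a summary of {jobtitle} is not (it would hide a disclosure the consumer can reason about), and the more permissive {name, jobtitle} is also enforced, which is why the algorithm returns the smallest such set.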

20 Projection Algorithm (con’t)

