Abstract
Privacy has become a significant concern in modern society as personal information about individuals is increasingly collected, used, and shared, often using digital technologies, by a wide range of organizations. To mitigate privacy concerns, organizations are required to respect privacy laws in regulated sectors (e.g., HIPAA in healthcare, GLBA in the financial sector) and to adhere to self-declared privacy policies in self-regulated sectors (e.g., the privacy policies of companies such as Google and Facebook in Web services). This article provides an overview of a body of work on formalizing and enforcing privacy policies. We formalize privacy policies that prescribe and proscribe flows of personal information, as well as those that restrict the purposes for which a governed entity may use personal information. Recognizing that traditional preventive access control and information flow control mechanisms are inadequate for enforcing such privacy policies, we develop principled accountability mechanisms that seek to encourage policy-compliant behavior by detecting policy violations, assigning blame, and punishing violators. We apply these techniques to several U.S. privacy laws and organizational privacy policies, in particular producing the first complete logical specification and audit of all disclosure-related clauses of the HIPAA Privacy Rule.
This work was partially supported by the NSF Science and Technology Center TRUST, the NSF Trustworthy Computing grant “Privacy Policy Specification and Enforcement: Information Use and Purpose,” and HHS Grant no. HHS 90TR0003/01. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity.
© 2014 Springer International Publishing Switzerland
Datta, A. (2014). Privacy through Accountability: A Computer Science Perspective. In: Natarajan, R. (eds) Distributed Computing and Internet Technology. ICDCIT 2014. Lecture Notes in Computer Science, vol 8337. Springer, Cham. https://doi.org/10.1007/978-3-319-04483-5_5
DOI: https://doi.org/10.1007/978-3-319-04483-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-04482-8
Online ISBN: 978-3-319-04483-5