Abstract
Privacy policies in sectors as diverse as Web services, finance and healthcare often place restrictions on the purposes for which a governed entity may use personal information. Thus, automated methods for enforcing privacy policies require a semantics of purpose restrictions to determine whether a governed agent used information for a purpose. We provide such a semantics using a formalism based on planning. We model planning using Partially Observable Markov Decision Processes (POMDPs), which supports an explicit model of information. We argue that information use is for a purpose if and only if the information is used while planning to optimize the satisfaction of that purpose under the POMDP model. We determine information use by simulating ignorance of the information prohibited by the purpose restriction, which we relate to noninterference. We use this semantics to develop a sound audit algorithm to automate the enforcement of purpose restrictions.
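The criterion the abstract states, worked through on a constructed example; this is added illustration, not code from the paper or its authors, and it does not reproduce the paper's audit algorithm. A tiny POMDP models a patient with a hidden allergy; the restricted information is the lab result an agent sees after running a test; two purposes ("treatment" and "marketing") are two reward functions. The audit simulates ignorance by cutting the observation channel and asks whether the purpose-optimal plan changes. Every name, probability and reward below is an assumption.

```python
"""Constructed toy POMDP for a purpose-restriction audit (added example, not the paper's code).

Hidden state: whether a patient is allergic to drug_x. The restricted information is
the lab result the agent observes after the 'test' action. Two purposes are modelled as
two reward functions, 'treatment' and 'marketing'. The audit simulates ignorance of the
lab result and asks whether the optimal plan for a purpose changes without it.
"""

STATES = ("allergic", "not_allergic", "done")
ACTIONS = ("test", "drug_x", "drug_y", "mail_ad")
OBS = ("pos", "neg", "none")
TEST_ACCURACY = 0.9   # assumed sensitivity/specificity of the lab test
TEST_COST = 0.1       # assumed cost of running the test, charged under every purpose
PRIOR = {"allergic": 0.3, "not_allergic": 0.7, "done": 0.0}  # constructed prior belief

# Purpose-specific rewards (assumed values); missing entries are 0.
PURPOSE_REWARDS = {
    "treatment": {"drug_x": {"allergic": -2.0, "not_allergic": 1.0},
                  "drug_y": {"allergic": 0.5, "not_allergic": 0.5}},
    "marketing": {"mail_ad": {"allergic": 1.0, "not_allergic": 1.0}},
}


def reward(purpose, state, action):
    """Immediate reward of `action` in `state` when optimizing `purpose`."""
    if state == "done":
        return 0.0
    if action == "test":
        return -TEST_COST
    return PURPOSE_REWARDS[purpose].get(action, {}).get(state, 0.0)


def transition(state, action):
    """'test' leaves the patient state unchanged; any other action ends the episode."""
    if state == "done" or action != "test":
        return {"done": 1.0}
    return {state: 1.0}


def observe(next_state, action, informative):
    """Observation distribution. Only 'test' yields a lab result; under simulated
    ignorance (informative=False) the channel carries nothing, as if the agent had
    never seen the result."""
    if action != "test" or next_state == "done" or not informative:
        return {"none": 1.0}
    p_pos = TEST_ACCURACY if next_state == "allergic" else 1.0 - TEST_ACCURACY
    return {"pos": p_pos, "neg": 1.0 - p_pos}


def belief_after(belief, action, obs, informative):
    """Bayesian belief update; returns (posterior, probability of observing obs)."""
    joint = {}
    for s2 in STATES:
        predicted = sum(p * transition(s, action).get(s2, 0.0) for s, p in belief.items())
        joint[s2] = predicted * observe(s2, action, informative).get(obs, 0.0)
    norm = sum(joint.values())
    if norm == 0.0:
        return None, 0.0
    return {s: p / norm for s, p in joint.items()}, norm


def plan(belief, horizon, purpose, informative=True):
    """Exact finite-horizon planning by enumerating action/observation branches.
    Returns (expected reward, first action, {observation: next action})."""
    if horizon == 0 or belief.get("done", 0.0) >= 1.0 - 1e-12:
        return 0.0, None, {}
    best = (float("-inf"), None, {})
    for action in ACTIONS:
        value = sum(p * reward(purpose, s, action) for s, p in belief.items())
        contingent = {}
        for obs in OBS:
            posterior, prob = belief_after(belief, action, obs, informative)
            if prob > 0.0:
                sub_value, sub_action, _ = plan(posterior, horizon - 1, purpose, informative)
                value += prob * sub_value
                if sub_action is not None:
                    contingent[obs] = sub_action
        if value > best[0] + 1e-12:
            best = (value, action, contingent)
    return best


def information_used_for(purpose, prior=PRIOR, horizon=2):
    """Simplified rendering of the abstract's criterion: the lab result is used for
    `purpose` iff the purpose-optimal plan differs once ignorance of the result is
    simulated, i.e. the restricted observation interferes with the planner's choice."""
    with_info = plan(prior, horizon, purpose, informative=True)
    ignorant = plan(prior, horizon, purpose, informative=False)
    return with_info[1:] != ignorant[1:]


if __name__ == "__main__":
    for purpose in ("treatment", "marketing"):
        print(purpose, plan(PRIOR, 2, purpose)[1:],
              "uses lab result:", information_used_for(purpose))
```

Under the treatment purpose the optimal plan is to run the test and then choose the drug according to the result, whereas the plan computed under simulated ignorance skips the test and prescribes drug_y outright; the two plans differ, so the lab result is used for treatment. Under the marketing purpose the optimal first action is mail_ad with or without the result, so the same check reports that the result is not used for marketing. The `informative` flag is the one place where ignorance is simulated; everything else is an ordinary belief-space planner.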
This research was supported by the U.S. Army Research Office grants DAAD19-02-1-0389 and W911NF-09-1-0273 to CyLab, by the National Science Foundation (NSF) grants CCF0424422 and CNS1064688, and by the U.S. Department of Health and Human Services grant HHS 90TR0003/01. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity.
© 2013 Springer-Verlag Berlin Heidelberg
Tschantz, M.C., Datta, A., Wing, J.M. (2013). Purpose Restrictions on Information Use. In: Crampton, J., Jajodia, S., Mayes, K. (eds) Computer Security – ESORICS 2013. ESORICS 2013. Lecture Notes in Computer Science, vol 8134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40203-6_34
DOI: https://doi.org/10.1007/978-3-642-40203-6_34
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40202-9
Online ISBN: 978-3-642-40203-6