Privacy and Contextual Integrity: Framework and Applications - PowerPoint PPT Presentation

Slides: 21
Provided by: digC
Learn more at: http://dig.csail.mit.edu

Transcript and Presenter's Notes

1
Privacy and Contextual Integrity: Framework and Applications
  • Adam Barth, Anupam Datta, John C. Mitchell
    (Stanford)
  • Helen Nissenbaum (NYU)

2
Privacy in Health Care
[Diagram: actors and systems in health-care information flows: Doctor, Specialist, Electronic Health Record, Patient Portal, HIPAA Compliance, Insurer, Patient]
3
Broad Goal
  • Protect privacy
    • Can a banker tell a marketer a customer's address?
  • Express policy precisely
    • Enterprise privacy policies
    • Privacy provisions from legislation
  • Analyze privacy policies
    • Does an action comply with a policy?
    • Does a policy enforce the law?

4
Approach
  • Privacy model
    • Agents communicating about each other
  • Logic over model
    • Linear temporal logic
    • Policies as logical formulas
    • Control expressive power
  • Apply logical tools
    • Leverage LTL research

5
Contextual Integrity
  • Philosophical account of privacy
    • Transfer of personal information
    • Describes what people care about
  • Flow governed by norms
    • Agents act in roles in social contexts
    • Rejects public/private dichotomy
  • Principles of transmission
    • Confidentiality, reciprocity, desert, etc.

6
Privacy Model for CI
[Diagram: Alice sends Bob the message "Charlie's SSN is 078-05-1120"]
  • Restrict messages
    • Messages about subjects
  • Judgments over traces
    • Past and future relevant
  • Agents reason about attributes

7
Access Control vs. Privacy
  • Access control
    • Subject (actor)
    • Object
    • Action
    • Stateless
      • Except Chinese wall
    • Discrete elements
  • Privacy policies
    • Sender
    • Recipient
    • Subject (of message)
    • Attribute
    • Transmission principle
    • Temporal
      • Past: opt-in / opt-out
      • Future: notification
    • Structured attributes

8
Syntax
  • Grammar for logic
    • φ ::= send(p1, p2, m)   p1 sends p2 message m
    • contains(m, q, t)   m contains attribute t about q
    • inrole(p, r)   p is active in role r
    • incontext(p, c)   p is active in context c
    • t ⊑ t′   Attribute t is part of attribute t′
    • ¬ ∧ ∨ → ∀x∈τ.φ   Classical operators
    • φ U ψ, φ S ψ, O φ   Temporal operators
  • Policies use a restricted class of formulas

9
CI Norms and Policies
  • Policy consists of norms
    • (+) inrole(p1, r1) ∧ inrole(p2, r2) ∧ inrole(q, r) ∧ t ⊑ t′ ∧ φ ∧ ψ
    • (−) inrole(p1, r1) ∧ inrole(p2, r2) ∧ inrole(q, r) ∧ t ⊑ t′ ∧ φ → ψ
    • φ is an agent constraint
    • ψ is a temporal condition
  • Norms assembled into policy formula
    • ∀p1,p2,q ∈ P. ∀m ∈ M. ∀t ∈ T. incontext(p1, c) ∧
      send(p1, p2, m) ∧ contains(m, q, t) →
      ( ∨_{norm ∈ norms+(c)} norm ) ∧
      ( ∧_{norm ∈ norms−(c)} norm )

10
Gramm-Leach-Bliley Example
Financial institutions must notify consumers if
they share their non-public personal information
with non-affiliated companies, but the
notification may occur either before or after the
information sharing occurs.
11
Expressiveness of CI
  • Evaluated on privacy laws
    • HIPAA, GLBA, and COPPA
  • Captured most privacy provisions
    • Missed de-identified health info in HIPAA
  • Laws used most features
    • Roughly as expressive as required

12
Structure of Attributes
[Diagram: attribute hierarchy with Health Information at the top, containing Date of Birth, Psychotherapy Notes and Test Results, with Age and Zodiac Sign beneath Date of Birth]
Example norm, annotated with its parts: Health care providers [sender role] can tell patients [recipient role] their [subject role] health information [attribute].
Example norm with a temporal condition: Health care providers can tell patients their psychotherapy notes only if a psychiatrist has approved.
13
Extensional vs. Intentional
  • Extensional semantics
    • Equates policies with judgments
    • Ignores why judgments reached
  • Intentional semantics
    • Policies as list of rules
    • Reason for judgment preserved
  • Extensional combination tricky
    • Attribute inheritance

14
Difficulties in Combination
[Diagram: combining policies that mention Age and Date of Birth, once with AND and once with OR]

15
Refinement and Combination
  • Policy refinement
    • Basic policy relation
    • Does hospital policy enforce HIPAA?
    • P1 refines P2 if P1 → P2
    • Requires careful handling of attribute inheritance
  • Combination becomes logical conjunction
    • Defined in terms of refinement

16
Compliance
[Diagram: a contemplated action is judged against the policy, taking the history into account and producing future requirements]
  • Strong compliance
    • Future requirements after action can be met
    • PSPACE
  • Weak compliance
    • Present requirements met by action
    • Polynomial time
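The norm matching of slide 9, the attribute inheritance of slide 12 and the weak-compliance check of slide 16, worked through as an added Python example (not code from the paper or its authors). The attribute hierarchy, agent names and roles are constructed; the temporal condition ψ is evaluated over an explicit history list standing in for the past-time operators, and strong compliance (whether future requirements remain satisfiable) is not modelled.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed data (not from the paper): attribute hierarchy modelled on slide 12, as child -> parent,
# so t ⊑ t̂ follows parent links; and hypothetical agents with their active roles.
PARENT = {"age": "date_of_birth", "zodiac_sign": "date_of_birth", "date_of_birth": "health_info",
          "test_results": "health_info", "psychotherapy_notes": "health_info"}
ROLES = {"dr_alice": {"provider"}, "dr_carol": {"provider", "psychiatrist"}, "bob": {"patient"}}

def sub_attribute(t: str, t_hat: str) -> bool:
    """t ⊑ t̂: t equals t̂ or sits below it, so a message about t is also about t̂ (inheritance)."""
    while t is not None:
        if t == t_hat:
            return True
        t = PARENT.get(t)
    return False

@dataclass
class Send:  # contemplated action send(p1, p2, m) with contains(m, q, t)
    p1: str; p2: str; q: str; t: str

@dataclass
class Norm:  # roles r1, r2, r; attribute bound t̂; sign (+/-); agent constraint φ; temporal condition ψ
    r1: str; r2: str; r: str; t_hat: str; positive: bool
    phi: Callable[[Send], bool] = lambda a: True
    psi: Callable[[Send, list], bool] = lambda a, history: True

def matches(n: Norm, a: Send) -> bool:
    """inrole(p1, r1) ∧ inrole(p2, r2) ∧ inrole(q, r) ∧ t ⊑ t̂ ∧ φ, evaluated on the action."""
    return (n.r1 in ROLES[a.p1] and n.r2 in ROLES[a.p2] and n.r in ROLES[a.q]
            and sub_attribute(a.t, n.t_hat) and n.phi(a))

def weakly_complies(a: Send, norms: list, history: list) -> bool:
    """Weak compliance: some (+) norm matches with ψ true, and ψ holds for every matching (−) norm."""
    allowed = any(matches(n, a) and n.psi(a, history) for n in norms if n.positive)
    violated = any(matches(n, a) and not n.psi(a, history) for n in norms if not n.positive)
    return allowed and not violated

def psychiatrist_approved(a: Send, history: list) -> bool:
    """ψ for the notes norm: some earlier event is a psychiatrist approving release of q's notes."""
    return any(ev == "approve" and "psychiatrist" in ROLES[actor] and q == a.q and t == "psychotherapy_notes"
               for ev, actor, q, t in history)

# Slide 12's two norms: providers may tell patients their own health information (φ: q = p2), and
# psychotherapy notes may flow only if a psychiatrist approved earlier (a past-time condition ψ).
HEALTH_NORMS = [
    Norm("provider", "patient", "patient", "health_info", True, phi=lambda a: a.q == a.p2),
    Norm("provider", "patient", "patient", "psychotherapy_notes", False, psi=psychiatrist_approved),
]
```

Because the negative norm is matched through t ⊑ t̂, a message about psychotherapy notes is also a message about health information, so the positive norm permits it and the negative norm then decides on the history.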

17
Related Languages
Model  Sender    Recipient  Subject   Attributes  Past  Future  Combination
RBAC   Role      Identity   ?         ?           ?     ?       ?
XACML  Flexible  Flexible   Flexible  o           ?     o       ?
EPAL   Fixed     Role       Fixed     ?           ?     o       ?
P3P    Fixed     Role       Fixed     ?           o     ?       o
CI     Role      Role       Role      ?           ?     ?       ?
  • Legend
    • ? unsupported
    • o partially supported
    • ? fully supported
  • CI fully supports attributes and combination

18
Conclusions
  • Privacy about agents communicating
    • Different model than access control
    • Sender, recipient, subject, attribute, transmission principle
    • Past and future important
  • CI: a language for privacy policies
    • Based on linear temporal logic
    • Expresses most privacy laws
    • Combination and compliance tractable

19
Questions?