A Framework for Expressing and Enforcing Purpose-Based Privacy Policies

Published: 15 August 2014

Abstract

Purpose is a key concept in privacy policies. Although some models have been proposed for enforcing purpose-based privacy policies, little has been done in defining formal semantics for purpose, and therefore an effective enforcement mechanism for such policies has remained a challenge. We have developed a framework for expressing and enforcing such policies by giving a formal definition of purpose and proposing a modal-logic language for formally expressing purpose constraints. The semantics of this language are defined over an abstract model of workflows. Based on this formal framework, we discuss some properties of purpose, show how common forms of purpose constraints can be formalized, how purpose-based constraints can be connected to more general access control policies, and how they can be enforced in a workflow-based information system by extending common access control technologies.
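
The abstract describes purpose constraints whose semantics are given over a workflow model and which are enforced by extending ordinary access control. The following Python is an added illustration, not code from the paper or its authors, and it does not reproduce the paper's modal logic: it assumes a deliberately simplified semantics in which a workflow is a finite transition system over tasks, each task is annotated with the purposes it achieves on completion, and "this access is for purpose p" is read either strictly (every continuation of the running instance reaches a task achieving p) or weakly (some continuation does). The names `Workflow`, `may_serve`, `must_serve`, `PurposeRule`, `decide` and the three sample workflows are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed, simplified semantics (not the paper's definitions): a workflow is a
# finite transition system over tasks; a task "achieves" a purpose on completion.

@dataclass(frozen=True)
class Workflow:
    succ: dict[str, frozenset[str]]   # task -> tasks that may follow it
    goals: dict[str, frozenset[str]]  # task -> purposes it achieves

def may_serve(wf: Workflow, task: str, purpose: str) -> bool:
    """Weak reading (EF): some continuation from `task` reaches a task that
    achieves `purpose`. Plain DFS over the graph, so cycles are harmless."""
    seen, stack = set(), [task]
    while stack:
        t = stack.pop()
        if t in seen:
            continue
        seen.add(t)
        if purpose in wf.goals.get(t, frozenset()):
            return True
        stack.extend(wf.succ.get(t, frozenset()))
    return False

def must_serve(wf: Workflow, task: str, purpose: str) -> bool:
    """Strict reading (AF): every continuation from `task` reaches a task that
    achieves `purpose`. Least fixpoint of S = G u {t : succ(t) != {} and succ(t) <= S};
    a terminal task achieving nothing, or a loop that never leaves, stays out of S."""
    s = {t for t in wf.succ if purpose in wf.goals.get(t, frozenset())}
    changed = True
    while changed:
        changed = False
        for t, nxt in wf.succ.items():
            if t not in s and nxt and nxt <= s:
                s.add(t)
                changed = True
    return task in s

@dataclass(frozen=True)
class PurposeRule:
    """RBAC-style permission (role, action, data) extended with a purpose
    constraint; strict=True uses must_serve, strict=False uses may_serve."""
    role: str
    action: str
    data: str
    allowed_purposes: frozenset[str]
    strict: bool = True

def decide(rules: list[PurposeRule], role: str, action: str, data: str,
           wf: Workflow, task: str) -> str:
    """Reference monitor: ordinary attribute match, then the purpose check is
    evaluated on the instance's workflow position, not on a self-declared purpose."""
    matched = False
    for r in rules:
        if (r.role, r.action, r.data) != (role, action, data):
            continue
        matched = True
        check = must_serve if r.strict else may_serve
        if any(check(wf, task, p) for p in r.allowed_purposes):
            return "Permit"
    return "Deny" if matched else "NotApplicable"

def constructed_workflows() -> dict[str, Workflow]:
    """Constructed sample workflows for the demo (not taken from the paper)."""
    f = frozenset
    return {
        # reading the record is always followed by prescribing (treatment)
        "clinical": Workflow(
            {"admit": f({"read_record"}), "read_record": f({"prescribe"}),
             "prescribe": f({"discharge"}), "discharge": f()},
            {"prescribe": f({"treatment"})}),
        # after reading, the instance may branch into billing instead
        "mixed": Workflow(
            {"admit": f({"read_record"}), "read_record": f({"prescribe", "bill"}),
             "prescribe": f({"discharge"}), "bill": f({"discharge"}), "discharge": f()},
            {"prescribe": f({"treatment"}), "bill": f({"billing"})}),
        # no treatment task is reachable from the read at all
        "billing": Workflow({"read_record": f({"bill"}), "bill": f()},
                            {"bill": f({"billing"})}),
    }

def demo() -> dict[str, str]:
    """Decide 'physician reads medical_record from task read_record' against
    each workflow under the strict and the weak reading."""
    strict = PurposeRule("physician", "read", "medical_record", frozenset({"treatment"}))
    weak = PurposeRule("physician", "read", "medical_record", frozenset({"treatment"}), strict=False)
    out = {}
    for name, wf in constructed_workflows().items():
        args = ("physician", "read", "medical_record", wf, "read_record")
        out[name] = decide([strict], *args)
        out[name + "/weak"] = decide([weak], *args)
    return out

if __name__ == "__main__":
    print(demo())
```

The point to take from it is where the purpose check sits: the monitor never trusts a purpose label carried in the request; it derives the purpose from the position of the access in the workflow instance. The `mixed` workflow shows why the choice of operator matters: a read that may still lead to treatment passes the weak reading but fails the strict one, so a policy author has to decide which reading a "for treatment" clause is meant to have.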

References

  1. A. V. Aho, M. S. Lam, R. Sethi, and J. D. Ullman. 2006. Compilers: Principles, Techniques, and Tools (2nd. Ed.). Addison-Wesley. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. S. S. Al-Fedaghi. 2007. Beyond purpose-based privacy access control. In Proceedings of the 18th Australasian Database Conference (ADC'07). James Bailey and Alan Fekete (Eds.), 23--32. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. V. Atluri and W. K. Huang. 1996. An authorization model for workflows. In Proceedings of the 4th European Symposium on Research in Computer Security (ESORICS'96). Lecture Notes in Computer Science, vol. 1146, Springer, Berlin/Heidelberg, 44--64. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. E. Bertino, E. Ferrari, and V. Atluri. 1999. The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2, 1 (1999), 65--104. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. P. A. Bonatti, E. Damiani, S. de Capitani di Vimercati, and P. Samarati. 2001. A component-based architecture for secure data publication. In Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC'01). 309--318. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. M. Bratman. 1987. Intention, Plans, and Practical Reason. Harvard University Press.Google ScholarGoogle Scholar
  7. T. D. Breaux and A. I. Antón. 2005. Deriving semantic models from privacy policies. In Proceedings of the 6th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'05). 67--76. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. J. W. Byun, E. Bertino, and N. Li. 2005. Purpose-based access control of complex data for privacy protection. In Proceedings of the 10th ACM Symposium on Access Control Models and Technologies (SACMAT'05). ACM, 102--110. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. J. W. Byun and N. Li. 2008. Purpose-based access control for privacy protection in relational database systems. VLDB J. 17 (2008), 603--619. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. W. Cheung and Y. Gil. 2007. Towards privacy aware data analysis workflows for e-Science. In Proceedings of the Workshop on Semantic e-Science (SeS'07). 17--25.Google ScholarGoogle Scholar
  11. K. Connor. 2012. HL7 Harmonization Proposal July 2012 Security WG Purpose of Use. http://wiki.hl7.org/index.php?title=HL7_Security_Document_Library.Google ScholarGoogle Scholar
  12. J. Crampton. 2005. A reference monitor for workflow systems with constrained task execution. In Proceedings of the 10th ACM Symposium on Access Control Models and Technologies (SACMAT'05). 38--47. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. J. Crampton and H. Khambhammettu. 2008. Delegation and satisfiability in workflow systems. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies (SACMAT'08). 31--40. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. C. Desmarais, X. Shen, S. Shirmohammadi, A. Cameron, N. D. Georganas, and I. Kerr. 2007. PLUTO -- A privacy control protocol for e-Commerce communities. In Proceedings of the 4th IEEE International Conference on Enterprise Computing, E-Commerce and E-Services (CEC). 349--256.Google ScholarGoogle Scholar
  15. L. L. Dimitropoulos. 2006. Privacy and security solutions for interoperable health information exchange. http://www.rti.org/pubs/nationwide_summary.pdf.Google ScholarGoogle Scholar
  16. C. A. Ellis and G. J. Nutt. 1993. Modeling and enactment of workflow systems. In Proceedings of the 14th International Conference on Application and Theory of Petri Nets. Lecture Notes in Computer Science, vol. 691, Springer, Berlin/Heidelberg, 1--16. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. J. Fan, K. Barker, B. Porter, and P. Clark. 2001. Representing roles and purpose. In Proceedings of the 1st International Conference on Knowledge Capture (K-CAP'01). 38--43. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. S. Fischer-Hübner. 2001. IT-Security and Privacy: Design and Use of Privacy-Enhancing Security Mechanisms, Chapter 5: A task-based privacy model. Springer, Berlin.Google ScholarGoogle Scholar
  19. J. H. Gallier. 1985. Logic for Computer Science: Foundations of Automatic Theorem Proving. Harper & Row Publishers, Inc., New York, NY. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. H. Haygood, Q. He, S. Smith, and J. Snare. 2003. A privacy-aware database interface. Technical Report TR-2003-05, North Carolina State University. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Q. He. 2003. Privacy enforcement with an extended role-based access control model. Technical Report TR-2003-09, North Carolina State University. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Q. He and A. I. Antón. 2003. A framework for modeling privacy requirements in role engineering. In Proceedings of the International Workshop on Requirements Engineering. 115--124.Google ScholarGoogle Scholar
  23. M. Hilty, D. Basin, and A. Pretschner. 2005. On obligations. In Proceedings of the 10th European Symposium on Research in Computer Security (ESORICS'05). 98--117. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. D. Hollingsworth. 1995. The workflow reference model. Technical Report TC00-1003, Workflow Management Coalition.Google ScholarGoogle Scholar
  25. M. Huth and M. Ryan. 2004. Logic in Computer Science: Modelling and Reasoning about Systems. Cambridge University Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. IBM. 2003. The Enterprise Privacy Authorization Language (EPAL 1.1). IBM.Google ScholarGoogle Scholar
  27. IHTSDO. 2012. SNOMED CT, Systematized Nomenclature of Medicine-Clinical Terms. IHTSDO, International Health Terminology Standards Development Organisation. http://www.ihtsdo.org/snomed-ct/.Google ScholarGoogle Scholar
  28. K. Irwin, T. Yu, and W. H. Winsborough. 2006. On the modeling and analysis of obligations. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS'06). 134--143. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. ISO. 2011. ISO/TS 14265:2011 Health Informatics - Classification of Purposes for Processing Personal Health Information. ISO, International Organization for Standardization.Google ScholarGoogle Scholar
  30. ISO. 2009. Data Exchange Standards -- HL7 Clinical Document Architecture, Release 2. ISO/HL7 27932:2009. ISO, International Organization for Standardization.Google ScholarGoogle Scholar
  31. ISO. 2003. HL7 Reference Information Model, ANSI/HL7 V3 RIM, R1-2003. ISO, International Organization for Standardization.Google ScholarGoogle Scholar
  32. M. Jafari, Jörg Denzinger, R. Safavi-Naini, and K. Barker. 2013a. A workflow authorization framework for enforcing purpose-based privacy policies. Technical Report 2013-1046-13, University of Calgary.Google ScholarGoogle Scholar
  33. M. Jafari, P. W. L. Fong, R. Safavi-Naini, and K. Barker. 2013b. A framework for expressing and enforcing purpose-based privacy policies. Technical Report 2013-1037-04, University of Calgary.Google ScholarGoogle Scholar
  34. M. Jafari, P. W. L. Fong, R. Safavi-Naini, K. Barker, and N. P. Sheppard. 2011. Towards defining semantic foundations for purpose-based privacy policies. In Proceedings of the 1st ACM Conference on Data and Application Security and Privacy (CODASPY'11). ACM, 213--224. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. M. Jafari, R. Safavi-Naini, C. Saunders, and N. P. Sheppard. 2010. Using digital rights management for securing data in a medical research environment. In Proceedings of the 19th Annual ACM Workshop on Digital Rights Management (DRM'10). ACM, 55--60. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. M. Jafari, R. Safavi-Naini, and N. P. Sheppard. 2009. Enforcing purpose of use via workflows. In Proceedings of the 8th ACM Workshop on Privacy in the Electronic Society (WPES'09). ACM, 113--116. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. M. Jawad, P. S. Alvaredo, and P. Valduriez. 2008. Design of PriServ, a privacy service for DHTs. In Proceedings of the International Workshop on Privacy and Anonymity in the Information Society. 21--26. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. T. Jensen, D. Le Metayer, and T. Thorn. 1999. Verification of control flow based security properties. In Proceedings of the IEEE Symposium on Security and Privacy. 89--103.Google ScholarGoogle Scholar
  39. M. E. Kabir, H. Wang, and E. Bertino. 2012. A role-involved purpose-based access control model. Inform. Syst. Frontiers 14 (2012), 3, 809--822. Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. S. Kripke. 1963. Semantical considerations on modal logic. Acta Philosophica Fennica 16, 1963 (1963), 83--94.Google ScholarGoogle Scholar
  41. N. Lohmann, E. Verbeek, and R. Dijkman. 2009. Petri net transformations for business processes—A survey. In Transactions on Petri Nets and Other Models of Concurrency II. Lecture Notes in Computer Science, vol. 5460, Springer, Berlin/Heidelberg, 46--63. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. A. Masoumzadeh and J. B. D. Joshi. 2008. PuRBAC: Purpose-aware role-based access control. In On the Move to Meaningful Internet Systems, Part II, Lecture Notes in Computer Science, vol. 5332, Springer, Berlin, 1104--1121. Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. NCI. 2012. NCI Thesaurus v.12.04e. http://nciterms.nci.nih.gov. NCI.Google ScholarGoogle Scholar
  44. OASIS. 2013. eXtensible Access Control Markup Language (XACML) Version 3.0. OASIS.Google ScholarGoogle Scholar
  45. OASIS. 2005. Privacy Policy Profile of XACML v2.0. OASIS.Google ScholarGoogle Scholar
  46. OASIS. 2009. Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of Security Assertion Markup Language (SAML) for Healthcare, Version 1.0. OASIS.Google ScholarGoogle Scholar
  47. OECD. 1980. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. OECD.Google ScholarGoogle Scholar
  48. H. Peng, J. Gu, and X. Ye. 2008. Dynamic purpose-based access control. In Proceedings of the International Symposium on Parallel and Distributed Processing with Applications. 695--700. Google ScholarGoogle ScholarDigital LibraryDigital Library
  49. J. L. Peterson. 1977. Petri nets. ACM Comput. Surv. 9, 3 (1977), 223--252. Google ScholarGoogle ScholarDigital LibraryDigital Library
  50. C. S. Powers, P. Ashley, and M. Schunter. 2002. Privacy promises, access control, and privacy management. In Proceedings of the 3rd International Symposium on Electronic Commerce (ISEC'02). IEEE Computer Society, 13--21. Google ScholarGoogle ScholarDigital LibraryDigital Library
  51. S. J. Russell and P. Norvig. 2009. Artificial Intelligence: A Modern Approach (3rd. Ed.). Prentice Hall. Google ScholarGoogle ScholarDigital LibraryDigital Library
  52. L. Torre. 2012. Logics for security and privacy. In Proceedings of the 26th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy XXVI. Lecture Notes and Computer Science, vol. 7371, Springer, Berlin/Heidelberg, 1--7. Google ScholarGoogle ScholarDigital LibraryDigital Library
  53. M. C. Tschantz, A. Datta, and J. M. Wing. 2012. Formalizing and enforcing purpose restrictions in privacy policies. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 176--190. Google ScholarGoogle ScholarDigital LibraryDigital Library
  54. W. M. P. van der Aalst and A. H. M. ter Hofstede. 2002. Workflow patterns: On the expressive power of (Petri-net based) workflow languages. In Proceedings of the 4th International Workshop on Practical Use of Coloured Petri Nets and the CPN Tools (CPN'02). 1--20.Google ScholarGoogle Scholar
  55. W. M. P. van der Aalst and A. H. M. ter Hofstede. 2005. YAWL: Yet another workflow language. J. Inform. Syst. 30, 4 (2005), 245--275. Google ScholarGoogle ScholarDigital LibraryDigital Library
  56. W. M. P. van der Aalst, A. H. M. ter Hofstede, B. Kiepuszewski, and A. P. Barros. 2003. Workflow patterns. Distrib.Parallel Datab. 14 (2003), 1, 5--51. Google ScholarGoogle ScholarDigital LibraryDigital Library
  57. W. M. P. van der Aalst, K. M. van Hee, and G. J. Houben. 1994. Modelling workflow management systems with high-level Petri nets. In Proceedings of the 2nd Workshop on Computer-Supported Cooperative Work, Petri Nets and Related Formalisms. 31--50.Google ScholarGoogle Scholar
  58. W. van Staden and M. S. Olivier. 2005. Purpose organisation. In Proceedings of the 5th Annual Information Security South Africa Conference (ISSA'05).Google ScholarGoogle Scholar
  59. W. van Staden and M. S. Olivier. 2006. Extending SQL to allow the active usage of purposes. In Proceedings of the 3rd International Conference on Trust, Privacy and Security in Digital Business. Lecture Notes in Computer Science, vol. 4083, Springer, Berlin/Heidelberg, 123--131. Google ScholarGoogle ScholarDigital LibraryDigital Library
  60. W. van Staden and M. S. Olivier. 2007. Using purpose lattices to facilitate customisation of privacy agreements. In Proceedings of the 4th International Conference on Trust, Privacy and Security in Digital Business. Lecture Notes in Computer Science, vol. 4657, Springer, Berlin/Heidelberg, 201--209. Google ScholarGoogle ScholarDigital LibraryDigital Library
  61. W3C. 2006. The Platform for Privacy Preferences 1.1 (P3P1.1) Specification. W3C.Google ScholarGoogle Scholar
  62. G. Winskel. 1993. Formal Semantics of Programming Languages. The MIT Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  63. N. Yang, H. Barringer, and N. Zhang. 2007. A purpose-based access control model. In Proceedings of the International Symposium on Information Assurance and Security. 143--148. Google ScholarGoogle ScholarDigital LibraryDigital Library
  64. M. Yasuda, T. Tachikawa, and M. Takizawa. 1998. A purpose-oriented access control model. In Proceedings of the 12th International Conference on Information Networking. 168--173. Google ScholarGoogle ScholarDigital LibraryDigital Library
  65. G. Zhan, Z. Li, X. Ye, and J. Wang. 2006. Privacy preservation and protection by extending generalized partial indices. In Proceedings of the British National Conference on Databases. 102--114. Google ScholarGoogle ScholarDigital LibraryDigital Library

Published in

ACM Transactions on Information and System Security, Volume 17, Issue 1 (August 2014), 118 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2660572
Editor: Gene Tsudik

Copyright © 2014 ACM
Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

  • Published: 15 August 2014
  • Accepted: 1 April 2014
  • Revised: 1 September 2013
  • Received: 1 February 2013
