Team for Research in Ubiquitous Secure Technology

Formalizing and Enforcing Purpose Restrictions in Privacy Policies
Michael Tschantz, Anupam Datta, Jeanette Wing

Citation
Michael Tschantz, Anupam Datta, Jeanette Wing. "Formalizing and Enforcing Purpose Restrictions in Privacy Policies". Proceedings of 33rd IEEE Symposium on Security and Privacy, IEEE, May, 2012.

Abstract
Privacy policies often place restrictions on the purposes for which a governed entity may use personal information. For example, regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), require that hospital employees use medical information for only certain purposes, such as treatment, but not for others, such as gossip. Thus, using formal or automated methods for enforcing privacy policies requires a semantics of purpose restrictions to determine whether an action is for a purpose or not. We provide such a semantics using a formalism based on planning. We model planning using a modified version of Markov Decision Processes (MDPs), which exclude redundant actions for a formal definition of redundant. We argue that an action is for a purpose if and only if the action is part of a plan for optimizing the satisfaction of that purpose under the MDP model. We use this formalization to define when a sequence of actions is only for or not for a purpose. This semantics enables us to create and implement an algorithm for automating auditing, and to describe formally and compare rigorously previous enforcement methods. To validate our semantics, we conduct a survey to compare our semantics to how people commonly understand the word “purpose”.
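
The following is an added worked example, not code from the paper or from the TRUST site, showing the planning-based reading of "for a purpose" that the abstract sketches: a small hospital MDP in which only reaching a treated patient rewards the purpose "treatment", redundant actions are pruned from the model, value iteration finds the optimal plan, and an action at a state counts as for the purpose exactly when it belongs to that optimal plan. The states, actions, transition probabilities, rewards, discount factor, per-action cost and the self-loop test used for redundancy are all constructed assumptions for the illustration; the paper's own formal definitions of redundancy and of purpose satisfaction may differ.

```python
"""Toy planning-based semantics for "action a is for purpose p".

Illustration of the abstract's idea (not the authors' code): the agent is
modelled as planning in an MDP whose reward measures how well the purpose
is satisfied; redundant actions are dropped; an action is "for" the
purpose iff it lies in an optimal plan. Every number below is assumed.
"""

GAMMA = 0.95        # discount factor (assumed)
ACTION_COST = 1.0   # each action costs 1 so optimal plans take no detours (assumed)

# Constructed hospital scenario. TRANSITIONS[state][action] is a list of
# (probability, next_state). Only reaching "treated" satisfies the purpose
# "treatment"; gossip ("share_with_friend") and idling never do.
TRANSITIONS = {
    "start": {
        "read_record": [(1.0, "record_read")],
        "share_with_friend": [(1.0, "start")],
        "idle": [(1.0, "start")],
    },
    "record_read": {
        "order_test": [(0.8, "diagnosed"), (0.2, "record_read")],
        "read_record": [(1.0, "record_read")],
        "share_with_friend": [(1.0, "record_read")],
        "idle": [(1.0, "record_read")],
    },
    "diagnosed": {
        "prescribe": [(1.0, "treated")],
        "share_with_friend": [(1.0, "diagnosed")],
        "idle": [(1.0, "diagnosed")],
    },
    "treated": {},  # terminal: the purpose has been achieved
}
PURPOSE_REWARD = {"treated": 10.0}  # assumed degree of purpose satisfaction


def reward(next_state):
    """Reward of a transition: purpose satisfaction gained minus the action cost."""
    return PURPOSE_REWARD.get(next_state, 0.0) - ACTION_COST


def is_redundant(state, action):
    """Simplified redundancy (assumption): no outcome can change the state or earn purpose reward."""
    return all(s2 == state and s2 not in PURPOSE_REWARD
               for _, s2 in TRANSITIONS[state][action])


def pruned_model():
    """The 'modified MDP' of the abstract: the same model with redundant actions removed."""
    return {s: {a: outs for a, outs in acts.items() if not is_redundant(s, a)}
            for s, acts in TRANSITIONS.items()}


def value_iteration(model, tol=1e-10):
    """Standard value iteration; returns (V, Q) for the given model."""
    v = {s: 0.0 for s in model}
    while True:
        q = {s: {a: sum(p * (reward(s2) + GAMMA * v[s2]) for p, s2 in outs)
                 for a, outs in acts.items()}
             for s, acts in model.items()}
        new_v = {s: (max(q[s].values()) if q[s] else 0.0) for s in model}
        delta = max(abs(new_v[s] - v[s]) for s in model)
        v = new_v
        if delta < tol:
            return v, q


def actions_for_purpose(state, eps=1e-9):
    """Actions at `state` that belong to some optimal plan, i.e. are 'for' the purpose."""
    v, q = value_iteration(pruned_model())
    return {a for a, val in q[state].items() if abs(val - v[state]) <= eps}


def audit(trace):
    """Return the (state, action) steps of an observed trace that are NOT for the purpose."""
    return [(s, a) for s, a in trace if a not in actions_for_purpose(s)]


def only_for_purpose(trace):
    """True iff every action in the trace is for the purpose (the abstract's 'only for')."""
    return not audit(trace)


if __name__ == "__main__":
    # Constructed audit log: one gossip step inside an otherwise legitimate treatment episode.
    log = [("start", "read_record"), ("record_read", "share_with_friend"),
           ("record_read", "order_test"), ("diagnosed", "prescribe")]
    print("steps not for treatment:", audit(log))
```

Running the block audits the constructed four-step log and reports the gossip step (share_with_friend in state record_read) as the only action not for treatment; the read, test and prescribe steps are accepted because each is the optimal action at its state. One consequence of this semantics that an auditor should keep in mind: a well-intentioned but suboptimal action is also flagged, because "for a purpose" here means membership in an optimizing plan, not mere relevance to the purpose.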

Citation formats  
  • HTML
    Michael Tschantz, Anupam Datta, Jeanette Wing. <a
    href="http://www.truststc.org/pubs/837.html"
    >Formalizing and Enforcing Purpose Restrictions in
    Privacy Policies</a>, Proceedings of 33rd IEEE
    Symposium on Security and Privacy, IEEE, May, 2012.
  • Plain text
    Michael Tschantz, Anupam Datta, Jeanette Wing.
    "Formalizing and Enforcing Purpose Restrictions in
    Privacy Policies". Proceedings of 33rd IEEE Symposium
    on Security and Privacy, IEEE, May, 2012.
  • BibTeX
    @inproceedings{TschantzDattaWing12_FormalizingEnforcingPurposeRestrictionsInPrivacyPolicies,
        author = {Michael Tschantz and Anupam Datta and Jeanette Wing},
        title = {Formalizing and Enforcing Purpose Restrictions in
                  Privacy Policies},
        booktitle = {Proceedings of 33rd IEEE Symposium on Security and
                  Privacy},
        organization = {IEEE},
        month = {May},
        year = {2012},
        abstract = {Privacy policies often place restrictions on the
                  purposes for which a governed entity may use
                  personal information. For example, regulations,
                  such as the Health Insurance Portability and
                  Accountability Act (HIPAA), require that hospital
                  employees use medical information for only certain
                  purposes, such as treatment, but not for others,
                  such as gossip. Thus, using formal or automated
                  methods for enforcing privacy policies requires a
                  semantics of purpose restrictions to determine
                  whether an action is for a purpose or not. We
                  provide such a semantics using a formalism based
                  on planning. We model planning using a modified
                  version of Markov Decision Processes (MDPs), which
                  exclude redundant actions for a formal definition
                  of redundant. We argue that an action is for a
                  purpose if and only if the action is part of a
                  plan for optimizing the satisfaction of that
                  purpose under the MDP model. We use this
                  formalization to define when a sequence of actions
                  is only for or not for a purpose. This semantics
                  enables us to create and implement an algorithm
                  for automating auditing, and to describe formally
                  and compare rigorously previous enforcement
                  methods. To validate our semantics, we conduct a
                  survey to compare our semantics to how people
                  commonly understand the word ``purpose''. },
        URL = {http://www.truststc.org/pubs/837.html}
    }
    

Posted by Mary Stewart on 4 Apr 2012.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.