contextual integrity & its logical formalization
DESCRIPTION
18739A: Foundations of Security and Privacy. Contextual Integrity & its Logical Formalization. Anupam Datta Fall 2009. Privacy in Organizations. Huge amount of personal information available to various organizations - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/1.jpg)
Contextual Integrity & its Logical Formalization
18739A: Foundations of Security and Privacy
Anupam DattaFall 2009
![Page 2: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/2.jpg)
Privacy in Organizations
2
Huge amount of personal information available to various organizations Hospitals, financial institutions, websites, universities, census
bureau, social networks… Information shared within and across organizational
boundaries to enable useful tasks to be completed Personal health information has to be shared to enable
diagnosis, treatment, billing, …
Fundamental Question: Do organizational processes respect privacy expectations while
achieving purpose?
![Page 3: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/3.jpg)
Approach
What is Privacy?
Express and Enforce Privacy Policies
Contextual Integrity (CI):- Transfer of personal information governed by contextual norms
Logic of Privacy and Utility:- Formalization of CI; automated methods for checking compliance with privacy regulations (HIPAA, GLBA, COPPA,…)
![Page 4: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/4.jpg)
Contextual Integrity [Nissenbaum 2004] Philosophical framework for privacy Central concept: Context
Examples: Healthcare, banking, education What is a context?
Set of interacting agents in roles Roles in healthcare: doctor, patient, …
Informational norms Doctors should share patient health information as per the
HIPAA rules Norms have a specific structure (descriptive theory) Systematic method at arriving at contextual norms
(prescriptive theory) Purpose
Improve health Some interactions should happen - patients should share
personal health information with doctors
![Page 5: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/5.jpg)
Outline
1. Motivating Example2. Framework
Model Logic of Privacy and Utility
3. Workflows and Responsibility4. Algorithmic Results
Workflow Design assuming agents responsible
Auditing logs when agents irresponsible
5. Summary
![Page 6: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/6.jpg)
MyHealth@Vanderbilt++ Workflow
Health Answer
Health Answer
Health Question
Appointment R
equest
Health Question
Now that I have cancer,Should I eat more vegetables?
HealthQuestion
Yes! except broccoli
HealthAnswer
Humans + Electronic system
Secretary
Nurse
DoctorPatien
t
![Page 7: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/7.jpg)
Outline
1. Motivating Example2. Framework
Model Logic of Privacy and Utility
3. Workflows and Responsibility4. Algorithmic Results
Workflow Design assuming agents responsible
Auditing logs when agents irresponsible
5. Conclusions
![Page 8: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/8.jpg)
Informational Norms
“In a context, the flow of information of a certain type about a subject (acting in a particular capacity/role) from one actor (could be the subject) to another actor (in a particular capacity/role) is governed by a particular transmission principle.”
Contextual Integrity [Nis2004]
![Page 9: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/9.jpg)
Model
Alice
Communication via send actions: Sender: Bob in role Patient Recipient: Alice in role Nurse Subject of message: Bob Tag: Health Question Message: Now that ….
Data model & knowledge evolution: Agents acquire knowledge by:
receiving messages deriving additional attributes based on data model
Health Question Protected Health Information
BobNow that I have cancer,Should I eat more vegetables?
HealthQuestion
contents(msg) vs. tags (msg)
![Page 10: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/10.jpg)
Model
State determined by knowledge of each agent
Transitions change state Set of concurrent
send actions Send(p,q,m)
possible only if agent p knows m
K0
K13
K11
......
K12
A11
A12
A13
Concurrent Game Structure
G = <k, Q, , , d, >
[Barth,Datta,Mitchell,Sundaram 2007]
![Page 11: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/11.jpg)
Logic of Privacy and Utility
Syntax ::= send(p1,p2,m) p1 sends p2 message m
| contains(m, q, t) m contains attrib t about q
| tagged(m, q, t) m tagged attrib t about q
| inrole(p, r) p is active in role r | t t’ Attrib t is part of attrib t’ | | | x. Classical operators | U | S | O Temporal
operators | <<p>> Strategy quantifier
SemanticsFormulas interpreted over concurrent game structure
![Page 12: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/12.jpg)
Informational Norms
“In a context, the flow of information of a certain type about a subject (acting in a particular capacity/role) from one actor (could be the subject) to another actor (in a particular capacity/role) is governed by a particular transmission principle.”
Contextual Integrity [Nis2004]
![Page 13: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/13.jpg)
13
Privacy Regulation Example (GLB Act)
Financial institutions must notify consumers if they share their non-public personal information with non-affiliated companies, but the notification may occur either before or after the information sharing occurs
Exactly as CI says!
Sender role Subject role
Attribute
Recipient role
Transmission principle
![Page 14: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/14.jpg)
Structure of Privacy Rules
Allow message transmission if:
•at least one positive norm is satisfied; and
•all negative norms are satisfied
[Barth,Datta,Mitchell,Nissenbaum 2006]
![Page 15: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/15.jpg)
HIPAA – Healthcare Privacy
•HIPAA consists primarily of positive norms: share phi if some rule explicitly allows it (2), (3), (5), (6)
•Exception: negative norm about psychotherapy notes (4)
![Page 16: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/16.jpg)
COPPA – Children Online Privacy
•COPPA consists primarily of negative norms
•children can share their protected info only if parents consent (7) (condition)
•(8) (obligation – future requirements)
![Page 17: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/17.jpg)
Specifying Privacy
MyHealth@Vanderbilt
In all states, only nurses and doctors receive health questions
G p1, p2, q, m send(p1, p2, m) contains(m, q, health-
question) inrole(p2, nurse) inrole(p2, doctor)
![Page 18: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/18.jpg)
Specifying Utility MyHealth@Vanderbilt
Patients have a strategy to get their health questions answered
p inrole(p, patient) <<p>> F q, m.
send(q, p, m) contains(m, p, health-answer)
![Page 19: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/19.jpg)
Outline1. Motivating Example2. Framework
Model Logic of Privacy and Utility
3. Workflows and Responsibility4. Algorithmic Results
Workflow Design assuming agents responsible
Auditing logs when agents irresponsible
5. Conclusions
6. Differentially Private Workflows (WIP)
![Page 20: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/20.jpg)
Nurse
Secretary
MyHealth@Vanderbilt Improved
Patient
Doctor
Health Answer
Health Answer
Health Question
Appointment R
equest
Health Question
Now that I have cancer,Should I eat more vegetables?
HealthQuestion
Yes! except broccoli
HealthAnswer
Assign responsibilities to roles & workflow engine
Doctor should answer health questions
![Page 21: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/21.jpg)
Graph-based Workflow
Graph (R, R x R), where R is the set of roles
Edge-labeling function permit: R x R 2T, where T is the set of attributes
Responsibility of workflow engineAllow msg from role r1 to role r2 iff tags(msg) permit(r1, r2)
Responsibility of human agents in rolesTagging responsibilities
ensure messages are correctly taggedProgress responsibilities
ensure messages proceed through workflow
![Page 22: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/22.jpg)
MyHealth Responsibilities Tagging
Nurses should tag health questionsG p, q, s, m. inrole(p, nurse) send(p, q, m)
contains(m, s, health-question) tagged(m, s, health-question)
Progress Doctors should answer health questions
G p, q, s, m. inrole(p, doctor) send(q, p, m) contains(m, s, health-question)
F m’. send(p, s, m’) contains(m’, s, health-answer)
![Page 23: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/23.jpg)
Abstract Workflow Responsibility of workflow engine
LTL formula Feasible (enforceable) if is a safety formula
without the contains() predicate
Responsibility of each role r LTL formula r
Feasible if agents have a strategy to discharge their responsibilities
p. inrole(p, r) <<p>> r
Graph-based workflows are a special case
![Page 24: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/24.jpg)
Outline1. Motivating Example2. Framework
Model Logic of Privacy and Utility
3. Workflows and Responsibility4. Algorithmic Results
Workflow Design assuming agents responsible
Abstract workflows Auditing logs when agents irresponsible
Only graph-based workflows
5. Conclusions
![Page 25: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/25.jpg)
Workflow Design Results Theorems:
Assuming all agents act responsibly, checking whether workflow achieves
Privacy is in PSPACE (in the size of the formula describing the workflow)
Utility is decidable
Algorithms implemented in model-checkers, e.g. SPIN, MOCHA
Potential for small model theorems
![Page 26: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/26.jpg)
Outline1. Motivating Example2. Framework
Model Logic of Privacy and Utility
3. Workflows and Responsibility4. Algorithmic Results
Workflow Design assuming agents responsible
Abstract workflows Auditing logs when agents irresponsible
Only graph-based workflows
5. Summary
![Page 27: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/27.jpg)
Auditing Results: Summary
Definitions Accountability = Causality + Irresponsibility
Design of audit log Captures causality relation
Algorithm Finding agents accountable for policy violation
in graph-based workflows using audit log Algorithm uses oracle:
O(msg) = contents(msg)
![Page 28: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/28.jpg)
Policy compliance/violation
Strong compliance [BDMN2006, BDMS 2007] Action does not violate current policy requirements Future policy requirements after action can be met Formally,
Policy
History
Contemplated ActionJudgment
Future Reqs
![Page 29: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/29.jpg)
Local Compliance
Locally compliant policy Agents can determine strong compliance based on
their local view of history
![Page 30: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/30.jpg)
Causality Lamport Causality [1978]
![Page 31: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/31.jpg)
Accountability & Audit Log Accountability
Causality + Irresponsibility Audit log design
Records all Send(p,q,m) and Receive(p,q,m) events executed
Maintains causality structure O(1) operation per event logged
![Page 32: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/32.jpg)
Auditing Algorithm
![Page 33: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/33.jpg)
Central Lemma
![Page 34: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/34.jpg)
Main Theorem
![Page 35: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/35.jpg)
MyHealth Example
1. Policy violation: Secretary Candy receives health-question
mistagged as appointment-request
2. Construct causality graph G and search backwards using BFS
Candy received message m from Patient Jorge.
O(m) = health-question, but tags(m) = appointment-request.
Patient responsible for health-question tag. Jorge identified as accountable
![Page 36: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/36.jpg)
Summary
1. Framework Concurrent game model Logic of Privacy and Utility
Temporal logic (LTL, ATL*)
2. Organizational Process as Workflow Role-based responsibility for human and
mechanical agents
3. Algorithmic Results Workflow design assuming agents
responsible Privacy, utility decidable (model-checking)
Auditing logs when agents irresponsible From policy violation to accountable agents
Using oracle
Automated
![Page 37: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/37.jpg)
Thanks
Questions?
![Page 38: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/38.jpg)
![Page 39: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/39.jpg)
Deciding Privacy PLTL model-checking problem is PSPACE
decidable
G |= tags-correct U agents-responsible privacy-policy
G: concurrent game structure
Result applies to finite models (#agents, msgs,…)
![Page 40: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/40.jpg)
Deciding Utility ATL* model-checking of concurrent game
structures is Decidable with perfect information Undecidable with imperfect information
Theorem:There is a sound decision procedure for deciding
whether workflow achieves utility
Intuition: Translate imperfect information into perfect
information by considering possible actions from one player’s point of view
![Page 41: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/41.jpg)
Local communication game Quotient structure under invisible actions, Gp
States:Smallest equivalence relation K1 ~p K2 if K1 K2 and a is invisible to p
Actions:[K] [K’] if there exists K1 in [K] and K2 in [K’] s.t. K1 K2
Lemma: For all LTL formulas visible to p, Gp |= <<p>> implies G |= <<p>>
The truth value of formulas visible to p depends only on actions that p can observe, e.g. send (*, p, *), send(p, *, *)Locality again!
![Page 42: Contextual Integrity & its Logical Formalization](https://reader035.vdocument.in/reader035/viewer/2022062409/56814664550346895db38516/html5/thumbnails/42.jpg)
Related Languages
Model Sender Recipient Subject Attributes Past FutureCombinatio
n
RBAC Role Identity
XACML Flexible Flexible Flexible o o
EPAL Fixed Role Fixed o
P3P Fixed Role Fixed o o
LPU Role Role Role
Legend: unsupportedo partially supported fully supported
LPU fully supports attributes, combination, temporal conditions, and utility