Formalizing and Enforcing Purpose Restrictions in Privacy Policies
Source slides: course.ece.cmu.edu/~ece734/lectures/3-purpose.pdf

Page 1
Formalizing and Enforcing Purpose Restrictions in Privacy Policies
Giulia Fanti
Based on slides by Anupam Datta
Carnegie Mellon University
18734: Foundations of Privacy
Fall 2019
Page 2
Administrative
- HW1 due on Friday at 12:20 pm ET/9:20 am PT
  - Submit on Gradescope
  - DON'T FORGET to associate problems with your answers
- Recitation on Friday at 12:30 pm ET/9:30 am PT
  - Tutorial on using Docker by Sruti
    - Tool for creating/using containers
    - Will be used on HW2 (to be released early next week)
Page 3
Last class assignment: Read HIPAA
- Think about at least these questions:
  - What are the common concepts in the 80+ clauses of the privacy rule?
  - How would you categorize the clauses?
  - How are the clauses combined to form the entire rule?
- Discussion
Page 4
Detecting Policy Violations
[Diagram: a Privacy Policy is turned into a Computer-readable privacy policy; together with the Organizational audit log it is the input to an Audit that detects policy violations. Annotations: Complete formalization of HIPAA, GLBA; Automated audit for black-and-white policy concepts; Oracles to audit for grey policy concepts.]
Page 5
Purpose Restrictions in Privacy Policies
- "Yahoo!'s practice is not to use the content of messages […] for marketing purposes." (a "not for" restriction)
- "By providing your personal information, you give [Social Security Administration] consent to use the information only for the purpose for which it was collected." (an "only for" restriction)
Page 6
Purpose Restrictions are Ubiquitous
- OECD's Privacy Guidelines
- US Privacy Laws
  - HIPAA, GLBA, FERPA, COPPA, …
- EU Privacy Directive
- Organizational Privacy Policies
  - Google, Facebook, Yahoo, …
  - Hospitals, banks, educational institutions, govt
- Defense: Mission-based information access
Page 7
What might be the difficulties of auditing for purpose?
[Diagram repeated from page 4: Privacy Policy -> Computer-readable privacy policy; Organizational audit log; Audit -> Detect policy violations. Annotations: Complete formalization of HIPAA, GLBA; Automated audit for black-and-white policy concepts; Oracles to audit for grey policy concepts.]
Page 8
Formalizing and Enforcing Purpose Restrictions in Privacy Policies
M. C. Tschantz (CMU → Berkeley), Anupam Datta (CMU SV), J. M. Wing (CMU → MSR)
2012 IEEE Symposium on Security & Privacy
Page 9
Goal
- Give a semantics to
  - "Not for" purpose restrictions
  - "Only for" purpose restrictions
  that is parametric in the purpose
- Provide automated enforcement of purpose restrictions for that semantics
Page 10
Medical Record
Policy: Med records used only for diagnosis
[Diagram: from the state "X-ray taken", the action "Add x-ray" leads to "X-ray added", and from there "Send record" leads to "Diagnosis by specialist". A second "Send record" action (to a drug company) leads to "No diagnosis by drug company".]
Page 11
Tag actions with purpose
[Diagram repeated from page 10: "X-ray taken" -- Add x-ray --> "X-ray added" -- Send record --> "Diagnosis by specialist"; "Send record" to the drug company --> "No diagnosis by drug company".]
Page 12
[Diagram repeated from page 10, with the actions annotated "Not sufficient" and "Necessary and sufficient" (for the purpose of diagnosis).]
Page 13
[Diagram repeated from page 10, with the actions annotated "Not sufficient" and "Necessary action in sufficient sequence of actions".]
Page 14
[Diagram: the medical-record example with probabilities. After "Send record" from "X-ray added", the outcome is "Diagnosis by specialist" with probability 3/4 or "No diagnosis (by drug co. or specialist)" with probability 1/4 ("Specialist fails"). Annotations: Choice point; Best choice.]
Page 15
Planning
Thesis: An action is for a purpose iff that action is part of a plan for furthering the purpose, i.e., a plan that always makes the best choice for furthering the purpose.
Page 16
[Diagram: the medical-record example with rewards. "X-ray taken" (No reward) -- Add x-ray --> "X-ray added" (No reward) -- Send record --> "Diagnosis by specialist" (Reward!) with probability 3/4, or "No diagnosis" (No reward) with probability 1/4; "Send record" to the drug company also leads to "No diagnosis" (No reward).]
Page 17
Interlude
- Primer on Markov Decision Processes
Page 18
Markov Decision Process: States, actions, transitions, rewards
[Diagram repeated from page 16: states "X-ray taken", "X-ray added", "Diagnosis by specialist" (Reward!), "No diagnosis"; actions "Add x-ray" and "Send record"; transition probabilities 3/4 and 1/4.]
Page 19
Auditing
[Diagram: the inputs "Auditee's behavior", "Purpose restriction" and "Environment model" go into the auditor, whose output is one of Obeyed, Violated, Inconclusive.]
Page 20
[Example: the log [ , send record], audited against the restriction "Record only for diagnosis", gives the result Violated.]
Page 21
[Diagram: the MDP Solver computes the optimal actions for each state; for the log [ , send record] the auditor asks "Actions optimal?"; the answer is No, so the result is Violated. Annotations: Policy implications; "Record only for treatment".]
Page 22
Three steps
- Write MDP → Define environment
- Solve MDP to maximize reward (i.e., purpose expressed as a quantity)
- Check if actions are consistent with optimal strategy/strategies
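The three steps carried out on the medical-record example from the earlier slides, as an added example (not code from the lecture or from Tschantz, Datta and Wing). The states and the 3/4 vs 1/4 outcome of sending the record to the specialist come from the slides; the action names, the reward value (1 for a specialist diagnosis, 0 otherwise) and the discount factor are assumptions made here.

```python
# Added example: the three-step purpose audit on the medical-record MDP.
# Not code from the lecture or the paper. Action names, the reward value
# and GAMMA are assumptions; states and the 3/4 / 1/4 split are from the slides.

# Step 1: write the MDP (environment model).
# state -> action -> list of (probability, next_state); terminal states have no actions.
TRANSITIONS = {
    "x-ray taken": {
        "add x-ray": [(1.0, "x-ray added")],
        "send record to drug company": [(1.0, "no diagnosis")],
    },
    "x-ray added": {
        "send record to specialist": [(0.75, "diagnosis by specialist"),
                                      (0.25, "no diagnosis")],  # specialist fails 1/4
        "send record to drug company": [(1.0, "no diagnosis")],
    },
    "diagnosis by specialist": {},
    "no diagnosis": {},
}
# The purpose "diagnosis" expressed as a quantity (assumed values).
REWARD = {"diagnosis by specialist": 1.0}
GAMMA = 0.9


def q_values(state, value, transitions, reward, gamma):
    """Expected discounted reward of each action available in `state`."""
    return {a: sum(p * (reward.get(t, 0.0) + gamma * value[t]) for p, t in outs)
            for a, outs in transitions[state].items()}


def solve_mdp(transitions=TRANSITIONS, reward=REWARD, gamma=GAMMA, sweeps=100):
    """Step 2: value iteration; returns the set of optimal actions per state."""
    value = {s: 0.0 for s in transitions}
    for _ in range(sweeps):
        value = {s: (max(q_values(s, value, transitions, reward, gamma).values())
                     if acts else 0.0)
                 for s, acts in transitions.items()}
    optimal = {}
    for s, acts in transitions.items():
        if acts:
            q = q_values(s, value, transitions, reward, gamma)
            best = max(q.values())
            optimal[s] = {a for a, v in q.items() if abs(v - best) < 1e-9}
    return optimal


def audit(log, optimal):
    """Step 3: a log is a list of (state, action) pairs. Returns "violated" if any
    logged action is not optimal for the purpose; otherwise "inconclusive",
    since consistency with the optimal strategy does not by itself prove the
    actions were only for the purpose (the soundness theorem covers violations)."""
    for state, action in log:
        if action not in optimal.get(state, set()):
            return "violated"
    return "inconclusive"


if __name__ == "__main__":
    best = solve_mdp()
    print(best)
    print(audit([("x-ray taken", "add x-ray"),
                 ("x-ray added", "send record to specialist")], best))   # inconclusive
    print(audit([("x-ray taken", "add x-ray"),
                 ("x-ray added", "send record to drug company")], best))  # violated
```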
Page 23
No False Positives
- Theorem (Soundness): If the algorithm returns "violation", then the actions recorded in the log are not only for the purpose.
Page 24
What are some challenges in this approach?
- Defining the MDP
- Quantifying purpose
- Users may be trying to satisfy the purpose even if they are not acting to maximize it at all stages
- We may not be able to observe the exact state of our users!
Page 25
Purpose Restrictions on Information Use
M. C. Tschantz (CMU → Berkeley), Anupam Datta (CMU), J. M. Wing (CMU → MSR)
2013 European Symposium on Research in Computer Security
Page 29
Google's Privacy Policy
"When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health."
Page 30
Rewards from ads

| Ad shown | Depressed | Not Depressed |
|----------|-----------|---------------|
| Meds     | High      | Low           |
| Party    | Low       | High          |
Page 31
[Decision tree, depressed case: from "Depressed, Ad: None, Reward: None", "Show Meds ad" leads to "Depressed, Ad: Meds, Reward: High" and "Show Party ad" leads to "Depressed, Ad: Party, Reward: Low".]
Page 32
[Decision tree, not depressed case: from "Not Depressed, Ad: None, Reward: None", "Show Meds ad" leads to "Not Depressed, Ad: Meds, Reward: Low" and "Show Party ad" leads to "Not Depressed, Ad: Party, Reward: High".]
Page 33
[Both decision trees side by side. Depressed case: "Show Meds ad" -> Reward: High, "Show Party ad" -> Reward: Low. Not Depressed case: "Show Meds ad" -> Reward: Low, "Show Party ad" -> Reward: High.]
Page 34
[Both decision trees as on page 33, now with a "Lookup" action added in each case: the lookup reveals whether the user is Depressed or Not Depressed before an ad is shown.]
Page 35
[Both decision trees with the Lookup action; the rewards are now marked only where they are earned ("Reward!" on Meds in the Depressed case and on Party in the Not Depressed case). The Lookup observation is labelled "Depressed" in the depressed case and "Not Depressed" in the not depressed case.]
Page 36
[Belief update: the actions available are Lookup, Meds and Party. Initial beliefs: Depressed case 10%, Not Depressed case 90%. After Lookup observes "Depressed", the updated beliefs are Depressed case 100%, Not Depressed case 0%.]
Page 37
[Diagram repeated from page 35: both decision trees with the Lookup action, whose observation distinguishes "Depressed" from "Not Depressed".]
Page 38
[Both decision trees as on page 35, but every Lookup observation is now labelled "Depressed or Not Depressed": the two cases are made indistinguishable to the auditee.]
Page 39
[Belief update under the indistinguishable observation "Depressed or Not Depressed": initial beliefs Depressed case 10%, Not Depressed case 90%; after Lookup the updated beliefs are unchanged, Depressed case 10%, Not Depressed case 90%. The action shown afterwards is Party.]
Page 40
Auditing
[Diagram repeated from page 19: inputs "Purpose restriction", "Auditee's behavior" and "Environment model"; outputs Obeyed, Violated, Inconclusive.]
Page 41
Auditing
[Diagram: the same auditor, with the inputs now instantiated as an "Equivalence over observations" (the restriction), a "List of beliefs, actions, and observations" (the auditee's behavior) and a "POMDP" (the environment model); outputs Obeyed, Violated, Inconclusive.]
Page 42
Auditing
[Example: the restriction "Depressed ≡ Not Depressed" and the log [ , lookup, depressed, meds] are audited against the POMDP; outputs Obeyed, Violated, Inconclusive.]
Page 43
Ignorance Simulator
[Diagram: the equivalence "Depressed ≡ Not Depressed" is fed to a POMDP Solver, which computes the "Optimal actions ignoring health"; the auditor asks "Actions optimal?" for the log [ , lookup, depressed, meds]; the answer is No.]
Page 44
Implications
- The actions were not for the purpose of marketing without using health data
  - Violates: "marketing without using health data"
- Either (1) used health data for marketing or (2) performed actions for some other purpose
  - In case (1) violates: "health data not for marketing"
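The belief update and the ignorance simulator from the tailored-ads slides, as an added example (not code from the lecture or from Tschantz, Datta and Wing). The two health states, the 10%/90% prior, the lookup action and the High/Low reward table are from the slides; the numeric values High = 1 and Low = 0 are assumptions made here.

```python
# Added example: belief tracking and the "ignorance simulator" for the
# tailored-ads POMDP. Not code from the lecture or the paper. High = 1 and
# Low = 0 are assumed values; states, prior, lookup and the table are from the slides.

PRIOR = {"depressed": 0.10, "not depressed": 0.90}   # initial beliefs
REWARD = {                                            # "Rewards from ads" table
    "meds":  {"depressed": 1.0, "not depressed": 0.0},
    "party": {"depressed": 0.0, "not depressed": 1.0},
}


def update_belief(belief, observation):
    """Update after a lookup that reveals the health state exactly: all
    probability mass moves to the observed state (10%/90% -> 100%/0%)."""
    if observation is None:
        return dict(belief)
    return {state: (1.0 if state == observation else 0.0) for state in belief}


def ignore_health(belief, observation):
    """Ignorance simulator: 'depressed' and 'not depressed' are treated as the
    same observation, so a lookup teaches nothing and the belief stays 10%/90%."""
    return dict(belief)


def expected_reward(ad, belief):
    return sum(belief[s] * REWARD[ad][s] for s in belief)


def optimal_ads(belief):
    """Ads that maximize expected marketing reward under the given belief."""
    scores = {ad: expected_reward(ad, belief) for ad in REWARD}
    best = max(scores.values())
    return {ad for ad, v in scores.items() if abs(v - best) < 1e-9}


def audit(log, prior=PRIOR, belief_update=ignore_health):
    """log: list of (action, observation) steps; the slide's [lookup, depressed,
    meds] becomes [("lookup", "depressed"), ("meds", None)]. Each ad shown is
    checked against the ads optimal for the belief the simulated auditee holds
    at that point; with `ignore_health` that belief never uses the lookup result.
    Returns "violated" if an ad is not optimal, else "inconclusive" (a consistent
    log does not prove that the health data went unused)."""
    belief = dict(prior)
    for action, observation in log:
        if action in REWARD and action not in optimal_ads(belief):
            return "violated"
        belief = belief_update(belief, observation)
    return "inconclusive"


if __name__ == "__main__":
    log = [("lookup", "depressed"), ("meds", None)]
    print(audit(log))                               # violated
    print(audit(log, belief_update=update_belief))  # inconclusive
```

Showing Meds is optimal only because the lookup revealed "depressed"; under the simulated ignorance the optimal ad is Party, so the log is flagged, matching the page's implications.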
Page 45
Prior Approaches
- Prior approaches:
  - Labeling actions (industry practice)
  - Labeling sequences of actions (Al-Fedaghi 07, Jafari et al. 09)
  - Labeling roles (Byun et al. 05, 08, 10)
  - Labeling code (Hayati and Abadi 05)
- This work provides a semantic foundation
  - Shows the expressiveness of each approach
Page 46
Summary: Audit Approach
[Diagram repeated from page 4, with an Environment Model added: Privacy Policy -> Computer-readable privacy policy; Organizational audit log; Environment Model; Audit -> Detect policy violations. Annotations: Complete formalization of HIPAA, GLBA; Automated audit for black-and-white policy concepts; Oracles to audit for grey policy concepts.]