Privacy and Utility in Business Processes

Barth, Adam; Mitchell, John C.; Datta, Anupam; Sundaram, Sharada

doi:10.1109/csf.2007.26

Cited by 81 publications

(78 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This differs from purpose restrictions, which do not require the amount of information used to be minimal and often involve purposes that are never fully achieved (e.g., more marketing is always possible). Thus, unlike works on minimal disclosure [28,29], we model purposes as being satisfied to varying degrees. Furthermore, we model probabilistic failures of the agent's plan, which allows us to identify when information use is for a purpose despite not increasing the purpose's satisfaction.…”

Section: Prior Workmentioning

confidence: 99%

Purpose Restrictions on Information Use

Tschantz

Datta

Wing

2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Privacy policies in sectors as diverse as Web services, finance and healthcare often place restrictions on the purposes for which a governed entity may use personal information. Thus, automated methods for enforcing privacy policies require a semantics of purpose restrictions to determine whether a governed agent used information for a purpose. We provide such a semantics using a formalism based on planning. We model planning using Partially Observable Markov Decision Processes (POMDPs), which supports an explicit model of information. We argue that information use is for a purpose if and only if the information is used while planning to optimize the satisfaction of that purpose under the POMDP model. We determine information use by simulating ignorance of the information prohibited by the purpose restriction, which we relate to noninterference. We use this semantics to develop a sound audit algorithm to automate the enforcement of purpose restrictions.

show abstract

Section: Prior Workmentioning

confidence: 99%

Purpose Restrictions on Information Use

Tschantz

Datta

Wing

2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…We motivate our results by modeling a simple online health system described in [2], which allows patients to interact with their doctors and other healthcare professionals using a web-based message passing system. In the system, users have different roles, such as Patient, Secretary, and Doctor.…”

Section: Examplementioning

confidence: 99%

“…The example MyHealth Portal is described in [2]. We checked if the provenance of a variable is always in the regular language Patient (Secretary + ε) Nurse Doctor + + ε.…”

Section: Case Studies: Message Passing Benchmarksmentioning

confidence: 99%

Static Provenance Verification for Message Passing Programs

2013

View full text Add to dashboard Cite

Abstract. Provenance information records the source and ownership history of an object. We study the problem of provenance tracking in concurrent programs, in which several principals execute concurrent processes and exchange messages over unbounded but unordered channels. The provenance of a message, roughly, is a function of the sequence of principals that have transmitted the message in the past. The provenance verification problem is to statically decide, given a message passing program and a set of allowed provenances, whether the provenance of all messages in all possible program executions, belongs to the allowed set. We formalize the provenance verification problem abstractly in terms of well-structured provenance domains, and show a general decidability result for it. In particular, we show that if the provenance of a message is a sequence of principals who have sent the message, and a provenance query asks if the provenance lies in a regular set, the problem is decidable and EXPSPACE-complete. While the theoretical complexity is high, we show an implementation of our technique that performs efficiently on a set of Javascript examples tracking provenances in Firefox extensions. Our experiments show that many browser extensions store and transmit user information although the user sets the browser to the private mode.

show abstract

“…For example, Abdallah and Khayat [1] provide a set-theoretic semantics in a formal specification language, and Barth et al [4] briefly mentions a parameterized role extension to a temporal logic for reasoning about privacy. We adapt a variant of these generalized RBAC models to an object-oriented language, provide a static type system for enforcing access control, and have implemented and validated the approach in Java.…”

Section: Related Workmentioning

confidence: 99%

“…The emphasis in some prior work [1,15,4] is on clarifying the formal semantics of a parameterized access control model. For example, Abdallah and Khayat [1] provide a set-theoretic semantics in a formal specification language, and Barth et al [4] briefly mentions a parameterized role extension to a temporal logic for reasoning about privacy.…”

Section: Related Workmentioning

confidence: 99%

Fine-Grained Access Control with Object-Sensitive Roles

Fischer

Marino

Majumdar

et al. 2009

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Role-based access control (RBAC) is a common paradigm to ensure that users have sufficient rights to perform various system operations. In many cases though, traditional RBAC does not easily express application-level security requirements. For instance, in a medical records system it is difficult to express that doctors should only update the records of their own patients. Further, traditional RBAC frameworks like Java's Enterprise Edition rely solely on dynamic checks, which makes application code fragile and difficult to ensure correct. We introduce Object-sensitive RBAC (ORBAC), a generalized RBAC model for object-oriented languages. ORBAC resolves the expressiveness limitations of RBAC by allowing roles to be parameterized by properties of the business objects being manipulated. We formalize and prove sound a dependent type system that statically validates a program's conformance to an ORBAC policy. We have implemented our type system for Java and have used it to validate fine-grained access control in the OpenMRS medical records system.

show abstract

Privacy and Utility in Business Processes

Cited by 81 publications

References 21 publications

Purpose Restrictions on Information Use

Purpose Restrictions on Information Use

Static Provenance Verification for Message Passing Programs

Fine-Grained Access Control with Object-Sensitive Roles

Contact Info

Product

Resources

About