Title: Privacy APIs: Formal Models for Legislative Privacy Policies
1 Privacy APIs: Formal Models for Legislative Privacy Policies
- Michael J. May
- (mjmay at seas.upenn.edu)
- http://www.seas.upenn.edu/mjmay/
- Joint work with Carl A. Gunter (UIUC) and Insup Lee (Penn)
- TAMI/Portia Privacy and Accountability Workshop
- June 2006
2 Legislation ⇒ Privacy Policies
Formal Models
3 Privacy Laws
- Privacy intrusions are in the news
  - Identity theft is the fastest growing crime in the USA
  - Companies are buying/selling/trading personal information
- One response: legislation!
- Why legislation?
  - It's the most effective way to get companies to respond
  - Compare the effectiveness of Gramm-Leach-Bliley and HIPAA to nearly any Privacy Enhancing Technology
  - Financial penalties speak louder than bad press
- Problem
  - Enterprises can't comply if they don't know what to comply with!
4 Our Approach
- Formalize legal texts and use model checking to evaluate their static properties
- Compare to policy in practice to find compliance
[Diagram: translation pipeline. Full Text (English) → Selection → Command set (English) → Privacy commands → Model (Promela), with a reference-checking step between the stages]
5 Policy languages
- Policy languages define a set of constructs that can be combined to write a policy
- The access matrix: the policy is the state of the system
- Policy is often written as a rule set; policy trees or state machines may be used too
- Harrison, Ruzzo, and Ullman (HRU) format to write policy as a rule set
  - Protection commands for operating systems
  - Primitive operations are transactional changes to the state of the access control matrix (e.g. enter right, create object)
  - Commands are combinations of primitive operations with optional guards
- Originator Control (ORCON) [Graubart89]: a policy for controlling information
  - Rule: Only the owner of an object can grant permission on it
      command grant (from, to, object, right)
        if owner in (from, object)
        then enter right in (to, object)
  - Rule: A permission that is starred is transferable
      command transfer (from, to, object, right)
        if right* in (from, object)
        then enter right in (to, object)
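The grant/transfer commands above, as an added example that is not part of the original slides: a small Python interpreter for an HRU-style access matrix with the two ORCON commands. The principals, the object `memo` and the right names `read`/`read*` are constructed for the illustration; storing a transferable right under the name with a trailing `*`, and giving the recipient of a transfer the unstarred right, are assumptions of this example, not something the slides state.

```python
from collections import defaultdict

# Added example (not from the slides): HRU-style matrix + ORCON commands.
# A starred (transferable) right is stored as the right name plus '*'.


class Matrix:
    """Access-control matrix: cell (subject, object) -> set of rights."""

    def __init__(self):
        self.cell = defaultdict(set)
        self.objects = set()

    # HRU primitive operations: each one is a single transactional change.
    def create_object(self, obj):
        self.objects.add(obj)

    def enter(self, right, subject, obj):
        self.cell[(subject, obj)].add(right)

    def has(self, right, subject, obj):
        return right in self.cell[(subject, obj)]

    def holders(self, right, obj):
        """Principals holding `right` (starred or plain) on obj."""
        return sorted(s for (s, o), rs in self.cell.items()
                      if o == obj and (right in rs or right + "*" in rs))


# A command is a guard plus primitive operations; a failed guard changes nothing.
def grant(m, frm, to, obj, right):
    """ORCON rule: only the owner of an object can grant permission on it."""
    if not m.has("owner", frm, obj):
        return False
    m.enter(right, to, obj)
    return True


def transfer(m, frm, to, obj, right):
    """ORCON rule: only a starred permission is transferable.  Assumption of
    this example: the recipient gets the plain right, so the chain stops."""
    if not m.has(right + "*", frm, obj):
        return False
    m.enter(right, to, obj)
    return True


def orcon_scenario():
    """Constructed scenario: Alice owns 'memo', grants read* to Bob and read
    to Carol; the others then try to pass the right on."""
    m = Matrix()
    m.create_object("memo")
    m.enter("owner", "Alice", "memo")
    steps = {
        "alice_grants_bob_read*": grant(m, "Alice", "Bob", "memo", "read*"),
        "alice_grants_carol_read": grant(m, "Alice", "Carol", "memo", "read"),
        "bob_grants_dave": grant(m, "Bob", "Dave", "memo", "read"),          # Bob is not the owner
        "bob_transfers_dave": transfer(m, "Bob", "Dave", "memo", "read"),    # read* is transferable
        "carol_transfers_eve": transfer(m, "Carol", "Eve", "memo", "read"),  # plain read is not
        "dave_transfers_eve": transfer(m, "Dave", "Eve", "memo", "read"),    # Dave's copy is not starred
    }
    return steps, m.holders("read", "memo")
```

Because a failed guard leaves the matrix untouched, each command is transactional in the HRU sense; the scenario shows that `read` cannot be passed on while `read*` can, but only for one hop.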
6 Privacy Fundamentals [GMS04]
- Transfer: What is the right of a principal p to transfer an object x to a principal q, where x is about a subject r?
- Action: What is the right of a principal p to carry out an action that affects the privacy of a principal q?
- Creation: Which principals p are allowed to create objects x whose subject is q?
- Right Establishment: How are rights established for a principal p?
7 Notation
- Assume we are given the following
  - Objects x, y, z ∈ O
  - Principals p, q, r ∈ P
  - Actions a, b, c ∈ A
  - Time t ∈ T
- Each object x has a subject subj(x) that the object is about and a creation time ct(x) ∈ T when it was made
- A distinguished null object and null principal
8 Events
- Set policy event: p sets s on q for r at t
- Creation event: p creates x at t
- Publish/subscribe event: p gets x from q at t
- Action event: p does a on q at t
9 What do we need for legal texts? [MGL06]
- Tools to add to the system
  - Logging
  - Notification
- Policy concepts to add
  - Actor, Originator
  - Object tags
  - Environmental evidence
  - Concretization
- Policy language that implements them
  - Language that reflects the way operations are done
  - Policy that can inspect and modify the content of objects
10 Conditions and Obligations
- Level 1: Can be evaluated/enforced from the matrix state alone
  - Alice may use Bob's email address to send him messages if he has given consent for online communications
  - Alice may use her right to email Bob only once
- Level 2: Can be evaluated/enforced from the matrix state plus parameters passed with the command (e.g. purpose, environment flags)
  - Alice can't use Bob's email address for marketing communications unless he has given consent for it
  - Alice may use her right to email Bob, but she must make a note of it in the system log
- Level 3: Can't be evaluated/enforced by the system; it depends on facts outside the system's view
  - Alice can use Bob's email address for communicating with him if he has not responded to phone calls and Alice has reason to believe he has changed his phone number
  - Alice may use her right to email Bob, but must then mail him a letter with the same content
11 Environment flags and testimonials
- Environment flags help with Level 2
  - Let the system communicate information about the environment to the policy
  - Can be Boolean flags, numbers, etc.
  - Are easily codified in policy text
  - Conditions check the flags, obligations modify them
- Testimonials are needed for Level 3
  - Actors make assertions about things in the environment
  - Conditions check them via flags, and may log them
  - Obligations communicate back to the user, and may notify
12 Conditions example
L2: data origination tracking and purpose (the relevant phrases: "created or received under paragraph (a)(3)(i)(A)-(C)" and "treatment, payment, or health care operations")
- 164.506(a)(3)(i) A covered health care provider may, without prior consent, use or disclose protected health information created or received under paragraph (a)(3)(i)(A)-(C) of this section to carry out treatment, payment, or health care operations
- (C) If a covered health care provider attempts to obtain such consent from the individual but is unable to obtain such consent due to substantial barriers to communicating with the individual, and the covered health care provider determines, in the exercise of professional judgment, that the individual's consent to receive treatment is clearly inferred from the circumstances. (HIPAA, 2003)
13 Conditions example
L3: Provider has attempted to obtain consent but can't (the relevant phrase of the same 164.506(a)(3)(i)(C) text quoted on slide 12: "attempts to obtain such consent from the individual but is unable to obtain such consent due to substantial barriers to communicating with the individual")
14 Conditions example
L3: Provider in professional judgment (the relevant phrase of the same 164.506(a)(3)(i)(C) text quoted on slide 12: "determines, in the exercise of professional judgment, that the individual's consent to receive treatment is clearly inferred from the circumstances")
15 Privacy APIs
- A set of commands in our Privacy Commands syntax combines to make a Privacy API (auditable policy interface)
  - The set must be closed under references (no outside or unresolved references)
  - Commands can be private, so that users cannot invoke them directly
- Policy evaluation
  - Single command execution: an actor invokes a command to execute it
  - Evaluation can be command driven or interactive
16 Privacy commands
- Policy atoms are privacy commands, akin to HRU commands
- We add some primitive operations to HRU's matrix operations:
  - Checking purpose
  - Inspecting environmental evidence flags
  - References: invocation of other commands
  - Function-like commands that return results
  - Commands that have no side effects
17 Command examples
- Rule: Creating an object with Originator Control (ORCON) rules
    command CreateObject (a, s, o)
      create object o
      and enter originator in (a, o)
      and enter subject in (s, o)
    end
- Rule: Copying an object with ORCON rules (only the originator may copy, and the copy carries the same originator and subject)
    command CopyObject (a, s, o, o')
      if originator in (a, o)
      and subject in (s, o)
      then create object o'
      and enter originator in (a, o')
      and enter subject in (s, o')
    end
18 Translation steps
[Diagram: translation pipeline. Full Text (English) → Selection → Command set (English) → Privacy commands → Model (Promela), with a reference-checking step between the stages]
19 Example: Own use clause
- 164.506(c)(1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. (HIPAA, 2003)
- Notation for commands
  - Let a, s, and r be agents
  - Let a be an officer of a covered entity (hospital, doctor's office, etc.)
  - Let r be the intended recipient of the file
  - Let f be a file which contains protected health information
  - Let s be the subject of the file with protected health information
  - Let p be a set of purpose flags
  - Let evidence be a set of environment flags
20 Example: Own use clause
- 164.506(c)(1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.
- Commands (helpers first, then the use and disclose commands that the clause authorizes):
    AllowedAsIn506c1 (a, s, r, p, f, evidence)
      if 'own use' in p then return true else return false
    end

    isTPO (p)
      if 'treatment' in p or 'payment' in p or 'healthcare operations' in p
      then return true else return false
    end

    CopyObject (a, s, o, o')
      if orig in (a, o) and subj in (s, o)
      then create object o'
      and insert orig in (a, o')
      and insert subj in (s, o')
    end

    Use506c1 (a, s, r, p, f, evidence)
      if AllowedAsIn506c1 (a, s, r, p, f, evidence)
      and r = a
      and own in (a, f)
      and isTPO (p)
      then EnterUse (a, p, f)
    end

    Disclose506c1 (a, s, r, p, f, evidence)
      if AllowedAsIn506c1 (a, s, r, p, f, evidence)
      and own in (a, f)
      then CopyObject (a, s, f, f')
      and insert own in (r, f')
      and EnterDisclose (a, p, f)
    end
21 Example: Testimonials
    AsIn506a3iC (a, s, r, f, evidence)
      if attempted in (a, f)
      and consent not in (s, f)
      and 'barriers to communication' in evidence
      and 'professional judgment' in evidence
      then return true else return false
    end
- 164.506(a)(3)(i) A covered health care provider may, without prior consent, use or disclose protected health information created or received under paragraph (a)(3)(i)(A)-(C) of this section to carry out treatment, payment, or health care operations
- (C) If a covered health care provider attempts to obtain such consent from the individual but is unable to obtain such consent due to substantial barriers to communicating with the individual, and the covered health care provider determines, in the exercise of professional judgment, that the individual's consent to receive treatment is clearly inferred from the circumstances.
22 Creating the rule sets
- Using the above techniques we translated one section (164.506, consent for disclosure)
- The 2000 and 2003 versions of the rules are very different
- Chasing references led to including a large section of text
- Rules are designed to follow the structure of the law closely
- Semi-automation of the process in the future
- Rule set size
  - 2000: 60 + 5 helper = 65 rules
  - 2003: 21 + 33 (by reference) + 5 helper = 59 rules
23 Translation steps
[Diagram: translation pipeline. Full Text (English) → Selection → Command set (English) → Privacy commands → Model (Promela), with a reference-checking step between the stages]
24 Verification using the rule sets
- We use Spin to find the problems previously detected by manual inspection. Comments on the 2000 version consent rules led to a complete rework in the 2003 version
  - Ex: Ambulance workers must obtain consent, after the fact, for services they performed on unconscious patients
  - Ex: Hospitals which usually do pre-operation preparations before procedures cannot do so without the patient coming in to sign a special designator
  - Ex: Doctors who render remote diagnoses cannot do so without having a special paper consent form sent or faxed to them first
25 Model example
- Modeled the rule set in Spin
- Trace the path that leads to specific valid and invalid states
- Valid and invalid states are input as invariants
  - Designated by experts in health care and privacy activists
  - Mentioned explicitly in the text
  - Derived from comments by stakeholders in the law's design
- Privacy command:
    Use506c1 (a, s, r, p, f, evidence)
      if AllowedAsIn506c1 (a, s, r, p, f, evidence)
      and r = a
      and own in (a, f)
      and isTPO (p)
      then EnterUse (a, p, f)
    end
- Promela translation (each command becomes a process that serves requests on its channel and calls other commands through theirs):
    active proctype Use506c1()
    {
      bool result = false;
      bool temp;
      do
      :: Use506c1_chan?request(_) ->
           AllowedAsIn506c1_chan!request(true);
           AllowedAsIn506c1_chan?response(temp);
           result = temp;
           result = result && (r == a);
           result = result && (m.mat[a].obj[f].own == 1);
           if
           :: result -> EnterUse_chan!request(true);
                        EnterUse_chan?response(temp)
           :: else -> skip
           fi
      od
    }
26 Example property check
- Property: Can a doctor see a patient record for treatment, payment, or health care operations without consent in a non-emergency situation?
- Invariant: No health care provider can access a patient record in a non-emergency situation without first gaining consent or obtaining it afterward
- File f is about Paula (patient). Dan (doctor) cannot gain any access permissions on f without getting consent from Paula first (or after the fact, in case of inability to gain consent at first).
    /* initialize the matrix */
    /* Dan is a doctor */
    m.mat[Dan].obj[health_care_provider_group].member = 1;
    /* Paula is a patient and the subject of file1 */
    m.mat[Paula].obj[file1].subject = 1;
    /* Dan has the file in his system - he owns it */
    m.mat[Dan].obj[file1].own = 1;
    p.treatment = 1; p.payment = 1; p.healthcare_operations = 1;
    /* set evidences */
    evidence.emergency = 0;
    /* check if Dan can get access to the file */
    invariant: (m.mat[Dan].obj[file1].treat == 0) && (m.mat[Dan].obj[file1].pay == 0) && (m.mat[Dan].obj[file1].healthops == 0)
            && (m.mat[Dan].obj[f_new].treat == 0) && (m.mat[Dan].obj[f_new].pay == 0) && (m.mat[Dan].obj[f_new].healthops == 0)
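The commands of slides 19 to 21 and the property check of slide 26, as one added example that is not the authors' code or their Promela model: a Python interpretation of AllowedAsIn506c1, isTPO, CopyObject, Use506c1, Disclose506c1 and AsIn506a3iC over an access matrix, plus a bounded breadth-first search over command sequences that reports the first reachable state violating the slide-26 invariant, which is what Spin does exhaustively. Assumptions of this example, not stated on the slides: EnterUse records the rights `treat`/`pay`/`healthops` that the invariant inspects, consent is modelled as a `consent` right in (subject, file), Dan is also the originator of `file1` so that CopyObject can fire, and the recipient `Rita` is a constructed name.

```python
from collections import defaultdict
from itertools import combinations

# Added example, not the authors' code: Python versions of the 164.506 commands
# on slides 19-21 and a bounded search over them for the slide-26 invariant.
# Assumed (not on the slides): the treat/pay/healthops rights that EnterUse
# records, 'consent' as a right in (subject, file), Dan as file1's originator.

TPO = ("treatment", "payment", "healthcare operations")
USE_RIGHT = {"treatment": "treat", "payment": "pay", "healthcare operations": "healthops"}


class Matrix:
    """Access-control matrix (subject, object) -> rights, plus the audit log."""

    def __init__(self, cells=(), log=()):
        self.cell = defaultdict(set, {k: set(v) for k, v in cells})
        self.log = list(log)

    def has(self, right, s, o):
        return right in self.cell[(s, o)]

    def enter(self, right, s, o):
        self.cell[(s, o)].add(right)

    def clone(self):                     # commands run on a copy during the search
        return Matrix(self.cell.items(), self.log)


def is_tpo(p):
    return any(x in p for x in TPO)


def allowed_as_in_506c1(m, a, s, r, p, f, evidence):
    return "own use" in p


def copy_object(m, a, s, o, o2):
    """ORCON copy (slide 17): only the originator may copy; copy keeps orig/subj."""
    if not (m.has("orig", a, o) and m.has("subj", s, o)):
        return False
    m.enter("orig", a, o2)
    m.enter("subj", s, o2)
    return True


def enter_use(m, a, p, f):
    """Obligation (Level 2): record each TPO use as a right and log it."""
    for purpose in USE_RIGHT.keys() & p:
        m.enter(USE_RIGHT[purpose], a, f)
    m.log.append(("use", a, f, tuple(sorted(p))))


def use_506c1(m, a, s, r, p, f, evidence):
    if (allowed_as_in_506c1(m, a, s, r, p, f, evidence) and r == a
            and m.has("own", a, f) and is_tpo(p)):
        enter_use(m, a, p, f)
        return True
    return False


def disclose_506c1(m, a, s, r, p, f, evidence):
    if (allowed_as_in_506c1(m, a, s, r, p, f, evidence) and m.has("own", a, f)
            and copy_object(m, a, s, f, f + "'")):
        m.enter("own", r, f + "'")
        m.log.append(("disclose", a, r, f, tuple(sorted(p))))   # EnterDisclose
        return True
    return False


def as_in_506a3iC(m, a, s, r, f, evidence):
    """Level-3 condition: the provider's testimonials arrive as evidence flags."""
    return (m.has("attempted", a, f) and not m.has("consent", s, f)
            and "barriers to communication" in evidence
            and "professional judgment" in evidence)


def initial_state(consent=False):
    """Slide-26 set-up: Dan (doctor) holds file1, whose subject is Paula."""
    m = Matrix()
    m.enter("member", "Dan", "health_care_provider_group")
    m.enter("subj", "Paula", "file1")
    m.enter("own", "Dan", "file1")
    m.enter("orig", "Dan", "file1")          # assumption: lets CopyObject fire
    if consent:
        m.enter("consent", "Paula", "file1")  # assumption: consent as a right
    return m


def invariant(m):
    """No treat/pay/healthops right on Paula's record (or its copy) without consent."""
    if m.has("consent", "Paula", "file1"):
        return True
    return not any(m.has(r, "Dan", o) for r in USE_RIGHT.values() for o in ("file1", "file1'"))


def transitions(m, evidence):
    """Every enabled command instance from state m: the model's step relation."""
    flags = ("own use",) + TPO
    for n in range(len(flags) + 1):
        for p in map(frozenset, combinations(flags, n)):
            for cmd, args in ((use_506c1, ("Dan", "Paula", "Dan", p, "file1", evidence)),
                              (disclose_506c1, ("Dan", "Paula", "Rita", p, "file1", evidence))):
                nxt = m.clone()
                if cmd(nxt, *args):
                    yield (cmd.__name__, tuple(sorted(p))), nxt


def find_violation(depth=3, evidence=frozenset(), consent=False):
    """Bounded breadth-first search: the command trace reaching a state that
    breaks the invariant, or None if none is reachable within `depth` steps."""
    frontier = [(initial_state(consent), [])]
    for _ in range(depth):
        nxt = []
        for m, trace in frontier:
            for step, n in transitions(m, evidence):
                if not invariant(n):
                    return trace + [step]
                nxt.append((n, trace + [step]))
        frontier = nxt
    return None
```

Without consent the search finds a one-step counterexample: Use506c1 with purposes {own use, treatment} gives Dan the `treat` right on `file1`, which is exactly the 2003 reading of 164.506(c)(1) (own-use TPO needs no consent); with the consent right present the invariant holds over the whole bounded state space. The testimonial command only returns true when both evidence flags are supplied alongside the `attempted` right, which is how a Level-3 condition is reduced to something the system can check.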
27 Related Work
- Access control
  - HRU's checking of safety properties
  - Fisler et al.'s Margrave for XACML
- Digital Rights Management
  - ODRL
  - XrML (ContentGuard)
  - Formal properties: Guth et al.; Weissman et al.
- Privacy policies
  - EPAL (IBM), P3P (W3C)
  - Formal properties: Yu et al.; Hayati and Abadi 04; Karjoth, Schunter, Backes, Powers, et al. at IBM 02-04
  - Contextual Integrity: Barth et al. 06
28 Conclusion
- Using access control techniques to understand legal privacy regulations
- Model of operations on private data and allowed information flows
- Translating one to the other reveals similarities between them
- Differences require us to rethink some theories of access control as usage control and disclosure control
- Success in modeling the sections of the regulation that have to do with uses and disclosures
- Some sections are not addressable
  - Ex: Typographical rules for writing a privacy practices declaration
- Research goal is to use formal models to better understand the implementation and evolution of regulations
29 References
- [GMS04] Carl A. Gunter, Michael J. May, and Stuart Stubblebine. A Formal Privacy System and its Application to Location Based Services. Privacy Enhancing Technologies 2004.
- [MGL06] Michael J. May, Carl A. Gunter, and Insup Lee. Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies. To appear in CSFW 2006.
- UPenn IR2FM: http://www.cis.upenn.edu/rtg/extract-fm/index.php3
- UIUC Formal Privacy: http://seclab.uiuc.edu/formalprivacy/