Privacy APIs: Formal Models for Legislative Privacy Policies - PowerPoint PPT Presentation

Description: Privacy APIs: Formal Models for Legislative Privacy Policies. Michael J. May ... Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies. – PowerPoint PPT presentation

Slides: 30
Learn more at: http://dig.csail.mit.edu

Transcript and Presenter's Notes

1
Privacy APIs Formal Models for Legislative
Privacy Policies
  • Michael J. May
  • (mjmay@seas.upenn.edu)
  • http://www.seas.upenn.edu/mjmay/
  • Joint work with Carl A. Gunter (UIUC) and Insup Lee
    (Penn)
  • TAMI/Portia Privacy and Accountability Workshop
  • June 2006

2
Legislation ⇒ Privacy Policies
  • ?

Formal Models
3
Privacy Laws
  • Privacy intrusions are in the news
    • Identity theft: fastest growing crime in the USA
    • Companies buying/selling/trading personal
      information
  • One response: Legislation!
  • Why legislation?
    • It's the most effective way to get companies to
      respond
    • Compare the effectiveness of Gramm-Leach-Bliley
      and HIPAA to nearly any Privacy Enhancing
      Technology
    • Financial penalties speak louder than bad press
  • Problem
    • Enterprises can't comply if they don't know what
      to comply with!

4
Our Approach
  • Formalize legal texts and use model checking to
    evaluate their static properties
  • Compare to policy in practice to find compliance

[Diagram: Full Text (English) → Selection (English) → Command set (Privacy commands) → Model (Promela); Reference checking]
5
Policy languages
  • Policy languages define a set of constructs that
    can be combined to write a policy
  • The matrix: the policy is the state of the
    system
  • Policy is often written as a rule set; policy
    trees or state machines may be used too
  • Harrison, Ruzzo, and Ullman (HRU) format to write
    policy in a rule set
    • Protection commands for operating systems
    • Primitive operations are transactional changes to
      the state of the access control matrix (e.g. enter
      right, create object)
    • Commands are combinations of primitive operations
      with optional guards
  • Originator Control (ORCON) [Graubart89] policy
    for controlling information
    • Rule: Only the owner of an object can grant
      permission on it
        command grant (from, to, object, right)
          if owner in (from, object)
          then enter right in (to, object)
    • Rule: A permission that is starred is
      transferable
        command transfer (from, to, object, right)
          if right* in (from, object)
          then enter right in (to, object)

6
Privacy Fundamentals [GMS04]
  • Transfer: What is the right of a principal p to
    transfer an object x to a principal q where x is
    about a subject r?
  • Action: What is the right of a principal p to
    carry out an action that affects the privacy of a
    principal q?
  • Creation: Which principals p are allowed to
    create objects x whose subject is q?
  • Right Establishment: How are rights established
    for a principal p?

7
Notation
  • Assume we are given the following
    • Objects x, y, z ∈ O
    • Principals p, q, r ∈ P
    • Actions a, b, c ∈ A
    • Time t ∈ T
  • Each object x has a subject subj(x) that the
    object is about and a creation time ct(x) ∈ T
    when it was made
  • Null object in O and null principal in P

8
Events
  • Set policy event: p sets s on q for r at t
  • Creation event: p creates x at t
  • Publish/subscribe event: p gets x from q at t
  • Action event: p does a on q at t

9
What do we need for legal texts? [MGL06]
  • Tools to add to the system
    • Logging
    • Notification
  • Policy concepts to add
    • Actor, Originator
    • Object tags
    • Environmental evidence
    • Concretization
  • Policy language that implements them
    • Language that reflects the way operations are
      done
    • Policy that can inspect and modify the content of
      objects

10
Conditions and Obligations
  • Level 1: Can be evaluated/enforced from the
    matrix state
    • Alice may use Bob's email address to send him
      messages if he has given consent for online
      communications
    • Alice may use her right to email Bob only once
  • Level 2: Can be evaluated/enforced from matrix
    state plus parameters passed (e.g. purpose,
    environment flags)
    • Alice can't use Bob's email address for marketing
      communications unless he has given consent for it
    • Alice may use her right to email Bob, but she
      must make a note of it in the system log
  • Level 3: Can't be evaluated/enforced by the
    system
    • Alice can use Bob's email address for
      communicating with him if he has not responded to
      phone calls and Alice has reason to believe he
      has changed his phone number
    • Alice may use her right to email Bob, but must
      then mail him a letter with the same content

11
Environment flags and testimonials
  • Environment flags help with Level 2
    • Let the system communicate information about the
      environment to the policy
    • Can be Boolean flags, numbers, etc.
    • Are easily codified in policy text
    • Conditions check the flags, obligations modify
      them
  • Testimonials are needed for Level 3
    • Actors make assertions about things in the
      environment
    • Conditions check them via flags, may log them
    • Obligations communicate back to the user, may
      notify

12
Conditions example
L2: data origination tracking and purpose
  • 164.506(a)(3)(i) A covered health care provider
    may, without prior consent, use or disclose
    protected health information created or received
    under paragraph (a)(3)(i)(A)-(C) of this section
    to carry out treatment, payment, or health care
    operations
  • (C) If a covered health care provider attempts
    to obtain such consent from the individual but is
    unable to obtain such consent due to substantial
    barriers to communicating with the individual,
    and the covered health care provider determines,
    in the exercise of professional judgment, that
    the individual's consent to receive treatment is
    clearly inferred from the circumstances. [HIPAA,
    2003]

13
Conditions example
L3: Provider has attempted to obtain consent but
can't
  • 164.506(a)(3)(i) A covered health care provider
    may, without prior consent, use or disclose
    protected health information created or received
    under paragraph (a)(3)(i)(A)-(C) of this section
    to carry out treatment, payment, or health care
    operations
  • (C) If a covered health care provider attempts
    to obtain such consent from the individual but is
    unable to obtain such consent due to substantial
    barriers to communicating with the individual,
    and the covered health care provider determines,
    in the exercise of professional judgment, that
    the individual's consent to receive treatment is
    clearly inferred from the circumstances. [HIPAA,
    2003]

14
Conditions example
L3: Provider in professional judgment
  • 164.506(a)(3)(i) A covered health care provider
    may, without prior consent, use or disclose
    protected health information created or received
    under paragraph (a)(3)(i)(A)-(C) of this section
    to carry out treatment, payment, or health care
    operations
  • (C) If a covered health care provider attempts
    to obtain such consent from the individual but is
    unable to obtain such consent due to substantial
    barriers to communicating with the individual,
    and the covered health care provider determines,
    in the exercise of professional judgment, that
    the individual's consent to receive treatment is
    clearly inferred from the circumstances. [HIPAA,
    2003]

15
Privacy APIs
  • A set of commands in our Privacy Commands syntax
    combines to make a Privacy API (auditable policy
    interface)
    • Set must be closed under references (no outside
      or unresolved references)
    • Commands can be private so users cannot access
      them
  • Policy evaluation
    • Single command execution: an actor invokes a
      command to execute it
    • Evaluation can be command driven or interactive

16
Privacy commands
  • Policy atoms are privacy commands akin to HRU
    commands
  • We add some primitive operations to the set of
    matrix operations from HRU
    • Checking purpose
    • Inspecting environmental evidence flags
  • References
    • Invocation of other commands
    • Function-like commands that return results
    • Commands that have no side effects

17
Command examples
  • Rule: Creating an object with Originator Control
    (ORCON) rules
      command CreateObject (a, s, o)
        create object o
        and enter originator in (a, o)
        and enter subject in (s, o)
      end
  • Rule: Copying an object with ORCON rules (the new
    rights go on the copy o', not on the source o)
      command CopyObject (a, s, o, o')
        if originator in (a, o)
        and subject in (s, o)
        then create object o'
        and enter originator in (a, o')
        and enter subject in (s, o')
      end

18
Translation steps
[Diagram: Full Text (English) → Selection (English) → Command set (Privacy commands) → Model (Promela); Reference checking]
19
Example: Own use clause
  • 164.506(c)(1) A covered entity may use or
    disclose protected health information for its own
    treatment, payment, or health care operations.
    [HIPAA, 2003]
  • Notation for commands
    • Let a, s, and r be agents
    • Let a be an officer of a covered entity
      (hospital, doctor's office, etc.)
    • Let r be the intended recipient of the file
    • Let f be a file which contains protected health
      information
    • Let s be the subject of the file with protected
      health information
    • Let p be a set of purpose flags
    • Let evidence be a set of environment flags

20
Example: Own use clause
  • 164.506(c)(1) A covered entity may use or
    disclose protected health information for its own
    treatment, payment, or health care operations.

    AllowedAsIn506c1 (a, s, r, p, f, evidence)
      if 'own use' in p then return true else return false
    end

    Disclose506c1 (a, s, r, p, f, evidence)
      if AllowedAsIn506c1 (a, s, r, p, f, evidence)
      and own in (a, f)
      then CopyObject (a, s, f, f')
      and insert own in (r, f')
      and EnterDisclose (a, p, f)
    end

    Use506c1 (a, s, r, p, f, evidence)
      if AllowedAsIn506c1 (a, s, r, p, f, evidence)
      and r = a
      and own in (a, f)
      and isTPO(p)
      then EnterUse (a, p, f)
    end

    isTPO (p)
      if 'treatment' in p or 'payment' in p
      or 'healthcare operations' in p
      then return true else return false
    end

    CopyObject (a, s, o, o')
21
Example: Testimonials
  • 164.506(a)(3)(i) A covered health care provider
    may, without prior consent, use or disclose
    protected health information created or received
    under paragraph (a)(3)(i)(A)-(C) of this section
    to carry out treatment, payment, or health care
    operations
  • (C) If a covered health care provider attempts
    to obtain such consent from the individual but is
    unable to obtain such consent due to substantial
    barriers to communicating with the individual,
    and the covered health care provider determines,
    in the exercise of professional judgment, that
    the individual's consent to receive treatment is
    clearly inferred from the circumstances.

    AsIn506a3iC (a, s, r, f, evidence)
      if attempted in (a, f)
      and consent not in (s, f)
      and 'barriers to communication' in evidence
      and 'professional judgment' in evidence
      then return true else return false
    end

22
Creating the rule sets
  • Using the above techniques we translated one section
    (164.506) on consent for disclosure
    • 2000 and 2003 versions of the rules are very
      different
    • Chasing references led to including a large
      section of text
    • Rules designed to follow the structure of the law
      closely
    • Semi-automation of the process in the future
  • Rule set size
    • 2000: 60 + 5 helper = 65 rules
    • 2003: 21 + 33 (by ref) + 5 helper = 59 rules

23
Translation steps
[Diagram: Full Text (English) → Selection (English) → Command set (Privacy commands) → Model (Promela); Reference checking]
24
Verification using the rule sets
  • We use Spin to find the problems previously
    detected by manual inspection. Comments on the
    2000 version consent rules led to a complete
    rework in the 2003 version
    • Ex: Ambulance workers must obtain consent for
      services they did for unconscious patients after
      the fact
    • Ex: Hospitals which usually do pre-operation
      preparations before procedures cannot do so
      without the patient coming to sign a special
      designator
    • Ex: Doctors who render remote diagnoses cannot
      do so without having a special paper consent form
      sent or faxed to them first.

25
Model example
  • Modeled the rule set in Spin
  • Trace the path that led to specific valid and
    invalid states
  • Valid and invalid states are input as
    invariants
    • Designated by experts in health care and privacy
      activists
    • Mentioned explicitly in the text
    • Derived from comments by stakeholders in the
      law's design
  • Privacy command:
      Use506c1 (a, s, r, p, f, evidence)
        if AllowedAsIn506c1 (a, s, r, p, f, evidence)
        and r = a
        and own in (a, f)
        and isTPO(p)
        then EnterUse (a, p, f)
      end
  • Promela model of the same command (the slide's
    listing is cut off after the else branch):
      active proctype Use506c1 ()
      {
        bool result = false; bool temp;
        do
        :: Use506c1_chan?request(_) ->
             AllowedAsIn506c1_chan!request(true);
             AllowedAsIn506c1_chan?response(temp);
             result = temp;
             result = result && (r == a);
             result = result && (m.mat[a].obj[f].own == 1);
             if
             :: result -> EnterUse_chan!request(true);
                          EnterUse_chan?response(temp)
             :: else -> skip
             fi
        od
      }

26
Example: property check
  • Property: Can a doctor see a patient record for
    treatment, payment, or health care operations
    without consent in a non-emergency situation?
  • Invariant: No health care provider can access a
    patient record in a non-emergency situation
    without first gaining consent or obtaining it
    afterward
  • File f about Paula (patient). Dan (doctor) can
    not gain any access permissions on f without
    getting consent from Paula first (or after the
    fact in case of inability to gain consent at
    first).

    /* initialize the matrix */
    /* Dan is a doctor */
    m.mat[Dan].obj[health_care_provider_group].member = 1;
    /* Paula is a patient and the subject of file1 */
    m.mat[Paula].obj[file1].subject = 1;
    /* Dan has the file in his system - he owns it */
    m.mat[Dan].obj[file1].own = 1;
    p.treatment = 1; p.payment = 1; p.healthcare_operations = 1;
    /* set evidences */ evidence.emergency = 0;
    /* check if Dan can get access to the file */
    invariant: (m.mat[Dan].obj[file1].treat == 0)
            && (m.mat[Dan].obj[file1].pay == 0)
            && (m.mat[Dan].obj[file1].healthops == 0)
            && (m.mat[Dan].obj[f_new].treat == 0)
            && (m.mat[Dan].obj[f_new].pay == 0)
            && (m.mat[Dan].obj[f_new].healthops == 0)

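The commands of slides 17, 20 and 25 and the property check of slide 26, as an added Python example that is not the authors' code: an HRU-style access matrix with the privacy commands as guarded transactions, and a bounded breadth-first search over command sequences that returns the first trace violating the slide-26 invariant (the role Spin plays in the talk). Assumptions not on the slides: EnterUse records a use by entering treat/pay/healthops rights, EnterDisclose enters a "disclosed" right, Dan also holds the originator right so the ORCON copy guard can pass, and the recipient "Rita" is constructed.

```python
# Added example (not the slides' code): the privacy commands of slides 17, 20 and 25
# in Python over an HRU-style matrix m: (principal, object) -> set of rights, plus a
# bounded search standing in for the Spin invariant check of slide 26.
TPO = {"treatment": "treat", "payment": "pay", "healthcare operations": "healthops"}
def has(m, p, o, r): return r in m.get((p, o), set())
def enter(m, p, o, r): m.setdefault((p, o), set()).add(r)
def is_tpo(p): return bool(set(TPO) & p)                           # isTPO, slide 20
def allowed_as_in_506c1(a, s, r, p, f, ev): return "own use" in p  # slide 20

def enter_use(m, a, p, f):            # assumed: EnterUse enters one right per purpose used
    for purpose in set(TPO) & p:
        enter(m, a, f, TPO[purpose])

def copy_object(m, a, s, o, o2):      # CopyObject with ORCON rules, slide 17
    if not (has(m, a, o, "orig") and has(m, s, o, "subj")): return False
    enter(m, a, o2, "orig"); enter(m, s, o2, "subj"); return True

def use_506c1(m, a, s, r, p, f, ev):  # Use506c1, slide 25
    if not (allowed_as_in_506c1(a, s, r, p, f, ev) and r == a
            and has(m, a, f, "own") and is_tpo(p)):
        return False
    enter_use(m, a, p, f); return True

def disclose_506c1(m, a, s, r, p, f, ev):  # Disclose506c1, slide 20; "disclosed" stands in for EnterDisclose
    if not (allowed_as_in_506c1(a, s, r, p, f, ev) and has(m, a, f, "own")): return False
    copy_object(m, a, s, f, f + "_new"); enter(m, r, f + "_new", "own"); enter(m, a, f, "disclosed")
    return True

def find_violation(init, commands, bad, depth):  # BFS over command sequences up to `depth`
    frontier = [(init, [])]
    for _ in range(depth):
        nxt = []
        for m, trace in frontier:
            for name, cmd, args in commands:
                m2 = {k: set(v) for k, v in m.items()}   # commands are transactional: work on a copy
                if cmd(m2, *args):
                    if bad(m2): return trace + [name]    # first trace reaching a bad state
                    nxt.append((m2, trace + [name]))
        frontier = nxt
    return None                                          # no violation within `depth` steps

def slide26_scenario(purposes):
    m = {}                            # initialize the matrix as on slide 26 (constructed state)
    enter(m, "Paula", "file1", "subj")
    enter(m, "Dan", "file1", "own"); enter(m, "Dan", "file1", "orig")  # orig: assumed, for ORCON
    ev = {"emergency": False}
    cmds = [("Use506c1", use_506c1, ("Dan", "Paula", "Dan", purposes, "file1", ev)),
            ("Disclose506c1", disclose_506c1, ("Dan", "Paula", "Rita", purposes, "file1", ev))]
    bad = lambda m: any(has(m, "Dan", f, r) for f in ("file1", "file1_new") for r in TPO.values())
    return find_violation(m, cmds, bad, depth=3)
```

With the slide-26 purposes (treatment, payment, healthcare operations) these two rules alone never fire, so the search returns None; adding 'own use' to the purposes yields the one-step violating trace ['Use506c1'].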
27
Related Work
  • Access control
    • HRU's checking of safety properties
    • Fisler et al.'s Margrave for XACML
  • Digital Rights Management
    • ODRL
    • XrML (ContentGuard)
    • Formal properties: Guth et al.; Weissman et al.
  • Privacy policies
    • EPAL (IBM), P3P (W3C)
    • Formal properties: Yu et al.; Hayati and Abadi
      04; Karjoth, Schunter, Backes, Powers et al. @
      IBM 02-04
    • Contextual Integrity: Barth et al. 06

28
Conclusion
  • Using access control techniques to understand
    legal privacy regulations
    • Model of operations on private data and allowed
      information flows
    • Translating one to the other reveals similarities
      between them
    • Differences require us to rethink some theories
      of access control as usage control and disclosure
      control
  • Success in modeling the sections of the
    regulation that have to do with uses and
    disclosures
    • Some sections are not addressable
    • Ex: Typographical rules for writing a privacy
      practices declaration
  • Research goal is to use formal models to better
    understand the implementation and evolution of
    regulations

29
References
  • [GMS04] Carl A. Gunter, Michael J. May, and Stuart
    Stubblebine. A Formal Privacy System and its
    Application to Location Based Services. Privacy
    Enhancing Technologies 2004.
  • [MGL06] Michael J. May, Carl A. Gunter, and Insup Lee.
    Privacy APIs: Access Control Techniques to
    Analyze and Verify Legal Privacy Policies. To
    Appear in CSFW 2006.
  • UPenn IR2FM: http://www.cis.upenn.edu/rtg/extract-fm/index.php3
  • UIUC Formal Privacy: http://seclab.uiuc.edu/formalprivacy/

30
Example: Own use clause
  • 164.506(c)(1) A covered entity may use or
    disclose protected health information for its own
    treatment, payment, or health care operations.

    AllowedAsIn506c1 (a, s, r, p, f, evidence)
      if 'own use' in p then return true else return false
    end

    Disclose506c1 (a, s, r, p, f, evidence)
      if AllowedAsIn506c1 (a, s, r, p, f, evidence)
      and own in (a, f)
      then CopyObject (a, s, f, f')
      and insert own in (r, f')
      and EnterDisclose (a, p, f)
    end

    Use506c1 (a, s, r, p, f, evidence)
      if AllowedAsIn506c1 (a, s, r, p, f, evidence)
      and r = a
      and own in (a, f)
      and isTPO(p)
      then EnterUse (a, p, f)
    end

    isTPO (p)
      if 'treatment' in p or 'payment' in p
      or 'healthcare operations' in p
      then return true else return false
    end

    CopyObject (a, s, o, o')
      if orig in (a, o)
      and subj in (s, o)
      then create object o'
      and insert orig in (a, o')
      and insert subj in (s, o')
    end