Browsing by Author "Jafari, Mohammad"
Now showing 1 - 4 of 4
Item (Open Access): A Framework for Expressing and Enforcing Purpose-Based Privacy Policies (2013-01-28)
Authors: Jafari, Mohammad; Fong, Philip; Safavi-Naini, Reihaneh; Barker, Ken

Purpose is a key concept in privacy policies and has been mentioned in major privacy laws and regulations. Although some models have been proposed for enforcing purpose-based policies, little has been done in defining formal semantics for purpose, and therefore an effective enforcement mechanism for policies has remained a challenge. In this paper, we develop a framework for formalizing and enforcing purpose-based privacy policies. Purpose is formally defined as the dynamic situation of an action within the network of inter-related actions in the system. Accordingly, we propose a modal-logic language for formally expressing constraints about purposes of actions, which can be used to model purpose-based policies. The semantics of this language are defined over an abstract model of activities in the system which is directly derivable from business processes. Based on this formal framework, we discuss some properties of purpose and show how some well-known, as well as new, forms of purpose constraints can be formalized using the proposed language. We also show how purpose-based constraints can be tied to other access control policies in the system. Finally, we present a model-checking algorithm for verifying whether a given state of the system complies with a given set of policies, followed by a discussion of how this can be used in an actual implementation of a purpose reference monitor.

Item (Open Access): Modelling and Enforcing Purpose in Privacy Policies (2013-09-06)
Authors: Jafari, Mohammad; Safavi-Naini, Reyhaneh Alsadat; Barker, Kenneth Edwin

Privacy concerns are among the most significant side effects of advances in computer and networking technologies. Expressing and enforcing privacy policies is necessary to ensure that processing of personal information in these systems does not violate the privacy of individuals.

Privacy laws and regulations, as well as various privacy policy languages and privacy-preserving systems, show no disagreement in that purpose of use has a key role in privacy policies and is an important factor in controlling access to personal data. In the current literature on privacy, purposes have been treated mostly as opaque labels with little or no semantics. The resulting ambiguities have made purposes susceptible to malicious or inadvertent misinterpretations. Consequently, enforcing purpose-based policies has also remained a challenge. In this research, we address these problems. We develop a framework that defines purposes formally and provides a formal language for expressing purpose constraints, as well as the corresponding method for evaluating them in the context of a workflow. The semantics of this language are defined over an abstract model of business workflows. We show how purpose constraints can be linked to access control rules to form purpose-based policies and develop an enforcement mechanism in the form of a workflow reference monitor to ensure compliance with such policies. We also show how a simple form of such a reference monitor can be implemented using XACML, a common open standard access control system in the industry.

Item (Open Access): A Secure Electronic Healthcare Record Infrastructure in the Digital Rights Management Model (2009-12-02)
Authors: Sheppard, Nicholas; Safavi-Naini, Reihaneh; Jafari, Mohammad

Electronic healthcare record systems promise to increase the efficiency and effectiveness of healthcare systems by ensuring that healthcare workers can get timely access to the correct and complete information that they require in order to provide good health services to their patients. Electronic healthcare systems have been investigated in many countries, and numerous research journals and conferences are devoted to their design and evaluation.

Greater distribution of information through an electronic healthcare system brings with it a risk that patients' information will be misused, resulting in invasions of privacy and/or unfair discrimination on the basis of patients' medical histories. Security and privacy therefore form an important part of any electronic healthcare system, and numerous designs for security and privacy in the healthcare space have been proposed over the years [4, 5, 10, 15, 18, 19, 20, 21, 23, 43, 45, 50]. Systems for controlling access to sensitive information, both in a healthcare context and others, are typically designed to enforce the principle of least privilege, that is, the principle that the human users of a system should have access to the minimum amount of information required to carry out their assigned job. This principle aims to minimise the potential for information to be misused, without interfering with people's ability to do their jobs. In a privacy context, the principle of consent is widely used in privacy law to restrict the disclosure of sensitive information according to the wishes of the subject of that information. Electronic consent (often shortened to "e-consent"), in particular, allows the subject of some electronic information to permit or deny the disclosure of that information to particular people in particular circumstances [12]. Electronic consent systems have been proposed as a method of controlling the disclosure of electronic healthcare records [3, 34, 35, 44, 49, 53], and (less frequently) for other kinds of personal information in electronic commerce contexts [6, 25, 28]. Electronic consent systems bear some resemblance to digital rights management systems. Digital rights management is best known for its use in the protection of intellectual property [31], but more recently has also been applied to the protection of personal information [26, 47].

Digital rights management technology allows information owners to control the distribution and use of their information by describing a policy in a machine-readable licence. Information is distributed in a protected form such that it can only be accessed by special DRM agents that are trusted to comply with the terms specified in licences. Petković et al. examine the potential for digital rights management technology in securing electronic healthcare records [40]. They argue that digital rights management technologies already provide many of the features desired in a secure electronic healthcare system, in that they can provide persistent and homogeneous protection of information even when it is disseminated throughout a distributed healthcare system. However, they additionally identify a number of points on which existing digital rights management systems (specifically, those originally designed for managing the distribution of sensitive documents within corporate enterprises) do not meet these needs, including: the parties that access and manipulate documents may come from many different domains and it is difficult to predict in advance who these parties might be; the ownership of data is not clearly defined, as it is shared between healthcare workers and patients; access rights are highly context-dependent and are difficult to determine automatically (for example, is a request an emergency?); small fragments of records (and not just whole documents, as is usually the case in intellectual property protection) may be critical; the membership of roles can change very quickly; healthcare data may be used for research purposes in an anonymised form; and healthcare data is prone to numerous inference channels. In the present document, we describe one possible implementation of a secure electronic healthcare infrastructure modelled on the digital rights management approach to privacy protection [26, 47] and workflow-based access control [2, 24, 45].

Our proposal attempts to address several of the points identified by Petković et al., as well as other issues identified by our own research. While many of the features of the proposed system could also be provided by an access control system and/or electronic consent system such as those proposed in earlier work, the proposed system additionally allows for persistent protection of information throughout the global electronic healthcare record infrastructure, local healthcare facilities and mobile healthcare workers; highly expressive consent directives that can be enforced in an automated fashion; and information flows that cross organisational boundaries. Anonymisation and inference channels may additionally be addressed by other work in the iCore Information Security Lab. In addition to our general application of digital rights management in a healthcare context, we introduce some new techniques with wider applications in digital rights management and access control, including the use of workflow information to provide fine control over the purposes for which rights-managed data is used; and the ability to transfer the execution of a task from one device to another (known as session mobility [46]) within the confines of a digital rights management system.

Item (Open Access): A Workflow Reference Monitor for Enforcing Purpose-Based Policies (2013-09-25)
Authors: Jafari, Mohammad; Denzinger, Joerg; Safavi-Naini, Reihaneh; Barker, Ken

Purpose is a key concept in privacy policies. Based on the purpose framework developed in our earlier work [11], we present an access control model for a workflow-based information system in which a workflow reference monitor (WfRM) enforces purpose-based policies. We use a generic access control policy language and show how it can be connected to the purpose modal logic language (PML) to link purpose constraints to access control rules, and how such policies can be enforced.

We also present a simple implementation of such a reference monitor based on extending the eXtensible Access Control Markup Language (XACML), a commonly used access control open standard.