Modelling and Enforcing Purpose in Privacy Policies

Date
2013-09-06
Abstract
Privacy concerns are among the most significant side effects of advances in computer and networking technologies. Expressing and enforcing privacy policies is necessary to ensure that the processing of personal information in these systems does not violate the privacy of individuals. Privacy laws and regulations, as well as the various privacy policy languages and privacy-preserving systems, agree that the purpose of use plays a key role in privacy policies and is an important factor in controlling access to personal data. In the current literature on privacy, however, purposes have been treated mostly as opaque labels with little or no semantics. The resulting ambiguities have left purposes open to malicious or inadvertent misinterpretation, and enforcing purpose-based policies has consequently remained a challenge. This research addresses these problems. We develop a framework that defines purposes formally and provides a formal language for expressing purpose constraints, together with a method for evaluating those constraints in the context of a workflow. The semantics of this language are defined over an abstract model of business workflows. We show how purpose constraints can be linked to access control rules to form purpose-based policies, and we develop an enforcement mechanism in the form of a workflow reference monitor that ensures compliance with such policies. We also show how a simple form of such a reference monitor can be implemented using XACML, a widely adopted open standard for access control in industry.
Keywords
Computer Science
Citation
Jafari, M. (2013). Modelling and Enforcing Purpose in Privacy Policies (Doctoral thesis, University of Calgary, Calgary, Canada). Retrieved from https://prism.ucalgary.ca. doi:10.11575/PRISM/26953