Data-Purpose Algebra: Modeling Data Usage Policies

Lalana Kagal




Decentralized Information Group
MIT Computer Science and Artificial Intelligence Laboratory

Overview

• Privacy protection in large scale decentralized systems
• Privacy policies
  • Not just about preventing access to certain information
  • Also regulates what you can do with the information - statistical analysis, research, civil case, criminal investigations, etc.
• Must take usage restrictions into consideration while reasoning about privacy
• Possible Enforcement Mechanisms
  • Specific tools that enforce usage restrictions E.g. Provenance Aware Documents: http://dig.csail.mit.edu/TAMI/harveyj/provenance-final/thesis-presentation.html
  • Reason over annotated transaction logs and audit trails to check if any violations occured

Our Approach

• Open systems
  • information about individuals is easily obtained - web, public records, etc.
  • difficult to prevent information leakage
  • tools can be bypassed
• Facilitate compliance of usage policies by reasoning over audit trails
• Aimed at environments where audit trails are usually stored such as government organizations and scientific analysis

TAMI: Transparent Accountable Datamining Initiative

Case Study: Privacy Act(5 USC § 552a) Part of the Privacy Act "Data collected about US citizens can be used only for the purposes for which it was collected"

What is Data Purpose Algebra (DPA) ?

• A model for realizing privacy policies in terms of allowable uses of information
• Subclass of privacy policies that restrict how data can be used in terms of the path by which the data was obtained
  • Examples: Privacy Act, digital rights management

Data Purpose Algebra

What does DPA do ?

• Describes the ways that the use of data may be restricted
• Describes how restrictions are transformed as data is processed and passed from one agent to another

How does it work?

• Restrictions over how and what data can be mined, used, and shared
• Data can be sent from one entity to another. The use of this data is further restricted by sender
• Restrictions on the uses of data can be formulated as algebraic expressions
• Expressions describe how restrictions can be computed from provenance (history) of data

Unary Process

Agent: a' Data item: i Content: Qd(i) Category: Kd(i) Source: Ad(i) Purpose/Use: Pd(i) New purpose/use: function of (Pd(i), Ad(i), a', Kd(i)) Possible to have other attributes of data

Binary Process

Agent: a'' Two data item: i and j Content: Qd(i) and Qd(j) Category: Kd(i) and Kd(j) Purpose/Use: Pd(i) and Pd(j) New purpose/use: function of (Pd(i), Pd(j), Ad(i), Ad(j), a'', Kd(i), Kd(j))

Example Formalization: Privacy Act

• "Data collected about US citizens can be used only for the purposes for which it was collected"
• When an agency collects information (stored in Systems of Records (SOR)) about US citizens, the agency must provide a System of Records Notice (SORN)
• SORN describes what kind of information was collected, for what purpose, what it can be used for

Modeling the Privacy Act

• SOR: r
• Its SORN: n
• Sources: Where the data was obtained from (O_s(n))
• Data categories: Type of data (K_s(n))
• Purposes: What the data was collected for (P_s(n))
• Routine uses: What the data can be used for (U(n))
• Recipients: Who the data can be sent to (O_R(n))
• Category of data: Type of data (K_R(n))
• Purposes: What the data can be used for (P_R(n))

Modeling the Privacy Act (cont)

When information is put into a SOR (collected), or moved from one SOR to another (shared), its uses can be computed as

Purposes of data item in SOR Applicable Routine uses

Authorized purposes New authorized purposes New data item

Implementation Details

DPA: Scheme SORs, SORNs: RDF Transaction data/Audit trail: RDF

Background & Future Work

Related Work

• P3P, APPEL, XPREF
• EPAL
• XACML, KAoS, Rei
• ContextBroker, Semantic eWallet

Future Work

• Conflicting usage restrictions
• Issues related to combining anonymized data
• Modeling privacy policies that are not dependent on the path by which information is obtained

Summary

Summary

• Algebraic approach for modeling allowable uses of information
• Suitable when restrictions on data use are determined by path by which information is obtained
• Not suitable when usage restrictions are independent of path - time or content dependent

More information

• This presentation : http://dig.csail.mit.edu/2007/Talks/0615-IEEEPolicy-lk/
• Privacy act: http://www.usdoj.gov/oip/04 7 1.html
• TAMI: http://dig.csail.mit.edu/TAMI
• Policy Aware Web : http://policyawareweb.org