Rei+ : Specifying Privacy Policies

Lalana Kagal

July 2007



Decentralized Information Group
MIT Computer Science and Artificial Intelligence Laboratory

Rei+ Policy Language

What is Rei+ ?

• Rei+ is a policy specification language
• Used to model and reason over privacy policies
  • Privacy Act (5 USC § 552a)
  • Health Insurance Portability and Accountability Act (HIPAA)

What do we mean by policy ?

• An explicit representation of social and legal norms of behavior
• Usually restrict actions and data access
• Obligations cause users to behave in a certain way

Privacy Policies

What are privacy policies ?

• Used to protect personal information such as medical, financial data
• Deals with
  • Preventing access to certain information
  • Under what circumstances will private information be accessed, used, and disseminated
  • And for what purpose will the data be used - statistical analysis, research, civil case, criminal investigations, etc.

Some Examples

• Privacy Act (5 USC § 552a)
  • Data collected about US citizens can be used only for the purposes for which it was collected
• Telephone company's privacy policy
  • XPhone permits customers to control how and when their personal information is released except when required by law or when served by a legal process or to protect the health and safety of customers, employees, or property
• HIPAA 45 CFR 164.508
  • A covered entity may not disclose or use protected health information without the authorization of the person who is the subject of the information or the person's representative

Enforcing Privacy Policies

Two approaches

• Specific tools that enforce access control and use restrictions E.g. Provenance Aware Documents: http://dig.csail.mit.edu/TAMI/harveyj/provenance-final/thesis-presentation.html
• Reason over annotated transaction logs and audit trails to check if any violations occured

Enforcement in open systems

• Characteristics of open systems
  • information about individuals is easily obtained - web, public records, etc.
  • difficult to prevent information leakage
  • tools can be bypassed
• Facilitate compliance of privacy policies by reasoning over audit trails
• Aimed at environments where audit trails are usually stored such as government organizations and scientific analysis

Rei+ Policy Language

Rei+ overview

• It is a declarative policy language that uses Semantic Web technologies
  • interoperability
  • re-usability
  • extensibility
• Based on deontic concepts of permission, obligation, prohibition, and dispensation
  • Deontic logic is type of modal logic that is concerned with permissions and obligations
  • Modal logics deal with uses modals to qualify the truth of decision
  • Uses techniques such as meta policies to handle paradoxes

Rei+ Specifications (N3)

Policy attributes

• defaultBehavior: this defines whether everything allowed/prohibited is specified or assumed

  	 E.g. Everything that is not explicitly permitted is prohibited
  	 
  	 APrivacyPolicy policy:defaultBehavior metapolicy:ExplicitPermImplicitProh.
         

• defaultModality: specifies the modality (positive or negative) that holds precedence in case of conflict.

  	 E.g. In case of conflict, rules of negative modality (Prohibitions and
  	 Dispensations) have priority over rules of positive modality (Permissions and Obligations)
  	 
  	 VPrivacyPolicy policy:defaultModality metapolicy:NegativeModalityPrecedence
         

• rulePriority/policyPriority: is used to set priorities between potentially conflicting rules/policies

Rei+ Specifications

Deontic Rule: is used to create permissions, prohibitions, obligations and dispensations that govern the behavior of entities in the policy domain

• actor
• action
• sanction: models consequences of violating the policy
• future-use: describe a permission that will be true after the policy is exercised

Current Scenario

Unknown person collapses and is rushed to the hospital Person, John Doe, is diagnosed with drug resistant tubercolosis John Doe is unconscious so officer checks his wallet to identity him In order to prevent an epidemic, CDC contacts everyone whom the patient could have been in contact with - including people he works with, his choir, the members of his troop CDC gets his phone records from XPhone Sometime later John Doe has phone troubles and calls XPhone to schedule an appt The customer service operator sees that CDC had obtained his records and infers that he must have some contagious disease So she refuses to schedule a repairman

Modeling Privacy Policies

• XPhone's Privacy Policy: XPhone permits customers to control how and when their personal information is released except when required by law, when served with valid legal process, or to protect the health and safety of customers, employees, or property
• Privacy Act: You can only use data in a System of Records (SOR) if you're using it for the purpose for which it was collected

XPhone's Privacy Policy

XPhone permits customers to control how and when their personal information is released except when required by law, when served with valid legal process, or to protect the health and safety of customers, employees, or property.

XPhonePolicy1 a rei:Policy;
    rei:event { ?C a Customer.
                ?RE a ReleaseEvent;
                      source ?S;
                      destination ?D;
                      data [ a DataItem; ownedBy ?C ]
               };
    rei:condition [ rei:constraint { ?RE isrequiredby gov:Law  };
                    rei:result { ?S rei:permitted ?RE } ];
    rei:condition [ rei:constraint { ?RE governedBy [ a gov:Subpoena ] };
                    rei:result { ?S rei:permitted ?RE } ];
    rei:condition [ rei:constraint { ?C rei:delegated { ?S rei:permitted ?RE } };
                    rei:result { ?S rei:permitted ?RE } ].


   

Part of the Privacy Act

You can only use data in a System of Records (SOR) if you're using it for the purpose for which it was collected

PrivacyPolicy1 a rei:Policy;
    rei:event { ?AE a AccessEvent;
                      requester ?R;
                      data ?D.
                      ?D gov:sor ?SOR.
                      ?SOR gov:sorn ?SORN.
               }
    rei:condition [ rei:constraint { ?R a gov:GovEmployee }; 
                    rei:result { ?R rei:permitted ?AE }; 
                    rei:future-use { ?SOR purpose ?PURPOSE. 
                                ?R responsibility ?RESP.
                                ?PURPOSE a ?RESP } ].

   

Role of Rei+

More Information

• TAMI/E2ESA: http://dig.csail.mit.edu/TAMI/
• Scenario: http://dig.csail.mit.edu/TAMI/2007/s9/
• Rei: http://cs.umbc.edu/~lkagal1/rei/
• Rein: http://dig.csail.mit.edu/2006/06/rein/
• N3: http://www.w3.org/DesignIssues/Notation3.html