Rei+ : Specifying Privacy Policies

Lalana Kagal

July 2007

Decentralized Information Group
MIT Computer Science and Artificial Intelligence Laboratory

Rei+ Policy Language

What is Rei+?

What do we mean by policy?

Privacy Policies

What are privacy policies?

Some Examples

Enforcing Privacy Policies

Two approaches

Enforcement in open systems


Rei+ Policy Language

Rei+ overview

Rei+ Specifications (N3)

Policy attributes

Rei+ Specifications

Deontic Rule: used to create permissions, prohibitions, obligations and dispensations that govern the behavior of entities in the policy domain

Current Scenario

  • An unknown person collapses and is rushed to the hospital
  • The person, John Doe, is diagnosed with drug-resistant tuberculosis
  • John Doe is unconscious, so an officer checks his wallet to identify him
  • In order to prevent an epidemic, the CDC contacts everyone the patient could have been in contact with, including the people he works with, his choir, and the members of his troop
  • The CDC gets his phone records from XPhone
  • Some time later John Doe has phone trouble and calls XPhone to schedule an appointment
  • The customer service operator sees that the CDC had obtained his records and infers that he must have some contagious disease
  • So she refuses to schedule a repairman
Scenario 9

Modeling Privacy Policies

XPhone's Privacy Policy

XPhone permits customers to control how and when their personal information is released except when required by law, when served with valid legal process, or to protect the health and safety of customers, employees, or property.

XPhonePolicy1 a rei:Policy;
    rei:event { ?C a Customer.
                ?RE a ReleaseEvent;
                      source ?S;
                      destination ?D;
                      data [ a DataItem; ownedBy ?C ] };
    rei:condition [ rei:constraint { ?RE isrequiredby gov:Law };
                    rei:result { ?S rei:permitted ?RE } ];
    rei:condition [ rei:constraint { ?RE governedBy [ a gov:Subpoena ] };
                    rei:result { ?S rei:permitted ?RE } ];
    rei:condition [ rei:constraint { ?C rei:delegated { ?S rei:permitted ?RE } };
                    rei:result { ?S rei:permitted ?RE } ].


Part of the Privacy Act

You can only use data in a System of Records (SOR) if you're using it for the purpose for which it was collected

PrivacyPolicy1 a rei:Policy;
    rei:event { ?AE a AccessEvent;
                      requester ?R;
                      data ?D.
                      ?D gov:sor ?SOR.
                      ?SOR gov:sorn ?SORN };
    rei:condition [ rei:constraint { ?R a gov:GovEmployee };
                    rei:result { ?R rei:permitted ?AE }; 
                    rei:future-use { ?SOR purpose ?PURPOSE. 
                                ?R responsibility ?RESP.
                                ?PURPOSE a ?RESP } ].
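To make the event / constraint / result / future-use structure of XPhonePolicy1 and PrivacyPolicy1 concrete, here is a toy evaluator added for this page. It is not the Rei+ engine (which reasons over the N3 itself) and not TAMI code: the tuple encoding of triples, the quoted-formula handling for rei:delegated, the future_use_holds audit, and every individual (JohnDoe, rec1, re1..re3, AdCo, RepairCo, alice, bob, file7, sorA, DiseaseSurveillance, PublicHealthDuty) are assumptions constructed for the demo. The two policies themselves are transcribed from the slides above.

```python
"""Toy evaluator for the two Rei+-style policies on this page.  Added example,
not the Rei+ engine (which reasons over the N3 directly).  Triples are
(subject, predicate, object) tuples; a string starting with '?' is a variable;
an object may be a tuple of triples, i.e. a quoted formula like { ?S rei:permitted ?RE }."""


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def subst(t, b):
    """Apply bindings b to a term, descending into quoted formulas."""
    if is_var(t):
        return b.get(t, t)
    if isinstance(t, tuple):
        return tuple(tuple(subst(x, b) for x in tr) for tr in t)
    return t


def unify(pat, val, b):
    """Extend bindings b so pattern term pat equals fact term val; None if impossible."""
    pat = subst(pat, b)
    if is_var(pat):
        return {**b, pat: val}
    if isinstance(pat, tuple):  # quoted formula: unify term by term over its triples
        if not isinstance(val, tuple) or len(pat) != len(val):
            return None
        for p, v in zip(sum(pat, ()), sum(val, ())):
            b = unify(p, v, b)
            if b is None:
                return None
        return b
    return b if pat == val else None


def match(patterns, facts, b):
    """Yield every binding under which all pattern triples occur in facts."""
    if not patterns:
        yield b
        return
    for fact in facts:
        nb = b
        for p, v in zip(patterns[0], fact):
            nb = unify(p, v, nb)
            if nb is None:
                break
        if nb is not None:
            yield from match(patterns[1:], facts, nb)


def evaluate(event, conditions, facts):
    """rei:event selects the governed events; each rei:condition whose rei:constraint
    holds adds its rei:result triples and records its rei:future-use obligation
    (unbound variables kept) so the later use of the data can be audited."""
    derived, obligations = [], []
    for b in match(event, facts, {}):
        for constraint, result, future_use in conditions:
            cb = next(match(constraint, facts, b), None)  # one witness suffices
            if cb is None:
                continue
            for tr in result:
                t = tuple(subst(x, cb) for x in tr)
                if t not in derived:
                    derived.append(t)
            if future_use:
                obligations.append([tuple(subst(x, cb) for x in tr) for tr in future_use])
    return derived, obligations


def future_use_holds(obligation, facts):
    """Audit a recorded rei:future-use obligation against the facts known later."""
    return next(match(obligation, facts, {}), None) is not None


# XPhonePolicy1 from the slide; constructed facts: three releases of John Doe's records.
XPHONE_EVENT = [("?C", "a", "Customer"), ("?RE", "a", "ReleaseEvent"), ("?RE", "source", "?S"),
                ("?RE", "destination", "?D"), ("?RE", "data", "?DI"), ("?DI", "a", "DataItem"),
                ("?DI", "ownedBy", "?C")]
PERMIT = [("?S", "rei:permitted", "?RE")]
XPHONE_CONDITIONS = [([("?RE", "isrequiredby", "gov:Law")], PERMIT, []),
                     ([("?RE", "governedBy", "?X"), ("?X", "a", "gov:Subpoena")], PERMIT, []),
                     ([("?C", "rei:delegated", (("?S", "rei:permitted", "?RE"),))], PERMIT, [])]
XPHONE_FACTS = [("JohnDoe", "a", "Customer"), ("rec1", "a", "DataItem"), ("rec1", "ownedBy", "JohnDoe"),
    ("re1", "a", "ReleaseEvent"), ("re1", "source", "XPhone"), ("re1", "destination", "CDC"),
    ("re1", "data", "rec1"), ("re1", "isrequiredby", "gov:Law"),  # release to the CDC required by law
    ("re2", "a", "ReleaseEvent"), ("re2", "source", "XPhone"), ("re2", "destination", "AdCo"),
    ("re2", "data", "rec1"),                                      # marketer: no legal basis, no consent
    ("re3", "a", "ReleaseEvent"), ("re3", "source", "XPhone"), ("re3", "destination", "RepairCo"),
    ("re3", "data", "rec1"), ("JohnDoe", "rei:delegated", (("XPhone", "rei:permitted", "re3"),))]

# PrivacyPolicy1 from the slide; constructed facts: alice is a government employee, bob is not.
PRIVACY_EVENT = [("?AE", "a", "AccessEvent"), ("?AE", "requester", "?R"), ("?AE", "data", "?D"),
                 ("?D", "gov:sor", "?SOR"), ("?SOR", "gov:sorn", "?SORN")]
PRIVACY_CONDITIONS = [([("?R", "a", "gov:GovEmployee")], [("?R", "rei:permitted", "?AE")],
                       [("?SOR", "purpose", "?PURPOSE"), ("?R", "responsibility", "?RESP"),
                        ("?PURPOSE", "a", "?RESP")])]
PRIVACY_FACTS = [("ae1", "a", "AccessEvent"), ("ae1", "requester", "alice"), ("ae1", "data", "file7"),
    ("file7", "gov:sor", "sorA"), ("sorA", "gov:sorn", "sornA"), ("alice", "a", "gov:GovEmployee"),
    ("ae2", "a", "AccessEvent"), ("ae2", "requester", "bob"), ("ae2", "data", "file7")]
LATER_FACTS = PRIVACY_FACTS + [("sorA", "purpose", "DiseaseSurveillance"),  # learned after the access
    ("alice", "responsibility", "PublicHealthDuty"), ("DiseaseSurveillance", "a", "PublicHealthDuty")]

if __name__ == "__main__":
    print("XPhone permits:", evaluate(XPHONE_EVENT, XPHONE_CONDITIONS, XPHONE_FACTS)[0])
    permitted, obligations = evaluate(PRIVACY_EVENT, PRIVACY_CONDITIONS, PRIVACY_FACTS)
    print("Privacy Act permits:", permitted)
    print("future-use obligation holds later:", future_use_holds(obligations[0], LATER_FACTS))
```

Running it derives `XPhone rei:permitted re1` (required by law) and `re3` (delegated by the customer) but nothing for `re2`, and permits only the government employee's access under PrivacyPolicy1. The future-use triples come back with `?PURPOSE` and `?RESP` still unbound: they are not a precondition but an obligation on how the data is used afterwards, which is why the evaluator hands them to `future_use_holds` for a later check rather than deciding them at access time.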


Role of Rei+

TAMI Architecture

More Information

Creative Commons License