Accountability and AIR Policy Language

Lalana Kagal

Oshani Seneviratne

13 May 2008

Decentralized Information Group
MIT Computer Science and Artificial Intelligence Laboratory

Protection Strategies for Open Information Systems

Excesses and abuses in the use of information are most commonly considered problems of information security
Access control is simply not enough
Privacy preserving strategies vulnerable
Our solution: Providing accountability by checking policy compliance and identifying violations

Information Accountability

When information has been used, it should to possible to determine what happened, and to pinpoint use that is inappropriate
Rules and law should govern how information is used: "It is illegal to consider health status of applicant or her family in hiring decisions"
Interactions with data are logged in order to provide possibility of machine-assisted human-driven accountability

Information Accountability

Audit logging
Policy specification language
- describe rules governing appropriate use
Accountability reasoning tools

The Web today

The Web with Information Accountability Mechanisms


	Policy Aware Transaction Logs Policy Language Framework (AIR - Accountability In RDF) Policy Reasoning Tools

AIR Policy Language

rule-based policy language for accountability and access control
automatic explanations for policy decisions through dependency tracking
customizable explanations, if required
more efficient and expressive reasoning through the use of goal direction
grounded in Semantic Web technologies for greater interoperability, reusability, and extensibility

Importance of Explanations

Explanations for policy decisions allow users to understand how the results were obtained
Increase trust in the policy reasoning and enforcement process
Used by policy administrators to confirm the correctness of the policy and to check that the result is as expected
In the case of failed queries, they can be used to figure out what additional information is required for success
Dependency tracking during reasoning process provides integrated justification support

DenyServiceEvent is not compatible with MA Disability Discrimination Law
Denial of service based on health information

Dependency Tracking

specific set of premises from which any conclusion/policy decision was derived is an effective explanation for the conclusion
these premises are called the set of dependencies and dependency tracking is the process of maintaining dependency sets for derived conclusions
We use Truth Maintenance System (TMS) for tracking dependencies of conclusions
- keeps track of the logical structure of a derivation
- has ability to assume and retract hypothetical premises
Explanations are automatically generated by extracting and presenting relevant information from dependencies

AIR specifications

Each AIR policy consists of one or more rules
policy = { rule }
A rule is made up of a pattern that when matched causes an action to be fired. Optional: description, justification
rule = { pattern, action [ description justification ]}
An action can either be an assertion, which is a set of facts that are added to the knowledge base or a nested rule
action = { assertion | rule }

     :MyFirstPolicy a air:Policy;
	 air:rule [
	     air:pattern { ... };
	     air:assertion { ... };
	     air:rule [ ... ]
	 ].

Simple AIR Example

All DIG members are allowed to view resources owned by the DIG group

:DIGPolicy a air:Policy;
  air:rule :DAP-1.

:DAP-1 a air:BeliefRule;
   rdfs:label "DIG Rule #1";
   air:variable :REQ, :REQUESTER, :RESOURCE, :MEMBER, :MEMBERLIST;
   air:pattern {
       :REQ a air:Request;
       foaf:openid :REQUESTER;
       air:resource :RESOURCE.
       :DIG data:owns :RESOURCE.
    };
  air:description (:REQ " is a request made by a requester with openid, " :REQUESTER ", for DIG resource " :RESOURCE);
  air:rule :DAP-2.

:DAP-2 a air:BeliefRule;
   rdfs:label "DIG Rule #2";
   air:pattern {
       :DIG foaf:member :MEMBERLIST.
       :MEMBER list:in :MEMBERLIST.
       :MEMBER a foaf:Person;
       foaf:openid :REQUESTER.
    };
    air:description ("The requester with openid, " :REQUESTER ", is a DIG member");
    air:assert{ :REQ air:compliant-with :DIGPolicy }.

Automatic Justification

Overriding Automatic Justification

:SomeOtherRule a air:BeliefRule;
    air:variable :REQ, :G1;
    air:matched-graph :G1;
    air:pattern { :REQ a air:Request; };
    air:rule :DAP-1.

:DAP-1 a air:BeliefRule; 
  ...
    air:rule :DAP-2.

:DAP-2 a air:BeliefRule;
   rdfs:label "DIG Rule #2";
   air:pattern {
       :DIG foaf:member :MEMBERLIST.
       :MEMBER list:in :MEMBERLIST.
       :MEMBER a foaf:Person;
       foaf:openid :REQUESTER.
    };
    air:description ("The request is valid");
    air:assertion [
         air:statement {  :REQ air:compliant-with :DIGPolicy };
         air:justification [
           air:rule-id :SomeOtherRule;
           air:antecedent :G1
         ]
    ].

Overriding Automatic Justification

How AIR fits into our accountability framework

Accountability allows violators of applicable privacy policies to be identified and held accountable
Privacy usage restrictions and resource access control policies are specified in AIR
User's actions within the framework are captured and annotated transaction logs are maintained
Policy compliance over transaction logs can be checked using the AIR reasoner

Demo Scenario

In order to prevent an epidemic, CDC contacts everyone whom an unconscious tubercolsis patient could have been in contact with
- people he works with, his choir, the members of his scout troop, people he has called, who have called him
CDC gets his phone records from XPhone
Sometime later Bob Same has phone troubles and calls XPhone to schedule an appt
The customer service operator sees that CDC had obtained his records and infers that he must have some contagious disease
So she refuses to schedule a repairman

MA Disability Discrimination Law

No otherwise qualified handicapped individual shall, solely by reason of his handicap, be excluded from participation in, be denied the benefits of, or be subject to discrimination under any program or activity within the Commonwealth

More info: http://www.mass.gov/legis/const.htm#cart114.htm

:MA_Disability_Discrimination_Policy a air:Policy;
   air:variable :EVENT, :REQUESTER, :ACTOR, :REASON, :REQUEST, :INSTRUCTION;
   air:rule [
       air:pattern {
          :EVENT a tami:RefuseRequest;
              tami:reply-to :REQUEST;
              tami:receiver :REQUESTER;
              tami:reason :REASON.
       };
       air:rule [
           air:pattern {
                :REQUEST tami:instruction :INSTRUCTION;
                                    a tami:Request.
                 :INSTRUCTION tami:intended_beneficiary :REQUESTER;
                                    a tami:BenefitInstruction.
                 :REQUESTER tami:location tami:MA.
           };
           air:rule [
               air:pattern { :EVENT a tami:RefuseRequest;
                                tami:reason :REASON.
                             :REASON tami:category tami:HealthInformation };
               air:assert { :EVENT air:non-compliant-with :MA_Disability_Discrimination_Policy }
           ]
      ];
   ].

AIR Demo

Install Tabulator Extension: http://dig.csail.mit.edu/2007/tab/
Remote
- Call reasoner on web server with remote log and policy
- Invoking reasoner:
```
http://mr-burns.w3.org/cgi-bin/server_cgi.py?logFile="name of log file"&rulesFile="name of policy file"
```
- View justification: JustificationUI
Local
- execute python reasoner on commandline with local log and policy
- load output generated in firefox extension (load)

AIR Demo Screenshot - Log

AIR Demo Screenshot - Policy

AIR Demo Screenshot (Regular View)

AIR Demo Screenshot (Lawyer View)

AIR Contributions

automated explanations for policy decisions
more efficient and expressive reasoning
extraction of relevant explanation for policy decision
presenting explanations in Justification UI

More Information

AIR specifications: http://dig.csail.mit.edu/TAMI/2007/AIR/
AIR ontology: http://dig.csail.mit.edu/TAMI/2007/amord/air.ttl
IEEE Policy Paper on AIR : Using Dependency Tracking to Provide Explanations for Policy Management
TAMI/E2ESA: http://dig.csail.mit.edu/TAMI/
Details of scenario: http://dig.csail.mit.edu/TAMI/2007/s9/
How to use the Justification UI http://dig.csail.mit.edu/TAMI/2008/JustificationUI/howto.html