DOI: 10.1145/3331076.3331105
Research article (Public Access)

Formal specification and verification of user-centric privacy policies for ubiquitous systems

Published: 10 June 2019

Abstract

As our society has become more information oriented, each individual is expressed, defined, and impacted by information and information technology. While valuable, most current state-of-the-art approaches are designed to protect enterprise or organizational privacy requirements and leave the main actor, i.e., the user, uninvolved or with only limited control over his/her information sharing practices. To overcome these limitations, algorithms and tools that provide a user-centric privacy management system to individuals with different privacy concerns must take into consideration the dynamic nature of privacy policies, which constantly change with the information sharing context and environmental variables. This paper extends the concept of contextual integrity to provide mathematical models and algorithms that enable the creation and management of privacy norms for individual users. The extension adds environmental variables, such as time and date, to the privacy norms, and introduces an abstraction and a partial relation over information attributes. Further, a formal verification technique is proposed to ensure that privacy norms are enforced for each information sharing action.
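To make the abstract's ingredients concrete, here is an added illustration (not the paper's own model or code) of a user-centric norm checker in the contextual-integrity style: norms carry a recipient role, an information attribute and a context, are extended with a time-of-day window as the environmental variable, and attributes are related by a partial order so that a norm on an abstract attribute covers the attributes that refine it. The norm structure, attribute names, the time-window rule and the deny-overrides decision are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import time

# Assumed partial order over attributes, stored as child -> parent:
# "heart_rate" is a refinement of "health", "gps" of "location".
ATTRIBUTE_PARENT = {"heart_rate": "health", "sleep": "health", "gps": "location"}


def refines(attr, target):
    """True if attr equals target or lies below it in the attribute order."""
    while attr is not None:
        if attr == target:
            return True
        attr = ATTRIBUTE_PARENT.get(attr)
    return False


@dataclass(frozen=True)
class Norm:
    allow: bool            # True = permitted flow, False = prohibited flow
    recipient_role: str    # who receives the information
    attribute: str         # which (possibly abstract) attribute
    context: str           # the sharing context the norm belongs to
    start: time = time(0, 0)          # environmental variable: time window
    end: time = time(23, 59, 59)

    def covers(self, action):
        return (action["recipient_role"] == self.recipient_role
                and refines(action["attribute"], self.attribute)
                and action["context"] == self.context
                and self.start <= action["time"] <= self.end)


def make_action(recipient_role, attribute, context, hour, minute=0):
    """Build one information-sharing action (a constructed sample input)."""
    return {"recipient_role": recipient_role, "attribute": attribute,
            "context": context, "time": time(hour, minute)}


def check_action(norms, action):
    """Permit only if an allow norm covers the action and no deny norm does.
    Deny-overrides keeps an explicit user restriction effective even when a
    broader allow norm also matches (assumed policy for this example)."""
    applicable = [n for n in norms if n.covers(action)]
    if any(not n.allow for n in applicable):
        return False
    return any(n.allow for n in applicable)


# Constructed norms for one user: health data may go to the doctor in a medical
# context during working hours; location data never goes to an advertiser.
USER_NORMS = [
    Norm(True, "doctor", "health", "medical", time(8, 0), time(18, 0)),
    Norm(False, "advertiser", "location", "commercial"),
]
```

Run `check_action(USER_NORMS, make_action("doctor", "heart_rate", "medical", 10, 30))` to see a compliant flow; the same request at 20:00 falls outside the window and is rejected.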


Published In

IDEAS '19: Proceedings of the 23rd International Database Applications & Engineering Symposium, June 2019, 364 pages. ISBN: 9781450362498. DOI: 10.1145/3331076

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. formal methods
  2. privacy
  3. user-centric policies

Conference

IDEAS 2019

Acceptance Rates

Overall Acceptance Rate 74 of 210 submissions, 35%

Cited By

  • Modeling of Personalized Privacy Disclosure Behavior: A Formal Method Approach. Proceedings of the 16th International Conference on Availability, Reliability and Security (2021), 1-13. DOI: 10.1145/3465481.3470102. Online publication date: 17 Aug 2021.
  • Privacy as a Planned Behavior: Effects of Situational Factors on Privacy Perceptions and Plans. Proceedings of the 29th ACM Conference on User Modeling, Adaptation and Personalization (2021), 169-178. DOI: 10.1145/3450613.3456829. Online publication date: 21 Jun 2021.
  • SDTIOA: Modeling the Timed Privacy Requirements of IoT Service Composition: A User Interaction Perspective for Automatic Transformation from BPEL to Timed Automata. Mobile Networks and Applications (2021). DOI: 10.1007/s11036-021-01846-x. Online publication date: 10 Nov 2021.
  • JavaSMT 3: Interacting with SMT Solvers in Java. Computer Aided Verification (2021), 195-208. DOI: 10.1007/978-3-030-81688-9_9. Online publication date: 15 Jul 2021.
  • Trust in Robots: Challenges and Opportunities. Current Robotics Reports (2020). DOI: 10.1007/s43154-020-00029-y. Online publication date: 3 Sep 2020.
