
Privacy and Contextual Integrity: Framework and Applications






Presentation Transcript


  1. Privacy and Contextual Integrity: Framework and Applications
     Adam Barth, Anupam Datta, John C. Mitchell (Stanford)
     Helen Nissenbaum (NYU)

  2. Privacy in Health Care
     (diagram of information flows among: Doctor, Specialist, Electronic Health Record, Patient Portal, HIPAA Compliance, Insurer, Patient)

  3. Broad Goal
     • Protect privacy
       • Can a banker tell a marketer a customer’s address?
     • Express policy precisely
       • Enterprise privacy policies
       • Privacy provisions from legislation
     • Analyze privacy policies
       • Action complies with policy?
       • Policy enforces law?

  4. Approach
     • Privacy model
       • Agents communicating about each other
     • Logic over model
       • Linear temporal logic
       • Policies as logical formulas
       • Control expressive power
     • Apply logical tools
       • Leverage LTL research

  5. Contextual Integrity
     • Philosophical account of privacy
       • Transfer of personal information
       • Describes what people care about
     • Flow governed by norms
       • Agents act in roles in social contexts
       • Rejects public/private dichotomy
     • Principles of transmission
       • Confidentiality, reciprocity, desert, etc.

  6. Privacy Model for CI
     (diagram: Alice, Bob, and the message “Charlie’s SSN is 078-05-1120”)
     • Restrict messages
       • Messages about subjects
     • Judgments over traces
       • Past and future relevant
     • Agents reason about attributes

  7. Access Control vs. Privacy
     Access control:
       • Subject (= actor)
       • Object
       • Action
       • Stateless (except Chinese wall)
       • Discrete elements
     Privacy policies:
       • Sender
       • Recipient
       • Subject (of message)
       • Attribute
       • Transmission principle
       • Temporal: past (opt-in / opt-out), future (notification)
       • Structured attributes

  8. Syntax
     • Grammar for logic
        ::= send(p1, p2, m)      p1 sends p2 message m
         | contains(m, q, t)     m contains attrib t about q
         | inrole(p, r)          p is active in role r
         | incontext(p, c)       p is active in context c
         | t  t’                 Attrib t is part of attrib t’
         |    |  | x:.           Classical operators
         | U | S | O             Temporal operators
     • Policies use a restricted class of formulas

  9. CI Norms and Policies
     • Policy consists of norms
         (+) inrole(p1, r1)  inrole(p2, r2)  inrole(q, r)  tt’    
         () inrole(p1, r1)  inrole(p2, r2)  inrole(q, r)  tt’    
     •  is an agent constraint
     •  is a temporal condition
     • Norms assembled into policy formula
         p1,p2,q:P.m:M.t:T.incontext(p1, c)  send(p1, p2, m)  contains(m, q, t)   { + | +  norms+(c) }   {  |   norms(c) }

  10. Gramm-Leach-Bliley Example
      Financial institutions must notify consumers if they share their non-public personal information with non-affiliated companies, but the notification may occur either before or after the information sharing occurs
      (annotations on the sentence: Sender role, Attribute, Subject role, Transmission principle, Recipient role)

  11. Expressiveness of CI
      • Evaluated on privacy laws
        • HIPAA, GLBA, and COPPA
      • Captured most privacy provisions
        • Missed de-identified health info in HIPAA
      • Laws used most features
        • Roughly as expressive as required

  12. Structure of Attributes
      (diagram of attribute trees: Health Information over Psychotherapy Notes and Test Results; Date of Birth over Age and Zodiac Sign)
      Health care providers can tell patients their health information
      (annotations: Sender role, Recipient role, Subject role, Attribute)
      Health care providers can tell patients their psychotherapy notes only if a psychiatrist has approved

  13. Extensional vs. Intentional
      • Extensional semantics
        • Equates policies with judgments
        • Ignores why judgments reached
      • Intentional semantics
        • Policies as list of rules
        • Reason for judgment preserved
      • Extensional combination tricky
        • Attribute inheritance

  14. Difficulties in Combination
      (diagram: attribute trees of Date of Birth over Age and Zodiac Sign, combined under AND and OR; residual labels “Age = Date of Birth” and “Age =”)

  15. Refinement and Combination
      • Policy refinement
        • Basic policy relation
        • Does hospital policy enforce HIPAA?
        • P1 refines P2 if P1 P2
        • Requires careful handling of attribute inheritance
      • Combination becomes logical conjunction
        • Defined in terms of refinement

  16. Compliance
      (diagram: Contemplated Action, Judgment, Policy, Future Reqs, History)
      • Strong compliance
        • Future requirements after action can be met
        • PSPACE
      • Weak compliance
        • Present requirements met by action
        • Polynomial time
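As an added illustration, not code from the slides or from the authors, of the norm shape on slide 9, the attribute inheritance on slide 12 and the weak-compliance judgment on slide 16, this Python sketch checks a contemplated send against positive and negative norms over a history trace. The agent names, the encoding of “a psychiatrist has approved” as a history event, and the simplification of the past-time operator to “occurred somewhere in the history” are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple, Set, Tuple
# Constructed attribute hierarchy from slide 12: a child attribute is part of its
# parent, so a norm about health_information also covers its sub-attributes.
PART_OF = {"psychotherapy_notes": "health_information",
           "test_results": "health_information"}
def part_of(t: str, t2: str) -> bool:  # attribute inheritance: t is part of t2
    while t != t2:
        if t not in PART_OF:
            return False
        t = PART_OF[t]
    return True

# send(p1, p2, m) together with contains(m, q, t): sender, recipient, subject, attribute
Send = NamedTuple("Send", [("sender", str), ("recipient", str), ("subject", str), ("attribute", str)])
@dataclass(frozen=True)
class Norm:  # (+) permits a matching flow, (-) constrains one
    positive: bool
    roles: Tuple[str, str, str]  # required sender, recipient and subject roles
    attribute: str
    cond: Callable[[list, Send], bool] = lambda h, m: True  # agent constraint / past condition

def matches(n: Norm, roles: Dict[str, Set[str]], m: Send) -> bool:
    """Role constraints on (p1, p2, q) plus attribute inheritance (t part of norm's t')."""
    agents = (m.sender, m.recipient, m.subject)
    return (all(r in roles.get(a, set()) for a, r in zip(agents, n.roles))
            and part_of(m.attribute, n.attribute))

def weakly_complies(norms: List[Norm], roles, history: list, m: Send) -> bool:
    """Weak compliance: some positive norm permits the flow and every matching
    negative norm's condition already holds on the past trace and the agents."""
    permitted = any(matches(n, roles, m) and n.cond(history, m) for n in norms if n.positive)
    constrained = all(n.cond(history, m) for n in norms if not n.positive and matches(n, roles, m))
    return permitted and constrained
# Constructed health-care context encoding the two slide-12 norms; history events
# are constructed tuples such as ("psychiatrist_approved", "charlie").
ROLES = {"dr_smith": {"provider"}, "charlie": {"patient"}, "dana": {"patient"}}
NORMS = [
    # (+) providers may tell patients their own health information (agent constraint q = p2)
    Norm(True, ("provider", "patient", "patient"), "health_information",
         lambda h, m: m.subject == m.recipient),
    # (-) psychotherapy notes only once a psychiatrist has approved (past condition)
    Norm(False, ("provider", "patient", "patient"), "psychotherapy_notes",
         lambda h, m: ("psychiatrist_approved", m.subject) in h),
]
def judge(history: list) -> Dict[str, bool]:  # judgments for three contemplated sends
    sends = {"own_notes": Send("dr_smith", "charlie", "charlie", "psychotherapy_notes"),
             "own_results": Send("dr_smith", "charlie", "charlie", "test_results"),
             "other_results": Send("dr_smith", "charlie", "dana", "test_results")}
    return {k: weakly_complies(NORMS, ROLES, history, s) for k, s in sends.items()}
```

With an empty history the notes flow is refused by the negative norm while test results (inheriting the positive health-information norm) pass; adding the approval event to the history flips the notes judgment.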

  17. Related Languages
      • Legend:  unsupported, o partially supported,  fully supported
      • CI fully supports attributes and combination

  18. Conclusions
      • Privacy about agents communicating
        • Different model than access control
        • Sender, recipient, subject, attribute, transmission principle
        • Past and future important
      • CI: A language for privacy policies
        • Based on linear temporal logic
        • Expresses most privacy laws
        • Combination and compliance tractable

  19. Questions?
