
    Privacy Architectures: Reasoning About Data Minimisation and Integrity

    Privacy by design will become a legal obligation in the European Community if the Data Protection Regulation is eventually adopted. However, taking privacy requirements into account in the design of a system is a challenging task. We propose an approach based on the specification of privacy architectures and focus on a key aspect of privacy, data minimisation, and its tension with integrity requirements. We illustrate our formal framework through a smart metering case study. Comment: appears in STM - 10th International Workshop on Security and Trust Management 8743 (2014).

    Privacy in an Ambient World

    Privacy is a prime concern in today's information society. To protect the privacy of individuals, enterprises must follow certain privacy practices while collecting or processing personal data. In this chapter we look at the setting where an enterprise collects private data on its website, processes it inside the enterprise and shares it with partner enterprises. In particular, we analyse three different privacy systems that can be used in the different stages of this lifecycle. One of them is the Audit Logic, recently introduced, which can be used to keep data private when it travels across enterprise boundaries. We conclude with an analysis of the features and shortcomings of these systems.

    Privacy by Design: From Technologies to Architectures (Position Paper)

    Existing work on privacy by design mostly focuses on technologies rather than methodologies and on components rather than architectures. In this paper, we advocate the idea that privacy by design should also be addressed at the architectural level and be associated with suitable methodologies. Among other benefits, architectural descriptions enable a more systematic exploration of the design space. In addition, because privacy is intrinsically a complex notion that can be in tension with other requirements, we believe that formal methods should play a key role in this area. After presenting our position, we provide some hints on how our approach can be put into practice, based on ongoing work on a privacy by design environment.

    A service-oriented privacy model for smart home environments

    Smart home technology is an application of ubiquitous computing that equips living environments with different types of sensors, actuators, and appliances under computer control to improve the quality of life for inhabitants. Services such as health and behavior monitoring, personalized customization of home operation, control and automation of the environment, and assistance with physical or mental tasks enable inhabitants to live safer, more comfortable, and more independent lives. Many commercial and research efforts are investigating the vast potential that smart homes and related products provide to assist the activities of daily living. However, the resulting efforts frequently suffer from two main limitations that hinder their widespread use. First, resulting products are usually proprietary, offering closed services that are tailored to specific applications and cannot be easily reused or extended by other services in the smart home. Second, the invasiveness of the technology and use of personal information may allow the privacy of the inhabitants to be violated.

    We have previously addressed the privacy issue by calling for a privacy policy-based framework [1][2] to control the collection, storage, use and dissemination of personal information in smart home environments. This framework supports several high-level goals, including promoting inhabitant awareness of the abilities of devices/services contained in the smart home space, using privacy policies that express the contextual nature of privacy, providing mechanisms and tool support for the authoring, deployment, enforcement, and auditing of privacy policies, as well as creating and verifying policy models to detect conflicts and incorrect specification of privacy policies. In this thesis, we focus on the modeling and verification of policies by proposing a combination of the service-oriented computing and privacy policy paradigms to create a preliminary privacy model for smart homes. We then offer an example scenario and discuss how we employ model checking techniques to verify various aspects of our proposed policy model. The major contributions of this work are four-fold: (1) We extend the notion of personal privacy to include the control of how household objects are used by smart home services. (2) We introduce the use of service-oriented computing to bind resources to the policy space. (3) We define a novel service-oriented privacy policy model that authorizes both the flow of personally sensitive data and the control of environment objects based on inhabitant preferences and various system contexts. (4) We introduce the use of model checking techniques to verify correctness properties of privacy policy models and their enforcement.

    The rest of the paper is organized as follows: section 2 gives background information about smart homes, information privacy, policy-based management in distributed systems, and model checking; section 3 presents existing privacy analyses and policy models; section 4 presents our novel privacy model; section 5 illustrates with an example scenario how model checking can be used to verify our privacy model; and section 6 concludes with discussion and future work. Appendix A contains model implementation files, and Appendix B contains property specification files.

    Privacy by Design: a Formal Framework for the Analysis of Architectural Choices (extended version)

    The privacy by design approach has already been put into practice in different application areas. We believe that the next challenge today is to go beyond individual cases and to provide methodologies to explore the design space in a systematic way. As a first step in this direction, we focus in this report on the data minimization principle and consider different options using decentralized architectures in which actors do not necessarily trust each other. We propose a framework to express the parameters to be taken into account (the service to be performed, the actors involved, their respective requirements, etc.) and an inference system to derive properties such as the possibility for an actor to detect potential errors (or frauds) in the computation of a variable. This inference system can be used in the design phase to check if an architecture meets the requirements of the parties or to point out conflicting requirements.

    The privacy by design approach has already been put into practice in various application domains. The next challenge in this area is to move beyond case-by-case treatment and provide more systematic design methods. In this report, we propose for this purpose a method that implements the data minimisation principle. It makes it possible to analyse different design choices relying on decentralised architectures in which the actors do not necessarily grant each other full trust. The proposed framework allows the parameters to be taken into account (service to be provided, actors involved, requirements in terms of data protection or access to information, etc.) to be expressed, and the architectural choices to be analysed with the help of an inference system. This system can be used in the design phase to show that an architecture satisfies all the required properties or to detect irreconcilable requirements.

    1st doctoral symposium of the international conference on software language engineering (SLE) : collected research abstracts, October 11, 2010, Eindhoven, The Netherlands

    The first Doctoral Symposium to be organised by the series of International Conferences on Software Language Engineering (SLE) will be held on October 11, 2010 in Eindhoven, as part of the 3rd instance of SLE. This conference series aims to integrate the different sub-communities of the software-language engineering community to foster cross-fertilisation and strengthen research overall. The Doctoral Symposium at SLE 2010 aims to contribute towards these goals by providing a forum for both early and late-stage Ph.D. students to present their research and get detailed feedback and advice from researchers both in and out of their particular research area. Consequently, the main objectives of this event are: to give Ph.D. students an opportunity to write about and present their research; to provide Ph.D. students with constructive feedback from their peers and from established researchers in their own and in different SLE sub-communities; to build bridges for potential research collaboration; and to foster integrated thinking about SLE challenges across sub-communities. All Ph.D. students participating in the Doctoral Symposium submitted an extended abstract describing their doctoral research. Based on a good set of submissions we were able to accept 13 submissions for participation in the Doctoral Symposium. These proceedings present final revised versions of these accepted research abstracts. We are particularly happy to note that submissions to the Doctoral Symposium covered a wide range of SLE topics drawn from all SLE sub-communities. In selecting submissions for the Doctoral Symposium, we were supported by the members of the Doctoral-Symposium Selection Committee (SC), representing senior researchers from all areas of the SLE community. We would like to thank them for their substantial effort, without which this Doctoral Symposium would not have been possible. Throughout, they have provided reviews that go beyond the normal format of a review, being extra careful in pointing out potential areas of improvement of the research or its presentation. Hopefully, these reviews themselves will already contribute substantially towards the goals of the symposium and help students improve and advance their work. Furthermore, all submitting students were also asked to provide two reviews for other submissions. The members of the SC went out of their way to comment on the quality of these reviews, helping students improve their reviewing skills.


    Defining the Internet of Devices: Privacy and Security Implications

    Presented at the 2014 Privacy Law Scholars Conference, hosted by the George Washington University Law School in Washington, DC, June 2014.

    What observers have called the Internet of Things (IoT) presents privacy and security challenges for contemporary society. The conceptual model of the IoT evolved rapidly from technologies used to track parts in industrial supply chain management to a diverse set of smart technologies. This rapid evolution has merged several conceptually distinct technologies into a single, difficult-to-define concept. A key difficulty is defining what constitutes a “thing.” The term has been used to refer both to the things sensed, such as a star or the contents of a refrigerator, and to the things that do the sensing (devices). We argue that the Internet of Things is better conceptualized as an Internet of Devices (IoD) because devices, not things, act in a digital form and connect to the Internet. Along with the other requirements of an effective IoD, technologists and policy makers must develop standards, network protocols, identity management solutions, and governance for the IoD to address privacy and security challenges a priori rather than retrofitted after the fact. Privacy and security cannot easily be added to a system that is already deployed and established. In this paper, we define the IoT and the IoD and summarize the independent technologies from which they have evolved. We provide a five-stage general policy framework for evaluating privacy and security concerns in the IoD. Our framework seeks to provide a consistent approach to evaluating privacy and security concerns across all IoD technologies while remaining flexible enough to adapt to new technical developments.

    Template-based Ontology Evolution

    Department of Cybernetics

    Detecting and resolving redundancies in EP3P policies

    Current regulatory requirements on data privacy make it increasingly important for enterprises to be able to verify and audit their compliance with their privacy policies. Traditionally, a privacy policy is written in a natural language. Such policies inherit the potential ambiguity, inconsistency and misinterpretation of natural text. Hence, formal languages are emerging to allow a precise specification of enforceable privacy policies that can be verified. The EP3P language is one such formal language. An EP3P privacy policy of an enterprise consists of many rules. Given the semantics of the language, there may exist some rules in the ruleset which can never be used; these rules are referred to as redundant rules. Redundancies adversely affect privacy policies in several ways. Firstly, redundant rules reduce the efficiency of operations on privacy policies. Secondly, they may misdirect the policy auditor when determining the outcome of a policy. Therefore, in order to address these deficiencies it is important to identify and resolve redundancies. This thesis introduces the concept of a minimal privacy policy, a policy that is free of redundancy. The essential component for maintaining the minimality of privacy policies is to determine the effects of the rules on each other. Hence, redundancy detection and resolution frameworks are proposed. Pair-wise redundancy detection is the central concept in these frameworks, and it suggests a pair-wise comparison of the rules in order to detect redundancies. In addition, the thesis introduces a policy management tool that assists policy auditors in performing several operations on an EP3P privacy policy while maintaining its minimality. Formal results comparing alternative notions of redundancy, and how these would affect the tool, are also presented.