
    Z Unification Tools in Generic Formaliser

    We describe some prototype tools for performing unification (i.e. deriving the least common refinement) of simple Z specifications. The techniques used are those described in http://alethea.ukc.ac.uk/Dept/Computing/Research/NDS/consistency/cccfpsiZ.html on viewpoint specification in Z; the tools have been implemented in Generic Formaliser (http://public.logica.com/formaliser, a product of Logica UK Limited). UKC Computing Laboratory technical report 10-97. The prototype tools themselves (in the form of Generic Formaliser grammars) will be made available later.

    Grey Box Data Refinement

    We introduce the concepts of grey box and display box data types. These make explicit the idea that state variables in abstract data types are not always hidden. Programming languages have visibility rules which make representations observable and modifiable. Specifications in model-based notations may have implicit assumptions about visible state components, or are used in contexts where the representation does matter. Grey box data types are like the "standard" black box data types, except that they contain explicit subspaces of the state which are modifiable and observable. Display boxes indirectly observe the state by adding displays to a black box. Refinement rules for both these alternative data types are given, based on their interpretations as black boxes.

    9 Squares: Framing Data Privacy Issues

    In order to frame discussions on data privacy in varied contexts, this paper introduces a categorisation of personal data along two dimensions. Each of the nine resulting categories offers a significantly different flavour of issues in data privacy. Some issues can also be perceived as a tension along a boundary between different categories. The first dimension is data ownership: who holds or publishes the data. The three possibilities are “me”, i.e. the data subject; “us”, where the data subject is part of a community; and “them”, where the data subject is indeed a subject only. The middle category contains social networks as the most interesting instance. The amount of control for the data subject moves from complete control in the “me” category to very little at all in the “them” square – but the other dimension also plays a role in that. The second dimension has three possibilities, too, focusing on the type of personal data recorded: “attributes” are what would traditionally be found in databases, and what one might think of first for “data protection”. The second type of data is “stories”, which is personal data (explicitly) produced by the data subjects, such as emails, pictures, and social network posts. The final type is “behaviours”, which is (implicitly) generated personal data, such as locations and browsing histories. The data subject has very little control over this data, even in the “us” category. This lack of control, which is closely related to the business models of the “us” category, is likely the major data privacy problem of our time.

    Strategies for Consistency Checking

    Viewpoint models of system development are becoming increasingly important. A major requirement for viewpoints modelling is to be able to check that the multiple viewpoint specifications are consistent with one another. The work presented in this report makes a contribution to this task. Our work is particularly influenced by the viewpoints model used in the ISO standardisation architecture for Open Distributed Processing. This report focuses on the issue of strategies for consistency checking. In particular, it considers how global consistency (between any arbitrary number of viewpoints) can be obtained from binary consistency (between two viewpoints). The report documents a number of different classes of consistency checking, from those that are very poorly behaved to those that are very well behaved. The report is intended as a companion to the work presented in [1] and it should be read in association with this document. In particular, the body of this report is a single chapter which should be viewed as additional to the chapters included in [1]. This report contains complete proofs of all relevant results, even though some of the results are obvious and some of the proofs are trivial. A much compressed version of the report is being submitted for publication. Thus, the main value of this report is as a reference document for readers who require a complete presentation of the technical. [1] E. Boiten, H. Bowman, J. Derrick and M. Steen ''Cross Viewpoint Consistency in Open Distributed Processing (Intra Language Consistency)'', Technical Report, Computing Laboratory, University of Kent at Canterbury, report No. 8-95, 1995. Phone: +44 1227 827913, Fax: 44 1227 762811 Email: H.Bowman,E.A.Boiten,J.Derrick,[email protected]

    Solving a combinatorial problem by transformation of abstract data types

    Techniques from the area of formal specification are shown to be useful in the analysis of combinatorial problems. A problem description is given, using an abstract data type. By gradual elimination of the equivalences on the data types a unique representation of the type is derived which reduces the new problem to a known one

    Unification and multiple views of data in Z

    This paper discusses the unification of Z specifications, in particular specifications that maintain different representations of what is intended to be the same datatype. Essentially this amounts to integrating previously published techniques for combining multiple viewpoints and for combining multiple views. It is shown how the technique proposed in this paper indeed produces unifications, and that it generalises both previous techniques

    Specifying and Refining Internal Operations in Z

    An important aspect in the specification of distributed systems is the role of the internal (or unobservable) operation. Such operations are not part of the interface to the environment (i.e. the user cannot invoke them); however, they are essential to our understanding and correct modelling of the system. In this paper we are interested in the use of the formal specification notation Z for the description of distributed systems. Various conventions have been employed to model internal operations when specifying such systems in Z. If internal operations are distinguished in the specification notation, then refinement needs to deal with internal operations in appropriate ways. Using an example of a telecommunications protocol we show that standard Z refinement is inappropriate for refining a system when internal operations are specified explicitly. We present a generalization of Z refinement, called weak refinement, which treats internal operations differently from observable operations when refining a system. We discuss the role of internal operations in a Z specification, and in particular whether an equivalent specification not containing internal operations can be found. The nature of divergence through livelock is also discussed. Keywords: Z; Refinement; Distributed Systems; Internal Operations; Process Algebras; Concurrency

    Privacy Risk Assessment: From Art to Science, by Metrics

    Privacy risk assessments aim to analyze and quantify the privacy risks associated with new systems. As such, they are critically important in ensuring that adequate privacy protections are built in. However, current methods to quantify privacy risk rely heavily on experienced analysts picking the “correct” risk level on e.g. a five-point scale. In this paper, we argue that a more scientific quantification of privacy risk increases accuracy and reliability and can thus make it easier to build privacy-friendly systems. We discuss how the impact and likelihood of privacy violations can be decomposed and quantified, and stress the importance of meaningful metrics and units of measurement. We suggest a method of quantifying and representing privacy risk that considers a collection of factors as well as a variety of contexts and attacker models. We conclude by identifying some of the major research questions to take this approach further in a variety of application scenarios

    Complementing Privacy and Utility Trade-Off with Self-Organising Maps

    In recent years, data-enabled technologies have intensified the rate and scale at which organisations collect and analyse data. Data mining techniques are applied to realise the full potential of large-scale data analysis. These techniques are highly efficient in sifting through big data to extract hidden knowledge and assist evidence-based decisions, offering significant benefits to their adopters. However, this capability is constrained by important legal, ethical and reputational concerns. These concerns arise because the techniques can be exploited to allow inferences to be made on sensitive data, thus posing severe threats to individuals’ privacy. Studies have shown that Privacy-Preserving Data Mining (PPDM) can adequately address this privacy risk and permit knowledge extraction in mining processes. Several published works in this area have utilised clustering techniques to enforce anonymisation models on private data, which work by grouping the data into clusters using a quality measure and generalising the data in each group separately to achieve an anonymisation threshold. However, existing approaches do not work well with high-dimensional data, since it is difficult to develop good groupings without incurring excessive information loss. Our work aims to complement this balancing act by optimising utility in PPDM processes. To illustrate this, we propose a hybrid approach that combines self-organising maps with conventional privacy-based clustering algorithms. We demonstrate through experimental evaluation that results from our approach produce more utility for data mining tasks and outperform conventional privacy-based clustering algorithms. This approach can significantly enable large-scale analysis of data in a privacy-preserving and trustworthy manner.