In Processes We Trust: Privacy and Trust in Business Processes


Privacy and Trust in Business Processes: Challenges and Opportunities

In processes we trust

Marlon Dumas

marlon.dumas@ut.ee

SOAMED Workshop – Berlin 9-10 June 2016

What do you understand by…

Security?

Privacy? Trust?

Trust (diagram; labels: Confidentiality, Integrity, Non-Repudiation, Availability, Reliability, Safety, Functionality, Data)

SECURITY VS. PRIVACY

• Security: Confidentiality, integrity and non-repudiation in the presence of dishonest/malicious attackers

• Privacy: Confidentiality in the presence of honest-but-curious actors

Topics in Business Process Security & Privacy

• Access control and release control in business processes

• Flow analysis to detect unauthorized data object access/disclosures

• Privacy-aware business process execution

• Collaborative process execution with untrusted parties

Privacy-Aware Business Processes

Analysis of Linked Datasets: No privacy tech

Analysis of Linked Datasets: k-anonymization

Analysis of Linked Datasets: Multi-Party Computation (MPC)

10 million tax records

+

500 000 education records

Dan Bogdanov et al.: Students and Taxes: a Privacy-Preserving Study Using Secure Computation. PoPETs 2016(3): 117-135 (2016)


Data Analysis with MPC – Architecture

Data analysis process with MPC (part 1)

Data analysis process with MPC (part 2)

Challenges

1. How can we make it easy for business users to model and configure multi-party private data analysis processes?

2. How to analyze such processes against compliance requirements?


Scope of MPC

• Allows a computation to be performed across parties without them disclosing anything but the output

• But the output is visible to the analyst…

• What if the analyst issues several (authorized) queries? What can they learn about individuals?

• Information release control
  • k-anonymity, t-closeness
  • Differential privacy

Differential Privacy (Dwork 2006)

K gives ε-differential privacy if for all values of DB, DB' differing in a single element, and all S in Range(K):

$$\frac{\Pr[K(DB) \in S]}{\Pr[K(DB') \in S]} \le e^{\varepsilon} \approx 1 + \varepsilon$$

(Figure: output distributions Pr[t] of K(DB) and K(DB'); their ratio is bounded at every t.)


Differential Privacy (figure; source: Gerome Miklau and Michael Hay)

Accuracy loss!


Data Analysis with MPC – Architecture, with a Differentially Private Release Mechanism

Challenges

3. How to measure differential privacy of data analysis processes that are repeatedly executed?

4. How to strike tradeoffs between differential privacy and accuracy in data analysis processes?

Pleak.io – Vision

- Lets one model stakeholders and flows in extended BPMN (PA-BPMN)

- Finds data leaks taking into account the Privacy-Enhancing Technologies used:
  - Secure multi-party computation
  - Encrypted computation
  - k-anonymity, differential privacy

- Quantifies leakages and accuracy loss

- Suggests relevant privacy-enhancing technologies to reduce privacy leaks

Part of DARPA’s Brandeis Program – NAPLES Project


Pleak.io – Architecture

Sample Scenario in PA-BPMN (diagram; element labels: dp-flow, dp-task)

Privacy Analysis: Differential Privacy Disclosure

Underpinning Theory – Generalized Sensitivity

- Generalized distances: any partial order with addition and least element, $d_X : X^2 \to V_X$

- $f : X \to Y$ has sensitivity $c_f : V_X \to V_Y$

- Differential privacy is a specific case of generalized sensitivity

- Generalized sensitivity is composable, e.g. $c_{f \circ g} = c_f \circ c_g$

Abstract Model: Data Processing Workflow

Differential Privacy Disclosure of Outputs w.r.t. Data Sources

Differential Privacy Disclosure of a Data Source to a Party

    (ships, disaster) -> {
        avail_food = 0;
        avail_ships = [];
        for (ship in ships) do {
            fuzzed_loc = ship.loc() + Lap2(3);
            if (dist(fuzzed_loc, disaster.loc()) / ship.speed() <= 2
                && ship.cargo_type() == "food"
                && !ship.contains(dangerous_materials)) {
                avail_food += ship.cargo();
                avail_ships.append({ship.name(), fuzzed_loc});
            }
        }
        avail_food += Lap(2);
        return (avail_food, avail_ships);
    }
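Added example (not from the slides or the GraMSec paper): generalized sensitivity as composable distance maps, applied to a reduced version of the ship workflow above (the avail_food output only) to obtain the differential privacy disclosure of that output with respect to the ship data source. CARGO_CAP (a clipping bound the pseudocode does not state), the record layout and all function names are assumptions.

```python
import math
import random
from typing import Callable, Dict, List

# c_f : V_X -> V_Y, a monotone map from input distance to output distance
Sensitivity = Callable[[float], float]

def compose(c_f: Sensitivity, c_g: Sensitivity) -> Sensitivity:
    """c_{f o g} = c_f o c_g: sensitivity of the pipeline x -> f(g(x))."""
    return lambda d: c_f(c_g(d))

CARGO_CAP = 50.0   # assumed clipping bound on one ship's cargo
LAP_SCALE = 2.0    # scale of the Lap(2) added to avail_food in the pseudocode

def dist(a, b) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])

# Task g: select food ships that reach the disaster within `hours`. Input
# distance = number of differing ship records; one changed record changes at
# most one selected row, so c_g(d) = d.
def select_ships(ships: List[Dict], disaster_loc, hours: float = 2.0) -> List[Dict]:
    return [s for s in ships if s["cargo_type"] == "food"
            and dist(s["loc"], disaster_loc) / s["speed"] <= hours]
c_select: Sensitivity = lambda d: d

# Task f: sum clipped cargo. One differing row moves the sum by at most
# CARGO_CAP in L1 distance, so c_f(d) = CARGO_CAP * d.
def sum_cargo(selected: List[Dict]) -> float:
    return sum(min(max(s["cargo"], 0.0), CARGO_CAP) for s in selected)
c_sum: Sensitivity = lambda d: CARGO_CAP * d

# Release: Laplace noise of scale b maps an L1 distance d to the privacy
# "distance" epsilon = d / b (differential privacy as a generalized distance).
def laplace_release(value: float, scale: float = LAP_SCALE, rng=random) -> float:
    u = rng.random() - 0.5
    return value - scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))
c_release: Sensitivity = lambda d: d / LAP_SCALE

def avail_food(ships: List[Dict], disaster_loc, rng=random) -> float:
    return laplace_release(sum_cargo(select_ships(ships, disaster_loc)), rng=rng)

def epsilon_wrt_ships(records_changed: int = 1) -> float:
    """DP disclosure of avail_food w.r.t. the ship data source, by composing
    the task sensitivities and evaluating at the number of changed records."""
    return compose(c_release, compose(c_sum, c_select))(records_changed)

def scale_for_epsilon(target_eps: float) -> float:
    """Accuracy trade-off: Laplace scale needed to reach a target epsilon."""
    return CARGO_CAP / target_eps
```

With the assumed cap, Lap(2) on the sum gives epsilon = 25 per changed ship record, which is why scale_for_epsilon is there: the Laplace scale, and hence the accuracy loss, must grow with CARGO_CAP / epsilon to reach a meaningful guarantee.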

Peeter: This slide is perhaps unnecessary

Collaborative processes with untrusted parties

Distributed Ledger (e.g. Blockchain)

Source: FT Research

Distributed append-only database that ensures integrity and non-repudiation in an untrusted setting

Smart Contracts

• Programs living on the blockchain (e.g. Ethereum) with their own memory and code

• Invoked when certain transactions are sent to them

• Can store data, send transactions, interact with other contracts or with “agents”

Distributed Ledgers for Collaborative Processes

- Participants agree on a collaborative process and a model for it

- The model is translated to one or more smart contracts to be executed on the blockchain

- Smart contracts listen to process execution events and interact with agents or other smart contracts in order to monitor and/or execute the process

1. Audit trail: Record all events in the process, which can be used later to retrace the execution of a given process instance.

2. Monitoring: Deploy a smart contract for every instance of the process to verify and/or enforce the constraints captured in the process model.

3. Active coordination: Deploy a smart contract for every process instance, which observes every event occurring in the process instance and triggers the next step by notifying the agent(s) of the corresponding actors.
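Added example (not from the slides or from Weber et al.): a Python stand-in for one monitoring contract deployed per process instance, covering the three uses just listed. The process model is a small Petri-net-like table derived from an assumed order-handling process; the task names, actor roles and the hash-chained audit trail are assumptions, not the authors' design.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Process model as a Petri-net-like table: task -> (places consumed, places produced)
MODEL: Dict[str, Tuple[Set[str], Set[str]]] = {
    "submit_order": ({"start"}, {"p1"}),
    "check_credit": ({"p1"}, {"p2"}),
    "approve":      ({"p2"}, {"p3"}),   # XOR split after check_credit
    "reject":       ({"p2"}, {"end"}),
    "ship_goods":   ({"p3"}, {"end"}),
}
# Which participant is allowed to report each task (assumed roles)
ACTOR: Dict[str, str] = {"submit_order": "customer", "check_credit": "bank",
                         "approve": "manager", "reject": "manager",
                         "ship_goods": "warehouse"}

class ProcessInstanceContract:
    """Stand-in for one smart contract deployed per process instance."""
    def __init__(self, model=MODEL, actor=ACTOR):
        self.model, self.actor = model, actor
        self.marking: Set[str] = {"start"}
        self.log: List[Tuple[str, str, str]] = []   # audit trail: (task, sender, chain hash)
        self.prev_hash = "0" * 64

    def enabled(self) -> Set[str]:
        return {t for t, (pre, _) in self.model.items() if pre <= self.marking}

    def handle_event(self, task: str, sender: str) -> bool:
        """Monitoring: accept an event only if the model enables the task and
        the sender is the actor responsible for it; otherwise reject it."""
        if task not in self.enabled() or self.actor.get(task) != sender:
            return False
        pre, post = self.model[task]
        self.marking = (self.marking - pre) | post
        # Audit trail: hash-chained, append-only record of the accepted event
        self.prev_hash = hashlib.sha256(
            (self.prev_hash + task + sender).encode()).hexdigest()
        self.log.append((task, sender, self.prev_hash))
        return True

    def next_actors(self) -> Set[str]:
        """Active coordination: actors to notify for the next enabled step(s)."""
        return {self.actor[t] for t in self.enabled()}

    def completed(self) -> bool:
        return self.marking == {"end"}
```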


Collaborative Process Coordination on Blockchain


Ingo Weber et al. (BPM’2016)

Challenges

1. How to make it possible for business users to model and configure collaborative processes on distributed ledgers?

2. How to analyze these processes against security and privacy requirements?

3. How to efficiently execute high-throughput collaborative processes on distributed ledgers?

4. How to ensure privacy in these processes?

Join us…

Reference(s)

[1] Dan Bogdanov et al.: Students and Taxes: A Privacy-Preserving Study Using Secure Computation. PoPETs 2016(3): 117-135, 2016.

[2] Marlon Dumas, Luciano García-Bañuelos, Peeter Laud: Differential Privacy of Data Processing Workflows. In Proc. of GraMSec 2016.

[3] Ingo Weber, Xiwei Xu, Régis Riveret, Guido Governatori, Alexander Ponomarev, Jan Mendling: Untrusted Business Process Monitoring and Execution Using Blockchain. In Proc. of BPM 2016.

Research funded by DARPA (Brandeis program 2015-2019)

Thanks!
