Privacy and Trust in Business Processes: Challenges and Opportunities In processes we trust Marlon Dumas [email protected] SOAMED Workshop – Berlin 9-10 June 2016
Privacy and Trust in Business Processes: Challenges and Opportunities
In processes we trust
Marlon Dumas
SOAMED Workshop – Berlin 9-10 June 2016
What do you understand by…
Security?
Privacy?Trust?
2
Trust
Confi
dent
ial
ity
Inte
gri
ty
Non
-Re
pudi
atio
n
Avai
labi
lity
Relia
bilit
y
Safe
ty
FunctionalityData
3
• Security: Confidentiality, integrity and non-repudiation in the presence of dishonest/malicious attackers
• Privacy: Confidentiality in the presence of honest-but-curious actors
SECURITY VS. PRIVACY
4
Topics in Business Process Security & Privacy
• Access control and release control in business processes• Flow analysis to detect unauthorized data object access/disclosures
• Privacy-aware business process execution
• Collaborative process execution with untrusted parties
5
Privacy-Aware Business Processes
Analysis of Linked Datasets: No privacy tech
Analysis of Linked Datasets: k-anonymization
Analysis of Linked Datasets:Multi-Party Computation (MPC)
10 million tax records
+
500 000 education records
Dan Bogdanov et al.: Students and Taxes: a Privacy-Preserving Study Using Secure Computation. PoPETs 2016(3): 117-135 (2016)
9
Dan Bogdanov et al.: a Privacy-Preserving Study Using Secure Computation. PoPETs 2016(3): 117-135 (2016)
Data Analysis with MPC – Architecture
10
Data analysis process with MPC (part 1)
11
12
Data analysis process with MPC (part 2)
Challenges
1. How can we make it easy for business users to model and configure multi-party private data analysis processes?
2. How to analyze such processes against compliance requirements?
12
Scope of MPC
• Allows a computation to be performed across parties without them disclosing anything but the output
• But the output is visible to the analyst…• What if the analyst issues several (authorized) queries? What can they learn about
individuals?
• Information release control• K-anonymity, t-closeness
• Differential privacy
13
Differential Privacy (Dwork 2006)K gives e-differential privacy if for all values of DB, DB’
differing in a single element, and all S in Range(K )
Pr[ K (DB) in S]
Pr[ K (DB’) in S]≤ eε ~ (1+ε)
ratio bounded
Pr [t]
14
Differential Privacy
Source: Gerome Miklau and Michael Hay
Accuracy loss!
15
Dan Bogdanov et al.: a Privacy-Preserving Study Using Secure Computation. PoPETs 2016(3): 117-135 (2016)
Data Analysis with MPC – Architecture
Differentially Private Release Mechanism
Challenges
3. How to measure differential privacy of data analysis processes that are repeatedly executed?
4. How to strike tradeoffs between differential privacy and accuracy in data analysis processes?
Pleak.io – Vision
- Lets one model stakeholders and flows in extended BPMN (PA-BPMN)- Finds data leaks taking into account Privacy-Enhancing Technologies used
- Secure multi-party computation- Encrypted computation- K-anonymity, differential privacy
- Quantifies leakages and accuracy loss.- Suggests relevant privacy-enhancing technologies to reduce privacy leaks.
Part of DARPA’s Brandeis Program – NAPLES Project
18
Pleak.io – Architecture
Sample Scenario in PA-BPMN
19
dp-flow
dp-task
Privacy AnalysisDifferential Privacy Disclosure
20
Underpinning Theory – Generalized Sensitivity
Generalized distances – any partial order with addition and least element- dX: X2 → VX
f : X→Y has sensitivity cf : VX→VY
Differential privacy is a specific case of generalized sensitivity
Generalized sensitivity is composable, e.g. cf○g = cf cg
21
Abstract Model:Data Processing Workflow
22
Differential Privacy Disclosure of Outputs w.r.t. Data Sources
23
Differential Privacy Disclosure of Outputs w.r.t. Data Sources
24
Differential Privacy Disclosure of Outputs w.r.t. Data Sources
25
Differential Privacy Disclosure of a Data Source to a Party
r
26
(ships, disaster) -> { avail_food = 0; avail_ships = []; for (ship in ships) do { fuzzed_loc = ship.loc() + Lap2(3); if (dist(fuzzed_loc, disaster.loc()) / ship.speed() <= 2 && ship.cargo_type() == "food" && !ship.contains(dangerous_materials) ) { avail_food += ship.cargo(); avail_ships.append({ship.name(), fuzzed_loc}); } } avail_food += Lap(2); return (avail_food, avail_ships);}
Collaborative processes with untrusted parties
Distributed Ledger (e.g. Blockchain)
29Source: FT Research
Distributed append-only database that ensures integrity and non-repudiation in an untrusted setting
• Programs living on the blockchain (e.g. Ethereum) with their own memory and code
• Invoked when certain transactions are sent to them
• Can store data, send transactions, interact with other contracts or with “agents”
Smart Contracts
30
Distributed Ledgers for Collaborative Processes
- Participants agree on a collaborative process and a model for it
31
3232
Distributed Ledgers for Collaborative Processes
- Participants agree on a collaborative process and a model for it
- The model is translated to a smart contract(s) to be executed on the blockchain
- Smart contracts listen to process execution events and interact with agents or other smart contracts in order to monitor and/or execute the process
33
1. Audit trail: Record all events in the process, which can be used later to retrace the execution of a given process instance.
2. Monitoring: Deploy a smart contract for every instance of the process to verify and/or enforce the constraints captured in the process model.
3. Active coordination: Deploy a smart contract for every process instance, which observes every event occurring in the process instance and triggers the next step by notifying the agent(s) of the corresponding actors.
34
Distributed Ledgers for Collaborative Processes
Collaborative Process Coordination on Blockchain
35
Ingo Weber et al. (BPM’2016)
Challenges
1. How to make it possible for business users to model and configure collaborative processes on dist. ledgers?
2. How to analyze these processes against security and privacy requirements?
3. How to efficiently execute high-throughput collaborative processes on distributed ledgers?
4. How to ensure privacy in these processes?
Join us…
Reference(s)
[1] Dan Bogdanov et al.: Students and Taxes: a Privacy-Preserving Study Using Secure Computation. PoPETs 2016(3):117-135, 2016
[2] Marlon Dumas, Luciano Garcia-Banuelos, Peeter Laud: Differential Privacy of Data Processing Workflows. In Proc. of GraMSec’2016
[3] Ingo Weber, Xiwei Xu, Regis Riveret, Guido Governatori, Alexander Ponomarev, Jan Mendling. Untrusted Business Process Monitoring and Execution Using Blockchain. In Proc. of BPM’2016
37
Research funded by DARPA (Brandeis program 2015-2019)
Thanks!