Inferring Accountability from Trust Perceptions Koen Decroix, Denis Butin, Joachim Jansen, Vincent Naessens ICISS 2014, Hyderabad
Dec 21, 2015
Outline
• Introducing Accountability
• Goal
• Modeling Approach
• Evaluation
• Conclusions
Introducing Accountability
Figure: Spotify signup form. Fields: Username, Password, Email, Date of birth, Sex, Name, Credit card information. Link: Privacy policy.
Alice agrees with the terms and policies of Spotify and gives her explicit consent for the specified data handling practices
Often vague about:
• Purpose for which personal data is used
• The collaborating third parties they forward data to
• Obligations in terms of third-party forwarding
• Retention of personal data
• …
Figure: Spotify forwards data to Advertisers, Sub-contractors and further unknown parties.
…, but this may have unexpected consequences, outside the scope of Spotify’s obligations.
She loses control over her personal data,
…, and her personal data may even spread to locations with less restrictive privacy regulations.
Accountability: a key component for protecting an individual’s privacy
Necessity to demonstrate compliance as a burden for data controllers
Accountability is explicitly cited as an obligation of data processors for their data handling practices in the upcoming EU Data Protection Regulation.
Proposal for the upcoming EU Data Protection Regulation:
Article 22 takes account of the debate on a "principle of accountability" and describes in detail the obligation of responsibility of the controller to comply with this Regulation and to demonstrate this compliance, including by way of adoption of internal policies and mechanisms for ensuring such compliance.
Goal
Figure: Spotify, Advertisers, Sub-contractors and further unknown parties.
Spotify fulfills its promises, but what about the others?
Even if every organization individually has clear data handling practices, the global result is opaque for Alice.
What would she like? To understand the system-wide (global) guarantees of data controllers that apply to her personal data.
Modeling Approach
Inferring Global Accountability Guarantees
Global Accountability Profile = a panoramic overview from the viewpoint of a trusted auditor who operates on behalf of the user. This overview also takes the user’s privacy preferences into account.
Figure: modeling approach overview. A Knowledge Base System (IDP) combines a System Independent Model (Vocabulary of Accountability Concepts, Global Accountability Computation Rules) with an Input Model (User Model and System Model) to infer the Global Accountability Profile.
• User Model: User Type (Naïve, Regular User, Privacy-Aware); Trusted Organization
• System Model: Entity Statements (Duties, Prohibitions, Notification Guarantees, Retention Limits)
Figure: Camera Surveillance in the Railway Station.
Entities: Organizations (Railway, Security Company); Components (Camera, Monitor, Image DB, Status DB, Mobile Device); Operators (Surveillance Guard, Status Processor, Image Processor).
Data categories: Face, Blurred Face, Picture Incident, Gait, Height, Behavior, Location, Time.
type DataCategory = { PersData; Face; … }
DataCategoryOf(DataCategory, DataCategory) = { Face, PictureIncident; … }
ComponentOf(Component) : Organization = { Camera → RailwayCompany; … }
EmployeeOf(Operator) : Organization = { SurveillanceGuard → SecurityCompany; … }
OperatorOf(Operator, Component) = { SurveillanceGuard, Monitor; … }
ComponentCanCollect(Component, DataCategory) = { Camera, Face; Camera, BlurredFace; ImageDB, BlurredFace; … }
System Model
Individual Statements
Figure: Camera Surveillance Statements. Each entity of the system model (Railway: Camera, Monitor, Image DB, Status DB, Mobile Device; Security Company) has its own individual data handling statements attached.
Accountability Levels
We consider three levels of accountability (statement assurance):
• Declarative statements (D): only specified in data handling statements.
• Logged Unverified statements (L): data handling logs are provided together with the statement but cannot be checked straight away.
• Logged and Verified statements (V): data handling logs are provided and checked (the highest level of accountability).
Decomposing Data Handling Statement
Example 1:
(L): Full body pictures with blurred faces or clear faces, gaits, heights, and behavior are recorded for incident detection.
Statement of = Railway company; Subjects = Face, Blurred Face, Gait, Height, Behavior; Purpose = Incident detection; Permission = Always (duty); Action = Record (collect); Proof = LoggedUnverified
Example 2:
(V): Full body pictures with clear faces, gaits, heights, and behavior are never processed for the purpose of identification.
Statement of = Image database; Subjects = Face, Gait, Height, Behavior; Purpose = Identification; Permission = Never (prohibition); Action = Process; Proof = LoggedAndVerified
Decomposing Data Handling Statement
Example 3:
(L): The maximal retention time for any category of collected personal data is 60 days.
Statement of = Railway company; Subjects = Personal Data; Proof = LoggedUnverified; RetentionLimit = 60 days
Decomposing Data Handling Statement
Other statement aspects:
• Conditions: e.g., only forward pictures to legal authorities upon their request.
• Forwarding data: e.g., pictures are forwarded to legal authorities.
• Notification guarantee: e.g., a weekly SMS is sent to a customer containing the current status.
Decomposing Data Handling Statement
StatementFrom(Statement) : Entity = { StatR1 → RailwayCompany; … }
StatementSubject(Statement, DataCategory) = { StatR1, Face; … }
StatementPurpose(Statement, Purpose) = { StatR1, DetectIncident; … }
partial StatementCondition(Statement) : Condition = { StatR2 → RequestLegalAuthority; … }
StatementPermission(Statement) : Permission = { StatR1 → Always; … }
partial StatementAction(Statement) : Action = { StatR1 → Collecting; … }
StatementDestination(Statement, Organization) = { StatR2, LegalAuthority; … }
partial StatementRetentionLimit(Statement) : Duration = { StatR4 → 60; … }
StatementNotificationGuarantee(Statement) = { }
StatementProof(Statement) : StatementEvidence = { StatR1 → LoggedUnverified; StatR2 → Declarative; … }
User Model: Trust Perceptions
Required Data Handling Assurance Levels per user type:
User type | Required assurance level
Naive user | Purely declarative statements are sufficient
Regular user | Data handling logs are sufficient
Privacy-aware user | Data handling logs must be verified
Trusted organizations: Railway
Knowledge Base System (IDP)
Figure: Global Accountability Profile Inference. Inputs: Individual Statements and Trust Perceptions. Processing: worst-case synthesis of the global accountability profile (GAP). Outputs: Global Duties, Global Prohibitions, Global Retention Limits, Global Notification Guarantees.
IDP Representation of the GAP
GAPCollectData(DataCategory)
GAPCollectDataAction(DataCategory, Action)
GAPCollectDataForPurposeOf(DataCategory, Purpose)
GAPCollectDataCondition(DataCategory, Condition)
GAPCollectDataProof(DataCategory, GAPEvidence)
GAPForwardDataTo(DataCategory, Organization)
GAPForwardDataAction(DataCategory, Action)
GAPForwardDataForPurposeOf(DataCategory, Purpose)
GAPForwardDataCondition(DataCategory, Condition)
GAPForwardDataProof(DataCategory, GAPEvidence)
GAPRetentionLimit(DataCategory, Duration)
GAPRetentionLimitCondition(DataCategory, Condition)
GAPRetentionLimitProof(DataCategory, GAPEvidence)
…
Global Statement Guarantees
Statements of an entity of an organization are (G)uaranteed or (U)ncertain as a function of the modeled user:
Proof(S) | Declared | LoggedUnverified | LoggedAndVerified
Naive User (U1) | G | G | G
Regular User (U2) | U | G | G
Privacy-aware User (U3) | U | U | G
Global Statement | Evidence of: Uncertain | Guaranteed
Duty() | |
Prohibition() | |
NotificationGuarantee() | |
RetentionLimit() | |
Deduction Of Global Data Categories
Worst-case computation rule for the deduction of global data categories deduced from statement $S$ of entity $E$:
$\psi(S, E, DC) \equiv \mathit{CanCollect}(E, DC) \wedge \mathit{Sub}(DC)$
$\mathit{Sub}$ denotes the subject of statement $S$; $\mathit{CanCollect}$ the collectable data categories of entity $E$.
Global Duty computation rules
Some examples of worst-case computation rules for Global Duty aspects:
• Global Purpose of data category $DC$: the union of all purposes of individual duties with subject global data category $DC$. If no purpose is specified, then all purposes are assumed.
• Global Actions for data category $DC$: the union of all actions of individual statements with global data category $DC$.
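To make the inference concrete, here is an added Python example (not the authors' IDP code) that applies the per-user guarantee table and the worst-case Global Duty rules above to constructed camera surveillance statements. ALL_PURPOSES and the rule that a global duty is Guaranteed only when every contributing duty is guaranteed are assumptions of this example.

```python
from dataclasses import dataclass
# Evidence levels from the slides, ranked by assurance, and the weakest level each user type accepts.
EVIDENCE_RANK = {"Declarative": 0, "LoggedUnverified": 1, "LoggedAndVerified": 2}
REQUIRED_EVIDENCE = {"Naive": "Declarative", "Regular": "LoggedUnverified",
                     "PrivacyAware": "LoggedAndVerified"}
# Constructed purpose universe, assumed whenever a duty leaves its purpose unspecified.
ALL_PURPOSES = frozenset({"DetectIncident", "Identification", "Statistics", "Marketing"})

@dataclass(frozen=True)
class Statement:
    entity: str
    permission: str      # "Always" = duty, "Never" = prohibition
    subjects: frozenset  # data categories the statement is about
    purposes: frozenset  # empty = purpose not specified
    actions: frozenset
    proof: str           # a key of EVIDENCE_RANK

def guaranteed(stmt, user_type):
    """(G)uaranteed iff the evidence meets the user's required level, else (U)ncertain."""
    return EVIDENCE_RANK[stmt.proof] >= EVIDENCE_RANK[REQUIRED_EVIDENCE[user_type]]

def global_data_categories(statements, can_collect):
    """psi(S, E, DC): DC is global iff it is a subject of a statement of E and E can collect it."""
    return {dc for s in statements for dc in s.subjects if dc in can_collect.get(s.entity, ())}

def global_duty(statements, can_collect, user_type, dc):
    """Worst-case global duty for dc: union of purposes (all purposes if any duty is silent),
    union of actions, and 'Guaranteed' only if every contributing duty is guaranteed for
    this user (that last rule is an assumption of this example, not a rule from the slides)."""
    duties = [s for s in statements if s.permission == "Always"
              and dc in s.subjects and dc in can_collect.get(s.entity, ())]
    if not duties:
        return None
    purposes = set()
    for s in duties:
        purposes |= s.purposes if s.purposes else ALL_PURPOSES
    actions = set().union(*(s.actions for s in duties))
    evidence = "Guaranteed" if all(guaranteed(s, user_type) for s in duties) else "Uncertain"
    return {"purposes": purposes, "actions": actions, "evidence": evidence}

# Constructed sample: Example 1 of the slides plus a declarative ImageDB storing duty with no purpose.
CAN_COLLECT = {"RailwayCompany": {"Face", "BlurredFace", "Gait", "Height", "Behavior"},
               "ImageDB": {"BlurredFace", "Gait"}}
STATEMENTS = [
    Statement("RailwayCompany", "Always", frozenset({"Face", "BlurredFace", "Gait", "Height", "Behavior"}),
              frozenset({"DetectIncident"}), frozenset({"Collecting"}), "LoggedUnverified"),
    Statement("ImageDB", "Always", frozenset({"BlurredFace", "Gait"}), frozenset(),
              frozenset({"Storing"}), "Declarative"),
]
```

Calling global_duty for "Gait" shows the worst case at work: the naive user gets a Guaranteed duty with every purpose assumed, while the regular and privacy-aware users get an Uncertain one because the image database's duty is only declarative.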
Table: Inferred GAP of Camera Surveillance (U1: Naive user; U2: Regular user; U3: Privacy-aware user).
Evaluation
Modeling Concepts
• Modeling concepts are defined for statements containing single declarations.
• Modeling statements containing multiple declarations, e.g., "The image database stores the blurred faces and gait for a max. of 30 days and for the purpose of statistics and marketing."
o Must be split in two statements:
• a duty that blurred face and gait are stored
• a retention limit that it stores personal data for a max. of 30 days
Framework Components
• User model:
o Coarse-grained prototypical user types: modelers only need to specify the type of user via a constant. E.g., .
• Reusable modeling components. For a given system model:
o Different types of users can easily be applied by changing the user model.
o Different samples (collected by the auditor) of statement evidence can be applied.
Modeling Extensions
• Detecting Conflicts
o Models can be extended with user privacy preferences. Conflicts can be detected between these and the data handling statements in the system.
Conclusions
• A modeling approach for inferring accountability is realized in IDP (knowledge base system). Results can be found at code.google.com/p/inferring-accountability
• A panoramic view is inferred from individual data handling practices using worst-case computation rules.
• Different types of users can easily be modeled
• We modeled coarse-grained implicit data handling evidence. A more refined approach would model the semantics of log compliance explicitly. This is difficult to implement using first-order logic (FO).
Questions