No Time for Compliance Guido Governatori, Mustafa Hashmi 23 September 2015 www.data61.csiro.au
Page 1: No Time for Compliance

No Time for Compliance

Guido Governatori, Mustafa Hashmi

23 September 2015

www.data61.csiro.au

Page 2: No Time for Compliance

A Privacy Act

Section 1: (Prohibition to collect personal medical information)

Offence: It is an offence to collect personal medical information.

Defence: It is a defence to the prohibition of collecting personal medical information if an entity immediately destroys the illegally collected personal medical information before making any use of the personal medical information.

Section 2: An entity is permitted to collect personal medical information if the entity acts under a Court Order authorising the collection of personal medical information.

Section 3: (Prohibition to collect personal information) It is forbidden to collect personal information unless an entity is permitted to collect personal medical information.

Offence: an entity collected personal information.

Defence: an entity being permitted to collect personal medical information.

2 | No Time for Compliance | Guido Governatori, Mustafa Hashmi

Page 3: No Time for Compliance

Making Sense of the Act

• Collection of medical information is forbidden.

• Destruction of the illegally collected medical information excuses the illegal collection.

• Collection of medical information is permitted if there is an authorising court order.

• Collection of personal information is forbidden.

• Collection of personal information is permitted if the collection of medical information is permitted.


Page 4: No Time for Compliance

Are We Compliant?

[Figure: a business process trace, Start → T1: Collect Medical Information → T2: Collect Personal Information → T3: Destroy Medical Information → End]


Page 5: No Time for Compliance

Motivation

• Linear Temporal Logic (LTL): mature technology to verify systems

• Similarity between conditions for obligations and temporal notions in LTL

• many compliance frameworks proposed LTL to check compliance of business processes

Can current compliance frameworks based on LTL be used to determine compliance of processes with norms?



Page 7: No Time for Compliance

Linear Temporal Logic 101 (Syntax)

• Xφ: at the next time φ holds;

• Fφ: eventually φ holds (sometimes in the future φ); and

• Gφ: globally φ holds (always in the future φ).

In addition we have three binary operators:

• φ U ψ (until): φ holds until ψ holds;

• φ W ψ (weak until): φ holds until ψ holds, and ψ might never hold.

Interdefinability

• Fφ ≡ ⊤ U φ,

• Gφ ≡ ¬F¬φ,

• φW ψ ≡ (φ U ψ) ∨ Gφ


Page 8: No Time for Compliance

Linear Temporal Logic 102 (Semantics)

Each diagram on the slide is a fullpath σ = s0 s1 s2 s3 … of the transition system TS, with the labels of the states that make the formula true at s0:

• TS, σ |= a:      s0: a

• TS, σ |= Xa:     s0: (unconstrained), s1: a

• TS, σ |= a U b:  s0: a ∧ ¬b, s1: a ∧ ¬b, s2: b, s3: (unconstrained)

• TS, σ |= Fa:     s0: ¬a, s1: ¬a, s2: a, s3: (unconstrained)

• TS, σ |= Ga:     s0: a, s1: a, s2: a, s3: a, …

A formula φ is true in a fullpath σ iff it is true at the first element of the fullpath. A formula is true in a state s iff it is true in every fullpath starting at s:

TS, s |= φ iff ∀σ : σ[0] = s, TS, σ |= φ.



Page 11: No Time for Compliance

Obligation, Prohibition and Permission

Obligation: A situation, an act, or a course of action to which a bearer is legally bound, and which results in a violation if it is not achieved or performed.

Prohibition: A situation, an act, or a course of action which a bearer should avoid, and which results in a violation if it is achieved.

Permission: Something is permitted if the obligation or the prohibition to the contrary does not hold.


Page 12: No Time for Compliance

Achievement vs Maintenance Obligations

• For an achievement obligation, a certain condition must occur at least once before the deadline:

‘Customers must pay before the delivery of the good, after receiving the invoice’

• For a maintenance obligation, a certain condition must obtain during all instants before the deadline:

‘After opening a bank account, customers must keep a positive balance until bank charges are taken out’


Page 13: No Time for Compliance

Achievement and Maintenance Obligations in LTL

Obligation type         Unconditional   With trigger τ and deadline δ

Maintenance obligation  Gφ              G(τ → φ U δ)

Achievement obligation  Fφ              G(τ → ¬(¬φ U δ))


Page 14: No Time for Compliance

Compliance in LTL

To determine, given a model encoding a trace of a business process and a set of formulas encoding the relevant norms, whether the formulas are satisfiable by the model.


Page 15: No Time for Compliance

LTL Compliance Frameworks

• Several compliance frameworks based on LTL have been proposed (e.g., COMPAS, MoBuCOM, BPMN-Q; we focus on the COMPAS Compliance Requirement Language, CRL).

• They propose templates/patterns to capture “compliance requirements” based on the “temporal order” of tasks or business process components.

• Templates correspond to temporal logic formulas


Page 16: No Time for Compliance

CRL Patterns

• Absence: φ isAbsent, φ does not occur in the process

G¬φ

• Existence: φ Exists, φ occurs in the process

• Leads To: φ LeadsTo ψ, φ must always be followed by ψ

G(φ→ Fψ)


Page 17: No Time for Compliance

CRL Contrary-to-duty Pattern

Pattern to represent compensations to violations

φ (LeadsTo|DirectlyFollowedBy) φ1 (Else|ElseNext) φ2 … (Else|ElseNext) φn

translated to

G(φ → F|X(φ1 ∧ ⋀1≤i<n−1 (F|X(φi NotSucceed) ∧ (φi NotSucceed → F|X φi+1))))

but it does not work for maintenance obligations (prohibitions), since Gφ ∧ ¬φ → ⊥. The intended reading of a compensated maintenance obligation is instead:

Gφ ∨ F(¬φ ∧ F|Xψ)



Page 19: No Time for Compliance

CRL Exception Patterns

Strong Exceptions: [[R]]Pattern, translated to φ → ψ

Weak Exceptions: [R]Pattern, translated to φ ∨ ψ

where:

• φ is the LTL translation of R

• ψ is the LTL translation of Pattern


Page 20: No Time for Compliance

Privacy Act Logical Structure

• A (“collection of medical information”) is forbidden

  • B (“destruction of medical information”) compensates the illegal collection

• A is permitted if C (“acting under a court order”)

• D (“collection of personal information”) is forbidden

• D is permitted if A is permitted


Page 21: No Time for Compliance

Privacy Act in CRL and LTL

CRL1 R1 : ([R2]A isAbsent) Else B,

CRL2 R2 : C ,

CRL3 R3 : [R4]D isAbsent,

CRL4 R4 : A isPermitted .

LTL1 G(C ∨ (G¬A ∨ F(A ∧ FB)));

LTL2 G(FA ∨ G¬D).



Page 23: No Time for Compliance

CRL: Are We Compliant?

[Figure: the same process trace, Start → T1: Collect Medical Information → T2: Collect Personal Information → T3: Destroy Medical Information → End]

LTL1 G(C ∨ (G¬A ∨ F(A ∧ FB)));

LTL2 G(FA ∨ G¬D).

• v(start) = {¬A,¬B,¬C ,¬D };

• v(T1) = {A,¬B,¬C ,¬D };

• v(T2) = {A,¬B,¬C ,D };

• v(T3) = {A,B,¬C ,D };

• v(end) = {A,B,¬C ,D }.

M |= LTL1 ∧ LTL2
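The check on this slide can be reproduced mechanically, and doing so makes the talk's point concrete: the trace satisfies LTL1 and LTL2, yet read against the Act it collects personal information (D) at T2 while collection of medical information is not permitted (no court order C ever holds), which is exactly the violation the LTL encoding cannot see. The Python below is an added example, not code from the slides or from the authors: it implements the fullpath semantics of the "Linear Temporal Logic 102" slide over a finite trace (assumption: the last state is read as repeating forever, so X at the end stays there), the achievement and maintenance templates of the "Achievement and Maintenance Obligations in LTL" slide, and a direct reading of the Act as on "Making Sense of the Act". The names `ev`, `holds`, `maintenance`, `achievement`, `first_true`, `norm_violations` and `norm_compliant` are this example's own; the trace is constructed from the valuations v(start) … v(end) on this slide.

```python
"""Added example (not from the slides): a small LTL evaluator over finite traces,
the achievement/maintenance templates, and the slide's privacy-act check."""
from typing import List, Optional, Set, Tuple

Formula = tuple   # ("atom", p) | ("not", f) | ("and", f, g) | ("or", f, g) | ("X"|"F"|"G", f) | ("U", f, g)
State = Set[str]  # the atoms true in a state

# Constructed from the valuations on the slide "CRL: Are We Compliant?":
# A = collect medical information, B = destroy medical information,
# C = act under a court order, D = collect personal information.
TRACE: List[State] = [
    set(),            # start: ¬A, ¬B, ¬C, ¬D
    {"A"},            # T1:     A, ¬B, ¬C, ¬D
    {"A", "D"},       # T2:     A, ¬B, ¬C,  D
    {"A", "B", "D"},  # T3:     A,  B, ¬C,  D
    {"A", "B", "D"},  # end:    A,  B, ¬C,  D
]


def ev(f: Formula, trace: List[State], i: int) -> bool:
    """Evaluate f at position i. Assumption: the finite trace is read as a fullpath
    whose last state repeats forever, so X at the last position stays there."""
    op, n = f[0], len(trace)
    if op == "atom":
        return f[1] in trace[i]
    if op == "not":
        return not ev(f[1], trace, i)
    if op == "and":
        return ev(f[1], trace, i) and ev(f[2], trace, i)
    if op == "or":
        return ev(f[1], trace, i) or ev(f[2], trace, i)
    if op == "X":
        return ev(f[1], trace, min(i + 1, n - 1))
    if op == "F":  # eventually: at some position from i on
        return any(ev(f[1], trace, j) for j in range(i, n))
    if op == "G":  # globally: at every position from i on
        return all(ev(f[1], trace, j) for j in range(i, n))
    if op == "U":  # f[1] holds at every position before the one where f[2] holds
        return any(ev(f[2], trace, j) and all(ev(f[1], trace, k) for k in range(i, j))
                   for j in range(i, n))
    raise ValueError(f"unknown operator {op!r}")


def holds(f: Formula, trace: List[State]) -> bool:
    """A formula is true in a fullpath iff it is true at its first element."""
    return ev(f, trace, 0)


# Small constructors so formulas read like the slides.
def atom(p: str) -> Formula: return ("atom", p)
def Not(f: Formula) -> Formula: return ("not", f)
def And(f: Formula, g: Formula) -> Formula: return ("and", f, g)
def Or(f: Formula, g: Formula) -> Formula: return ("or", f, g)
def Implies(f: Formula, g: Formula) -> Formula: return Or(Not(f), g)
def F(f: Formula) -> Formula: return ("F", f)
def G(f: Formula) -> Formula: return ("G", f)
def U(f: Formula, g: Formula) -> Formula: return ("U", f, g)

# Templates from the slide "Achievement and Maintenance Obligations in LTL".
def maintenance(tau, phi, delta): return G(Implies(tau, U(phi, delta)))
def achievement(tau, phi, delta): return G(Implies(tau, Not(U(Not(phi), delta))))

A, B, C, D = atom("A"), atom("B"), atom("C"), atom("D")
LTL1 = G(Or(C, Or(G(Not(A)), F(And(A, F(B))))))   # the slide's LTL1
LTL2 = G(Or(F(A), G(Not(D))))                      # the slide's LTL2


def first_true(p: str, trace: List[State]) -> Optional[int]:
    """Position where an atom first becomes true (the slide's valuations are cumulative)."""
    return next((i for i, s in enumerate(trace) if p in s), None)


def norm_violations(trace: List[State]) -> List[Tuple[str, int, bool]]:
    """Read the Act directly, as on the slide "Making Sense of the Act".
    Returns (rule, position of the violating act, compensated?)."""
    a, b, c, d = (first_true(p, trace) for p in "ABCD")
    permitted_a = lambda i: c is not None and c <= i   # A permitted only under a court order
    out = []
    if a is not None and not permitted_a(a):
        out.append(("R1: medical information collected without a court order", a,
                    b is not None and b > a))           # later destruction compensates
    if d is not None and not permitted_a(d):
        out.append(("R3: personal information collected while A not permitted", d, False))
    return out


def norm_compliant(trace: List[State]) -> bool:
    """Compliant iff every violation of the Act is compensated."""
    return all(compensated for _, _, compensated in norm_violations(trace))


if __name__ == "__main__":
    print("M |= LTL1:", holds(LTL1, TRACE), " M |= LTL2:", holds(LTL2, TRACE))
    print("violations of the Act:", norm_violations(TRACE))
    print("compliant under the Act:", norm_compliant(TRACE))
```

Running it reports that M satisfies both LTL1 and LTL2 while `norm_compliant` is false: the R1 violation at T1 is compensated by the destruction at T3, but the R3 violation at T2 is not. The gap comes from LTL2, where F A is already true on this trace, so the disjunct G¬D never has to be checked even though A was never actually permitted.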


Page 24: No Time for Compliance

Conclusions

• Current compliance frameworks based on temporal logic are not able to model real-life norms.

• The result is not restricted to Linear Temporal Logic; it extends to other temporal logics.

• The result is not an impossibility theorem. If one knows what the compliant traces are, one can build a set of temporal formulas corresponding to the compliant traces (but this means using an external oracle, so it is useless for compliance).

• The result seems to affect deontic logics based on possible-world semantics.

• As far as we know, PCL and Deontic Event Calculus are not affected by the problem.


Page 25: No Time for Compliance

Questions?

Mustafa Hashmi

Guido [email protected]
