No Time for Compliance
Guido Governatori, Mustafa Hashmi
23 September 2015
www.data61.csiro.au
A Privacy Act
Section 1: (Prohibition to collect personal medical information)
Offence: It is an offence to collect personal medical information.
Defence: It is a defence to the prohibition of collecting personal medical information if an entity immediately destroys the illegally collected personal medical information before making any use of the personal medical information.
Section 2: An entity is permitted to collect personal medical information if the entity acts under a Court Order authorising the collection of personal medical information.
Section 3: (Prohibition to collect personal information) It is forbidden to collect personal information unless an entity is permitted to collect personal medical information.
Offence: an entity collected personal information.
Defence: an entity being permitted to collect personal medical information.
2 | No Time for Compliance | Guido Governatori, Mustafa Hashmi
Making Sense of the Act
• Collection of medical information is forbidden.
• Destruction of the illegally collected medical information excuses the illegal collection.
• Collection of medical information is permitted if there is an authorising court order.
• Collection of personal information is forbidden.
• Collection of personal information is permitted if the collection of medical information is permitted.
Are We Compliant?
Process (the slide's diagram, rendered as text): Start → T1 (Collect Medical Information) → T2 (Collect Personal Information) → T3 (Destroy Medical Information) → End
Motivation
• Linear Temporal Logic (LTL): mature technology to verify systems
• Similarity between conditions for obligations and temporal notions in LTL
• many compliance frameworks proposed LTL to check compliance of business processes
Can current compliance frameworks based on LTL be used to determine compliance of processes with norms?
Linear Temporal Logic 101 (Syntax)
• Xφ: at the next time φ holds;
• Fφ: eventually φ holds (sometimes in the future φ); and
• Gφ: globally φ holds (always in the future φ).
In addition there are binary operators:
• φ U ψ (until): φ holds until ψ holds (and ψ does eventually hold);
• φ W ψ (weak until): φ holds until ψ holds, but ψ might never hold, in which case φ holds forever.
Interdefinability
• Fφ ≡ ⊤ U φ,
• Gφ ≡ ¬F¬φ,
• φ W ψ ≡ (φ U ψ) ∨ Gφ
Linear Temporal Logic 102 (Semantics)
Illustrated on a fullpath σ = s0 s1 s2 s3 (the slide's diagrams, rendered as text):
• TS, σ ⊨ a: a holds at s0.
• TS, σ ⊨ Xa: a holds at s1.
• TS, σ ⊨ a U b: a ∧ ¬b holds at s0 and s1, and b holds at s2.
• TS, σ ⊨ Fa: ¬a holds at s0 and s1, and a holds at s2.
• TS, σ ⊨ Ga: a holds at s0, s1, s2 and s3.
A formula φ is true in a fullpath σ iff it is true at the first element of the fullpath.
A formula is true in a state s iff it is true in every fullpath starting at s:
TS, s ⊨ φ iff ∀σ : σ[0] = s, TS, σ ⊨ φ.
Obligation, Prohibition and Permission
Obligation: A situation, an act, or a course of action to which a bearer is legally bound, and which results in a violation if it is not achieved or performed.
Prohibition: A situation, an act, or a course of action which a bearer should avoid, and which results in a violation if it is achieved.
Permission: Something is permitted if the obligation or the prohibition to the contrary does not hold.
Achievement vs Maintenance Obligations
• For an achievement obligation, a certain condition must occur at least once before the deadline:
‘Customers must pay before the delivery of the good, after receiving the invoice’
• For a maintenance obligation, a certain condition must obtain during all instants before the deadline:
‘After opening a bank account, customers must keep a positive balance until bank charges are taken out’
Achievement and Maintenance Obligations in LTL
Maintenance obligation: Gφ; with trigger τ and deadline δ: G(τ → φ U δ)
Achievement obligation: Fφ; with trigger τ and deadline δ: G(τ → ¬(¬φ U δ))
Compliance in LTL
To determine, given a model encoding a trace of a business process and a set of formulas encoding the relevant norms, whether the formulas are satisfied by the model.
LTL Compliance Frameworks
• Several compliance frameworks based on LTL have been proposed (e.g., COMPAS, MoBuCOM, BPMN-Q); we focus on the COMPAS Compliance Requirement Language (CRL).
• They propose templates/patterns to capture “compliance requirements” based on the “temporal order” of tasks or business process components.
• Templates correspond to temporal logic formulas
CRL Patterns
• Absence: φ isAbsent, φ does not occur in the process
G¬φ
• Existence: φ Exists, φ occurs in the process
Fφ
• Leads To: φ LeadsTo ψ, φ must always be followed by ψ
G(φ→ Fψ)
CRL Contrary-to-duty Pattern
Pattern to represent compensations to violations:
φ (LeadsTo|DirectlyFollowedBy) φ1 (Else|ElseNext) φ2 . . . (Else|ElseNext) φn
translated to
G(φ → F|X(φ1 ∧ ⋀_{1≤i<n−1} (F|X(φi NotSucceed) ∧ (φi NotSucceed → F|X φi+1))))
but it does not work for maintenance obligations (prohibitions): since Gφ ∧ ¬φ → ⊥, a single violation of Gφ falsifies the formula, so no compensation can be attached to it. For a maintenance obligation the compensation has to be encoded instead as
Gφ ∨ F(¬φ ∧ F|Xψ)
CRL Exception Patterns
Strong Exceptions: [[R]]Pattern translates to φ → ψ
Weak Exceptions: [R]Pattern translates to φ ∨ ψ
where:
• φ is the LTL translation of R
• ψ is the LTL translation of Pattern
Privacy Act Logical Structure
• A (“collection of medical information”) is forbidden
  – B (“destruction of medical information”) compensates the illegal collection
• A is permitted if C (“acting under a court order”)
• D (“collection of personal information”) is forbidden
• D is permitted if A is permitted
Privacy Act in CRL and LTL
CRL1  R1 : ([R2] A isAbsent) Else B
CRL2  R2 : C
CRL3  R3 : [R4] D isAbsent
CRL4  R4 : A isPermitted
LTL1  G(C ∨ (G¬A ∨ F(A ∧ FB)))
LTL2  G(FA ∨ G¬D)
CRL: Are We Compliant?
Process (the slide's diagram, rendered as text): Start → T1 (Collect Medical Information) → T2 (Collect Personal Information) → T3 (Destroy Medical Information) → End
LTL1  G(C ∨ (G¬A ∨ F(A ∧ FB)))
LTL2  G(FA ∨ G¬D)
Valuation of the trace:
• v(start) = {¬A, ¬B, ¬C, ¬D};
• v(T1) = {A, ¬B, ¬C, ¬D};
• v(T2) = {A, ¬B, ¬C, D};
• v(T3) = {A, B, ¬C, D};
• v(end) = {A, B, ¬C, D}.
M ⊨ LTL1 ∧ LTL2
The model satisfies both formulas, so the CRL encoding reports the process as compliant, even though personal information is collected at T2 while no court order (C) holds, which Section 3 of the Act forbids.
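The trace semantics of slide 7, the LTL encoding of the Act and the verdict above, as an added example that is not the authors' code: a small finite-trace LTL evaluator in Python. The tuple-based formula constructors, the trace encoding and the act_violations check are my own; the check that collecting personal information requires a court order is my reading of Section 3, not the slides' encoding.

```python
# Added example, not from the slides: a finite-trace LTL evaluator applied to the
# slides' encoding LTL1/LTL2 and to the trace of the "CRL: Are We Compliant?" slide.
# Formulas are nested tuples: ("atom", p), ("not", f), ("and"|"or"|"U", f, g),
# ("X"|"F"|"G", f).  Finite-trace semantics: X is false in the last state.
def holds(f: tuple, trace: list, i: int = 0) -> bool:
    """TS, σ ⊨ f, evaluated at position i of the finite fullpath σ."""
    op, n = f[0], len(trace)
    if op == "atom": return bool(trace[i][f[1]])
    if op == "not":  return not holds(f[1], trace, i)
    if op == "and":  return holds(f[1], trace, i) and holds(f[2], trace, i)
    if op == "or":   return holds(f[1], trace, i) or holds(f[2], trace, i)
    if op == "X":    return i + 1 < n and holds(f[1], trace, i + 1)
    if op == "F":    return any(holds(f[1], trace, j) for j in range(i, n))
    if op == "G":    return all(holds(f[1], trace, j) for j in range(i, n))
    if op == "U":    # some state j satisfies f[2] and f[1] holds at every state before j
        return any(holds(f[2], trace, j) and all(holds(f[1], trace, k) for k in range(i, j))
                   for j in range(i, n))
    raise ValueError(f"unknown operator {op!r}")

def atom(p): return ("atom", p)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return ("or", f, g)
def F(f): return ("F", f)
def G(f): return ("G", f)

A, B, C, D = (atom(p) for p in "ABCD")
# LTL1: G(C ∨ (G¬A ∨ F(A ∧ FB)))    LTL2: G(FA ∨ G¬D)    (as on the slides)
LTL1 = G(Or(C, Or(G(Not(A)), F(And(A, F(B))))))
LTL2 = G(Or(F(A), G(Not(D))))

# Constructed trace, one valuation per state: start, T1, T2, T3, end (slide 18).
TRACE = [{p: bool(x) for p, x in zip("ABCD", bits)}
         for bits in [(0,0,0,0), (1,0,0,0), (1,0,0,1), (1,1,0,1), (1,1,0,1)]]

def ltl_compliant(trace: list) -> bool:
    """What the LTL-based framework reports: M ⊨ LTL1 ∧ LTL2."""
    return holds(LTL1, trace) and holds(LTL2, trace)

def act_violations(trace: list) -> list:
    """My direct reading of Section 3 (not the slides' encoding): a state where collection
    of personal information starts (D becomes true) with no court order C is a violation."""
    out, prev = [], False
    for i, v in enumerate(trace):
        if v["D"] and not prev and not v["C"]:
            out.append(i)
        prev = v["D"]
    return out
```

On the slide's trace ltl_compliant returns True while act_violations returns [2] (state T2): the temporal encoding accepts a trace that the Act does not.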
Conclusions
• Current compliance frameworks based on temporal logic are not able to model real-life norms.
• The result is not restricted to Linear Temporal Logic; it extends to other temporal logics.
• The result is not an impossibility theorem. If one knows which traces are compliant, one can build a set of temporal formulas corresponding to those traces (but this requires an external oracle, so it is useless for compliance checking).
• The result seems to affect deontic logics based on possible-world semantics.
• As far as we know, PCL and the Deontic Event Calculus are not affected by the problem.
Questions?
Mustafa Hashmi
Guido [email protected]