Advertisement

PriCL: Creating a Precedent, a Framework for Reasoning about Privacy Case Law

  • Michael BackesEmail author
  • Fabian Bendun
  • Jörg Hoffmann
  • Ninja Marnau
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9036)

Abstract

We introduce PriCL: the first framework for expressing and automatically reasoning about privacy case law by means of precedent. PriCL is parametric in an underlying logic for expressing world properties, and provides support for court decisions, their justification, the circumstances in which the justification applies as well as court hierarchies. Moreover, the framework offers a tight connection between privacy case law and the notion of norms that underlies existing rule-based privacy research. In terms of automation, we identify the major reasoning tasks for privacy cases such as deducing legal permissions or extracting norms. For solving these tasks, we provide generic algorithms that have particularly efficient realizations within an expressive underlying logic. Finally, we derive a definition of deducibility based on legal concepts and subsequently propose an equivalent characterization in terms of logic satisfiability.

Keywords

Leaf Node Policy Language Description Logic Legal Action World Knowledge 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Anderson, A.: A comparison of two privacy policy languages: EPAL and XACML (2005)Google Scholar
  2. 2.
    Annas, G.J.: Hipaa regulations-a new era of medical-record privacy? New England Journal of Medicine 348(15), 1486–1490 (2003)CrossRefGoogle Scholar
  3. 3.
    Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise privacy authorization language (EPAL 1.2). Submission to W3C (2003)Google Scholar
  4. 4.
    Baader, F., Calvanese, D., McGuinness, D.L., Nardi, D., Patel-Schneider, P.F. (eds.): The Description Logic Handbook: Theory, Implementation, and Applications. Cambridge University Press (2003)Google Scholar
  5. 5.
    Baader, F., Horrocks, I., Sattler, U.: Description Logics. In: Handbook of Knowledge Representation, ch. 3, pp. 135–180. Elsevier (2008)Google Scholar
  6. 6.
    Backes, M., Bendun, F., Hoffman, J., Marnau, N.: PriCL: Creating a Precedent. A Framework for Reasoning about Privacy Case Law (Extended Version) (2015), http://arxiv.org/abs/1501.03353
  7. 7.
    Backes, M., Karjoth, G., Bagga, W., Schunter, M.: Efficient comparison of enterprise privacy. In: Proc. of Symposium on Applied Computing, pp. 375–382. ACM (2004)Google Scholar
  8. 8.
    Barth, A., Datta, A., Mitchell, J.C., Nissenbaum, H.: Privacy and contextual integrity: Framework and applications. In: Proc. of S&P, p. 15. IEEE (2006)Google Scholar
  9. 9.
    Barth, A., Mitchell, J.C., Datta, A., Sundaram, S.: Privacy and utility in business processes. In: CSF, vol. 7, pp. 279–294 (2007)Google Scholar
  10. 10.
    Basin, D., Klaedtke, F., Marinovic, S., Zălinescu, E.: Monitoring compliance policies over incomplete and disagreeing logs. In: Qadeer, S., Tasiran, S. (eds.) RV 2012. LNCS, vol. 7687, pp. 151–167. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. 11.
    Basin, D.A., Klaedtke, F., Müller, S., Pfitzmann, B.: Runtime monitoring of metric first-order temporal properties. In: Proc. of FSTTCS, pp. 49–60 (2008)Google Scholar
  12. 12.
    Borgida, A.: On the relative expressiveness of description logics and predicate logics. Artificial Intelligence 82(1), 353–367 (1996)CrossRefMathSciNetGoogle Scholar
  13. 13.
    Breaux, T.D., Antón, A.I.: Analyzing regulatory rules for privacy and security requirements. IEEE Trans. on Software Engineering 34(1), 5–20 (2008)CrossRefGoogle Scholar
  14. 14.
    Cavoukian, A.: Privacy by design. Report of the Information & Privacy Commissioner Ontario, Canada (2012)Google Scholar
  15. 15.
    Datta, A., Blocki, J., Christin, N., DeYoung, H., Garg, D., Jia, L., Kaynar, D., Sinha, A.: Understanding and protecting privacy: formal semantics and principled audit mechanisms. In: Jajodia, S., Mazumdar, C. (eds.) ICISS 2011. LNCS, vol. 7093, pp. 1–27. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  16. 16.
    DeYoung, H., Garg, D., Kaynar, D., Datta, A.: Logical specification of the glba and hipaa privacy laws. CyLab, p. 72 (2010)Google Scholar
  17. 17.
    Duma, C., Herzog, A., Shahmehri, N.: Privacy in the semantic web: What policy languages have to offer. In: Proc. of POLICY, pp. 109–118. IEEE (2007)Google Scholar
  18. 18.
    European Commission. General data protection regulation, http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
  19. 19.
    Garg, D., Jia, L., Datta, A.: Policy auditing over incomplete logs: theory, implementation and applications. In: Proc. of CCS, pp. 151–162. ACM (2011)Google Scholar
  20. 20.
    Gürses, S., Gonzalez Troncoso, C., Diaz, C.: Engineering privacy by design. Computers, Privacy & Data Protection (2011)Google Scholar
  21. 21.
    Karat, J., Karat, C.-M., Bertino, E., Li, N., Ni, Q., Brodie, C., Lobo, J., Calo, S., Cranor, L., Kumaraguru, P., Reeder, R.: Policy framework for security and privacy management. IBM Journal of Research and Development 53(2), 4 (2009)CrossRefGoogle Scholar
  22. 22.
    Lämmel, R., Pek, E.: Understanding privacy policies. Empirical Software Engineering 18(2), 310–374 (2013)CrossRefGoogle Scholar
  23. 23.
    Maffei, M., Pecina, K., Reinert, M.: Security and privacy by declarative design. In: Proc. of CSF, pp. 81–96. IEEE (2013)Google Scholar
  24. 24.
    Ni, Q., Bertino, E., Lobo, J., Brodie, C., Karat, C.-M., Karat, J., Trombeta, A.: Privacy-aware role-based access control. Proc. of TISSEC 13(3), 24 (2010)Google Scholar
  25. 25.
    Office for Civil Rights, U.S. Department of Health and Human Services. Summary of the HIPAA privacy rule (2003)Google Scholar
  26. 26.
    Oh, S.E., Chun, J.Y., Jia, L., Garg, D., Gunter, C.A., Datta, A.: Privacy-preserving audit for broker-based health information exchange. In: Proc. of Data and Application Security and Privacy, pp. 313–320. ACM (2014)Google Scholar
  27. 27.
    Schmidt-Schauß, M., Smolka, G.: Attributive concept descriptions with complements. Artificial Intelligence 48(1), 1–26 (1991)CrossRefzbMATHMathSciNetGoogle Scholar
  28. 28.
    Sen, S., Guha, S., Datta, A., Rajamani, S.K., Tsai, J., Wing, J.M.: Bootstrapping privacy compliance in big data systems. In: Proc. of S& PGoogle Scholar
  29. 29.
    Tschantz, M.C., Datta, A., Wing, J.M.: Formalizing and enforcing purpose restrictions in privacy policies. In: Proc. of S& P, pp. 176–190. IEEE (2012)Google Scholar
  30. 30.
    United States Congress. Financial services modernization act of 1999 (2010)Google Scholar
  31. 31.
    United States federal law. Children’s Online Privacy Protection Act (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Michael Backes
    • 1
    Email author
  • Fabian Bendun
    • 1
  • Jörg Hoffmann
    • 1
  • Ninja Marnau
    • 1
  1. 1.CISPASaarland UniversitySaarbrückenGermany

Personalised recommendations