Purpose Restrictions

Research on Formalizing and Enforcing Purpose Restrictions

Project Description

Privacy policies often place restrictions on the purposes for which a governed entity may use personal information. For example, regulations such as the Health Insurance Portability and Accountability Act (HIPAA) require that hospital employees use medical information only for certain purposes, such as treatment, and not for others, such as gossip. Thus, using formal or automated methods to enforce privacy policies requires a semantics of purpose restrictions that determines whether an action is for a purpose or not. We provide such a semantics using a formalism based on planning. We model planning using a modified version of Markov Decision Processes (MDPs) that excludes redundant actions, for a formal definition of redundant. We argue that an action is for a purpose if and only if the action is part of a plan for optimizing the satisfaction of that purpose under the MDP model. We use this formalization to define when a sequence of actions is only for, or not for, a purpose. This semantics enables us to create and implement an algorithm for automating auditing, and to formally describe and rigorously compare previous enforcement methods. To validate our semantics, we conducted a survey comparing our semantics to how people commonly understand the word "purpose".
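The following Python sketch is an added illustration, not the project's software or the papers' algorithm: on a constructed hospital MDP, value iteration finds the optimal plan for a purpose's reward, an action counts as for that purpose when it is part of such a plan (its Q-value equals the state's optimal value), and an audit labels a trace of actions as only for, not for, or mixed with respect to the purpose. It assumes a small hand-built state space with reward functions for "treatment" and "gossip", and, as a stand-in for the papers' exclusion of redundant actions, treats any action taken where no further reward for the purpose is reachable as not for it.

```python
"""Toy planning-based purpose semantics on a constructed hospital MDP (illustration only)."""

# Constructed MDP: state -> action -> list of (probability, next_state).
TRANSITIONS = {
    "start":      {"read_record": [(1.0, "has_record")], "chat": [(1.0, "gossiped")]},
    "has_record": {"prescribe": [(0.9, "treated"), (0.1, "has_record")],
                   "chat": [(1.0, "gossiped")]},
    "treated":    {"read_record": [(1.0, "treated")], "chat": [(1.0, "gossiped")]},
    "gossiped":   {"chat": [(1.0, "gossiped")]},
}

# One reward model per purpose: reward(state, action, next_state). Constructed values.
PURPOSES = {
    "treatment": lambda s, a, s2: 1.0 if s2 == "treated" and s != "treated" else 0.0,
    "gossip":    lambda s, a, s2: 1.0 if a == "chat" else 0.0,
}


def value_iteration(purpose, gamma=0.9, tol=1e-9):
    """Return (V, Q): optimal state values and action values under the purpose's reward."""
    reward = PURPOSES[purpose]
    v = {s: 0.0 for s in TRANSITIONS}
    while True:
        q = {(s, a): sum(p * (reward(s, a, s2) + gamma * v[s2]) for p, s2 in outs)
             for s, acts in TRANSITIONS.items() for a, outs in acts.items()}
        new_v = {s: max(q[(s, a)] for a in TRANSITIONS[s]) for s in TRANSITIONS}
        if max(abs(new_v[s] - v[s]) for s in v) < tol:
            return new_v, q
        v = new_v


def is_for_purpose(state, action, purpose, eps=1e-6):
    """Planning semantics: the action is for the purpose iff it is optimal for that
    purpose's reward at this state. Assumption standing in for the papers' redundancy
    exclusion: where no future reward is reachable (V == 0), no action is for it."""
    v, q = value_iteration(purpose)
    return v[state] > eps and abs(q[(state, action)] - v[state]) < eps


def audit(trace, purpose):
    """Label a trace of (state, action) pairs as only_for, not_for or mixed for the purpose."""
    verdicts = [is_for_purpose(s, a, purpose) for s, a in trace]
    if all(verdicts):
        return "only_for", verdicts
    if not any(verdicts):
        return "not_for", verdicts
    return "mixed", verdicts
```

Calling `audit([("start", "read_record"), ("has_record", "chat")], "treatment")` returns `("mixed", [True, False])`: reading the record is part of the optimal treatment plan, while chatting is not.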

Conference Publications

Michael Carl Tschantz, Anupam Datta, and Jeannette M. Wing
Formalizing and Enforcing Purpose Restrictions in Privacy Policies
Proceedings of the 33rd IEEE Symposium on Security and Privacy, 2012

Michael Carl Tschantz, Anupam Datta, and Jeannette M. Wing
Purpose Restrictions on Information Use
The 18th European Symposium on Research in Computer Security (ESORICS), 2013

Tech Reports

Michael Carl Tschantz, Anupam Datta, and Jeannette M. Wing
On the Semantics of Purpose Requirements in Privacy Policies
Tech. Rep. CMU-CS-11-102, 2011 (also available on arXiv)

Michael Carl Tschantz, Anupam Datta, and Jeannette M. Wing
Formalizing and Enforcing Purpose Restrictions in Privacy Policies (Full Version)
School of Computer Science, Carnegie Mellon University, Tech. Rep. CMU-CS-12-106, March 2012

Michael Carl Tschantz
Formalizing and Enforcing Purpose Restrictions
Ph.D. Dissertation, School of Computer Science, Carnegie Mellon University, Tech. Rep. CMU-CS-12-117, May 2012

Michael Carl Tschantz, Anupam Datta, and Jeannette M. Wing
Purpose Restrictions on Information Use
Tech. Rep. CMU-CS-13-116, 2013

Software

In the above papers, we refer to an implemented algorithm. It and related software may be downloaded here as audit-implementation.zip.

The README.txt included in audit-implementation.zip provides details of the implementation.