
An Adaptive Privacy Management System for Data Repositories

Marco Casassa Mont (marco_casassa-mont@hp.com)
Trusted Systems Lab, HP Labs, Bristol, UK
2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Presentation Outline
- Privacy: Core Concepts
- Scenarios and Key Issues
- Addressed Problem
- Related Work vs. Our Approach
- Our Approach: Adaptive Privacy Management
- Discussion and Open Issues
- Conclusions


Privacy: Core Concepts

Privacy Management has strong implications on how Personally Identifiable Information (PII data) is managed by the various parties accessing these data.

Diagram: PEOPLE provide Personal Data to Enterprises/Organisations, whose Applications & Services are used by Employees, Partners, Third Parties, etc. Personal Data are governed by Privacy Policies, which derive from Laws/Legislation, Guidelines and Preferences.

Privacy for Personal Data: Principles
- Purpose Specification
- Consent
- Limited Collection
- Limited Use
- Limited Disclosure
- Limited Retention

Privacy Policies: Rights, Permissions and Obligations

Privacy Policies express Privacy Rights, Privacy Permissions and Privacy Obligations over the principles above: Purpose Specification, Consent, Limited Collection, Limited Use, Limited Disclosure and Limited Retention.


Relevant Scenarios

Enterprise
- Company vs. Private data for Employees
- Protection of Customers' and Employees' Data
- Compliance to Legislation

Health Care
- View on Data dependent upon Requestors' Roles
- Patients' Sensitive Data

Federated Identity Management
- Partners and Third Parties should only get the minimal (required) Personal Information

Common themes: Conflicting Interests, Multiple Views on Data, Accountability.

We want to enable an Incremental Disclosure of Personal Data driven by Privacy Policies and the Current Context.

Focus: Enterprise Scenario

Diagram: Personal Data flow from PEOPLE into the Enterprise through an Application/Service, and from there are accessed by employees holding different roles (Role 1, Role 2, Role 3).

Key Issues

- Data might be accessed and manipulated by multiple employees to fulfil tasks and to support/provide information to people with different roles (marketing, management, etc.).
- These employees might actually not be entitled to access these data, because of data sensitivity and privacy policies; however, they are the only ones who know how to retrieve and manipulate the data.
- Access is granted to enable Business Processes vs. Privacy.
- Data can be disclosed outside the Enterprise: Privacy Policy Enforcement is then based on Trust (and Contracts).


Addressed Problem

Adaptive Privacy Policy Enforcement for Personal Data Stored in Data Repositories:
- How to allow people with different roles to retrieve relevant data and, at the same time, enforce privacy policies without disrupting business processes and interaction flows?
- How to do it in an inter-enterprise context?
- How to have an adaptive disclosure of these data based on the context?
- How to audit disclosures and ensure accountability?


Prior Art vs. Our Approach

Prior Art
- Translucent Databases: based on Encryption and Access Control (AC)
- Hippocratic Databases: fine-grained Privacy Policies on Confidential Data; no control after data disclosure; only RDBMS databases
- IBM Tivoli Privacy Manager: product available on the Market; no control after data disclosure; vertical approach
- DRM Solutions: control after data disclosure; not really for data repositories

Our Approach
- Focus on and leverage current Data Repositories
- Privacy Management: flexible and adaptive to the Context
- Supports fine-grained Privacy Policies
- Incremental disclosure of Confidential Data based on Privacy Policies
- R&D Work in Progress


Our Approach: Adaptive Privacy Management

- Personal Data are Encrypted and Stored in Data Repositories along with Privacy Policies (as a Privacy Policy Package plus Encrypted Data).
- Retrieved/Disclosed Data could still be (partially) Encrypted and Strongly Associated to their Privacy Policies.
- The actual Visibility (Access) of Encrypted Data is Adaptive, depending on the Requestor, Context, Intent and Purpose.
- Multiple Views on Personal Data.

Our Adaptive Privacy Model

Diagram:
- Data Repositories hold the Privacy Policy Package and the Encrypted Data.
- Entity 1 and Entity 2 each retrieve data through their own Privacy Virtualization System (PVS); each PVS sends an <Access Request: privacy policies, Credentials, Contextual Information> to the Privacy Management Service (PMS).
- The PMS returns Decryption keys to each PVS according to the policies, so that Entity 1 obtains Data Structure: View 1 and Entity 2 obtains Data Structure: View 2 of the same Information Flow.

Personal Data: Encryption

Actual Data Stored in the Data Repository:
- Encrypted Personal Data
- Privacy Policy
- Package, Encrypted with the PMS Public Key, containing:
  - the Symmetric Key used to Encrypt the Personal Data
  - the Hash of the Privacy Policy

Encryption Techniques

Traditional Public Key Cryptography
- Enveloping techniques: a Symmetric Key is used to Encrypt the Personal Data
- Package Encryption: Public Key of the Privacy Management Service

Identifier-based Cryptography (IBE)
- Three-player model: Sender, Receiver, Trust Authority
- Use the Privacy Policy directly (and a Public Detail of the Trust Authority) to Encrypt the Personal Data
- Alternatively, use a Symmetric Key (for better performance)
- The Privacy Management Service is the Trust Authority
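The enveloping variant of the two slides above (symmetric key for the data, key plus policy hash sealed under the PMS public key, key released only after the PMS has checked the policy) as an added, constructed Go example; it is not HP Labs code and uses the "traditional public key" option, AES-256-GCM plus RSA-OAEP from the Go standard library, rather than IBE. The policy grammar (a comma-separated list of entitled departments) and all data values are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// Package models the slides' Privacy Policy Package (constructed here): data under a
// per-record symmetric key, the policy in clear, and (key || SHA-256(policy)) under RSA-OAEP.
type Package struct {
	Policy     string // constructed grammar: comma-separated entitled departments
	Nonce      []byte
	Ciphertext []byte
	Envelope   []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store runs at storage time: fresh AES-256-GCM key, policy bound in the envelope
// hash and also as GCM additional data.
func Store(pmsPub *rsa.PublicKey, policy string, personalData []byte) (*Package, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, personalData, []byte(policy))
	h := sha256.Sum256([]byte(policy))
	env, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pmsPub, append(key, h[:]...), nil)
	if err != nil {
		return nil, err
	}
	return &Package{Policy: policy, Nonce: nonce, Ciphertext: ct, Envelope: env}, nil
}

// ReleaseKey is the PMS side: open the envelope, check the policy presented with the
// data is the one sealed at storage time, evaluate it, then release the key to the PVS.
func ReleaseKey(pmsPriv *rsa.PrivateKey, pkg *Package, requesterDept string) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, pmsPriv, pkg.Envelope, nil)
	if err != nil {
		return nil, err
	}
	if len(plain) != 32+sha256.Size {
		return nil, fmt.Errorf("malformed envelope")
	}
	key, sealedHash := plain[:32], plain[32:]
	presented := sha256.Sum256([]byte(pkg.Policy))
	if subtle.ConstantTimeCompare(sealedHash, presented[:]) != 1 {
		return nil, fmt.Errorf("policy does not match the one bound at storage time")
	}
	if !strings.Contains(","+pkg.Policy+",", ","+requesterDept+",") {
		return nil, fmt.Errorf("department %q not entitled by policy", requesterDept)
	}
	return key, nil
}

// Open is the PVS side: decrypt with the released key. GCM also rejects a package
// whose policy (the additional data) was altered after storage.
func Open(pkg *Package, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, pkg.Nonce, pkg.Ciphertext, []byte(pkg.Policy))
}

func main() {
	pmsKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pkg, err := Store(&pmsKey.PublicKey, "customer_service,accounts", []byte("name=Jane Doe"))
	if err != nil {
		panic(err)
	}
	for _, dept := range []string{"customer_service", "advertising"} {
		_, err := ReleaseKey(pmsKey, pkg, dept)
		fmt.Printf("%s: key released = %v\n", dept, err == nil)
	}
}
```

The point of hashing the policy into the envelope is the "strongly associated" property of the previous slide: a PVS that receives a package whose policy text has been swapped cannot get the key from the PMS, and because the same policy is GCM additional data, even a leaked key would not decrypt a package carrying a different policy.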

Example: Travel Agency [1/3]

Customer DB fields:
- unique (internal) customer ID
- customer name
- customer address
- credit card number
- customer country
- customer flight preferences
- customer data usage preferences
- customer gender

Privacy Policies:
- all fields are viewable by members of the customer service department;
- the credit card number must be readable only by accredited personnel or systems within the account department;
- the name and address fields may be readable by the advertising department only if approved in the customer's data usage preferences.


Example: Travel Agency [2/3]

Customer DB fields: unique (internal) customer ID, customer name, customer address, credit card number, customer country, customer flight preferences, customer data usage preferences, customer gender.

Policy attached to the name and address fields:

Access_Granted IF requestor.department = {customer_service}
    OR IF (requestor.department = {advertising} AND data_usage = Y)

Example: Travel Agency [3/3]

Privacy Management Service / Privacy Virtualization System / Customer DB.
Role: Member of Advertising Department.
Query: SELECT * FROM customer_table WHERE customer_country = uk

Result returned to the requestor (XML, DataSet, ResultSet, etc.), with the credit card number still encrypted and tagged with its policy reference:

<extracteddata>
  <PrivacyManagementService>125.18.219.66</PrivacyManagementService>
  <mediator>www.policysite.org/mediator.jar</mediator>
  <record>
    <customerID>123857841</customerID>
    <customername>Jane Doe</customername>
    <customeraddress>
      <street>123 Long Ave.</street>
      <city>New York</city>
      <state>NY</state>
      <zip>12345-0000</zip>
    </customeraddress>
    <customercreditcardnumber>
      www.policysite.org/12568.pol, MTM0VF9F5E$R96%K#$PCP3$QCP04T#2T
    </customercreditcardnumber>
    <customercountry>USA</customercountry>
    <customerflightpref>Window,Vegitarian</customerflightpref>
    <customerdatausage>Y</customerdatausage>
    <customersex>F</customersex>
  </record>
</extracteddata>
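The field-level policy evaluation behind the three Travel Agency slides, as an added Go example written here (not the slides' or HP Labs' code). It applies the slide's Access_Granted expression to the name and address fields, the "accredited account department only" rule to the credit card number, and, as an assumption consistent with the [3/3] output where an advertising member sees every other field in clear, the same Access_Granted expression to the remaining fields. Field names, the Requester attributes and the ENCRYPTED(...) marker standing in for the policy reference plus ciphertext are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Requester: attributes carried in the access request to the PMS (constructed).
type Requester struct {
	Department string
	Accredited bool // "accredited personnel or systems" of the account department
}

// Record: one customer row. DataUsage is the customer's own data-usage
// preference (the data_usage flag of slide [2/3]).
type Record struct {
	Fields    map[string]string
	DataUsage bool
}

// Rule decides whether one field of a record may be shown in clear.
type Rule func(r Requester, rec Record) bool

// accessGranted is the slide's expression:
//   Access_Granted IF requestor.department = {customer_service}
//     OR IF (requestor.department = {advertising} AND data_usage = Y)
func accessGranted(r Requester, rec Record) bool {
	return r.Department == "customer_service" ||
		(r.Department == "advertising" && rec.DataUsage)
}

// creditCardOnlyForAccounts: "readable only by accredited personnel or
// systems within the account department".
func creditCardOnlyForAccounts(r Requester, _ Record) bool {
	return r.Department == "accounts" && r.Accredited
}

// fieldPolicy maps a field to its rule; unlisted fields fall back to
// accessGranted (assumption, see lead-in).
var fieldPolicy = map[string]Rule{
	"credit_card_number": creditCardOnlyForAccounts,
	"customer_name":      accessGranted,
	"customer_address":   accessGranted,
}

// View builds what the PVS hands back: permitted fields in clear, the rest
// left as the stored form. The marker is a constructed stand-in for the
// policy reference plus ciphertext the real package carries.
func View(rec Record, r Requester) map[string]string {
	out := make(map[string]string, len(rec.Fields))
	for name, value := range rec.Fields {
		rule, ok := fieldPolicy[name]
		if !ok {
			rule = accessGranted
		}
		if rule(r, rec) {
			out[name] = value
		} else {
			out[name] = "ENCRYPTED(www.example.org/" + name + ".pol)"
		}
	}
	return out
}

// ClearFields lists, sorted, the fields a requester sees in clear.
func ClearFields(rec Record, r Requester) []string {
	var names []string
	for name, v := range View(rec, r) {
		if !strings.HasPrefix(v, "ENCRYPTED(") {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// sampleRecord is constructed test data (card number is a placeholder).
func sampleRecord(dataUsage bool) Record {
	return Record{
		Fields: map[string]string{
			"customer_id":          "123857841",
			"customer_name":        "Jane Doe",
			"customer_address":     "123 Long Ave., New York, NY",
			"credit_card_number":   "XXXX-XXXX-XXXX-0000",
			"customer_country":     "USA",
			"customer_flight_pref": "Window",
		},
		DataUsage: dataUsage,
	}
}

func main() {
	for _, r := range []Requester{
		{Department: "customer_service"},
		{Department: "advertising"},
		{Department: "accounts", Accredited: true},
	} {
		fmt.Printf("%-17s sees in clear: %v\n", r.Department, ClearFields(sampleRecord(true), r))
	}
}
```

Running it shows the "multiple views" idea of the model slide: the same stored record yields a view without the card number for customer service and advertising (the latter only while data_usage = Y), and a view with only the card number for an accredited member of accounts.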

System: High Level Architecture

Diagram, reconstructed as a component list:
- Applications / People submit a Privacy Policy + Access Request through the Privacy Virtualization API.
- Privacy Virtualization System: Privacy Virtualization API, Data Mgmt, Policy Handler, Comms, Decryption Module, Encryption Module.
- Privacy Management Services: Comms, Authentication, Disclosure Management Module, Privacy Policy Engine, API, Context Management (Credentials Verification, Sensors, Gathering of Contextual Information/Settings, Enterprise Policies), Audit Module, Audit Logs. The Deobfuscation Key is returned to the Privacy Virtualization System.
- Data Repositories: Privacy Policy Package, Encrypted Data.


Discussion

- Privacy and Confidentiality are enforced even if the Privacy Virtualization System is bypassed: Data are Encrypted.
- The Privacy Management Service(s) can act as a Trusted Auditing System for Accountability and Compliance Management Verifications.
- Once Data are Disclosed they can be Misused: Auditing as a Risk Mitigation Mechanism.
- We have all the Technological Components to build a Prototype: Database Mediator (Proxy), IBE/Crypto Libraries and Auditing Systems.

Open Issues and Future Work

- Renewal of Encryption Keys/Revocation: aspect to be fully explored.
  - Session Keys are transparent to users (but not to the PVS).
  - Option to change Session Keys every time data is disclosed.
- Lifecycle Management of Privacy Policies associated to Data: need for Tools to simplify their Management and Update.
- Performance Issues: to be fully investigated once our Prototype is available.
- Future Work: build a Prototype, research and explore how to better address these Open Issues in Real-World Contexts.


Conclusions

- Importance of Enforcing Privacy and, at the same time, enabling Business Interactions.
- We propose a Privacy Management System to enable Adaptive, Incremental Disclosure of Personal Data based on Privacy Policies.
- All technological components are available at HPL.
- Open Issues: Policy and Key Lifecycle Management, and Performance.
- Next Steps: build a working Prototype and experiment in Real-world Contexts.
- It is Work in Progress.

Backup Slides

What is Identifier-based Encryption (IBE)?

- It is an Emerging Cryptography Technology based on a Three-Player Model: Sender, Receiver, Trust Authority (Trusted Third Party).
- Same Strength as RSA.
- Different Approaches: Quadratic Residuosity, Weil Pairing, Tate Pairing.
- SW Library and Technology available at HP Laboratories.

IBE Core Properties

- 1st Property: any kind of String (or sequence of bytes) can be used as an IBE encryption key: for example a Role, an e-Mail Address, a Picture, a Disclosure Time, Terms and Conditions, a Privacy Policy.
- 2nd Property: the generation of IBE decryption keys can be postponed in time, even a long time after the generation of the corresponding IBE encryption key.
- 3rd Property: reliance on at least one trust authority (trusted third party) for the generation of the IBE decryption key.

IBE Three-Player Model (Alice, Bob, Trust Authority)

1. The Trust Authority generates and protects a Secret, and publishes a Public Detail N.
2. Alice knows the Trust Authority's published value of the Public Detail N (it is well known or available from a reliable source).
3. Alice chooses an appropriate Encryption Key and encrypts the message:
   Encrypted message = {E(msg, N, encryption key)}
4. Alice sends the encrypted Message to Bob, along with the Encryption Key.
5. Bob requests the Decryption Key associated to the Encryption Key from the relevant Trust Authority.
6. The Trust Authority issues an IBE Decryption Key corresponding to the supplied Encryption Key only if it is happy with Bob's entitlement to the Decryption Key. It needs the Secret to perform the computation.
