Inferring Accountability from Trust Perceptions Koen Decroix, Denis Butin, Joachim Jansen, Vincent...

Post on 21-Dec-2015


Inferring Accountability from Trust Perceptions

Koen Decroix, Denis Butin, Joachim Jansen, Vincent Naessens

ICISS 2014, Hyderabad

Outline

• Introducing Accountability
• Goal
• Modeling Approach
• Evaluation
• Conclusions

Introducing Accountability

Figure (sign-up form): Username, Password, Email, Date of birth, Sex, Name, Credit card information

Privacy policy

Alice agrees with the terms and policies of Spotify and gives her explicit consent for the specified data handling practices.

Often vague about:
• Purpose for which personal data is used
• The collaborating third parties they forward data to
• Obligations in terms of third-party forwarding
• Retention of personal data
• …

Figure: Spotify forwards Alice's data onward to Advertisers, Sub-contractors and Facebook; the further flows from each of these are unknown ("?").

…, but this may have unexpected consequences, outside the scope of Spotify's obligations.

She loses control over her personal data,

…, and her personal data may even spread to locations with less restrictive privacy regulations.

Accountability: a key component for protecting an individual's privacy

Necessity to demonstrate compliance as a burden for data controllers

Accountability is explicitly cited as an obligation of data processors for their data handling practices in the upcoming EU Data Protection Regulation.

Proposal for the upcoming EU Data Protection Regulation:

Article 22 takes account of the debate on a "principle of accountability" and describes in detail the obligation of responsibility of the controller to comply with this Regulation and to demonstrate this compliance, including by way of adoption of internal policies and mechanisms for ensuring such compliance.

Goal

Figure: Spotify and its onward recipients Advertisers, Sub-contractors and Facebook; the further flows are unknown ("?").

Spotify fulfills its promises, but what about the others?

Even if every organization individually has clear data handling practices, the global result is opaque for Alice.

What would she like? To understand the system-wide (global) guarantees of data controllers that apply to her personal data.

Modeling Approach

Inferring Global Accountability Guarantees

= A panoramic overview from the viewpoint of a trusted auditor who operates on behalf of the user. This overview also takes the user's privacy preferences into account.

Figure (modeling architecture): the Input Model (User Model and System Model), built on a System Independent Model (Vocabulary, Accountability Concepts), is fed to the Knowledge Base System (IDP), which infers the Global Accountability Profile.

User Model
• User Type: Naïve, Regular User, Privacy-Aware
• Trusted Organizations

System Model
• Entities: Organizations, Components, Operators
• Entity Statements: Duties, Prohibitions, Notification Guarantees, Retention Limits

Global Accountability Computation Rules

Figure: Camera Surveillance in the Railway Station. Organizations: Railway (company), Security Company. Components: Camera, Monitor, Image DB, Status DB, Mobile Device, Status Processor, Image Processor. Operator: Surveillance Guard. Data categories: Face, Blurred Face, Picture Incident, Gait, Height, Behavior, Location, Time.

System Model (IDP):

type DataCategory = { PersData; Face; … }
DataCategoryOf(DataCategory, DataCategory) = { Face, PictureIncident; … }
ComponentOf(Component) : Organization = { Camera → RailwayCompany; … }
EmployeeOf(Operator) : Organization = { SurveillanceGuard → SecurityCompany; … }
OperatorOf(Operator, Component) = { SurveillanceGuard, Monitor; … }
ComponentCanCollect(Component, DataCategory) = { Camera, Face; Camera, BlurredFace; ImageDB, BlurredFace; … }

Individual Statements

Figure: Camera Surveillance Statements. Each entity of the Railway company (Camera, Monitor, Image DB, Status DB, Mobile Device) and of the Security Company carries its own data handling statements.

Accountability Levels

We consider three levels of accountability (statement assurance):

• Declarative statements (D): only specified in data handling statements.

• Logged Unverified statements (L): data handling logs are provided together with the statement but cannot be checked straight away.

• Logged and Verified statements (V): data handling logs are provided and checked; this is the highest level of accountability.

Decomposing Data Handling Statement

Example 1: (L) Full body pictures with blurred faces or clear faces, gaits, heights, and behavior are recorded for incident detection.

Statement of = Railway company
Subjects = Face, Blurred Face, Gait, Height, Behavior
Purpose = Incident detection
Permission = Always (duty)
Action = Record (collect)
Proof = LoggedUnverified

Example 2: (V) Full body pictures with clear faces, gaits, heights, and behavior are never processed for the purpose of identification.

Statement of = Image database
Subjects = Face, Gait, Height, Behavior
Purpose = Identification
Permission = Never (prohibition)
Action = Process
Proof = LoggedAndVerified

Example 3: (L) The maximal retention time for any category of collected personal data is 60 days.

Statement of = Railway company
Subjects = Personal Data
Proof = LoggedUnverified
RetentionLimit = 60 days

Decomposing Data Handling Statement

Other statement aspects:
• Conditions: e.g., only forward pictures to legal authorities upon their request.
• Forwarding data: e.g., pictures are forwarded to legal authorities.
• Notification guarantee: e.g., a weekly SMS is sent to a customer containing the current status.

Decomposing Data Handling Statement

StatementFrom(Statement) : Entity = { StatR1 → RailwayCompany; … }
StatementSubject(Statement, DataCategory) = { StatR1, Face; … }
StatementPurpose(Statement, Purpose) = { StatR1, DetectIncident; … }
partial StatementCondition(Statement) : Condition = { StatR2 → RequestLegalAuthority; … }
StatementPermission(Statement) : Permission = { StatR1 → Always; … }
partial StatementAction(Statement) : Action = { StatR1 → Collecting; … }
StatementDestination(Statement, Organization) = { StatR2, LegalAuthority; … }
partial StatementRetentionLimit(Statement) : Duration = { StatR4 → 60; … }
StatementNotificationGuarantee(Statement) = { }
StatementProof(Statement) : StatementEvidence = { StatR1 → LoggedUnverified; StatR2 → Declarative; … }

User Model: Trust Perceptions

Required data handling assurance levels:
• Naive user: purely declarative statements are sufficient
• Regular user: data handling logs are sufficient
• Privacy-aware user: data handling logs must be verified

Trusted organizations: e.g., Railway

Knowledge Base System (IDP): worst-case synthesis of the global accountability profile (GAP)

Global Accountability Profile Inference

Inputs: Individual Statements, Trust Perceptions
Output: Global Duties, Global Prohibitions, Global Retention Limits, Global Notification Guarantees

IDP Representation of the GAP

GAPCollectData(DataCategory)
GAPCollectDataAction(DataCategory, Action)
GAPCollectDataForPurposeOf(DataCategory, Purpose)
GAPCollectDataCondition(DataCategory, Condition)
GAPCollectDataProof(DataCategory, GAPEvidence)

GAPForwardDataTo(DataCategory, Organization)
GAPForwardDataAction(DataCategory, Action)
GAPForwardDataForPurposeOf(DataCategory, Purpose)
GAPForwardDataCondition(DataCategory, Condition)
GAPForwardDataProof(DataCategory, GAPEvidence)

GAPRetentionLimit(DataCategory, Duration)
GAPRetentionLimitCondition(DataCategory, Condition)
GAPRetentionLimitProof(DataCategory, GAPEvidence)

Global Statement Guarantees

Statements of an entity, or of the organization the entity belongs to, are (G)uaranteed or (U)ncertain as a function of the modeled user. The table relates the proof level of a statement S, Proof(S) ∈ {Declared, LoggedUnverified, LoggedAndVerified}, to the three user types: Naive User (U1), Regular User (U2), Privacy-aware User (U3).

Global statement evidence (Uncertain or Guaranteed) is then derived for each kind of statement: Duty(), Prohibition(), NotificationGuarantee(), RetentionLimit().

Deduction of Global Data Categories

Worst-case computation rule for the deduction of the global data categories deduced from statement S of entity E:

$\psi(S, E, DC) \equiv \mathit{CanCollect}(E, DC) \land \mathit{Sub}(DC)$

where Sub denotes the subject of statement S and CanCollect the collectable data categories of entity E.

Global Duty Computation Rules

Some examples of worst-case computation rules for Global Duty aspects:

• Global purpose of a data category: union of all purposes of the individual duties whose subject is the global data category. If no purpose is specified, then all purposes are assumed.
• Global actions for a data category: union of all actions of the individual statements with the global data category.

Inferred GAP of Camera Surveillance

U1: Naive user; U2: Regular user; U3: Privacy-aware user
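The inference pipeline described in the slides (system model, decomposed statements, trust perceptions, and the worst-case rules for global data categories and global duties) as an added Python illustration. This is not the authors' IDP code: the Statement fields, the three user types, the psi rule and the union/all-purposes rules follow the slides, while the system model, the sample statements, the trusted-organization sets and the Guaranteed/Uncertain bookkeeping for collection and retention entries are constructed assumptions of this example.

```python
"""Worst-case inference of a Global Accountability Profile (GAP), modelled after
the IDP approach in the talk. Added illustration, not the authors' code: system
model, statements, TRUSTED sets and the evidence bookkeeping are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional


class Evidence(IntEnum):            # StatementEvidence, ordered by assurance level
    DECLARATIVE = 0
    LOGGED_UNVERIFIED = 1
    LOGGED_AND_VERIFIED = 2


# Required assurance level per prototypical user type (user model slide)
REQUIRED = {"Naive": Evidence.DECLARATIVE,
            "Regular": Evidence.LOGGED_UNVERIFIED,
            "PrivacyAware": Evidence.LOGGED_AND_VERIFIED}
# Organizations each user type trusts unconditionally (constructed)
TRUSTED = {"Naive": {"RailwayCompany"}, "Regular": set(), "PrivacyAware": set()}
ALL_PURPOSES = frozenset({"DetectIncident", "Identification", "Statistics", "Marketing"})


@dataclass(frozen=True)
class Statement:
    sid: str
    entity: str                               # StatementFrom
    subjects: FrozenSet[str]                  # StatementSubject
    permission: str                           # "Always" = duty, "Never" = prohibition
    action: Optional[str] = None              # StatementAction
    purposes: FrozenSet[str] = frozenset()    # StatementPurpose
    proof: Evidence = Evidence.DECLARATIVE    # StatementProof
    retention_days: Optional[int] = None      # StatementRetentionLimit


# Constructed system model: ComponentOf, ComponentCanCollect, DataCategoryOf(sub, super)
COMPONENT_OF = {"Camera": "RailwayCompany", "ImageDB": "RailwayCompany"}
CAN_COLLECT = {"Camera": {"Face", "BlurredFace", "Gait"}, "ImageDB": {"BlurredFace", "Gait"}}
DATA_CATEGORY_OF = {("Face", "PictureIncident"), ("BlurredFace", "PictureIncident"),
                    ("PictureIncident", "PersData"), ("Gait", "PersData")}


def super_categories(dc):
    """dc plus every category above it in the DataCategoryOf hierarchy."""
    seen, todo = {dc}, [dc]
    while todo:
        cur = todo.pop()
        for sub, sup in DATA_CATEGORY_OF:
            if sub == cur and sup not in seen:
                seen.add(sup)
                todo.append(sup)
    return seen


def can_collect(entity):
    """CanCollect(E, DC): a component's own categories, or the union over an organization's components."""
    if entity in CAN_COLLECT:
        return set(CAN_COLLECT[entity])
    return set().union(*(CAN_COLLECT[c] for c, org in COMPONENT_OF.items() if org == entity))


def global_categories(stmt):
    """psi(S, E, DC) = CanCollect(E, DC) and Sub(DC); a subject like PersData covers all collectable sub-categories."""
    return {dc for dc in can_collect(stmt.entity) if super_categories(dc) & stmt.subjects}


def guaranteed(stmt, user):
    """Trust perception: a statement counts if its evidence meets the user's bar or the entity is trusted."""
    return stmt.entity in TRUSTED[user] or stmt.proof >= REQUIRED[user]


def infer_gap(statements, user):
    """Worst-case GAP: collect duties (purposes/actions unioned, no purpose = all purposes),
    guaranteed prohibitions only, and the longest retention limit per data category."""
    gap = {"collect": {}, "prohibit": {}, "retention": {}}
    for s in statements:
        g = "Guaranteed" if guaranteed(s, user) else "Uncertain"
        for dc in global_categories(s):
            if s.retention_days is not None:
                limit, ev = gap["retention"].get(dc, (None, "Uncertain"))
                if g == "Guaranteed" and ev == "Uncertain":
                    gap["retention"][dc] = (s.retention_days, "Guaranteed")
                elif g == ev:            # an uncertain statement never weakens a guaranteed limit
                    gap["retention"][dc] = (max(limit or 0, s.retention_days), ev)
            elif s.permission == "Always":
                e = gap["collect"].setdefault(dc, {"purposes": set(), "actions": set(), "evidence": "Guaranteed"})
                e["purposes"] |= s.purposes or ALL_PURPOSES
                if s.action:
                    e["actions"].add(s.action)
                if g == "Uncertain":
                    e["evidence"] = "Uncertain"
            elif s.permission == "Never" and g == "Guaranteed":
                gap["prohibit"].setdefault(dc, set()).update(s.purposes or ALL_PURPOSES)
    return gap


# Constructed statements: examples 1-3 of the talk plus the split "image database" statement
STATEMENTS = [
    Statement("StatR1", "RailwayCompany", frozenset({"Face", "BlurredFace", "Gait", "Height", "Behavior"}),
              "Always", "Collecting", frozenset({"DetectIncident"}), Evidence.LOGGED_UNVERIFIED),
    Statement("StatI1", "ImageDB", frozenset({"Face", "Gait", "Height", "Behavior"}),
              "Never", "Process", frozenset({"Identification"}), Evidence.LOGGED_AND_VERIFIED),
    Statement("StatR4", "RailwayCompany", frozenset({"PersData"}), "Always",
              proof=Evidence.LOGGED_UNVERIFIED, retention_days=60),
    Statement("StatI2", "ImageDB", frozenset({"BlurredFace", "Gait"}), "Always", "Store",
              frozenset({"Statistics", "Marketing"}), Evidence.DECLARATIVE),
    Statement("StatI3", "ImageDB", frozenset({"BlurredFace", "Gait"}), "Always",
              proof=Evidence.DECLARATIVE, retention_days=30),
]

if __name__ == "__main__":
    for user in REQUIRED:
        print(user, infer_gap(STATEMENTS, user))
```

Running the block prints one profile per user type. For the regular user the declarative image-database statements are uncertain, so the collection entries for BlurredFace and Gait carry all their purposes but only Uncertain evidence, while the logged 60-day limit of the railway company stays Guaranteed; for the privacy-aware user only the logged-and-verified prohibition survives as a guarantee. IDP computes such a profile declaratively as a model of the theory; this imperative version is a single pass over the statements and serves only to make the rules concrete.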

Evaluation

Modeling Concepts

• Modeling concepts are defined for statements containing single declarations.
• Statements containing multiple declarations, e.g. "The image database stores the blurred faces and gait for a maximum of 30 days and for the purpose of statistics and marketing", must be split into two statements:
  o a duty that blurred face and gait are stored
  o a retention limit that it stores personal data for a maximum of 30 days

Framework Components

• User model:
  o Coarse-grained prototypical user types; modelers only need to specify the type of user via a constant, e.g., .
• Reusable modeling components. For a given system model:
  o Different types of users can easily be applied by changing the user model.
  o Different samples (collected by the auditor) of statement evidence can be applied.

Modeling Extensions

• Detecting conflicts:
  o Models can be extended with user privacy preferences. Conflicts can be detected between these and the data handling statements in the system.
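The conflict detection sketched in this extension, as an added Python example that is not part of the talk or the authors' IDP models. The GAP layout (a "collect" entry per data category with its purposes and evidence, and a "retention" pair of days and evidence), the preference fields and all sample values are constructed for the illustration.

```python
"""Conflict detection between a user's privacy preferences and an inferred
global accountability profile (GAP). Added example: the GAP layout, the
preference fields and the sample values are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class PrivacyPreferences:
    never_collect: Set[str] = field(default_factory=set)       # categories the user refuses to share
    forbidden_purposes: Set[str] = field(default_factory=set)  # purposes the user does not accept
    max_retention_days: Optional[int] = None                   # longest acceptable retention
    require_guaranteed: bool = True                            # uncertain statements count as conflicts


def detect_conflicts(gap, prefs):
    """Return a sorted list of (data_category, reason) pairs where the GAP
    violates the preferences; an empty list means the system is acceptable."""
    conflicts = []
    for dc, entry in gap["collect"].items():
        if dc in prefs.never_collect:
            conflicts.append((dc, "collected although the user refuses it"))
        for purpose in sorted(entry["purposes"] & prefs.forbidden_purposes):
            conflicts.append((dc, f"used for forbidden purpose {purpose}"))
        if prefs.require_guaranteed and entry["evidence"] != "Guaranteed":
            conflicts.append((dc, "collection statement is only uncertain"))
    for dc, (limit, evidence) in gap["retention"].items():
        if prefs.max_retention_days is not None and (limit is None or limit > prefs.max_retention_days):
            conflicts.append((dc, f"retention {limit} days exceeds {prefs.max_retention_days}"))
        if prefs.require_guaranteed and evidence != "Guaranteed":
            conflicts.append((dc, "retention limit is only uncertain"))
    return sorted(conflicts)


# Constructed GAP for a regular user of the camera surveillance system
SAMPLE_GAP = {
    "collect": {
        "Face": {"purposes": {"DetectIncident"}, "evidence": "Guaranteed"},
        "Gait": {"purposes": {"DetectIncident", "Marketing"}, "evidence": "Uncertain"},
    },
    "retention": {"Face": (60, "Guaranteed"), "Gait": (60, "Uncertain")},
}
SAMPLE_PREFS = PrivacyPreferences(never_collect={"Face"}, forbidden_purposes={"Marketing"},
                                  max_retention_days=30)

if __name__ == "__main__":
    for dc, reason in detect_conflicts(SAMPLE_GAP, SAMPLE_PREFS):
        print(f"{dc}: {reason}")
```

With the sample values the check reports six conflicts: the refused Face category and the 60-day retention on both categories exceed the preferences, Gait is used for marketing, and both Gait entries rest only on uncertain statements. Setting require_guaranteed to False drops the two uncertainty findings, which is how a naive user's weaker trust perception would be reflected.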

Conclusions

• A modeling approach for inferring accountability is realized in IDP (knowledge base system). Results can be found at code.google.com/p/inferring-accountability

• A panoramic view is inferred from individual data handling practices using worst-case computation rules.

• Different types of users can easily be modeled.

• We modeled coarse-grained implicit data handling evidence. A more refined approach would model the semantics of log compliance explicitly. This is difficult to implement using FO (first-order logic).

Questions