csc 495.002 lecture 7 ai for privacy: privacy requirements · 2017. 11. 15. · privacy...

CSC 495.002 – Lecture 7AI for Privacy: Privacy Requirements

Dr. Ozgur Kafalı

North Carolina State UniversityDepartment of Computer Science

Fall 2017

PREVIOUSLY ON SOCIAL NETWORKS

Web/Social Networks Privacy

InferenceSharing and disclosureViolations and regretTargeted advertisingK-anonymity

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 1 / 26

AI FOR PRIVACY MODULE

What You Will Learn

Privacy requirements engineeringAutonomous agents and reasoning

ArgumentationNegotiation

Privacy normsReasoning about privacy breaches

OntologiesSemantic similarity

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 2 / 26

PRIVACY REQUIREMENTS PROBLEM

Requirements

Software requirements: Software has to provide solutions toestablish the needs of its stakeholders

Satisfy a capability needed by a user to achieve an objectiveFunctionality to comply with a contract, regulation, or standard

Example requirements from an electronic health records (EHR)software:The physician shall alter the current prescriptions of a patient oradd new prescriptions after a routine visitThe system shall respond to a patient scheduling request within30 seconds

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 3 / 26

PRIVACY REQUIREMENTS PROBLEM

Security and Privacy Requirements

Typically non-functional requirements, though might changedepending on the domainCan be implied from functional requirementsRequirement: The physician shall alter the current prescriptions ofa patient or add new prescriptions after a routine visit

What are the security and privacy implications of this requirement?Patients’ prescription list should be encryptedPatients’ prescription list should not be taken out of the hospitalwithout being anonymizedPhysicians should only access those patients that they arecurrently treating

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 4 / 26

PRIVACY REQUIREMENTS PROBLEM

Access Control Requirements

Describe who can access what using a role-based access controlmechanismCan be implemented as part of the EHR softwareIn an emergency, relax the access control mechanismInstead, a norm prohibits physicians from accessing EHR of otherpatientsYou can also log each access for auditing

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 5 / 26

PRIVACY REQUIREMENTS PROBLEM

Sample Requirements Taxonomy

Gharib et al. Privacy Requirements: Findings and Lessons Learned in Developing a Privacy Platform. RequirementsEngineering Conference (RE), pages 256–265, 2016

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 6 / 26

PRIVACY REQUIREMENTS PROBLEM

Phases of Requirements Engineering

Requirements elicitationRequirements analysis

ClassificationPrioritizationNegotiation

Requirements specificationRequirements validation

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 7 / 26

PRIVACY REQUIREMENTS PROBLEM

Sample Elicitation Process: VisiOn

Gharib et al. Privacy Requirements: Findings and Lessons Learned in Developing a Privacy Platform. RequirementsEngineering Conference (RE), pages 256–265, 2016

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 8 / 26

PRIVACY REQUIREMENTS PROBLEM

Sample Elicitation Process: i*

Liu et al. Security and privacy requirements analysis within a social setting. Requirements Engineering Conference (RE), pages151–161, 2003

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 9 / 26

PRIVACY REQUIREMENTS PROBLEM

Attacker Analysis

Assumption: “All actors are guilty until proven innocent”

Any actor (roles, positions, agents) can be a potential attackerTo the systemTo other actors

For example, in what ways a physician can misuse the system?What benefit will the physician gain from an informationdisclosure?

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 10 / 26

APPLICATION DOMAINS

Threat Modeling

Enumerate potential ways that your system might be attacked

Typically include only attack nodes

But, defense nodes can also be included that mitigate suchattacks

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 11 / 26

APPLICATION DOMAINS

Misuse Cases

Physician

AccessEHR

Logout

Guesspassword

Catchunattended

Adversary

threatens

threatens

mitigates

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 12 / 26

APPLICATION DOMAINS

Misuse Case Maps

Karpati et al. Investigating security threats in architectural context: Experimental evaluations of misuse case maps. Journal ofSystems and Software, 104(C):90–111, 2015

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 13 / 26

APPLICATION DOMAINS

Attack/Defense Trees

AccessEHR

Guesspassword

Catchcomputer

unattended

Strongpassword Logout

Do not usepublic

computer

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 14 / 26

APPLICATION DOMAINS

Exercise: Healthcare Threat Model

http://agile.csc.ncsu.edu/iTrust/wiki/doku.php?id=requirements

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 15 / 26

APPLICATION DOMAINS

Exercise: Internet of Things Threat Model

http://www.devolo.com/en/Products/devolo-Home-Control-Key-Fob-Switch/

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 16 / 26

TECHNIQUES & STUDIES

Eddy: A Formal Language for Privacy Requirements

Breaux et al. Eddy, a Formal Language for Specifying and Analyzing Data Flow Specifications for Conflicting PrivacyRequirements. Requirements Engineering, 19(3):281–307, 2014

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 17 / 26

TECHNIQUES & STUDIES

Example: Facebook and Zynga

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 18 / 26

TECHNIQUES & STUDIES

Data Flow between Parties

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 19 / 26

TECHNIQUES & STUDIES

Objectives

Develop a privacy requirements specificationTo align multi-party expectationsAcross multi-tier applicationsAnd, to formally check conflicts among requirements

High-level design document to be used bySoftware developersPrivacy law expertsEnd users

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 20 / 26

TECHNIQUES & STUDIES

Conflicts

permission(X) ∧ prohibition(X) → conflict(X)

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 21 / 26

TECHNIQUES & STUDIES

Methodology

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 22 / 26

TECHNIQUES & STUDIES

Coded Policy

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 23 / 26

TECHNIQUES & STUDIES

Specification in Eddy Syntax

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 24 / 26

TECHNIQUES & STUDIES

Conflict Analysis: Between Facebook and Zynga

PROHIBIT TRANSFER user-dataFROM facebook TO ad-networkFOR anythingPERMIT TRANSFER aggregate-information,anonymous-informationFROM anyone TO anyone

PROHIBIT TRANSFER user-dataFROM facebook TO third-partyFOR merger, acquisitionPERMIT TRANSFER informationFOR merger, acquisition

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 25 / 26

TECHNIQUES & STUDIES

Conflict Analysis: Within AOL

PROHIBIT USE personally-identifiable-informationFROM registration-environmentFOR targeted-ads

PERMIT COLLECT personally-identifiable-informationFROM anyoneFOR improving-targeted-ads

Dr. Ozgur Kafalı AI for Privacy: Privacy Requirements Fall 2017 26 / 26