![Page 1: Inferring Accountability from Trust Perceptions Koen Decroix, Denis Butin, Joachim Jansen, Vincent Naessens ICISS 2014, Hyderabad](https://reader030.vdocuments.us/reader030/viewer/2022032522/56649d6e5503460f94a4e908/html5/thumbnails/1.jpg)
Inferring Accountability from Trust Perceptions
Koen Decroix, Denis Butin, Joachim Jansen, Vincent Naessens
ICISS 2014, Hyderabad
Outline
• Introducing Accountability
• Goal
• Modeling Approach
• Evaluation
• Conclusions
Introducing Accountability
Collected personal data (figure): Username, Password, Email, Date of birth, Sex, Name, Credit card information
Privacy policy
Alice agrees with the terms and policies of Spotify and gives her explicit consent for the specified data handling practices
Often vague about:
• The purpose for which personal data is used
• The collaborating third parties they forward data to
• Obligations in terms of third-party forwarding
• Retention of personal data
• …
(Figure: Spotify forwards Alice’s data to Advertisers and Sub-contractors, whose further recipients are unknown.)
…, but this may have unexpected consequences, outside the scope of Spotify’s obligations.
She loses control over her personal data, and her personal data may even spread to locations with less restrictive privacy regulations.
Accountability
• a key component for protecting an individual’s privacy
• the necessity to demonstrate compliance as a burden for data controllers
Accountability is explicitly cited as an obligation of data processors for their data handling practices in the upcoming EU Data Protection Regulation.
Proposal for the upcoming EU Data Protection Regulation:
Article 22 takes account of the debate on a "principle of accountability" and describes in detail the obligation of responsibility of the controller to comply with this Regulation and to demonstrate this compliance, including by way of adoption of internal policies and mechanisms for ensuring such compliance.
Goal
(Figure: Spotify forwards data to Advertisers and Sub-contractors; their further recipients are unknown.)
Spotify fulfills its promises, but what about the others?
Even if all organizations individually have clear data handling practices, the global result is opaque for Alice.
What would she like?
To understand the system-wide (global) guarantees of data controllers that apply to her personal data.
Modeling Approach
Inferring Global Accountability Guarantees
= A panoramic overview from the viewpoint of a trusted auditor who operates on behalf of the user. This overview also takes the user’s privacy preferences into account.
Framework overview (figure):
• Knowledge Base System (IDP) with a System Independent Model: the vocabulary of Accountability Concepts and the Global Accountability Computation Rules.
• Input Model:
  o User Model: User Type (Naïve, Regular User, Privacy-Aware) and Trusted Organizations.
  o System Model: Entities (Organizations, Components, Operators) and Entity Statements (Duties, Prohibitions, Notification Guarantees, Retention Limits).
• Output: the Global Accountability Profile.
Camera Surveillance in the Railway Station (figure)
• Organizations: Railway, Security Company
• Components and operators: Camera, Monitor, Image DB, Status DB, Mobile Device, Surveillance Guard, Status Processor, Image Processor
• Data categories: Face, Blurred Face, Picture Incident, Gait, Height, Behavior, Location, Time
System Model
type DataCategory = { PersData; Face; … }
DataCategoryOf(DataCategory, DataCategory) = { Face, PictureIncident; … }
ComponentOf(Component) : Organization = { Camera → RailwayCompany; … }
EmployeeOf(Operator) : Organization = { SurveillanceGuard → SecurityCompany; … }
OperatorOf(Operator, Component) = { SurveillanceGuard, Monitor; … }
ComponentCanCollect(Component, DataCategory) = { Camera, Face; Camera, BlurredFace; ImageDB, BlurredFace; … }
Individual Statements (figure): each component of the Railway company (Camera, Monitor, Image DB, Status DB, Mobile Device) and the Security Company carry their own data handling statements.
Camera Surveillance Statements
Accountability Levels
We consider three levels of accountability (statement assurance):
• Declarative statements (D): only specified in data handling statements.
• Logged Unverified statements (L): data handling logs are provided together with the statement but cannot be checked straight away.
• Logged and Verified statements (V): data handling logs are provided and checked; this is the highest level of accountability.
Decomposing Data Handling Statement
Example 1 (L): Full body pictures with blurred faces or clear faces, gaits, heights, and behavior are recorded for incident detection.
Statement of = Railway company
Subjects = Face, Blurred Face, Gait, Height, Behavior
Purpose = Incident detection
Permission = Always (duty)
Action = Record (collect)
Proof = LoggedUnverified
Decomposing Data Handling Statement
Example 2 (V): Full body pictures with clear faces, gaits, heights, and behavior are never processed for the purpose of identification.
Statement of = Image database
Subjects = Face, Gait, Height, Behavior
Purpose = Identification
Permission = Never (prohibition)
Action = Process
Proof = LoggedAndVerified
Decomposing Data Handling Statement
Example 3 (L): The maximal retention time for any category of collected personal data is 60 days.
Statement of = Railway company
Subjects = Personal Data
Proof = LoggedUnverified
RetentionLimit = 60 days
Decomposing Data Handling Statement
Other statement aspects:
• Conditions: e.g., only forward pictures to legal authorities upon their request.
• Forwarding data: e.g., pictures are forwarded to legal authorities.
• Notification guarantee: e.g., a weekly SMS is sent to a customer containing the current status.
StatementFrom(Statement) : Entity = { StatR1 → RailwayCompany; … }
StatementSubject(Statement, DataCategory) = { StatR1, Face; … }
StatementPurpose(Statement, Purpose) = { StatR1, DetectIncident; … }
partial StatementCondition(Statement) : Condition = { StatR2 → RequestLegalAuthority; … }
StatementPermission(Statement) : Permission = { StatR1 → Always; … }
partial StatementAction(Statement) : Action = { StatR1 → Collecting; … }
StatementDestination(Statement, Organization) = { StatR2, LegalAuthority; … }
partial StatementRetentionLimit(Statement) : Duration = { StatR4 → 60; … }
StatementNotificationGuarantee(Statement) = { }
StatementProof(Statement) : StatementEvidence = { StatR1 → LoggedUnverified; StatR2 → Declarative; … }
User Model: Trust Perceptions

| | Naive user | Regular user | Privacy-aware user |
|---|---|---|---|
| Required Data Handling Assurance Levels | Purely declarative statements are sufficient | Data handling logs are sufficient | Data handling logs must be verified |

Trusted organizations (per user type): e.g., Railway
Global Accountability Profile Inference (figure): the Knowledge Base System (IDP) takes the Individual Statements and the user’s Trust Perceptions as input and performs a worst-case synthesis of the global accountability profile (GAP), consisting of Global Duties, Global Prohibitions, Global Retention Limits and Global Notification Guarantees.
IDP Representation of the GAP
GAPCollectData(DataCategory)
GAPCollectDataAction(DataCategory, Action)
GAPCollectDataForPurposeOf(DataCategory, Purpose)
GAPCollectDataCondition(DataCategory, Condition)
GAPCollectDataProof(DataCategory, GAPEvidence)
GAPForwardDataTo(DataCategory, Organization)
GAPForwardDataAction(DataCategory, Action)
GAPForwardDataForPurposeOf(DataCategory, Purpose)
GAPForwardDataCondition(DataCategory, Condition)
GAPForwardDataProof(DataCategory, GAPEvidence)
GAPRetentionLimit(DataCategory, Duration)
GAPRetentionLimitCondition(DataCategory, Condition)
GAPRetentionLimitProof(DataCategory, GAPEvidence)
…
Global Statement Guarantees
(Table: Proof(S) ∈ {Declared, LoggedUnverified, LoggedAndVerified} against Naive User (U1), Regular User (U2) and Privacy-aware User (U3).)
Statements of an entity of an organization are (G)uaranteed or (U)ncertain depending on the modeled user.
Deduction Of Global Data Categories
(Table: global statement evidence, Uncertain vs. Guaranteed, for Duty(), Prohibition(), NotificationGuarantee() and RetentionLimit().)
$\psi(S, E, DC) \equiv \mathit{CanCollect}(E, DC) \land \mathit{Sub}(DC)$
Worst-case computation rule for the deduction of the global data categories $DC$ deduced from statement $S$ of entity $E$: $\mathit{Sub}(DC)$ denotes the subject of statement $S$, and $\mathit{CanCollect}(E, DC)$ the collectable data categories of entity $E$.
Global Duty computation rules
Some examples of worst-case computation rules for Global Duty aspects:
• Global purpose of a data category: the union of all purposes of the individual duties that have this global data category as subject. If no purpose is specified, all purposes are assumed.
• Global actions for a data category: the union of all actions of the individual statements that have this global data category as subject.
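A worked example of the user-dependent guarantee table and of the worst-case rules above (ψ and the global purpose union), written in Python for this page and not part of the authors’ IDP model. The statements, the CanCollect relation and the purpose vocabulary are constructed after the railway example, and the rule that a global duty counts as guaranteed only when every contributing statement is guaranteed is an assumption.

```python
from dataclasses import dataclass
# Statement assurance levels from the "Accountability Levels" slide, weakest to strongest.
LEVELS = {"Declarative": 0, "LoggedUnverified": 1, "LoggedAndVerified": 2}
# Required assurance per user type, from the "User Model: Trust Perceptions" slide.
USERS = {"U1": "Declarative", "U2": "LoggedUnverified", "U3": "LoggedAndVerified"}
# Constructed purpose vocabulary for the railway example (not taken from the slides).
ALL_PURPOSES = frozenset({"DetectIncident", "Identification", "Statistics", "Marketing"})
# Constructed system model: CanCollect(E, DC) for two entities of the railway example.
CAN_COLLECT = {
    "Camera": frozenset({"Face", "BlurredFace", "Gait", "Height", "Behavior"}),
    "ImageDB": frozenset({"Face", "BlurredFace", "Gait", "Height", "Behavior"}),
}

@dataclass(frozen=True)
class Statement:
    name: str
    entity: str          # component or operator that issued the statement
    org: str             # organization the entity belongs to
    subjects: frozenset  # data categories the statement is about (Sub)
    permission: str      # "Always" (duty) or "Never" (prohibition)
    proof: str           # key of LEVELS
    purposes: frozenset = frozenset()  # empty means "no purpose specified"

# Constructed statements modelled on Examples 1 and 2 of the slides, plus a purpose-less duty.
STATEMENTS = [
    Statement("StatR1", "Camera", "RailwayCompany",
              frozenset({"Face", "BlurredFace", "Gait", "Height", "Behavior"}),
              "Always", "LoggedUnverified", frozenset({"DetectIncident"})),
    Statement("StatR3", "ImageDB", "RailwayCompany", frozenset({"Face", "Gait", "Height", "Behavior"}),
              "Never", "LoggedAndVerified", frozenset({"Identification"})),
    Statement("StatR5", "ImageDB", "RailwayCompany", frozenset({"BlurredFace", "Location"}),
              "Always", "Declarative"),
]

def guaranteed(stmt, user, trusted_orgs=frozenset()):
    """(G)uaranteed if the proof level meets the user's required level or the issuing
    organization is one the user trusts; otherwise (U)ncertain."""
    return stmt.org in trusted_orgs or LEVELS[stmt.proof] >= LEVELS[USERS[user]]

def guarantee_table(statements=STATEMENTS, trusted_orgs=frozenset()):
    """The Global Statement Guarantees table: {user: {statement name: "G" | "U"}}."""
    return {u: {s.name: "G" if guaranteed(s, u, trusted_orgs) else "U" for s in statements}
            for u in USERS}

def global_data_categories(stmt):
    """psi(S, E, DC) = CanCollect(E, DC) and Sub(DC): the subjects the entity can collect."""
    return stmt.subjects & CAN_COLLECT.get(stmt.entity, frozenset())

def global_duties(user, statements=STATEMENTS, trusted_orgs=frozenset()):
    """Worst-case global duty per global data category: union of the purposes of all duties
    naming it, an unspecified purpose widened to ALL_PURPOSES. Assumption (not from the
    slides): evidence is "G" only if every contributing duty is guaranteed, else "U"."""
    result = {}
    for s in (s for s in statements if s.permission == "Always"):
        for dc in global_data_categories(s):
            entry = result.setdefault(dc, {"purposes": frozenset(), "evidence": "G"})
            entry["purposes"] |= s.purposes or ALL_PURPOSES
            if not guaranteed(s, user, trusted_orgs):
                entry["evidence"] = "U"
    return result
```

Note that "Location" never becomes a global data category of StatR5, because ψ discards subjects the image database cannot collect, while the purpose-less duty widens the global purpose of "BlurredFace" to every purpose.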
Inferred GAP of Camera Surveillance (table)
U1: Naive user; U2: Regular user; U3: Privacy-aware user
Evaluation
Modeling Concepts
• Modeling concepts are defined for statements containing single declarations.
• Modeling statements containing multiple declarations, e.g., "The image database stores the blurred faces and gait for max. 30 days and for the purpose of statistics and marketing."
  o Must be split in two statements:
    • a duty that blurred face and gait are stored
    • a retention limit that it stores personal data for max. 30 days
Framework Components
• User model:
  o Coarse-grained prototypical user types; modelers only need to specify the type of user via a constant. E.g., .
• Reusable modeling components. For a given system model:
  o Different types of users can easily be applied by changing the user model.
  o Different samples (collected by the auditor) of statement evidence can be applied.
Modeling Extensions
• Detecting Conflicts
  o Models can be extended with user privacy preferences. Conflicts can be detected between these and the data handling statements in the system.
Conclusions
• A modeling approach for inferring accountability is realized in IDP (knowledge base system). Results can be found at code.google.com/p/inferring-accountability
• A panoramic view is inferred from individual data handling practices using worst-case computation rules.
• Different types of users can easily be modeled.
• We modeled coarse-grained implicit data handling evidence. A more refined approach would model the semantics of log compliance explicitly; this is difficult to implement using first-order logic (FO).
Questions