A Framework for Expressing and Enforcing Purpose-Based Privacy Policies
Date
2013-01-28
Abstract
Purpose is a key concept in privacy policies and has been mentioned in major privacy laws and regulations.
Although some models have been proposed for enforcing purpose-based policies, little has been done in
defining formal semantics for purpose and therefore an effective enforcement mechanism for policies has
remained a challenge. In this paper, we develop a framework for formalizing and enforcing purpose-based
privacy policies. Purpose is formally defined as the dynamic situation of an action within the network of
inter-related actions in the system. Accordingly, we propose a modal-logic language for formally expressing
constraints about purposes of actions which can be used to model purpose-based policies. The semantics of
this language are defined over an abstract model of activities in the system which is directly derivable from
business processes.
Based on this formal framework, we discuss some properties of purpose and show how some well-known,
as well as new forms of purpose constraints can be formalized using the proposed language. We also show
how purpose-based constraints can be tied to other access control policies in the system. Finally, we present
a model-checking algorithm for verifying whether a given state of the system complies with a given set of
policies, followed by a discussion of how this can be used in an actual implementation of a purpose reference
monitor.
Keywords
Purpose, Semantics, Purpose-based policies