
Privacy through Accountability: A Computer Science Perspective

  • Conference paper
Distributed Computing and Internet Technology (ICDCIT 2014)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 8337)

Abstract

Privacy has become a significant concern in modern society as personal information about individuals is increasingly collected, used, and shared, often using digital technologies, by a wide range of organizations. To mitigate privacy concerns, organizations are required to respect privacy laws in regulated sectors (e.g., HIPAA in healthcare, GLBA in the financial sector) and to adhere to self-declared privacy policies in self-regulated sectors (e.g., the privacy policies of companies such as Google and Facebook in Web services). This article provides an overview of a body of work on formalizing and enforcing privacy policies. We formalize privacy policies that prescribe and proscribe flows of personal information, as well as those that place restrictions on the purposes for which a governed entity may use personal information. Recognizing that traditional preventive access control and information flow control mechanisms are inadequate for enforcing such privacy policies, we develop principled accountability mechanisms that seek to encourage policy-compliant behavior by detecting policy violations, assigning blame, and punishing violators. We apply these techniques to several U.S. privacy laws and organizational privacy policies, in particular producing the first complete logical specification and audit of all disclosure-related clauses of the HIPAA Privacy Rule.

This work was partially supported by the NSF Science and Technology Center TRUST, the NSF Trustworthy Computing grant “Privacy Policy Specification and Enforcement: Information Use and Purpose,” and HHS Grant no. HHS 90TR0003/01. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity.

Copyright information

© 2014 Springer International Publishing Switzerland

Cite this paper

Datta, A. (2014). Privacy through Accountability: A Computer Science Perspective. In: Natarajan, R. (ed.) Distributed Computing and Internet Technology. ICDCIT 2014. Lecture Notes in Computer Science, vol. 8337. Springer, Cham. https://doi.org/10.1007/978-3-319-04483-5_5

  • DOI: https://doi.org/10.1007/978-3-319-04483-5_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04482-8

  • Online ISBN: 978-3-319-04483-5

  • eBook Packages: Computer Science (R0)