An Information-Flow Model for Privacy (Infopriv)

  • Lucas C. J. Dreyer
  • Martin S. Olivier
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 14)


Privacy is concerned with the protection of personal information. Traditional security models (such as the Bell-LaPadula model) assume that users can be trusted and instead concentrate on the processes within the boundaries of the computer system. The InfoPriv model goes further by assuming that users (especially people) are not trustworthy. The information flow between the users should, therefore, be taken into account as well. The basic elements of InfoPriv are entities and the information flow between them. Information flow can either be positive (permitted) or negative (not permitted). It is shown how InfoPriv can be formalised by using graph theory. This formalisation includes the notion of information sanitisers (or trusted entities). InfoPriv is concluded with a discussion of its static and dynamic aspects. A Prolog prototype based on InfoPriv has been implemented and tested successfully on a variety of privacy policies.
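The abstract describes entities connected by permitted (positive) and forbidden (negative) information flows, with sanitisers as trusted entities, and a static check plus a dynamic one. The following is an added illustration of one way such a graph-based policy can be checked; it is not the paper's own formalisation or prototype (which is in Prolog), and the entity names, the rule that a flow is only a violation if an unsanitised path connects a negative pair, and the treatment of a sanitiser as an entity whose outgoing information no longer counts against the origin are all assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class InfoPrivPolicy:
    """Graph view of a privacy policy (added example, assumed reading of the model).

    entities   : all nodes of the graph
    positive   : source -> set of sinks for permitted (positive) flows
    negative   : (source, sink) pairs that must never be connected
    sanitisers : trusted entities; information they forward is treated as
                 sanitised, so a path is cut when it passes through one
    """
    entities: set
    positive: dict
    negative: set
    sanitisers: set

    def reachable(self, source):
        """Entities that can receive unsanitised information originating at source."""
        seen = set()
        queue = deque([source])
        while queue:
            node = queue.popleft()
            for nxt in self.positive.get(node, ()):
                if nxt in seen:
                    continue
                seen.add(nxt)
                # A sanitiser may receive the information, but what it passes on
                # is sanitised, so the traversal does not continue past it.
                if nxt not in self.sanitisers:
                    queue.append(nxt)
        return seen

    def violations(self):
        """Static aspect: negative flows that the positive flows make possible."""
        return sorted((s, t) for (s, t) in self.negative if t in self.reachable(s))

    def is_consistent(self):
        return not self.violations()

    def add_flow(self, source, sink):
        """Dynamic aspect: admit a new positive flow only if the policy stays consistent."""
        self.entities.update((source, sink))
        self.positive.setdefault(source, set()).add(sink)
        if self.violations():
            self.positive[source].discard(sink)  # roll back the offending flow
            return False
        return True


def build_example():
    """Constructed scenario for the example (not taken from the paper)."""
    return InfoPrivPolicy(
        entities={"patient", "doctor", "hospital_db", "statistics_office", "marketer"},
        positive={"patient": {"doctor"}, "doctor": {"hospital_db"}},
        negative={("patient", "marketer")},
        sanitisers={"statistics_office"},
    )


if __name__ == "__main__":
    policy = build_example()
    print("consistent:", policy.is_consistent())
    # A direct flow from the database to the marketer completes a forbidden path.
    print("db -> marketer admitted:", policy.add_flow("hospital_db", "marketer"))
    # Routing the same data through the sanitiser is admissible under this reading.
    print("db -> statistics_office admitted:", policy.add_flow("hospital_db", "statistics_office"))
    print("statistics_office -> marketer admitted:", policy.add_flow("statistics_office", "marketer"))
    print("reachable from patient:", sorted(policy.reachable("patient")))
```

The static check is a reachability query per negative pair, so its cost is linear in the graph per pair; the dynamic check simply re-runs it after each proposed flow and rolls the flow back on failure, which is enough for a policy of the size one would model by hand.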



Copyright information

© Springer Science+Business Media New York 1999
