Purpose Restrictions on Information Use

  • Michael Carl Tschantz
  • Anupam Datta
  • Jeannette M. Wing
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8134)


Privacy policies in sectors as diverse as Web services, finance and healthcare often place restrictions on the purposes for which a governed entity may use personal information. Thus, automated methods for enforcing privacy policies require a semantics of purpose restrictions to determine whether a governed agent used information for a purpose. We provide such a semantics using a formalism based on planning. We model planning using Partially Observable Markov Decision Processes (POMDPs), which supports an explicit model of information. We argue that information use is for a purpose if and only if the information is used while planning to optimize the satisfaction of that purpose under the POMDP model. We determine information use by simulating ignorance of the information prohibited by the purpose restriction, which we relate to noninterference. We use this semantics to develop a sound audit algorithm to automate the enforcement of purpose restrictions.
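The following is an added illustration of the "simulate ignorance" idea in the abstract, written for this page and not taken from the paper or its technical report. It assumes a constructed single-step toy model (a hidden patient condition as the restricted information, an age group as a permitted observation, and a marketing purpose with two offers and made-up rewards) rather than the paper's general POMDP setting. The auditor recomputes the belief an agent would hold from the permitted observation alone, takes every action that is optimal for the purpose under that belief, and flags an observed action only when it lies outside that set. Because a flagged action cannot be produced by any planner that was ignorant of the restricted information, the check is sound in the sense the abstract describes, but it is not complete: an action that happens to coincide with the ignorant plan is never flagged even if the agent did look at the restricted information.

```python
"""Simplified one-step "simulate ignorance" audit (illustrative; not the paper's algorithm)."""
from fractions import Fraction
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed toy model. The hidden state is the patient's condition, which the
# privacy policy forbids the marketing purpose from using.
STATES = ("flu", "cold")          # restricted information
ACTIONS = ("offer_A", "offer_B")  # marketing actions
PERMITTED_OBS = ("young", "old")  # observation the policy allows marketing to use

Belief = Dict[str, Fraction]

# Prior over the hidden condition (constructed).
PRIOR: Belief = {"flu": Fraction(3, 10), "cold": Fraction(7, 10)}

# P(permitted observation | hidden state): age group is weakly informative (constructed).
OBS_LIKELIHOOD: Dict[str, Dict[str, Fraction]] = {
    "flu":  {"young": Fraction(6, 10), "old": Fraction(4, 10)},
    "cold": {"young": Fraction(4, 10), "old": Fraction(6, 10)},
}

# Reward for the purpose "marketing": offer_A sells to flu patients, offer_B to cold patients.
MARKETING_REWARD: Dict[Tuple[str, str], Fraction] = {
    ("flu", "offer_A"): Fraction(5), ("flu", "offer_B"): Fraction(0),
    ("cold", "offer_A"): Fraction(0), ("cold", "offer_B"): Fraction(3),
}


class Step(NamedTuple):
    true_state: str     # restricted information the agent actually had access to
    permitted_obs: str  # observation it was allowed to use for this purpose
    action: str         # action it took


def ignorant_belief(permitted_obs: str) -> Belief:
    """Belief an agent holds if it sees only the permitted observation (Bayes update of PRIOR)."""
    unnorm = {s: PRIOR[s] * OBS_LIKELIHOOD[s][permitted_obs] for s in STATES}
    total = sum(unnorm.values())
    return {s: v / total for s, v in unnorm.items()}


def optimal_actions(belief: Belief, reward: Dict[Tuple[str, str], Fraction]) -> Set[str]:
    """All actions maximising expected reward under `belief`.

    Ties are kept deliberately: a planner optimising the purpose may pick any of them,
    so a sound audit must accept every tied action. Exact Fractions are used so that
    ties are detected exactly rather than lost to floating-point rounding."""
    expected = {a: sum(belief[s] * reward[(s, a)] for s in STATES) for a in ACTIONS}
    best = max(expected.values())
    return {a for a, v in expected.items() if v == best}


def audit(trace: List[Step],
          reward: Dict[Tuple[str, str], Fraction] = MARKETING_REWARD) -> List[Tuple[int, str, List[str]]]:
    """Return (index, action, explainable_actions) for each step whose action cannot be
    explained by a planner that optimised the purpose without the restricted information."""
    violations = []
    for i, step in enumerate(trace):
        explainable = optimal_actions(ignorant_belief(step.permitted_obs), reward)
        if step.action not in explainable:
            violations.append((i, step.action, sorted(explainable)))
    return violations


# Constructed audit log: the ignorant plan is young -> offer_A, old -> offer_B.
SAMPLE_TRACE = [
    Step("flu", "old", "offer_A"),    # only explainable by using the diagnosis: flagged
    Step("cold", "old", "offer_B"),   # matches the ignorant plan: not flagged
    Step("flu", "young", "offer_A"),  # matches the ignorant plan: not flagged (sound, not complete)
    Step("cold", "young", "offer_B"), # only explainable by using the diagnosis: flagged
]

# A belief under which both offers have equal expected reward (15/8): both must be accepted.
TIE_BELIEF: Belief = {"flu": Fraction(3, 8), "cold": Fraction(5, 8)}

if __name__ == "__main__":
    for obs in PERMITTED_OBS:
        print(obs, "->", sorted(optimal_actions(ignorant_belief(obs), MARKETING_REWARD)))
    for index, action, explainable in audit(SAMPLE_TRACE):
        print(f"step {index}: {action} not explainable without restricted info; ignorant plan allows {explainable}")
    print("tie:", sorted(optimal_actions(TIE_BELIEF, MARKETING_REWARD)))
```

Running the script prints the ignorant plan for each permitted observation, flags steps 0 and 3 of the constructed trace, and shows that the tied belief yields both offers as acceptable. Extending this to the paper's setting would mean replacing the one-step expected-reward maximisation with a POMDP policy computed over belief states that exclude the restricted observations, while keeping the same comparison structure.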



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Michael Carl Tschantz, University of California, Berkeley, USA
  • Anupam Datta, Carnegie Mellon University, USA
  • Jeannette M. Wing, Microsoft Research, USA