Log Analysis for Data Protection Accountability

  • Denis Butin
  • Daniel Le Métayer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8442)

Abstract

Accountability is increasingly recognised as a cornerstone of data protection, notably in European regulation, but the term is frequently used in a vague sense. For accountability to bring tangible benefits, the expected properties of personal data handling logs (used as “accounts”) and the assumptions regarding the logging process must be defined with accuracy. In this paper, we provide a formal framework for accountability and show the correctness of the log analysis with respect to abstract traces used to specify privacy policies. We also show that compliance with respect to data protection policies can be checked based on logs free of personal data, and describe the integration of our formal framework in a global accountability process.

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Denis Butin (1)
  • Daniel Le Métayer (1)
  1. Inria, Université de Lyon, France
