Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies

Venice, Italy July 05-July 07

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/CSFW.2006.24

19th IEEE Computer Security Foundatio ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Michael J. May Articles by Carl A. Gunter Articles by Insup Lee

	ASCII Text	x
	Michael J. May, Carl A. Gunter, Insup Lee, "Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies," Computer Security Foundations Workshop, IEEE, pp. 85-97, 19th IEEE Computer Security Foundations Workshop (CSFW'06), 2006.

	BibTex	x
	@article{ 10.1109/CSFW.2006.24, author = {Michael J. May and Carl A. Gunter and Insup Lee}, title = {Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies}, journal ={Computer Security Foundations Workshop, IEEE}, volume = {0}, year = {2006}, issn = {1063-6900}, pages = {85-97}, doi = {http://doi.ieeecomputersociety.org/10.1109/CSFW.2006.24}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Computer Security Foundations Workshop, IEEE TI - Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies SN - 1063-6900 SP85 EP97 A1 - Michael J. May, A1 - Carl A. Gunter, A1 - Insup Lee, PY - 2006 KW - null VL - 0 JA - Computer Security Foundations Workshop, IEEE ER -

Michael J. May, University of Pennsylvania, USA

Carl A. Gunter, University of Illinois Urbana-Champaign, USA

Insup Lee, University of Pennsylvania, USA

There is a growing interest in establishing rules to regulate the privacy of citizens in the treatment of sensitive personal data such as medical and financial records. Such rules must be respected by software used in these sectors. The regulatory statements are somewhat informal and must be interpreted carefully in the software interface to private data. This paper describes techniques to formalize regulatory privacy rules and how to exploit this formalization to analyze the rules automatically. Our formalism, which we call privacy APIs, is an extension of access control matrix operations to include (1) operations for notification and logging and (2) constructs that ease the mapping between legal and formal language. We validate the expressive power of privacy APIs by encoding the 2000 and 2003 HIPAA consent rules in our system. This formalization is then encoded into Promela and we validate the usefulness of the formalism by using the SPIN model checker to verify properties that distinguish the two versions of HIPAA.

Citation:

Michael J. May, Carl A. Gunter, Insup Lee, "Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies," csfw, pp.85-97, 19th IEEE Computer Security Foundations Workshop (CSFW'06), 2006

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.