EPAL and Management of Privacy Obligations
Marco Casassa Mont, marco.casassa-mont@hp.com
Trusted Systems Lab, Hewlett-Packard Labs, Bristol, UK
13-14 May 2004, Lubeck, Germany
© 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice
Presentation Outline
• HP Position on EPAL
• Privacy Obligation Management and Technical Solution leveraging EPAL
• Additional Requirements for EPAL
• Conclusions
11/5/2020 2
HP Position on EPAL
• HP Supports the Standardisation Process of EPAL. The current EPAL Version is a starting point towards a standard
• HP Labs are interested in Investigating and Researching the usage of EPAL in a variety of contexts, including:
  - Research Prototypes
  - Commercial Offering
Using EPAL for Management of Privacy Obligations
• Importance of dealing with Privacy Obligations
  - Need to be compliant with Laws, Legislation, Organisations’ Guidelines, Customers’ Requests …
• EPAL provides a framework to deal with Privacy Policies
• HP Labs/TSL is researching in the context of Privacy Obligation Management for Enterprises:
  - Exploring how to leverage EPAL …
• Research and work (partially) done in EU PRIME
Privacy Obligations
• Dictated by Laws, Legislation, Organisations’ Guidelines, Customers’ Requests, …
• EU Legislation, OECD, US Laws (HIPAA, COPPA, GLB, etc.)
• Define requirements and actions to be fulfilled by Organisations and Enterprises concerning Personal Data
• Obligations can be very abstract: “Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information” (Gramm-Leach-Bliley Act)
Privacy Obligations
More refined Privacy Obligations dictate responsibilities with respect to Personal Information:
• Notice Requirements
• Enforcement of opt-out options
• Limits on reuse of Information and Information Sharing
• …
Privacy Obligations
Even more refined Privacy Obligations specify “technical” constraints on Personal Information:
• “Notify Data Owners every time their Personal Data is involved in a Transaction or Accessed by Personnel”
• “Access/Changes to Personal Data must be Audited”
• “Delete Personal Information after 7 Years”
• “Delete Personal Information of Customers who do not come back to this web site within 30 days”
• …
Categories of Privacy Obligations
“Transactional”
• “Notify Data Owners when their Personal Data is involved in a Transaction or is accessed by Personnel”
• “Audit the Access/Changes to Personal Data”
• …
“Non-Transactional” - Ongoing Obligations
• “Delete Personal Information after 7 Years”
• “Delete Personal Information of Customers that do not come back to this web site within 30 days”
• …
Privacy Obligations
• We focus on technical aspects of Obligations (even if we recognise it is not just a matter of technology…)
• To be technically enforceable a Privacy Obligation requires the definition of:
  - Timeframe and Period of Validity
  - Events and Situations that Trigger the Obligation
  - Target of the Obligation (PII data, etc.)
  - Actions and Tasks to be fulfilled for its Enforcement
  - Entities that are Accountable for its Enforcement
  - Accountability Criteria (logging, reporting, notification, etc.)
  - Exceptions and Special Cases
  - …
Privacy Obligation Management
[Diagram: Interactions/Transactions Involving Personal Data feed an Authorization Process, which handles “Transactional” Privacy Obligations; Ongoing and Long-term Privacy Obligations are handled by Obligation Management and Enforcement]
EPAL and Privacy Obligation Management
[Diagram: Users, Applications, Services, … interact with a Privacy Management Framework made of EPAL-driven Authorization and Enforcement plus Obligation Management and Enforcement, protecting Personal and Private Information]
EPAL and Privacy Obligation Management
[Diagram slide; no text content recoverable]
Example of EPAL Rule
Privacy Policy (informal): Allow a sales agent or a sales supervisor to collect a customer's data for order entry if the customer is older than 13 years of age and the customer has been notified of the privacy policy. Delete the data 3 years from now.
EPAL Privacy Rule:
  ruling: allow
  user category: sales department
  action: store
  data category: customer-record
  purpose: order-processing
  condition: the customer is older than 13 years of age
  obligation: delete the data 3 years from now
Source: http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/
EPAL and Privacy Obligation Management
EPAL supports Privacy Obligations:
• “EPAL defines an Abstract Authorization Interface that outputs a Decision and Obligations …”
There is a clear fit for “Transactional” Obligations but … Is it correct to describe also “Non-Transactional” Privacy Obligations within an EPAL rule?
• These Obligations can actually specify “First Class” Policies. Why “Embed” them in the context of Authorization Rules?
• These Obligations might need to be enabled and enforced independently of any Transaction or Interaction (e.g. Unconditionally Delete Personal Data XYZ after 7 years …)
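The two slides above describe an EPAL rule (ruling, user category, action, data category, purpose, condition, obligation) and the abstract authorization interface that returns a decision together with obligations. The following Python is an added example written for this page, not code from the slides or from the EPAL specification: it evaluates an ordered rule list with EPAL's precedence semantics (the first applicable rule determines the ruling) and returns the decision plus the attached obligations. The `conflict_strategy` argument is a hypothetical extension, not part of EPAL, included to show how an explicitly declared conflict-handling rule changes the outcome when overlapping rules apply; the second rule and the sample requests are constructed.

```python
"""Added example (not from the slides or the EPAL specification):
a minimal EPAL-style authorization evaluator returning (decision, obligations)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A request carries the four EPAL categories plus any context attributes
# the rule conditions need (here: customer_age, policy_notified).
Request = Dict[str, object]


@dataclass
class Rule:
    ruling: str                       # "allow" or "deny"
    user_category: str
    action: str
    data_category: str
    purpose: str
    condition: Callable[[Request], bool] = lambda req: True
    obligations: List[str] = field(default_factory=list)

    def applies_to(self, req: Request) -> bool:
        """A rule is applicable when every category matches and its condition holds."""
        return (req["user_category"] == self.user_category
                and req["action"] == self.action
                and req["data_category"] == self.data_category
                and req["purpose"] == self.purpose
                and self.condition(req))


def evaluate(rules: List[Rule], req: Request,
             conflict_strategy: str = "precedence") -> Tuple[str, List[str]]:
    """Return (decision, obligations) for a request.

    "precedence":     EPAL's approach; rules are listed in priority order and
                      the first applicable one wins.
    "deny-overrides": hypothetical meta-rule (not EPAL); any applicable deny
                      rule wins, otherwise the first applicable rule.
    No applicable rule yields "not-applicable" with no obligations.
    """
    applicable = [r for r in rules if r.applies_to(req)]
    if not applicable:
        return "not-applicable", []
    if conflict_strategy == "precedence":
        chosen = applicable[0]
    elif conflict_strategy == "deny-overrides":
        denies = [r for r in applicable if r.ruling == "deny"]
        chosen = denies[0] if denies else applicable[0]
    else:
        raise ValueError(f"unknown conflict strategy: {conflict_strategy}")
    return chosen.ruling, list(chosen.obligations)


# The rule from the slide: allow the sales department to store a customer
# record for order processing if the customer is older than 13, with the
# obligation to delete the data 3 years from now.
ORDER_ENTRY_RULE = Rule(
    ruling="allow",
    user_category="sales department",
    action="store",
    data_category="customer-record",
    purpose="order-processing",
    condition=lambda req: req.get("customer_age", 0) > 13,
    obligations=["delete the data 3 years from now"],
)

# Constructed overlapping rule: deny storage when the customer has not been
# notified of the privacy policy.  Listed after the allow rule, so precedence
# and deny-overrides give different answers for the same request.
NOT_NOTIFIED_RULE = Rule(
    ruling="deny",
    user_category="sales department",
    action="store",
    data_category="customer-record",
    purpose="order-processing",
    condition=lambda req: not req.get("policy_notified", False),
)

POLICY = [ORDER_ENTRY_RULE, NOT_NOTIFIED_RULE]


def demo_requests() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate three constructed requests and return the outcomes by label."""
    adult_notified = {"user_category": "sales department", "action": "store",
                      "data_category": "customer-record", "purpose": "order-processing",
                      "customer_age": 34, "policy_notified": True}
    child = dict(adult_notified, customer_age=11)
    adult_not_notified = dict(adult_notified, policy_notified=False)
    return {
        "adult, notified": evaluate(POLICY, adult_notified),
        "child": evaluate(POLICY, child),
        "not notified, precedence": evaluate(POLICY, adult_not_notified),
        "not notified, deny-overrides": evaluate(POLICY, adult_not_notified, "deny-overrides"),
    }


if __name__ == "__main__":
    for label, (decision, obligations) in demo_requests().items():
        print(f"{label:30s} -> {decision}, obligations={obligations}")
```

The "not notified" request is the interesting one: under positional precedence the allow rule wins and the obligation is emitted, while a declared deny-overrides meta-rule produces a deny with no obligation. That is exactly the kind of outcome the rule list alone cannot express without reordering or adding preconditions.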
EPAL and HPL Privacy Obligation Management – Current Status
[Diagram: Interactions and Transactions Involving Personal Data are handled by EPAL with “Transactional” Privacy Obligations; Ongoing and Long-term Privacy Obligations are handled by the Obligation Management Service]
HPL Privacy Obligation Management High-Level Architecture
[Diagram: Obligation Monitoring Service, Obligation Server, Obligation Enforcer, Events Handler, Obligation Store & Versioning (Data Obligation Ref., Audit Logs) and Confidential Data; arrows labelled obligation, feedback and result]
HPL Privacy Obligation Management
[Diagram: Users, Applications and Services, and Admins reach a Privacy Portal (GUI: Authoring & Display, Store/Retrieve) and an Association Manager; inside the ENTERPRISE, the Obligation Server (Obligation Scheduler & Manager, Active Obligations, Workflows), the Obligation Monitoring Service (Monitoring Task Handler), the Obligation Enforcer (Action Adaptors), the Events Handler, the Information Tracker (Tracking Obligation Handler), an Audit Server and the Obligation Store & Versioning (Data Obligation Ref., Audit Logs) act on Confidential Data]
Open Issues [1/2]
• Dealing with different types of Privacy Obligations:
  - using same Language
  - Independence from the Nature of the Obligation (Transactional, Non-Transactional, …)
• Strong Stickiness of “Obligation Policies” to Personal Data might be Required (for data transmission, etc.)
• Provide degrees of Assurance on Obligations Enforcement and overall Accountability
• Dealing with Trust Aspects
Open Issues [2/2]
• Dealing with Explicit Management of Conflicting Obligations, at the Enforcement time:
  - Criteria can change based on the Context, Location …
  - Different priorities (on the same Rule-set) dictated by Local Legislation, Guidelines, Local Arrangements, …
  - Different rule-sets in a Policy might be “active” in different contexts …
Note: at the moment EPAL addresses conflicts on rules via:
  - precedence, i.e. priority in the rule list
  - “delegation” to additional management tools
Using rule preconditions can add complexity to rules
EPAL: Additional Requirements
Extend EPAL to represent different types of Privacy Policies: [Diagram: EPAL → EPL]
Goal: allow the explicit definition of Privacy Policies beyond Authorization:
• “Non-transactional” and “Ongoing” Privacy Obligations
• Trust Compliance Policies for Privacy
• …
EPAL: Additional Requirements
Introduce “Meta-Rules” within the EPAL Language to declare:
  - How to deal with conflicting rules within a policy
  - How to select “relevant” rules
Goal: Explicit Management of Rule/Policy selection:
• Go beyond the current approach based on positional “precedence”
• Ensure Portability across different Privacy Frameworks
• Define evaluation mechanisms adaptive to Context, Localization (EU, US, …)
• …
EPAL: Additional Long-term Requirements
Extending the Expressiveness of Policy Rules to deal with:
• Trust Constraints on Systems (Requestor, Policy Evaluator, etc.) and Entities based on Contextual Information
• Selective Disclosure of data, for example based on the Current Level of Trust, i.e. Privacy driven by Trust
• Accountability, for example declaring actions that require authenticated Audit and Interactions with Trusted Third Parties
Conclusions
• HP supports the Standardisation Process of EPAL
• HP Labs are interested in Investigating and Researching the usage of EPAL, including leveraging EPAL for Privacy Obligation Management
• EPAL could be extended to:
  - Describe Policies/Rules that are not based on Authorisation
  - Add “Meta-Rules” to increase policy portability, explicitly address conflicts and define additional requirements
• In the longer-term EPAL could deal with trust constraints, selective disclosure and accountability
BACKUP Slides
Example of Technical Representation of Privacy Obligation
<Obligations>
  <Obligation.Id>obl.Id1</Obligation.Id>
  <Description>Delete Confidential Data for Pseudonym: uid1</Description>
  <Obligation.Trigger.Descriptor>
    <Type>Event</Type>
    <Sub.Type>Time.Based.Event</Sub.Type>
    <Parameters>
      <Trigger.Time>
        <Year>2007</Year>
        <Month>4</Month>
        <Day>28</Day>
        <Hour>13</Hour>
        <Minute>30</Minute>
      </Trigger.Time>
    </Parameters>
  </Obligation.Trigger.Descriptor>
  <Target>
    <Data.Owner>uid1</Data.Owner>
    <Data.Type>Database</Data.Type>
    <Data.Locator>SELECT * FROM Customers WHERE Customer.Id='uid1'</Data.Locator>
  </Target>
  <Actions>
    <Action>Delete</Action>
  </Actions>
</Obligations>
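The representation above carries the elements the earlier slide lists as needed for technical enforceability: a trigger (here a time-based event), a target (owner, data type, locator) and actions. The Python below is an added example for this page, not code from the slides or from HP Labs' obligation management system. It parses an obligation in this layout, applies the monitoring check (has the trigger time passed?), enforces the Delete action through an action adaptor against an in-memory SQLite table and writes every outcome to an audit list. The element names follow the slide; the sample obligation, the Customers table, the column name `CustomerId` in the locator and the adaptor's strict handling of `Data.Locator` are all constructed here.

```python
"""Added example (not the slides' or HP Labs' code): a small obligation monitor
for the XML layout shown above.  Element names follow the slide; the sample
obligation, the SQLite table and the locator handling are constructed."""
import re, sqlite3
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Constructed sample in the slide's layout (identifiers and dates are made up).
SAMPLE_OBLIGATION = """<Obligations>
  <Obligation.Id>obl.Id1</Obligation.Id>
  <Description>Delete Confidential Data for Pseudonym: uid1</Description>
  <Obligation.Trigger.Descriptor>
    <Type>Event</Type><Sub.Type>Time.Based.Event</Sub.Type>
    <Parameters><Trigger.Time>
      <Year>2007</Year><Month>4</Month><Day>28</Day><Hour>13</Hour><Minute>30</Minute>
    </Trigger.Time></Parameters>
  </Obligation.Trigger.Descriptor>
  <Target>
    <Data.Owner>uid1</Data.Owner><Data.Type>Database</Data.Type>
    <Data.Locator>SELECT * FROM Customers WHERE CustomerId='uid1'</Data.Locator>
  </Target>
  <Actions><Action>Delete</Action></Actions>
</Obligations>"""


@dataclass
class Obligation:
    obligation_id: str
    trigger_time: datetime
    data_type: str
    locator: str
    actions: List[str]


def _child(elem, *names):
    """Walk one named child per step (names contain dots, so plain iteration is used)."""
    for name in names:
        elem = next((e for e in elem if e.tag == name), None)
        if elem is None:
            raise ValueError(f"missing element {name}")
    return elem


def parse_obligation(xml_text: str) -> Obligation:
    """Parse the slide's layout; only Event/Time.Based.Event triggers are supported."""
    root = ET.fromstring(xml_text)
    trig = _child(root, "Obligation.Trigger.Descriptor")
    if (_child(trig, "Type").text, _child(trig, "Sub.Type").text) != ("Event", "Time.Based.Event"):
        raise ValueError("unsupported trigger type")
    tt = _child(trig, "Parameters", "Trigger.Time")
    when = datetime(*(int(_child(tt, f).text) for f in ("Year", "Month", "Day", "Hour", "Minute")))
    target = _child(root, "Target")
    return Obligation(
        obligation_id=_child(root, "Obligation.Id").text,
        trigger_time=when,
        data_type=_child(target, "Data.Type").text,
        locator=_child(target, "Data.Locator").text,
        actions=[a.text for a in _child(root, "Actions") if a.tag == "Action"],
    )


def is_due(ob: Obligation, now: datetime) -> bool:
    """Monitoring check: a time-based obligation fires once its trigger time has passed."""
    return now >= ob.trigger_time


# The adaptor accepts only "SELECT * FROM <table> WHERE <predicate>" locators,
# so it never turns an arbitrary query into a DELETE.
_LOCATOR = re.compile(r"^SELECT \* FROM (\w+) WHERE (.+)$")


def delete_adaptor(conn: sqlite3.Connection, locator: str) -> int:
    """Action adaptor for Delete on Data.Type=Database; returns rows removed."""
    m = _LOCATOR.match(locator.strip())
    if not m:
        raise ValueError(f"locator not understood: {locator!r}")
    table, predicate = m.groups()
    return conn.execute(f"DELETE FROM {table} WHERE {predicate}").rowcount


def enforce(ob: Obligation, conn: sqlite3.Connection, now: datetime, audit: List[str]) -> bool:
    """Enforcer: run the actions when due; every outcome is written to the audit log."""
    if not is_due(ob, now):
        audit.append(f"{now} {ob.obligation_id} pending until {ob.trigger_time}")
        return False
    for action in ob.actions:
        if action != "Delete" or ob.data_type != "Database":
            audit.append(f"{now} {ob.obligation_id} no adaptor for {action}/{ob.data_type}")
            raise ValueError(f"no adaptor for {action}/{ob.data_type}")
        n = delete_adaptor(conn, ob.locator)
        audit.append(f"{now} {ob.obligation_id} Delete via {ob.locator!r}: {n} row(s) removed")
    return True


def run_demo(now: datetime) -> Tuple[int, bool, List[str]]:
    """Constructed scenario: two customers; enforce the sample obligation at `now`.
    Returns (rows remaining, enforced?, audit log)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustomerId TEXT PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", [("uid1", "Alice"), ("uid2", "Bob")])
    audit: List[str] = []
    enforced = enforce(parse_obligation(SAMPLE_OBLIGATION), conn, now, audit)
    remaining = conn.execute("SELECT COUNT(*) FROM Customers").fetchone()[0]
    conn.close()
    return remaining, enforced, audit
```

Calling `run_demo(datetime(2007, 4, 28, 12, 0))` leaves both rows in place and records a "pending" audit entry; calling it at or after 13:30 on that day removes only uid1's row and records the deletion. The adaptor deliberately refuses any locator that is not a plain `SELECT * FROM … WHERE …`, so a malformed or unexpected locator is logged as an error rather than silently executed.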