Michael Carl Tschantz

Thesis Title: Formalizing and Enforcing Purpose Restrictions
Degree Type: Ph.D. in Computer Science
Advisor(s): Anupam Datta, Jeannette Wing
Graduated: May 2012

Abstract:

Privacy policies often place restrictions on the purposes for which a governed entity may use personal information. For example, regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), require that hospital employees use medical information for only certain purposes, such as treatment, but not for others, such as gossip. Thus, using formal or automated methods for enforcing privacy policies requires a semantics of purpose restrictions to determine whether an action is for a purpose. We provide such a semantics using a formalism based on planning. We model planning using a modified version of Markov Decision Processes (MDPs), which exclude redundant actions for a formal definition of redundant. We argue that an action is for a purpose if and only if the action is part of a plan for optimizing the satisfaction of that purpose under the MDP model. We use this formalization to define when a sequence of actions is only for or not for a purpose. This semantics enables us to create and implement an algorithm for automating auditing, and to describe formally and compare rigorously previous enforcement methods. We extend this formalization to Partially Observable Markov Decision Processes (POMDPs) to answer when information is used for a purpose. To validate our semantics, we provide an example application and conduct a survey to compare our semantics to how people commonly understand the word "purpose".

Thesis Committee:
Anupam Datta (Co-chair)
Jeannette M. Wing (Co-chair)
Lorrie Faith Cranor
Manuela M. Veloso
Joseph Y. Halpern (Cornell University)

Jeannette Wing, Head, Computer Science Department
Randy Bryant, Dean, School of Computer Science

Keywords:
Privacy, Formal methods, Auditing, Compliance Checking, Planning, MDPs, POMDPs