
Run-Time Monitoring of Data-Handling Violations

  • Conference paper
  • Computer Security (SECPRE 2018, CyberICPS 2018)

Abstract

Organisations are coming under increasing pressure to respect and protect personal data privacy, especially with the European Union’s General Data Protection Regulation (GDPR) now in effect. As legislation and regulation evolve to incentivise such data-handling protection, so too does the business case for demonstrating compliance both in spirit and to the letter. Compliance will require ongoing checks as modern systems are constantly changing in terms of digital infrastructure services and business offerings, and the interaction between human and machine. Therefore, monitoring for compliance during run-time is likely to be required. There has been limited research into how to monitor how well a system respects consents given, and withheld, pertaining to handling and onward sharing. This paper proposes a finite-state-machine method for detecting violations of preferences (consents and revocations) expressed by Data Subjects regarding use of their personal data, and also violations of any related obligations that might be placed upon data handlers (data controllers and processors). Our approach seeks to enable detection of both accidental and malicious compromises of privacy properties. We also present a concept demonstrator to show the feasibility of our approach and discuss its design and technical implementation.


Notes

  1. For the types of CR considered in this paper, projection amounts to removal of 1-step sharing consents. This enables their interpretation at receiving systems without regard for where the data and choices came from. If, on the other hand, projection is trivial (the identity function) then only original choices are ever communicated, which would mean they must be interpreted according to whether the data was received directly from the DS or instead from an upstream system.

  2. Communicating Sequential Processes.

  3. https://protective-h2020.eu/.
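The abstract describes a finite-state-machine monitor for consent and revocation violations, and Note 1 describes projection: stripping 1-step sharing consents when data is forwarded so a receiving system can interpret the choices without knowing where they came from. The following is an added illustration written for this page, not the authors' demonstrator or its code: a small Python monitor that keeps one state machine per (data item, holder), applies a projection on each onward share, and flags use after revocation, sharing without consent, and a constructed "delete within N ticks" obligation. The consent keys (`use`, `share_1step`), the event shapes, the holder names and the deadline are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTIVE, REVOKED, DELETED, OVERDUE = "ACTIVE", "REVOKED", "DELETED", "OVERDUE"


def project(choices: Dict[str, bool]) -> Dict[str, bool]:
    """Projection applied when data is forwarded (cf. Note 1): drop the 1-step
    sharing consent so the receiver may use the data but not share it onward.
    The consent keys 'use' and 'share_1step' are constructed for this example."""
    return {k: v for k, v in choices.items() if k != "share_1step"}


@dataclass
class Holding:
    """Monitor state for one (data item, holder) pair."""
    choices: Dict[str, bool]
    state: str = ACTIVE
    delete_deadline: Optional[int] = None


class ConsentMonitor:
    """Finite-state monitor over a stream of data-handling events.

    Constructed event shapes:
      ("use", item, holder)              holder processes item
      ("share", item, sender, receiver)  sender forwards item to receiver
      ("revoke", item)                   data subject revokes consent for item
      ("delete", item, holder)           holder reports deletion
      ("tick",)                          clock advances one period
    A revocation places a constructed obligation on every holder of the item:
    report deletion within `delete_within` ticks.
    """

    def __init__(self, delete_within: int = 2) -> None:
        self.delete_within = delete_within
        self.holdings: Dict[Tuple[str, str], Holding] = {}
        self.violations: List[Tuple[int, str, str, str]] = []
        self.clock = 0

    def register(self, item: str, holder: str, choices: Dict[str, bool]) -> None:
        self.holdings[(item, holder)] = Holding(dict(choices))

    def _flag(self, kind: str, item: str, holder: str) -> None:
        self.violations.append((self.clock, kind, item, holder))

    def step(self, event: tuple) -> None:
        kind = event[0]
        if kind == "tick":
            self.clock += 1
            for (item, holder), h in self.holdings.items():
                if h.state == REVOKED and self.clock > h.delete_deadline:
                    self._flag("delete-overdue", item, holder)
                    h.state = OVERDUE  # report once, then stop re-reporting
            return
        if kind == "revoke":
            for (item, holder), h in self.holdings.items():
                if item == event[1] and h.state == ACTIVE:
                    h.state = REVOKED
                    h.delete_deadline = self.clock + self.delete_within
            return
        item, holder = event[1], event[2]
        h = self.holdings.get((item, holder))
        if kind == "delete":
            if h is not None:
                h.state = DELETED  # obligation discharged (or voluntary deletion)
            return
        # 'use' and 'share' both require an active holding with matching consent
        if h is None:
            self._flag(f"{kind}-without-holding", item, holder)
            return
        if h.state != ACTIVE:
            self._flag(f"{kind}-after-revocation", item, holder)
            return
        if kind == "use":
            if not h.choices.get("use"):
                self._flag("use-not-consented", item, holder)
        elif kind == "share":
            if not h.choices.get("share_1step"):
                self._flag("share-not-consented", item, holder)
            else:
                # forward with projected choices: the receiver gets 'use' only
                self.register(item, event[3], project(h.choices))


def demo() -> List[Tuple[int, str, str, str]]:
    """Run a constructed trace and return the detected violations."""
    m = ConsentMonitor(delete_within=2)
    m.register("rec1", "A", {"use": True, "share_1step": True})
    trace = [
        ("use", "rec1", "A"),             # allowed
        ("share", "rec1", "A", "B"),      # allowed; B receives projected choices
        ("use", "rec1", "B"),             # allowed
        ("share", "rec1", "B", "C"),      # violation: B has no onward-share consent
        ("revoke", "rec1"),               # A and B must now delete within 2 ticks
        ("use", "rec1", "A"),             # violation: use after revocation
        ("delete", "rec1", "A"),          # A discharges its obligation
        ("tick",), ("tick",), ("tick",),  # B never deletes: obligation violation
    ]
    for ev in trace:
        m.step(ev)
    return m.violations


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The trace shows the point of projection: B legitimately received the record from A, but because the 1-step sharing consent was removed on the way, B's attempt to forward it to C is flagged without the monitor needing to know whether B got the data from the data subject or from an upstream system. Revocation and the deletion deadline are tracked per holder, so A's timely deletion is accepted while B's missed deadline is reported once.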

References

  1. Barth, A., Datta, A., Mitchell, J.C., Nissenbaum, H.: Privacy and contextual integrity: framework and applications. In: 2006 IEEE Symposium on Security and Privacy, 15 pp. IEEE (2006)

  2. Basin, D., Debois, S., Hildebrandt, T.: On purpose and by necessity: compliance under the GDPR (2018)

  3. Basin, D., Klaedtke, F., Marinovic, S., Zălinescu, E.: Monitoring of temporal first-order properties with aggregations. Form. Methods Syst. Des. 46(3), 262–285 (2015)

  4. British Parliament: Data Protection Act. London Stationery Office (1998)

  5. Brooks, S., Brooks, S., Garcia, M., Lefkovitz, N., Lightman, S., Nadeau, E.: An Introduction to Privacy Engineering and Risk Management in Federal Systems. US Department of Commerce, National Institute of Standards and Technology (2017)

  6. Cavoukian, A.: Privacy by design: 7 foundational principles (2011). www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf

  7. Cavoukian, A., et al.: Privacy by design documentation for software engineers version 1.0 (PbD-SE). Organization for the Advancement of Structured Information Standards (OASIS), Burlington (2014)

  8. Chowdhury, O., Jia, L., Garg, D., Datta, A.: Temporal mode-checking for runtime monitoring of privacy policies. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 131–149. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08867-9_9

  9. Daniel, F., et al.: Business compliance governance in service-oriented architectures. In: International Conference on Advanced Information Networking and Applications, AINA 2009, pp. 113–120. IEEE (2009)

  10. Datta, A., et al.: Understanding and protecting privacy: formal semantics and principled audit mechanisms. In: Jajodia, S., Mazumdar, C. (eds.) ICISS 2011. LNCS, vol. 7093, pp. 1–27. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25560-1_1

  11. EnCoRe project partners: EnCoRe: Ensuring consent and revocation (2008). http://www.hpl.hp.com/breweb/encoreproject/index.html

  12. European Commission: General Data Protection Regulation (2018). https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

  13. Fawcett, T.: An introduction to ROC analysis. Pattern Recognit. Lett. 27(8), 861–874 (2006)

  14. Fisk, G., Ardi, C., Pickett, N., Heidemann, J., Fisk, M., Papadopoulos, C.: Privacy principles for sharing cyber security data. In: 2015 IEEE Security and Privacy Workshops (SPW), pp. 193–197. IEEE (2015)

  15. Garg, D., Jia, L., Datta, A.: Policy auditing over incomplete logs: theory, implementation and applications. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 151–162. ACM (2011)

  16. Koops, B.-J., Leenes, R.: Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law. International Review of Law, Computers & Technology 28(2), 159–171 (2014)

  17. Liu, Y., Muller, S., Ke, X.: A static compliance-checking framework for business process models. IBM Syst. J. 46(2), 335–361 (2007)

  18. Luckham, D.: The power of events: an introduction to complex event processing in distributed enterprise systems. In: Bassiliades, N., Governatori, G., Paschke, A. (eds.) RuleML 2008. LNCS, vol. 5321, p. 3. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-88808-6_2

  19. Movius, L.B., Krup, N.: US and EU privacy policy: comparison of regulatory approaches. Int. J. Commun. 3, 19 (2009)

  20. Mulo, E., Zdun, U., Dustdar, S.: Monitoring web service event trails for business compliance. In: 2009 IEEE International Conference on Service-Oriented Computing and Applications (SOCA), pp. 1–8. IEEE (2009)

  21. O’Leary, D.E., Bonorris, S., Klosgen, W., Khaw, Y.-T., Lee, H.-Y., Ziarko, W.: Some privacy issues in knowledge discovery: the OECD personal privacy guidelines. IEEE Expert 10(2), 48–59 (1995)

  22. Papanikolaou, N., Creese, S., Goldsmith, M., Mont, M.C., Pearson, S.: EnCoRe: towards a holistic approach to privacy. In: Proceedings of the 2010 International Conference on Security and Cryptography (SECRYPT), pp. 1–6. IEEE (2010)

  23. Roscoe, B.: The Theory and Practice of Concurrency (1998)

  24. Sarbanes-Oxley Act of 2002. Public Law 107–204 (2002)

  25. Soto-Mendoza, V., Serrano-Alvarado, P., Desmontils, E., Garcia-Macias, J.A.: Policies composition based on data usage context. In: Sixth International Workshop on Consuming Linked Data (COLD 2015) at ISWC (2015)

  26. Sundaram, A.: An introduction to intrusion detection. Crossroads 2(4), 3–7 (1996)

  27. Tran, H., et al.: An end-to-end framework for business compliance in process-driven SOAs. In: 2010 12th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), pp. 407–414. IEEE (2010)

Acknowledgement

This research was conducted as a part of the PROTECTIVE project. This project has received funding from the European Union’s Horizon 2020 research and innovation program under grant agreement No. 700071. This output reflects the views only of the author(s), and the European Union cannot be held responsible for any use which may be made of the information contained therein.

The EnCoRe project [11] was an interdisciplinary research project, a collaboration between UK industry and academia, partially funded by the UK Technology Strategy Board (TP/12/NS/P0501A), the UK Engineering and Physical Sciences Research Council and the UK Economic and Social Research Council (EP/G002541/1).

Author information

Correspondence to Jassim Happa.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Happa, J., Moffat, N., Goldsmith, M., Creese, S. (2019). Run-Time Monitoring of Data-Handling Violations. In: Katsikas, S., et al. (eds.) Computer Security. SECPRE 2018, CyberICPS 2018. Lecture Notes in Computer Science, vol. 11387. Springer, Cham. https://doi.org/10.1007/978-3-030-12786-2_13

  • DOI: https://doi.org/10.1007/978-3-030-12786-2_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-12785-5

  • Online ISBN: 978-3-030-12786-2

  • eBook Packages: Computer Science (R0)