2. A Linked Data Privacy Auditing Perspective?
• Recent work on a Linked Data Publishing Framework
using two RDFS ontologies (L2TAP+SCIP) [SC12,SC14]
– Publishing privacy log events as Linked Data
• Enable log integration via secure web access to all events
– Encoding privacy‐related events in RDF
• Simple target for mapping key Contextual Integrity concepts
– SPARQL solutions for
• Log construction (from policies and dataset descriptions)
• Obligation derivation
• Log‐based auditing for compliance checking (detection of privacy
violations and attribution)
• Facilitates best practices using audit logs and
monitoring as an effective oversight regime
17/10/2014 Consens
[SC14] R. Samavi, M. P. Consens, “Publishing L2TAP Logs to Facilitate Transparency and Accountability”. In Linked Data on the Web (LDOW2014), WWW Workshops, 2014.
[SC12] R. Samavi, M. P. Consens, “L2TAP+SCIP: An audit‐based privacy framework leveraging Linked Data”. In 8th International Conference on Collaborative Computing (CollaborateCom2012), 2012.
5. L2TAP+SCIP Motivation
• Increasing need for privacy frameworks that allow
– Individuals to express their privacy preferences
– Service providers to interpret, enforce, and be held
accountable for respecting individuals’ privacy concerns
• Compliance (e.g., HIPAA Privacy Rule, Gramm‐Leach‐Bliley Act,
EU Directive 95/46/EC)
• EU Agency Recommendation (ENISA, 2011)
– Research on information accountability technology
should be promoted, aimed at the technical ability to
hold information processors accountable for their
storage, use and dissemination of third‐party data.
6. Related Work
• Linked Data privacy
– Expressing access control policies, SPPO (ACL) [Sacco, 2011]
– Using SWRL to express access rules [Mühleisen, 2010]
– Leveraging the linked data architecture for providing authorization and
access restrictions (based on WebID) [Story, 2009], [Hollenbach et al., 2009]
• Policy monitoring approaches
– LPU [Barth et al., 2006], MFOTL [Basin et al., 2010], PrivacyLFP [Datta et al., 2011]
– Use linear, metric temporal logic (LTL, MFOTL)
– Provide proof‐based systems for run time monitoring of policies
• Access control and privacy policy languages
– Expressing access control policies [Sandhu et al., 1996], [Jajodia et al., 2001]
– Expressing and enforcing privacy policies (P‐RBAC) [Ni et al., 2007], [Ni et
al., 2008], [Li et al., 2012]
8. Privacy‐Aware Preservation in OAIS
• The PDI (Preservation Description Information)
includes Access Rights Information
– Access restrictions pertaining to the Content
Information; including the legal framework, licensing
terms, and access control
– Contains access and distribution conditions stated in
the Submission Agreement, related to both
preservation (by the OAIS) and final usage (by the
Consumer)
– Includes the specifications for the application of rights
enforcement measures
29. SCIP in the Medical Research Study
[Figure: Research Team RT1 and Data Provider PhysioNet exchange an Access Request and an Access Response; the Privacy Policies, the Obligation Acceptance and the Access Response are recorded in the L2TAP Audit Log]
31. SCIP in the Medical Research Study
[Figure: the same diagram, now also recording the Performed Obligation event in the L2TAP Audit Log]
33. SCIP in the Medical Research Study
[Figure: the same diagram, now also recording the Access Activity event in the L2TAP Audit Log]
36. SCIP in the Medical Research Study
[Figure: the complete diagram with Access Request, Obligation Acceptance, Access Activity, Access Response and Performed Obligation recorded in the L2TAP Audit Log]
41. Compliance Checking via SPARQL
• Algorithm
1. Determine the individual satisfaction of each obligation
(ASK query)
2. Evaluate how the individual satisfaction of each
obligation contributes to the overall compliance of an
access request (multiple ASK queries)
3. Determine the access request compliance (SELECT
query)
• Representative compliance queries
– Which access requests are not compliant at time t?
– Which access requests have been discharged?
– What obligations are pending?
42. Step 3 Compliance Checking Query
SELECT DISTINCT ?request
WHERE {
  ?response scip:responseTo ?request .
  ?response scip:contextObligation ?obligation .
  ?response scip:accessDecision ?accessDecision .
  FILTER ((!(φ_f^t) && (φ_p^t)) && ?accessDecision) }
• Which access requests are not compliant at time t?
• Which access requests have been discharged?
• Which access requests are compliant at time t but are not yet
discharged?
Framework Extensibility:
Φ can be substituted by an expression whose
propositional value is deduced from a more
sophisticated obligation model
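The three-step algorithm of slide 41 and the Step 3 query of slide 42, worked through as an added example (not the framework's own code): a pure-Python stand-in for the SPARQL ASK/SELECT queries, run over a constructed audit log. The scip:deadline and scip:performedAt predicates, the obligation identifiers and the deadline semantics for φ_f^t / φ_p^t are assumptions; only scip:responseTo, scip:contextObligation and scip:accessDecision come from the slide.

```python
from datetime import datetime
# Constructed audit log as (subject, predicate, object) triples. The "scip:"
# predicates beyond responseTo/contextObligation/accessDecision are assumed.
LOG = [
    ("resp1", "scip:responseTo", "req1"),
    ("resp1", "scip:accessDecision", True),
    ("resp1", "scip:contextObligation", "obl1"),
    ("obl1", "scip:deadline", datetime(2014, 10, 10)),
    ("obl1", "scip:performedAt", datetime(2014, 10, 5)),  # done before deadline
    ("resp2", "scip:responseTo", "req2"),
    ("resp2", "scip:accessDecision", True),
    ("resp2", "scip:contextObligation", "obl2"),
    ("obl2", "scip:deadline", datetime(2014, 10, 10)),    # never performed
    ("resp3", "scip:responseTo", "req3"),
    ("resp3", "scip:accessDecision", True),
    ("resp3", "scip:contextObligation", "obl3"),
    ("obl3", "scip:deadline", datetime(2014, 10, 30)),    # still open at audit time
    ("resp4", "scip:responseTo", "req4"),
    ("resp4", "scip:accessDecision", False),              # denied: nothing to audit
]
AUDIT_TIME = datetime(2014, 10, 17)  # the "t" in "compliant at time t"

def objects(s, p):
    """Basic graph pattern lookup: all ?o with (s, p, ?o) in the log."""
    return [o for (s_, p_, o) in LOG if s_ == s and p_ == p]

# Step 1: per-obligation ASK queries (phi_p^t and phi_f^t from the slide).
def performed(obl, t):
    return any(done <= t for done in objects(obl, "scip:performedAt"))

def failed(obl, t):
    deadline = objects(obl, "scip:deadline")[0]
    return deadline < t and not performed(obl, deadline)  # unmet at deadline

# Step 2: fold the per-obligation answers into one access request's status.
def request_status(req, t):
    resp = next(s for (s, p, o) in LOG if p == "scip:responseTo" and o == req)
    if not objects(resp, "scip:accessDecision")[0]:
        return "denied"
    obls = objects(resp, "scip:contextObligation")
    if any(failed(o, t) for o in obls):
        return "non-compliant"       # a deadline passed unmet
    if all(performed(o, t) for o in obls):
        return "discharged"          # every obligation performed by t
    return "compliant-pending"       # nothing violated, obligations still open

# Step 3: the SELECT-style queries of the slide, selected by status.
def requests_with_status(status, t):
    reqs = sorted({o for (s, p, o) in LOG if p == "scip:responseTo"})
    return [r for r in reqs if request_status(r, t) == status]
```

The three slide questions map to requests_with_status("non-compliant", t), ("discharged", t) and ("compliant-pending", t); changing the audit time t moves requests between the three answers without touching the log.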
43. Experimental Validation
• Experimental validation of scalability and practicality
– Custom Java application (SyntheticSCIP) used to generate a hypothetical audit
log scenario with a growing number of access requests
– Six representative compliance queries timed using a Virtuoso 6 installation on
an Ubuntu server
[Figure: query time in seconds (0 to 2500) for the six queries Q1 to Q6 against the number of access requests in thousands (10, 50, 100, 400, 1,000)]