DOI: 10.1145/1102199.1102202

Maintaining privacy on derived objects

Published: 07 November 2005

Abstract

Protecting privacy means assuring users that access to their personal data complies with their preferences. However, information can be manipulated to derive new objects that may disclose part of the original information. Controlling information flow is therefore necessary for guaranteeing privacy protection, since users should know and control not only who accesses their personal data, but also who accesses information derived from their data. Current approaches to access control do not support managing the propagation of information or representing user preferences. This paper proposes to extend the Flexible Authorization Framework (FAF) in order to automatically verify whether a subject is entitled to process personal data and to derive the authorizations associated with the outcome of data processing. To control information flow, users may specify the range of authorizations that can be associated with objects derived from their data. The framework guarantees that every "valid" derived object does not disclose more information than users want and preserves the permissions that users want to maintain. To make the discussion more concrete, we illustrate the proposal with a bank case study.



Published In

WPES '05: Proceedings of the 2005 ACM workshop on Privacy in the electronic society
November 2005
116 pages
ISBN:1595932283
DOI:10.1145/1102199

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. access control
  2. data protection
  3. information flow


Conference

CCS05

Acceptance Rates

Overall Acceptance Rate 106 of 355 submissions, 30%


Article Metrics

  • Downloads (last 12 months): 4
  • Downloads (last 6 weeks): 0
Reflects downloads up to 21 Nov 2024

Cited By

  • (2016) A Policy Framework for Data Fusion and Derived Data Control. Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control, pp. 47-57. DOI 10.1145/2875491.2875492. Online publication date: 11-Mar-2016.
  • (2010) Inheriting access control rules from large relational databases to materialized views automatically. Proceedings of the 14th International Conference on Knowledge-based and Intelligent Information and Engineering Systems, Part III, pp. 426-437. DOI 10.5555/1885450.1885505. Online publication date: 8-Sep-2010.
  • (2010) Effectively and efficiently selecting access control rules on materialized views over relational databases. Proceedings of the Fourteenth International Database Engineering & Applications Symposium, pp. 225-235. DOI 10.1145/1866480.1866512. Online publication date: 16-Aug-2010.
  • (2010) Inheriting Access Control Rules from Large Relational Databases to Materialized Views Automatically. Knowledge-Based and Intelligent Information and Engineering Systems, pp. 426-437. DOI 10.1007/978-3-642-15393-8_48. Online publication date: 2010.
  • (2006) Creating Objects in the Flexible Authorization Framework. 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (Data and Applications Security XX), Volume 4127, pp. 1-14. DOI 10.5555/3127142.3127143. Online publication date: 31-Jul-2006.
  • (2006) Redirection policies for mission-based information sharing. Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies, pp. 210-218. DOI 10.1145/1133058.1133088. Online publication date: 7-Jun-2006.
