A Declarative Framework for Specifying and Enforcing Purpose-aware Policies
Riccardo De Masellis, Chiara Ghidini, Silvio Ranise

TL;DR
This paper introduces a formal declarative framework using first-order temporal logic to precisely specify and enforce purpose-aware privacy policies, addressing ambiguities and enabling runtime enforcement.
Contribution
It provides a novel formal semantics for purpose-aware policies and demonstrates the complexity of generating runtime monitors, a first in this research area.
Findings
Formal semantics for purpose-aware policies established
Algorithm for runtime monitor generation analyzed
Complexity results for monitor creation presented
Abstract
Purpose is crucial for privacy protection because it gives users confidence that their personal data are processed as intended. Available proposals for the specification and enforcement of purpose-aware policies are unsatisfactory because of their ambiguous semantics of purposes and/or their lack of support for the run-time enforcement of policies. In this paper, we propose a declarative framework based on a first-order temporal logic that allows us to give a precise semantics to purpose-aware policies and to reuse existing algorithms for the design of a run-time monitor enforcing purpose-aware policies. We also show the complexity of generating and using the monitor which, to the best of our knowledge, is the first such result in the literature on purpose-aware policies.
Taxonomy
Topics: Access Control and Trust · Security and Verification in Computing · Cloud Data Security Solutions
