Constructing Independently Verifiable Privacy-Compliant Type Systems for Message Passing between Black-Box Components
Robin Adams, Sibylle Schupp

TL;DR
This paper introduces a formal method for designing privacy-compliant message-passing architectures between black-box components, ensuring privacy guarantees without requiring source code access.
Contribution
It presents algorithms that extend architectures to satisfy privacy constraints, enabling privacy-by-design in black-box component interactions.
Findings
Algorithms successfully enforce privacy constraints
Architecture extensions guarantee privacy properties
Applicable without source code access
Abstract
Privacy by design (PbD) is the principle that privacy should be considered at every stage of the software engineering process. It is increasingly both viewed as best practice and required by law. It is therefore desirable to have formal methods that provide guarantees that certain privacy-relevant properties hold. We propose an approach that can be used to design a privacy-compliant architecture without needing to know the source code or internal structure of any individual component. We model an architecture as a set of agents or components that pass messages to each other. We present in this paper algorithms that take as input an architecture and a set of privacy constraints, and output an extension of the original architecture that satisfies the privacy constraints.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
11institutetext: Chalmers University of Technology
11email: [email protected] 22institutetext: Technische Universität Hamburg-Harburg
22email: [email protected]
Constructing Independently Verifiable Privacy-Compliant Type Systems for Message Passing between Black-Box Components
Robin Adams 11
Sibylle Schupp 22
Abstract
Privacy by design (PbD) is the principle that privacy should be considered at every stage of the software engineering process. It is increasingly both viewed as best practice and required by law. It is therefore desirable to have formal methods that provide guarantees that certain privacy-relevant properties hold. We propose an approach that can be used to design a privacy-compliant architecture without needing to know the source code or internal structure of any individual component.
We model an architecture as a set of agents or components that pass messages to each other. We present in this paper algorithms that take as input an architecture and a set of privacy constraints, and output an extension of the original architecture that satisfies the privacy constraints.
1 Introduction
Privacy by Design is the principle that privacy should be a consideration at every stage of the software design process[8]. It is increasingly seen as best practice for privacy protection, including by the International Conference of Data Protection and Privacy Commissioners[9] and the US Federal Trade Commission[14], and is a legal requirement in the EU since the General Data Protection Regulation (GDPR) came into force on 25 May 2018[13].
It is therefore desirable to create methods that will provide a guarantee that software satisfies certain privacy-relevant properties. To this end, a substantial amount of research (both formal methods and other approaches) has been devoted to this problem, including static analysis of source code (e.g. [15],[11]); real-time “taint tracking” of the data released by apps on a mobile device (e.g. [19],[12]); refinement techniques that preserve privacy properties as we refine in stages from a high-level design to code (e.g. [1],[10]); or the creation of new programming languages which include representations of privacy-relevant properties in types or annotations (e.g. [18],[16]).
We can thus design a privacy-safe application, or verify that a given application is privacy-safe, provided we can access and/or change its source code. However, in practice, many systems involve the interaction of different components, each controlled by a different person or organisation. The source code might not be available, or it might not be possible for us to change it. New versions of each component may come out regularly, so that a privacy analysis we did using an old component quickly becomes obsolete.
In this paper, we will show how we can design a type system for the messages that the components pass to each other, in such a way that we can formally prove that, if every message passed is typable under this typing system, then the privacy property must hold. We indicate how an existing unsafe component can be adapted into a component that uses this typing system by providing each component with an interface through which all messages must pass, without needing to read or modify the component’s source code.
The structure of the paper is as follows. In Section 2, we give a relatively simple but realistic example of privacy constraints that we may wish to hold, and show the architecture that our algorithms generate. In Section 3, we provide the formal definition of architecture that we use. In Section 4, we define the algorithm for a simple constraint language and prove it correct. In Section 5, we do the same development again for a stronger language of constraints, of the form (‘if possesses a term of type then must previously have possessed a term of type ’). Finally we survey some related work in Section 6, and conclude in Section 7.
2 Motivating Example
We now give an example of realistic privacy constraints that we might wish to introduce, and the architectures that are produced by our algorithms. The example is similar to an example considered by Barth et al. [4].
The US Children’s Online Privacy Protection Act (COPPA) includes the clause:
When a child sends protected information to the website, a parent must have previously received a privacy notice from the web site operator, [and] granted consent to the web site operator.
We propose to model a system as being composed of agents or components who pass messages to each other. The possible messages are provided by a type system, which consists of a set of types and a set of constructors. These two sets determine the set of terms, each of which has a type. We write to denote that the term has type .
A message is a triple (, , ), where and are agents and is a term; this represents the agent sending the piece of data to . If , then we write this message as or .
For the COPPA example, Figure 1 suggests an architecture with three agents, Child, Website, and Parent. In the initial state, Child possesses a term info : INFO, Website possesses policy : POLICY, and Child may send messages of type INFO to Website, etc. This represents a website which can send its privacy policy to the parent; the parent may send consent for the website to collect the child’s protected info; and the child may send their protected info to the website. However, at the moment, there is nothing to prevent the protected info being sent to the website without either policy or consent having been sent.
Formally, an architecture is described by specifying the following (see Definition 2):
- •
for any agent , which constructors an agent possesses in the initial state;
- •
for any two agents , , the set of types such that may pass a message of type to .
If is a type, we shall sometimes say ’ can send to ’ to mean ’ may send messages of type to ’.
We envision the designer beginning with a set of agents and a type system which describes the pieces of data they are interested in. They write down the set of privacy constraints that they wish the finished system to have. For now, we consider constraints of these two forms (see Definitions 4 and 6):
- •
: If agent has a piece of data of type , then a piece of data of type must have previously been created.
- •
: If agent has a piece of data of type , then agent must previously have had a piece of data of type .
The privacy constraints that we require for the architecture in Figure 1 include
[TABLE]
[TABLE]
The first constraint specifies that agent Website possesses INFO only if it previously has received data of type CONSENT. The second constraint specifies that agent Website possesses CONSENT only if the Parent agent has received the POLICY before. (We will add a third constraint later, in Section 5.1.)
Given privacy constraints, we show how to extend to a type system . The type system includes a set of new types . A term of type is called a certified term. As well as the plain INFO type, for example, the safe architecture contains the type . A term of this type represents a piece of data from which can extract a term of type , but no other agent can.111In practice, this would presumably be achieved by encryption, but we abstract from these implementation details here. See Section 2.1 for more discussion. There are no restrictions on which agents may receive them or send certified terms.
The type system also has types , and constructors that construct terms of type . We may think of a term of type as a proof that possesses a term of type .
The architecture created by our Algorithm 2 is shown in Fig. 2. (For space reasons, we have listed only some of the constructors and messages, and omitted the subscripts on the types and .) The algorithm creates new components , the input interface to , and , the output interface for ; and similarly input and output interfaces for and .
The constructor takes a term of type and constructs a term of type — a proof that has received a term of type . The constructor constructs a certified term of type out of a term of type , plus the proof that the preconditions for to be allowed to read a term of type , namely a term of type . The constructor then extracts the term of type from the certified term. Similar comments hold for and , and the other new constructors in Fig. 2.
It can be seen that, while may send to at any time, the only way for the data to travel any further is for a term of type to be created; this can only happen if a term of type has been created; this can only happen if a term of type reaches ; and this can only happen if has a term of type . Similar considerations hold for our other negative constraint.
We can partition the agents in Fig. 2 into three sets: , , . Each set thus consists of one of the agents from Fig. 1, plus its two new interfaces. Note that, if an agent from one set passes a message to an agent in another set, then that message has type or for some , . In the rest of this paper, we will prove two results (Theorems 4.1 and 4.2) that give general conditions such that, if an architecture can be partitioned in a way that satisfies these conditions, then a given set of privacy constraints are satisfied.
2.1 Note on Implementation
In practice, certification on the one hand, access on the other hand, could be implemented through encryption and decryption. But, other mechanisms possibly exist as well. The type systems we present in this paper abstract from these details. They specify which agents may and may not access which data, without specifying how this is to be done.
The terms of type should, in practice, ideally be an appropriate zero-knowledge proof which guarantees that possesses a term of type , without revealing the value of the term of type . Again, in this paper we abstract from the details of how this would be implemented.
However, we expect it to be possible to implement these types in such a way that the designer could publish both the set of constraints and the type system , and an independent third party (the user, a regulatory authority, or anyone else) to verify both that our algorithm maps to , and that any given message is typable under . This would greatly increase the trust that all parties can have that the global privacy policies hold true.
We also note that, if there are large numbers of agents in our system, we will need a large number of types. In our motivating example, if we have many children and many parents, then we will need types , , etc. and a way to ensure that accepts terms of type only if , requiring the use of dependent types. For now, this is left as work for the future.
3 Architectures
We now describe the language we use for specifying architectures. This system was inspired by work by le Métayer et al [3] and Barth et al [4].
An architecture consists of agents who pass messages to each other. Each message is a term that can be typed in a type system.
Definition 1 (Type System)
A type system is given by the following:
- •
A set of atomic types. The set of types is the defined inductively by:
- –
Every atomic type is a type.
- –
If and are types, then is a type.
- •
A set of constructors, each with an associated type.
The set of terms of each type is then defined inductively by:
- •
Every constructor of type is a term of type .
- •
If is a term of type and is a term of type , then is a term of type .
We write to denote that is a term of type .
In the example in Figure 1, the atomic types are , and . The constructors are which has type , which has type , and which has type . In the example in Figure 2, the architecture has been extended with new atomic types such as , and new constructors such as , which has type .
Definition 2 (Architecture)
Given a type system , an architecture over consists of:
- •
a set of agents or components;
- •
for every agent , a set of constructors that initially possesses or initially has;
- •
for every ordered pair of distinct agents , a set of atomic types that may send in a message to .
We shall write to denote that .
(Note that only terms of atomic type can be passed between agents.)
In the example in section 2, we have . The agent initially possesses the constructor , and initially possesses , and initially possesses . We have ; thus, may send messages of type to . We also have and .
We will use lower-case Greek letters , , …for agents, lower-case Roman letters , , …for terms, and capital Roman letters , , …for types. The letter is reserved for constructors.
Let us say that an agent can compute terms of type iff it possesses a constructor of type for some , …, .
Definition 3
Let be an architecture.
An event or message is an expression of the form , to be read as ‘ passes the term of type to .’ 2. 2.
A trace is a finite sequence of events. 3. 3.
A judgement is an expression of the form , which we read as “After the trace , has the term of type .”
We write for the concatenation of traces and . We write iff is a prefix of , i.e. there exists such that .
The derivable judgements are given by the rules of deduction in Figure 3. We say that is a valid trace through iff is derivable for some , , . We say that an agent possesses a term of type after , and write , iff there exists a term such that . We say that there exists a term of type after , and write , iff for some , .
The rule (init) states that, if initially possesses , then possesses in the initial state. The rule (func) states that, if an agent possesses both a function and term of the appropriate types, it may compute the term . The rule (message1) states that, after has sent to , then possesses . The rule (message2) states that, if possesses before sends a message to , then still possesses after the message is sent.
3.1 Metatheorems
We can establish the basic properties that our typing system satisfies.
Lemma 1
**
Weakening* Suppose and is a valid trace. Then .* 2. 2.
If is a valid trace, then , and . 3. 3.
Generation*
Suppose . Then there exist terms , …, () and agents , …, () such that , , and the following events occur in in order:*
[TABLE]
Further, we have , …, . 4. 4.
If , then either can compute , or there is an event in for some .
Intuitively, Generation says that if agent possesses a piece of data of type , then it must have been computed by an agent that can compute terms of type , and then passed to in a sequence of messages.
The proofs of the first three properties are by straightforward induction on derivations. Part 4 follows easily from part 3.
4 The First Algorithm
In the rest of this paper, we will consider different sets of constraints that we may wish to place on our architectures. In each case, we shall show how, given an architecture and a set of constraints , we can construct an architecture , which we call a safe architecture, that extends and satisfies all the constraints.
For our first algorithm, we consider the following constraints:
Definition 4 (Constraint)
A negative constraint has the form , where and are atomic types. We read it as: “If receives a message of type , then a term of type must have previously been created.” A trace complies with this constraint iff, for every , if for some , then for some , . 2. 2.
A positive constraint has the form , where is an atomic type. We read it as: “It must be possible for to have a term of type .” A trace complies with this constraint iff for some term .
Note
To understand part 1 of this definition, note that, if it is possible to create a term without first creating a term , then there is a trace such that for some , and for all . Thus, the condition “For every , if for some , then for some , ” captures the idea “If receives a message of type , then a term of type must have previously been created.”
Example
Consider an accountancy firm collecting personal data from the employees of a company in order to prepare a tax report. The principle of data minimization [13, Section 25] states that the accountancy firm should collect only the data that is necessary for this purpose. We can model this as follows: assume there are two types of tax return that can be prepared, and . Let initially possess and , where is required to prepare and is required to prepare . The company can send requests and to , requesting a tax return of one of the two types. We could then write constraints and to express that the accountancy firm may only possess an employee’s personal data if it is necessary for a tax return that it has been requested to prepare.
We now construct the type system that the safe architecture will use:
Definition 5 (Safe Type System)
Let be a type system and a set of agents. Let be a finite set of negative constraints over and . The safe type system is defined as follows.
- •
The atomic types of are the atomic types of together with, for every agent and atomic type in , a type , the type of certified terms of type that may only be read by .
- •
Every constructor of is a constructor of .
- •
For every and type of , let the constraints in that begin with ‘’ be
[TABLE]
Then the following are constructors of :
[TABLE]
The intention is that constructs a term of type out of a term of type and other terms which prove that the preconditions to are all satisfied. The constructor then extracts the term of type again.
Using the type system, we can state a set of conditions that guarantee that an architecture satisfies the negative constraints in .
Theorem 4.1
Let be a type system, a set of agents, and a set of negative constraints over and . Let be an architecture over with set of agents , where . Suppose there is a partition of indexed by such that:
* for all ;* 2. 2.
If and , are in different sets of the partition, then has the form for some , ; 3. 3.
If initially possesses then ; 4. 4.
For every constraint in , if an agent possesses a constructor with target , then this constructor is .
Then every trace through satisfies every negative constraint in .
The intuition behind the premises is this: the partition divides the system into parts. The part is the only part of the system that is allowed to look inside a term of type and extract the underlying term of type . Only certified terms may be passed between the parts. Thus, the only way for an agent in to possess a term of type is either for it to be computed within , or for a term of type to be passed in from another part of the system.
Proof
Let be any trace through and let be one of the constraints in . We must show that, if , then . We shall prove the more general result:
If for some , then .
So suppose for some . We may also assume without loss of generality that is the shortest trace for which this is true. By Generation and the minimality of , possesses a constructor with target . By our hypotheses, this is , and for some . Hence for some .
Now, looking at the construction of , the only constructor with target is
[TABLE]
So applying Generation again, we must have and there must be an agent which possesses with
[TABLE]
Now, is one of the types ; let it be . Then . By similar reasoning, there must be an agent that possesses one of the constructors , and . ∎
We are now ready to construct the safe architecture.
Algorithm 1
Given an architecture and a finite set of constraints , construct the architecture as follows:
The agents of are the agents of together with, for every agent of , an agent , which we call the interface to . 2. 2.
The type system of is . 3. 3.
If an agent possesses a constructor in , then possesses in . 4. 4.
For every type of , let the negative constraints that begin with be
[TABLE]
- •
Every* interface possesses for all , …, .*
- •
* posseses * 5. 5.
For every atomic type , the agents and may send to each other. 6. 6.
Any two interfaces may send messages of type to each other for any , .
Thus, in order to construct a certified term of type readable by , an interface must first obtain certified terms of all the types which the constraints require. The only way can receive a term of type is through its interface obtaining a term of type . Interfaces may pass certified terms between each other at will. An agent and its interface may exchange uncertified terms at will.
Theorem 4.2
Let be an architecture and a set of constraints. Suppose that:
For every negative constraint in , we have that cannot compute terms of type . 2. 2.
For every positive constraint , there exists a trace through that satisfies and all the negative constraints in .
Then the architecture has the following properties:
Every trace through satisfies every negative constraint in . 2. 2.
For every positive constraint , there exists a trace through that satisfies .
Proof
Part 1 follows from the previous theorem, taking .
We now show that has the following property. Part 2 of the theorem follows immediately.
If in , is an atomic type, and satisfies every negative constraint in , then there exists a valid trace through such that and for some .
The proof is by induction on , then on the derivation of . We deal here with the case where the last rule in the derivation was :
[TABLE]
By the induction hypothesis, there exists such that . By the construction of , we have and . Hence .
Now, let the negative constraints in that begin with be . By hypothesis, satisfies all these constraints. Therefore, .
Hence, by the induction hypothesis, there exists such that . Therefore,
[TABLE]
for some , …, . By Weakening, we may assume .
After extending by passing , …, as messages to , we have that can construct a term of type . After passing this term to , we have that possesses a term of type . From this, it can construct a term of type which it may then pass to , completing the required trace. ∎
5 The Second Algorithm
Supposing it is important to us, not merely that a piece of data has been created, but that a particular agent has seen it. We can extend our system to handle this type of constraint as follows.
Definition 6
In this section of the paper:
- •
a negative constraint is an expression of the form . A trace satifies this constraint iff, for every , if then .
- •
Positive constraints are as in Section 4.
Note
If , then the constraint is to be read as “if possesses a term of type , then must previously have possessed a term of type ”. (The condition is trivial.)
We show how to extend a given architecture to an architecture that uses the new privacy-safe type system. Unfortunately, we have not found a way to do this that requires no modifications to the agents in . We present below (Algorithm 2) an algorithm that requires modifications which we expect would be minor in practice, and discuss in Section 5.2 ways in which this situation could be improved in future work.
Definition 7
Given a type system , a set of agents , and a set of negative constraints over and , define the type system as follows.
- •
The types of are the types of together with, for every agent and atomic type of , a type and a type . (Intuition: a term is a certified term of type that is permitted to read. A term is proof that has held a term of type .)
- •
Every constructor of is a constructor of .
- •
For every agent and type , let the negative contraints in that begin with be
[TABLE]
Then the following are constructors of :
[TABLE]
Theorem 5.1
Let be a type system, a set of agents, and a set of negative constraints over and . Let be an architecture over with set of agents , where . Suppose that there is a partition of the agents of such that:
- •
;
- •
If and and are in different sets in the partition, then has either the form or ;
- •
If initially possesses then ;
- •
If initially possesses then cannot compute .
- •
If initially possesses and then .
Then every trace through satisfies every constraint in .
Proof
Let be a trace through and be a constraint in . We must show that, if , then . We shall prove the more general result:
If for any , then .
So suppose for some . We may assume without loss of generality that is the shortest such trace. By Generation and the minimality of , must possess a constructor with target . By our hypotheses, this is . Hence for some . Now, let the constraints in that begin with be
[TABLE]
Applying Generation, we must have , and there must be an agent that possesses such that
[TABLE]
Now, there is some such that and . We have . Since a term of type has been constructed, it must be that , as required.
We now show again how, given an architecture , we can construct an architecture that is privacy-safe.
Algorithm 2
Given an architecture and a finite set of constraints , construct the architecture as follows:
The agents of are the agents of together with, for every agent of :
- •
an agent , which we call the input interface to ;
- •
an agent , which we call the output interface to 2. 2.
The type system of is . 3. 3.
If an agent has a constructor in , then it has the constructor in . 4. 4.
For any agent and type :
- •
Every output interface possesses
- •
* possesses *
- •
* possesses * 5. 5.
For any atomic type of , may send to , and may send to . 6. 6.
Any two interfaces may send messages of type or to each other for any , .
Theorem 5.2
Let be an architecture and a set of constraints. Suppose that:
For every negative constraint in , we have that cannot compute terms of type . 2. 2.
For every positive constraint , there exists a trace through that satisfies and all the negative constraints in .
Then the architecture has the following properties:
Every trace through satisfies every negative constraint in . 2. 2.
For every positive constraint , there exists a trace through that satisfies .
Proof
Part 1 follows from Theorem 5.1, taking .
We shall now prove the following property, from which part 2 of the theorem follows.
If in and satisfies every negative constraint in , then there exists a trace through such that .
The proof is by induction on , then on the derivation of . We deal here with the case where the final step in the derivation is an instance of :
[TABLE]
By the induction hypothesis, there is a trace such that . Let the negative constraints beginning with be
[TABLE]
Then, by hypothesis,
[TABLE]
Using the fact that for all , the last step in each of these derivations must have been . Therefore,
[TABLE]
We may therefore apply the induction hypothesis to obtain traces , …, such that
[TABLE]
Now, let be the trace followed by these events:
[TABLE]
(Informally: the agent collects the term of type from and all the necessary proofs, assembles the term of type , and passes it to , who decodes it with and passes the value of to .)
We thus have in , as required. ∎
5.1 Example Revisited
We return to the example we presented in Section 2. We are now ready to formulate our third, positive constraint. We want to ensure it is possible for the website to receive the child’s information once all legal requirements have been met. So the privacy constraints that we require for this architecture are:
Negative Constraint
Negative Constraint
Positive Constraint
We can verify that the first constraint holds. The child can send the protected info to the interface , but it cannot then be sent to another agent unless receives a term of type . And for a term of type to be constructed, the parent must have sent consent to the website (via and ).
We can also verify that, in the architecture in Figure 2, it is possible for the website to send the privacy policy to the parent, the parent to send consent to the website, and the child to send the protected info to the website. Formally, we describe a valid trace through the architecture that represents this sequence of events. The trace begins
[TABLE]
Let . The trace continues:
[TABLE]
Let . The trace continues:
[TABLE]
This ends the trace which verifies that it is possible for to receive a term of type .
5.2 Note
In Fig. 2, we have had to modify the agents from Fig. 1. The agent needs to be able to output messages of type , and needs to be able to output messages of type . We believe these would be minor changes in practice. However, this is still unfortunate, because as discussed in the Introduction, we want our algorithms to apply in cases in which we are unable to change the source code of the agents in .
In practice, we could implement this by allowing to send to , and to send to , and adding the following local constraints to their behaviour:
- •
If sends to , then must previously have sent to .
- •
If sends to , then must previously have sent to .
Obtaining a formal proof of correctness for this construction requires an architecture language in which this sort of local constraint can be expressed, and we leave this for future work.
6 Related Work
Le Métayer et al. [3, 2, 7, 6] have described several languages for describing architectures and deciding privacy-related properties over them. Barth et al. [4] also give a formal definition of architectures, and show how to decide properties defined in temporal logic. Our work was heavily inspired by these systems; however, our aim was to give a method to design an architecture starting from a set of privacy properties, and not to decide whether a property holds of a given architecture.
Basin et al. [5] show how to describe privacy policies in metric first-order temporal logic (MFOTL), and how to build a component that monitors in real-time whether these policies are being violated. Nissenbaum et al [4] also describe privacy policies using linear temporal logic (LTL), and this has inspired a lot of research into systems such as P-RBAC, which enforces low-level privacy-related conditions at run-time [17]. Most of this research has concentrated on verifying at run-time whether or not a given action is permitted by a given set of privacy policies. The work presented here concentrates instead on design-time, and ensures that a high-level privacy policy is followed, no matter what actions each individual component performs with the data it receives, as long as all messages follow the given type system.
Jeeves [20] is a constraint functional language motivated by separating business logic and confidentially concerns. We could implement our (architectural) constraints in Jeeves, but would no longer have static guarantees. Other work in formal methods for privacy includes static analysis of source code [11, 15] and refinement techniques for deriving low-level designs from high-level designs in a way that preserves privacy properties [1, 10]. These approaches complement ours well, addressing properties for individual components that cannot be expressed in our constraint language, while our algorithms provide formal guarantees of global properties of the system as a whole.
Other work in formal methods for privacy has tended to concentrate either on static analysis of source code [15, 11] or on refinement techniques for deriving low-level designs from high-level designs in a way that preserves privacy properties [1, 10]. These approaches should complement ours well, providing formal guarantees for individual components of properties that cannot be expressed in our constraint language, while our algorithms provide formal guarantees of global properties of the system as a whole.
7 Conclusion
We have given two algorithms which take an architecture, and a set of constraints on that architecture, and show how the architecture may be extended in such a way that we can produce a formal proof that the negative constraints hold on every trace through the architecture, and the positive constraints are satisfiable. Moreover, we do not need to read or modify the source code of the components from the original architecture in order to do this. We believe this is a promising approach to designing large, complex systems, with many different parts designed and maintained by different people, such that we can provide a formal proof of privacy-relevant properties.
For the future, we wish to expand the language that may be used for our constraints, for example by allowing the designer to express constraints using propositional, predicate or temporal logic. We hope then to express other properties that are desirable for privacy, such as the obligation to delete data. This will require in turn expanding our type systems . We also plan to construct a prototype implementation of the interfaces described in this paper.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Alur, R., Černỳ, P., Zdancewic, S.: Preserving secrecy under refinement. Automata, Languages and Programming pp. 107–118 (2006)
- 2[2] Antignac, T., le Métayer, D.: Privacy architectures: Reasoning about data minimisation and integrity. In: Security and Trust Management — 10th International Workshop, STM 2014. pp. 17–32 (2014)
- 3[3] Antignac, T., le Métayer, D.: Privacy by design: From technologies to architectures. In: Privacy Technologies and Policy — Second Annual Privacy Forum, APF 2014. pp. 1–17 (2014)
- 4[4] Barth, A., Datta, A., Mitchell, J.C., Nissenbaum, H.: Privacy and contextual integrity: Framework and applications. In: IEEE Symposium on Security and Privacy. pp. 184–198 (2006)
- 5[5] Basin, D., Klaedtke, F., Müller, S.: Monitoring security policies with metric first-order temporal logic. In: ACM SACMAT ’10 (2010)
- 6[6] Butin, D., Chicote, M., le Métayer, D.: Log design for accountability. In: IEEE Symposium on Security and Privacy Workshops. pp. 1–7 (2013)
- 7[7] Butin, D., Chicote, M., le Métayer, D.: Reloading data protection, pp. 343–369 (2014)
- 8[8] Cavoukian, A.: Privacy by design. IEEE Technology and Society Magazine 31(4), 18–19 (2012)
