Exploring Consequences of Privacy Policies with Narrative Generation via Answer Set Programming

TL;DR

This paper introduces a framework using Answer Set Programming to formalize and simulate the consequences of privacy policies, enhancing user understanding of policy implications through narrative generation.

Contribution

It presents a novel ASP-based approach to formalize privacy policies and simulate their consequences, improving transparency and comprehension for end-users.

Findings

Successfully formalized HIPAA privacy policies using ASP

Enabled simulation of policy consequences and compliance checks

Demonstrated potential for improved user understanding of privacy policies

Abstract

Informed consent has become increasingly salient for data privacy and its regulation. Entities from governments to for-profit companies have addressed concerns about data privacy with policies that enumerate the conditions for personal data storage and transfer. However, increased enumeration of and transparency in data privacy policies has not improved end-users' comprehension of how their data might be used: not only are privacy policies written in legal language that users may struggle to understand, but elements of these policies may compose in such a way that the consequences of the policy are not immediately apparent. We present a framework that uses Answer Set Programming (ASP) -- a type of logic programming -- to formalize privacy policies. Privacy policies thus become constraints on a narrative planning space, allowing end-users to forward-simulate possible consequences of the policy in terms of actors having roles and taking actions in a domain. We demonstrate through the example of the Health Insurance Portability and Accountability Act (HIPAA) how to use the system in various ways, including asking questions about possibilities and identifying which clauses of the law are broken by a given sequence of events.