Privacy as Permissible Operations: An ABAC Framework for Policy-Law Compliance
Ajay Dhakar, Arunesh Sinha, Shamik Sural

TL;DR
This paper introduces APLiance, an ABAC-based framework for efficiently verifying that organizational privacy policies comply with relevant laws, demonstrated through a real-time browser plugin for the Indian Data Protection Act.
Contribution
It presents a novel ABAC modeling approach for policy-law compliance and implements a browser plugin for real-time enforcement verification.
Findings
Effective modeling of privacy law requirements as ABAC rules
Real-time compliance checking via a publicly released browser plugin
Demonstrated applicability to India's Data Protection Act
Abstract
In recent years, many countries have started enacting laws to safeguard privacy of personal data of their citizens collected and maintained by various enterprises through websites, mobile apps, and other means. It is imperative that the privacy policies of these enterprises respect the provisions of the applicable law. In this paper, we show how such organizational privacy policies can be efficiently checked against a prevalent law. Our novel approach named APLiance (ABAC framework for Policy-Law Compliance) models the requirements of the different sections of a privacy law in the form of Attribute-based Access Control (ABAC) rules and the clauses of a privacy policy as a sequence of implied access requests. A policy is considered to be compliant with the law if these access requests are permitted by the corresponding ABAC rules. Although…
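A minimal sketch of the compliance check the abstract describes, added here as an illustration and not taken from the paper or the APLiance plugin: law sections become ABAC rules, policy clauses become implied access requests, and the policy is compliant only if every request is permitted. The section labels, attribute names and sample clauses are constructed assumptions and do not reproduce any provision of a real law.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    section: str      # hypothetical label for the law section this rule models
    operation: str    # the operation the rule permits
    conditions: dict  # attribute name -> set of values the law allows

    def permits(self, request: dict) -> bool:
        if request.get("operation") != self.operation:
            return False
        # A missing attribute yields None, which is in no allowed set: fail closed.
        return all(request.get(attr) in allowed
                   for attr, allowed in self.conditions.items())

# Constructed rules: illustrative stand-ins, not provisions of any actual law.
LAW_RULES = [
    Rule("S-collect", "collect", {"consent": {"explicit"},
                                  "purpose": {"service", "legal_obligation"}}),
    Rule("S-share", "share", {"consent": {"explicit"},
                              "recipient": {"processor"},
                              "purpose": {"service"}}),
    Rule("S-retain", "retain", {"retention": {"until_purpose_met"}}),
]

def check_policy(clauses, rules=LAW_RULES):
    """Return (compliant, violating_clause_ids).

    Deny by default: a clause whose implied request is permitted by no rule
    makes the whole policy non-compliant."""
    violations = [clause_id for clause_id, request in clauses
                  if not any(rule.permits(request) for rule in rules)]
    return (not violations, violations)

# Constructed policy clauses, each already translated into its implied request.
SAMPLE_POLICY = [
    ("clause-1", {"operation": "collect", "consent": "explicit",
                  "purpose": "service"}),
    ("clause-2", {"operation": "share", "consent": "explicit",
                  "recipient": "advertiser", "purpose": "marketing"}),
    ("clause-3", {"operation": "retain", "retention": "indefinite"}),
]

if __name__ == "__main__":
    ok, bad = check_policy(SAMPLE_POLICY)
    print("compliant" if ok else f"non-compliant clauses: {bad}")
```

Reporting the violating clause identifiers, rather than a bare yes/no, is what lets a reviewer trace a failed check back to the policy text that implied the denied request.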
