
Custard: Computing Norm States over Information Stores

Amit K. Chopra, School of Computing and Communications, Lancaster University, Lancaster, LA1 4WA, UK, [email protected]
Munindar P. Singh, Department of Computer Science, North Carolina State University, Raleigh, NC 27695-8206, USA, [email protected]

Appears in: Proceedings of the 15th International Conference on Autonomous Agents and Multiagent Systems (AAMAS 2016), J. Thangarajah, K. Tuyls, C. Jonker, S. Marsella (eds.), May 9–13, 2016, Singapore. Copyright © 2016, International Foundation for Autonomous Agents and Multiagent Systems (www.ifaamas.org). All rights reserved.

ABSTRACT

Norms provide a way to model the social architecture of a sociotechnical system (STS) and are thus crucial for understanding how such a system supports secure collaboration between principals, that is, autonomous parties such as humans and organizations. Accordingly, an important challenge is to compute the state of a norm instance at runtime in a sociotechnical system.

Custard addresses this challenge by providing a relational syntax for schemas of important norm types along with their canonical lifecycles and providing a mapping from each schema to queries that compute instances of the schema in different lifecycle stages. In essence, Custard supports a norm-based abstraction layer over underlying information stores such as databases and event logs. Specifically, it supports deadlines; complex events, including those based on aggregation; and norms that reference other norms.

We prove important correctness properties for Custard, including stability (once an event has occurred, it has occurred forever) and safety (a query returns a finite set of tuples). Our compiler generates SQL queries from Custard specifications. Writing out such SQL queries by hand is tedious and error-prone even for simple norms, thus demonstrating Custard's practical benefits.

1. INTRODUCTION

A sociotechnical system (STS) involves social elements or principals, such as autonomous humans or organizations, and technical elements such as IT resources. We understand an agent as a software entity that acts on behalf of a principal in an STS.

Norms provide a standard of correctness for interactions among the principals, thereby capturing the social architecture of an STS [37]. Specifically, a norm captures how the principals ought to interact: it provides a social-level, yet computational, encoding of an integrity or security (for simplicity, including privacy) requirement regarding their collaboration. An example norm would be that a physician is prohibited by the hospital from disclosing identifying information about a patient. Such a norm helps characterize security at the social level independently of the implementation. Therefore, representing norms is crucial for an agent to determine how to act; and how to evaluate compliance and accountability of others.

We distinguish norm schemas from instances. A norm schema or specification describes a norm in general terms, such as a prohibition against disclosing information about a patient. A norm instance would specify the specific patient whose information has been received. Some instances of a norm may be violated and some satisfied. We consider important norm types from the literature, namely, commitment, authorization, prohibition, and power [4, 22, 26, 36]. Each of these norm types involves a canonical lifecycle [36], discussed in Figure 3, in which a norm instance may be created, expired, detached, discharged, or violated.

Norms as institutional facts are elements of social reality in the sense of Searle [31] and as such are realized through and reflected in brute facts [3], that is, low-level information. In our setting, brute facts are recorded in databases and event logs; often, these events correspond to messages sent and received. However, Searle's claims about mental representation are inapplicable here [7, 16, 30, 32].

An important challenge in realizing norms, therefore, is how to compute norm instances from brute facts. To this end, we treat (1) norms on par with information schemas and (2) database relations as stores of norm instances in various lifecycle stages. For example, an information store may indicate which instances of a prohibition are expired and which are violated. In general, we would like to specify nested norms—for example, a commitment to inform patients of the violation of a prohibition on disclosing their private information. Figure 1 illustrates our approach in conceptual terms.

[Figure 1: Custard realizes norms over information stores. An agent can query a virtual norm store for norm instances; Custard computes and retrieves such instances based on events in the underlying information store. Layers shown: Norm-Aware Agent; Norm Store (virtualized as Custard queries); Traditional Information Store (event log, relational database).]

Our contributions are as below. First, we propose Custard, a language for specifying information-based norms, including commitments, authorizations, prohibitions, and powers. Custard is event-based: important stages in the lifecycle of a norm instance, specifically, its creation, detachment, expiration, discharge, and violation, are event instances and inferred from event instances recorded in the underlying information store. Custard supports complex event expressions involving logic operators, aggregation operators, relative time intervals within which events should occur, and nested norms. We give the semantics of Custard via queries in the tuple relational calculus (TRC) [15]. Effectively, for every norm specified in Custard, we define a query (expression) for each stage in the norm's canonical lifecycle, which yields all instances of the norm in that stage. The benefit of using the TRC is that it maps well to underlying representations and paves the way for easy implementation in widely used query languages such as SQL.

Second, we formulate and prove two desirable properties for Custard. Stability is monotonicity over time: once an event instance has occurred, it stays occurred forever. For example, a prohibition instance violated at one moment remains violated at all future moments. Ensuring stability requires a correct treatment of time. Safety captures the idea that queries map to finite sets.

Third, because of Custard's support for specifying the nonoccurrence of an event, aggregation, and expressive time intervals, the TRC queries for a norm turn out to be nontrivial. As Section 4 shows, even a simple Custard specification yields SQL queries that are complex and an order of magnitude longer. Writing such queries by hand would be highly tedious, time-consuming, and error-prone. To demonstrate the practical benefits of Custard, we implemented a compiler that generates SQL queries from Custard specifications.

2. SAMPLING CUSTARD IN PRIVACY

We demonstrate the effectiveness of Custard by modeling a real-world privacy consent scenario being considered by Health Level Seven (HL7) [18], which is a leading standardization body for health information systems. A patient signs up with a cloud-based health vault provider to store and manage access to its private health information (PHI). This information may include records of the patient's vital signs such as blood pressure and blood sugar, for example, as monitored by wearable devices and uploaded to the vault. The patient may authorize third parties, such as a health coach, to receive the PHI from the vault by indicating consent. A patient may revoke an authorization. The overseeing jurisdictional authority empowers the patient to grant or revoke such authorizations. In general, third parties authorized by the patient to access information are prohibited from forwarding the information they receive to yet other parties. Parties may be sanctioned for violating this prohibition.

Listing 1 shows an information schema for this healthcare setting. It describes a number of event specifications as relations, each annotated with its key and timestamp attributes. No two instances of an event (specification) may have identical bindings for the key; for every instance, the timestamp attribute records the time of occurrence of the instance. The key of one event may occur in another. For example, accID occurs in Allowed. Such foreign keys enable correlation: every Allowed instance can be correlated by a Signedup instance via the binding for accID in the former. In general, correlations may be effected via chaining of foreign keys. For example, a Revoked instance is correlated with an Allowed instance by discID, and, therefore, with Signedup via accID.

Listing 1 (information schema for the healthcare setting):

  key accID time t
  //pID allows disclosure to third party tpID
  Allowed(pID, hID, discID, accID, tpID, info)
  key discID time t
  //pID revokes disclosure for tpID
  Revoked(pID, hID, discID)
  key discID time t
  //hID sends creds to tpID if disclosure allowed
  SentCred(hID, tpID, discID, credentials)
  key discID time t
  //tpID requests patient data from hID
  ReqData(tpID, hID, reqID, discID, request)
  key reqID time t
  //tpID gets access to the requested data
  Accessed(tpID, hID, reqID, response)
  key reqID time t
  //tpID forwards data to party otherID
  Forwarded(tpID, otherID, forID, reqID, response)
  key forID time t
  //hID sanctions tpID for mishandling information
  Sanction(hID, tpID, discID, details)
  key discID time t

Notice that there can be at most one SentCred instance for an Allowed instance as their keys are identical. For every disclosure to a third party, there can be zero or more requests for data from

We build on recent work that understands norm types such as commitment, authorization, prohibition, and power as directed social expectations between agents [36, 37]. Figure 2 shows important elements of our conceptual model.

[Figure 2: Simplified metamodel for norms (based on [36]). Elements shown: Agent (as expecter and expectee), Norm (Instance), Antecedent, Consequent; norm types Commit, Authorize, Prohibit, Empower.]

In Figure 2, each (created) norm instance is a conditional expectation, whose antecedent states the condition under which the force of the norm, given by the consequent, applies. The expector and expectee represent the privileged and liable parties, respectively.
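As an added example (my own Python/SQLite code, not the paper's Custard compiler or its generated SQL), the script below stores the Listing 1 events as tables (Signedup omitted, since its attributes are not given above) and computes, by chaining the foreign keys Forwarded.reqID -> ReqData.reqID and ReqData.discID -> Allowed.discID, the violated instances of the forwarding prohibition as of a time now, plus those for which no Sanction has yet been recorded. The sample events, the parameter now, and the choice of Allowed as the event that creates a prohibition instance are constructed assumptions.

```python
import sqlite3

# Event relations from Listing 1 as SQLite tables (Signedup omitted: its attributes
# are not given above). Each keeps its key and a timestamp attribute t.
SCHEMA = """
CREATE TABLE Allowed   (pID, hID, discID PRIMARY KEY, accID, tpID, info, t INTEGER);
CREATE TABLE ReqData   (tpID, hID, reqID PRIMARY KEY, discID, request, t INTEGER);
CREATE TABLE Accessed  (tpID, hID, reqID PRIMARY KEY, response, t INTEGER);
CREATE TABLE Forwarded (tpID, otherID, forID PRIMARY KEY, reqID, response, t INTEGER);
CREATE TABLE Sanction  (hID, tpID, discID PRIMARY KEY, details, t INTEGER);"""

# Constructed sample events: patient p1 allows disclosures d1 (to coach c1) and d2
# (to coach c2); both coaches fetch data, only c1 forwards it; h1 sanctions c1 at t=12.
EVENTS = """
INSERT INTO Allowed   VALUES ('p1','h1','d1','a1','c1','vitals',1),
                             ('p1','h1','d2','a1','c2','vitals',2);
INSERT INTO ReqData   VALUES ('c1','h1','r1','d1','bp',3), ('c2','h1','r2','d2','bp',4);
INSERT INTO Accessed  VALUES ('c1','h1','r1','bp-data',5), ('c2','h1','r2','bp-data',6);
INSERT INTO Forwarded VALUES ('c1','x9','f1','r1','bp-data',8);
INSERT INTO Sanction  VALUES ('h1','c1','d1','forwarded PHI',12);"""

# Modelling assumption (not a Custard specification from the paper): one instance of
# the forwarding prohibition per Allowed disclosure, violated once the third party
# forwards data obtained under that disclosure. Restricting every event to t <= :now
# gives the state "as of" a time; since rows are never deleted, a violated instance
# stays violated for every later now (the stability property).
VIOLATED = """
SELECT DISTINCT a.discID, a.tpID, f.otherID
FROM Allowed a
JOIN ReqData   r ON r.discID = a.discID AND r.tpID = a.tpID AND r.t <= :now
JOIN Accessed  x ON x.reqID = r.reqID AND x.t <= :now
JOIN Forwarded f ON f.reqID = r.reqID AND f.t <= :now
WHERE a.t <= :now"""

def build_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + EVENTS)
    return conn

def violated(conn, now):
    """Violated prohibition instances (discID, tpID, otherID) as of time now."""
    return conn.execute(VIOLATED, {"now": now}).fetchall()

def unsanctioned(conn, now):
    """Violated instances for which hID has not yet recorded a Sanction."""
    sql = (f"SELECT discID, tpID FROM ({VIOLATED}) v WHERE NOT EXISTS "
           "(SELECT 1 FROM Sanction s WHERE s.discID = v.discID AND s.t <= :now)")
    return conn.execute(sql, {"now": now}).fetchall()
```

Calling violated(build_store(), now) for now = 7, 8 and 100 shows the instance appearing once the Forwarded event is in the store and never disappearing afterwards.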