Privacy Enforcement with Data Owner-Defined Policies

Dissertation submitted by Diplom-Informatiker Thomas Scheffler to the Faculty of Mathematics and Natural Sciences of the University of Potsdam for the academic degree of Doctor of Natural Sciences (Dr. rer. nat.), prepared at the Institute of Computer Science of the University of Potsdam, Chair of Operating Systems and Distributed Systems. Potsdam, 2 September 2013.

This work is licensed under a Creative Commons License: Attribution 3.0. To view a copy of this license visit http://creativecommons.org/licenses/by/3.0/

Published online at the Institutional Repository of the University of Potsdam: URL http://opus.kobv.de/ubp/volltexte/2013/6793/ URN urn:nbn:de:kobv:517-opus-67939 http://nbn-resolving.de/urn:nbn:de:kobv:517-opus-67939

Abstract

Data privacy continues to be a very important topic, as our dependency on electronic communication maintains its current growth and private data is shared between multiple devices, users and locations. The growing amount and the ubiquitous availability of personal private data increases the likelihood of data misuse, where private data may be used against the privacy preferences of the person that is identified by it and personal information might be revealed. Documented cases of privacy breaches show that misuse of data has multiple causes; malicious intent is only one of them. A substantial number of privacy breaches also occur due to carelessness of data users and disregard of the original privacy requirements for the data. Privacy advocates like Goldberg [2003] and Stytz [2005] have long requested that technical measures should be used for the privacy protection of data in applications and data exchange protocols. Documented data breaches, such as the illegitimate sharing of airline passenger data in open conflict with the agreed privacy policy [Anton, He, and Baumer, 2004], have raised the demand for effective privacy protection.
Early privacy protection techniques, such as the anonymous email and payment systems developed by Chaum [1981, 1985], focused on data avoidance and anonymous use of services. They did not take into account that data sharing cannot be avoided if people want to participate in electronic communication scenarios that involve social interactions. Many data privacy protagonists still focus their efforts on data avoidance and limiting data collection, while society has moved on. People use social networking platforms, store personal private data online and make private data available to ‘friends’ that participate in the same ‘network’. This leads to a situation where data is shared widely and uncontrollably, and in most cases the data owner has no control over the further distribution and use of data that has been submitted to such services.

Previous efforts to integrate privacy awareness into data processing workflows have focused on the extension of existing access control frameworks with privacy-aware functions [Park and Sandhu, 2004; Sevinç and Basin, 2006] or have analysed specific individual problems such as the expressiveness of policy languages [Karjoth, Schunter, and Herreweghen, 2003; Ashley and Karjoth, 2003]. So far very few implementations of overarching privacy protection mechanisms exist that can be studied to prove their effectiveness for privacy protection. Second-level issues that stem from the practical application of the implemented mechanisms, such as usability, life-time data management and changes in trustworthiness, have received very little attention so far, mainly because they require actual implementations to be studied. This thesis proposes a mechanism for the controlled distribution and use of personal private data that combines existing concepts for the specification, distribution and enforcement of access control policies with novel ideas to build a privacy protection framework with unique properties.

Most existing privacy protection schemes silently assume that it is the privilege of the data user to define the contract under which personal private data is released. Such an approach simplifies policy management and policy enforcement for the data user, but leaves the data owner with a binary decision to submit or withhold his or her personal data based on the provided policy. It is also far from clear to the people that are providing personal data what happens when the data user changes the rules of this contract at a later time. In many cases it was shown that the stated privacy policy amounts to a simple privacy promise, because the legal text of the declaration is not directly tied to reliable practical enforcement. Our framework changes this assumption. We argue that granted rights must be automatically enforceable in order to be effective against carelessness and oversight on the side of the data user. If a privacy policy is agreed, this policy should be valid for all further access to the data. Furthermore, we want to empower the data owner to express his or her privacy preferences through privacy policies that follow the so-called Owner-Retained Access Control (ORAC) mechanism. ORAC has been proposed by McCollum, Messing, and Notargiacomo [1990] as an alternative access control mechanism that offers the originator of the data, in our case the data owner, a way to express their own access control policies. A data access rule in our framework is bound to a particular subject, which could be an individual person or an organisation. The permission that is expressed in this rule is not transitive. This means that access rules strictly apply to the named subject in the policy and cannot be delegated. The data owner is given control over the release policy for his or her personal data and he or she can set permissions or restrictions according to individually perceived trust values.

Such a policy needs to be expressed in a coherent way and must allow deterministic policy evaluation by different entities. We compared different privacy policy languages and came to the conclusion that the eXtensible Access Control Markup Language (XACML) [XACML-2.0, 2005] offers a rich set of features that can be used for the expression of privacy preferences. Our privacy policies are therefore written as a set of rules in the XACML policy description language. The privacy policy has to be communicated from the data owner to the data user, so that the data user can act accordingly. Our data protection framework augments private data with an explicit privacy policy in order to fulfil this requirement. Data and policy are stored together as a Protected Data Object that follows the Sticky Policy model as defined by Mont, Pearson, and Bramhall [2003] and Karjoth, Schunter, and Waidner [2003]. Data access policies can be referenced whenever data access is about to happen, independent of the time and location of the access. We developed a unique policy combination approach that takes usability aspects for the creation and maintenance of policies into consideration. Our privacy policy consists of three parts: a default policy provides basic privacy protection if no specific rules have been entered by the data owner; an owner policy part allows the customisation of the default policy by the data owner; a third part of the policy, the so-called safety policy, guarantees that the data owner cannot specify disadvantageous policies which, for example, exclude him or her from further access to the private data. We believe that this precaution is necessary, because the creators of the privacy policy are ordinary computer users and not trained privacy policy experts, and giving the policy administrator complete control over the policy rule base may also lead to cases where the created rules are erroneous or harmful. The combined evaluation of these three policy parts yields the necessary access decision.

The automatic enforcement of privacy policies is another important building block in our protection framework. We started our work with the development of a client-side protection mechanism that allows the enforcement of data-use restrictions after private data has been released to the data user. The client-side enforcement component for data-use policies is based on a modified Java Security Framework [Scheffler, Geiß, and Schnor, 2008], where XACML privacy policies are translated into corresponding Java permissions that can be automatically enforced by the Java Security Manager. This approach allows the privacy-aware usage of existing Java applications without implementing policy checks in the application itself. Our reference monitor implementation uses a modified Java class loader to bind the policy-derived permissions to a loaded class and thereby allows privacy enforcement for individual instances of an application class.

After evaluating the benefits and drawbacks of the client-side solution we extended our work to also offer data privacy protection for scenarios that require server-side protection mechanisms. A number of usage scenarios today require the processing of sensitive private data by service providers. Prominent examples of such a use case are location-based services. Our approach of policy enforcement through Java permissions requires the reload of application classes for different data sets, because once a Java class is loaded by the class loader, the set of permissions is fixed and cannot be adapted. We found that server-side protection mechanisms cannot easily be based on the enforcement of Java permissions by the Java Security Framework, because business applications usually follow a tiered architecture that separates different functions such as business logic, data access and data representation. Data access in a tiered business application is handled by Data Access Objects (DAOs) that might be shared by different services. Reloading a DAO for every data access is not an option. We solved this problem by extending our reference monitor design to use Aspect-oriented Programming (AOP) and the Java Reflection API to intercept data accesses in existing applications and provide a way to enforce data owner-defined privacy policies for business applications [Scheffler, Schindler, and Schnor, 2012].
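As an added illustration that is not part of the dissertation or of its Java implementation, the following Python sketch models two points the abstract makes: the combined evaluation of the three policy parts (default, owner and safety) attached to a Protected Data Object, and the interception of data-access-object calls so that the DAO itself carries no policy code. The rule format, the precedence (safety overrides owner, owner overrides default, no matching rule means deny), the generated default and safety parts and all names (`Rule`, `make_pdo`, `ProfileDAO`, the subjects and actions) are assumptions; the thesis expresses its policies in XACML and intercepts accesses with AOP, for which the decorator here is only a stand-in.

```python
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class Rule:
    """One access rule (assumed format). It is bound to exactly one named
    subject and is not transitive: a permit for 'alice' says nothing about
    anyone alice might pass the data on to."""
    subject: str
    action: str
    effect: str  # "permit" or "deny"


@dataclass
class ProtectedDataObject:
    """Sticky-policy object: the data travels together with its three policy parts."""
    owner: str
    data: dict
    default_policy: list
    owner_policy: list
    safety_policy: list


def make_pdo(owner, data, owner_rules):
    """Assumed construction: the default and safety parts are generated from the
    owner's identity, the owner part is whatever rules the owner entered."""
    default = [Rule(owner, a, "permit") for a in ("read", "write", "revoke")]
    # Safety part: the owner can never lose the ability to read or revoke,
    # whatever erroneous rule ends up in the owner part.
    safety = [Rule(owner, a, "permit") for a in ("read", "revoke")]
    return ProtectedDataObject(owner, dict(data), default, list(owner_rules), safety)


def _first_match(rules, subject, action):
    for rule in rules:
        if rule.subject == subject and rule.action == action:
            return rule.effect
    return None


def decide(pdo, subject, action):
    """Combined evaluation of the three parts. Assumed precedence: safety
    overrides owner, owner overrides default; no matching rule means deny."""
    for part in (pdo.safety_policy, pdo.owner_policy, pdo.default_policy):
        effect = _first_match(part, subject, action)
        if effect is not None:
            return effect
    return "deny"


class PolicyViolation(PermissionError):
    pass


def enforce(action):
    """Decorator standing in for AOP advice: it intercepts a DAO method before
    the body runs and consults the sticky policy of the object being accessed,
    so the DAO contains no policy code and need not be reloaded per data set."""
    def wrap(fn):
        @wraps(fn)
        def guarded(self, pdo, subject, *args, **kwargs):
            if decide(pdo, subject, action) != "permit":
                raise PolicyViolation(f"{subject} may not {action} data owned by {pdo.owner}")
            return fn(self, pdo, subject, *args, **kwargs)
        return guarded
    return wrap


class ProfileDAO:
    """Hypothetical data access object shared by several services."""

    @enforce("read")
    def read(self, pdo, subject):
        return dict(pdo.data)

    @enforce("write")
    def write(self, pdo, subject, **changes):
        pdo.data.update(changes)
        return dict(pdo.data)


def demo():
    """Constructed scenario: the owner permits alice to read, forbids own writes
    and (erroneously) denies own reads; the safety part overrides the last rule."""
    pdo = make_pdo("owner1", {"city": "Potsdam"}, [
        Rule("alice", "read", "permit"),
        Rule("owner1", "write", "deny"),
        Rule("owner1", "read", "deny"),
    ])
    dao = ProfileDAO()
    outcome = {}
    for subject, action in [("owner1", "read"), ("owner1", "write"),
                            ("alice", "read"), ("alice", "write"), ("bob", "read")]:
        try:
            getattr(dao, action)(pdo, subject)
            outcome[(subject, action)] = "permit"
        except PolicyViolation:
            outcome[(subject, action)] = "deny"
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the scenario in `demo` is the interaction of the parts: the owner's own deny on reading is neutralised by the safety part, the owner's deny on writing stands because the safety part says nothing about writes, and alice's write request is refused because no part grants it and the rule for alice does not transfer to any other subject or action.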
