Results 1 - 10 of 31
Privacy APIs: Access control techniques to analyze and verify legal privacy policies
In CSFW ’06, 2006
Cited by 25 (3 self)
There is a growing interest in establishing rules to regulate the privacy of citizens in the treatment of sensitive personal data such as medical and financial records. Such rules must be respected by software used in these sectors. The regulatory statements are somewhat informal and must be interpreted carefully in the software interface to private data. This paper describes techniques to formalize regulatory privacy rules and how to exploit this formalization to analyze the rules automatically. Our formalism, which we call privacy APIs, is an extension of access control matrix operations to include (1) operations for notification and logging and (2) constructs that ease the mapping between legal and formal language. We validate the expressive power of privacy APIs by encoding the 2000 and 2003 HIPAA consent rules in our system. This formalization is then encoded into Promela and we validate the usefulness of the formalism by using the SPIN model checker to verify properties that distinguish the two versions of HIPAA.
Conditional Privacy-Aware Role Based Access Control
Cited by 14 (1 self)
Privacy is considered critical for all organizations needing to manage individual related information. As such, there is an increasing need for access control models which can adequately support the specification and enforcement of privacy policies. In this paper, we propose a model, referred to as Conditional Privacy-aware Role Based Access Control (P-RBAC), which supports expressive condition languages and flexible relations among permission assignments for more complex privacy policies. Efficient algorithms for detecting conflicts, redundancies, and indeterminism for a set of permission assignments are presented. In the paper we also extend Conditional P-RBAC to Universal P-RBAC by taking into account hierarchical relations among roles, data and purposes. In comparison with other approaches, such as P3P, EPAL, and XACML, our work has achieved both expressiveness and efficiency.
Privacy and Utility in Business Processes
Cited by 10 (4 self)
We propose an abstract model of business processes for the purpose of (i) evaluating privacy policy in light of the goals of the process and (ii) developing automated support for privacy policy compliance and audit. In our model, agents that send and receive tagged personal information are assigned organizational roles and responsibilities. We present approaches and algorithms for determining whether a business process design simultaneously achieves privacy and the goals of the organization (utility). The model also allows us to develop a notion of minimal exposure of personal information, for a given process. We investigate the problem of auditing with inexact information and develop methods to identify a set of potentially culpable individuals when privacy is breached. The audit methods draw on traditional causality concepts to reduce the effort needed to search audit logs for irresponsible actions.
Predicate Abstraction
, 2003
Cited by 6 (0 self)
Modern vehicles are increasingly equipped with more sensors which are connected to control units through cables for transmitting crucial real-time sensing data. To reduce the complexity and cost brought to the automotive design and production by the sensor wiring harness, replacing cables with wireless links has been proposed in [1]. With its fine capability of solving multipath fading and interference resilience, as well as its freely available spectrum, the ultra-wideband (UWB) technology is considered as a highly promising candidate for such an intra-vehicle wireless network. For the purpose of evaluating a UWB-based sensor network, compared with a wired system, from the aspects of performance and reliability in transmitting automotive sensing data, a UWB communication testbed is needed. In this paper we present our first attempt in building an intra-vehicle UWB wireless sensor network to transmit automotive speed data from four wheel speed sensors to the electronic control unit (ECU). Assembly of the testbed consists of an ABS motor control simulating system, wheel speed sensors, UWB transmitting nodes and the UWB network coordinator interfacing with the ECU. The paper also includes the description of the main testbed software modules and the report of initial measurement results. The future measurement plan and further work needed to improve the testbed are discussed in the conclusion section.
Obligations and their Interaction with Programs
Cited by 6 (0 self)
Obligations are pervasive in modern systems, often linked to access control decisions. We present a very general model of obligations as objects with state, and discuss its interaction with a program’s execution. We describe several analyses that the model enables, both static (for verification) and dynamic (for monitoring). This includes a systematic approach to approximating obligations for enforcement. We also discuss some extensions that would enable practical policy notations. Finally, we evaluate the robustness of our model against standard definitions from jurisprudence.
Inferring Privacy Policies for Social Networking Services (Position Paper)
Cited by 5 (1 self)
Social networking sites have come under criticism for their poor privacy protection track record. Yet, there is an inherent difficulty in deciding which principals should have access to users’ information or actions, without requiring them to constantly manage their privacy settings. We propose to extract such privacy settings automatically, based on the policy that information produced within a social context should remain in that social context, both to ensure privacy and to maximise utility. A machine learning approach is used to extract such social contexts automatically, and a tentative evaluation is presented.
A Policy Language for Distributed Usage Control
Cited by 5 (0 self)
We present the Obligation Specification Language (OSL), a policy language for distributed usage control. OSL supports the formalization of a wide range of usage control requirements. We also present translations between OSL and two rights expression languages (RELs) from the DRM area. These translations make it possible to use DRM mechanisms to enforce OSL policies. Furthermore, the translations enhance the interoperability of DRM mechanisms and allow us to apply OSL-specific monitoring and analysis tools to the RELs.
Compositional modeling for data-centric business applications
In Proceedings of the Workshop on Software Engineering (SC, 2008
Cited by 3 (3 self)
Data-centric business applications comprise an important class of distributed systems that includes on-line stores, document management systems, and patient portals. However, their complexity makes it difficult to design and implement them. We address these issues from a model-driven perspective by developing a formal, compositional, and domain-specific set of abstractions for the specification and analysis of data-centric business applications. Our technique allows us to formally analyze the specified system at design time; in particular we can analyze whether the system is resilient to abnormal conditions, i.e. that key system invariants can always be re-established.
Efficient Mining recurrent rules from sequence database
In SOCNUS, 2008
Cited by 3 (3 self)
We study a novel problem of mining significant recurrent rules from a sequence database. Recurrent rules have the form “whenever a series of precedent events occurs, eventually a series of consequent events occurs”. Recurrent rules are intuitive and characterize behaviors in many domains. An example is in the domain of software specifications, in which the rules capture a family of program properties beneficial to program verification and bug detection. Recurrent rules generalize existing work on sequential and episode rules by considering repeated occurrences of premise and consequent events within a sequence and across multiple sequences, and by removing the “window” barrier. Bridging the gap between mined rules and program specifications, we formalize our rules in linear temporal logic. We introduce and apply a novel notion of rule redundancy to ensure efficient mining of a compact representative set of rules. Performance studies on benchmark datasets and a case study on an industrial system have been performed to show the scalability and utility of our approach.
On Managing Social Data for Enabling Socially-Aware Applications and Services
Cited by 3 (2 self)
Applications and services that take advantage of social data usually infer social relationships using information produced only within their own context. We propose to combine social information from multiple sources into a directed and weighted social multigraph in order to enable novel socially-aware applications and services. We present GeoS, our early prototype of a geo-social data management service which implements a representative set of social inferences. We demonstrate GeoS’ potential for social applications on a collection of social data that combines collocation information and Facebook friendship declarations from 100 students.