Suppose you are the designer of a privacy-critical system with a set of privacy requirements to meet, and you are given a set of privacy policies and a domain model representing the operational context of the designed system. One way of satisfying such privacy requirements in your design is to justify that the disclosure of information by the system in response to an information request does not violate the associated policies. The focus of Caprice is therefore to help designers discover possible runtime privacy threats resulting from information disclosure, together with potential mitigation actions. These threats are privacy violations that system users may face in an environment where context changes frequently.

To be explicit, Caprice is meant to inform the implementation of an adaptive privacy system; it is neither that implementation itself nor a theorem prover. Rather, we believe that Caprice is a useful tool for supporting the so-called privacy-by-design paradigm by making explicit the context of privacy violations and possible mitigation actions at design time.

Target audience
Caprice is targeted at designers of any system where information disclosure is modelled as the transfer of messages between a group or community of interacting agents. Examples of such systems include mobility-based systems and devices, social networks, and energy consumption and distribution in a smart grid.

The framework for Caprice consists of three analysis steps (Figure 1).
  1. Identify the set of monitored context attributes required to satisfy privacy awareness.
  2. Based on the monitored attributes, carry out privacy threat analysis to discover operational contexts that can violate privacy.
  3. By computing the severity of each discovered threat, suggest a possible adaptation action to the designer.
Caprice builds on contextual integrity as a means to justify the preservation or violation of privacy in a system's behavioural model. Contextual integrity posits that the transfer of information about a subject from a sender to a receiver in a specific context is tied to certain transmission principles (such as notice, consent, confidentiality, etc.). In Caprice, we operationalize these transmission principles in a system by using privacy policies. Then, based on the behavioural representation of the system (as a finite state machine) and a domain model, we reason about operational contexts that threaten privacy and possible adaptation actions to ameliorate the discovered threat.

Figure 1
Caprice suggests four categories of adaptation actions based on the severity of the discovered threat: Ignore, React to, Prevent or Terminate the usage interactions that can generate the discovered threat. Threat severity is computed from the obfuscation and sensitivity levels of the disclosed information. The least severe threats can be ignored, while very severe ones are terminated. If a specific threat recurs frequently, a more severe adaptation action is recommended to the designer.
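The three steps above, worked through on a constructed example. This is added illustration code, not Caprice's own implementation: the policy structure (information type, one monitored context attribute, allowed contexts and receivers), the ordinal sensitivity and obfuscation scales, the severity formula and the one-level escalation on recurrence are all assumptions made here, since the page names the factors but not the exact computation.

```python
from dataclasses import dataclass
ACTIONS = ["Ignore", "React", "Prevent", "Terminate"]  # least to most severe adaptation

@dataclass(frozen=True)
class Disclosure:
    subject: str            # whose information is transferred
    sender: str
    receiver: str
    attribute: str          # information type, e.g. "location"
    context: dict           # observed values of the monitored context attributes
    sensitivity: int        # assumed scale 1 (low) .. 3 (high), from the domain model
    obfuscation: int        # assumed scale 0 (exact value) .. 2 (strongly obfuscated)

@dataclass(frozen=True)
class Policy:               # a transmission principle made operational
    name: str
    attribute: str          # information type the policy governs
    context_attr: str       # monitored context attribute it depends on
    allowed_contexts: frozenset
    allowed_receivers: frozenset  # empty means any receiver

def monitored_attributes(policies: list) -> set:  # Step 1: context the runtime must observe
    return {p.context_attr for p in policies}

def violates(p: Policy, d: Disclosure) -> bool:
    """Step 2: a governed disclosure is a threat when its context or receiver is not permitted."""
    ctx_ok = d.context.get(p.context_attr) in p.allowed_contexts
    rcv_ok = not p.allowed_receivers or d.receiver in p.allowed_receivers
    return d.attribute == p.attribute and not (ctx_ok and rcv_ok)

def severity(d: Disclosure) -> int:
    """Assumed scoring (0..3): sensitive data disclosed with little obfuscation scores highest."""
    return max(0, d.sensitivity - d.obfuscation)

def analyse(disclosures: list, policies: list) -> list:
    """Step 3: map each threat's severity to an action; a recurring threat escalates one level."""
    seen, actions = {}, []
    for d in disclosures:
        for p in policies:
            if violates(p, d):
                key = (p.name, d.subject, d.receiver)
                seen[key] = seen.get(key, 0) + 1
                level = min(len(ACTIONS) - 1, severity(d) + (seen[key] > 1))
                actions.append((p.name, d.receiver, ACTIONS[level]))
    return actions

# Constructed sample: a mobility app relaying Alice's location and health readings.
POLICIES = [Policy("location to friends outside home", "location", "place", frozenset({"public", "work"}), frozenset({"bob"})),
            Policy("health only with consent", "health", "consent", frozenset({"given"}), frozenset())]
DISCLOSURES = [Disclosure("alice", "app", "bob", "location", {"place": "public"}, 2, 0),
               Disclosure("alice", "app", "advertiser", "location", {"place": "public"}, 2, 0),
               Disclosure("alice", "app", "advertiser", "location", {"place": "public"}, 2, 0),
               Disclosure("alice", "app", "doctor", "health", {"consent": "withdrawn"}, 3, 2)]
```

Running `analyse(DISCLOSURES, POLICIES)` yields Prevent for the first disclosure to the advertiser, Terminate when it recurs, and React for the lightly sensitive (heavily obfuscated) health reading sent without consent.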

Last edited Mar 26, 2012 at 8:27 AM by omoronyia, version 32
