Privacy has become a significant concern in modern society as personal information about individuals is increasingly collected, used, and shared, often using digital technologies, by a wide range of organizations. To mitigate privacy concerns, organizations are required to respect privacy laws in regulated sectors (e.g., HIPAA in healthcare, GLBA in the financial sector) and to adhere to self-declared privacy policies in self-regulated sectors (e.g., the privacy policies of companies such as Google and Facebook in Web services). We investigate the possibility of formalizing and enforcing such practical privacy policies using computational techniques. We formalize privacy policies that prescribe and proscribe *flows* of personal information as well as those that place restrictions on the *purposes* for which a governed entity may use personal information. Recognizing that traditional preventive access control and information flow control mechanisms are inadequate for enforcing such privacy policies, we develop principled audit and accountability mechanisms: rather than blocking actions up front, they check logs of past behavior against the formalized policy after the fact, detect policy violations, assign blame, and punish violators, thereby encouraging policy-compliant behavior. We apply these techniques to several U.S. privacy laws and organizational privacy policies, in particular, producing the first complete logical specification and audit of all disclosure-related clauses of the HIPAA Privacy Rule.
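To make the audit idea concrete, here is a small added example (not code from the talk, the speaker, or any of the tools the abstract refers to): a log of disclosure events is checked against a policy that combines flow restrictions (which roles may send which attributes to which roles), purpose restrictions, and a clause whose permission depends on evidence that may not be in the log yet. Every clause, role, attribute, and log record below is constructed for illustration and is deliberately not a clause of HIPAA or of any real organization's policy; the three-valued outcome (compliant, violation, undetermined) is a simplification chosen for this example.

```python
"""Added illustrative example: auditing a disclosure log against flow and
purpose restrictions. All policy clauses and log records are constructed;
none of them represent HIPAA or any real policy."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Disclosure:
    time: int
    sender: str                 # governed entity that released the data
    sender_role: str
    recipient: str
    recipient_role: str
    subject: str                # person the information is about
    attribute: str              # e.g. "diagnosis"
    purpose: str                # purpose declared for this flow
    authorized: Optional[bool]  # None = subject's authorization not (yet) logged


@dataclass(frozen=True)
class Clause:
    """A permission (allow=True) or prohibition (allow=False). None = wildcard."""
    name: str
    allow: bool
    sender_role: Optional[str] = None
    recipient_role: Optional[str] = None
    attribute: Optional[str] = None
    purposes: Optional[frozenset] = None   # permitted purposes; None = any
    requires_authorization: bool = False   # permission conditional on evidence

    def matches(self, d: Disclosure) -> bool:
        return (self.sender_role in (None, d.sender_role)
                and self.recipient_role in (None, d.recipient_role)
                and self.attribute in (None, d.attribute)
                and (self.purposes is None or d.purpose in self.purposes))


# Constructed (hypothetical) policy: flow + purpose restrictions.
POLICY = [
    Clause("treatment-flow", allow=True, sender_role="provider",
           recipient_role="provider", purposes=frozenset({"treatment"})),
    Clause("payment-flow", allow=True, sender_role="provider",
           recipient_role="insurer", purposes=frozenset({"payment"})),
    Clause("research-with-authorization", allow=True, sender_role="provider",
           recipient_role="researcher", requires_authorization=True),
    Clause("no-employer-disclosure", allow=False, recipient_role="employer"),
]


def audit_one(d: Disclosure, policy=POLICY):
    """Return (verdict, blamed_entity_or_None, reason).

    Prohibitions win over permissions; a flow with no permitting clause is a
    violation; a permission that depends on evidence missing from the log
    yields 'undetermined' rather than a guess."""
    for c in policy:
        if not c.allow and c.matches(d):
            return "violation", d.sender, f"prohibited by {c.name}"
    permitting = [c for c in policy if c.allow and c.matches(d)]
    if not permitting:
        return "violation", d.sender, "no clause permits this flow/purpose"
    unconditional = [c for c in permitting if not c.requires_authorization]
    if unconditional:
        return "compliant", None, f"permitted by {unconditional[0].name}"
    conditional = permitting[0]
    if d.authorized is None:
        return "undetermined", None, f"{conditional.name} needs authorization; not in log"
    if d.authorized:
        return "compliant", None, f"permitted by {conditional.name} (authorized)"
    return "violation", d.sender, f"{conditional.name} needs authorization; absent"


def audit(log, policy=POLICY):
    """Audit every event; blame is attached only to violations."""
    return [(d.time, *audit_one(d, policy)) for d in log]


# Constructed sample log (hypothetical entities).
SAMPLE_LOG = [
    Disclosure(1, "hospital", "provider", "clinic", "provider", "pat1", "diagnosis", "treatment", None),
    Disclosure(2, "hospital", "provider", "acme_ins", "insurer", "pat1", "diagnosis", "marketing", None),
    Disclosure(3, "hospital", "provider", "univ_lab", "researcher", "pat2", "genetic_test", "research", None),
    Disclosure(4, "hospital", "provider", "bigcorp", "employer", "pat2", "diagnosis", "treatment", True),
    Disclosure(5, "hospital", "provider", "univ_lab", "researcher", "pat3", "genetic_test", "research", False),
]

if __name__ == "__main__":
    for time, verdict, blame, reason in audit(SAMPLE_LOG):
        print(f"t={time}: {verdict:12} blame={blame} ({reason})")
```

The event at t=3 is the interesting one: the policy permits the flow only if the subject authorized it, and the log has no record either way, so the auditor reports it as undetermined and would re-check once the missing evidence is logged, instead of either blocking the flow in advance or silently treating it as compliant.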
Anupam Datta is an Assistant Research Professor at Carnegie Mellon University, where he has appointments in the CyLab, Electrical & Computer Engineering, and (by courtesy) Computer Science departments. His research focuses on the scientific foundations of security and privacy. Dr. Datta has authored a book and over 40 other publications and presented numerous seminars on programming language, logical, and algorithmic methods for privacy, software system security, and cryptographic protocol analysis and design. He serves on the Steering Committee of the IEEE Computer Security Foundations Symposium, and has served as Program and General Chair of several meetings on security foundations and on the program committees of top security and privacy conferences. He participates in the NSF TRUST center on security and the HHS SHARPS center on healthcare security and privacy. Dr. Datta obtained Ph.D. and M.S. degrees from Stanford University and a B.Tech. from IIT Kharagpur, all in Computer Science.