Lead Institution: Carnegie Mellon University

Project Leader: Anupam Datta

Research Progress

  • Abstract

    Privacy policies in sectors such as healthcare often place restrictions on the purposes for which a governed entity may use personal information. For example, regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), require that hospital employees use medical information for only certain purposes, such as treatment, and not for others, such as gossip. Thus, automated methods for enforcing privacy policies require a semantics of purpose restrictions to determine whether a governed agent used information for a purpose. We provide such a semantics using a formalism based on planning. We implemented an auditing algorithm using our semantics. We also worked on understanding how to audit an organization’s information use when the auditor has limited information about and little control over the organization. For example, a public advocacy organization might wish to determine whether a hospital is obeying the purpose restrictions on information use found in HIPAA.

  • Focus of the research/Market need for this project

    Auditing systems like FairWarning and Cerner’s P2Sentinel are capable of logging the accesses to electronic medical records and answering queries about the logged accesses. These queries are crafted to identify known suspicious behaviors and do not identify the purposes motivating actions. Our algorithm is complementary: it looks for expected behaviors for the allowed purposes and flags unexpected behaviors for auditing. Thus, our method can detect emerging threats missed by the current commercial approaches.

  • Project Aims/Goals

    Our goal was to enable the automated auditing of employees and firms to determine whether they obey privacy policies that restrict the purposes for which they may use information.

  • Key Conclusions/Significant Findings/Milestones Reached

    We have concluded that auditing for purpose restrictions is possible using our planning model. We model planning using a modified version of Markov Decision Processes (MDPs) that excludes redundant actions, under a formal definition of redundancy. We argued that an action is for a purpose if and only if the action is part of a plan for optimizing the satisfaction of that purpose under the MDP model, and we validated this claim with a survey comparing our semantics to how people commonly understand the word “purpose”. Our semantics enabled us to create and implement an algorithm for automating auditing, and to describe formally and compare rigorously previous enforcement methods. We presented this work at the 2012 IEEE Symposium on Security and Privacy.
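
    The planning-based test described above can be sketched as follows. This is an added example, not the project's implementation: the toy MDP, its state and action names, the rewards, and the use of a discount factor in place of the project's formal treatment of redundant actions are all assumptions made for illustration.

```python
GAMMA = 0.9  # assumed discount: steps that do nothing for the purpose lose value

# Constructed toy MDP for the purpose "treatment" (names and numbers are assumptions).
# TRANSITIONS[state][action] = [(probability, next_state, reward), ...]
TRANSITIONS = {
    "undiagnosed": {
        "read_own_patient_record": [(1.0, "informed", 0.0)],
        "order_test": [(0.3, "diagnosed", 0.0), (0.7, "undiagnosed", 0.0)],
        "read_celebrity_record": [(1.0, "undiagnosed", 0.0)],
    },
    "informed": {
        "order_test": [(0.9, "diagnosed", 0.0), (0.1, "informed", 0.0)],
        "read_celebrity_record": [(1.0, "informed", 0.0)],
    },
    "diagnosed": {
        "treat": [(1.0, "done", 10.0)],
        "read_celebrity_record": [(1.0, "diagnosed", 0.0)],
    },
    "done": {},
}

def q_value(V, state, action):
    """Expected discounted purpose satisfaction of taking `action` in `state`."""
    return sum(p * (r + GAMMA * V[nxt]) for p, nxt, r in TRANSITIONS[state][action])

def solve(tol=1e-9):
    """Value iteration: V[s] is the best achievable satisfaction of the purpose."""
    V = {s: 0.0 for s in TRANSITIONS}
    while True:
        delta = 0.0
        for s, acts in TRANSITIONS.items():
            new = max((q_value(V, s, a) for a in acts), default=0.0)
            delta, V[s] = max(delta, abs(new - V[s])), new
        if delta < tol:
            return V

def audit(log, eps=1e-6):
    """Flag logged (state, action) pairs that no optimal plan for the purpose contains."""
    V = solve()
    flagged = []
    for state, action in log:
        known = action in TRANSITIONS.get(state, {})
        if not known or q_value(V, state, action) < V[state] - eps:
            flagged.append((state, action))
    return flagged

# Constructed access log for one employee.
LOG = [("undiagnosed", "read_own_patient_record"), ("informed", "read_celebrity_record"),
       ("informed", "order_test"), ("diagnosed", "treat")]

if __name__ == "__main__":
    print(audit(LOG))
```

    Entries that are flagged are candidates for human review, not proven violations: the check only says the action is not part of any optimal plan for the allowed purpose under the assumed model.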

    We extended our model for reasoning about when a use of information is for a purpose. We did so by using Partially Observable Markov Decision Processes (POMDPs), which support an explicit model of information. We determined information use by simulating ignorance of the information prohibited by the purpose restriction, which we related to noninterference, a traditional information security property. We used this semantics to develop a sound audit algorithm. We published this result at ESORICS 2013.

    We have determined conditions under which an auditor may determine that information usage occurred while having limited control over or information about the audited organization, a common case for outside auditors. We have developed a general model and protocols for making such determinations. We provided a short presentation (accompanied by an extended abstract) on these results at the 2013 IEEE Computer Security Foundations Symposium with a technical report providing details.

  • Materials Available for Other Investigators/interested parties

    The algorithm implementation is freely available at the following URL:

    We made protocols for auditing with limited control over the auditee available:

  • Market entry strategies

    Our auditing algorithm may be integrated into the aforementioned commercial auditing tools. We have made our software and algorithms freely available to commercial firms at:
    We are discussing our approach for auditing with limited control over the auditee with researchers at Microsoft.