On the Semantics of Purpose Requirements in Privacy Policies (CMU-CS-11-102)

Privacy policies often place requirements on the purposes for which a governed entity may use personal information. For example, regulations, such as HIPAA, require that hospital employees use medical information for only certain purposes, such as treatment. Thus, using formal or automated methods for enforcing privacy policies requires a semantics of purpose requirements to determine whether an action is for a purpose or not. We provide such a semantics using a formalism based on planning. We model planning using a modified version of Markov Decision Processes, which exclude redundant actions for a formal definition of redundant. We use the model to formalize when a sequence of actions is only for or not for a purpose. This semantics enables us to provide an algorithm for automating auditing, and to describe formally and compare rigorously previous enforcement methods. This research was supported by the US Army Research Office under grants DAAD19-02-1-0389 and W911NF09-1-0273 to CyLab and by the National Science Foundation (NSF) grant CCF0424422. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity. ∗ On May 10, 2012, the above funding acknowledgements were corrected. No other changes were made. This manuscript was submitted to the 24th IEEE Computer Security Foundations Symposium.