ITR: Encoding Rights, Permissions and Obligations: Privacy Policy Specification and Compliance
North Carolina State University, Raleigh NC
Abstract
Award 0325269 (Ana Anton, North Carolina State)

Objectives: The objectives of the proposed work are to (a) develop a framework and software tools that support policy and requirements specification, run-time privacy enforcement and end-user privacy management, and (b) conduct surveys of members of the public who use IT systems for information transactions to investigate their perceptions of rights, permissions and obligations.

Results: There are three main expected results of this work. First, tools will be produced to aid policy makers in determining the ramifications of policy changes, so that, as policy evolves, conflicts and inconsistencies may be prevented. Second, tools will be produced to aid organizations as they enforce and verify policy compliance. Third, tools will be produced to empower end-users to manage their own privacy.

Intellectual Merit Claims: This work aims to bridge two cultures of scholarship and research: technical specification and privacy policy. Specifications of systems typically concentrate on system-level entities (e.g. cookies), whereas policy discussions emphasize fundamental rights discursively. This proposal will formulate a framework ontology of rights, permissions and obligations (RPO) based on rigorous models of obligation and action similar to those previously used by the Co-PI in research into requirements specification, but informed also by the best current models from formal jurisprudence. The proposed surveys of user views about RPOs concerning personal information in the healthcare domain are informed by the PI's previous work on methodologies of goal refinement in e-commerce and other applications of IT, and by her survey research conducted under an existing NSF ITR grant; they will directly influence the construction of tools that support the specification and compliance checking of policy-driven IT systems.

These tools in turn will integrate the framework and survey results with an industry standard privacy preferences platform, P3P, going beyond P3P to allow specification and monitoring of privacy RPOs at a semantic level that users and IT professionals share. The project team has a proven track record of successful research collaboration on requirements and policy analysis that bridges the two cultures identified. The proposed activity is creative in its foundational thinking and promises to produce currently unavailable technology and survey results. The project activities are distributed over the course of five years, with proactive management by the PI and workshops scheduled to help track progress and invite external evaluation of project results. North Carolina State University and Georgia Tech are well equipped and supported to conduct this work.