An official website of the United States government
An essential requirement of any information management system is to protect data and resources against breach or improper modifications, while at the same time ensuring data access to legitimate users. Systems handling personal data are mandated to track its flow to comply with data protection regulations. We have built a novel framework that integrates semantically rich data privacy knowledge graph with Hyperledger Fabric blockchain technology, to develop an automated access-control and audit mechanism that enforces users' data privacy policies while sharing their data with third parties. Our blockchain based data-sharing solution addresses two of the most critical challenges: transaction verification and permissioned data obfuscation. Our solution ensures accountability for data sharing in the cloud by incorporating a secure and efficient system for End-to-End provenance. In this paper, we describe this framework along with the comprehensive semantically rich knowledge graph that we have developed to capture rules embedded in data privacy policy documents. Our framework can be used by organizations to automate compliance of their Cloud datasets.
more »
« less
Dependable Public Ledger for Policy Compliance, a Blockchain Based Approach
The ever increasing amount of personal data accumulated by companies offering innovative services through the cloud, Internet of Things devices and, more recently, social robots has started to alert consumers and legislative authorities. In the advent of the first modern laws trying to protect user privacy, such as the European Union General Data Protection Regulation, it is still unclear what are the tools and techniques that the industry should employ to comply with regulations in a transparent and cost effective manner. We propose an architecture for a public blockchain based ledger that can provide strong evidence of policy compliance. To address scalability concerns, we define a new type of off-chain channel that is based on general state channels and offers verification for information external to the blockchain. We also create a model of the business relationships in a smart home setup that includes a social robot and suggest a sticky policy mechanism to monitor cross-boundary policy compliance.
more »
« less
- Award ID(s):
- 1657548
- PAR ID:
- 10099174
- Date Published:
- Journal Name:
- 39th IEEE International Conference on Distributed Computing Systems (ICDCS 2019)
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Irfan Awan; Muhammad Younas; Jamal Bentahar; Salima Benbernou (Ed.)Multi-site clinical trial systems face security challenges when streamlining information sharing while protecting patient privacy. In addition, patient enrollment, transparency, traceability, data integrity, and reporting in clinical trial systems are all critical aspects of maintaining data compliance. A Blockchain-based clinical trial framework has been proposed by lots of researchers and industrial companies recently, but its limitations of lack of data governance, limited confidentiality, and high communication overhead made data-sharing systems insecure and not efficient. We propose π²πππΎπππΊ, a privacy-preserving smart contracts framework, to manage, share and analyze clinical trial data on fabric private chaincode (FPC). Compared to public Blockchain, fabric has fewer participants with an efficient consensus protocol. π²πππΎπππΊ consists of several modules: patient consent and clinical trial approval management chaincode, secure execution for confidential data sharing, API Gateway, and decentralized data governance with adaptive threshold signature (ATS). We implemented two versions of π²πππΎπππΊ with non-SGX deploys on AWS blockchain and SGX-based on a local data center. We evaluated the response time for all of the access endpoints on AWS Managed Blockchain, and demonstrated the utilization of SGX-based smart contracts for data sharing and analysis.more » « less
-
Data privacy policy requirements are a quickly evolving part of the data management domain. Healthcare (e.g., HIPAA), financial (e.g., GLBA), and general laws such as GDPR or CCPA impose controls on how personal data should be managed. Relational databases do not offer built-in features to support data management features to comply with such laws. As a result, many organizations implement ad-hoc solutions or use third party tools to ensure compliance with privacy policies. However, external compliance framework can conflict with the internal activity in a database (e.g., trigger side-effects or aborted transactions). In our prior work, we introduced a framework that integrates data retention and data purging compliance into the database itself, requiring only the support for triggers and encryption, which are already available in any mainstream database engine. In this demonstration paper, we introduce DBCompliant β a tool that demonstrates how our approach can seamlessly integrate comprehensive policy compliance (defined via SQL queries). Although we use PostgreSQL as our back-end, DBCompliant could be adapted to any other relational database. Finally, our approach imposes low (less than 5%) user query overhead.more » « less
-
This paper is part of a larger project investigating the role of politics and policy design on suitability and energy transitions from the FSU participants in the Sustainable Healthy Cities Network. The City of Tallahassee FL is used as a test bed to examine how policy design is linked to individual behavior and outcomes. This specific piece examines voluntary compliance and explores actor motivations to comply with non-mandatory directives. We investigate the conditions and motivations shaping household-level decisions related to voluntary compliance within an energy audit (low-commitment) and a loan (high-commitment) program. We find evidence of different economic and social motivations at play, and discuss the research implications for policy design and implementation.more » « less
-
The General Data Protection Regulation (GDPR) and other recent privacy laws require organizations to post their privacy policies, and place specific expectations on organisations' privacy practices. Privacy policies take the form of documents written in natural language, and one of the expectations placed upon them is that they remain up to date. To investigate legal compliance with this recency requirement at a large scale, we create a novel pipeline that includes crawling, regex-based extraction, candidate date classification and date object creation to extract updated and effective dates from privacy policies written in English. We then analyze patterns in policy dates using four web crawls and find that only about 40% of privacy policies online contain a date, thereby making it difficult to assess their regulatory compliance. We also find that updates in privacy policies are temporally concentrated around passage of laws regulating digital privacy (such as the GDPR), and that more popular domains are more likely to have policy dates as well as more likely to update their policies regularly.more » « less
- Free Publicly Accessible Full Text
-
Accepted Manuscript1.0
- Conference Paper:
- The DOI is not currently available.
