The University of Southampton
University of Southampton Institutional Repository

Secure provenance-based auditing of personal data use

Aldeco Perez, Rocio
Moreau, Luc

Aldeco Perez, Rocio (2012) Secure provenance-based auditing of personal data use. University of Southampton, Faculty of Physical and Applied Sciences, Doctoral Thesis, 231pp.

Record type: Thesis (Doctoral)

Abstract

In recent years, an increasing number of personalised services that require users to disclose personal information have appeared on the Web (e.g. social networks, governmental sites, on-line selling sites). By disclosing their personal information, users are given access to a wide range of new functionality and benefits. However, there exists a risk that their personal information is misused.

To strike a balance between the advantages of personal information disclosure and the protection of that information, governments have created legal frameworks, such as the Data Protection Act, the Health Insurance Portability & Accountability Act (HIPAA) or Safe Harbor, which place restrictions on how organisations can process personal information. By auditing the way in which organisations use personal data, it is possible to determine whether they process personal information in accordance with the appropriate frameworks.

The traditional way of auditing collects evidence manually. This evidence is later analysed to assess the degree of compliance with a predefined legal framework. These manual assessments are time-consuming, since large amounts of data need to be analysed, and they are unreliable, since there is no guarantee that all data is correctly analysed. As several cases of data leaks and exposures of private data have shown, traditional audits are also prone to intentional and unintentional errors arising from human intervention.

Therefore, this thesis proposes a provenance-based approach to auditing the use of personal information by securely gathering and analysing electronic evidence related to the processing of personal information. This approach makes three contributions to the state of the art.

The first contribution is the Provenance-based Auditing Architecture, which defines a set of communication protocols to make existing systems provenance-aware. These protocols specify which provenance information should be gathered to verify compliance with the Data Protection Act. Moreover, we derive a set of Auditing Requirements by analysing a Data Protection Act case study and demonstrate that provenance can be used as electronic evidence of past processing.

The second contribution is the Compliance Framework, a provenance-based auditing framework for automatically auditing compliance with the Data Protection Act's principles. This framework consists of a provenance graph representation (Processing View), a novel graph-based rule representation expressing processing rules (Usage Rules Definition) and a novel set of algorithms that automatically verify whether information was processed according to the Auditing Requirements by comparing the Processing View against the Usage Rules Definition.

The third contribution is the Secure Provenance-based Auditing Architecture, which ensures that any malicious alteration of provenance during the entire provenance life cycle of recording, storage, querying and analysis can be detected. This architecture, which relies on cryptographic techniques, guarantees the correctness of the audit results.

PDF: Rocio_Aldeco-Perez's_thesis.pdf (63MB)

More information

Published date: May 2012
Organisations: University of Southampton, Electronics & Computer Science

Identifiers

Local EPrints ID: 340065
URI: https://eprints.soton.ac.uk/id/eprint/340065
PURE UUID: 72ab8c1e-9f19-4b4f-baa1-654e851fdf83
ORCID for Luc Moreau: orcid.org/0000-0002-3494-120X

Catalogue record

Date deposited: 28 Jan 2013 14:22
Last modified: 06 Jun 2018 13:04

Contributors

Author: Rocio Aldeco Perez
Thesis advisor: Luc Moreau

