
Section: New Results

Privacy policies

Participants: Julien Le Clainche, Daniel Le Métayer, Guillaume Piolle, Romuald Thion.

Despite apparently strong legal protections, many citizens feel that information technologies have invaded so much of their lives that they no longer have suitable guarantees about their privacy. As a matter of fact, many aspects of new information technologies make privacy protection difficult to put into practice. Many data communications already take place on the Internet without the users noticing, and the situation is going to get worse with the advent of “ambient intelligence” or “pervasive computing” [23]. One of the most challenging privacy issues in this context is compliance with the “informed consent” principle, which is a cornerstone of most data protection regulations. For example, Article 7 of the EU Directive 95/46/EC states that “personal data may be processed only if the data subject has unambiguously given his consent” (unless waiver conditions are satisfied, such as the protection of the vital interests of the subject). In addition, this consent must be informed in the sense that the controller must provide sufficient information to the data subject, including “the purposes of the processing for which the data are intended”. Technically speaking, the consent of the subject can be implemented via a “privacy policy” which should reflect his choices in terms of disclosure and use of personal data. However, privacy is a very subtle notion and the definition, implementation and practical use of privacy policies raise a number of challenges. Licit has tackled these issues from three complementary perspectives in 2009: legal, theoretical and practical:

Legal perspective on the implementation of privacy policies

We have studied the legal issues raised by the implementation of privacy policies through “Privacy Agents”, dedicated software components acting as “surrogates” of the subjects and managing their personal data on their behalf. The subject can define his privacy requirements once and for all, with all information and assistance required, and then rely on his Privacy Agent to implement these requirements faithfully. This technical solution triggers a number of questions from the legal side: for example, to what extent should a consent delivered via a software agent be considered as legally valid? Are the current regulations flexible enough to accept this kind of delegation to an automated system? Can the Privacy Agent be “intelligent” enough to deal with all possible situations? Should subjects really rely on their Privacy Agent and what would be the consequences of any error (bug, misunderstanding...) in the process?

In order to shed some light on these legal issues, we have focused on three main aspects of consent: (1) its legal nature (unilateral versus contractual act), (2) its essential features (qualities and defects) and (3) its formal requirements. In a second stage, we have drawn on the lessons learned from this legal analysis to put forward design choices ensuring that Privacy Agents can be used as valid means to deliver the consent of the data subject [6]. Several kinds of Privacy Agents have been proposed (Subject Agents, Controller Agents and Auditor Agents) and the roles of the different actors involved in the process have been defined precisely. Privacy policies themselves can be expressed in a restricted (pattern-based) dedicated natural language. In order to avoid ambiguities in the expression of the policies, a mathematical semantics of the privacy language has been defined. This mathematical semantics characterizes precisely the expected behaviour of the Privacy Agents (based on the privacy policies defined by their users) in terms of compliant execution traces. In addition, all privacy-related actions can be recorded into log files and used as evidence in case of legal dispute.

This work is an illustration of the privacy by design approach [11]. Beyond the specific application to privacy, we have studied in a systematic way the different modes of organization of regulations, the means to measure their practical results (relevance, effectiveness, efficiency, etc.) and the potential effects of the use of technologies on these results [9]. Current privacy regulations have been assessed with respect to these criteria, as has the Software Agent solution put forward here (which appears to implement three regulation modes: administrative controls, deontological rules and liability rules).

A logical framework for the expression of privacy policies

As mentioned above, privacy is quite a subtle notion and the definition of a formal framework for expressing privacy properties and reasoning about them is of prime importance. A major challenge in this respect is to find the appropriate way of integrating deontic and temporal operators. Deontic operators are required because privacy policies are typically expressed in terms of obligations and interdictions. Temporal operators are necessary because obligations and interdictions usually come with deadlines: for example, the controller must inform the data subject before forwarding his data to a third party or must delete the data within a given period of time. Our work on this topic is the follow-up of a thesis prepared in the LIG laboratory (Magma team), which has put forward a number of requirements for a suitable integration of deontic and logical operators to express privacy properties (e.g. propagation of obligations until the obligation is met or the deadline is reached, monotony with respect to deadlines, etc.) and has studied their implications in a new deontic logic for privacy (DLP). DLP includes past and future operators as well as an obligation operator, and its semantics is defined over Kripke-like bi-dimensional structures. It has been shown, by translation into DLP, that existing proposals do not satisfy all the requirements, and new ways of expressing obligations with deadlines which meet these requirements have been proposed. This model has been used to express typical rules occurring in privacy regulations and to check that it conveys the intuitive meaning [7].
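The two rules quoted above (inform before forwarding, delete within a given period) can be checked against a log of privacy-related actions, in the spirit of the compliant execution traces mentioned earlier. The following is an added illustration, not code from the report and not the DLP semantics: it is a simplified finite-trace audit, and the event names, `retention` and `now` are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: int        # abstract timestamp
    action: str   # "collect", "inform", "forward" or "delete" (assumed names)
    data: str     # identifier of a personal data item

def check_trace(trace, retention, now):
    """Audit a finite log up to time `now`; return (time, data, reason) violations."""
    violations, informed, pending = [], set(), {}   # pending: data -> deadline

    def expire(t):
        # A pending obligation propagates until its deadline; once time has
        # moved strictly past the deadline it is recorded as violated.
        for d in [d for d, dl in pending.items() if t > dl]:
            violations.append((pending.pop(d), d, "not deleted by deadline"))

    for ev in sorted(trace, key=lambda e: e.t):     # stable: ties keep log order
        expire(ev.t)
        if ev.action == "collect":
            # Assumption: collecting again does not extend an existing deadline.
            pending.setdefault(ev.data, ev.t + retention)
        elif ev.action == "inform":
            informed.add(ev.data)
        elif ev.action == "forward" and ev.data not in informed:
            violations.append((ev.t, ev.data, "forwarded before inform"))
        elif ev.action == "delete":
            pending.pop(ev.data, None)              # obligation met, stops propagating
    expire(now)
    return violations

# Constructed sample log (not taken from the report).
LOG = [
    Event(0, "collect", "rec1"), Event(1, "inform", "rec1"),
    Event(2, "forward", "rec1"), Event(3, "collect", "rec2"),
    Event(4, "forward", "rec2"),     # rec2 subject was never informed
    Event(5, "delete", "rec1"),
    Event(20, "delete", "rec2"),     # too late when retention is 10
]

if __name__ == "__main__":
    for v in check_trace(LOG, retention=10, now=20):
        print(v)
```

Raising `retention` can only remove deadline violations from the result, never add any, which is the monotony with respect to deadlines that the requirements ask for.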

Privacy policies for healthcare records

Healthcare is one of the most demanding areas with respect to privacy policies and subject consent. First, there is strong pressure to implement electronic healthcare records for a variety of reasons: data availability, quality of care, cost reduction, etc. But the management of healthcare records is quite challenging because healthcare data are considered as sensitive from a legal point of view (with stronger constraints on collection and use) and such records can potentially be accessed by a large number of actors with different privileges (doctors, surgeons, physicians, nurses, etc.). Appropriate means should be provided to allow the patient to define his privacy policy with the required level of detail and confidence. In collaboration with the SMIS project team, we have defined EBAC, an event-based access control model which can be used by the patient to mask healthcare records in his folder [14]. The model is based on the concepts of events, episodes and trust relations. Each healthcare record is associated with an event and each event belongs to an episode. An episode is a logically related set of events such as “abortion” or “wisdom tooth extraction”. The trust relation defines, for each episode, what each actor can do and see from the other actors' actions. To this aim, events are qualified as “shared” or “exclusive”, and read and write privileges depend on the qualification of the events. The semantics of the EBAC model has been defined in a relational framework and it has been implemented in the DBMS (Database Management System) of the SMIS project team in the context of the DMSP (Shared Medical Social Folder) project of the Yvelines district council [5], [14].

