Section: New Results

Data confidentiality and privacy

Participants : Nicolas Anciaux, Luc Bouganim, Harold van Heerde, Philippe Pucheral.

SMIS has been initially involved in the definition of fine-grain access control models trying to capture the complexity of the information to be protected [9] . Now, the team focuses on the protection of personal data (also called micro-data) where concepts like user's consent, purpose declaration and limited retention play a central role. Conversely to (and complementary with) our initial approach, the challenge we are addressing now is to define models as simple as possible to help a user calibrating a predefined access control policy to her specific situation and sensitivity. We started to study how user consent could be more easily expressed in the context of Electronic Health Record (EHR) systems [32] [31] . Indeed, access control policies usually defined to regulate accesses to EHR systems are far too complex to expect collecting an enlightened consent of the patients on them, as required by the law. This is mainly due (1) to a huge number of rules (huge number of practitioners with a diversity of roles and privileges) and (2) to the intrinsic complexity of the data to be protected (which data reveals which pathology?). To tackle this issue, we are designing an Event-Based Access Control model (EBAC) helping the patient to mask sensitive records in her folder. The EBAC masking rules take priority over the default access control rules and are defined on metadata easy to manage by the user. Any document added to a folder is described by an event, events are grouped by episodes (i.e., a set of events sharing a common masking policy, like "MyAbortion", "MySecondDepression") and the participation of a practitioner to an episode is regulated by a relation of confidence. The intuition of this model has been published in [11] [23] but this work is still at a preliminary stage.

In the same (usage control) line, we are tackling the limited data retention problem. Our daily life activity leaves digital trails in an increasing number of databases (commercial web sites, internet service providers, search engines, location tracking systems, etc). Personal digital trails are commonly exposed to accidental disclosures and ill-intentioned scrutinization resulting from negligence, piracy and abusive usages. No one is sheltered because common events, like applying for a job, can suddenly make our history a precious asset. By definition, access control fails preventing trail disclosures, and anonymity techniques are often not usable in this context, motivating the integration of the Limited Data Retention principle in legislations protecting data privacy. By this principle, data is withdrawn from a database after a predefined time period. However, this principle is difficult to apply in practice, leading to retain useless sensitive information for years. To address this issue, we propose the Data Degradation Model where sensitive data undergoes a progressive and irreversible degradation from an accurate state, to degraded but still informative states, up to complete disappearance when the data becomes useless, along with suitable query and transaction semantics [36] , [35] . The benefit of this model is twofold: (i) the amount of accurate data, and thus the privacy offence resulting from a trail disclosure, is drastically reduced; (ii) the model is flexible enough to remain in line with the applications purposes, and thus favors data utility. We have recently formalized those benefits, and shown (under reasonable assumptions) to which extent data degradation overcomes basic implementations of the limited data retention principle [19] . In addition, the data degradation model strongly impacts core database techniques, opening interesting research issues. We made a preliminary study into that direction, by proposing database storage and indexing structures, logging and locking mechanisms adapted to data degradation [34] , to show the practical feasibility of the model.