
When a data user asks for information, a formal policy provides the concept of laws represented for a TLD with its possible enforcement constraints through a data usage context. Whenever a data usage context is suited to a multiple TLDs’ intersection area, formal policies from these TLDs are unified to enforce data usage (see TLD d in Figure 2). In the procedure of unifying multiple formal policies, we map and merge local ontologies from policies and construct a global ontology of these unified formal policies [7]. For demonstration, two types of formal policies, privacy protection and national security, are unified to enforce a national security policy in the social network cloud (see Section 4.4).

Yuh-Jong Hu, Win-Nan Wu, and Jiun-Jan Yang

4.1 Formal Policy Integration

People are becoming aware of more flexible and easier ways to provide information sharing services in the cloud. For example, it is much easier to support counter-terrorism by collecting a suspect’s profile in the social network cloud. A challenge exists in how to achieve privacy-preserving data integration and sharing services [19]. We attempt to apply the semantics-enabled formal policies integrated from various autonomous data sources in the cloud to information sharing once the laws are available. Information integration collects the data from autonomous and heterogeneous sources, and provides users with a unified view of these data through a so-called global schema. The global schema, which is a reconciled view of the information, provides a single point of query services for end users. But the design of a data integration system involves several different issues, so it is very complex [20]. In this paper, we use a data integration service for information sharing in order to achieve privacy-preserving data usage in the social network cloud.

4.2 Privacy Protection Policies

A privacy protection policy is a type of formal policy used for specifying a data usage constraint created by a data owner. After a policy is accepted, it represents a long-term promise made by an enterprise to its users. Therefore, it is undesirable to change an enterprise’s promises to customers every time an internal access control rule changes. If possible, we should enable the P3P and EPAL policies to be accountable and transparent on information processing, so that a data owner can revise the data usage permissions in the future [3]. A data owner’s PII is usually collected by a data controller, analyzed by a data processor, and accessed by a data user. All of these operations are protected under the privacy protection law’s umbrella in a TLD b (see Figure 4). When a data request, including collection, analysis, and use, is made, we first consider the data usage context of this request. This allows us to decide how much PII, and at what level, can be disclosed in order to comply with the privacy laws.

4.3 National Security Policies

When a national security officer intends to access a group of suspects’ PII, a data usage context is also created for this request. The data usage context of this information request includes a national security officer as a data user role, an investigation for homeland security as a purpose, the location of this data user, and the data itself. The policy ontology in Figure 1 details this concept description. Formal policies, based on the national security laws, are fetched to circumscribe the virtual boundary of a data usage in a TLD. Once the laws are revised, the data usage context will be changed and the virtual boundary of a data usage will be updated. Thus the formal policy framework in Figure 2 provides a flexible policy re-mapping while applying the new laws to redraw a TLD virtual boundary.

Semantics-enabled Policies for Information Sharing and Protection

A PII is originally protected by the data protection law in the TLD b. When a data usage context is created to enforce the national security policy, a data usage is moved and circumscribed in the TLD d, and eventually migrated into the TLD c (see Figure 4). For a PII, if it sits in the TLD b but cannot move into the TLD d or TLD c with any data usage context, this implies that this PII cannot be disclosed through the national security policy enforcement.

4.4 Unifying Privacy Protection and National Security Policies

Some believe that the objectives of greater national security and greater personal privacy can be reconciled through compromise, but others disagree. For example, the authors of [9] believe that the ultimate solution for balancing national security and privacy protection lies in utilizing information technologies both for counter-terrorism and to safeguard civil liberties.

Pattern-based data queries face the challenge of violating privacy rights through false positives when identifying terrorist suspects. Therefore, pattern-based queries must be issued iteratively in a privacy-sensitive manner. In this paper, the privacy violation issue is avoided by using the right data usage context in a TLD. When we retrieve PII, the semantics-enabled policies perform reasoning. This provides additional evidence for updating the data usage context to allow enforcing national security policies iteratively; however, the information disclosure still respects the data protection policies.

When a data usage context is moved into the intersection of TLDs, i.e. TLD d, it implies that the privacy protection and national security policies are unified. Then a data usage request is regulated by these two types of policies. The ontologies of these policies will be mapped and merged. Rules will be further integrated to enforce the data usage within the conjunction, TLD d, of the multiple legal domains (see Figure 4). However, when applying pattern-based data usage in the conjunction area, we still have to follow the PII anonymous disclosure principles if supporting evidence is not strong enough to allow a full information disclosure. Handling anonymous information requires multiple stages of human-driven analysis with reasoning over the unified policies. Therefore, national security analysts cannot act alone on the results of such queries until a third-party legal authority has established sufficient probable cause. Data analysts would refine queries in stages, seeking to gain more confirmation while involving privacy-protection techniques in the process [9].

Eventually, the data usage context will move to the TLD c, where it is beyond the TLD b’s data protection boundary. Under that circumstance, the data usage context is only regulated and enforced by the national security laws. At this stage, data protection laws are out of context because national security officers have enough plausible evidence to prove that the suspects have committed a crime against the national security laws. Unifying privacy-protection policies with national security policies not only ensures privacy, but also encourages sharing data without fear of a privacy rights violation.

Sometimes, PII are collected and stored by a social network in multiple data centers dispersed across different judicial TLDs. Each TLD is an independent legal domain and is regulated by its own data protection and national security laws.

Fig. 4. A data usage context serves various information disclosures for TLDs.

Unless (international) mutual agreements are established, a TLD’s legal regulations do not allow its PII to be shared with and transported to other TLDs. So the formal policies are only enforced locally, without being unified with each other. In this situation, data usage and storage are restricted to a single legal domain, so the economic incentives of using a cloud’s resources are hard to obtain.

4.5 Formal Policy Enforcement

Based on the policy ontology presented in Section 3.1, we reuse the vocabularies of this ontology to describe the concepts of domain-policy and data-policy for the policy enforcement rules in the TLD d. We demonstrate how to use the information sharing and privacy protection policies to serve the purposes of enforcing national security and privacy protection for a data request in the TLD d.

According to the policy ontology (see Figure 1), when a data request ?x with its data usage context ?c satisfies a DomainPolicy(?d)’s data usage context ?dc, a user is allowed to enter the TLD ?tld for enforcing the investigation of national security (see rule (1)):

– A partial ontology for a domain policy:

hasTLD.DomainPolicy(d), hasTLD.TLD(d).
hasCondition.DomainPolicy(d), hasCondition.Condition(d).
hasPartOf.Condition(d), hasPartOf.Purpose(investigation), hasPartOf.DataUser(securityPersonnel), hasPartOf.Location(TW), hasPartOf.Evidence(things).
hasPartOf.Consent(nill).

– A rule for a domain policy enforcement:

Request(?x) ∧ hasCondition(?x, ?c) ∧ Condition(?c) ∧ hasCondition(?d, ?dc) ∧ Condition(?dc) ∧ DomainPolicy(?d) ∧ hasTLD(?d, ?tld) −→ getInTo(?x, ?tld)   (1)

An ontology and a rule for a data policy ?d in the TLD ?tld allow a request ?r to use PII ?pii of the social network information ?sInfo (see rule (2)) as follows:

– A partial ontology for a data policy:

isBelongedTo.DataPolicy(d), isBelongedTo.TLD(d).
describes.DataPolicy(d), describes.PII(d).
hasDisclosedFor.PII(d), hasDisclosedFor.socialNetInfo(d).
socialNetInfo(d) ≡ Email(d) ⊔ OnlineLocation(d) ⊔ phoneNo(d).

– A rule for a data policy enforcement:

Request(?r) ∧ satisfy(?r, ?x) ∧ DataPolicy(?d) ∧ describes(?d, ?pii) ∧ hasDisclosedFor(?pii, ?sInfo) ∧ Evidence(things) −→ canUse(?r, ?pii) ∧ socialNetInfo(?sInfo)   (2)
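As an added example (not code from the paper), the following Python sketch evaluates rule (1) and rule (2) above over constructed facts for TLD d, and applies the anonymous-disclosure principle of Section 4.4 by withholding every PII attribute outside socialNetInfo when a request does not carry Evidence(things). The class names, the reading of "satisfy" as attribute-wise matching of the two data usage contexts, and the sample PII record are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set
@dataclass(frozen=True)
class Context:
    """A data usage context (the Condition concept of the policy ontology)."""
    purpose: str
    data_user: str
    location: str
    evidence: Optional[str] = None   # Evidence(things); None when no evidence is supplied
    consent: Optional[str] = None    # Consent(nill): consent is not required here

@dataclass(frozen=True)
class DomainPolicy:
    tld: str
    condition: Context               # the context ?dc that a request context ?c must satisfy

@dataclass(frozen=True)
class DataPolicy:
    tld: str
    social_net_info: FrozenSet[str]  # socialNetInfo = Email ⊔ OnlineLocation ⊔ phoneNo

def satisfies(c: Context, dc: Context) -> bool:
    """Assumed reading of 'satisfy': every attribute the policy fixes must match exactly."""
    return all(getattr(c, a) == getattr(dc, a)
               for a in ("purpose", "data_user", "location", "evidence")
               if getattr(dc, a) is not None)

def get_into(c: Context, domain_policies: Iterable[DomainPolicy]) -> Set[str]:
    """Rule (1): getInTo(?x, ?tld) for every TLD whose domain policy condition ?c satisfies."""
    return {p.tld for p in domain_policies if satisfies(c, p.condition)}

def can_use(c: Context, tld: str, data_policies: Iterable[DataPolicy],
            pii: Dict[str, str]) -> Dict[str, str]:
    """Rule (2): only with Evidence(things), and only the attributes described as socialNetInfo."""
    if c.evidence != "things":
        return {}                    # evidence too weak: PII stays undisclosed (anonymous principle)
    allowed = set().union(*(p.social_net_info for p in data_policies if p.tld == tld))
    return {k: v for k, v in pii.items() if k in allowed}

# Constructed policies for TLD d, the intersection of the privacy and national security domains
DOMAIN_D = DomainPolicy("d", Context("investigation", "securityPersonnel", "TW", "things"))
DATA_D = DataPolicy("d", frozenset({"Email", "OnlineLocation", "phoneNo"}))
SUSPECT_PII = {"Name": "A. Example", "Email": "a@example.test", "OnlineLocation": "cafe-42",
               "phoneNo": "0900-000-000", "HomeAddress": "(not in socialNetInfo)"}  # constructed

def evaluate(c: Context) -> Dict[str, str]:
    """Chain rule (1) into rule (2) for one request context and return the disclosable PII."""
    if "d" not in get_into(c, [DOMAIN_D]):
        return {}                    # request never enters TLD d: nothing is disclosed
    return can_use(c, "d", [DATA_D], SUSPECT_PII)
```

A request from security personnel in TW investigating with evidence receives only the Email, OnlineLocation and phoneNo attributes; the same request without evidence, or with a different purpose, never enters TLD d and receives nothing.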
