Hippocratic Databases

Databases should include responsibility for privacy as a fundamental tenet. Efficiency is no longer a central focus.

Related Work:

Statistical Databases: These provide only aggregate information without revealing any sensitive private information. The two major methods are:

  1. Query Restriction: Keep query result-size small, control overlap among successive queries.

  2. Data Perturbation: Swapping values, adding noise, replacing from the same distribution. May perturb query results too, return a sample of the result.

Secure Databases: These mainly incorporate access control of the database. In multilevel secure databases, there is a level associated with each attribute, and one associated with each query too. A query can access only those attributes allowed by its level.

Founding Principles:

The following are the principles on which Hippocratic databases should be built. They are mainly inspired by the U.S. Privacy Act of 1974 and similar acts from other countries, and are called fair information practices. They apply to any information being collected about individuals:

  1. Purpose Specification: The purpose for which the information is being collected should be specified.

  2. Consent: The donor must have consented to the data collection.

  3. Limited Collection: Only as much data as necessary should be collected.

  4. Limited Use: Information should be used only for the purpose for which it is collected.

  5. Limited Disclosure: The information should not be disclosed to third parties without the donor's consent.

  6. Limited Retention: The information should be retained only for as long as required.

  7. Accuracy: The information maintained about the individual should be accurate and up-to-date.

  8. Safety: The collecting agency should ensure the safety of the data and protect against unauthorized access.

  9. Openness: The donor must be able to see his information and edit it.

  10. Compliance: The donor should be able to verify whether the privacy of the data is being respected.

Proposed Design and Implementation:

i) Privacy Metadata

Purpose is a fundamental concept on which this whole structure is built. Associated with each purpose (say P), we have the following:

Further, each attribute of each table is collected for a certain set of purposes. Hence we have privacy metadata of the form:

(Purpose, Table, Attribute, Recipients, Retention, Authorized Users)

ii) Data Collection

The W3C recommends P3P (Platform for Privacy Preferences) for companies to specify their privacy policy in a machine-readable, XML-like format. Users can specify their privacy preferences in APPEL, which has a similar format.

The function of P3P is basically to specify the privacy metadata shown above, i.e., it specifies what information is being collected for which purpose, how long it will be retained and so on. It does so by having some predefined values for these fields:

Purpose (12 possible values): For example, current (for the current transaction) and individual (for making personalized recommendations).
Recipient (6 possible values): For example, ourselves (the agency collecting the information) and same (other organizations following the same practices).
Retention (5 possible values): For example, stated purpose (for only the current transaction) and business-practice (retained but discarded according to a timetable).

Privacy preferences are specified in APPEL. They consist of a set of rules that are matched against the privacy policy, and can be viewed as an XQuery over the policy specified in XML. Each rule consists of a behavior (either block or request, i.e. allow) and a body. When the body matches a portion of the policy, the behavior is triggered.

Implementations: Microsoft IE6, AT&T Privacy Bird
Policy Creation Tools: P3Pedit, IBM Tivoli Privacy Wizard
Checking or policy matching: Presently done using a proxy.
 
Agrawal et al. propose the use of server-centric technology for matching preferences against policies. They argue that this lets us use much of the power of relational databases. To use a relational database, the policy is first flattened out into relations. The privacy preference is then converted into a SQL query over this database. This implementation works faster than a client-side implementation and is more extensible. A server-centric implementation is also good for mobile clients.
 
If the preference matches against the policy, data is collected. Each tuple is then tagged with the set of purposes for which it is collected. Audit trails of each successful match are stored for any legal challenges to compliance.
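The server-side matching described above, as an added sketch that is not code from the paper or from these notes: the policy is flattened into one relation and each preference rule becomes a SQL query over it. The single-table schema, the rule representation (a dictionary of field constraints standing in for an APPEL rule body), the in-order rule evaluation and the fail-closed default are assumptions of this example; the field values are the P3P examples listed above.

```python
import sqlite3

COLUMNS = ("attribute", "purpose", "recipient", "retention")

# Constructed policy, flattened to one row per statement about an attribute.
POLICY = [
    ("name", "current", "ourselves", "stated purpose"),
    ("address", "current", "ourselves", "stated purpose"),
    ("email", "current", "ourselves", "business-practice"),
    ("email", "individual", "same", "business-practice"),
]
# Constructed preference: (behavior, body) rules tried in order. A body maps
# policy fields to the value that makes the rule fire; {} matches anything.
PREFERENCE = [
    ("block", {"purpose": "individual", "recipient": "same"}),
    ("request", {}),
]

def load_policy(rows):
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE policy({', '.join(COLUMNS)})")
    db.executemany("INSERT INTO policy VALUES (?,?,?,?)", rows)
    return db

def rule_to_sql(body):
    """Turn one rule body into a parameterised query over the policy table."""
    unknown = sorted(set(body) - set(COLUMNS))
    if unknown:  # field names end up in the SQL text, so allow-list them
        raise ValueError(f"unknown policy field(s): {unknown}")
    where = " AND ".join(f"{field} = ?" for field in body) or "1 = 1"
    sql = f"SELECT DISTINCT attribute FROM policy WHERE {where}"
    return sql, list(body.values())

def match(db, preference):
    """Return (behavior, attributes that triggered it) for the first rule that fires."""
    for behavior, body in preference:
        sql, params = rule_to_sql(body)
        hits = sorted(row[0] for row in db.execute(sql, params))
        if hits:
            return behavior, hits
    return "block", []  # no rule fired: refuse collection (assumption)
```

With the constructed policy, the first rule fires on the email row shared for the individual purpose, so collection is blocked; removing that row lets the catch-all request rule accept the policy.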

iii) Querying:

Queries are tagged with a purpose. These queries can access only certain columns of the tables depending on the privacy metadata. Further, only those tuples in the data that are tagged with that purpose are visible to the query.
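An added sketch of this enforcement (not code from the paper or from these notes): a query carries a user and a purpose, the privacy metadata decides which columns it may name, and a per-tuple purpose tag decides which rows it sees. The table layout, the `orders_purpose` tag table, and all users, purposes and rows are constructed for the example.

```python
import sqlite3

# Constructed privacy metadata, one row per (purpose, table, attribute,
# authorized user). Schema and names are hypothetical, not the paper's.
METADATA = [
    ("shipping", "orders", "name", "sales"),
    ("shipping", "orders", "address", "sales"),
    ("recommendations", "orders", "name", "marketing"),
    ("recommendations", "orders", "item", "marketing"),
]
# Constructed data. ORDER_PURPOSES tags each tuple with the purposes the
# donor agreed to at collection time.
ORDERS = [(1, "Alice", "1 Elm St", "book"), (2, "Bob", "2 Oak Ave", "lamp")]
ORDER_PURPOSES = [(1, "shipping"), (1, "recommendations"), (2, "shipping")]

def setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE meta(purpose, tbl, attribute, usr)")
    db.executemany("INSERT INTO meta VALUES (?,?,?,?)", METADATA)
    db.execute("CREATE TABLE orders(id, name, address, item)")
    db.executemany("INSERT INTO orders VALUES (?,?,?,?)", ORDERS)
    db.execute("CREATE TABLE orders_purpose(id, purpose)")
    db.executemany("INSERT INTO orders_purpose VALUES (?,?)", ORDER_PURPOSES)
    return db

def run_query(db, user, purpose, table, columns):
    """SELECT columns FROM table on behalf of user, for one stated purpose."""
    # Column check: only attributes the metadata lists for this
    # (purpose, table, user) combination may be named.
    allowed = {row[0] for row in db.execute(
        "SELECT attribute FROM meta WHERE purpose=? AND tbl=? AND usr=?",
        (purpose, table, user))}
    denied = [c for c in columns if c not in allowed]
    if not columns or denied:
        raise PermissionError(f"{user} may not read {denied or table} for {purpose}")
    # Every identifier below matched a metadata entry (assumed to be
    # administrator-controlled); the purpose value stays a bound parameter.
    # Row check: only tuples tagged with this purpose are visible.
    sql = (f'SELECT {", ".join(columns)} FROM {table} '
           f"WHERE id IN (SELECT id FROM {table}_purpose WHERE purpose = ?)")
    return db.execute(sql, (purpose,)).fetchall()
```

Bob's order is tagged only for shipping, so a marketing query for the recommendations purpose returns Alice's row alone, and any request for the address column under that purpose is refused before SQL is built.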

There should be a separate intrusion detection module to detect anomalous queries posed even by authorized users. For example, although the sales department is allowed to see the shipping address on an order-by-order basis, if a person in the sales department tries to steal all the addresses, such a query should be declared anomalous.

iv) Retention:

A data item should be retained for the maximum retention period among all the purposes for which it has been collected. After this period, it should be deleted from all logs, checkpoints, etc.

v) Data Collection Organizer:

This module is responsible for checking whether a particular attribute is unused, or whether a particular authorized user has more privileges than required.

Challenges:

There are various challenges to developing such a system.

i) A better language:

A good language is needed for specifying privacy policies. We need a language more general than P3P. For example, how about a user who is willing to give away some information provided he is given a certain compensation?

ii) Efficiency:

There are traditional efficiency concerns in using this design. For example, if a customer gives information for the same purpose every time, the purpose tag can be kept in the customer table rather than with every possible transaction.

iii) Limited Collection:

To ensure this, we can perform:

  1. Access Analysis - see which attributes are not being used. The problem is that the use of an attribute can be conditional. For example, assets are required for a mortgage application only if the salary is low.

  2. Granularity Analysis - see that no more information than required is being collected. For example, if queries are only of the form numChildren>0 and numChildren==0, the exact number of children is higher-granularity data than required.

A query may be rewritten in terms of minimal queries to actually reveal things as in (1) and (2).

iv) Limited Retention:

Data should be removed permanently after expiry, i.e. from all logs, checkpoints, etc.

v) Safety:

For safety, data on disk must be secured by encryption. However, this opens the very difficult problem of query-processing over encrypted data.

vi) Compliance: There are two ways:

Conclusion:

A strawman design for the Hippocratic Databases paradigm and the major challenges therein are given above.

References:

Hippocratic Databases. R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu. VLDB 2002.
Implementing P3P Using Database Technology. R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu. ICDE 2003.
usriv@stanford.edu