TC: Medium: Privacy and Declassification Policy Enforcement Framework

TC：媒介：隐私和解密政策执行框架

• 批准号: 0964710
• 负责人: Jianwei Niu
• 金额: $ 116.27万
• 依托单位: University of Texas at San Antonio
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-07-01 至 2016-06-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0964710&HistoricalAwards=false
• 关键词: TC; Medium; Privacy; Declassification; Policy

Information systems that handle personal information must adhere tolegal regulations, corporate privacy policies, and contractualagreements designed to protect personal privacy. Relying exclusivelyon application designers and developers for such assurances isunrealistic. There is a need for methods and tools that can identifyerrors in the handing of personal data and provide formal assurancesthat personal information is handled appropriately.This project is developing a software development framework that usesnovel language-based techniques to ensure that software enforcesprivacy policies. Privacy policies (based on legal and regulatoryrequirements) are formally specified in temporal logic, and identifycircumstances under which information can be shared (based on criteriasuch as the roles of individuals involved, prior events, and whetherthe data has been aggregated) and future obligations that are incurredas a result of the information sharing. The framework consists ofpolicy analysis tools, a programming language, program analysis toolsthat verify both privacy and declassification policies are enforced,and a runtime environment. Used in concert, these components producedistributed information systems that verifiably handle personalinformation appropriately.The framework being developed by this project will address problemsfaced by many information systems. However, the project will focusespecially on the needs of the medical industry, both with respect topatient records and clinical trials. As medical practice transitionsto electronic medical records, the need for high-assurance systemsbecomes increasingly acute. This project will develop thecapabilities needed to verify that electronic medical recordssystems comply with applicable privacy policies.

处理个人信息的信息系统必须遵守旨在保护个人隐私的法律法规、公司隐私政策和合同协议。 完全依赖应用程序设计者和开发者来提供此类保证是不现实的。 需要能够识别个人数据处理中的错误并提供个人信息得到适当处理的正式保证的方法和工具。该项目正在开发一个软件开发框架，该框架使用基于语言的新颖技术来确保软件执行隐私策略。 隐私政策（基于法律和监管要求）以时间逻辑形式正式规定，并确定可以共享信息的情况（基于相关个人的角色、先前事件以及数据是否已聚合等标准）以及因信息共享而产生的未来义务。 该框架由策略分析工具、编程语言、验证隐私和解密策略是否执行的程序分析工具以及运行时环境组成。 协同使用，这些组件产生了分布式信息系统，能够以可验证的方式适当地处理个人信息。该项目正在开发的框架将解决许多信息系统面临的问题。 然而，该项目将特别关注医疗行业在患者记录和临床试验方面的需求。 随着医疗实践转向电子病历，对高保证系统的需求变得越来越迫切。 该项目将开发验证电子病历系统是否符合适用的隐私政策所需的功能。