Use this URL to cite or link to this record in EThOS: http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.559768
Title: Secure provenance-based auditing of personal data use
Author: Aldeco Perez, Rocio
Awarding Body: University of Southampton
Current Institution: University of Southampton
Date of Award: 2012
Availability of Full Text:
Access from EThOS:
Access from Institution:
Abstract:
In recent years, an increasing number of personalised services that require users to disclose personal information have appeared on the Web (e.g. social networks, governmental sites, on-line selling sites). By disclosing their personal information, users are given access to a wide range of new functionality and benefits. However, there exists a risk that their personal information is misused. To strike a balance between the advantages of personal information disclosure and protection of information, governments have created legal frameworks, such as the Data Protection Act, Health Insurance Portability & Accountability Act (HIPAA) or Safe Harbor, which place restrictions on how organisations can process personal information. By auditing the way in which organisations used personal data, it is possible to determine whether they process personal information in accordance with the appropriate frameworks. The traditional way of auditing collects evidence in a manual way. This evidence is later analysed to assess the degree of compliance to a predefined legal framework. These manual assessments are long, since large amounts of data need to be analysed, and they are unreliable, since there is no guarantee that all data is correctly analysed. As several cases of data leaks and exposures of private data have proven, traditional audits are also prone to intentional and unintentional errors derived from human intervention. Therefore, this thesis proposes a provenance-based approach to auditing the use of personal information by securely gathering and analysing electronic evidence related to the processing of personal information. This approach makes three contributions to the state of art. The first contribution is the Provenance-based Auditing Architecture that defies a set of communication protocols to make existing systems provenance-aware. These protocols specify which provenance information should be gathered to verify the compliance with the Data Protection Act. Moreover, we derive a set of Auditing Requirements by analysing a Data Protection Act case study and demonstrate that provenance can be used as electronic evidence of past processing. The second contribution is the Compliance Framework, which is a provenance-based auditing framework for automatically auditing the compliance with the Data Protection Act's principles. This framework consist of a provenance graph representation (Processing View), a novel graph-based rule representation expressing processing rules (Usage Rules Definition) and a novel set of algorithms that automatically verify whether information was processed according to the Auditing Requirements by comparing the Processing View against the Usage Rules Definition. The third contribution is the Secure Provenance-based Auditing Architecture that ensures any malicious alteration on provenance during the entire provenance life cycle of recording, storage, querying and analysis can be detected. This architecture, which relies on cryptographic techniques, guarantees the correctness of the audit results
Supervisor: Moreau, Luc Sponsor: Not available
Qualification Name: Thesis (Ph.D.) Qualification Level: Doctoral
EThOS ID: uk.bl.ethos.559768  DOI: Not available
Keywords: HV Social pathology. Social and public welfare ; K Law (General) ; QA75 Electronic computers. Computer science
Share: