Data Traceability for Privacy Alignment

Kevin Liao, Shreya Thipireddy, Daniel Weitzner

TL;DR

The paper addresses the gap between privacy law and technology in cross-domain data sharing by introducing data traceability and a legal-technical alignment framework. It extends conventional threat models to include covert-accountability and presents OTrace, a data-traceability protocol that gives consumers visibility into who uses their data and for what purposes, across multiple parties. The core contributions are a formal alignment framework, the OTrace protocol with completeness guarantees under distinct threat models, and a regulatory design that enables scalable enforcement and consumer empowerment. Together, these elements aim to strengthen regulatory oversight, reduce information asymmetry, and restore trust in modern data ecosystems where sensitive personal data flows across numerous intermediaries.

Abstract

This paper offers a new privacy approach for the growing ecosystem of services -- ranging from open banking to healthcare -- that depend on sharing sensitive personal data between individuals and third parties. While these services offer significant benefits, individuals want control over their data, transparency regarding how their data is used, and accountability from third parties for misuse. However, existing legal and technical mechanisms are inadequate for supporting these needs. A comprehensive approach to the modern privacy challenges of accountable third-party data sharing requires a closer alignment of technical system architecture and legal institutional design. In order to achieve this privacy alignment, we extend traditional security threat modeling and analysis to encompass a broader range of privacy notions than has typically been considered. In particular, we introduce the concept of covert-accountability, which addresses the risk from adversaries that may act dishonestly but nevertheless face potential identification and legal consequences. As a concrete instance of this design approach, we present the OTrace protocol, designed to provide traceable, accountable consumer control in third-party data sharing ecosystems. OTrace gives consumers knowledge of who has their data, what it is being used for, what consent or other legal terms apply, and whom it is being shared with. By applying our alignment framework, we demonstrate that OTrace's technical affordances can provide more confident, scalable regulatory oversight when combined with complementary legal mechanisms.

Paper Structure

This paper contains 41 sections, 1 figure, and 1 table.

Figures (1)

  • Figure 1: High-level overview of the OTrace traceability protocol.