A dynamic logic for privacy compliance

Abstract

Knowledge based privacy policies are more declarative than traditional action based ones, because they specify only what is permitted or forbidden to know, and leave the derivation of the permitted actions to a security monitor. This inference problem is already non trivial with a static privacy policy, and becomes challenging when privacy policies can change over time. We therefore introduce a dynamic modal logic that permits not only to reason about permitted and forbidden knowledge to derive the permitted actions, but also to represent explicitly the declarative privacy policies together with their dynamics. The logic can be used to check both regulatory and behavioral compliance, respectively by checking that the permissions and obligations set up by the security monitor of an organization are not in conflict with the privacy policies, and by checking that these obligations are indeed enforced.

Appendices

Appendix 1: An extension of Castañeda’s deontic logic

In this Appendix, we give an extension of our epistemic deontic logic embedding Castañeda’s deontic logic (Castañeda 1981). Starting from a linguistic analysis, the insight of Castañeda is to acknowledge the grammatical duality of expressions depending on whether they are within or without the scope of an obligation operator. This leads him formally to introduce two sets of formulas: circumstances which cannot alone be the foci of deontic operators, unlike what he calls practitions. The former are usually expressed grammatically in the indicative form and the latter are usually expressed grammatically in the infinitive/subjunctive form. For example, “Freud cures Anna O” in the indicative form is a circumstance, but the same sentence in “it is obligatory that Freud cures Anna O” in subjunctive/infinitive form is a practition. Just as practitions are the foci of deontic operators, circumstances are dually the foci of knowledge operators, as pointed out by Castañeda (1988). In that respect, note that an expression ϕ in the scope of a knowledge operator K _r ϕ is always in the indicative form and never in the subjunctive/infinitive form, even if K _r ϕ is in the scope of a deontic operator O.

We extend Castañeda (1988)’s intuition to the context of epistemic permissions and obligations. In a deontic setting the reading of the term knowledge or belief can be twofold: either as a circumstance or as a practition. On the one hand, in the sentence “it is obligatory that John knows / for John to know that there is an infinity of prime numbers”, the verb ‘to know’ is the focus of a deontic operator and is in the subjunctive/infinitive form. On the other hand, the sentence “John knows that there is an infinity of prime numbers” alone describes a circumstance and the interpretation of the verb ‘to know’ in the indicative form matches the one usually studied in epistemic logic. The former use of the term knowledge within the scope of a deontic operator is not studied in epistemic logic. For these reasons we enrich the language of Castañeda with two knowledge modalities, one for circumstances K _r and the other one for epistemic practitions K _r ′. This allows us to express new kinds of statements which cannot be expressed directly with our language \({{\fancyscript{L}}_{DEDL}, }\) such as

$$ O_s(K_r\phi\rightarrow K_r'\psi) $$

(10)

Formula 10 reads as ‘it is obligatory for the Sender that, if the Recipient knows ϕ then he also knows ψ’. In our language \({{\fancyscript{L}}_{DEDL}, }\) this statement would be expressed by the intuitively equivalent but formally different expression:

$$ K_r\phi\rightarrow O_sK_r'\psi $$

(11)

Formula 11 reads as ‘if the Recipient knows ϕ then it is obligatory for the Sender that the Recipient also knows ψ’. Both of these formulations 10 and 11 are intuitively equivalent, but they are both intuitively different from the following expression:

$$ O_s(K_r'\phi\rightarrow K_r'\psi) $$

(12)

Formula 12 reads as ‘if it is obligatory for the Sender that the Recipient knows ϕ then it is also obligatory for the Sender that the Recipient knows ψ’. Note that this last formulation 12 is itself also quite similar to the reading of the formula \(O_sK_r'\phi\rightarrow O_sK_r'\psi. \) Formula 10 is not a well-formed formula of our language \({{\fancyscript{L}}_{DEDL}, }\) but it is a well-formed formula of the following language \({{\fancyscript{L}}_{DL}.}\)

Definition 13

Let \(\Upphi^{\alpha}\) be a set of propositional letters. The language \({{\fancyscript{L}}_{DL}={\fancyscript{L}}^{\phi'}_{EDL}\cup{\fancyscript{L}}^{\alpha'}_{EDL},}\) whose formulas are denoted ϕ^* in general, is defined inductively as follows.

$$ \begin{aligned} {\fancyscript{L}}^{\phi'}_{EDL}:\phi&::=p\mid \neg\phi\mid\phi\land\phi\mid K_r\phi\mid O_s\alpha\\ {\fancyscript{L}}^{\alpha'}_{EDL}:\alpha&::=\beta\mid K_r\phi\mid\neg\alpha\mid\alpha\land\alpha\mid\alpha\land\phi\mid\phi\land\alpha \end{aligned} $$

where p ranges over \(\Upphi^{\phi}\) and β over \(\Upphi^{\alpha}.\)The only difference with the language \({{\fancyscript{L}}_{DL}}\) is that we now have pure practitions \(\Upphi^{\alpha}\) and that practitions can now be of the form \(\phi\land\alpha\) or \(\phi\rightarrow\alpha\) where ϕ is a circumstance. Pure practitions \(\Upphi^{\alpha}\) are expressions in the scope of a deontic operator that cannot be expressed with a knowledge operator, such as ‘to cure Anna O’ in ‘it is obligatory to cure Anna O’. Therefore, just as epistemic practitions, they are in the subjunctive/infinitive form. Moreover, with this definition of practitions we can also express formulas of the form \(O_s(\phi\rightarrow\alpha)\) and in particular Formula 10 above. Obviously, we would like to have the following validity:

$$ \models O_s(\phi\rightarrow\alpha)\leftrightarrow(\phi\rightarrow O_s\alpha) $$

which is a generalization to the epistemic case of Castañeda’s key validity. For example, “it is obligatory that if Freud knows that Anna O is sick, then he cures her” (\(O_s(K_r\phi\rightarrow \alpha)\)) has the same meaning as “if Freud knows that Anna O is sick, then it is obligatory that he cures her” (\(K_r\phi\rightarrow O_s\alpha\)). This would also make Formulas 10 and 11 formally equivalent. To obtain this validity, we need to add an extra condition (*) in our definition of EDL-model and so define EDL-model’.

Definition 14

An EDL-model’ M is a tuple M = (W, D, R, R′, V), where W is a non-empty set of possible worlds, \(R:W\rightarrow 2^W, R':W\rightarrow 2^W\) and \(D:W\rightarrow 2^W\) are accessibility relations on W, D being serial. \(V:\Upphi^{\phi}\cup\Upphi^{\alpha}\rightarrow 2^W\) is a valuation such that:⁷

$$ \hbox{for all} \,w\in W, \hbox{ all } v,v'\in D(w)\cup\{w\}, (M,v) \hbox{ is } R D-\hbox{bisimilar to} (M,v'). $$

(*)

The truth conditions are defined as in Definition 14.

The semantic condition (∗) intuitively means that the (epistemic) context where a normative system applies is fixed. One can easily show that any Castañeda model (Castañeda 1981) can be embedded into an EDL-model’, in the sense that the Castañeda model and the corresponding EDL-model’ satisfy the same formulas of \({{\fancyscript{L}}_{EDL}'}\) without epistemic operators K _r or K _r ′. One can also show that the semantics of \({{\fancyscript{L}}_{EDL}'}\) is sound and complete with respect to the logic \(\mathsf{L}_{EDL}\) to which we add the axiom scheme \(\vdash O_s(\phi\rightarrow\alpha)\leftrightarrow(\phi\rightarrow O_s\alpha). \)

Theorem 7

The semantics of \({{\fancyscript{L}}_{EDL}'}\) is sound and complete with respect to the logic \(\mathsf{L}_{\mathsf{EDL}}'\) axiomatized as follows. The symbol K below stands either for K _r or K _r ′.

$$ \begin{array}{lll} {\mathsf{A}}_1 & All\, propositional\, tautologies\, based\, on\,\Upphi^{\phi}\\ {\mathsf{A}}_2 & \vdash O_s(\phi\rightarrow\alpha)\leftrightarrow(\phi\rightarrow O_s\alpha)\\ {\mathsf{A}}_3 & \vdash O_s\alpha\rightarrow P_s\alpha\\ {\mathsf{A}}_4 & \vdash O_s(\alpha\rightarrow\alpha')\rightarrow(O_s\alpha\rightarrow O_s\alpha')\\ {\mathsf{A}}_5 & \vdash K(\phi^*\rightarrow\psi^*)\rightarrow(K\phi^*\rightarrow K\psi^*)\\ {\mathsf{R}}_1 & If \vdash\alpha\, then \vdash O_s\alpha \\ {\mathsf{R}}_2 & If \vdash\phi^* then \vdash K\phi^*\\ {\mathsf{R}}_3 & If \vdash\phi^*\rightarrow\psi^* and \vdash\phi^* then \vdash\psi^*\\ \end{array} $$

Proof

Soundness is routine. We prove completeness by building the canonical model of our logic. Let W be the set of all maximal \(\mathsf{L}_{\mathsf{EDL}}'\)-consistent subsets of \({{\fancyscript{L}}_{DL}. }\) For all \(\Upgamma,\Upgamma'\in W, \) we set \(\Upgamma'\in R(\Upgamma)\) iff for all \(K_r\phi\in\Upgamma, \phi\in\Upgamma'. \) We define O _s and R′ similarly. Besides, for all \(\Upgamma\in W, \Upgamma\in V(p)\) iff \(p\in\Upgamma, \) and \(\Upgamma\in V(\beta)\) iff \(\beta\in\Upgamma. \) We have therefore defined the canonical model M = (W, D, R, R′, V). We now show by induction on ϕ the ‘truth lemma’: for all \(\Upgamma\in W\) and \({\phi\in{\fancyscript{L}}_{DL}, M,\Upgamma\models\phi}\) iff \(\phi\in \Upgamma (1). \) If \(\Upgamma=p\) then (1) holds. The other boolean cases work by induction hypothesis. Assume ϕ = K _r ϕ′. If \(K_r\phi'\in\Upgamma\) then for all \(\Upgamma'\in R(\Upgamma), \phi'\in\Upgamma'\) by definition of R. So \(M,\Upgamma'\models\phi'\) for all \(\Upgamma'\in R(\Upgamma)\) by induction hypothesis, i.e., \(M,\Upgamma\models K_r\phi'. \) If \(M,\Upgamma\models K_r\phi'\) then assume that \({S\subseteq\{\phi\in{\fancyscript{L}}_{DL}\mid K_r\phi\in \Upgamma\}\cup\{\neg\phi'\}}\) is consistent. It follows that there is \(\Upgamma^0\in W\) such that \(S\subseteq\Upgamma^0. \) So there is \(\Upgamma^0\in R(\Upgamma)\) such that \(\neg\phi'\in \Upgamma^0. \) Therefore \(M,\Upgamma\models\neg K_r\phi'\) which is absurd. So S is inconsistent and so there must be \(\phi^1,\ldots,\phi^n\in S\) such that \(\vdash(\phi^1\land\cdots\land\phi^n)\rightarrow\phi'. \) By \(\mathsf{R}_2\) and \(\mathsf{A}_5\) we get \(\vdash(K_r\phi^1\land\cdots\land K_r\phi^n)\rightarrow K_r\phi'\) and because \(K_r\phi^i\in\Upgamma, \) we finally have \(K_r\phi'\in \Upgamma. \) The proof is similar for the operators O _s and K _r ′. One can also show that D is serial.

Now we have to show that condition (∗∗) holds in our canonical model M. We first show that for all \(\Upgamma\in W, \) all \(\Upgamma',\Upgamma''\in D(\Upgamma)\cup\{\Upgamma\}, \Upgamma'\leftrightsquigarrow\Upgamma'' \), i.e., for all \({\phi\in{\fancyscript{L}}^{\phi'}_{EDL}, \phi\in\Upgamma'}\) iff \(\phi\in\Upgamma''. \) Let \({\phi\in{\fancyscript{L}}^{\phi'}_{EDL}}\) and assume \(\phi\in\Upgamma'. \) If \(\phi\notin\Upgamma\) then \(\neg\phi\in\Upgamma, \) and \(O_s\alpha\in\Upgamma\) for some \({\alpha\in{\fancyscript{L}}^\alpha_{EDL}. }\) So \(M,\Upgamma\models\neg\phi\land O_s\alpha, \) therefore \(M,\Upgamma\models O_s(\neg\phi\land\alpha). \) Then \(M,\Upgamma'\models\neg\phi\land\alpha, \) and so \(\neg\phi\in\Upgamma'. \) This is impossible, so \(\phi\in\Upgamma. \) By the same reasoning we get that \(\phi\in\Upgamma''. \) Likewise vice versa. We now show that \(\leftrightsquigarrow\) is a R D-bisimulation relation. Assume \(\Upgamma\leftrightsquigarrow\Upgamma'. \) The base case for \(\Upphi^{\phi}\) clearly works. We prove the forth condition for R. Let \(\Upgamma_1\in R(\Upgamma)\) and let \({\Upgamma_1^*=\{\phi\in{\fancyscript{L}}^{\phi'}_{EDL}\mid\phi\in\Upgamma_1\}}\) and assume that for all \(\Upgamma_1'\in R(\Upgamma')\) it is not the case that \(\Upgamma_1\leftrightsquigarrow\Upgamma_1', \) i.e., \(\Upgamma^*_1\nsubseteq\Upgamma_1'. \) Let \(S_1=\Upgamma^*_1-\underset{\Upgamma_1'\in R(\Upgamma')}{\bigcup}\Upgamma_1'\) and let us define S = S ₁ ∪ S ₂ where \({S_2=\{\phi\in{\fancyscript{L}}^{\phi'}_{EDL}\mid K_r\phi\in\Upgamma\}}\). S is consistent, because \(S\subseteq\Upgamma_1. \) So there is \(\Upgamma_2\in W\) such that \(S\subseteq\Upgamma_2. \) But \({\{\phi\in{\fancyscript{L}}^{\phi'}_{EDL}\mid K_r\phi\in\Upgamma'\}=\{\phi\in{\fancyscript{L}}^{\phi'}_{EDL}\mid K_r\phi\in\Upgamma'\}=\{\phi\in{\fancyscript{L}}^{\phi'}_{EDL}\mid K_r\phi\in\Upgamma\}}\) because \(\Upgamma\leftrightsquigarrow\Upgamma'.\,\Upgamma_2\in R(\Upgamma')\) and \(S_1\subseteq\Upgamma_2\) which is impossible by assumption. So there is \(\Upgamma_1'\in R(\Upgamma)\) such that \(\Upgamma^*\subseteq\Upgamma_1', \) i.e., such that \(\Upgamma_1\leftrightsquigarrow\Upgamma_1'. \) The same reasoning applies for the back condition. It also applies for the back and forth conditions for D by replacing S ₂ by \({S_2'=\{\alpha\in{\fancyscript{L}}^{\alpha'}_{EDL}\mid O_s\alpha\in\Upgamma\}. }\) \(\square\)

Axioms \(\mathsf{A}_1\) to \(\mathsf{A}_4\) and rules \(\mathsf{R}_1\) and \(\mathsf{R}_3\) provide an alternative axiomatization of Castañeda’s language. We can then derive in this logic the following theorems. In particular, note that our notion of knowledge is truthful, even if it was not explicitly mentioned in the axiomatization.

Proposition 5

For all \({\phi\in{\fancyscript{L}}_{EDL}, }\)

$$ \vdash K_r'\phi\rightarrow\phi $$

(13)

$$ \vdash K_r\phi\rightarrow\phi $$

(14)

$$ \vdash O_sK_r'\phi\rightarrow\phi $$

(15)

$$ \vdash \neg P_s K_r' \phi\rightarrow\phi $$

(16)

Equation 16 allows us to derive that as a result of informing the recipient that he should not know that ϕ holds, this very Recipient actually learns that ϕ holds. Indeed, as a result of sending this message, the Recipient knows that he should not know ϕ (\(K_r\neg P_sK_r'\phi\)), and therefore by application of Equation 16, he also knows that ϕ (K _r ϕ). This derivation was not possible in our logic \(\mathsf{L}_{DEDL}, \) as we noted it in Example 9.

Appendix 2: Algorithms \({Add_1^{\fancyscript{P}}}\) and \({Add_2^{\fancyscript{P}}}\)

Algorithms \({Add_1^{\fancyscript{P}}}\) and \({Add_2^{\fancyscript{P}}}\) below (i.e. Algorithms 5 and 6) are called in Algorithm 4. They are adapted from algorithms Add ₁ and Add ₂ (i.e. Algorithms 2 and 3) to take into account the presence of the privacy policy \({\fancyscript{P}}\) in the language \({{\fancyscript{L}}_{PL}. }\)