4.5 Privacy Protection at the interaction level
4.5.3 Privacy can sufficiently be protected at the interaction level
The proposed framework provides the protection mechanisms at the interaction level. It extends the interaction protocol with essential messages and sequences to protect the sensitive information that is shared or disclosed in the original interaction protocol.
Theorem 3: For any incomplete knowledge CDS where entities adopt message-based interaction, P-Model can be sufficiently addressed at the interaction level.
To provide the supporting materials for the above theorem, it is essential that we prove the following points:
• All the information that is shared or disclosed to other entities is decided at the interaction level.
• Any class of privacy protection mechanism happens at the interaction level.
The computation entity in CDS has autonomy in coordinating activities with others. The interaction layer manages the necessary processes to identify the adequate messages to communicate to resolve the interdependency problem. The communication layer is responsible for exchanging messages. However, it does not have decision-making authority over the messages to be sent, and it is not aware of the intent that initiates the exchange of messages.
Lemma 1: Let ππ β‘< πΎπ, πππ, πΌππ, πΆπππ > be the computation entity. For any information
πΌπ,π that is going to be shared with ππ, π(πΌπ,π, ππ) is decided in πΌππ
If πππ realizes that, to achieve a goal, there is an interdependency problem, πΌππ finds a coordination solution πΆππ,π with an entity such as ππ.
If πΌπ,π is shared with ππ,
β πΌπ,π, β (πΌπ,π, πΌππ)|π(πΌπ,π, ππ)
Then there are two possibilities:
1. It is discovered at πππ that πΌπ,π is required to perform the πΆππ,π; therefore
πΆππ,π β π(πΌπ,π, ππ)
2. It is discovered at πΌππ that πΌπ,π has to be shared with ππ
πΌππ β π(πΌπ,π, ππ)
In both cases, the shared information is processed and decided by the interaction layer.
Lemma 2: Let πΌπ,π be the information that is disclosed. For any πΌπ,π there is explicit information that is shared
β πΌπ,π, ππ , β (πΌπ,π, πΌππ)| π·(πΌπ,π, ππ)
When information is implicitly disclosed:
π·(πΌπ,π, ππ) β β πΌπ,πβ², ππ,π€| ππ,π€(πΌπ,πβ², πΌππ’π₯)
Assume πΌπ,πβ² is not shared through interaction. Then there are two possibilities:
1. Fact A: πΌπ,πβ² is auxiliary information disseminated by a third party ππ‘; then:
If πΌπ,πβ² is shared with ππ‘, then it has been decided at the interaction level.
2. πΌπ,πβ² is not shared with any entity, therefore:
a. Either π·(πΌπ,πβ², ππ‘) so that Fact A occurs
b. Or it has not been shared by interaction. This contradicts Lemma 1.
This proves that any information that is shared or disclosed has an initiating sharing point at the interaction level.
In Equation 8, privacy protection in the privacy model is defined as:
PP(ej, (PS(Ii)), OΜj) β‘ β t , w| β (t, PS(Ii)) β§ oΜΜΏΜ j,wt (t)
To achieve oΜΜΏΜ j,wt (t), the privacy protection mechanisms are applied. The privacy protection mechanisms can be classified at the information or operation level.
Lemma 3: If a preventive protection mechanism at the information level exists, it happens at the interaction level.
Let π be a preventive mechanism at information level for protecting πΌπ (πΌπ,π, ππ) in which enables oΜΜΏΜ j,wt (t).
πΜΏ β PP (ej, {Ii,r}, oΜΜΏΜ j,wt (t))
In Equation 10,
π β‘< πΌπ, ππ >
ππ = {ππ,1, β¦ , ππ,π, β¦ , ππ,π·} , 1 β€ π β€ π·
Based on the execution of preventive protection mechanisms at the information level in Equation 11:
πΜΏπ,π·(πΜΏπ,π·β1(πΜΏπ,π·β2(Iπ,k) (πΜΏπ,π·β3(Iπ,k) (β¦ (πΜΏπ,1(Iπ,k)))))) = πΌπ
This results in sharing information that is manipulated by the operations in protection mechanisms.
πΜΏ β π(πΌπ,πβ², ππ)
Based on Lemma 1, πΌπ,πβ² has to go through interactions. Therefore, the preventive mechanisms at the information level can happen at the interaction level.
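An added illustration of Lemma 3 and of the layer separation described earlier (not code from the original text): a preventive mechanism is modelled as an ordered chain of operations that the interaction layer applies before handing the result to a communication layer that only transports. The record fields, the entity names `e_j` and `e_x`, the two operations and the fail-closed refusal are assumptions made for this example.

```python
from functools import reduce

def suppress_id(record):
    """Operation 1 (assumed): remove the direct identifier."""
    return {k: v for k, v in record.items() if k != "patient_id"}

def generalize_age(record):
    """Operation 2 (assumed): replace the exact age with a ten-year band."""
    out = dict(record)
    if isinstance(out.get("age"), int):
        low = out["age"] // 10 * 10
        out["age"] = f"{low}-{low + 9}"
    return out

class CommunicationLayer:
    """Transport only: sends what it is handed, with no say over content."""
    def __init__(self):
        self.wire = []

    def send(self, recipient, payload):
        self.wire.append((recipient, payload))

class InteractionLayer:
    """Takes the sharing decision, so it is also where protection is applied."""
    def __init__(self, comm, sensitive_fields, mechanisms):
        self.comm = comm
        self.sensitive_fields = set(sensitive_fields)
        self.mechanisms = mechanisms  # recipient -> ordered operations 1..D

    def share(self, recipient, record):
        if self.sensitive_fields.intersection(record):
            chain = self.mechanisms.get(recipient)
            if not chain:
                return None  # fail closed: sensitive data but no mechanism
            # Operation 1 runs first and operation D last (nested composition).
            record = reduce(lambda acc, op: op(acc), chain, record)
        self.comm.send(recipient, record)
        return record

# Constructed sample record, not data from the text.
RECORD = {"patient_id": "P-0042", "age": 47, "diagnosis": "asthma"}

def demo():
    comm = CommunicationLayer()
    layer = InteractionLayer(comm, {"patient_id", "age"},
                             {"e_j": [suppress_id, generalize_age]})
    shared = layer.share("e_j", RECORD)   # protected copy is sent
    refused = layer.share("e_x", RECORD)  # no mechanism: nothing is sent
    return shared, refused, comm.wire
```

Only the manipulated record ever reaches the communication layer, which is the sense in which the mechanism "happens at the interaction level".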
Lemma 4: If a preventive mechanism at the operation level exists, it happens at the interaction level.
Let πΌπ,π be the sensitive information that can implicitly be disclosed to ππ through πΜπ,π€π‘ when πΌπ,πβ² is shared.
β πΌπ,π, πΌπ,πβ², ππ, πΜπ,π€π‘ | πΌπ (πΌπ,π, ππ, πΜπ,π€π‘ ) β§ πΜπ,π€π‘ (πΌπ,πβ², πΌππ’π₯) β‘ πΌπ,π β§ π(πΌπ,πβ², ππ)
Let π be the protection mechanism at the operation level that can protect πΌπ,π.
π β‘< πΌπ, ππ >
ππ = {ππ,1, β¦ , ππ,π, β¦ , ππ,π·} , 1 β€ π β€ π·
Based on the execution of the protection mechanisms at the operation:
πΜΏπ,π·({ππ,π€, πΜΏπ,π·β1({ππ,π€, πΜΏπ,π·β2({ππ,π€, β¦ , πΜΏπ,1(ππ,π€, Iπ,r)})})})
= { β ππ β (ππ,π€, πΜπ
π)
Iπ,r" ππ β (ππ,π€, πΜππ)
which results in sharing Iπ,r" or β . Therefore, based on Lemma 1, it happens at the interaction level.
Lemma 5: If a punishing privacy protection mechanism exists, it happens at the interaction level.
Let π β‘< πΌπ, ππ > be the punishing protection mechanism that protects πΌπ (πΌπ,π, ππ). Based on the execution of punishing mechanisms in equation 13:
β π‘,
π
Μπ,π‘π,π| oΜΏΜΏΜΏΜΏΜΏΜΏ ({m,Dπ
Μ π,π‘ π,π , oΜΏΜΏΜΏΜΏΜΏΜΏΜΏΜΏΜΏ({m,Dβ1π
Μ π,π‘ π,π , oΜΏΜΏΜΏΜΏΜΏΜΏΜΏΜΏΜΏ(m,Dβ2π
Μ π,π‘ π,π , β¦ , oΜΏΜΏΜΏΜΏΜΏΜΏ(m,1π
Μ π,π‘ π,π )})})}) β‘ πΌπ
The generated information in this mechanism is shared with the entity that has executed the non-authorized operations.
πΜΏ β π(πΌπ, ππ)
This indicates that the punishing mechanisms happen at the interaction level.
Given Lemma 1, Lemma 2, Lemma 3, Lemma 4 and Lemma 5, it is proven that any protection mechanism will be applied at the interaction level. Therefore, it is sufficient to capture privacy protection at the interaction level.