Further, the automated negotiation of an enterprise's policy with the
preferences, choices and requirements of an individual remains an important
challenge. Such automated mediation would relieve the individual from having to
review each enterprise's policy and allow enterprises to gain the maximum
usage of personal information while fully complying with and individual
preferences. Also, given the current investment in information systems and their
data disclosure mechanisms, HDB should allow refinement of policies based
on actual information usage, such that the policy is a representation of a
company's intent and practice. Future policy languages and systems must
reconcile these requirements with the need for efficient computation, which is
a difficult technical challenge [19].
Enforcement After Extraction. HDB active enforcement is currently
adept at limiting disclosure of information contained within the database,
but does not exert any control or safeguards over information that is
legitimately extracted and transferred outside of the database. Enterprises that
transfer private information to other entities must rely on those entities to
enforce the appropriate disclosure policies. Their only means of assurance is
to impose disclosure obligations on the transferee by written contract. Future
HDBs should address this issue by extending active enforcement to distributed
data environments having no central point of control and providing
guarantees on the external systems with regard to policy compliance. When
individuals disclose personal information to an enterprise under specific policies
and conditions, they should know that these policies and conditions will be
enforced after legitimate transfers of the information to other entities. Thus,
HDBs should be able to attach policy annotations to each item of information
that is transferred from the database to ensure that the transferee complies
with the original disclosure policies. They should also be capable of applying
source disclosure policies to any information received from another entity and
resolving any policy conflicts. Compliance with attached policies should be
reviewable by audit.
Filter and Deny Semantics. The HDB active enforcement solution
described above uses query predicates to filter results in compliance with the
applicable policy rules. The system transforms the query so that the database
only returns information that is compliant with the database user's
authorization, the enterprise's privacy policy, and any individual choices. Prohibited
values that are sought by the query are returned as null values. However, in
some circumstances, this type of filtering may not be desirable because it may
mislead the user into thinking that the prohibited values do not actually exist.
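The ambiguity described above can be reproduced with a small query rewriter. This is an added example, not code from the original text or from HDB: the `patient` table, the `phone_optin` flag, the policy predicate and the function names are all assumptions, and deny semantics is modelled here as rejecting the whole query.

```python
import sqlite3

# Constructed sample data; table, columns and the opt-in flag are assumptions.
SCHEMA = """
CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, phone TEXT, phone_optin INTEGER);
INSERT INTO patient VALUES
  (1, 'Alice', '555-0101', 1),  -- owner consented to disclosure
  (2, 'Bob',   '555-0102', 0),  -- value exists but disclosure is prohibited
  (3, 'Carol', NULL,       1);  -- value is genuinely absent
"""
COLUMNS = ("id", "name", "phone")        # allow-list: only these reach the SQL text
POLICY = {"phone": "phone_optin = 1"}    # column -> predicate that permits disclosure

class PolicyDenied(Exception):
    """Raised under deny semantics when a query touches a prohibited value."""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _check(columns):
    bad = [c for c in columns if c not in COLUMNS]
    if bad:
        raise ValueError(f"unknown column(s): {bad}")

def query_filter(db, columns):
    """Filter semantics: rewrite so prohibited cells are returned as NULL."""
    _check(columns)
    select = [f"CASE WHEN {POLICY[c]} THEN {c} END AS {c}" if c in POLICY else c
              for c in columns]
    return db.execute(f"SELECT {', '.join(select)} FROM patient ORDER BY id").fetchall()

def query_deny(db, columns):
    """Deny semantics (assumed form): reject the query if any row is prohibited."""
    _check(columns)
    for c in columns:
        if c in POLICY:
            sql = f"SELECT EXISTS (SELECT 1 FROM patient WHERE NOT ({POLICY[c]}))"
            if db.execute(sql).fetchone()[0]:
                raise PolicyDenied(f"column {c!r} holds values this user may not see")
    return db.execute(f"SELECT {', '.join(columns)} FROM patient ORDER BY id").fetchall()

if __name__ == "__main__":
    db = make_db()
    print(query_filter(db, ["name", "phone"]))  # Bob and Carol both show None
    try:
        query_deny(db, ["name", "phone"])
    except PolicyDenied as exc:
        print("denied:", exc)
```

Under the filter rewrite, Bob's withheld number and Carol's missing number are indistinguishable to the caller; the deny variant removes that ambiguity, but the refusal itself tells the caller that prohibited values exist.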
For example, suppose that a military officer would like to know whether
there are any friendly forces within a particular building before authorizing a
missile strike. There are friendly intelligence operatives in the building, but the
existence and locations of these operatives exceed the security clearance of
the officer. In this case, filtering the prohibited results would not be desirable