Concepedia

Publication | Closed Access

Realizing Purpose-Based Privacy Policies Succinctly via Information-Flow Labels

Citations: 40

References: 18

Year: 2014

Abstract

Privacy policies are often defined in terms of purposes for which the information may be used. Recent work on specification and enforcement of purpose-based privacy policies proceeds by expressing purpose constraints using modal logics for defining when a sequence of actions is "only for" and "not for" a purpose, where a purpose is modelled using either Markov decision processes or workflows. In this paper, we argue that purpose-based privacy policies can be naturally captured by assigning labels to subjects and objects for tracking the information flows in the system. We model the underlying application in terms of information flow diagrams, and demonstrate the advantages of these diagrams for specifying and enforcing purpose restrictions. Note that most of the existing work assigns purpose annotations to actions and discusses privacy in terms of human users of the information system. In contrast, our work explicitly recognizes the significance of many-to-many relations between actions and subjects (computer programs as opposed to human users) and between actions and data for enforcing purpose restrictions in privacy policies. We illustrate our approach through examples and compare it with existing literature.
