A model of information flow control to determine whether malfunctions cause the privacy invasion

Abstract

Privacy is difficult to assure in complex systems that collect, process, and store data about individuals. The problem is particularly acute when data arise from sensing physical phenomena as individuals are unlikely to realise that actions such as walking past a building generate privacy-sensitive data. Information Flow Control (IFC) is a mature technique for managing security and privacy concerns in large distributed systems. This paper describes (i) how the meta-data required by IFC, in the form of tags, can reflect the physical properties of sensors; and (ii) how the formal expression of the IFC this allows can be used to, statically, determine the proportion of the system that handles private data and how this changes in the face of software or human malfunctions.