A Formal Privacy System and its Application to Location Based Services

Carl A. Gunter, University of Pennsylvania
Michael J. May, University of Pennsylvania
Stuart G. Stubblebine, Stubblebine Research Labs

May 2004

Abstract

There are a variety of well-known models for access control developed for purposes like formally modeling the access rights on files, databases, and web resources. However, the existing models provide an inadequate representation of a number of concepts that are important when modeling privacy rights in distributed systems. We present an analog of the access control matrix designed to model such concepts. Our formalism, which we call a privacy system, emphasizes the management of data and actions that affect the privacy of subjects. We motivate privacy systems, describe them mathematically, and illustrate their value in an architecture based on Personal Digital Rights Management (PDRM), which uses DRM concepts as a foundation for the specification and negotiation of privacy rights. This illustration is carried out through a case study of a privacy-respecting system for location based services. Our prototype, which we call AdLoc, manages advertising interrupts on PDAs based on their location as determined by WiFi sightings in accordance with contracts written in the DRM language XrML.

1 Introduction

Privacy is a pivotal concern for data collected by and stored on computers. A variety of formal models have been proposed to characterize privacy based on cryptographic and information-theoretic criteria, providing a rigorous definition of privacy. A closely related class of formal models formulates access control rules, which describe the rights of principals to perform actions and access data. These provide an abstract architectural perspective on privacy that can be supported by cryptographic techniques. Portions of what is needed are present in various formalisms. For instance, access control matrices provide an intuitive and fundamental model of the relationship between principals, objects, and rights. Trust management systems provide a foundation for delegation, credentials, and decentralized operation. Role-based systems provide efficient ways to manage the relationship between principals and rights. However, the existing systems fall short on important issues like direct representation of the idea that data are about a specified principal whose privacy is at issue. They also fail to integrate the right range of basic concepts.

The aim of this paper is to propose an analog of an access control matrix primarily aimed at the representation and management of privacy rights. This entails the problems of representing, negotiating, delegating, and interpreting rights in a distributed context. We make three contributions: a formal system as a conceptual aid for analysis and design, an architectural approach to enable development based on common software platforms, and a case study to illustrate its characteristics and prove its scalability.

Our formal system, which we call a ‘privacy system’, describes an abstract concept of rights of principals to create and manipulate objects related to a principal which we call the ‘subject’ of the object. While existing models of-