National Science Foundation
Award Abstract #1064688

TC: Medium: Semantics and Enforcement of Privacy Policies: Information Use and Purpose

Division of Computer and Network Systems
Initial Amendment Date: April 12, 2011
Latest Amendment Date: August 12, 2013
Award Number: 1064688
Award Instrument: Continuing grant
Program Manager: Nan Zhang, CNS Division of Computer and Network Systems, CSE Directorate for Computer & Information Science & Engineering
Start Date: August 1, 2011
End Date: July 31, 2016 (Estimated)
Awarded Amount to Date: $1,197,126.00
Investigator(s): Anupam Datta danupam@andrew.cmu.edu (Principal Investigator); Jeannette Wing (Former Principal Investigator); Anupam Datta (Former Co-Principal Investigator)
Sponsor: Carnegie-Mellon University, 5000 Forbes Avenue, PITTSBURGH, PA 15213-3815, (412)268-9527
Program: Secure & Trustworthy Cyberspace
Program Reference Code(s): 7434, 7924, 7795, 7923, 9102
Program Element Code(s): 7795, 8060


Organizations, such as hospitals, financial institutions, and universities, that collect and use personal information are required to comply with privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Family Educational Rights and Privacy Act (FERPA). Similarly, to ensure customer trust, web services companies, such as Google, Facebook, Yahoo!, and Amazon, publish privacy policies stating what they will do with the information they keep about customers' individual behaviors. These policies impose constraints on disclosure (or transmission) of personal information, articulate obligations (e.g., notifying customers about privacy breaches), and identify purposes for which personal information may or may not be used. Prior work has focused on formalisms for disclosure and obligations, but no such foundation has been developed for information use for specified purposes.

Intellectual Merit. This project addresses the central problem of developing a formal semantics that explains what it means to use information for a set of purposes, a logic for specifying such policies, and algorithmic methods for their enforcement. It advances the state of knowledge in the field of privacy by providing a foundation for a concept that is commonly used in practice, but has not been the subject of careful scientific study. The project also investigates the interaction of this concept with the previously studied concepts of disclosure and obligation, thereby enabling a more comprehensive understanding of privacy. The formal semantics the project develops is novel and draws on insights from prior work on philosophical theories of causation and intentions, and from the computer science literature on formal methods, information flow, and planning. The model is validated through user studies and its application through case studies in the healthcare domain.

Broader Impacts. The project addresses a problem of significant and growing importance to society. It initiates a new direction in providing foundations for privacy by studying the concept of information use for a purpose. This concept appears in privacy policies published by organizations in sectors as diverse as finance, web services, healthcare, insurance, education, and government, the cornerstones of modern society. The semantic foundation serves as the basis for developing practical tools to support the enforcement of such policies in such organizations. The project provides opportunities for engaging graduate and undergraduate students. The PIs plan to integrate the research results into their existing security and privacy courses, and, for wider dissemination, leverage outreach programs in Carnegie Mellon's Computer Science Department and CyLab aimed at K-12, women, persons with disabilities, and underrepresented minorities.


M.C. Tschantz, A. Datta, and J.M. Wing. "Formalizing and Enforcing Purpose Restrictions in Privacy Policies". IEEE Symposium on Security and Privacy, 2012 (to appear May 2012). 08/01/2011-07/31/2012.

M.C. Tschantz. "Formalizing and Enforcing Purpose Restrictions". Ph.D. Thesis, CMU-12-117, Carnegie Mellon University, 2012. 08/01/2011-07/31/2012.

M.C. Tschantz, A. Datta, and J.M. Wing. "Formalizing and Enforcing Purpose Restrictions in Privacy Policies (full version)". Technical Report CMU-CS-12-106, Carnegie Mellon University, 2012. 08/01/2011-07/31/2012.


Please report errors in award information by writing to: awardsearch@nsf.gov.