2013 IEEE CS Security and Privacy Workshops (SPW2013)
San Francisco, CA USA
May 23-May 24
ISBN: 978-1-4799-0458-7
Denis Butin, INSA-Lyon, Univ. de Lyon, Villeurbanne, France
Marcos Chicote, INSA-Lyon, Univ. de Lyon, Villeurbanne, France
Daniel Le Metayer, INSA-Lyon, Univ. de Lyon, Villeurbanne, France
Accountability is a requirement to be included in the initial design phase of systems because of its strong impact on log architecture implementation. As an illustration, the logs we examine here record actions by data controllers handling personally identifiable information to deliver services to data subjects. The structures of those logs seldom consider requirements for accountability, preventing effective dispute resolution. We address the question of what information should be included in logs to make their a posteriori compliance analysis meaningful. Real-world scenarios are used to show that decisions about log architecture are nontrivial and should be made from the design stage on. Four categories of situations for which straightforward solutions are problematic are presented. Our contribution shows how log content choices and accountability definitions mutually affect each other and prompts service providers to rethink the extent to which they can be held responsible. These different aspects are synthesized into key guidelines to avoid common pitfalls in accountable log design. This analysis is based on case studies performed on our implementation of the PPL policy language.
Index Terms:
Credit cards, Privacy, Delays, Security, Data handling, Guidelines, Companies, PPL, Accountability, Security Policy, Privacy
Citation:
Denis Butin, Marcos Chicote, Daniel Le Metayer, "Log Design for Accountability," spw, pp.1-7, 2013 IEEE CS Security and Privacy Workshops (SPW2013), 2013