Publications‎ > ‎


On Compound Purposes and Reasons for Enabling Privacy


This paper puts forward a verification method for compound purposes and compound reasons to be used during purpose limitation.When it is absolutely necessary to collect privacy related information, it is essential that privacy enhancing technologies (PETs) protect access to data – in general accomplished by using the concept of purposes bound to data. Compound purposes and reasons are an enhancement of purposes used during purpose limitation and binding and are more expressive than purposes in their general form. Data users specify their accessneeds by making use of compound reasons which are defined in terms of (compound) purposes. Purposes are organised in a lattice with purposes near the greatest lower bound (GLB) considered weak (less specific) and purposes near the least upper bound (LUB) considered strong (most specific).Access is granted based on the verification of the statement of intent (from the data user) against the compound purpose bound to the data; however, because purposes are in a lattice, the data user is not limited to a statement of intent that matches the purposes bound to the data exactly – the statement can be a true reflection of their intent with the data. Hence, the verification of compound reasons against compoundpurposes cannot be accomplished by current published verification algorithms. Before presenting the verification method, compound purposes and reasons, as well as the structures used to represent them, and the operators that are used to define compounds is presented. Finally, some thoughts on implementation are provided.


Note = {journal: J. UCS},
author = {van Staden, Wynand  and Olivier, Martin S.},
title = {On Compound Purposes and Compound Reasons for Enabling Privacy},
volume = {17},
number = {3},
pages = {426-450},
year = {2011},

Full Text: Full Text

SQL’s Revoke with a view on Privacy


Protecting access to data that can be linked to an individual (or personal identifiable information (PII)), thereby seeking to protect the individual’s privacy can be accomplished through legislation, organisational safeguards, and technology. Of particular interest and the focus of this paper is the technological means by which data is protected, in particular we are considering the mechanisms of purpose binding and limitation which facilitate the organisational safeguards. Purpose binding allows an enterprise to specify their purpose with collected data, and purpose limitation controls access to information based on these purpose bindings.Technologies that implement the aforementioned safeguards of PII forms a subset of a set of technologies commonly referred to as Privacy Enhancing Technologies (PETs). Many legacy systems do not employ these safeguards, even though it can be accomplished by providing “wrapper” technologies which reside on top of these legacy systems.This article continues work done by the authors in which extensions to SQL was proposed in order to integrate PETs with structured databases. The extensions showed that access to data through SQL can be controlled non-intrusively, and that the general discretionary access control model provided by many database management systems can still be enforced. In our previous work the extensions were limited to the SQL grant and selectstatements.In this article we propose a model for revoking privileges from database users, and thus consider the SQL revoke statement. We also show that the general principles of revoking privileges remain true for our proposed model. We also briefly consider extensions to the commands from the Data Manipulation Language (DML) that was not considered, being insert, delete, and update. 


author = {van Staden, Wynand JC and Olivier, Martin S},
title = {SQL's revoke with a view on privacy},
booktitle = {Proceedings of the 2007 annual research conference of the South African institute of computer scientists and information technologists on IT research in developing countries},
series = {SAICSIT '07},
year = {2007},
isbn = {978-1-59593-775-9},
location = {Port Elizabeth, South Africa},
pages = {181--188},
numpages = {8},
url = {},
doi = {},
acmid = {1292512},
publisher = {ACM},
address = {New York, NY, USA},
keywords = {SQL, access control, compound purposes, privacy, purpose binding},
Text:lACM DL