Volume 15, No. 2
Enabling Personal Consent in Databases
Abstract
Users have the right to consent to the use of their data, but current methods are limited to very coarse-grained expressions of consent, as “opt-in/opt-out” choices for certain uses. In this paper we identify the need for fine-grained consent management and formalize how to express and manage user consent and personal contracts of data usage in relational databases. Unlike privacy approaches, our focus is not on preserving confidentiality against an adversary, but rather cooperate with a trusted service provider to abide by user preferences in an algorithmic way. Our approach enables data owners to express the intended data usage in formal specifications, that we call consent constraints, and enables a service provider that wants to honor these constraints, to automatically do so by filtering query results that violate consent; rather than both sides relying on “terms of use” agreements written in natural language. We provide formal foundations (based on provenance), algorithms (based on unification and query rewriting), connections to data privacy, and complexity results for supporting consent in databases. We implement our framework in an open source RDBMS, and provide an evaluation against the most relevant privacy approach using the TPC-H benchmark, and on a real dataset of ICU data.
PVLDB is part of the VLDB Endowment Inc.