Privacy and Trust in Business Processes: Challenges and Opportunities
In processes we trust
Marlon Dumas
marlon.dumas@ut.ee
SOAMED Workshop – Berlin 9-10 June 2016
What do you understand by… Security? Privacy? Trust?
(Diagram: Trust, Confidentiality, Integrity, Non-Repudiation, Availability, Reliability, Safety, Functionality, Data)
SECURITY VS. PRIVACY
• Security: confidentiality, integrity and non-repudiation in the presence of dishonest/malicious attackers
• Privacy: confidentiality in the presence of honest-but-curious actors
Topics in Business Process Security & Privacy
• Access control and release control in business processes
• Flow analysis to detect unauthorized data object access/disclosures
• Privacy-aware business process execution
• Collaborative process execution with untrusted parties
Privacy-Aware Business Processes
Analysis of Linked Datasets: No privacy tech
Analysis of Linked Datasets: k-anonymization
Analysis of Linked Datasets: Multi-Party Computation (MPC)
10 million tax records + 500 000 education records
Dan Bogdanov et al.: Students and Taxes: a Privacy-Preserving Study Using Secure Computation. PoPETs 2016(3): 117-135 (2016)
Data Analysis with MPC – Architecture
Data analysis process with MPC (part 1)
Data analysis process with MPC (part 2)
Challenges
1. How can we make it easy for business users to model and configure multi-party private data analysis processes?
2. How to analyze such processes against compliance requirements?
Scope of MPC
• Allows a computation to be performed across parties without them disclosing anything but the output
• But the output is visible to the analyst…
• What if the analyst issues several (authorized) queries? What can they learn about individuals?
• Information release control
  • k-anonymity, t-closeness
  • Differential privacy
Differential Privacy (Dwork 2006)
K gives ε-differential privacy if for all databases DB, DB′ differing in a single element, and all S ⊆ Range(K):
$\frac{\Pr[K(DB) \in S]}{\Pr[K(DB') \in S]} \le e^{\varepsilon} \approx 1 + \varepsilon$
(Figure: the output distributions Pr[t] of K(DB) and K(DB′); their ratio is bounded at every t.)
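The Laplace mechanism makes the bound concrete. The Python below is an added example (not from the slides or from the cited papers): it releases a noisy count over a constructed student-income table, evaluates the log ratio of the two output densities for neighbouring databases to confirm it never exceeds ε, and sums ε across repeated queries, which is the concern raised under "Scope of MPC" when an analyst runs several authorized queries. The database, predicate and ε values are constructed for illustration.

```python
import math
import random

def laplace(scale, rng=random):
    """One Laplace(0, scale) sample: the difference of two Exp(1/scale) draws."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def laplace_count(db, predicate, eps, rng=random):
    """K(DB): a counting query released with Laplace noise. A count has
    sensitivity 1 (one record changes it by at most 1), so scale = 1/eps."""
    return sum(1 for row in db if predicate(row)) + laplace(1.0 / eps, rng)

def laplace_pdf(t, mu, scale):
    return math.exp(-abs(t - mu) / scale) / (2 * scale)

def privacy_loss(db, db_neighbor, predicate, eps, t):
    """ln( Pr[K(DB) = t] / Pr[K(DB') = t] ) for the mechanism above.
    The definition demands |loss| <= eps for every output t."""
    scale = 1.0 / eps
    c, c_neighbor = sum(map(predicate, db)), sum(map(predicate, db_neighbor))
    return math.log(laplace_pdf(t, c, scale) / laplace_pdf(t, c_neighbor, scale))

def worst_case_loss(db, db_neighbor, predicate, eps, outputs):
    """Largest |privacy loss| over a grid of candidate outputs; it reaches
    exactly eps when the two databases' counts differ by one."""
    return max(abs(privacy_loss(db, db_neighbor, predicate, eps, t)) for t in outputs)

def composed_epsilon(epsilons):
    """Sequential composition: k authorized eps_i-DP queries on the same data are
    together sum(eps_i)-DP, which is why repeated execution erodes the guarantee."""
    return sum(epsilons)

# Constructed neighbouring databases (student id, income); DB2 adds one record.
DB = [("s1", 1200), ("s2", 800), ("s3", 3100)]
DB2 = DB + [("s4", 4500)]
HIGH_INCOME = lambda row: row[1] > 3000
GRID = [x / 10 for x in range(-50, 101)]        # candidate outputs t in [-5, 10]

if __name__ == "__main__":
    print("noisy count:", laplace_count(DB, HIGH_INCOME, eps=0.5))
    print("worst-case loss:", worst_case_loss(DB, DB2, HIGH_INCOME, 0.5, GRID))
    print("after 4 such queries:", composed_epsilon([0.5] * 4))
```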
Differential Privacy
(Figure: noise added to the released statistic causes accuracy loss; source: Gerome Miklau and Michael Hay)
Data Analysis with MPC – Architecture
(Diagram: the MPC architecture extended with a Differentially Private Release Mechanism)
Challenges
3. How to measure differential privacy of data analysis processes that are repeatedly executed?
4. How to strike tradeoffs between differential privacy and accuracy in data analysis processes?
Pleak.io – Vision
- Lets one model stakeholders and flows in extended BPMN (PA-BPMN)
- Finds data leaks taking into account the Privacy-Enhancing Technologies used
  - Secure multi-party computation
  - Encrypted computation
  - k-anonymity, differential privacy
- Quantifies leakages and accuracy loss
- Suggests relevant privacy-enhancing technologies to reduce privacy leaks
Part of DARPA’s Brandeis Program – NAPLES Project
Pleak.io – Architecture
Sample Scenario in PA-BPMN (diagram elements: dp-flow, dp-task)
Privacy Analysis: Differential Privacy Disclosure
Underpinning Theory – Generalized Sensitivity
• Generalized distances: any partial order with addition and a least element, $d_X : X^2 \to V_X$
• $f : X \to Y$ has sensitivity $c_f : V_X \to V_Y$
• Differential privacy is a specific case of generalized sensitivity
• Generalized sensitivity is composable, e.g. $c_{f \circ g} = c_f \circ c_g$
Abstract Model: Data Processing Workflow
Differential Privacy Disclosure of Outputs w.r.t. Data Sources
Differential Privacy Disclosure of a Data Source to a Party
dp-task from the sample scenario (pseudocode):
    (ships, disaster) -> {
      avail_food = 0;
      avail_ships = [];
      for (ship in ships) do {
        fuzzed_loc = ship.loc() + Lap2(3);
        if (dist(fuzzed_loc, disaster.loc()) / ship.speed() <= 2
            && ship.cargo_type() == "food"
            && !ship.contains(dangerous_materials)) {
          avail_food += ship.cargo();
          avail_ships.append({ship.name(), fuzzed_loc});
        }
      }
      avail_food += Lap(2);
      return (avail_food, avail_ships);
    }
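A runnable Python rendering of this dp-task, added here as an example (it is not Pleak's or the slides' own code), together with the sensitivity reasoning from the Generalized Sensitivity slide in its simplest form: clipping each ship's cargo at an assumed bound fixes the sensitivity of the food total, and hence the ε that the slide's Lap(2) noise buys for that output. Lap2 is not defined on the slide and is assumed here to be independent Laplace noise per coordinate; the Ship record, CARGO_MAX and the fleet are constructed.

```python
import math
import random
from dataclasses import dataclass
CARGO_MAX = 10.0   # assumed cap on one ship's cargo (tonnes); clipping bounds the sensitivity

@dataclass
class Ship:
    name: str
    loc: tuple        # (x, y) in constructed distance units
    speed: float      # distance units per hour
    cargo_type: str
    cargo: float
    dangerous: bool   # stands in for ship.contains(dangerous_materials)

def laplace(scale, rng=random):
    """One Laplace(0, scale) draw, the slide's Lap(scale)."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def lap2(scale, rng=random):
    """The slide's Lap2(scale), assumed here to be independent Laplace noise per coordinate."""
    return laplace(scale, rng), laplace(scale, rng)

def dp_task(ships, disaster_loc, noise1=laplace, noise2=lap2):
    """Runnable rendering of the dp-task: food ships that can reach the disaster within
    2 hours (tested on fuzzed positions), plus a noisy total of their food cargo."""
    avail_food, avail_ships = 0.0, []
    for ship in ships:
        fx, fy = noise2(3)
        fuzzed_loc = (ship.loc[0] + fx, ship.loc[1] + fy)
        hours = math.hypot(fuzzed_loc[0] - disaster_loc[0], fuzzed_loc[1] - disaster_loc[1]) / ship.speed
        if hours <= 2 and ship.cargo_type == "food" and not ship.dangerous:
            avail_food += min(ship.cargo, CARGO_MAX)   # clip so one ship moves the total by <= CARGO_MAX
            avail_ships.append((ship.name, fuzzed_loc))
    avail_food += noise1(2)
    return avail_food, avail_ships

def food_total_epsilon(scale=2.0):
    """Laplace mechanism: eps = sensitivity / scale. Adding or removing one ship changes the
    clipped total by at most CARGO_MAX, so the slide's Lap(2) gives eps = CARGO_MAX / 2 here."""
    return CARGO_MAX / scale

# Constructed fleet: before noise only Anna qualifies.
SHIPS = [Ship("Anna", (0, 0), 10, "food", 8, False),
         Ship("Bela", (100, 0), 10, "food", 6, False),   # 10 h away
         Ship("Cora", (5, 5), 10, "fuel", 7, False),     # wrong cargo
         Ship("Dido", (3, 4), 10, "food", 9, True)]      # dangerous materials

if __name__ == "__main__":
    print(dp_task(SHIPS, (0, 0)), "eps(food total) =", food_total_epsilon())
```

Passing zero-noise functions for noise1 and noise2 gives the exact (non-private) answer, which is the baseline against which the accuracy loss of the noisy release can be measured.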
Collaborative Processes with Untrusted Parties
Distributed Ledger (e.g. Blockchain)
(Figure source: FT Research)
A distributed append-only database that ensures integrity and non-repudiation in an untrusted setting.
Smart Contracts
• Programs living on the blockchain (e.g. Ethereum) with their own memory and code
• Invoked when certain transactions are sent to them
• Can store data, send transactions, interact with other contracts or with “agents”
Distributed Ledgers for Collaborative Processes
- Participants agree on a collaborative process and a model for it
- The model is translated to (a) smart contract(s) to be executed on the blockchain
- Smart contracts listen to process execution events and interact with agents or other smart contracts in order to monitor and/or execute the process
1. Audit trail: record all events in the process, which can be used later to retrace the execution of a given process instance.
2. Monitoring: deploy a smart contract for every instance of the process to verify and/or enforce the constraints captured in the process model.
3. Active coordination: deploy a smart contract for every process instance, which observes every event occurring in the process instance and triggers the next step by notifying the agent(s) of the corresponding actors.
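The three uses above share one piece of logic: a per-instance contract that checks each event against the agreed model, records it, and names the next step. The Python below is an added example (not Weber et al.'s implementation and not on-chain code) that simulates that logic off-chain so the checks can be seen in isolation; the process model, actor names and event stream are constructed.

```python
from dataclasses import dataclass, field

# Constructed process model the participants agreed on: task -> (actor allowed to
# perform it, tasks enabled once it is done). An empty successor set ends the instance.
MODEL = {
    "place_order":   ("buyer",    {"confirm_order"}),
    "confirm_order": ("supplier", {"ship_goods"}),
    "ship_goods":    ("supplier", {"deliver"}),
    "deliver":       ("carrier",  {"pay"}),
    "pay":           ("buyer",    set()),
}
START = {"place_order"}

@dataclass
class InstanceContract:
    """Stand-in for one process instance's smart contract: append-only audit trail (1),
    constraint verification on every event (2), next-step notification (3)."""
    instance_id: str
    enabled: set = field(default_factory=lambda: set(START))
    trail: list = field(default_factory=list)

    def submit(self, actor, task):
        """Accept the event only if the model enables this task for this actor."""
        if task not in self.enabled:
            raise ValueError(f"{task} not enabled; enabled: {sorted(self.enabled)}")
        allowed, successors = MODEL[task]
        if actor != allowed:
            raise PermissionError(f"{actor} may not perform {task}; expected {allowed}")
        self.trail.append((len(self.trail), actor, task))  # the ledger keeps this immutable
        self.enabled = set(successors)
        return self.next_steps()

    def next_steps(self):
        """Active coordination: (actor, task) pairs whose agents are notified next."""
        return sorted((MODEL[t][0], t) for t in self.enabled)

def run_instance(events, instance_id="inst-1"):
    """Replay an event stream against a fresh instance; return (contract, rejected events)."""
    contract, rejected = InstanceContract(instance_id), []
    for actor, task in events:
        try:
            contract.submit(actor, task)
        except (ValueError, PermissionError) as err:
            rejected.append((actor, task, str(err)))
    return contract, rejected

# Constructed event stream with two violations the contract must refuse.
EVENTS = [("buyer", "place_order"), ("buyer", "ship_goods"),         # skips ahead
          ("supplier", "confirm_order"), ("carrier", "ship_goods"),  # wrong actor
          ("supplier", "ship_goods"), ("carrier", "deliver"), ("buyer", "pay")]
```

The rejected list is what a monitor would raise as a compliance finding, while the trail is the audit record that any participant can replay to retrace the instance.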
Collaborative Process Coordination on Blockchain (Ingo Weber et al., BPM’2016)
Challenges
1. How to make it possible for business users to model and configure collaborative processes on distributed ledgers?
2. How to analyze these processes against security and privacy requirements?
3. How to efficiently execute high-throughput collaborative processes on distributed ledgers?
4. How to ensure privacy in these processes?
Join us…
Reference(s)
[1] Dan Bogdanov et al.: Students and Taxes: a Privacy-Preserving Study Using Secure Computation. PoPETs 2016(3): 117-135, 2016
[2] Marlon Dumas, Luciano Garcia-Banuelos, Peeter Laud: Differential Privacy of Data Processing Workflows. In Proc. of GraMSec’2016
[3] Ingo Weber, Xiwei Xu, Regis Riveret, Guido Governatori, Alexander Ponomarev, Jan Mendling: Untrusted Business Process Monitoring and Execution Using Blockchain. In Proc. of BPM’2016
Research funded by DARPA (Brandeis program 2015-2019)
Thanks!
