This is the companion code to the following paper:

Inferring Accountability from Trust Perceptions — Koen Decroix, Denis Butin, Joachim 
Jansen and Vincent Naessens — 10th International Conference on Information Systems 
Security (ICISS 2014), Springer LNCS.

http://link.springer.com/chapter/10.1007%2F978-3-319-13841-1_5

Code by Koen Decroix (KU Leuven, Technology Campus Ghent, Department of Computer 
Science).

----------------------------------------------------------------
General Description
----------------------------------------------------------------

Opaque communications between groups of data processors leave individuals out of touch 
with the circulation and use of their personal information. Empowering individuals in 
this regard requires supplying them — or auditors on their behalf — with clear data 
handling guarantees. We introduce an inference model providing individuals with global 
(organization-wide) accountability guarantees which take into account user expectations 
and varying levels of usage evidence, such as data handling logs. Our model is 
implemented in the IDP knowledge base system and demonstrated with the scenario of a 
surveillance infrastructure used by a railroad company. We show that it is flexible 
enough to be adapted to any use case involving communicating stakeholders for which a 
trust hierarchy is defined. Via auditors acting for them, individuals can obtain 
global accountability guarantees, providing them with a trust-dependent synthesis of 
declared and proven data handling practices for an entire organization.

This project is realized in IDP 3 (http://dtai.cs.kuleuven.be/krr/software/idp).

----------------------------------------------------------------
Camera Surveillance Scenario
----------------------------------------------------------------

To illustrate the model, we consider the scenario of video camera surveillance in a 
railway station. Since individuals are filmed by cameras, the collected categories 
of personal data are related to images (in some cases, cameras also record sound). 
Several categories of personal data can be inferred from camera recordings, such as 
identification through face detection, gait recognition, behavioral tracking and 
many others. Signs inform passersby that the Railway Company installed Cameras for 
Safety surveillance. These record images and provision the railway’s Monitors in the 
control room with real-time video feeds containing Blurred Faces and Gaits of 
travelers. Furthermore, detailed images of individuals’ Full Body and Gait are 
stored in the railway’s Image Database serving as Evidence in legal investigations. 
Only authorized Image Processors employed by the railway company have access to it. 
Additionally, surveillance Guards employed by a third-party Security Company patrol 
in the station. They are authorized to view real-time images on the monitors, and 
carry a Mobile Device for registering Contextual Data (e.g. time and location) in 
case of incidents. These devices are connected with the Status Database, property 
of the security company. It is only accessible for the security company’s Status 
Processors upon request of legal institutions for collecting Evidence. The trusted 
auditor (acting on behalf of a filmed individual) is external to the model and we 
focus on data handling statements from the entities collecting personal data.

(R)ailway Company, (C)amera, (M)onitor, (I)mage Database Statements
(D): Declarative statement, (L): Logged statement, (V): Logged and verified statement

R.1 	L 	Pictures of travelers' full bodies with blurred and non-blurred faces, gaits, heights, and behavior are recorded for incident detection.
R.2 	D 	Collected pictures containing evidence of incidents can be forwarded to legal authorities upon their request.
R.3 	L 	Pictures are never collected for commercial purposes.
R.4 	L 	The maximal retention time for any category of collected personal data is 60 days.
C.1 	L 	Cameras in the station record full bodies with blurred and non-blurred faces, gaits, heights, and behaviors of travelers for incident detection purposes.
M.1 	L 	Guards monitor in real-time full bodies with blurred faces, gaits, heights, and behaviors of travelers in the station for incident detection purposes.
I.1 	L 	Pictures of travelers' full bodies with non-blurred faces are stored as evidence of possible incidents.
I.2 	V 	Access to stored pictures of travelers' full bodies with non-blurred faces is only granted to the image processor upon request of the legal authorities.
I.3 	V 	Images of travelers' full bodies with non-blurred faces, gaits, heights, and behavior are never processed for the purpose of identification.
I.4 	D 	Stored images are deleted after 30 days, unless they are being used as evidence in legal cases. 


(S)ecurity Company, M(O)bile Device, Status (D)atabase Statements
(D): Declarative statement, (L): Logged statement, (V): Logged and verified statement

S.1 	D 	Time and location of incidents are collected as evidence.
S.2 	L 	Time and location of incidents are only forwarded to legal authorities upon request.
O.1 	V 	Surveillance guards collect time and location as evidence in case of incidents.
D.1 	V 	Time and location of incidents are collected as evidence.
D.2 	V 	Access to stored time and location of incidents is granted to status processors for gathering evidence.
D.3 	V 	The time and location of incidents are deleted after 90 days unless they are being used as legal evidence. 

----------------------------------------------------------------
Models
----------------------------------------------------------------

The scenario is modeled for 3 different types of user, namely:

    Model for a naive user (UsermodelA_idp_input.idp). Results (IDP output format): UsermodelA_idp_output.o
    Model for a regular user (UsermodelB_idp_input.idp); Results (IDP output format): UsermodelB_idp_output.o
    Model for a privacy-aware user (UsermodelB_idp_input.idp); Results (IDP output format): UsermodelC_idp_output.o