Preserving Privacy in Cyber-physical-social Systems: An Anonymity and Access Control Approach

Tanusree Sharma, Informatics, University of Illinois at Urbana-Champaign, Champaign, IL, USA, tsharma6@illinois.edu
John Christian Bambenek, Informatics, University of Illinois at Urbana-Champaign, Champaign, IL, USA, bambenek@illinois.edu
Masooda Bashir, School of Information Sciences, University of Illinois at Urbana-Champaign, Champaign, IL, USA, mnb@illinois.edu

1st Workshop on Cyber-Physical Social Systems (CPSS2019), October 22, 2019, Bilbao, Spain. Copyright © 2019 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

ABSTRACT
With the significant development of mobile commerce, the integration of physical, social, and cyber worlds is increasingly common. The term Cyber Physical Social Systems (CPSS) is used to capture technology's human-centric role. With the rapid evolution of CPSS, privacy protection has become a major concern for both customers and enterprises. Although data generalization through obfuscation and anonymity can protect an individual's privacy, over-generalization leads to less valuable data. In this paper, we apply generalization boundary techniques (k-anonymity) to maximize data usability while minimizing disclosure, together with a privacy-aware access control mechanism. The paper combines purpose-based access control models with an anonymity technique in distributed computing environments to obtain privacy-preserving policies and mechanisms, and analyzes the policy-conflict problems that arise. This combined approach protects individuals' personal information while keeping data sharable to authorized parties with proper purposes. We examine data with k-anonymity to create a specific level of obfuscation that maintains the usefulness of the data, and we use a heuristic approach to a privacy-aware access control framework in which the privacy requirement is to satisfy k-anonymity. Extensive experiments on both real-world and synthetic data sets show that the proposed privacy-aware access control model with k-anonymity is practical and effective. It generates an anonymized data set in accordance with the privacy clearance of a given request and allows users access at different privacy levels, fulfilling a set of obligations and addressing privacy and utility requirements, flexible access control, and improved data availability, while guaranteeing a certain level of privacy.

KEYWORDS
CPSS, Data privacy and security in CPSS, Access Control, Anonymity Model

1 INTRODUCTION
With growing technological advances, Cyber Physical Social Systems (CPSS) have increasingly been used in automotive, chemical-composition, robotics, and numerous other cloud-based and IoT applications. CPSS provide many features that enable us to leverage the potential of cloud scalability, context-relevant experiences, network-based infrastructures, constructive documentation tools, and cross-platform operation, to name a few. The main advantage that CPSS offer is enabling human input in the loop. This yields faster responses with shorter decision times, because user- and customer-generated social data can be used as an unbiased sensor network for natural experimentation, extracting useful patterns and deploying intelligence that helps an entity make predictions about future events and support decision making [20]. CPSS can serve as a decision-aiding framework and inform architectural strategies for existing and new applications, through tagging-based systems or services in which a human remains in the sensing loop, or where social sensing data is a good option for training machines to make decisions with trained data sets and fact-finding algorithms. However, these enabling technologies, which make the automatic design of CPSS feasible, also introduce multiple privacy and security challenges that need to be examined. One of the most important aspects that has not been researched well is how users' contributions to the system are protected from the privacy and security points of view. Due to the open network structure and service sharing scheme of the cloud, CPSS face very challenging security obstacles: they are relatively sophisticated systems, ranging from the integration of multiple devices to highly heterogeneous networks, and they may operate in harsh physical environments. CPSS are therefore more susceptible to targeted attacks, since they span cyberspace, physical space, and social space, where malicious users can attack through multiple links and sources: for example, the location data that comes from GPS or a user's handheld device in social space, or the user's authentication information in cyberspace. Malicious attackers may eavesdrop on sensitive information if reasonable security and privacy mechanisms are lacking.
One important technique often used to protect private information (static or dynamic) in distributed systems is to tailor the system specifically to support privacy policies. Securing private information cannot easily be achieved by traditional access management systems, because those systems focus on which user is performing what action on which data object [18], while privacy policies are concerned with which data object is used for what purpose(s). When users share or search their location using apps like Foursquare and Swarm, the shopping malls or hospitals they visit might expose their data, including name, age, diseases, current location, and historical locations. If the privacy and data sharing policy is not defined clearly, including who will be using the data and for what purpose, complexities arise that might expose their data to unauthorized data collectors. For hiding identifiable information, several anonymity and obfuscation techniques have been developed by researchers. However, anonymity alone is not enough to accomplish the purpose of CPSS. There is no doubt that users may be willing to participate in data aggregation but probably do not intend to have their private information leaked. For example, we can get our step counts on WeChat every day and share them with our friends to establish a ranking list. However, the data collected by the cyber devices may contain personal information, which users may not want leaked. How to aggregate data with privacy preservation has therefore become a critical and challenging issue that hampers the advancement of data aggregation in CPSS [19].
Through our research, we have worked on how to preserve users' data privacy and security while maintaining the purpose of CPSS, which is data aggregation. Our combined approach proposes a comprehensive framework for purpose and data management in which purposes are organized in a hierarchy. In our approach, each data element is associated with a set of purposes, as opposed to the single security level of traditional secure applications. We combine this with an anonymity model to hide identifying information from unauthorized third-party data collectors and other external users. In the following section, we present prior research on preserving privacy in CPSS.

2 RELATED WORKS
Preserving privacy in CPSS has been attracting attention from both academia and industry. Most prior research has focused on data privacy and has not considered the usability of CPSS.

Pitofsky [14] showed that 97 percent of web sites and distributed systems were collecting at least one type of identifying information, such as consumers' names, home addresses, e-mail addresses, postal addresses, or current or historical locations. The fact that personal information is collected and can be used without any consent or awareness violates privacy for many people. Access control mechanisms for enforcing such policies have not been investigated [8]. Ni et al. [11] analyzed conditional privacy management with role-based access control, which supports expressive condition languages and flexible relations among permission assignments for complex privacy policies. It is important to note that simply removing identity information, like names or social security numbers, from released data may not be enough to anonymize it. Many examples show that even when such information is removed, the remaining data, combined with other information sources, may still link the information to the individual [17]. Sweeney [15] proposed approaches based on the notion of k-anonymity as solutions to this problem. Other techniques for securing private information, such as density-based clustering algorithms, arise in the context of data mining [10].

Trust-based security approaches are widely applied in CPSS. Privacy preservation in CPSS has become increasingly important and thus attracts attention from both academic and industrial communities. This issue has drawn even more attention in recent years due to pervasive embedded sensors in mobile devices. Privacy protections are also becoming a significant consideration for both customers and enterprises in today's corporate marketing strategies. This raises challenging questions regarding the use and protection of private messages, especially for context-aware web services [4]. One principle of protecting private information is based on who is allowed to access private information and for what purpose [1]. For example, personal information provided by patients to hospitals may only be used for record-keeping purposes, not for advertising purposes. So there must be a purpose for data collection and data access. The work in [7] proposes a trust architecture for pervasive systems by extending SPKI and role-based access control. In particular, the framework is based on a distributed model that employs various security agents to handle authentication within their service domains. Additionally, an ontology is utilized to specify the user's permission rules, and a delegation chain is used to convey access privileges between multiple users. In the work of [12], a cyber-physical-social security architecture is presented for the future IoT; it is divided into three layers to protect the security of IoT, covering information security, physical security, and management security. The work in [3] presents a trust-based personalized privacy model for pervasive environments. It mainly includes a trust privacy manager and a user-centric privacy framework. The trust privacy manager is a user-centric abstraction whose goal is to balance privacy protection, service usability, and user manageability. The user-centric privacy framework is a reference framework that not only offers privacy control but also provides the brokering context for interacting with external parties; its components are built on a service-oriented architecture, which is expected to enable loose coupling of the holistic architecture and high flexibility for privacy management.

However, while existing security and privacy approaches aim to address the security of embedded systems, cyber-physical systems, and cyber-social systems, they are difficult to adapt to the multiple security requirements of CPSS, and a universal framework integrating these approaches is currently lacking. In this paper, we demonstrate with mathematical and logical expressions how to specify and enforce policies for authorizing purpose-based access management, combined with anonymity techniques.
3 PROPOSED PRIVACY ARCHITECTURE
Our security architecture has two parts, which together increase the level of users' privacy while maintaining the quality of the data that can be shared with authorized data collectors, keeping CPSS a useful framework to work with. Figure 1 shows the design architecture. Obfuscation and anonymity alone can hamper or undermine the value of data aggregation from CPSS, which is useful in many ways. Hence, combining them with access control for authentication and verification when obtaining information from users helps authorized third parties achieve their purposes while also restricting attackers.

Figure 1: Combined Privacy preserving Model (Access Control Policy and Anonymity)

For this use case, we consider external attacks from three main adversaries, who are the most likely to want to access, or be prone to use, online data or relational query data. Addressing all three kinds of adversaries at once would not be feasible from the perspective of a privacy access control and k-anonymity mechanism. Yet while the motivations behind external users' attacks can be divergent, their approaches are often similar: they mostly seek to sow disruption and to misdirect by planting misleading data or taking down police and government systems. For now, using a single use case makes the discussion more effective, and this integrated method serves the purposes mentioned above by fulfilling two main missions: data availability for authorized users, and a guaranteed level of privacy access control over the information users share online or in relational databases.

3.1 Anonymity Technique
Following [13] [16] [2] [9], our privacy model is consistent with the objective of publishing truthful data protected against both reidentification and semantic attacks, by satisfying the criteria of k-anonymity, l-diversity, and t-closeness. First, k-anonymity ensures that an attacker cannot distinguish the victim from at least k − 1 other individuals, which guards against reidentification attacks. Put differently, k-anonymity protects the privacy of individual persons by pooling their attributes into groups of at least k people. Assume the data set has N entries, and each entry includes attributes X_i (i ∈ [0, A]) with information like age, gender, and address, which are quasi-identifiers. We also assume that the dataset includes a single sensitive piece of information, such as disease or income, that a person usually wants to protect. Our method also generalizes datasets with more than one sensitive data point, in which case no distinction is drawn between quasi-identifiers and sensitive information. Since we do not limit the attacker's knowledge about an individual's trajectory, the victim's trajectory should be indistinguishable from at least k − 1 other trajectories, which means these trajectories should be identical after generalization.

Second, if all the persons in a group have the same sensitive attribute value, adversaries will still be able to learn that attribute. To fix this problem, the privacy criteria of l-diversity and t-closeness should be met. l-diversity requires that the sensitive attribute of a k-anonymous set contain at least l well-represented values. Even then, with probabilistic reasoning, adversaries may still infer a person's information, which is where t-closeness becomes significant: it demands that the statistical distribution of the sensitive attribute values in each k-anonymous group be "close" to the overall distribution of that attribute in the entire dataset. Closeness can be measured using, e.g., the Kullback-Leibler (KL) divergence.
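To make these criteria concrete, the following minimal Python sketch checks l-diversity and t-closeness (measured with the KL divergence) for a single k-anonymous group. The function names, toy data, and threshold t are ours for illustration, not the paper's.

import math
from collections import Counter

def distribution(values):
    # Relative frequency of each sensitive value in a list.
    counts = Counter(values)
    total = len(values)
    return {v: c / total for v, c in counts.items()}

def is_l_diverse(group_sensitive, l):
    # The group must contain at least l distinct sensitive values.
    return len(set(group_sensitive)) >= l

def kl_divergence(p, q):
    # KL(P || Q) over the support of P; assumes q[v] > 0 wherever p[v] > 0,
    # which holds when the group is a subset of the full dataset.
    return sum(pv * math.log(pv / q[v]) for v, pv in p.items() if pv > 0)

def is_t_close(group_sensitive, global_sensitive, t):
    # The group's sensitive-value distribution must stay within
    # KL distance t of the overall distribution.
    p = distribution(group_sensitive)
    q = distribution(global_sensitive)
    return kl_divergence(p, q) <= t

# Example: a group of 4 records inside a dataset of 12.
dataset = ["flu"] * 6 + ["cancer"] * 3 + ["diabetes"] * 3
group = ["flu", "flu", "cancer", "diabetes"]
print(is_l_diverse(group, l=2))           # True: 3 distinct values
print(is_t_close(group, dataset, t=0.2))  # True here: the distributions match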
Third, in order to maintain the truthfulness of the dataset, we use only spatiotemporal generalization and suppression to process the trajectory data. Spatial generalization means merging nearby base stations, and temporal generalization means increasing the temporal granularity to combine different trajectories into one. When merging some spatiotemporal points would cause a huge loss of spatiotemporal granularity, we simply delete them, which is called suppression. Turning a dataset into an anonymous dataset is a difficult problem, and even finding the optimal partition for k-anonymity is NP-hard. We therefore use the greedy search technique "Mondrian" to partition the original data.

Quasi-identifier: pieces of information that are not of themselves unique identifiers but are sufficiently well correlated with an entity.
Sensitive attribute: information related to a specific individual that can cause a privacy breach.

Algorithm 1: Partitioning data into k-anonymous groups
  Result: complete set of partitions
  initialize the complete set to empty, P_com = {};
  initialize the working set to a single partition holding the entire dataset, P_working = {(1, 2, 3, 4, ..., n)};
  while there is a partition in the working set do
    pop a partition;
    calculate span(columns in partition);
    sort the resulting columns by span;
    split the partition at the median;
    if the split partitions satisfy anonymity then
      add the new partitions to the working set;
    else
      add the original partition to the complete partitions;
    end
  end
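The following is a compact Python rendering of Algorithm 1, assuming the quasi-identifier columns are numeric and the data sit in a pandas DataFrame. The helper names and toy example are illustrative, not the paper's implementation.

import pandas as pd

def partition_dataset(df, qi_columns, k):
    # Greedy "Mondrian" median partitioning: split each partition at the
    # median of its widest quasi-identifier while both halves keep >= k rows.
    complete = []                 # P_com: finished partitions
    working = [df.index]          # P_working: starts with the whole dataset
    while working:
        part = working.pop()      # pop one partition
        spans = {c: df.loc[part, c].max() - df.loc[part, c].min()
                 for c in qi_columns}
        for col in sorted(spans, key=spans.get, reverse=True):
            median = df.loc[part, col].median()
            mask = (df.loc[part, col] <= median).values
            left, right = part[mask], part[~mask]
            if len(left) >= k and len(right) >= k:   # both halves stay k-anonymous
                working.extend([left, right])
                break
        else:                     # no valid split: the partition is final
            complete.append(part)
    return complete

# Example on two numeric columns of a toy dataset:
df = pd.DataFrame({"age": [23, 25, 31, 35, 41, 45, 52, 60],
                   "zip": [1, 2, 1, 3, 2, 3, 1, 2]})
print([list(p) for p in partition_dataset(df, ["age", "zip"], k=2)])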
3.2 Purpose-Based Access Control
This paper bridges the gap between mechanisms for protecting private information and access control models. We propose a purpose-based access control framework with an anonymity technique. This section develops the purpose-based access control framework, which extends access control models and supports a purpose hierarchy by introducing intended and access purposes and purpose-associated data models.

A purpose explains the reason(s) for collecting and accessing data [5]. If a set of purposes P is organized in a tree structure, then each node represents a purpose in P and each edge represents a relation between two purposes. Figure 2 shows the purpose structure tree.

Figure 2: Example of purpose structure (inspired by [5])

Let Pi and Pj be two purposes in the hierarchical purpose tree, where Pi is the predecessor of Pj. The tree structure induces relationships among the purposes. Suppose that P is a set of purposes and Pk ∈ P is a purpose; the predecessor purposes of Pk are the set of all nodes senior to Pk. In the tree of Figure 2, Predecessor(Direct Use) = {Marketing, G-Purpose}. The junior purposes of Pk are the set of all nodes junior to Pk; for instance, Successor(Admin) = {Analyze, Profiling}.
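As a concrete illustration, the purpose tree and the Predecessor/Successor relations can be encoded as a simple parent map. The sketch below covers only the nodes named in the text, so it is our assumption about Figure 2 rather than the paper's own data structure.

# Parent map for the purpose tree nodes named in the text.
purpose_parent = {
    "Marketing": "G-Purpose",
    "Admin": "G-Purpose",
    "Direct Use": "Marketing",
    "Analyze": "Admin",
    "Profiling": "Admin",
}

def predecessors(purpose):
    # All nodes senior to `purpose`: walk up the parent map to the root.
    out = []
    while purpose in purpose_parent:
        purpose = purpose_parent[purpose]
        out.append(purpose)
    return out

def successors(purpose):
    # All nodes junior to `purpose`: its children, then their descendants.
    children = [p for p, parent in purpose_parent.items() if parent == purpose]
    out = list(children)
    for c in children:
        out.extend(successors(c))
    return out

print(predecessors("Direct Use"))  # ['Marketing', 'G-Purpose']
print(successors("Admin"))         # ['Analyze', 'Profiling']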
We follow the work of [5] to design an access control model with a stated privacy policy, adding purposes to data objects so that it can be confirmed whether a particular data element is allowed to be shared. Access purpose authorizations are granted to users based on the access purpose on the data, obligations, and conditions. In order to perform privacy-preserving access control, a system needs to enforce the privacy requirements stated by data owners.

3.2.1 Definition: The basic privacy access control model has a few components. Mainly, three entities are used in a basic access control system: subjects, objects, and operations. On top of this access control model, purposes, roles, and policies are added: a set S of subjects, a set D of data, a set P of purposes, a set A of actions, a set O of obligations, and a set C of conditions.
• Set of data access rights: {(d, a) | a ∈ A, d ∈ D}
• Private data access rights: {(da, a, p, c, o) | da ∈ DA, p ∈ P, c ∈ C, o ∈ O, a ∈ A}
• Assignment of private data subjects: access to private information.
• Purpose: the reason for access.
For example:
• Subjects: Amazon, eBay, Fedex, Customer-service
• Data: InfoOrder, ContactInfo, MailingAdd, EmailAdd
• Actions: Check, Update, Delete
• Purposes: Order, Complaint, Billing, Shipping, ProblemSolving

Consider the following privacy policies:
1. "Amazon can check customers' MailingAdd for shipping purposes."
2. "eBay can only check customers' EmailAdd for sending further alerts if customers allow it to do so."
3. "Fedex may check customers' InfoOrder for billing purposes, and customers will be informed by email."
4. "Customer-service can check customers' ContactInfo for problem solving if it is approved by Amazon."
These policies are expressed as follows in the privacy access control model:
P1: (Amazon, (MailingAdd, check), Shipping, N/A, ϕ);
P2: (eBay, (EmailAdd, check), Purchase, OwnerConsent = 'Yes', ϕ);
P3: (Fedex, (InfoOrder, check), Billing, N/A, Notify(ByEmail));
P4: (Customer-service, (ContactInfo, check), ProblemSolving, 'Approved by Amazon', N/A)

3.2.2 Policy Operation: As technology and regulation change, new policies need to be added. This section analyzes the impact of adding new policies to an existing privacy access control model. Sometimes a new privacy-protection need arises that existing policies do not address. For example, when eBay moves into handling complaints, a new policy needs to be added:
5. "eBay can only check customers' email addresses for complaint purposes if customers allow it to do so."
The corresponding expression in the model is:
P5: (eBay, (EmailAdd, check), Complaint, OwnerConsent = 'Yes', ϕ).

Algorithm 2: Component checking for access, by [6]
Comp-Check1(ap, AIP, PIP)
1. if ap ∈ PIP then
2.   return False;
3. else if ap ∈ AIP↓ then
4.   return True;
5. end if
Comp-Check2(ap, CIP, PIP)
1. if ap ∈ PIP then
2.   return False;
3. else if ap ∈ CIP↓ then
4.   return True;
5. end if
where AIP: allowed intended purposes; PIP: prohibited intended purposes; CIP: conditional intended purposes.

Compared with the earlier purpose in P2, there are now two policies under which eBay may access email addresses, with two different purposes: one for purchase and one for complaint. How would the system verify the Complaint purpose for access to email addresses under consent conditions? To keep things simple and keep policies easy to update, we can use a conjunction here over the different purposes. That is, if a user wants access right ar on data d for purpose Pu, all access policies related to ((d, ar), P) need to be checked. So, in the example above, eBay can check the email address if there exists at least one policy (purchase or complaint) whose conditions are satisfied. If a new access policy concerns the same user, data, right, and conditions as some existing privacy policy, it is not used to relax the access situation but to make access stricter. If a privacy admin wants to ease or modify the access environment, they can do so by revising the existing access policies instead of creating new ones. For policy checking, we utilize the algorithms of [6]. Finally, the access decision is constructed based on the Comp-Check results and the intended purposes of the specific attribute.
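Read as code, Comp-Check can be sketched as follows, reusing successors() from the purpose-tree sketch above. We take P↓ to mean a purpose set together with all junior purposes of its members, and the decision combination at the end is our illustrative reading of the model, not the exact formulation of [6].

def closure(purposes):
    # A purpose set plus every junior purpose of its members (the "↓" set).
    out = set(purposes)
    for p in purposes:
        out.update(successors(p))
    return out

def comp_check(ap, allowed_or_conditional, prohibited):
    # Comp-Check1/Comp-Check2: prohibition wins; otherwise the access
    # purpose must fall under the allowed (or conditional) purposes.
    if ap in prohibited:
        return False
    return ap in closure(allowed_or_conditional)

def access_decision(ap, aip, cip, pip):
    # Full release, conditional release, or nothing (None).
    if comp_check(ap, aip, pip):
        return "full"
    if comp_check(ap, cip, pip):
        return "conditional"
    return None

print(access_decision("Profiling", aip={"Admin"}, cip=set(), pip=set()))
# 'full': Profiling is junior to Admin, and nothing prohibits it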
"employment-group: [self-employed, employee, worker]"), though other aggregations are possible. Methods like [5] even preserve the micro-data in each group, which increases re-identification-risk. We are using text data of Adult with different quasi identifiers like age, work class, education, marital status, occupation, race, and age, and also containing sensitive attribute income. For our implementation purpose, first we have considered two columns from the dataset to apply partition to speed up the execution. With that execution, 500 partitions have been created. The results after creating partitioning functions to divide datasets are below for better visualization. After partitioning and sorting the resulting data frame using features columns and sensitive attributes, we have a k-anonymous dataset with age, count, education and income. For generating k-anonymous data that contains one row for each partition and value of sensitive data, we aggregate the columns of each partition. We implement l-diversity in order to protect the privacy of the persons in the dataset even better. The image below cam make it more understandable. For t closeness: As we can see, for regions where the value diver- sity is low, our l-diverse method produces partitions that contain a very large number of entries for one value of the sensitive attribute and only one entry for the other value. This is not ideal because while there is "plausible deniability" for a person in the dataset Figure 4: After Applying I-diversity (after all the person could be the one "outlier"),an adversary can still be very certain about the person’s attribute value in that case. t-closeness solves this problem by making sure that the distribution protected. After data are collected, intended purposes with three of sensitive attribute values in a given partition is similar to the different levels will be associated with data. As the intended purpose distribution of the values in the overall dataset. We generate the is assigned to every data element, an intended-purposes table (IPT) global frequencies for the sensitive columns. is formed. Data providers (customers) are able to control the release In our model, customers are given three more possible options of their data by adding privacy levels to the IPT which will not for using their data. These make them comfortable to release their affect data in the database. After authorizing an access purpose, data fully or conditionally, knowing the private information will be users get access to purpose permissions from the access control 20 CPSS2019, October 22, 2019, Bilbao, Spain T. Sharma, J.C. Bambenek, and M. Bashir Transactions on Knowledge Discovery from Data 1, 1 (2007), 1–52. [3] Susana Alcalde Bagüés, Andreas Zeidler, Ignacio R Matias, Cornel Klein, and Carlos Fernández-Valdivielso. 2010. Enabling Personal Privacy for Pervasive Computing Environments. J. UCS 16, 3 (2010), 341–371. [4] Elisa Bertino, Pierangela Samarati, and Sushil Jajodia. 1997. An extended autho- rization model for relational databases. IEEE Transactions on Knowledge and Data Engineering 9, 1 (1997), 85–101. [5] Gabriel Ghinita, Panagiotis Karras, Panos Kalnis, and Nikos Mamoulis. 2009. A framework for efficient data anonymization under privacy and accuracy con- straints. ACM Transactions on Database Systems (TODS) 34, 2 (2009), 9. [6] Md Enamul Kabir, Hua Wang, and Elisa Bertino. 2010. A role-involved conditional purpose-based access control model. In E-Government, E-Services and Global Processes. 
We use the Adult dataset, with quasi-identifiers such as age, work class, education, marital status, occupation, and race, and with income as the sensitive attribute. For our implementation, we first considered two columns from the dataset for partitioning, to speed up execution; this run created 500 partitions. The results after creating the partitioning functions that divide the dataset are shown below for better visualization.

Figure 3: Anonymous data visualization after partitioning

After partitioning and sorting the resulting data frame using the feature columns and sensitive attributes, we have a k-anonymous dataset with age, count, education, and income. To generate k-anonymous data that contains one row for each partition and each value of the sensitive attribute, we aggregate the columns of each partition. We also implement l-diversity, to protect the privacy of the persons in the dataset even better. The image below makes this more understandable.

Figure 4: After applying l-diversity

For t-closeness: as we can see, in regions where value diversity is low, our l-diverse method produces partitions that contain a very large number of entries for one value of the sensitive attribute and only one entry for the other value. This is not ideal: while there is "plausible deniability" for a person in the dataset (after all, the person could be the one "outlier"), an adversary can still be very certain about the person's attribute value in that case. t-closeness solves this problem by making sure that the distribution of sensitive attribute values in a given partition is similar to the distribution of the values in the overall dataset. We generate the global frequencies for the sensitive columns.

Figure 5: After applying t-closeness

In our model, customers are given three possible options for the use of their data. These make them comfortable releasing their data fully or conditionally, knowing the private information will be protected. After data are collected, intended purposes with three different levels are associated with the data. As an intended purpose is assigned to every data element, an intended-purposes table (IPT) is formed. Data providers (customers) are able to control the release of their data by adding privacy levels to the IPT, which does not affect the data in the database. After an access purpose is authorized, users get access-purpose permissions from the access control engine. The access control engine needs a matching process to carry out the compliance computation, fully or conditionally, in accordance with access purposes and intended purposes. If the requester's access purpose is fully compliant with the intended purposes of the requested data, the engine releases the full data to the requester. If the access purpose is conditionally compliant, the engine releases conditional data to the requester; otherwise the returned data is null. Thus, in this model the engine needs to evaluate two compliance checks: the first for full compliance and the second for conditional compliance.
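Putting the two mechanisms together, the engine's release logic can be sketched as below, reusing comp_check, partition_dataset, and anonymize from the earlier sketches. The IPT layout and the choice to serve k-anonymized data on conditional compliance are our assumptions about the model, not a definitive implementation.

def release(df, request_purpose, ipt_entry, anonymizer):
    # ipt_entry holds the data element's AIP, CIP, and PIP purpose sets.
    if comp_check(request_purpose, ipt_entry["AIP"], ipt_entry["PIP"]):
        return df                 # fully compliant: release full data
    if comp_check(request_purpose, ipt_entry["CIP"], ipt_entry["PIP"]):
        return anonymizer(df)     # conditionally compliant: release anonymized data
    return None                   # otherwise: returned data is null

# Hypothetical usage with the earlier sketches (adult_df not shown):
ipt_entry = {"AIP": {"Billing"}, "CIP": {"Marketing"}, "PIP": set()}
# release(adult_df, "Direct Use", ipt_entry,
#         lambda d: anonymize(d, partition_dataset(d, ["age"], k=5),
#                             ["age"], ["education"], "income"))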
5 CONCLUSION
From our research, we conclude that a combined approach of anonymity and a purpose-based access control policy fosters a privacy-preserving environment for personal information. Formulating the interaction between these two mechanisms makes the cyber-physical-social system more usable while preserving a certain level of privacy. We have also analyzed the impact of adding new policies and the conflicts that can result, and we have developed algorithms to help a system detect and solve these problems. Furthermore, the experimental results demonstrate the practicality of the algorithms. The evaluation of the dataset validates the effectiveness of the algorithm, and the component check for purpose-based privacy paves the way to a direct, proper policy for access control. In future work, we will evaluate more datasets with this method and extend the model to incremental data.

REFERENCES
[1] Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, and Yirong Xu. 2002. Hippocratic databases. In VLDB'02: Proceedings of the 28th International Conference on Very Large Databases. Elsevier, 143–154.
[2] Ashwin Machanavajjhala, Daniel Kifer, Johannes Gehrke, and Muthuramakrishnan Venkitasubramaniam. 2007. l-diversity: Privacy beyond k-anonymity. ACM Transactions on Knowledge Discovery from Data 1, 1 (2007), 1–52.
[3] Susana Alcalde Bagüés, Andreas Zeidler, Ignacio R Matias, Cornel Klein, and Carlos Fernández-Valdivielso. 2010. Enabling Personal Privacy for Pervasive Computing Environments. J. UCS 16, 3 (2010), 341–371.
[4] Elisa Bertino, Pierangela Samarati, and Sushil Jajodia. 1997. An extended authorization model for relational databases. IEEE Transactions on Knowledge and Data Engineering 9, 1 (1997), 85–101.
[5] Gabriel Ghinita, Panagiotis Karras, Panos Kalnis, and Nikos Mamoulis. 2009. A framework for efficient data anonymization under privacy and accuracy constraints. ACM Transactions on Database Systems (TODS) 34, 2 (2009), 9.
[6] Md Enamul Kabir, Hua Wang, and Elisa Bertino. 2010. A role-involved conditional purpose-based access control model. In E-Government, E-Services and Global Processes. Springer, 167–180.
[7] Lalana Kagal, Tim Finin, and Anupam Joshi. 2001. Trust-based security in pervasive computing environments. Computer 34, 12 (2001), 154–157.
[8] Min Li, Xiaoxun Sun, Hua Wang, Yanchun Zhang, and Ji Zhang. 2011. Privacy-aware access control with trust management in web service. World Wide Web 14, 4 (2011), 407–430.
[9] Ninghui Li, Tiancheng Li, and Suresh Venkatasubramanian. 2007. t-closeness: Privacy beyond k-anonymity and l-diversity. In 2007 IEEE 23rd International Conference on Data Engineering. IEEE, 106–115.
[10] Jinfei Liu, Joshua Zhexue Huang, Jun Luo, and Li Xiong. 2012. Privacy preserving distributed DBSCAN clustering. In Proceedings of the 2012 Joint EDBT/ICDT Workshops. ACM, 177–185.
[11] Qun Ni, Elisa Bertino, Jorge Lobo, Carolyn Brodie, Clare-Marie Karat, John Karat, and Alberto Trombeta. 2010. Privacy-aware role-based access control. ACM Transactions on Information and System Security (TISSEC) 13, 3 (2010), 24.
[12] Huansheng Ning and Hong Liu. 2012. Cyber-physical-social based security architecture for future internet of things. Advances in Internet of Things 2, 01 (2012), 1.
[13] Zahid Pervaiz, Walid G Aref, Arif Ghafoor, and Nagabhushana Prabhu. 2013. Accuracy-constrained privacy-preserving access control mechanism for relational data. IEEE Transactions on Knowledge and Data Engineering 26, 4 (2013), 795–807.
[14] Matthias Schunter and C Powers. 2003. The enterprise privacy authorization language (EPAL 1.1).
[15] Latanya Sweeney. 2002. Achieving k-anonymity privacy protection using generalization and suppression. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10, 05 (2002), 571–588.
[16] Latanya Sweeney. 2002. k-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10, 05 (2002), 557–570.
[17] Vicenç Torra. 2010. Towards knowledge intensive data privacy. In Data Privacy Management and Autonomous Spontaneous Security. Springer, 1–7.
[18] Hua Wang, Yanchun Zhang, and Jinli Cao. 2008. Effective collaboration with information sharing in virtual universities. IEEE Transactions on Knowledge and Data Engineering 21, 6 (2008), 840–853.
[19] Jiahui Yu, Kun Wang, Deze Zeng, Chunsheng Zhu, and Song Guo. 2019. Privacy-preserving data aggregation computing in cyber-physical social systems. ACM Transactions on Cyber-Physical Systems 3, 1 (2019), 8.
[20] Daniel Zeng, Hsinchun Chen, Robert Lusch, and Shu-Hsing Li. 2010. Social media analytics and intelligence. IEEE Intelligent Systems 25, 6 (2010), 13–16.