<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>International Semantic Intelligence Conference (ISIC),
February</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Legitimate Open-ended Dissemination of Personal Information</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Srinath Srinivasa</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Jayati Deshmukh</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>International Institute of Information Technology</institution>
          ,
          <addr-line>Bangalore</addr-line>
          ,
          <country country="IN">India 560100</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2020</year>
      </pub-date>
      <volume>2</volume>
      <fpage>5</fpage>
      <lpage>27</lpage>
      <abstract>
        <p>Personal and sensitive information about individuals often needs to be legitimately exchanged among different stakeholders, to provide services, maintain public health, law and order, and so on. While such exchanges are necessary, they also impose enormous privacy and security challenges. Data protection laws like GDPR specify the conditions and the legal capacity in which personal information can be solicited and disseminated further. But there is a dearth of formalisms for specifying legal capacities and jurisdictional boundaries, so that open-ended exchange of sensitive data can be implemented. This paper proposes an extensible framework called Multiverse in which sensitive data can flow across a network through “role tunnels” established based on corresponding legal capacities.</p>
      </abstract>
      <kwd-group>
        <kwd>Privacy</kwd>
        <kwd>Personal information</kwd>
        <kwd>Legal capacity</kwd>
        <kwd>Role Tunnel</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>Privileges are associated with roles, rather than with individuals, and the association of individuals with roles is dynamic. Authentication now involves not only proving one’s identity, but also proving one’s role.</p>
      <p>RBAC models are typically implemented within an organizational context. This means that the RBAC mechanism is situated within a larger semantic framework that establishes associations of users with roles. RBAC frameworks are also extended for inter-organizational workflows [<xref ref-type="bibr" rid="ref12">6, 7, 8</xref>]. Several approaches are adopted for extending an RBAC framework across organizations. These include the creation of “virtual organizations” representing role-granting authorities for inter-organizational interactions and/or the mapping of roles across organizations.</p>
      <p>More recently, there has been increased interest in open-ended data dissemination in the form of “open data” for the greater common good. With increasing numbers of governance and administrative workflows appearing online, there is also an increased need for exchanging data across several entities with little or no inter-organizational authority for managing the integrity of data exchange.</p>
      <p>While open data improves transparency and accountability in public workflows, it also brings with it challenges of privacy and security, leading to several contradictory requirements [<xref ref-type="bibr" rid="ref13 ref14 ref15 ref16 ref17">9, 10, 11, 12, 13</xref>]. Specifically, open-ended data exchange is characterized by three divergent concerns [<xref ref-type="bibr" rid="ref17">13</xref>]: transparency, privacy, and security. Transparency requires relevant data to be shared publicly in order to uphold the integrity of a public action. Privacy, on the other hand, requires data to be withheld in order to protect the dignity and liberty of individuals. Security pertains to the collective good, where open-ended sharing of certain sensitive information can endanger a community or country.</p>
      <p>In addition to the above concerns, there is also a need for legitimate open-ended sharing of private and/or sensitive information in times of crisis, to protect public health and order. For instance, public health management in the time of the Covid crisis requires private and sensitive information about patients suffering from Covid to be shared with several stakeholders like doctors, administrators, volunteer organizations, etc. In such cases, there is no overarching virtual organizational structure, or role-granting and mapping authority. The number of disparate entities requiring the data may keep changing over time, and may not be known a priori. This makes it infeasible to apply existing approaches to inter-organizational privilege management.</p>
      <p>In this paper, we propose a modular, extensible framework called “Multiverse” to manage legitimate exchanges of sensitive data in an open-ended fashion, without the need for an overarching organizational framework to enforce the integrity of data exchange. In Section 2 we discuss some of the existing models of access control systems. Details of the “Multiverse” framework are presented in Section 3. Section 4 discusses a variety of adversarial scenarios and how they can be handled by the “Multiverse” framework, and Section 5 presents a couple of case studies where it is useful. Conclusions and future directions are presented in Section 6.</p>
      <sec id="sec-1-1">
        <title>2. Related Work</title>
        <p>Access control systems act as a mediator between users and data/resources to grant or deny access based on the underlying security policy [<xref ref-type="bibr" rid="ref18">14</xref>]. Access control systems can be broadly classified into two categories: encryption-based systems and proof-based systems [<xref ref-type="bibr" rid="ref19">15</xref>]. Encryption-based systems encrypt the data and send it off to the individual. The individual needs to have the appropriate key in order to decrypt the data. On the other hand, proof-based systems require the individual to produce all the necessary proofs required to authenticate their identity, and after authentication the data is shared with the individual. It is difficult to provide fine-grained access control using encryption-based methods without increasing the number of keys, and it is computationally expensive to manage these systems, especially at a large scale. Proof-based methods and their variants, on the other hand, can better handle fine-grained granularity and constraints.</p>
        <p>Individuals can be granted or revoked access based on their identity, which is known as Identity-Based Access Control (IBAC) [16, 15]. In these designs, the individuals need to prove their identity using authentication techniques like the use of passwords, biometrics, or combinations of public and private keys. Once an individual’s identity is authenticated, they can access the required data. However, in large organizations and teams spanning multiple organizations, it is difficult and cumbersome to manage the access controls of all the stakeholders individually in this manner.</p>
        <p>Role-based access control (RBAC) methods [3, 5] were designed so that permissions can be granted to users based on their roles rather than their identity. This access control design is more effective, as changing the roles of an individual automatically updates their privileges. The roles can be assigned to the individuals by an authorized individual. An RBAC policy is designed using role-permission, user-role and role-role relationships. There are variants of RBAC models, like models which can handle role hierarchies, constraints, triggers and temporal dependencies, teams within the organization, etc. [5, 3, 17].</p>
        <p>Using open data has its own benefits as well as challenges [18]; however, it is difficult to make appropriate use of open data in the absence of open data management systems which can handle large volumes of diverse data such that it can be securely accessed by different types of users. There are a few open data management systems [19, 20]; however, most of these systems focus on data cleaning and pre-processing so that it can be stored in a database or graph, etc. To the best of our knowledge, there does not exist a system which combines data pre-processing, data storage, data retrieval and data visualization along with a secure access control system for data, specifically for open data systems.</p>
        <p>Data containing personally identifiable information (PII) needs to be handled much more carefully than, say, population-level aggregate data, since it can reveal the identity of individuals and in turn put them at risk. For example, in a healthcare setting even anonymized data can be used to infer a patient’s identity based on their diagnosis details, location, etc. [21, 22, 23]. There are encryption-based and data masking techniques to manage access to personal and personally identifiable data. However, there is a dearth of computational models which can define access mechanisms for data aligned to the laws of that region or country. It is especially crucial with data protection laws like the EU’s General Data Protection Regulation (GDPR), Sweden’s Data Act, the Philippines’ Data Privacy Act, India’s Personal Data Protection Bill, California’s Consumer Privacy Act, etc. being defined around the world.</p>
      </sec>
      <sec id="sec-1-2">
        <title>3. The Multiverse Framework</title>
        <p>The proposed framework called “Multiverse”, to create an extensible, open-ended infrastructure for legitimate exchange of data, is described in this section. A Multiverse framework, also called a “Frame”, is made up of the following building blocks:</p>
        <p> = ( , , ,  ) (1)</p>
        <p>Here  is a set of containers called “worlds” that represent the semantic boundary or legal jurisdiction within which a data element is accessed and processed.  represents the set of all data elements or “resources” that are being shared. The term  represents “agents”, which could be users or application programs that produce and consume resources. The term  represents a set of “templates”, where each template defines a set of access points through which data may be accessed, and a set of relationship types with which worlds can be related.</p>
        <p>A world represents the basic unit within which data is accessed. Every agent  ∈  has its own corresponding world, named  ( ). In addition to representing agents, a world could represent any semantic entity or legal jurisdiction. Some examples of worlds include institutions, town municipalities, undivided families, resident welfare societies of communities, etc. Every data element is published within the boundaries of a world, and data is only exchanged between worlds. An agent  only publishes its data into  ( ), and also reads data only from  ( ).</p>
        <p>Figure 1 depicts a multiverse schematically. The multiverse is a network of worlds connected by one or more relations defined in templates. Data are published within worlds and exchanged between them based on a system of legal capacities explained later on. Agents, which include users and application programs, lie outside of the multiverse cloud, but have a representation for themselves in the form of a semantic world within the multiverse. Worlds could be contained within one another. If world  2 is contained within world  1, this is represented as  2 ⊳  1. Containment of a world is called its “jurisdictional location” or simply “location”, and represents a system of privilege inheritance explained later on.</p>
        <p>Each world may implement one or more templates  ∈  , which give it a semantic characterization in the form of a set of data access points and relationship types with other worlds. Any template  ∈  is made up of the following elements:</p>
        <p> = (, ) (2)</p>
        <p>Here  represents a set of data access points, and  represents a set of relationship specifications. A data access point represents a gated interface through which a given data element may be accessed. Any data access point comprises the following elements:</p>
        <p> = (, , ) (3)</p>
        <p>Here  is the query with which the data element is accessed. The terms  and  represent legal capacity and purpose code respectively, which are both explained later.</p>
        <p>The relationship specifications  specify the kinds of relationships that the world can implement with other worlds, as well as the kinds of relationships that the world can accept from other worlds. A relationship specification may be of two kinds: an incoming relationship specification and an outgoing relationship specification. These are represented as  and  respectively. A relationship specification comprises the following elements:</p>
        <p>  = (, , ) (4)</p>
        <p> = (, , ( )) (5)</p>
        <p>A relationship has a name at its incoming end and at its outgoing end. The incoming relationship name is also called a role. Any agent entering a world through a relationship where the incoming name of the relationship is  is said to be playing the role  in the world.</p>
        <p>Both outgoing and incoming relationships are subject to a set of constraints. Table 1 specifies the different kinds of constraints on a relationship. Any given incoming or outgoing specification may have multiple constraints specified. In such cases, all the specified constraints need to be satisfied for an instance of the relationship to be formed.</p>
        <table-wrap id="tbl1">
          <label>Table 1</label>
          <caption>
            <p>Kinds of constraints on a relationship.</p>
          </caption>
          <table>
            <thead>
              <tr>
                <th>Constraint</th>
                <th>Specification</th>
                <th>Meaning</th>
              </tr>
            </thead>
            <tbody>
              <tr>
                <td>Template</td>
                <td>implements(t)</td>
                <td>The source or target world needs to have implemented template t.</td>
              </tr>
              <tr>
                <td>Relationship Template</td>
                <td>relt(name, t)</td>
                <td>The source or target world needs to have a relationship named name with a world implementing template t.</td>
              </tr>
              <tr>
                <td>Relationship Identity</td>
                <td>relid(name, id)</td>
                <td>The source or target world needs to have a relationship named name with the world whose identifier is id.</td>
              </tr>
            </tbody>
          </table>
        </table-wrap>
        <p>The template constraint implements(t) in an outgoing relationship specification means that the target world with which this relationship is being established should be implementing template  . Similarly, such a constraint for an incoming relation means that the relationship can be accepted only if the recipient world is implementing template  . Here, the reference to template  is in the form of a universally unique ID like a URI. The relationship template constraint relt(name, t) specifies that the target or source world should have a relationship named name with a world that implements template t. In addition to template and relationship specifications, a constraint could also identify specific worlds by their unique identifiers, using the relid(name, id) specification.</p>
        <p>Hence, for example, in a template representing persons we can specify that an outgoing relationship representing patients can be established with another world implementing the same template, only if that target world has a relationship for doctors with a world that implements a hospital template. In other words, a person can be related to another person as a patient only if the other person is a doctor at some hospital. Similarly, a template may accept an incoming relationship only from a source world that implements a specified template.</p>
        <p>The  element of a relationship specification represents the privileges that any agent obtains when traversing the relationship edge. An incoming agent who enters a world through a relationship gets the role specified in  and the corresponding privileges associated with it. Table 2 details a set of privilege classes that apply respectively to a set of operations over resources (including templates) and over the world itself. A role having a resource.read privilege, for example, enables the role player to read resources hosted by this world. The  ( ) in Eq. 5 specifies the roles within the source world that are entitled to traverse the given relationship edge. Hence, in a given world  , an outgoing relationship specification of the form (  , ,  ) represents that any agent playing the role  can traverse the relationship edge   to act as a representative of the source world  in the target world.</p>
      </sec>
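      <p>As an added illustration (not the paper’s own code), the following Python models the three constraint kinds of Table 1 and the rule that every constraint on both ends of a relationship must hold before an instance forms. The template URIs, world identifiers and relationship names are constructed; the doctor/patient/hospital arrangement follows the example above.</p>

```python
"""Relationship-formation checks for the three constraint kinds of Table 1:
implements(t), relt(name, t) and relid(name, id). World ids, template URIs and
relationship names below are constructed sample data."""
from dataclasses import dataclass, field

# Templates are referenced by a universally unique ID such as a URI (constructed).
PERSON_T = "urn:example:template:person"
HOSPITAL_T = "urn:example:template:hospital"


@dataclass
class World:
    wid: str                                      # unique world identifier
    templates: set = field(default_factory=set)   # templates this world implements
    rels: dict = field(default_factory=dict)      # relationship name -> partner world ids


@dataclass
class Constraint:
    kind: str      # "implements", "relt" or "relid"
    args: tuple

    def holds(self, world, registry):
        """Evaluate the constraint against one world (the source or the target)."""
        if self.kind == "implements":             # implements(t)
            return self.args[0] in world.templates
        if self.kind == "relt":                   # relt(name, t)
            name, t = self.args
            return any(t in registry[p].templates for p in world.rels.get(name, ()))
        if self.kind == "relid":                  # relid(name, id)
            name, wid = self.args
            return wid in world.rels.get(name, ())
        raise ValueError("unknown constraint kind: " + self.kind)


@dataclass
class RelSpec:
    name: str            # name at this end; the incoming name is the role played
    constraints: list    # every constraint must hold for an instance to form


def can_form(source, target, out_spec, in_spec, registry):
    """Outgoing constraints are checked on the target world and incoming constraints
    on the source world; all of them must be satisfied."""
    return (all(c.holds(target, registry) for c in out_spec.constraints)
            and all(c.holds(source, registry) for c in in_spec.constraints))


# Constructed worlds: a real hospital, a world that merely implements the hospital
# template, a doctor at each, and a prospective patient.
REGISTRY = {w.wid: w for w in [
    World("fortis", {HOSPITAL_T}),
    World("bogus-hospital", {HOSPITAL_T}),
    World("ram", {PERSON_T}, {"doctor": {"fortis"}}),
    World("quack", {PERSON_T}, {"doctor": {"bogus-hospital"}}),
    World("patient", {PERSON_T}),
]}

# Outgoing end "doctor" / incoming end "patient": a person may be related to another
# person as a patient only if that person is a doctor at some hospital-template world.
SEEK_DOCTOR = RelSpec("doctor", [Constraint("implements", (PERSON_T,)),
                                 Constraint("relt", ("doctor", HOSPITAL_T))])
# Stricter variant pinning the doctor to one specific hospital world by identifier.
S EEK_FORTIS_DOCTOR = None  # placeholder removed below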
      <sec id="sec-1-4">
        <title>Every world also has a role called</title>
        <p>privilege for example, enables the role player</p>
        <p>which trivially has all privileges. The creator
to read resources hosted by this world.</p>
        <p>The  
element of 

specifies a set
of a world is its default owner, but may add
other owners and/or give up the owner role
of legitimate reasons or “purpose codes” for to other agents.
which a particular activity needs to be
performed. Annotating a purpose code for each
data access, helps in establishing oficial
le</p>
        <p>When an agent traverses a relationship to
reach a new world, the legal capacity in which
the agent performs any operation in the
tarcode is</p>
        <p>get world is a concatenation of all the roles
represented as an enumerated list of values.</p>
        <p>played by the agent beginning from the world
the roles within the source world that are
enFigure 2 shows an example. Here, an agent
titled to traverse the given relationship edge. who is a user named Dr. Ram is accessing
in Eq 5 specifies
representing the agent.
some data stored in a world called Sharada. pathway from the agent to the dataset based
Sharada has implemented a template called on legal arrangements between worlds.
Clinic, and it is in relationship with another A role tunnel is valid if each element in the
world called Fortis, which has implemented role tunnel satisfies their corresponding  
a template called Hospital. The world for the constraints, and the last element in the
tunuser Ram, is also in relationship with Fortis, nel represents the  ( ) role, where  is
with the role of Doctor. The relationship be- the id of the agent performing the access.
tween the Hospital and the Clinic enables a Each resource stored in a world also has
Doctor of the Hospital to appear as Advisor stored along with it, the legal capacity by which
in the Clinic, which gives them some privi- it was brought there. Formally, a resource 
leges over the data. in a world has the following fields:</p>
        <p>Here, when Dr. Ram accesses some data
element  stored at Sharada, the data access (6)
point would look as follows:
 = (, ,   )</p>
        <p>Here,  is the data element, and  is the
legal capacity by which the data element came
 = ( ( ), to be stored in the world. If the data element
is local to the world and was not imported
 (ℎ  ) ∶ from elsewhere, the  field would be null.
 (   ) ∶  ( ), A data element with a string of multiple
 ) roles for its legal capacity represents a remote
puTrphoeselacsotdtee,r min di cating the orficeiaplrepsuernptosstehe dAalltareelmemoteendtabtraoueglehmt einnftrsoamlsoa rheamvoetea s“oTuirmcee.
for which the data is being accessed. The To Live (TTL)” parameter, which indicates the
length of time until which it can be stored at
string:  (ℎ  ) ∶  (   ) ∶ the remote location. After the TTL expires,
which t(he ac)creespsreissebnetsintghemleagdael. caTphaicsitryepin- the data needs to be fetched again through a
resents a string of role and world specifica- legal role tunnel.
tions that leads up from the agent to the data Every access of a data element involves
checksource. ing the validity of the legal capacity. A role</p>
        <p>The string representing the legal capacity tunnel of the form:   (  ) ∶ ⋯ ∶  2( 2) ∶
is called a Role Tunnel, since it creates a legal  1( 1) ∶  ( ) requires  + 1 integrity
checks before the data access can be made ileges, in all branches contained in  .
possible. If the legal capacity of the agent
fails to hold when accessing a remote data Template visibility: Templates are treated
element that is cached in its world, then the like any resource, and can be created within
data element is removed from the world. Sub- any world by agents who have write
privisequent access to the data element requires leges on the world. Other worlds that have
the agent to approach the source world of read privileges on a given world  can
acthe data element through an legal role tun- cess and implement the templates defined in
nel, and fetch it once again. world  . When a template  that is defined</p>
        <p>Note that a legal capacity represents a logi- in world  is used in another world  ′, it
cal tunnel. A role tunnel of the form   (  ) ∶ is treated as a remote resource in  ′ and the
⋯ ∶  2( 2) ∶  1( 1) ∶  ( ) does not role tunnel with which  was accessed, is stored
require the data to physically flow through along with  , in addition to the TTL
parameall the intermediate worlds in the tunnel be- ter. Use of the template data access points, or
tween   and  . The interim worlds are re- creation or deletion of relationship instances
quired only for establishing the legitimacy of of the template will require the legal capacity
the data access. The interim worlds should of the template to be satisfied.
be reachable and be able to validate the given For instance, let template  in world  be
role at the time of access. accessed through a role tunnel  2( 2) ∶  1( 1) ∶</p>
        <p>Data and network level security in the form  ( ). The use of this template for
acof encryption and secure communication, will cessing a data element and/or defining a
relaneed to be implemented in addition to the tionship, will require the above legal capacity
mechanisms of the Multiverse. The Multi- to be valid. The template  will also need to be
verse framework only provides a system for retrieved once again after its   has expired.
creating legally tractable privilege frameworks An expired template will return false for all
across independent institutional contexts. its relationships and data access points. At
any point during the use of a template, if the
Role inheritance: Containment of worlds template role tunnel is not satisfied, the
temhave special semantics in terms of inheritance plate is marked as expired and will be
unusof roles. Suppose world  2 is contained in able, until it is retrieved again from the source.
 1 and both implement a template  . In such Templates can also be subclassed from other
cases, any agent playing a given role  in the templates to form a conceptual subsumption
container world, also gets the privilege of role tree. If template  ′ is a subclass of template  ,
 in the contained world. This enables aggre- then  ′ inherits all the data access points and
gation of similar worlds into a larger world, relation specifications from  . The subclass  ′
and defining privileges on the larger, container can override definitions of data access points
world, rather than on each world individu- and/or relation specifications to apply to the
ally. world implementing the subclass template.</p>
        <p>Hence for example, if a Hospital  has
several branches each implementing a template Access risk: Suppose that a remote data
elof type Hospital, with each branch contained ement  is cached in a world  using the
folwithin the larger world  , then any agent lowing role tunnel:   (  ) ∶ ⋯ ∶  1( 1) ∶
playing a role (say,  ) in  would also  ( ). Accessing this data element 
reget to play the same role with the same priv- quires  + 1 integrity checks to be made. Now
suppose that a given role   (  ) is implemented it also opens up questions about how easy
by world   using template   that itself is would it be for the framework to be
comprofetched using yet another role tunnel   (  ). mised.</p>
        <p>Validating   (  ) will now require validating In this section, we will consider several
adthe role tunnel for the template that has de- verserial scenarios that could potentially
afifned   . This validation may in turn require fect the integrity of data exchange, and see
further validations of further templates along how the framework addresses such situations.
the way.</p>
        <p>
          In order to reduce and limit this unfolding Scenario 1: False implementation of a
temof role tunnel integrity checks, data access is plate: One of the constraints for a world
characterized by a notion of access risk, de- to form a relationship with another world, is
noted by a parameter  ∈ [
          <xref ref-type="bibr" rid="ref11">0, 1</xref>
          ]. This repre- the  ( ) that requires the source or
sents a decay parameter computing a proba- target world to have implemented template  .
bility function, which defines whether an in- Since any world can implement a given
temtegrity check is made at a given level. plate, it can be possible that the
implement
        </p>
        <p>For the initial level of data access (also called ing world is a bogus world that appears like
level 0), where integrity check is done for the an instance of  .
role tunnel from which a data element is re- For instance, suppose a role of type 
trieved, the integrity check is performed with can be established between a person and a
a probability (1 −  )0. For the next level of in- world of type “Hospital” (that is, the world
tegrity checks, where the templates defining has implemented the “Hospital” template). Since
the roles are themselves validated, integrity any world can implement any template, it could
check is initiated with a probability (1 −  )1. be possible that the world is not actually a
Similarly, integrity check at level  is initi- hospital, but a bogus world implementing the
ated with a probability (1 −  ) . Hence, the template.
higher the value of  the lesser the levels to Such a scenario is possible, only if the
“Hoswhich integrity check is performed, and the pital” template is publicly available. To
pregreater the access risk. vent fake representations, important templates</p>
        <p>Access risk is a parameter that is set by the should be defined in a world representing a
agent performing a read operation, balancing certifying authority, and read access granted
between speed of access and guarantee of le- to worlds based on an ofline verification of
gal authenticity of the access. their authenticity.
4. Adverserial Scenarios Scenario 2: False implementation of a
relationship: The  (,  ) constraint for
One of the ways in which the proposed Mul- a relationship, require the source or target
tiverse framework difers from Roles Based world to have a relationship called  with
Access Control (RBAC) is the absence of an a world implementing template  .
overarching role-granting authority. Role spec- In such a case, there could be two levels
ifications are defined in templates that are in at which information can be falsified– either
turn defined within worlds and exchanged across template  does not have a relationship named
them based on access privileges.  , and/or the world implementing
tem</p>
        <p>While this provides enormous flexibility and plate  is a bogus world.
scalability for the access control framework,</p>
        <p>In either case, the main security mecha- template, even though it was legally required
nism is to control the definition of  . If tem- to discontinue its use. What would be the
plate  is defined by a certified authority and repercussions of such a case?
be made accessible to worlds based on ofline There are two safeguards that addresses cases
validation of their credentials (which is a one- involving such malicious intermediaries. The
time activity), both levels of falsification can ifrst is the   parameter for the template, which
be addressed. limits the duration until which, the template
will be illegally valid. The second safeguard
Scenario 3: Unauthorized read of third- is the access risk  parameter by the agent
party data from a world: Suppose that Dr. performing a read. If the data being accessed
Ram has accessed data about a patient from is very sensitive, the reader may set the
acSharada clinic from the example from Figure 2. cess risk  to a low value, which will force
When the resource is copied to the world of integrity check for the template that defines
Dr. Ram, would it now be accessible to other a role.
agents who have a read privilege on this world?</p>
        <p>To answer this, we need to note that the le- 5. Case Studies
gal capacity with which the data element was
accessed is also stored along with the data In this section, we will consider some case
element. In this example, the legal capacity study applications where a Multiverse
frameis:  (ℎ  ) ∶  (   ) ∶ work would be useful.
 ( ). This Role Tunnel representing
the legal capacity is stored along with the
resource in the  world, and has to be valid 5.1. CET Score Verification
at the time of accessing the data element. Hence,Many countries have some form of a
Comanother agent who is trying to access this data mon Entrance Test (CET) for graduate
admiselement, will be able to do so, only if the agent sions. Applicants who take the test use these
satisfies all the roles in the Role Tunnel: scores to gain admissions in universities. The
 (ℎ  ),  (   ) and number of universities who recognize CET
 ( ). That is, the agent should not scores may be large, and may vary over time.
only be listed as a co-owner of the world  , In addition, several other organizations may
but should also be listed as a  in the world    and as  in the world ℎ  .</p>
      <p>Scenario 4: Malicious Representation: In the example from Figure 2, suppose that the hospital has implemented its   template by downloading it from a regulatory agency  , that recognizes hospitals and issues certificates and templates for their operations. Suppose that the hospital loses its recognition due to some malpractice, and is no longer eligible to use the   template. However, the hospital continues to implement the […]</p>
      <p>[…] also consider CET scores for hiring employees. These organizations will need to independently verify the scores of an applicant from the CET database. This process can be securely automated using the Multiverse framework as follows:</p>
      <p>Applicant  takes the  , which is required for admission at    University. In this setup, as shown in Figure 3, there are three entities: student  , university    and the  administering organization, each of which has its own world. Applicant  implements the template of    ,  implements the template of  and University    implements the template of    . The following relationships exist among the worlds: Applicant  plays the role of prospective student in the world of    University and of test applicant in the  application. Once  has completed the  , the scores are stored in its database.  also informs the  application about the universities / organizations that s/he is applying to. In turn,    university requests access to the  scores of applicant  , and if the constraints, such as applicant  exists, has valid scores, and has applied to university    , are all satisfied, then  ′ scores are securely shared with    university.</p>
    </sec>
    <sec>
      <title>5.2. Identity Validation</title>
      <p>Most countries have a unique ID (UID) for all their citizens. It is used to uniquely identify the citizens, and this UID is mandatory for a variety of purposes like opening a bank account, buying / renting a property etc. Even in this scenario, the Multiverse framework can be used as follows:</p>
      <p>As shown in Figure 4, let’s say person  is a citizen and his UID details are stored in the UID application. When  wants to open an account in  bank, the bank validates the UID details from the UID application. Since the bank is a well-known entity which has been pre-verified and pre-approved, it has read rights on the UID world. Next,  wants to rent a house    . Before  is accepted as a tenant, house    needs to verify the identity of  . Since house    is not a centralized entity, it does not have direct access to the UID application. However, it is a well-known fact that  ′ identity is valid if s/he has an account in  bank. And thus house    accepts bank account details (like account number and address) as valid identity proof of  . The role tunnel is complete if  requests  bank to share the account details with    .</p>
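      <p>The CET score exchange, the identity validation tunnel above and the revoked-recognition problem of Scenario 4 can be checked against a small executable model. The following Python program is an added example written for this edition; it is not code from the paper or from any Multiverse implementation. The World and Regulator classes, the role names (test_applicant, prospective_student, account_holder), the entity names and the sample records are all constructed for the example, and the recognition check is demonstrated on a university world rather than on the hospital of Scenario 4. It goes slightly beyond the text by also denying a request from a second university that the applicant never listed.</p>

```python
"""Toy model of Multiverse-style role tunnels (added example, not the paper's code).

World, role and entity names and the whole API are assumptions of this example;
they mirror the CET score, identity validation and malicious representation
scenarios described in the text.
"""
from dataclasses import dataclass, field


@dataclass
class World:
    """An entity's own world: the template it implements, the roles it assigns
    to other entities, the records it holds about them, and the worlds it has
    pre-approved for direct reads."""
    name: str
    template: str
    roles: dict = field(default_factory=dict)    # entity -> set of role names
    records: dict = field(default_factory=dict)  # entity -> record dict
    readers: set = field(default_factory=set)    # names of pre-approved worlds

    def grant(self, entity, role):
        self.roles.setdefault(entity, set()).add(role)

    def has_role(self, entity, role):
        return role in self.roles.get(entity, set())


class Regulator:
    """Regulatory agency that certifies which worlds may use a template.
    Recognition can be revoked (Scenario 4), so relying worlds re-check it on
    every request instead of trusting a downloaded template forever."""

    def __init__(self):
        self._recognised = {}  # world name -> template it is certified for

    def certify(self, world):
        self._recognised[world.name] = world.template

    def revoke(self, world):
        self._recognised.pop(world.name, None)

    def recognises(self, world):
        return self._recognised.get(world.name) == world.template


def share_scores(cet, university, applicant, regulator):
    """Role tunnel from a university world into the CET world. A score is
    released only if the university is currently recognised and every
    constraint from the text holds: the applicant exists, holds the right
    role in both worlds, has a valid score and listed this university."""
    if not regulator.recognises(university):
        return {"ok": False, "reason": "university not recognised"}
    rec = cet.records.get(applicant)
    if rec is None:
        return {"ok": False, "reason": "applicant unknown to CET"}
    if not (cet.has_role(applicant, "test_applicant")
            and university.has_role(applicant, "prospective_student")):
        return {"ok": False, "reason": "applicant lacks a required role"}
    if rec.get("score") is None:
        return {"ok": False, "reason": "no valid score"}
    if university.name not in rec["applied_to"]:
        return {"ok": False, "reason": "applicant did not apply here"}
    return {"ok": True, "score": rec["score"]}


def read_direct(source, requester, subject):
    """Direct read: only worlds pre-approved on the source (the bank on the
    UID world) get the record; any other world gets nothing."""
    if requester.name not in source.readers:
        return None
    return source.records.get(subject)


def tunnel_identity(bank, house, person, requested_by):
    """Identity validation through the bank. The house cannot read the UID
    world, so it accepts account details from the bank as identity proof.
    The tunnel completes only when the person asks the bank to share, and
    only the fields the house needs leave the bank (no balance)."""
    if requested_by != person or not bank.has_role(person, "account_holder"):
        return None
    rec = bank.records[person]
    house.records[person] = {"account_number": rec["account_number"],
                             "address": rec["address"]}
    return house.records[person]


def demo():
    """Runs the scenarios on constructed sample data and returns the outcomes."""
    reg = Regulator()
    cet, univ, other = World("CET", "cet"), World("U", "cet"), World("V", "cet")
    reg.certify(univ)
    reg.certify(other)
    cet.grant("A", "test_applicant")
    univ.grant("A", "prospective_student")
    other.grant("A", "prospective_student")
    cet.records["A"] = {"score": 87, "applied_to": {"U"}}  # A listed U only

    uid = World("UID", "uid", readers={"Bank"})
    bank, house = World("Bank", "bank"), World("H", "house")
    uid.records["P"] = {"uid": "constructed-uid-0001", "address": "1 Sample St"}
    bank_view = read_direct(uid, bank, "P")  # bank is pre-approved on UID
    bank.grant("P", "account_holder")
    bank.records["P"] = {"account_number": "ACC-0001",
                         "address": bank_view["address"], "balance": 0}

    results = {
        "scores_to_U": share_scores(cet, univ, "A", reg),
        "scores_to_V": share_scores(cet, other, "A", reg),
        "house_reads_uid": read_direct(uid, house, "P"),
        "house_unsolicited": tunnel_identity(bank, house, "P", requested_by="H"),
        "house_via_tunnel": tunnel_identity(bank, house, "P", requested_by="P"),
    }
    reg.revoke(univ)  # Scenario 4: U loses recognition but keeps the template
    results["scores_after_revocation"] = share_scores(cet, univ, "A", reg)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

      <p>Two design choices carry the security point of the section. The CET world never trusts the university's copy of the template on its own: it asks the regulator on every request, so a world whose recognition has been withdrawn is refused even though it still implements the template. And the bank releases only the account number and address that the house needs, and only when the person initiates the tunnel, so the house never gains read rights on the UID world itself.</p>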
      </sec>
    </sec>
    <sec id="sec-2">
      <title>6. Conclusions</title>
      <p>Data utility needs to contend with three conflicting concerns: transparency, privacy and security. Most of the solutions to address these concerns have thus far required a larger institutional framework that regulates access. Extending the legitimacy of access control across organizational boundaries in an open-ended fashion has always been a challenge.</p>
      <p>The Multiverse framework proposed in this paper addresses this problem, and uses role tunneling as the mechanism for extending inter-organizational access regulations in an open-ended fashion. The Multiverse framework only […]; protection of the data itself is a different issue that is addressed by encryption and secure communication protocols. Similarly, protec[…]graph of the data displayed on their screens are also outside the scope of the framework. The Multiverse framework is primarily meant […] in the form of role tunneling.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <title>References</title>
      <ref id="ref1">
        <label>1</label>
        <mixed-citation>E. Börger, B. Thalheim, A method for verifiable and validatable business process modeling, in: Advances in Software Engineering, Springer, 2008, pp. 59-115.</mixed-citation>
      </ref>
      <ref id="ref2">
        <label>2</label>
        <mixed-citation>K.-D. Schewe, B. Thalheim, Concep[…]tems, Data &amp; knowledge engineering 54 (2005) 147-188.</mixed-citation>
      </ref>
      <ref id="ref3">
        <label>3</label>
        <mixed-citation>E. Bertino, P. A. Bonatti, E. Ferrari, Tr[…]mation and System Security (TISSEC) 4 (2001) 191-233.</mixed-citation>
      </ref>
      <ref id="ref4">
        <label>4</label>
        <mixed-citation>R. Sandhu, D. Ferraiolo, R. Kuhn, et al., […] control, volume 10, 2000.</mixed-citation>
      </ref>
      <ref id="ref5">
        <label>5</label>
        <mixed-citation>R. S. Sandhu, E. J. Coyne, H. L. Feinstein, C. E. Youman, Role-based access control models, Computer 29 (1996) 38-47.</mixed-citation>
      </ref>
      <ref id="ref6">
        <label>6</label>
        <mixed-citation>B. Fabian, T. Ermakova, P. Junghanns, Collaborative and secure sharing of healthcare data in multi-clouds, Information Systems 48 (2015) 132-150.</mixed-citation>
      </ref>
      <ref id="ref7">
        <label>7</label>
        <mixed-citation>M. H. Kang, J. S. Park, J. N. Froscher, Access control mechanisms for inter-organizational workflow, in: Proceedings of the sixth ACM symposium on Access control models and technologies, 2001, pp. 66-74.</mixed-citation>
      </ref>
      <ref id="ref8">
        <label>8</label>
        <mixed-citation>J. S. Park, Role-based access control to computing resources in an inter-organizational community, 2006. US Patent 6,986,061.</mixed-citation>
      </ref>
      <ref id="ref9">
        <label>9</label>
        <mixed-citation>S. Agrawal, C. Jog, S. Srinivasa, Integrity management in a trusted utilitarian data exchange platform, in: OTM Confederated International Conferences "On the Move to Meaningful Internet Systems", Springer, 2014, pp. 623-638.</mixed-citation>
      </ref>
      <ref id="ref10">
        <label>10</label>
        <mixed-citation>S. M. Eckartz, W. J. Hofman, A. F. Van Veenstra, A decision model for data sharing, in: International conference on electronic government, Springer, 2014, pp. 253-264.</mixed-citation>
      </ref>
      <ref id="ref11">
        <label>11</label>
        <mixed-citation>R. Meijer, S. Choenni, R. S. Alibaks, P. Conradie, Bridging the contradictions of open data, in: Proceedings 13th European Conference on eGovernment, Como, Italy, 2013, pp. 329-336.</mixed-citation>
      </ref>
      <ref id="ref12">
        <label>12</label>
        <mixed-citation>R. Meijer, P. Conradie, S. Choenni, Reconciling contradictions of open data regarding transparency, privacy, security and trust, Journal of theoretical and applied electronic commerce research 9 (2014) 32-44.</mixed-citation>
      </ref>
      <ref id="ref13">
        <label>13</label>
        <mixed-citation>S. Srinivasa, S. V. Agrawal, C. Jog, J. Deshmukh, Characterizing utilitarian aggregation of open knowledge, in: Proceedings of the 1st IKDD Conference on Data Sciences, 2014, pp. 1-11.</mixed-citation>
      </ref>
      <ref id="ref14">
        <label>14</label>
        <mixed-citation>P. Samarati, S. C. de Vimercati, Access control: Policies, models, and mechanisms, in: International School on Foundations of Security Analysis and Design, Springer, 2000, pp. 137-196.</mixed-citation>
      </ref>
      <ref id="ref15">
        <label>15</label>
        <mixed-citation>U. Hengartner, P. Steenkiste, Exploiting hierarchical identity-based encryption for access control to pervasive computing information, in: First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05), IEEE, 2005, pp. 384-396.</mixed-citation>
      </ref>
      <ref id="ref16">
        <label>16</label>
        <mixed-citation>C. A. Kunzinger, Integrated system for network layer security and fine-grained identity-based access control, 2017. US Patent 9,769,177.</mixed-citation>
      </ref>
      <ref id="ref17">
        <label>17</label>
        <mixed-citation>R. K. Thomas, Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative environments, in: Proceedings of the second ACM workshop on Role-based access control, 1997, pp. 13-19.</mixed-citation>
      </ref>
      <ref id="ref18">
        <label>18</label>
        <mixed-citation>M. Janssen, Y. Charalabidis, A. Zuiderwijk, Benefits, adoption barriers and myths of open data and open government, Information systems management 29 (2012) 258-268.</mixed-citation>
      </ref>
      <ref id="ref19">
        <label>19</label>
        <mixed-citation>D. Roman, N. Nikolov, A. Putlier, D. Sukhobok, B. Elvesaeter, A. Berre, X. Ye, M. Dimitrov, A. Simov, M. Zarev, et al., Datagraft: One-stop-shop for open data management, Semantic Web 9 (2018) 393-411.</mixed-citation>
      </ref>
      <ref id="ref20">
        <label>20</label>
        <mixed-citation>J. R. da Silva, J. A. Castro, C. Ribeiro, J. C. Lopes, Dendro: collaborative research data management built on linked open data, in: European Semantic Web Conference, Springer, 2014, pp. 483-487.</mixed-citation>
      </ref>
      <ref id="ref21">
        <label>21</label>
        <mixed-citation>B. Malin, A computational model to protect patient data from location-based re-identification, Artificial intelligence in medicine 40 (2007) 223-239.</mixed-citation>
      </ref>
      <ref id="ref22">
        <label>22</label>
        <mixed-citation>G. Loukides, J. C. Denny, B. Malin, The disclosure of diagnosis codes can breach research participants' privacy, Journal of the American Medical Informatics Association 17 (2010) 322-327.</mixed-citation>
      </ref>
      <ref id="ref23">
        <label>23</label>
        <mixed-citation>B. Malin, G. Loukides, K. Benitez, E. W. Clayton, Identifiability in biobanks: models, measures, and mitigation strategies, Human genetics 130 (2011) 383.</mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>