CareGrid: Autonomous Trust Domains for Healthcare Applications

N. Dulay, E. Lupu, M. Sloman
Department of Computing, Imperial College London
{n.dulay, m.sloman, e.c.lupu}@imperial.ac.uk

J. Bacon, K. Moody, D. Ingram
Computer Laboratory, University of Cambridge
{Jean.Bacon, Ken.Moody, dmi1000}@cl.cam.ac.uk

Introduction

Future large-scale health-care will involve many different organisations cooperating in patient care, including hospitals, GPs, dentists, pharmacies, drug companies, and insurance companies. With the advent of new wireless healthcare products, it is becoming feasible to contemplate new applications that offer real-time healthcare to patients, and involve complex interactions between many services in many organisations (see scenarios below). Key to their design is the issue of trust, where we want trust-based decisions relating to the interactions between entities – which entity to interact with, what resources should the entity have access to, what information should be released to the entity, how to configure the mechanisms needed to make the interaction secure and how trust levels change over time, based on experience and reputation [Gra00]. Large-scale applications cannot rely on the traditional person in the trust decision loop, but must make use of automated trust decisions.  A trust domain is a dynamic set of collaborating entities capable of making autonomous trust-based decisions.  Trust domains, with varying trust relationships between them, can be grouped in compositional, hierarchic and ad-hoc peer-to-peer relationships.  Examples include a body-area network monitoring the health of a patient, care workers responsible for a patient, a hospital or a regional health authority.  In this project, we will investigate techniques for the organisation, management, and interoperation of trust domains to be used as the basis for building large-scale trust-based applications.

Consider a simple scenario where a patient with an acute heart condition subscribes to a monitoring service that provides wearable sensors and a small wireless controller that can send monitored information to the service centre and, if necessary, deliver feedback from a medic to the patient. If an emergency is detected the monitoring service calls an ambulance. The monitoring service needs access to the patient's cardiac history held by the patient's GP and by the hospital where the patient was previously treated, and it liaises with the emergency services and with the hospital to which the patient will be taken for emergency treatment. Assume the monitoring service also provides anonymised monitoring records for medical research. Hospitals need to interact with the patient's GP and possibly social services about caring for a patient after treatment. In a small hospital there may not be local expertise to evaluate patient information such as X-rays or ECG readings, so these need to be sent to a remote expert over the network. Perhaps the patient's usual consultant is not available and a new trusted one has to be chosen, which is a form of trust-based choice of service. A consultant evaluating an X-ray or an ECG may wish to search for similar examples via a medical services grid, but then the question of trust in the source of the examples arises.

There are many different aspects of trust in all the above interactions. Will the monitoring service detect actual problems without false alarms? Can the wireless infrastructure being used be trusted with respect to confidentiality? If not, can this lack of trust be used to ensure that data is communicated over a secure channel? Can the monitoring service be trusted to pass on monitored information for research while still maintaining patient privacy, and can it guarantee that the information will be used only for medical research? Can the patient (if he so wishes) agree to information being sold to insurance companies in exchange for a lower monitoring service charge or insurance premium? In cases of emergency, can we ensure that privacy restrictions may be over-ruled so that the patient's doctor has access to detailed monitored information? Trust with respect to interactions between organisations (e.g. a hospital using a blood analysis service) will change over time based on experience, recommendations, or reputations [Abd00]. There is a need to collect this evidence for use in making decisions based on trust, for example in health workflow systems to aid medical procedures or patient care, where the entities participating in the workflow change dynamically because of workload, availability etc. and may have varying levels of trust between them. Trust may also depend on current context, particularly for mobile applications. Privacy, an individual's right to control the collection and use of personal information, plays a crucial role in building trust, particularly in healthcare applications.

Research in trust issues is at an early stage. There is not much work on the integration of automated trust decision support within a potentially large-scale, multi-domain distributed system architecture that takes application context into account. The concept of a trust domain is novel and important. The dynamic creation of trust domains and the interactions between them, with the need to dynamically construct appropriate policies for trust-based decisions and to gather the evidence required to make those decisions while maintaining privacy, have not been addressed in the literature.

One core project deliverable will be a trusted interaction service, somewhat akin to SSL/TLS, that supports evidence collection, trust negotiation and privacy control. This service needs to cater for simple body-area networks as well as very large-scale applications. The project will investigate the interdependencies between trust, privacy, and security. We will use healthcare as the application driver, as we are involved in other healthcare projects, but the concepts and tools developed will be applicable to other e-science applications.

Background

Imperial has developed the SULTAN Toolkit for specifying and analysing trust relations [Gra02, Gra03]. This provides support for human trust-based decisions and permits trust based on recommendations, or recommendations based on trust. The trust specification included risk and experience as constraints. The design did support simple authorisation policies that queried the trust management system for access control based on trust levels, but the system was too heavyweight for automated trust decision support, as the emphasis was on the analysis of trust specifications. The PEACE system [Keo04] is a policy-based framework for the establishment, evolution and management of mobile ad-hoc communities, although it is also usable for grid-interconnected virtual organisations. It defines the policies for setting up the community, assigning entities to roles within the community and how roles interact. Imperial has developed the Ponder policy toolkit for security and management policy, which also supports role-based management and is used by many other institutions [Dam01]. The EPSRC AMUSE (GR/S68033/01) project is developing the concept of a Self Managed Cell (SMC) for autonomic ubiquitous systems. The SMC has some similarities to the proposed trust domains, but AMUSE is not working on trust or security. Imperial is also working on policy-based adaptive security, for distributed firewalls to respond to attacks, which has some similarity to the ideas of adaptive context-aware trust in this project. Trustcom (www.eu-trustcom.com) is an industry-led large EU IP project developing tools for integrating trust, security, contract management and business processes for virtual organisations. Imperial leads the DTI UbiCare Centre on Ubiquitous Computing Healthcare in the community (www.ubicare.org), which will be used as one of the application drivers and as a source of scenarios for the project. Prof. Sloman and Dr. Lupu have IBM Faculty Awards for work on interactions between autonomic cells and on policy analysis and refinement.

The Opera group have worked on event-based middleware (CEA, Hermes) and role-based access control (OASIS) for a decade. These paradigms have come to be acknowledged as the most promising for achieving scalability in distributed systems, both locally dense (as in sensor networks and ubiquitous computing) and widely distributed, for applications that include multi-domain healthcare, multi-campus electronic courseware delivery, national police services, international businesses with world-wide branches, and many more. OASIS RBAC [Bac01, Bac02a, Bac02b, Bac03] is being used by several research projects, including an Electronic Health Record (EHR) service demonstrator by CBCL and IBHIS for healthcare. Our OASIS research includes the specification, management and automatic enforcement of policy [Bel03b]. The EDSAC21 project (EPSRC) will generalise publish-subscribe communication, while maintaining its scalability and efficiency, and secure it using RBAC for interactions within and between administration domains [Bel03a]. Within the EU SECURE project (secure.dsg.cs.tcd.ie) we have quantified risk and have integrated trust and risk with access control [Dim04]. Each participant in a possible interaction decides whether to proceed according to policy, which may require a certain level of trust. Trust values are acquired from (historical) direct evidence of the participants and by interaction with other known parties. Evidence is classified as supporting (s) a good-behaviour hypothesis, inconclusive (i) or contradicting (c) in terms of the possible outcomes of each interaction. Formally, an event structure captures and classifies all stages of all outcomes. An interaction history records the number of occurrences of each type of outcome in a triple (s, i, c), and this is used to compute a trust value range in the [0,1] interval of reals. Triples received from other parties can be modified depending on trust in the sending party, and a single trust value is created from the direct and indirect evidence.
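The following is an added worked example of the evidence-to-trust computation sketched above; it is not the SECURE kernel's code. The interval formula (lower bound from supporting outcomes, upper bound from supporting plus inconclusive), the rule that scales a recommender's triple by our trust in the recommender, and the midpoint used to collapse the interval to one value are all assumptions made for this illustration.

```python
"""Trust value from SECURE-style (s, i, c) evidence triples.

Added example, not the SECURE project's code: the interval formula, the
discounting rule and the merge of direct and indirect evidence are this
example's own assumptions, chosen to match the text's description.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Triple:
    """Counts of interaction outcomes: supporting, inconclusive, contradicting."""
    s: float
    i: float
    c: float

    def total(self) -> float:
        return self.s + self.i + self.c

    def add(self, other: "Triple") -> "Triple":
        return Triple(self.s + other.s, self.i + other.i, self.c + other.c)

    def discounted(self, trust_in_sender: float) -> "Triple":
        """Scale a triple received from another party by our trust in the sender.

        Assumption: a sender trusted at 0.5 carries half the weight of our own
        observations; a sender trusted at 0 contributes nothing at all.
        """
        if not 0.0 <= trust_in_sender <= 1.0:
            raise ValueError("trust in sender must lie in [0, 1]")
        w = trust_in_sender
        return Triple(self.s * w, self.i * w, self.c * w)


def trust_interval(history: Triple) -> tuple[float, float]:
    """Map an interaction history to a trust range [low, high] inside [0, 1].

    low  = fraction of outcomes that support good behaviour;
    high = fraction that do not contradict it (supporting plus inconclusive).
    The width of the interval (i / total) is the uncertainty left by the
    inconclusive outcomes; an empty history is total uncertainty, [0, 1].
    """
    n = history.total()
    if n == 0:
        return (0.0, 1.0)
    return (history.s / n, (history.s + history.i) / n)


def combine_evidence(direct: Triple, indirect: list[tuple[Triple, float]]) -> Triple:
    """Merge direct observations with recommendations given as (triple, trust_in_sender)."""
    merged = direct
    for triple, trust_in_sender in indirect:
        merged = merged.add(triple.discounted(trust_in_sender))
    return merged


def point_trust(history: Triple) -> float:
    """Collapse the interval to a single value for policies that need one number.

    Assumption: the midpoint, so inconclusive evidence counts half; a more
    cautious domain could take the lower bound instead.
    """
    low, high = trust_interval(history)
    return (low + high) / 2


if __name__ == "__main__":
    # Constructed sample: our own record of a blood-analysis service, plus a
    # recommendation from a hospital trusted at 0.5 and one from an unknown party.
    direct = Triple(8, 1, 1)
    recommendations = [(Triple(4, 0, 4), 0.5), (Triple(0, 0, 20), 0.0)]
    merged = combine_evidence(direct, recommendations)
    print(merged, trust_interval(merged), point_trust(merged))
```

The unknown party's twenty contradicting outcomes vanish entirely, which is the point of discounting by trust in the sender: a recommender we have no evidence about cannot move the value, so flooding a domain with hostile recommendations from fresh identities has no effect until those identities have earned trust themselves.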

The SECURE project has shown how trust can be made computationally tractable while retaining a reasonable connection with human and social notions of trust. SECURE has produced a well-founded theory of trust that has been tested and refined through use in real software such as collaborative spam filtering and electronic purse. The software comprises the SECURE kernel with extensions for policy specification by application developers.  It has yet to be applied to large-scale, multi-domain distributed systems taking different application contexts into account.  The project has not considered privacy in evidence distribution, a crucial issue for many application domains, including public services such as healthcare and police. The SECURE collaboration model has similarities with the trust domain concept, embodying the interaction set of a principal, but SECURE is primarily concerned with pseudonymous entities rather than domain-structured systems.

Objectives and Research Issues

The overall objective of this research project is to develop the necessary support for building e-science autonomous trust domains, with healthcare as a demonstrator.   The specific objectives of the project include:

- Autonomous trust domains that make decisions based on evidence, trust and privacy requirements and trust negotiation, and that are capable of scaling down to body-area networks as well as scaling up to grid applications.

- Techniques for the formation, management and interoperation of ad-hoc trust domains.  This includes techniques for federating and composing trust domains to support large scale applications and inter-organisational interactions.

- An evidence service that collects, filters, synthesises and anonymises experience, risk, recommendation and reputation data that can be used as evidence for trust evaluation. Note that evidence may have to be archived for audit and statistical evaluations.

- Trust-based decision support for security adaptation, privacy or service selection.  

- Techniques for protection against attacks on the trust infrastructure

- A healthcare demonstrator based on the scenarios described above.

We will not develop a new trust model in the project but will adapt the one developed in SECURE [Cah03]. The research issues to be addressed therefore include:

- What trust model is most appropriate? This includes how to specify trust requirements so that trust decision algorithms can use them, and how to use policies to govern the behaviour of the trust infrastructure.

- How to scale down to simple wireless devices as well as scale up to large inter-organisation applications?

- What privacy models to use and how to specify privacy requirements in policies which combine trust and privacy?  

- How to summarise historical evidence taking into account disparate, classified, patterns of behaviour? How to identify evidence as being specific to a particular trust related activity and how to correlate evidence related to different activities? How to anonymise evidence to satisfy privacy requirements? This includes the requirements for vertical studies of populations as well as for evidence distribution in recommendations.

- When and how to exchange evidence and trust information across trust domains?  How to define trust relationships between domains?  How to use such relationships in trust interactions?

- How to assess the trustworthiness and risks in using trusted interactions, which includes identification of potential attacks and vulnerabilities of the trust infrastructure?   What countermeasures are possible and how to evaluate user confidence in proposed solutions?

Approach and Work Packages

The project will be divided into the following seven work packages (see section 10 for deliverables):

WP1    Autonomous Trust Domains

Most of the emphasis of existing work in trust systems has been on exploring the very wide range of possible models for defining and formally reasoning about trust.  We will concentrate on the infrastructure required to deploy trust-based applications. We will adapt and extend previous work on SECURE, SULTAN and PEACE to define and implement the concept of autonomous trust domain. This will include defining the core components, the language(s) used for writing trust and privacy policies, how to create (name, list members/roles, join/leave), structure and evolve autonomous trust domains and how they interact.  

The following diagram illustrates some of the components involved in resolving a simple request from X to interact with Y which can be used as the basis for establishing more complex multiparty collaborations within and between trust domains.  

[Figure: components involved in resolving a request from X to interact with Y; image not reproduced here]

Tr : trust domains, trust & privacy policies, stores (recommendations, experiences, certificates etc)
Ev : evidence stores, filtering & anonymisation, uncertainty rules, privacy policies
Ac : authorisation & privacy policies
Co : secure communications (e.g. SSL for authentication, confidentiality, integrity)
Other components: trust brokers, secure auditing, context.

Requests for trusted interactions are forwarded to the local Trust Domain, which is responsible for determining whether the interaction should succeed or fail. The Trust Domain is also capable of providing a signed statement of the reasoning behind success or failure (useful for debugging and non-repudiation). In this example, if a request succeeds, the Trust Domain will establish a new secure channel and trigger any necessary security adaptations, e.g. in the communications (Co) or access control (Ac) systems. Although the architecture of the trust domain implied by the diagram is preliminary and over-simplified, it indicates some of the functionality and data that will be required. Functionality like secure communications is well understood, with accepted standards (e.g. SSL/TLS), although most middleware communications services do not yet consider trust issues. Trust languages and trust negotiation protocols have few implementations and little acceptance [Sea02]. There is a need to federate (i.e. to form ad-hoc dynamic coalitions) and compose trust domains (e.g. nested hierarchies) to support more complex scenarios. This requires protocols for group membership and trust negotiation, as well as an overarching architecture that is self-managing.
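As an added illustration of the request flow just described (this is example code, not the CareGrid project's own), the function below resolves a request from X to perform an action, records every reason behind the outcome, lists the security adaptations to trigger in the Co and Ac components, and signs the record so the statement of reasoning cannot be altered afterwards. The per-action policy shape (minimum trust, maximum risk, confidentiality requirement), the policy values, and the use of an HMAC key held by the Trust Domain are assumptions; a deployed domain would more likely sign with a public-key signature so that other domains can verify the statement without sharing the key.

```python
"""Trust-based decision on an interaction request, with a signed reasoning record.

Added example, not CareGrid code. Assumes a trust value already computed by the
domain's evidence service, a risk figure from the access-control component, and
a signing key held by the Trust Domain.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

SIGNING_KEY = b"constructed-trust-domain-key"  # constructed; a real domain keeps this in a keystore


@dataclass(frozen=True)
class Policy:
    min_trust: float      # lowest trust value at which the action is allowed
    max_risk: float       # highest acceptable risk (probability of a wrong decision times its cost)
    confidential: bool    # True if the interaction must run over a confidentiality-protected channel


POLICIES = {  # constructed sample policies for a monitoring-service domain
    "read_cardiac_history": Policy(min_trust=0.7, max_risk=0.3, confidential=True),
    "read_anonymised_stats": Policy(min_trust=0.3, max_risk=0.8, confidential=False),
}


def _canonical(record: dict) -> bytes:
    """Stable byte encoding so the signature covers exactly the stated reasoning."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign(record: dict) -> str:
    return hmac.new(SIGNING_KEY, _canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict) -> bool:
    """Check the signature; any change to the outcome or reasoning makes it fail."""
    body = {k: v for k, v in record.items() if k != "signature"}
    return hmac.compare_digest(sign(body), record.get("signature", ""))


def decide(requester: str, action: str, trust: float, risk: float,
           channel_confidential: bool, policies: dict = POLICIES) -> dict:
    """Resolve a request from `requester` to perform `action` and return the signed decision."""
    policy = policies.get(action)
    reasons, adaptations = [], []
    if policy is None:
        reasons.append(f"no policy covers action {action!r}: default deny")
    else:
        if trust < policy.min_trust:
            reasons.append(f"trust {trust:.2f} below required {policy.min_trust:.2f}")
        if risk > policy.max_risk:
            reasons.append(f"risk {risk:.2f} above tolerated {policy.max_risk:.2f}")
        if policy.confidential and not channel_confidential:
            # A weak channel is not a refusal: the domain adapts the Co component instead.
            adaptations.append("Co: establish confidentiality-protected channel")
    permitted = policy is not None and not reasons
    if permitted:
        reasons.append("trust and risk within policy bounds")
        adaptations.append(f"Ac: grant {requester} {action} for this session")
    record = {
        "requester": requester,
        "action": action,
        "permitted": permitted,
        "reasons": reasons,
        "adaptations": adaptations if permitted else [],  # no channel set-up for a refused request
    }
    record["signature"] = sign(record)
    return record


if __name__ == "__main__":
    print(json.dumps(decide("monitor-7", "read_cardiac_history", 0.85, 0.1, False), indent=2))
```

Two details matter for the "signed statement of reasoning": the signature is computed over a canonical encoding (sorted keys, fixed separators), since otherwise a re-serialised but semantically identical record would fail to verify, and comparison uses a constant-time check so the verifier does not leak how many leading bytes of a forged signature were right.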

WP2    Trust-based Access Control and Security Adaptation

This work package will develop a federated access control model suitable for expressing authorisation policy for dynamic trust domains and dynamically created security associations. Current models [San96] lack the adaptability required to dynamically change authorisations, or to mandate changes to the security policy in response to changes in trust, although work is being done using the Ponder framework for adaptive firewall security. The package will evaluate and extend current work on the specification and enforcement of role-based access to services within and between domains, and to the communication service itself [Bel03a], to include trust and risk (the probabilistic cost of a wrong decision). This may require some merging of concepts between the Ponder and OASIS frameworks. It will then explore dynamically assembled domains, for example when a patient moves to a new geographical location. Note that the parametrised roles of OASIS capture the principals acting in roles, and the relationships between principals concerned in an invocation, such as the treating-doctor relationship to a patient [Bac03].

WP3     Privacy

Authorisation policy (WP2) is concerned with controlling access to services and the visibility of data on service/method invocation at the application level. But data is routinely recorded by a (trusted) audit service at the system level, to satisfy legal requirements. This data may need to be anonymised when used for population studies (e.g. epidemiology) while retaining the historical principal-data relationship for vertical studies. This work package will establish privacy concepts related to evidence gathering and transmission for the computation of application-level trust. We will classify different privacy requirements, different degrees of anonymisation that might be enforced, and how they affect the basic trust model and trust computation. Anonymisation mechanisms are an output of WP4.

WP4    Evidence Collection

Direct evidence will be calculated, as in SECURE, by a monitoring component of each service. In SECURE indirect evidence is gathered from a closure of pseudonymous contacts encountered in some context. In CareGrid we have the new concept of trust domain, where experience and evidence is shared by mutually trusting parties. But new trust domains can be formed, and new, initially untrusted members can join a trust domain. We will define how trust in an entity is established in this new domain-based environment by gathering and analysing evidence, taking recommendations from other domains, discounting indirect evidence according to trust in the source, and taking into consideration the risk related to the activity. We will need to be able to correlate a trust rating for a specific activity (e.g. cardiac monitoring) as evidence to determine a trust rating for a different activity (e.g. diabetes monitoring). In addition, we will take into account privacy policy that affects interactions within and between trust domains. We will create anonymisation mechanisms that maintain the usefulness of evidence data to the extent possible while honouring privacy requirements. We will analyse historical evidence and classify patterns of behaviour which, when detected dynamically, can be used as (probabilistic) predictors of future behaviour.
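The distinction drawn in WP3 and WP4 between anonymising evidence for population studies and retaining the principal-data relationship for vertical studies can be made concrete with the added example below (illustrative code, not the CareGrid evidence service). It assumes flat evidence records with the fields shown; for population use it drops direct identifiers and coarsens the quasi-identifiers (date of birth to a decade, postcode to its area, date to a month), and for vertical use it additionally attaches a keyed pseudonym so that one patient's records still link while the key that could reverse the mapping stays inside the evidence service.

```python
"""Anonymising evidence for population studies versus vertical (longitudinal) studies.

Added example, not the CareGrid evidence service. Record fields, the coarsening
rules and the keyed-pseudonym scheme are this example's assumptions.
"""
import hashlib
import hmac

PSEUDONYM_KEY = b"constructed-evidence-service-key"  # constructed; never leaves the service

# Constructed sample evidence: two records for one patient and one for another.
EVIDENCE = [
    {"patient_id": "P-0001", "name": "A. Patient", "dob": "1961-04-12",
     "postcode": "SW7 2AZ", "activity": "cardiac_monitoring", "outcome": "s",
     "date": "2004-11-03"},
    {"patient_id": "P-0001", "name": "A. Patient", "dob": "1961-04-12",
     "postcode": "SW7 2AZ", "activity": "cardiac_monitoring", "outcome": "i",
     "date": "2004-12-19"},
    {"patient_id": "P-0002", "name": "B. Patient", "dob": "1975-09-30",
     "postcode": "CB3 0FD", "activity": "diabetes_monitoring", "outcome": "c",
     "date": "2004-11-21"},
]

DIRECT_IDENTIFIERS = ("patient_id", "name")


def pseudonym(patient_id: str) -> str:
    """Keyed, stable pseudonym: same patient -> same value; without the key, no reversal.

    A plain hash would let anyone who can enumerate patient ids recompute and
    link them, hence an HMAC under a key held only by the evidence service.
    """
    return hmac.new(PSEUDONYM_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def for_population_study(record: dict) -> dict:
    """Drop direct identifiers and coarsen quasi-identifiers; keep the evidence itself."""
    year = int(record["dob"][:4])
    return {
        "birth_decade": f"{year // 10 * 10}s",           # "1961-04-12" -> "1960s"
        "postcode_area": record["postcode"].split()[0],   # "SW7 2AZ" -> "SW7"
        "activity": record["activity"],
        "outcome": record["outcome"],
        "month": record["date"][:7],                      # "2004-11-03" -> "2004-11"
    }


def for_vertical_study(record: dict) -> dict:
    """Same coarsening, plus a pseudonym so one patient's history stays linked."""
    out = for_population_study(record)
    out["subject"] = pseudonym(record["patient_id"])
    return out


def release(records: list[dict], vertical: bool) -> list[dict]:
    """Produce the released data set, refusing to emit any direct identifier."""
    transform = for_vertical_study if vertical else for_population_study
    released = [transform(r) for r in records]
    for r in released:
        if any(k in r for k in DIRECT_IDENTIFIERS):
            raise ValueError("direct identifier survived anonymisation")
    return released


if __name__ == "__main__":
    for r in release(EVIDENCE, vertical=True):
        print(r)
```

The final check in `release` is deliberately redundant with the transforms: the anonymisation boundary is where a privacy failure is cheapest to catch, and the rule "no direct identifier leaves" is easier to audit than the transforms that are supposed to enforce it.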

WP5    Context Management

This work package will investigate techniques for relating evidence, trust and privacy to context.  Examples of context such as the location of a person or device, the time of day, environmental readings, physiological state (e.g. heart rate), patterns of past behaviour, user preferences and current roles, will be integrated into WP1-4 through a context management service (CMS).  The CMS will support context schemas, context sensing and storage and flexible context querying.  Components within a CareGrid trust domain will also be able to register with their CMS and receive events when particular context changes occur, and support context-triggered actions. We will extend initial work at Imperial on incorporating uncertainty into context values and defining functions over uncertain contexts [Cha04].

WP6    Threat Analysis and Protection

Trust-based systems may be compromised by attacks based on generating incorrect information and on collusion against the trust models and trust implementations used. This work package will evaluate threats, characterise existing attack techniques and identify new ones (cf. cryptanalysis). We will develop techniques to mitigate attacks. We will investigate techniques such as lying [Sch00], collusion [Sen02], failure to disseminate recommendations, and inference of identity, as well as countermeasures such as selective disclosure, certified ratings/endorsements, insurance, and searches on encrypted data. We will apply and evaluate the techniques against the CareGrid architecture and feed the results back into WPs 1-5.

WP7    Demonstrators & Evaluation

An important part of the proposal will be a set of trust-based healthcare applications. These will allow evaluation of the CareGrid concepts, but also act as exemplars that others can use and adapt (we intend to make the software and applications developed in the project open-source). The work package will develop a methodology to test the effectiveness of using trusted interactions and to identify weaknesses. User studies will be used to check how the system is perceived by end-users and how well the interaction behaviour of applications matches user expectations.

We will liaise with the DTI’s UbiCare centre in order to define useful and challenging scenarios and in order to interest e-Health providers that are considering autonomic healthcare systems. We will evaluate the need for a trust component in the CBCL EHR demonstrator and the incorporation of such an EHR service into the CareGrid architecture. The design takes a web services approach.

Related Work

The early work on trust management systems [Bla96] provided applications with a standard interface for getting answers to questions such as "Does the set C of credentials prove that the request r complies with the local security policy p?". Without such middleware, applications had to provide their own mechanisms for specifying policy, interpreting credentials and binding user authentication with the authorisation to perform certain operations. PGP, another early system (for secure mail), advocated an ad-hoc "web-of-trust" model for associating trust with public keys rather than a PKI. Automated trust negotiation, based on the iterative exchange of digital credentials between two or more parties, is used to establish trust. Combining trust negotiation with a web-of-trust or with dynamic coalitions allows greater flexibility. Systems in this class include TPL [Her00], PSPL [Bon00], TrustBuilder [Yu01, Win02] and Trust-X [Ber04]. [Sei03] proposes an opportunistic approach for evolving trust based on entity recognition. A model that attempts to address the wider lifecycle of trust management is outlined in [Eng02] and [Sko04]. Issues related to implementing trust- and context-based access control autonomously are identified in [Sel04]. [Dat03] advocates a statistical approach to quantify trust properties and realise a distributed PKI; the system is built on P-Grid [Abe01]. [Ati02] advocates the use of trust service brokers. eDiamond (www.ediamond.ox.ac.uk) uses OGSA to build a suite of grid services for breast cancer treatment. eDiamond allows breast imaging data to be anonymised for research, but has no notion of trust (do you trust the 'unknown' person doing a reading?). Conoise-G (www.ecs.soton.ac.uk/~sr2/ConoiseG/research.html) aims to use trust and reputation models for agent-based virtual organisations where participants must be accredited and their activities policed. The Gold project (www.neresc.ac.uk/projects/GOLD/projectdescription.html) is developing tools and techniques for deploying dynamic virtual organisations. Its application focus is the chemistry industry; it is also investigating the concept of dynamic trust domains, although this is not the main focus of the project, and it is not considering privacy. It has only recently started, so detailed information is not available, but we are jointly organising a UK workshop on virtual organisations in Spring 2005.

As with trust, many models have been proposed for modelling privacy [Sch03]. A model that combines user consent and obligations for access control is proposed in [Kar02]. [Goe02] combines trust networks with a reputation system to provide privacy, while [Sha03] uses recommendations to control the exchange of personal information. Little is available in the privacy standards arena, although there are initiatives such as P3P/APPEL for describing a company's privacy policies and for users to express their privacy preferences. Seal programs such as TRUSTe/BBBOnline for building consumer confidence have not yet found widespread acceptance. [Lan01] presents ideas for incorporating privacy-enhancing infrastructure in the ubiquitous computing environment through extensions of P3P. Privacy Mirrors [Ngu02] aims to make pervasive computing visible by giving users more awareness through visualising the invisible flow of information. [Can02] describes a system that combines privacy and collaborative filtering. Approaches to location privacy include Cricket [Pri00], Mist [Alm02], as well as [Myl03, Ber03]. Usability aspects of privacy policies are explored in [Jen04]. [Son00] introduces practical cryptographic techniques for searching on encrypted data residing on untrusted servers.

Relevance to Beneficiaries

The interplay of trust, privacy and security has been identified by the UK Foresight Cybertrust Project (www.foresight.gov.uk/cybertrust.html) as a key issue and as one of the biggest problems facing organisations relying on the internet and future large-scale grids. This project will focus on the research issues related to the provision of practical trust and privacy for e-health, but the concepts and tools developed will be generic and applicable to e-science and e-commerce.

Dissemination and Exploitation

The investigators have a good track record of publishing papers at major conferences and in journals and will continue to do so. We also have a good track record of providing tutorials at conferences and to industry, have good links with various standards groups, and will continue to influence those bodies. The software will be developed for current grid platforms and will be made available in the public domain. We will collaborate closely with the e-Science Gold project and make sure our ideas and tools are made available to the UK e-Science community. We have strong links with industry through the UbiCare centre and many other projects, making early awareness of and adoption by industrial collaborators highly likely. The UbiCare centre does not currently include any work on automated, trust-based decision support, security or privacy. We will be collaborating with the IBM Almaden Intelligent Systems Group led by Dr. Rakesh Agrawal, who developed the Hippocratic Database to respect the privacy of the data it manages (www.almaden.ibm.com/software/quest/index.shtml), as Dr. Grandison, who developed the SULTAN system at Imperial, is now working there.

References

[Abe01]    Aberer K.: P-Grid: A self-organising access structure for P2P information systems. Proc. of the 6th Intl. Conf. on Cooperative Information Systems (CoopIS 2001), Trento, Italy, 2001.

[Abd00]    Abdul-Rahman A. and Hailes S.: Supporting Trust in Virtual Communities, Proc. of the 33rd Annual Hawaii Intl. Conf. on System Sciences, Hawaii, Vol. 1, 9pp.

[Alm02]    Al-Muhtadi J., Campbell R., Kapadia A., Mickunas D., and Yi S.: Routing Through the Mist: Privacy Preserving Communication in Ubiquitous Computing Environment. In Intl. Conf. on Distributed Computing Systems (ICDCS 2002), pp. 65-74, Vienna, 2002.

[Ati02]    Atif Y.: Building Trust in E-Commerce, IEEE Internet Computing, pp. 18-24, Jan-Feb 2002.

[Bac01]    Bacon J., Moody K. and Yao W.: Access Control and Trust in the Use of Widely Distributed Services. In Middleware 2001, Lecture Notes in Computer Science 2218, pp. 295-310, Springer, 2001.

[Bac02a]    Bacon J. and Moody K.: Adaptive middleware: Toward open, secure, widely distributed services. Communications of the ACM, 45(6), pp. 59-63, June 2002.

[Bac02b]    Bacon J., Moody K. and Yao W.: A model of OASIS role-based access control and its support for active security. ACM Transactions on Information and System Security (TISSEC), 5(4), pp. 492-540, November 2002.

[Bac03]    Bacon J., Moody K. and Yao W.: Access control and trust in the use of widely distributed services. Software - Practice and Experience, 33(4), pp. 375-394, April 2003.

[Bel03a]    Belokosztolszki A., Eyers D. M., Pietzuch P. R., Bacon J., Moody K.: Role-based access control for publish/subscribe middleware architectures. In International Workshop on Distributed Event-Based Systems (DEBS03), ACM SIGMOD, San Diego, CA, USA, 2003. ACM.

[Bel03b]    Belokosztolszki A., Eyers D. M., Wang W., Moody K.: Policy storage for role-based access control systems. In Proceedings of the Twelfth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE'03), pp. 196-201, June 2003.

[Ber03]    Beresford A., Stajano F.: Location Privacy in Pervasive Computing, Pervasive Computing, Vol. 2, No. 1, pp. 46-55, Jan-Mar 2003.

[Ber04]    Bertino E., Ferrari E., Squicciarini A.: Trust-X: A Peer-to-Peer Framework for Trust Establishment, IEEE Transactions on Knowledge and Data Engineering, Vol. 16, No. 7, pp. 827-842, July 2004.

[Bla96]    Blaze M., Feigenbaum J. and Lacy J.: Decentralized Trust Management, IEEE Symp. on Security and Privacy, Oakland, California, USA, 1996, pp. 164-173.

[Bon00]    Bonatti P., Samarati P.: Regulating Service Access and Information Release on the Web, 7th ACM Conf. on Computer and Communications Security, Athens, Greece, Nov 2000.

[Cha04]    Chalmers D., Dulay N., Sloman M.: Towards Reasoning about Context in the Presence of Uncertainty, Workshop on Advanced Context Modelling, Reasoning and Management, UbiComp 2004, Sept 2004.

[Dam01]    Damianou N., Dulay N., Lupu E. and Sloman M.: The Ponder Policy Specification Language, Proc. Policy 2001: Workshop on Policies for Distributed Systems and Networks, Bristol, UK, 29-31 Jan. 2001.

[Dat03]    Datta A., Hauswirth M., Aberer K.: Beyond "web-of-trust": Enabling P2P E-commerce, Proc. IEEE Conf. on E-Commerce (CEC'03).

[Dim04]    Dimmock N., Belokosztolszki A., Eyers D., Bacon J., Moody K.: Using trust and risk in role-based access control policies. In Proceedings of the ACM Symposium on Access Control Models and Technologies, June 2004.

[Eng02]    English C., Nixon P., Terzis S., McGettrick A., Lowe H.: Security Models for Trusting Network Appliances, 5th Annual Workshop on Networked Appliances, Liverpool, England, October 2002.

[Goe02]    Goecks J. and Mynatt E.: Enabling privacy management in ubiquitous computing environments through trust and reputation systems. Workshop on Privacy in Digital Environments: Empowering Users, Proceedings of CSCW 2002, New Orleans, LA, USA.

[Gra00]    Grandison T. and Sloman M.: A Survey of Trust in Internet Applications, IEEE Communications Surveys and Tutorials, Vol. 4, No. 4, pp. 2-16, 2000.

[Gra02]    Grandison T. and Sloman M.: Specifying and Analysing Trust for Internet Applications, Proc. of the 2nd IFIP Conf. on E-Commerce, E-Business and E-Government, Lisbon, Portugal, 7-9 Oct. 2002.

[Gra03]    Grandison T.  and Sloman M.: Trust Management Tools for Internet Applications, Proc. 1st Int’l Conf. Trust Management, LNCS 2692, Springer-Verlag, 2003, pp. 91–107.

[Her00]    Herzberg A., Mass Y., Michaeli J., Ravid Y., Naor D.: Access Control Meets Public Key Infrastructure, Or: Assigning Roles to Strangers 2000 IEEE Symposium on Security and Privacy, May 14 - 17, 2000. Berkeley, California.

[Ing03]    Ingram D. Trust-based Filtering for Augmented Reality  First International Conference on Trust Management, pp108-122, LNCS 2692, Springer, 2003

[Jen04]    Jensen C., Potts C.: Privacy Policies as Decision-Making Tools: An Evaluation of Online Privacy Notices . CHI 2004, April 2004, Vienna, Austria, pp471-478

[Kar02]    Karjoth G., Schunter M.: A Privacy Policy Model for Enterprises , Proc. 15 th IEEE Computer Security Foundations Workshop, pp271-281.

[Keo04]    Keoh S.L., Lupu E., Sloman M.: PEACE : A Policy-based Establishment of Ad-hoc Communities, Annual Computer Security Applications Conference (ACSAC 2004) , Tucson, Arizona, USA, Dec. 2004

[Kos03]    Kobsa A., Schreck J.: Privacy through Pseudonymity in User-Adaptive Systems , ACM Transactions on Internet Technology, Vol 3, No 2, May 2003, pp149-183.

[Lan01]    Langheinrich M: A Privacy Awareness System for Ubiquitous Computing Environments . In: G. Borriello, L.E. Holmquist (Eds.): 4th Intl Conference on Ubiquitous Computing (UbiComp2002), Springer-Verlag LNCS 2498, pp. 237-245, September 2002.

[Liu03]    Liu L., Yu E., Mylopoulos: Security and Privacy Requirements Analysis within a Social Setting . Proc. 11 th IEEE Requirements Engineering Conference.

[Myl03]    Myles G., Friday A., and Davies N.: Preserving Privacy in Environments with Location-Based Applications , Pervasive Computing, pp56-64, Vol 2 No 1, Jan-Mar 2003.

[Ngu02]     Nguyen D. and Mynatt E.:   Privacy Mirrors: Understanding and Shaping Socio-technical Ubiquitous Computing Systems .  Georgia Institute of Technology Technical Report GIT-GVU-02-16.  June 2002.

[Nod98]    Nodine M. and Unruh, A.: Facilitating Open Communication in Agent Systems. In M. Singh, A. Rao and M. Wooldridge, Eds, Intelligent Agents IV: Agent Theories, Architectures and Languages, pp281-296.  Springer-Verlag, 1988.

[Pri00]    Priyantha N., Chakraborty A. and Balakrishnan H.: The Cricket Location-Support System . In Proceedings of the 6th ACM Intl. Conference on Mobile Computing and Networking (ACM MOBICOM), Boston, MA, August 2000.

[San96]    Sandhu R. S., Coyne E. J., Feinstein H. L., Youmann C. E.: Role-based access control models . IEEE Computer 29(2), pp38-47, Feb 1996.

[Sea02]    Seamons K., Winslett M, Yu T., Smith B., Child E., Jacobson J., Mills H., and Yu L.: Requirements for Policy Languages for Trust Negotiation, 3 rd Intl. Workshop in Policies for Distributed Systems and Networks, IEEE, June 2002, Monterey, pp68-79

[Sel04]    Seleznyov A. and Hailes S.: Distributed Knowledge Management for Autonomous Access Control in Computer Networks , Intl. Conf. on Information Technology: Coding and Computing, Vol 2, pp433-437, 2004

[Sen02]    Sen S., Sajja N.: Robustness of Reputation-based Trust : Boolean Case , Proc. 1 st Intl Joint Conf. on Autonomous Agents and Multi-Agent Systems, Vol 1, pp288-293, 2002.

[Sch00]    Schillo M., Funk P., Rovatsos M.: Using Trust for Detecting Deceptive Agents in Artificial Societies , Applied Artificial Intelligence, Vol 14, No 8, pp825-848. 2000

[Sch03]    Schunter M. (ed): Enterprise Privacy Authorisation Language, v1.73.  IBM research report,

[Sei03]    Seigneur J-M., Farrell S., Jensen C., Gray E., Chen Y.: End-to-end Trust Starts with Recognition, Proc. 1st International Conference on Security in Pervasive Computing, Boppard, Germany, 12-14 March 2003.

[Sha03]    Shand B., Dimmock N. and Bacon J.: Trust for Ubiquitous, Transparent Collaboration, 1st IEEE Conference on Pervasive Computing and Communications (PerCom 2003), March 2003, pp. 153-160.

[Sko04]    Skogsrud H., Benatallah B., Casati F.: Trust-Serv: Model-Driven Lifecycle Management of Trust Negotiation Policies for Web Services, WWW 2004, New York, May 2004, pp. 53-62.

[Son00]    Song D., Wagner D., Perrig A.: Practical Techniques for Searches on Encrypted Data, Proc. 2000 IEEE Symp. on Security and Privacy, 2000.

[Win02]    Winsborough W. and Li N.: Towards Practical Automated Trust Negotiation, 3rd Intl. Workshop on Policies for Distributed Systems and Networks, IEEE, Monterey, California, June 2002, pp. 92-103.

[Yu01]    Yu T., Winslett M. and Seamons K.: Interoperable Strategies in Automated Trust Negotiation, Proc. 8th ACM Conference on Computer and Communications Security (CCS-8), ACM Press, November 2001, pp. 146-155.