Jusletter IT

Civil Law Concepts in Access Control

  • Author: Hanno Langweg
  • Category: Short Articles
  • Region: Norway
  • Field of law: Advanced Legal Informatics Systems and Applications
  • Collection: Conference proceedings IRIS 2012
  • Citation: Hanno Langweg, Civil Law Concepts in Access Control, in: Jusletter IT 29 February 2012
Access control models in computer security are often driven by technical abilities. Civil law has successfully been used to regulate access to resources for centuries. Hence, civil law concepts might offer insights into improvements of access control models. Business contracts could then be more easily expressed as access control policies; liability for events in computer systems could be more easily determined.

Table of Contents

  • 1. Introduction
  • 2. Previous and Related Work
  • 3. Structures in Civil Law
  • 4. Comparison
  • 5. Discussion
  • 6. References

1. Introduction

[1]
This paper reports on early work of an examination of the concepts found in civil law, and compares them with existing access control models.
[2]
Computer systems have undergone an architectural change in the past 50 years. Early machines had a single processing facility, used by one or several users (cf. mainframes, personal computers). More recent paradigms are similar to a mash-up of services (cf. distributed systems, mobile agents, grid computing, cloud computing) and, hence, are more comparable with interacting independent persons. Natural and legal persons regulate their interaction by contracts, the primary concept provided by civil law. A contract is negotiated between persons who have equal legal power and it includes rights as well as obligations. Contracts exist in the civil law codes of most jurisdictions, be it based on Roman Law [University of Saarbrücken (undated)], Napoleonic Code [The Napoleon Series 1995], Sharia [Seestani (undated)], Chinese civil law [People's Republic of China 1999] or others.
[3]
Access control models have traditionally been driven by technical abilities and structures and remain an active field of study [Dawson 2011, Sandhu 1996]. A goal of applying principles and structures of civil law to access control is to ease transformation from legal texts to access control policies and, hence, to ease enforcement of contracts in information systems. A second goal is to legally interpret events in information systems and to ease enforcement of contracts and liability law.
[4]
We base our evaluation of law concepts on the German civil code (BGB), which has five parts: a general part defining terms and rules underlying all legal acts, a second part on the law of obligations, a third part on property law, a fourth part on family law, and a fifth part on the law of succession. We concentrate on the general part, on obligations, and on property law. This is an acceptable loss of generality, because the BGB is based in large parts on ancient Roman law (traditional German law is used mostly for family law and the law of succession, both of which are of less relevance in information systems). Several other legal systems are also based on Roman law [Brox, 18].

2. Previous and Related Work

[5]
In one of the earliest works on access control in information systems, Lampson presents access control models that focus on the mechanisms for enforcing access control that existed at the time [Lampson 1974]. The mechanism is the familiar access matrix, with protection domains (or subjects) labelling the rows, objects (to be protected) labelling the columns, and attributes (or access rights) as its elements. The approach taken is a preventive one, i.e., the operating system must prevent violations of the access control policy from happening. Blakley points out that in the past "computers were expensive, solitary, heavy and rare" and that this has changed with today's systems [Blakley 1996]. Economic models are mentioned as one alternative to preventive security. In one example, accesses are related to a two-sided transfer of resources, with a loss incurred by a party that does not fulfil a negotiated contract.
[6]
Povey supports optimistic security schemes that permit access to resources [Povey 1999]. Accesses violating the access control policy are not prevented, but logged, and need to be resolved later. This approach is similar to civil law, which does not prevent actions from occurring but regulates the consequences of actions. Accountability, auditability and recoverability are the three requirements of optimistic schemes.
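The two enforcement styles contrasted in paragraphs [5] and [6] can be made concrete in a few lines. The following Python example is added here and is not code from the paper or from any of the cited systems; the class and function names (System, AuditEntry, preventive_write, optimistic_write, recover) and the sample subjects, object and matrix entries are constructed for illustration. The matrix follows Lampson's layout (subject rows, object columns, right sets as elements); the optimistic variant lets every access happen but records who acted (accountability), whether the policy was violated (auditability) and the prior state so the violation can be compensated later (recoverability).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed example: access matrix elements are sets of rights, keyed by
# (subject, object). Rights mirror the simple modes mentioned in the paper:
# observe ("read"), modify ("write"), execute ("exec").
Matrix = Dict[Tuple[str, str], Set[str]]


@dataclass
class AuditEntry:
    subject: str          # accountability: which subject acted
    obj: str
    mode: str
    authorised: bool      # auditability: was the access within policy?
    previous: str         # recoverability: object state before the access
    resolved: bool = False


@dataclass
class System:
    matrix: Matrix
    objects: Dict[str, str]                      # object name -> content
    log: List[AuditEntry] = field(default_factory=list)

    def allowed(self, subject: str, obj: str, mode: str) -> bool:
        return mode in self.matrix.get((subject, obj), set())

    def preventive_write(self, subject: str, obj: str, value: str) -> bool:
        """Lampson-style enforcement: a violating access is refused up front."""
        if not self.allowed(subject, obj, "write"):
            return False
        self.objects[obj] = value
        return True

    def optimistic_write(self, subject: str, obj: str, value: str) -> AuditEntry:
        """Povey-style enforcement: the access always happens, but it is logged
        with enough state to roll it back, and violations are flagged."""
        entry = AuditEntry(subject, obj, "write",
                           self.allowed(subject, obj, "write"),
                           self.objects[obj])
        self.objects[obj] = value
        self.log.append(entry)
        return entry

    def unresolved_violations(self) -> List[AuditEntry]:
        return [e for e in self.log if not e.authorised and not e.resolved]

    def recover(self, entry: AuditEntry) -> None:
        """Compensate for a violating access by restoring the prior state.
        With several entries for one object, apply this newest-first."""
        self.objects[entry.obj] = entry.previous
        entry.resolved = True


def demo() -> dict:
    sys_ = System(
        matrix={("alice", "ledger"): {"read", "write"},
                ("bob", "ledger"): {"read"}},          # bob may only observe
        objects={"ledger": "balance=100"},
    )
    prevented = sys_.preventive_write("bob", "ledger", "balance=0")   # refused
    entry = sys_.optimistic_write("bob", "ledger", "balance=0")       # happens, logged
    tampered = sys_.objects["ledger"]
    sys_.recover(sys_.unresolved_violations()[0])                     # resolved later
    return {"prevented": prevented, "violation": not entry.authorised,
            "tampered": tampered, "restored": sys_.objects["ledger"],
            "open": len(sys_.unresolved_violations())}
```

Running demo() shows the difference the paragraph describes: the preventive write by bob never changes the ledger, while the optimistic write does change it, leaves a log entry attributing the change to bob, and can be undone when the violation is resolved.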
[7]
Gama discusses obligations bound to access permissions and presents an enforcement mechanism [Gama 2005]. The technical mechanisms are explicitly motivated by contractual obligations. Irwin investigates the interpretation of policies that include obligations [Irwin 2006]. The article notes that enforcement requires accountability of subjects. Stieghahn discusses how laws and regulations can be incorporated in access control [Stieghahn 2009]. The approach is essentially to formulate unilaterally imposed policy (e.g., regulations) as XACML statements and to compose formally specified law with more resource-oriented access control policies.
[8]
Röscheisen discusses shortcomings of the access matrix model and compares access control policies in computing systems to barter economies [Röscheisen 1996]. Ungureanu proposes to express contracts between legal entities as sets of certified policies [Ungureanu 2005]. A certified policy is a part of a contract expressed in a formal language and signed by an authority. Jakob looks at contract-based systems for electronic agents [Jakob 2008]. Linington presents a model and prototype infrastructure for automated checking of business contracts [Linington 2003]. The article notes a gap between the specification language used and the terms used in law.
[9]
Métayer directs service calls through a proxy to log invocation [Métayer 2010]. The log files are later compared to formally expressed expected behaviour of a service. Krishna presents a data and process model for keeping track of contracts and their fulfilment in a business [Krishna 2005]. Access to resources is part of the workflow for handling a contract; it is not made clear whether there is an intention to couple contract management with access control.

3. Structures in Civil Law

[10]
Main concepts of civil law are legal person, property, contract, and tort [Wesel 1991, 183].
[11]
The persons in civil law are natural persons (humans) and legal persons. Legal persons can represent accumulated resources (e.g., an incorporated organization) or can be sets of natural and legal persons (e.g., an association). A legal person has the capacity to act, can acquire rights and can create obligations with binding effect. It has the capacity to be a party in court, to sue (or be sued) to enforce a contract. Legal persons are represented by their organs, e.g., a management board that consists of natural persons.
[12]
The concept of property gives the owner of an object the right to use the object at his discretion. BGB § 903: "The owner of a thing may, to the extent that a statute or third-party rights do not conflict with this, deal with the thing at his discretion and exclude others from every influence." Ownership exists independently of possession, e.g., when person O owns a house but is not in possession of it, because person L lives in the house based on a lease agreement. Apart from corporeal objects (things) there exist immaterial goods (intellectual creations for which their creator is endowed with a right to use and exploit) and rights (rights related to assets, e.g., related to things, to rights, to immaterial goods, receivables, shares) that can be objects of a legal transaction. The assets of a person are all rights owned by that person that are equivalent to money. Only rights, not things, belong to assets. Ownership of a thing is a right to use the thing and to exclude others from using it. Rights equivalent to money are rights that can typically be exchanged for money or that provide their owner with a benefit that can be valued in money. The concept of assets is important, because it relates to a universal medium of exchange.
[13]
A contract is the agreement of two or more parties on a set of rights and obligations. It is put into effect by the acceptance of an offer. Offer and acceptance must have the same intent. "An acceptance with expansions, restrictions or other alterations is deemed to be a rejection combined with a new offer." (BGB § 150) As regards the enforcement of contracts (similar to policy enforcement in access control systems), handling rights and obligations is not considered the most difficult part. Oftentimes, a party may deny that an effective contract exists. Several sections of the law regulate who is capable of entering into a contract, how certain types of contracts need to be formalized, and how to deal with hidden lack of agreement and with malicious intent. Contracts can also be entered into by an authorised agent (§ 164): "A declaration of intent which a person makes within the scope of his own power of agency in the name of a principal takes effect directly in favour of and against the principal." To protect the other parties in a contract, § 165 adds: "The effectiveness of a declaration of intent made by or to an agent is not adversely affected by the agent having limited capacity to contract." Further sections determine responsibility and compensative actions in case of misuse of authority by an agent.
[14]
Law does not prevent actions from occurring; it regulates how persons are held responsible to compensate for their actions if these violate the law (tort). § 823 on liability in damages: "A person who, intentionally or negligently, unlawfully injures the life, body, health, freedom, property or another right of another person is liable to make compensation to the other party for the damage arising from this." In information systems, "property or another right" is probably the most likely reason for tort claims unless there is a contractual basis for liability.

4. Comparison

[15]
One of the principles of civil law is the existence of independent subjects that can be held accountable for their actions. In information systems, the equivalent is strong authentication of users and programs. Programs act on human users' behalf, often without proper authentication of a program's source, without negotiated authorisation, and with little possibility to detect, document, and compensate for actions that misuse a given authorisation.
[16]
Many classic access control models allow a unilateral determination of access rights in the form of a triple (subject, object, access mode). More recent models include provisions (pre-conditions), obligations (post-conditions), temporal constraints and evaluation of the context of an access before granting access to an object. The structures are driven by mathematical logic (in the case of systems that are never implemented or do not reach beyond a limited prototype) or by ease of implementation (in the case of commercially available systems, where low implementation costs and compatibility with legacy software take precedence).
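Paragraph [13] describes how a contract comes into effect (offer and acceptance under BGB § 150), paragraph [7] the binding of obligations to permissions, and paragraph [16] the provisions, obligations and temporal constraints found in recent models. The following Python example is added here to show these three pieces working together; it is not code from the paper or from any cited system. The names Right, Obligation, Offer, Contract, Enforcer, accept, request, fulfil and overdue, the use of integer logical time, and the sample parties ("owner", "lessee") and object ("dataset") are all constructed assumptions. An acceptance that changes the offered rights is treated as a counter-offer, an access is granted only when its provision holds and its validity period has not expired, and an obligation is recorded as owed after the access so that unmet obligations can be listed as the facts a later claim would rest on.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple, Union

# Constructed example; all names below are assumptions made for illustration.


@dataclass(frozen=True)
class Obligation:
    duty: str        # action the accessing party owes after the access
    deadline: int    # logical time by which the duty must be performed


@dataclass(frozen=True)
class Right:
    subject: str
    obj: str
    mode: str
    valid_until: int                           # temporal constraint
    provision: str = ""                        # pre-condition: name of a context predicate
    obligation: Optional[Obligation] = None    # post-condition owed once access is used


@dataclass(frozen=True)
class Offer:
    offeror: str
    offeree: str
    rights: frozenset    # frozenset of Right


@dataclass
class Contract:
    parties: Tuple[str, str]
    rights: frozenset
    pending: List[Tuple[str, Obligation]] = field(default_factory=list)


def accept(offer: Offer, reply: Offer) -> Union[Contract, Offer]:
    """BGB § 150: an acceptance with alterations is a rejection plus a new offer.
    Only an identical set of rights between the same two parties forms a contract."""
    same_parties = {offer.offeror, offer.offeree} == {reply.offeror, reply.offeree}
    if same_parties and offer.rights == reply.rights:
        return Contract((offer.offeror, offer.offeree), offer.rights)
    return reply   # counter-offer; negotiation continues


class Enforcer:
    """Policy decision point for one negotiated contract."""

    def __init__(self, contract: Contract, context: Dict[str, Callable[[], bool]]):
        self.contract = contract
        self.context = context   # provision name -> predicate evaluated at access time

    def request(self, subject: str, obj: str, mode: str, now: int) -> str:
        for r in self.contract.rights:
            if (r.subject, r.obj, r.mode) != (subject, obj, mode):
                continue
            if now > r.valid_until:
                return "denied:expired"            # temporal constraint
            if r.provision and not self.context[r.provision]():
                return "denied:provision"          # pre-condition not met
            if r.obligation is not None:
                self.contract.pending.append((subject, r.obligation))   # post-condition now owed
            return "granted"
        return "denied:no-right"

    def fulfil(self, subject: str, duty: str) -> bool:
        """Discharge a pending obligation; False if none of that kind was owed."""
        for i, (s, o) in enumerate(self.contract.pending):
            if s == subject and o.duty == duty:
                del self.contract.pending[i]
                return True
        return False

    def overdue(self, now: int) -> List[Tuple[str, Obligation]]:
        """Obligations still pending past their deadline: the facts a claim rests on."""
        return [(s, o) for s, o in self.contract.pending if now > o.deadline]


def demo() -> dict:
    right = Right("lessee", "dataset", "read", valid_until=10, provision="paid",
                  obligation=Obligation("delete-copy", deadline=12))
    offer = Offer("owner", "lessee", frozenset({right}))
    # The lessee first replies asking for a longer validity: a counter-offer, not a contract.
    altered = Right("lessee", "dataset", "read", valid_until=20, provision="paid",
                    obligation=right.obligation)
    counter = accept(offer, Offer("lessee", "owner", frozenset({altered})))
    contract = accept(offer, Offer("lessee", "owner", frozenset({right})))
    paid = {"state": False}
    enf = Enforcer(contract, {"paid": lambda: paid["state"]})
    unpaid = enf.request("lessee", "dataset", "read", now=1)      # provision fails
    paid["state"] = True
    granted = enf.request("lessee", "dataset", "read", now=2)     # obligation now pending
    overdue = len(enf.overdue(now=13))                             # deadline 12 has passed
    fulfilled = enf.fulfil("lessee", "delete-copy")
    expired = enf.request("lessee", "dataset", "read", now=11)    # past valid_until
    return {"counter_is_offer": isinstance(counter, Offer),
            "contract_formed": isinstance(contract, Contract),
            "unpaid": unpaid, "granted": granted, "overdue": overdue,
            "fulfilled": fulfilled, "expired": expired}
```

The overdue() list is deliberately kept separate from the grant decision: in the optimistic spirit of the paper, a late obligation does not retroactively block the access that was already granted, it is simply recorded so that responsibility can be determined afterwards.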
[17]
We show important concepts in civil law and their counterparts in access control in Table 1. Programs are routinely used to act as agents on a user's behalf without the user being in a position to negotiate authorisation with the agents or with the system owner. Accesses to objects are granted or denied, and are often based on rather simple modes of access, i.e., observing, modifying, or executing data. Discretionary access control policies distinguish between ownership and possession: the owner of an object can determine which subjects can invoke the object. Possession of an object is often implemented as holding a reference that can be used in function calls to the access control subsystem.
[18]
Civil law               | Access control         | Comment
------------------------|------------------------|------------------------------------------------
Legal person            | Subject                | Used for human user and for computer processes
Agent                   | Process                | Non-negotiated authorisation
No agent                | Trusted path           | Rarely implemented
Property                | Object                 | Object in access control
Ownership               | Object owner           | Defines access list in discretionary policies
Obligation type         | Access mode            | Access mode in access control
Entitlement             | Capability             | Access rights bound to a subject
Standard business terms | Non-negotiated policy  | Imposed by system owner/vendor

Table 1: Comparison of terms
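The ownership/possession distinction drawn in paragraphs [12] and [17] and in the Ownership and Entitlement rows of Table 1 is illustrated by the following Python example, added here and not part of the paper. The names DACSystem, Thing, Capability, create, lend, invoke and revoke, and the house/owner/tenant scenario, are constructed assumptions. Ownership is a property of the object, and only the owner can hand out or withdraw references (the discretionary access list); possession is holding an unforgeable reference, which suffices to invoke the object but confers no right to grant or revoke. The scenario mirrors paragraph [12]: O owns the house, L possesses it under a lease.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import secrets

# Constructed example; the class and method names are assumptions.


@dataclass(frozen=True)
class Capability:
    obj: str
    mode: str
    token: str          # unforgeable reference; holding it is possession


@dataclass
class Thing:
    name: str
    owner: str           # ownership lives with the object, not with any token


class DACSystem:
    def __init__(self) -> None:
        self.things: Dict[str, Thing] = {}
        self.live: Dict[str, Capability] = {}   # token -> capability still honoured

    def _issue(self, name: str, mode: str) -> Capability:
        cap = Capability(name, mode, secrets.token_hex(16))
        self.live[cap.token] = cap
        return cap

    def create(self, owner: str, name: str) -> Capability:
        """Creating a thing makes the creator its owner and gives him a reference."""
        self.things[name] = Thing(name, owner)
        return self._issue(name, "write")

    def lend(self, requester: str, name: str, mode: str) -> Optional[Capability]:
        """Only the owner may hand out possession (BGB § 903: deals with the
        thing at his discretion). Ownership is not transferred by lending."""
        if self.things[name].owner != requester:
            return None
        return self._issue(name, mode)

    def invoke(self, cap: Capability, mode: str) -> bool:
        """Possession alone suffices to invoke: the caller presents a reference."""
        live = self.live.get(cap.token)
        return live is not None and live.mode == mode

    def revoke(self, requester: str, cap: Capability) -> bool:
        """Only the owner may take a reference back; the holder's possession ends."""
        if self.things[cap.obj].owner != requester:
            return False
        self.live.pop(cap.token, None)
        return True


def demo() -> dict:
    s = DACSystem()
    owner_cap = s.create("O", "house")            # O owns the house
    lease = s.lend("O", "house", "read")          # L receives possession for reading
    tenant_uses = s.invoke(lease, "read")
    tenant_cannot_write = not s.invoke(lease, "write")
    tenant_cannot_grant = s.lend("L", "house", "read") is None
    tenant_cannot_revoke = not s.revoke("L", owner_cap)
    s.revoke("O", lease)                          # lease ends: possession returns
    after_revoke = s.invoke(lease, "read")
    return {"tenant_uses": tenant_uses, "tenant_cannot_write": tenant_cannot_write,
            "tenant_cannot_grant": tenant_cannot_grant,
            "tenant_cannot_revoke": tenant_cannot_revoke,
            "after_revoke": after_revoke,
            "owner_unchanged": s.things["house"].owner == "O",
            "owner_still_acts": s.invoke(owner_cap, "write")}
```

The register of live tokens plays the role of the owner-defined access list from Table 1: the owner edits it (lend, revoke), possessors merely present entries from it (invoke).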

5. Discussion

[19]
While civil law emphasizes autonomous actions by legally independent persons, access control models are more rigid in what they can express. Some types of obligations may be impractical in information systems, because there is no universal medium of exchange, i.e., no equivalent to money. Contemporary computer systems are unaware of money as the counterpart in transactions and as the basis for compensative actions. Scheduling of resource use is hence more comparable to a gratuitous loan of objects to subjects. Web services and cloud computing could profit from a law-aware infrastructure, as these service-oriented architectures resemble interactions of persons more than interactions of processes at a low technical level.
[20]
The malware problem in information systems could be addressed by civil law. Malicious processes are agents that act on a principal's behalf. Their acts are defined by algorithms specified by a person. The principal could hold the person providing the algorithm accountable for any damages that are caused. Raising tort claims against malware authors is today hampered by a lack of forensic readiness of information systems (actions cannot be attributed to processes), a lack of strong authentication for program authorship (processes cannot be attributed to specific program components), a lack of negotiated authorisation of processes by users (documentation and configuration of programs is a difficult task), and a lack of automated interpretation of process execution in terms of civil law (forensic examinations are resource-intensive tasks involving humans). Improved forensic readiness of information systems could improve the fact-finding phase in a court of law. If evidence were collected by a law-aware infrastructure, presentation and interpretation could be accelerated by automation. Strong authentication for program authorship is available on a voluntary basis in the form of certificates and digital signatures for executable code. It might become more prevalent with a shift in software distribution to a small number of vendors (e.g., app stores for mobile devices). Authorisation of programs and compliance with specific policies have always been difficult issues. Translating requirements so that they can be interpreted both in a court and by software has made slow progress. It could help to have similar target structures in both the legal and the technical infrastructure.
[21]
Our examination is work in progress. Next steps are a broader investigation of existing access control models as well as a comparative analysis of civil law concepts in different countries.

6. References

Blakley, B. The emperor's old armor. In: Proceedings of the 1996 workshop on New security paradigms, NSPW '96, pp. 2-16 (1996).

Brox, H. Allgemeiner Teil des BGB (English: General part of the civil code). Heymanns, Köln, 25th edition (2001).

Dawson, E., Reid, J., Salim, F. Access Control. http://www.nisnet.no/filer/Finse11/Dawson-Authorisation_Course.pdf retrieved 2011-12-19 (2011).

Federal Ministry of Justice. German civil code (BGB). http://www.gesetze-im-internet.de/englisch_bgb/ retrieved 2011-12-19 (2010).

Gama, P., Ferreira, P. Obligation policies: An enforcement platform. In: IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 203-212 (2005).

Irwin, K., Yu, T., Winsborough, W.H. On the modeling and analysis of obligations. In: Proceedings of the 13th ACM CCS, pp. 134-143 (2006).

Jakob, M., Pěchouček, M., Miles, M., Luck, M. Case studies for contract-based systems. In: Proceedings of AAMAS '08: industrial track, pp. 55-62 (2008).

Krishna, P., Karlapalem, K., Dani, A. From contracts to e-contracts: Modeling and enactment. In: Information Technology and Management, Issue 6, pp. 363-387 (2005).

Lampson, B.W. Protection. In: Proc. Fifth Princeton Symposium on Information Sciences and Systems, Princeton University, March 1971, pp. 437-443, reprinted in: SIGOPS Oper. Syst. Rev., Issue 8, pp. 18-24 (1974).

Le Métayer, D., Maarek, M., Tong, V. V. T., Mazza, E., Potet, M.-L., Craipeau, N., Frénot, S., and Hardouin, R. Liability in software engineering: overview of the LISE approach and illustration on a case study. In: Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering, pp. 135-144 (2010).

Linington, P.F., Neal, S. Using policies in the checking of business to business contracts. In: IEEE International Workshop on Policies for Distributed Systems and Networks, pp. 207-218 (2003).

People's Republic of China. Contract Law of the People's Republic of China. http://www.fdi.gov.cn/pub/FDI_EN/Laws/law_en_info.jsp?docid=50943 retrieved 2011-12-19 (1999).

Povey, D. Optimistic security: a new access control paradigm. In: Proceedings of the 1999 workshop on New security paradigms, NSPW '99, pp. 40-45 (2000).

Röscheisen, M., Winograd, T. A communication agreement framework for access/action control. In: IEEE Symposium on Security and Privacy, pp. 154-163 (1996).

Sandhu, R. Access control: The neglected frontier. In: First Australasian Conference on Information Security and Privacy, Springer, pp. 23-26 (1996).

Seestani, A. Islamic Laws according to the Fatawa of Ayatullah al Uzama Syed Ali Al-Husaini Seestani. http://www.al-islam.org/laws/ retrieved 2011-12-19 (undated).

Stieghahn, M., Engel, T. Law-aware access control: about modeling context and transforming legislation. In: Proceedings of JSAI-isAI'09, pp. 73-86 (2010).

The Napoleon Series. The Civil Code Index. http://www.napoleon-series.org/research/government/c_code.html retrieved 2011-12-19 (1995).

Ungureanu, V. Using certified policies to regulate e-commerce transactions. In: ACM Trans. Internet Technol., Issue 5, pp. 129-153 (2005).

University of Saarbrücken, Roman Law branch of the Law-related Internet Project. http://archiv.jura.uni-saarland.de/Rechtsgeschichte/Ius.Romanum/english.html retrieved 2011-12-19 (undated).

Wesel, U. Fast alles, was Recht ist. Eichborn (1991).