Enforcing Expressive Accountability Policies

Accountability policies for the enforcement of the responsible stewardship of personal data have to support the gathering of information at all levels of the service stack and across different policy domains, for instance, for the retrospective enforcement of transparency and remediation properties. Existing approaches to accountability, however, often do not meet these requirements and corresponding implementation support is lacking. In this paper we show how expressive accountability policies can be defined in terms of policy domains, accessible data at all levels of the service stack, and preventive and retrospective mechanisms. Additionally, we present a notion of accountability schemes that support the constructive implementation of our accountability policies. Finally, we motivate and apply our approach in the context of real-world attacks to OAuth-based authorization and authentication protocols.