Blind Auditing and Probabilistic Access Controls.

Keeping audit logs about past activities in any computer system is one of the requirements regulated decades ago. However, there is no clear definition of what information should be kept in audit logs. Therefore, most existing systems include identifiers in audit records that violate data privacy, or they apply pseudonymization techniques before logging that add unnecessary overhead to the system. In this paper, we define an auditing approach called blind auditing in which the audit logs contain just “enough” information to preserve data privacy and enable different auditing processes without adding intolerable overhead to the system being audited. With those blind audit logs, we define a probabilistic access control model that dynamically improves over time. Together, these allow auditing and access control that is performant, privacy-preserving and perpetually improving.