We propose VAMS, a system that enables transparency for audits of access to data requests without compromising the privacy of parties in the system. VAMS supports audits on an aggregate level and an individual level, by relying on three mechanisms. A tamper-evident log provides integrity for the log entries that are audited. A tagging scheme allows users to query log entries that relate to them, without allowing others to do so. MultiBallot, a novel extension of the ThreeBallot voting scheme, is used to generate a synthetic dataset that can be used to publicly verify published statistics with a low expected privacy loss. We evaluate two implementations of VAMS, and show that both the log and the ability to verify published statistics are practical for realistic use cases such as access to healthcare records and law enforcement access to communications records.
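As an added illustration of the first two mechanisms named above (a tamper-evident log and a user-specific tagging scheme), here is a small Python example. It is not code from the VAMS paper or from either of its implementations: the hash-chain construction, the HMAC-over-epoch tag, the key names and the payload fields are all assumptions made for this example, and the data is constructed.

```python
import hashlib
import hmac
import json

# Constructed example, not the VAMS paper's own design: a hash-chained,
# append-only audit log whose entries carry an HMAC tag computed under a
# per-user key and an epoch number, so only the holder of that key can
# recognise which entries concern them. Anyone can verify chain integrity.

GENESIS = b"\x00" * 32
ALICE_KEY = b"alice-key"   # constructed per-user secret (assumption)
BOB_KEY = b"bob-key"       # constructed per-user secret (assumption)


def _digest(*parts: bytes) -> bytes:
    # Length-prefix each part so concatenations cannot be ambiguous.
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def user_tag(user_key: bytes, epoch: int) -> bytes:
    # Assumed tag construction: HMAC(user_key, epoch). Without user_key the
    # tag is indistinguishable from random, so others cannot link entries.
    return hmac.new(user_key, b"tag|%d" % epoch, hashlib.sha256).digest()


class TamperEvidentLog:
    def __init__(self):
        # Each entry: [tag, payload_bytes, prev_hash, entry_hash]
        self.entries = []

    def head(self) -> bytes:
        return self.entries[-1][3] if self.entries else GENESIS

    def append(self, tag: bytes, payload: dict) -> bytes:
        body = json.dumps(payload, sort_keys=True).encode()
        prev = self.head()
        entry_hash = _digest(prev, tag, body)
        self.entries.append([tag, body, prev, entry_hash])
        return entry_hash

    def verify(self) -> bool:
        # Recompute every link from the genesis value; any edited payload,
        # swapped tag or reordered entry breaks the chain.
        prev = GENESIS
        for tag, body, stored_prev, entry_hash in self.entries:
            if stored_prev != prev or _digest(prev, tag, body) != entry_hash:
                return False
            prev = entry_hash
        return True

    def query(self, user_key: bytes, epochs: range) -> list:
        # A user derives their own tags for the epochs of interest and
        # selects matching entries; no one else can compute these tags.
        wanted = {user_tag(user_key, e) for e in epochs}
        return [json.loads(body) for tag, body, _, _ in self.entries if tag in wanted]

    def overwrite_payload(self, index: int, payload: dict) -> None:
        # Simulates an after-the-fact edit of a stored entry (used only to
        # show that verify() detects it).
        self.entries[index][1] = json.dumps(payload, sort_keys=True).encode()


def build_sample_log() -> TamperEvidentLog:
    # Constructed access-request records for two users across two epochs.
    log = TamperEvidentLog()
    log.append(user_tag(ALICE_KEY, 1), {"accessor": "clinic-7", "purpose": "treatment"})
    log.append(user_tag(BOB_KEY, 1), {"accessor": "agency-12", "purpose": "warrant"})
    log.append(user_tag(ALICE_KEY, 2), {"accessor": "lab-3", "purpose": "research"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain valid:", log.verify())
    print("alice sees:", log.query(ALICE_KEY, range(1, 3)))
    print("stranger sees:", log.query(b"not-a-real-key", range(1, 3)))
    log.overwrite_payload(1, {"accessor": "agency-12", "purpose": "edited"})
    print("chain valid after edit:", log.verify())
```

The example shows the two properties separately: `verify()` is a public check that needs no secrets, while `query()` only returns anything useful to the holder of the matching key. A real deployment would additionally need the log to be published or replicated so that a log operator cannot silently rewrite the whole chain, which a single local hash chain by itself does not prevent.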