
2011 | Book

Privacy and Identity Management for Life

Edited by: Jan Camenisch, Simone Fischer-Hübner, Kai Rannenberg

Publisher: Springer Berlin Heidelberg


About this book

At the end of the PrimeLife EU project, a book will contain the main research results. It will address primarily researchers. In addition to fundamental research, it will contain descriptions of best practice solutions.

Table of Contents

Chapter 27. PrimeLife’s Legacy
Abstract
A project’s legacy consists of three main parts: the product legacy, the process legacy, and the people legacy [CHM03]. Most parts of this book deal with the product legacy, i.e., the tangible outcome of PrimeLife in the form of prototypes, demonstrators, the code base, research papers, contributions to standardisation initiatives, heartbeats and deliverables. In addition, project flyers, presentations, a large body of scientific publications, PrimeLife’s website, and other ways of managing the project’s knowledge belong to the product legacy.
Jan Camenisch, Marit Hansen

Introduction

Chapter 1. PrimeLife
Abstract
The Internet continues to be increasingly valuable to individuals, organisations and companies. Web usage for everyday tasks such as shopping, banking, and paying bills is increasing, and businesses and governments are delivering more services and information over the Internet. Users have embraced the Internet for social networking and substantial collaborative works have emerged including Open Source initiatives, collaborative editing of encyclopedias, and self-help groups. Indeed, much of the information that is implicitly exchanged when people meet in person is now exchanged electronically over the Internet.
Andreas Pfitzmann, Katrin Borcea-Pfitzmann, Jan Camenisch

Privacy in Life

Chapter 2. Privacy in Social Software
Abstract
While using social software and interacting with others on the Internet, users share a lot of information about themselves. An important issue for these users is maintaining control over their own personal data and being aware to whom which data is disclosed. In this chapter, we present specific requirements and realised solutions to these problems for two different kinds of social software: social network sites and web forums.
Bibi van den Berg, Stefanie Pötzsch, Ronald Leenes, Katrin Borcea-Pfitzmann, Filipe Beato
Chapter 3. Trustworthiness of Online Content
Abstract
Some decades ago, content on which people base important judgments used to be provided by relatively few, institutional sources like encyclopedias. Since the 1990s the Internet has become an invaluable source of information for a growing number of people. While ten years ago web content was also only provided by a limited number of institutions or individuals, today’s Web 2.0 technologies have enabled nearly every web user to act not only as a consumer, but also as a producer of content. User contribution is at the core of many services available on the Web and, as such, is deeply built into those service architectures. Examples are wikis like Wikipedia, which are entirely based on content contributed by multiple users and modifiable at any time by any of them.
Jan Camenisch, Sandra Steinbrecher, Ronald Leenes, Stefanie Pötzsch, Benjamin Kellermann, Laura Klaming
Chapter 4. Identity and Privacy Issues Throughout Life
Abstract
Much research and development has been done during the past couple of years to assist users in managing their partial identities in the digital world by several types of identity management [BMH05]. A comprehensive privacy-enhancing identity management system would include the following components [CK01]: an Identity Manager (IdM) on the user’s side; IdM support in applications (e.g., at content providers, web shops, etc.); various third-party services (e.g., certification authorities, identity providers).
Jaromir Dobias, Marit Hansen, Stefan Köpsell, Maren Raguse, Arnold Roosendaal, Andreas Pfitzmann, Sandra Steinbrecher, Katalin Storf, Harald Zwingelberg

Mechanisms for Privacy

Chapter 5. Cryptographic Mechanisms for Privacy
Abstract
With the increasing use of electronic media for our daily transactions, we widely distribute our personal information. Once released, controlling the dispersal of this information is virtually impossible. Privacy-enhancing technologies can help to minimise the amount of information that needs to be revealed in transactions, on the one hand, and to limit the dispersal, on the other hand. Unfortunately, these technologies are hardly used today. In this paper, we aim to foster the adoption of such technologies by providing a summary of what they can achieve. We hope that by this, policy makers, system architects, and security practitioners will be able to employ privacy-enhancing technologies.
Jan Camenisch, Maria Dubovitskaya, Markulf Kohlweiss, Jorn Lapon, Gregory Neven
Chapter 6. Transparency Tools
Abstract
The increasing spread of personal information on the Internet calls for new tools and paradigms to complement the concealment and protection paradigms. One such suggested paradigm is transparency and the associated transparency-enhancing tools, making it possible for Data Subjects to track and examine how their data have been used, where they originate, and what personal data about them Data Controllers have stored. One such tool needed in order to track events related to personal data is a log system. Such a log system must be constructed in such a way that it does not introduce new privacy problems. This chapter describes such a log system, which we call a privacy-preserving secure log. It outlines the requirements for the system and describes and specifies a privacy-preserving log system that has been developed and implemented within the PrimeLife project.
Hans Hedbom, Tobias Pulls, Marit Hansen
Chapter 7. Interoperability of Trust and Reputation Tools
Abstract
Reputation systems naturally collect information on who interacts with whom and how satisfied the interaction partners are about the outcome of the interactions. Opinions of and about natural persons are personal data and need to be protected. We elaborate requirements for electronic reputation systems. We focus on security properties, that is, if a system is secure an attacker cannot forge reputation values; further, we elaborate privacy protection goals. A short literature survey on system implementations is given. We discuss interoperability of different reputation providers, that is, how a reputation can be transported from one reputation provider to another. Finally, we show how reputation systems should be integrated in identity management systems.
Sandra Steinbrecher, Stefan Schiffner
Chapter 8. Data Privacy
Abstract
In today’s globally interconnected society, a huge amount of data about individuals is collected, processed, and disseminated. Data collections often contain sensitive personally identifiable information that needs to be adequately protected against improper disclosure. In this chapter, we describe novel information-theoretical privacy metrics, necessary to measure the privacy degree guaranteed by a published dataset. We then illustrate privacy protection techniques, based on fragmentation, that can be used to protect sensitive data and sensitive associations among them.
Michele Bezzi, Sabrina De Capitani di Vimercati, Sara Foresti, Giovanni Livraga, Stefano Paraboschi, Pierangela Samarati
Chapter 9. Selective Exchange of Confidential Data in the Outsourcing Scenario
Abstract
The evolution of information and communication technologies (ICTs) has introduced new ways for sharing and disseminating user-generated content through remote storage, publishing, and dissemination services. From an enterprise-oriented point of view, these services offer cost-effective and reliable data storage features that any organisation can take advantage of without long setup delays and capital expenses. Also, from an end-user point of view, distributed and shared data storage services offer considerable advantages in terms of reliability and constant availability of data. While on the one hand data sharing services encourage and enhance collaboration among users, on the other hand they need to provide proper protection of data, possibly enforcing access restrictions defined by the data owner. In this chapter, we present an approach for allowing users to delegate to an external service the enforcement of the access control policy on their resources, while at the same time not requiring complete trust in the external service. Our solution relies on the translation of the access control policy into an equivalent encryption policy on resources, and on a hierarchical key structure that exploits the relationships between groups of users. In this way, we limit both the number of keys to be maintained and the amount of encryption to be performed, while keeping good flexibility with respect to policy updates and revocations.
Sabrina De Capitani di Vimercati, Sara Foresti, Stefano Paraboschi, Gerardo Pelosi, Pierangela Samarati

HCI

Chapter 10. PET-USES
Abstract
This chapter describes the PET-USES [Privacy-Enhancing Technology Users’ Self-Estimation Scale], a questionnaire that enables users to evaluate PET User Interfaces [UIs] for their overall usability and to measure six different PET aspects. The objective of this chapter is to outline the creation and the background of the PET-USES questionnaire and invite the usability community to not only use the test but also contribute to the further development of the PET-USES. This text is an excerpt of [WWK10] which additionally contains a more elaborate description of the rationale behind the PET-USES.
Erik Wästlund, Peter Wolkerstorfer
Chapter 11. HCI for PrimeLife Prototypes
Abstract
User-centered design (UCD) processes need to be further extended to the field of privacy-enhancing technologies (PETs). The goal of the UCD process for PETs is to provide a means for users that empowers them to manage their privacy on the Web. Taking care of privacy and being careful while surfing the Web are still considered to be cumbersome and time-consuming activities. Hence, PrimeLife aspires to provide easy-to-use tools for users to manage their privacy. This chapter describes the challenges in UCD that arose during the development of the PrimeLife prototypes. As part of the HCI activities in the PrimeLife project, we have researched users’ attitudes towards privacy and discovered the main challenges when developing user-friendly PETs. We use two example prototypes to explain how the challenges can be tackled in practice. In general, PETs should neither require much of the user’s attention and time, nor should they require particular technical knowledge. They should, in fact, present the complex methods of privacy-enhancing technologies in an easy, understandable and usable way. We will conclude this chapter with a discussion of our findings and implications for further development of user-centered privacy-enhancing technologies.
Cornelia Graf, Peter Wolkerstorfer, Christina Hochleitner, Erik Wästlund, Manfred Tscheligi
Chapter 12. The Users’ Mental Models’ Effect on their Comprehension of Anonymous Credentials
Abstract
Anonymous Credentials are a key technology for enforcing data minimisation for online applications. The design of easily understandable user interfaces for the use of anonymous credentials is however a major challenge, as end users are not yet familiar with this rather new and complex technology and no obvious real-world analogies exist for them. In this chapter, we analyse what effects the users’ mental models have on their understanding of the data minimization property of anonymous credentials in the context of an e-Shopping application scenario. In particular, we have investigated the effects of the mental models of a card-based user interface approach and an attribute-based user interface approach and compared these in terms of errors of omission and addition. The results show that the card-based approach leads to significantly more errors of addition (i.e., users believe that they have disclosed more information than they actually have) whereas the attribute-based approach leads to more errors of omission (i.e., users underestimate the amount of data that they have disclosed).
Erik Wästlund, Simone Fischer-Hübner
Chapter 13. Trust and Assurance HCI
Abstract
In this chapter, we present our HCI (Human Computer Interaction) work for mediating the degree of trustworthiness of services’ sides to end users and for enhancing their trust in PrimeLife-enabled applications. For this, we will present the user interface development work of a trust evaluation function and the PrimeLife Data Track.
Simone Fischer-Hübner, Hans Hedbom, Erik Wästlund
Chapter 14. HCI for Policy Display and Administration
Abstract
The PrimeLife Policy Language (PPL) has the objective of helping end users make the data handling practices of data controllers more transparent, allowing them to make well-informed decisions about the release of personal data in exchange for services. In this chapter, we present our work on user interfaces for the PPL policy engine, which aims at displaying the core elements of a data controller’s privacy policy in an easily understandable way as well as displaying how far it corresponds with the user’s privacy preferences. We also show how privacy preference management can be simplified for end users.
Julio Angulo, Simone Fischer-Hübner, Tobias Pulls, Ulrich König
Chapter 15. Privacy Policy Icons
Abstract
Many individuals are not aware of who is collecting and handling their personal data for what purpose. Usually privacy policies are too long, too complicated to understand, and reading them is hardly appealing. To improve the awareness and comprehension of individuals on what is happening with their personal data, privacy icons are being proposed. The PrimeLife project has developed icon sets for different use cases such as e-commerce, social networks and handling of emails. It conducted user tests and an online survey to analyse how well users understand what the privacy icons should express. This section summarises the findings of PrimeLife’s work on privacy icons.
Leif-Erik Holtz, Harald Zwingelberg, Marit Hansen

Policy Languages

Chapter 16. Policy Requirements and State of the Art
Abstract
The design and implementation of a versatile privacy policy language is one of the core activities in the PrimeLife project. Policy languages are a crucial tool in any privacy-aware information infrastructure. Machine-interpretable languages have a major advantage over natural languages in that, if designed properly, they allow automated negotiation, reasoning, composition, and enforcement of policies. The requirements are the first step in the development of such a language. The methodology was to collect use case scenarios and derive concrete requirements from them. This chapter presents those requirements independently; they are not derived from research work other than the PrimeLife study itself.
Carine Bournez, Claudio A. Ardagna
Chapter 17. Matching Privacy Policies and Preferences: Access Control, Obligations, Authorisations, and Downstream Usage
Abstract
This chapter describes how users’ privacy preferences and services’ privacy policies are matched in order to decide whether personal data can be shared with services. Matching has to take into account data handling, i.e., do services handle collected data in a suitable way according to user expectations, and access control, i.e., does the service that will be granted access to the data comply with user expectations. Whereas access control describes the conditions that have to be fulfilled before data is released, data handling describes how the data has to be treated after it is released. Data handling is specified as obligations that must be fulfilled by the service and authorisations that may be used by the service. An important aspect of authorisation, especially in light of the current trend towards composed web services (so-called mash-ups), is downstream usage, i.e., with whom and under which data handling restrictions data can be shared.
Laurent Bussard, Gregory Neven, Franz-Stefan Preiss
Chapter 18. Advances in Access Control Policies
Abstract
This chapter presents the results of the research on how the current standards for access control policies can be extended. In particular, Section 18.1 illustrates how privacy issues can be effectively tackled by means of a credential-based access control that includes anonymous credentials. Section 18.2 shows how the expressivity of policy languages can be exploited to introduce ontologies that model credential taxonomies and the relations among them, with a particular stress on the support for delegation mechanisms. Section 18.3 investigates the privacy issues that arise in those access control systems that are enriched with a dialog framework that enables servers to publish their policies. Finally, Section 18.4 maps these proposals onto a set of possible extensions of the architecture of the current de facto standard in access control policy languages: XACML.
Claudio A. Ardagna, Sabrina De Capitani Di Vimercati, Gregory Neven, Stefano Paraboschi, Eros Pedrini, Franz-Stefan Preiss, Pierangela Samarati, Mario Verdicchio
Chapter 19. Legal Policy Mechanisms
Abstract
Transparency is one of the core principles of data protection legislation in Europe, beyond Europe and all around the world. The European understanding is different from the American one, as the European understanding is that individuals should be aware of ‘who knows what about them.’ Often enough, the establishment of the European understanding is hard to enact, enforce and, above all, make understandable to the user, because the user is confronted with a multitude of different purposes for data handling, often hidden in the lengthy legal text of privacy notices, especially when surfing the web. Therefore, a number of approaches are currently trying to tackle this problem by offering the user tools and mechanisms for a better understanding of what is happening with their data. The work presented in this chapter is an outcome of PrimeLife’s research on Next Generation Policies; it aims at a better understanding of the legal aspects of the processing of personal data, by looking at the current status of this processing in different contexts and structuring these.
Leif-Erik Holtz, Jan Schallaböck
Chapter 20. Policy Implementation in XACML
Abstract
This chapter presents the implementation details of the PrimeLife policy engine (called the PPL engine). This engine is primarily in charge of interpreting the policies and the preferences defined by the Data Controllers and the Data Subjects. Additionally, this engine is responsible for the enforcement of the privacy rules specified by the user. The enforcement is characterised by the application of the access control rules, the execution of the obligations and the generation/verification of the cryptographic proofs related to the credentials. In this chapter we describe the architecture of this engine, the structure of the policy language, and finally the data model of the implementation.
Slim Trabelsi, Akram Njeh

Infrastructures for Privacy and Identity Management

Chapter 21. Privacy for Service Oriented Architectures
Abstract
This chapter describes requirements for privacy in service-oriented architectures. It collects 39 legal and technical requirements, grouped into five categories. These requirements are the starting point for a technical framework that brings privacy-enhanced data handling to multi-layered, multi-domain service compositions. We describe an abstract framework that is technology agnostic and allows for late adoption also in already existing SOA applications. We describe the general building blocks that are necessary on a PII provider’s side and on a PII consumer’s side. Finally, we look at the technical implementation of a very common, yet complicated aspect: the composition of policies when composing information artifacts. We describe how the composition of data influences the composition of policies.
Ulrich Pinsdorf, Laurent Bussard, Sebastian Meissner, Jan Schallaböck, Stuart Short
Chapter 22. Privacy and Identity Management on Mobile Devices: Emerging Technologies and Future Directions for Innovation
Abstract
Secure Elements have been around as identity providing modules in Mobile Services since the creation of the Mobile Phone Industry. With an increasingly dynamic environment of Mobile Services and multiple Mobile Devices, however, and with an ever changing ecosystem, characterized by new value chain entrants, new (partial) identities need to be provided for the end users. Here, emerging Secure Elements such as Stickers and Secure SD cards can be leveraged in addition to the omnipresent SIM card / UICC. For future services though, even more flexible, secure and privacy enhanced Secure Elements, such as Trusted Execution Environments can be expected. They are needed to cope with an ever more dynamic Mobile Services environment that depends upon reliable, partial identities of the end users and increasingly calls for privacy and security measures. This chapter elaborates upon the emerging and future Secure Element technologies for Mobile Devices. These technologies shall allow an increasingly dynamic creation of services between front-end Mobile Devices and back-end Servers. The Chapter sets the current developments of the ecosystem for Mobile Services into perspective with the needed technologies, reflects on the contributions of the PrimeLife project and draws attention towards the still needed future directions of innovation.
M. Bergfeld, S. Spitz
Chapter 23. Privacy by Sustainable Identity Management Enablers
Abstract
Telcos face an elementary change in their traditional business model. The reasons for this are manifold: tougher regulations, new technology (most notably VoIP and open spectrum), matured core business markets (voice and messaging), new market entrants, and advancing customer demands and expectations. A potential direction of this change is business models that concentrate on the exploitation and monetisation of the huge amount of customer data that results from the usage of traditional communication services (data, voice). Based on these data, telcos’ longstanding relationships with their customers, and their infrastructural assets and capabilities, telcos are a reasonable candidate for assuming the role of identity management service providers (IdMSPs). This chapter describes a method to evaluate privacy-enhancing IdM services from the perspective of a telco acting as a prospective IdM service provider. The basis for the evaluation method is formed by the concept of Identity Management Enablers, which are used to analyse and describe the services and scenarios on which the decision-supporting method is based.
Sascha Koschinat, Gökhan Bal, Christian Weber, Kai Rannenberg

Privacy Live

Chapter 24. Open Source Contributions
Abstract
Privacy protection tools can be characterised by the number of parties that have to cooperate so that the tools work and achieve the desired effect [Pfi01]: Some privacy protection tools can be used stand-alone, without the need for the cooperation of other parties. Others require that the communication partners use the same tools. Some tools only function when being supported by an appropriate infrastructure that quite often is currently not in place.
Jan Camenisch, Benjamin Kellermann, Stefan Köpsell, Stefano Paraboschi, Franz-Stefan Preiss, Stefanie Pötzsch, Dave Raggett, Pierangela Samarati, Karel Wouters
Chapter 25. Contributions to Standardisation
Abstract
Standardisation has many goals and facets: standards are used for consumer protection to achieve a minimum quality of certain products and services; standards lead to lower cost because of a unified, higher-volume market; and standards also support the interoperability that is vitally needed in ICT.
Hans Hedbom, Jan Schallaböck, Rigo Wenning, Marit Hansen
Chapter 26. Best Practice Solutions
Abstract
The PrimeLife project has worked in various areas of privacy and identity management. Some are mainly relevant for researchers, some for practitioners in the application field, and yet others tackle upcoming policy issues that yield recommendations for policy makers. The following sections point out specific findings and results of the PrimeLife project: Firstly, we address industry as being representative for application development and service provisioning. Secondly, we give recommendations to policy makers on the European, international or national level. Finally, we show bits and pieces of PrimeLife’s legacy and sketch possible ways in which they may be picked up and developed further. Note that we can only present a small part of PrimeLife’s outcome here – we had to select some of the most interesting best practice solutions that serve as examples of how PrimeLife’s results are potentially valuable for other stakeholders.
Marit Hansen
Metadata
Title
Privacy and Identity Management for Life
Edited by
Jan Camenisch
Simone Fischer-Hübner
Kai Rannenberg
Copyright year
2011
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-20317-6
Print ISBN
978-3-642-20316-9
DOI
https://doi.org/10.1007/978-3-642-20317-6