nach oben

Erschienen in:

2024 | OriginalPaper | Buchkapitel

Secure and Privacy-Preserving Authentication for Data Subject Rights Enforcement

verfasst von : Malte Hansen, Andre Büttner

Erschienen in: Privacy and Identity Management. Sharing in a Digital World

Verlag: Springer Nature Switzerland

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In light of the GDPR, data controllers (DC) need to allow data subjects (DS) to exercise certain data subject rights. A key requirement here is that DCs can reliably authenticate a DS. Due to a lack of clear technical specifications, this has been realized in different ways, such as by requesting copies of ID documents or by email address verification. However, previous research has shown that this is associated with various security and privacy risks and that identifying DSs can be a non-trivial task. In this paper, we review different authentication schemes and propose an architecture that enables DCs to authenticate DSs with the help of independent Identity Providers in a secure and privacy-preserving manner by utilizing attribute-based credentials and eIDs. Our work contributes to a more standardized and privacy-preserving way of authenticating DSs, which will benefit both DCs and DSs.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Towards Privacy-Preserving Machine Learning in Sovereign Data Spaces: Opportunities and Challenges

Nächstes Kapitel A Privacy-Preserving Approach to Vehicle Renting and Driver Accountability in VANETs

At the time of writing.

Alonso, Á., et al.: Enhancing university services by extending the eIDAS European specification with academic attributes. Sustainability 12(3), 770 (2020)CrossRef

Avellaneda, O., et al.: Decentralized identity: where did it come from and where is it going? IEEE Commun. Stand. Maga. 3(4), 10–13 (2019)CrossRef

Berbecaru, D., Lioy, A., Cameroni, C.: Electronic identification for universities: building cross-border services based on the eIDAS infrastructure. Information 10(6), 210 (2019)CrossRef

Boniface, C., Fouad, I., Bielova, N., Lauradoux, C., Santos, C.: Security analysis of subject access request procedures: how to authenticate data subjects safely when they request for their data. In: Naldi, M., Italiano, G., Rannenberg, K., Medina, M., Bourka, A. (eds.) Privacy Technologies and Policy: 7th Annual Privacy Forum, APF 2019, Rome, Italy, 13–14 June 2019, Proceedings, vol. 7, pp. 182–209. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-21752-5_12

Cagnazzo, M., Holz, T., Pohlmann, N.: Gdpirated–stealing personal information on-and offline. In: Sako, K., Schneider, S., Ryan, P. (eds.) ESORICS 2019, pp. 367–386. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-29962-0_18

Di Martino, M., Meers, I., Quax, P., Andries, K., Lamotte, W.: Revisiting identification issues in GDPR ‘Right Of Access’ policies: a technical and longitudinal analysis. Proc. Priv. Enhan. Technol. 2022(2), 95–113 (2022)

Di Martino, M., Robyns, P., Weyts, W., Quax, P., Lamotte, W., Andries, K.: Personal information leakage by abusing the GDPR ‘Right of Access’. In: Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019) (2019)

EDBP: Dutch SA fines DPG Media Magazines for unnecessarily requesting copies of identity documents | European Data Protection Board (2022). https://edpb.europa.eu/news/national-news/2022/dutch-sa-fines-dpg-media-magazines-unnecessarily-requesting-copies-identity_en

Engelbertz, N., Erinola, N., Herring, D., Somorovsky, J., Mladenov, V., Schwenk, J.: Security analysis of \(\{\)eIDAS\(\}\)–The \(\{\)Cross-Country\(\}\) authentication scheme in Europe. In: 12th USENIX Workshop on Offensive Technologies (WOOT 18) (2018)

10.

ENISA: Engineering Personal Data Sharing. https://www.enisa.europa.eu/publications/engineering-personal-data-sharing

11.

European Commission: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity. https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52021PC0281, sEC(2021) 228 final - SWD(2021) 124 final - SWD(2021) 125 final

12.

European Commission: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on European data governance (Data Governance Act), cOM/2020/767 final

13.

European Commission: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on harmonised rules on fair access to and use of data (Data Act), sEC(2022) 81 final - SWD(2022) 34 final - SWD(2022) 35 final

14.

European Commission: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. http://data.europa.eu/eli/reg/2014/910/oj

15.

European Commission: European data strategy – Making the EU a role model for a society empowered by data (2022). https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/european-data-strategy_en

16.

European Commission: EU Digital Identity Wallet Pilot implementation (2023). https://digital-strategy.ec.europa.eu/en/policies/eudi-wallet-implementation

17.

European Commission: The Common Union Toolbox for a Coordinated Approach Towards a European Digital Identity Framework (2023). https://ec.europa.eu/newsroom/dae/redirection/document/93678

18.

European Parliament and Council: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 &from=EN

19.

Gaw, S., Felten, E.W.: Password management strategies for online accounts. In: Proceedings of the Second Symposium on Usable Privacy and Security, pp. 44–55 (2006)

20.

Gerakos, K., Maliappis, M., Costopoulou, C., Ntaliani, M.: Electronic authentication for university transactions using eIDAS. In: Katsikas, S., Zorkadis, V. (eds.) E-Democracy–Privacy-Preserving, Secure, Intelligent E-Government Services: 7th International Conference, E-Democracy 2017, Athens, Greece, 14–15 December 2017, Proceedings, vol. 7. pp. 187–195. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-71117-1_13

21.

Hansen, M., Gruschka, N., Jensen, M.: A universal data model for data sharing under the european data strategy (2023)

22.

Hansen, M., Gruschka, N., Jensen, M.: Introducing the concept of data subject rights as a service under the GDPR (2023)

23.

Hansen, M., Jensen, M.: A generic data model for implementing right of access requests. In: Gryszczynska, A., Polanski, P., Gruschka, N., Rannenberg, K., Adamczyk, M. (eds.) APF 2022, vol. 13279, pp. 3–22. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-07315-1_1

24.

Hardt, D.: The OAuth 2.0 Authorization Framework. RFC 6749 (2012). https://doi.org/10.17487/RFC6749. https://www.rfc-editor.org/info/rfc6749

25.

Khayretdinova, A., Kubach, M., Sellung, R., Roßnagel, H.: Conducting a usability evaluation of decentralized identity management solutions. In: Selbstbestimmung, Privatheit und Datenschutz: Gestaltungsoptionen für einen europäischen Weg, pp. 389–406. Springer, Fachmedien Wiesbaden Wiesbaden (2022)

26.

Lauradoux, C.: Can authoritative governments abuse the right to access? In: Gryszczynska, A., Polanski, P., Gruschka, N., Rannenberg, K., Adamczyk, M. (eds.) APF 2022, vol. 13279, pp. 23–33. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-07315-1_2

27.

Lips, S., Bharosa, N., Draheim, D.: eIDAS implementation challenges: the case of Estonia and the Netherlands. In: Chugunov, A., Khodachek, I., Misnikov, Y., Trutnev, D. (eds.) EGOSE 2022, vol. 1349, pp. 75–89. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-67238-6_6

28.

Mühle, A., Grüner, A., Gayvoronskaya, T., Meinel, C.: A survey on essential components of a self-sovereign identity. Comput. Sci. Rev. 30, 80–86 (2018)CrossRef

29.

OASIS Open: SAML Version 2.0 Errata 05 (2012). http://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html

30.

Papadamou, K., et al.: Killing the password and preserving privacy with device-centric and attribute-based authentication. IEEE Trans. Inf. Forensics Secur. 15, 2183–2193 (2019)CrossRef

31.

Pavur, J., Knerr, C.: GDPARRRRR: using privacy laws to steal identities. arXiv preprint arXiv:1912.00731 (2019)

32.

Preukschat, A., Reed, D.: Self-sovereign identity. Manning Publications (2021)

33.

Purtova, N.: From knowing by name to targeting: the meaning of identification under the GDPR. Int. Data Priv. Law 12(3), 163–183 (2022)CrossRef

34.

Sabouri, A., Rannenberg, K.: ABC4Trust: protecting privacy in identity management by bringing privacy-ABCs into real-life. In: Camenisch, J., Fischer-Hubner, S., Hansen, M. (eds.) Privacy and Identity Management for the Future Internet in the Age of Globalisation: 9th IFIP WG 9.2, 9.5, 9.6/11.7, 11.4, 11.6/SIG 9.2. 2 International Summer School, Patras, Greece, 7–12 September 2014, Revised Selected Papers, vol. 9, pp. 3–16. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-319-18621-4_1

35.

Sakimura, N., Bradley, J., Jones, M.: Final: OpenID Connect Core 1.0 incorporating errata set 1 (2014). https://openid.net/specs/openid-connect-core-1_0.html

36.

Satybaldy, A.: Usability evaluation of SSI digital wallets. In: Bieker, F., Meyer, J., Pape, S., Schiering, I., Weich, A. (eds.) IFIP International Summer School on Privacy and Identity Management, pp. 101–117. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-31971-6_9

37.

Sharif, A., Ranzi, M., Carbone, R., Sciarretta, G., Marino, F.A., Ranise, S.: The eIDAS regulation: a survey of technological trends for European electronic identity schemes. Appl. Sci. 12(24), 12679 (2022)CrossRef

38.

Tsakalakis, N., O’hara, K., Stalla-Bourdillon, S.: Identity assurance in the UK: technical implementation and legal implications under the eIDAS Regulation. In: Proceedings of the 8th ACM Conference on Web Science, pp. 55–65 (2016)

39.

Urban, T., Tatang, D., Degeling, M., Holz, T., Pohlmann, N.: A study on subject data access in online advertising after the GDPR. In: Data Privacy Management, Cryptocurrencies and Blockchain Technology: ESORICS 2019 International Workshops, DPM 2019 and CBT 2019, Luxembourg, 26–27 September 2019, Proceedings 14, pp. 61–79. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-31500-9_5

Titel: Secure and Privacy-Preserving Authentication for Data Subject Rights Enforcement
verfasst von: Malte Hansen
Andre Büttner
Verlag: Springer Nature Switzerland
Buch: Privacy and Identity Management. Sharing in a Digital World
Print ISBN: 978-3-031-57977-6

Electronic ISBN: 978-3-031-57978-3

Copyright-Jahr: 2024
DOI: https://doi.org/10.1007/978-3-031-57978-3_12

Premium Partner

Bildnachweise

Rittal/© Rittal, NTT Data/© NTT Data, Wildix/© Wildix, Ceyoniq Technology GmbH/© Ceyoniq Technology GmbH, arvato Systems GmbH/© arvato Systems GmbH, Ninox Software GmbH/© Ninox Software GmbH, Everyday Software S.L./© Everyday Software S.L., Redgate/© Redgate, CELONIS Labs GmbH, DC-Datacenter-Group GmbH/© DC-Datacenter-Group GmbH, all for one/© all for one, G Data CyberDefense/© G Data CyberDefense, FAST LTA/© FAST LTA, Vendosoft/© Vendosoft, Kumavision/© Kumavision, Noriis Network AG/© Noriis Network AG, WSW Software GmbH/© WSW Software GmbH

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"