Annual Workshop, February 5th, 2014. A Formal Approach to Analyze Privacy in Electronic Services, MSEC...
TRANSCRIPT
[Koen Decroix – MSEC - KU Leuven]
A Formal Approach to Analyze Privacy in Electronic Services
MSEC, Koen Decroix
Outline
• Introducing Privacy in Loyalty Services
• Conceptual model of inShopnito
• Framework for Formal Reasoning on Privacy
• Privacy Analysis of inShopnito
• Conclusions
… Max Schrems, an Austrian student, did!
Now he is suing Facebook over its data practices regarding the personal data it collected about him.
Authenticate
Share your shopping activities with friends on Facebook
For the convenience of their customers, loyalty services evolved to electronic services integrated with other online (third-party) services. Is this the full story?
When registering to such services, you agreed with their terms and policies and gave them your consent for collecting, processing, and forwarding your personal data.
Not transparent to users
Your past online activities leave non-erasable, possibly harmful, traces behind and might get spread around.
Citizens must be protected against these data practices.
This is where the European data protection legislation comes into play.
Privacy analysis is based on user profiles built from the formal models. Its feedback must be useful for system designers and users as well.
From specifications of service providers’ data practices (= service policies), we can derive that …
… but looking into more detail …
[Figure: architecture of the framework for formal reasoning on privacy; labels recovered from the diagram]
• Logic Component: Vocabulary (Concepts), Behavior, Inference Rules
• System Independent Model
• Input Model
– Identifiability Model
– User Model: Trust Perception, Credentials, Profiles, Identities, Pseudonyms, Initial State
– System Model: Organizations, Services, Service Policies (Access Control, Storage, Distribution)
• Output: Theory
inShopnito modeled for two user types
User type 1: No trust in organizations
User type 2: Trusts
• Grocery Store
• Loyalty Program Provider
• inShopnito
Advertisers are not trusted
Loyalty credential: Idemix (what if X509 is used?)
Linkabilities in inShopnito (Scan Product)

| Organization     | No Collab | No Collab | GS <-> LP | X509  |
|------------------|-----------|-----------|-----------|-------|
| Grocery Store    | Anon      | Pseudo    | Pseudo    | Ident |
| inShopnito       | Anon      | Pseudo    | Pseudo    | Ident |
| Loyalty Provider | Anon      | Pseudo    | Pseudo    | Ident |
| Advertiser       | Anon      | Pseudo    | Pseudo    | Ident |
Detect Violations in inShopnito
Advertisers are not allowed to have the customer's:
1. Name
2. Address
3. eMail address
Violations of rules 1, 2 and 3 are found only when an X509 certificate is used in the user model.
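As an added illustration (not the authors' framework, its inference rules, or any code from the slides): a toy Python model of the linkability table and the violation check above. The organizations, attribute names, forwarding links and credential behaviour are assumptions; the model derives Anon/Pseudo/Ident per organization from the credential type, the attributes the user reveals and any collaborations, and flags an advertiser that ends up holding name, address or e-mail.

```python
# Constructed toy model of the linkability and violation analysis shown on the slides.
# It is not the authors' framework or its inference rules; the organization names,
# attribute names and forwarding links below are assumptions chosen for illustration.

IDENTIFYING = {"name", "address", "email"}   # attributes that identify the customer
PSEUDONYMS = {"loyalty_id"}                  # attributes that only link transactions
ORGS = ("Grocery Store", "Loyalty Provider", "inShopnito", "Advertiser")
# Rule from the slides: advertisers may not hold the customer's name, address or e-mail.
RULES = {"Advertiser": IDENTIFYING}
# Assumed distribution policies: which organization forwards its profile to which.
FORWARDING = {"Grocery Store": {"Loyalty Provider"}, "Loyalty Provider": {"inShopnito"},
              "inShopnito": {"Advertiser"}}

def show_credential(credential, reveal):
    """Attributes disclosed at product scan: Idemix discloses only the selected ones,
    an X509 certificate always reveals everything it certifies (assumed: all four)."""
    return IDENTIFYING | PSEUDONYMS if credential == "x509" else set(reveal)

def build_profiles(credential, reveal, collaborations):
    """Spread disclosed attributes along forwarding links and pooled (collaborating) profiles."""
    profiles = {org: set() for org in ORGS}
    profiles["Grocery Store"] |= show_credential(credential, reveal)
    changed = True
    while changed:                       # iterate to a fixed point
        changed = False
        for src, dsts in FORWARDING.items():
            for dst in dsts:
                if not profiles[src] <= profiles[dst]:
                    profiles[dst] |= profiles[src]
                    changed = True
        for a, b in collaborations:
            pooled = profiles[a] | profiles[b]
            if pooled != profiles[a] or pooled != profiles[b]:
                profiles[a], profiles[b] = set(pooled), set(pooled)
                changed = True
    return profiles

def linkability(attrs):
    # Same three levels as the linkability table: Anon / Pseudo / Ident
    if attrs & IDENTIFYING:
        return "Ident"
    return "Pseudo" if attrs & PSEUDONYMS else "Anon"

def analyze(credential, reveal=("loyalty_id",), collaborations=()):
    """Return the linkability per organization and the rule violations found."""
    profiles = build_profiles(credential, reveal, collaborations)
    levels = {org: linkability(attrs) for org, attrs in profiles.items()}
    found = {org: sorted(profiles[org] & forbidden)
             for org, forbidden in RULES.items() if profiles[org] & forbidden}
    return levels, found
```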
• It is a formal approach to analyze privacy
– power to prove properties
• Approach is useful during service design
– privacy by design is one of the principles in the EU reform of data protection legislation.
– analyzing linkabilities, collaborations, attributes in user profiles.
– verifying compliance with legislative and corporate level rules (detecting violations).
• Approach is useful for education of people
– in the EU reform of data protection, authorities get the task of educating people. E.g., model a user that participates in a survey about Facebook. Afterwards, perform a privacy analysis based on his assumptions and present him the difference between what he thinks and what can happen.