privacy and identity management for life978-3-642-20317-6/1.pdf · achieved by prime to address...
TRANSCRIPT
Privacy and Identity Management for Life
Jan Camenisch • Simone Fischer-Hübner
Editors Privacy and Identity
or Life
Kai Rannenberg
Mangement f
Editors Jan Camenisch Simone Fischer-Hübner
Sweden
Kai Rannenberg
ISBN 978-3-642-20316-9 e-ISBN 978-3-642-20317-6 DOI 10.1007/978-3-642-20317-6 Springer Heidelberg Dordrecht London New York
Springer-Verlag Berlin Heidelberg 2011 This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
Cover design: deblik, Berlin
Printed on acid-free paper Springer is part of Springer Science+Business Media (www.springer.com)
Springer. Violations are liable to prosecution under the German Copyright Law.
casting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broad-
publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from
protective laws and regulations and therefore free for general use.
The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
Library of Congress Control Number: 2011930188
IBM Research - Zürich
Switzerland
Goethe University Frankfurt
SecurityGrueneburgplatz 160629 Frankfurt/[email protected]
65188 Karlstad8803 Rüschlikon
Universitetsgatan 2
T-Mobile Chair of Mobile Business & Multilateral
Säumerstrasse 4
To the memory of our colleague and friend Andreas Pfitzmann
The protection of people’s privacy was dear to Andreas’ heart. He was aninspiration to all of us, and many of the results presented in this book owe to him.
Preface
Publication is a self-invasion of privacy.
Marshall McLuhan
Individuals in the Information Society want to safeguard their autonomy and retaincontrol over their personal information, irrespective of their activities. Informationtechnologies generally do not consider those user requirements, thereby putting theprivacy of the citizen at risk. At the same time, the Internet is changing from a client-server to a collaborative paradigm. Individuals are contributing throughout their lifeleaving a life-long trace of personal data. This raises substantial new privacy chal-lenges.
Saving digital privacy. By 2008, the European project PRIME (Privacy and IdentityManagement for Europe) had demonstrated that existing privacy technologies canenable citizens to execute their legal rights to control their personal informationin on-line transactions. It had raised considerable awareness amongst stakeholdersand has significantly advanced the state of the art in the areas of privacy and identitymanagement. PrimeLife has been building on the momentum created and the resultsachieved by PRIME to address emerging challenges in the areas of privacy andidentity management and really bring privacy and identity management to live:
• A first, short-term goal of PrimeLife was to provide scalable and configurableprivacy and identity management in new and emerging internet services and ap-plications such as virtual communities and Web 2.0 collaborative applications.
• A second, longer-term goal of PrimeLife was to protect the privacy of individualsover their whole span of life. Each individual leaves a multitude of traces duringa lifetime of digital interactions. Technological advancements facilitate extensivedata collection, unlimited storage, as well as reuse and life-long linkage of thesedigital traces.
• A third goal of PrimeLife was to support privacy and identity management byprogressing the state of the art on
– tools guaranteeing privacy and trust,
vii
viii Preface
– the usability experience of privacy and identity management solutions,– security and privacy policy systems, and– privacy-enabling infrastructures.
• The last but certainly important goal of PrimeLife was to disseminate our resultsand enable their use in real life. We organized interdisciplinary Summer Schoolsof Privacy, organized and participated in standardization groups and meetings,and made the source code and documentation of most of our prototypes andimplementations available for free use.
This Book. After more than three years of work in PrimeLife, this book aims at giv-ing an overview of the results achieved. It is therefore structured into an introductionand six parts covering the most important areas of privacy and identity managementconsidering the life of today: Several aspects of “Privacy in Life” are discussed in
on “Infrastructures for Privacy and Identity Management,” before Part VI “PrivacyLive” comes full circle describing how PrimeLife is reaching out to the life of to-day’s and the future’s netizens.
Acknowledgements. Editing and writing a multidisciplinary book like this is notpossible without many contributors that dedicated their knowledge, expertise, and
PrimeLife book, we would like to give a special thanks to:
• The partner organisations and individual researchers in PrimeLife that con-tributed to this book and the underlying PrimeLife deliverables. They come from
• Els van Herreweghen who was instrumental in writing and submitting the project
• The international team of reviewers that as friends of PrimeLife dedicated theirtime to improve and streamline the parts of this book. We are particularlygrateful to Bart De Decker, Ian Glazer, David-Olivier Jaquet-Chiffelle, VaclavMatyas, Vincent Naessens, Lasse Øverlier, Jakob Pagter, Michael Pedersen,Claire Vishik, and Jozef Vyskoc for their most valuable comments and sugges-tions.
• The people who helped to create this book:
– Michelle Cryer for transforming much of the nerds’ English in the draft ver-sions of this book into English.
– The PrimeLife “Activity Leaders” Katrin Borcea-Pfitzmann, Sandra Stein-brecher, Pierangela Samarati, Gregory Neven, Gokhan Bal, and Marit Hansenfor their support and coordination of the respective parts. Gregory also pro-vided the Latex templates and wisdom on how to put the different chapters andparts together into this book.
Part I, followed by Part II “Mechanisms for Privacy”. Part III is dedicated to “Hu-
time to make the work a success. Among the many people that worked on this
proposal and Dieter Sommer who did a wonderful job as coordinator.
seven Member States of the European Union, Switzerland, and the USA.
man Computer Interaction (HCI)”, and Part IV to “Policy Languages”. Part V focuses
Preface ix
– Our colleagues at IBM Research – Zurich, Karlstad University, and GoetheUniversity Frankfurt for keeping our backs covered when we were workingon this book.
– Saskia Werdmuller for the final checking of the manuscript.– Christian Rauscher at Springer for helping us with publication of the book.
• The European Commission for funding PrimeLife and our Project OfficersManuel Carvalhosa and Maria-Concepcion Anton-Garcia, their management,Jacques Bus, Jesus Villasante, Thomas Skordas, Gustav Kalbe, and Dirk vanRooy, and the project reviewers Jean-Marc Dinant, Alberto Escudero-Pascual,and Massimo Felici for most valuable feedback and encouragement.
• Last, but certainly not least, all the members of the PrimeLife Reference Groupfor many inspiring discussions and lots of valuable and helpful feedback.
We hope that this book will contribute to the understanding that digital privacy canbe a reality: Many tools exist and are waiting to be deployed in practice.
Zurich, Karlstad, Frankfurt, Jan CamenischMarch 2011 Simone Fischer-Hubner
Kai Rannenberg
x Preface
List of Contributors to this Book
Stefano Paraboschi, Gerardo Pelosi, Mario VerdicchioUniversita degli Studi di Bergamo, DIIMMViale Marconi 25, Dalmine, I-24044
Cornelia Graf, Christina Hochleitner, Manfred Tscheligi, Peter WolkerstorferCURE – Center for Usability Research and EngineeringModecenterstrasse 17, Vienna, A-1110
Katrin Borcea-Pfitzmann, Jaromir Dobias, Benjamin Kellermann, StefanKopsell, Andreas Pfitzmann, Stefanie Potzsch, Sandra SteinbrecherDresden University of Technology, Department of Computer ScienceNothnitzer Strasse 46, Dresden, D-01187
Marc-Michael Bergfeld, Stephan SpitzGiesecke & DevrientPrinzregentenstrasse 159, Munchen, D-81677
Gokhan Bal, Sascha Koschinat, Kai Rannenberg, Christian WeberGoethe University Frankfurt, T-Mobile Chair of Mobile Business & Multilateral
¨
Jan Camenisch, Maria Dubovitskaya, Gregory Neven, Franz-Stefan PreissIBM Research – ZurichSaumerstrasse 4, Ruschlikon, CH-8803
Julio AnguloKarlstad University, Department of Information SystemsUniversitetsgatan 2, Karlstad, S-65188
Simone Fischer-Hubner, Hans Hedbom, Tobias PullsKarlstad University, Department of Computer ScienceUniversitetsgatan 2, Karlstad, S-65188
Erik WastlundKarlstad University, Department of PsychologyUniversitetsgatan 2, Karlstad, S-65188
Filipe Beato, Markulf Kohlweiss, Jorn Lapon, Stefan Schiffner, Karel WoutersKatholieke Universiteit Leuven, ESAT - COSICKasteelpark Arenberg 10, Leuven, B-3001
Laurent Bussard, Ulrich PinsdorfMicrosoft EMIC
Security Gruneburgplatz 1, Frankfurt/Main, D-60629
Ritterstrasse 23, Aachen, D-52072
Preface xi
Claudio A. Ardagna, Sabrina De Capitani di Vimercati, Sara Foresti, GiovanniLivraga, Eros Pedrini, Pierangela SamaratiUniversita degli Studi di Milano, Dip. di Tecnologie dell’InformazioneVia Bramante 65, Crema, I-26013
Michele Bezzi, Akram Njeh, Stuart Short, Slim TrabelsiSAP Labs France805, Avenue du Docteur Maurice Donat, BP 1216, Mougins Cedex, F-06254
Bibi van den Berg, Laura Klaming, Ronald Leenes, Arnold RoosendaalUniversiteit van Tilburg, TILTPostbus 90153, Tilburg, NL-5000 LE
Marit Hansen, Leif-Erik Holtz, Ulrich Konig, Sebastian Meissner, JanSchallabock, Katalin Storf, Harald ZwingelbergUnabhangiges Landeszentrum fur Datenschutz Schleswig-HolsteinHolstenstrasse 98, Kiel, D-24103
Carine Bournez, Dave Raggett, Rigo WenningWorld Wide Web Consortium (W3C)Route des Lucioles, BP 93, Sophia-Antipolis, F-06902
Contents
Introduction
1 5Andreas Pfitzmann, Katrin Borcea-Pfitzmann, and Jan Camenisch1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51.2 Vision and Objectives of the PrimeLife Project . . . . . . . . . . . . . . . . . 71.3 Defining Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81.4 From Identity via Identity Management to Privacy by Identity
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91.4.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101.4.2 Presentation of Identities – Pseudonyms . . . . . . . . . . . . . . . 131.4.3 Time Aspects of Identity Management and Privacy . . . . . 17
1.5 Further Facets of Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191.6 . . . . . . . . . 20
Part I - Privacy in Life . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221.6.2 221.6.3 231.6.4 Part IV - Policy Languages . . . . . . . . . . . . . . . . . . 241.6.51.6.6 Part VI- Privacy Live . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
References Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Part I Privacy in Life
2 Privacy in Social Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Bibi van den Berg, Stefanie Potzsch, Ronald Leenes, KatrinBorcea-Pfitzmann, and Filipe Beato2.1 Scenarios and Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.1.1 Scenario 1: A Social Network Site . . . . . . . . . . . . . . . . . . . 352.1.2 Scenario 2: A Forum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
xiii
. . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . .. . . . . . . . .
. . . . . . .
.
Identity – What it is
1.6.1PrimeLife’s Contributions to Protect Privacy
PrimeLife . . . . . . . . . . . . . . . . . . . . . . .. . . . .
. . . . . . . . .
Part II - Mechanisms for Privacy
Part V- Infrastructures for Privacy and Identity Managem.en.t . 25
Part III - Human Computer Interaction (HCI)
xiv Contents
2.1.3 General Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362.2 Two Prototypes for Privacy-Enhanced Social Networking . . . . . . . . 37
2.2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372.2.2 Privacy Issues in Social Network Sites . . . . . . . . . . . . . . . . 382.2.3 Clique: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422.2.4 Scramble!: An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
2.3 Privacy-Enhancing Selective Access Control for Forums . . . . . . . . 502.3.1 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502.3.2 Introducing phpBB Forum Software and PRIME
Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512.3.3 Extending phpBB with Selective Access Control . . . . . . . 522.3.4 Scenario Revisited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542.3.5 Privacy-Awareness Information . . . . . . . . . . . . . . . . . . . . . . 552.3.6 User Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
2.4 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592.5 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3 Trustworthiness of Online Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Jan Camenisch, Sandra Steinbrecher, Ronald Leenes, Stefanie Potzsch,Benjamin Kellermann, and Laura Klaming3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613.2 Scenarios and requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.2.1 Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633.2.2 High-level mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 653.2.3 Requirements of mechanisms . . . . . . . . . . . . . . . . . . . . . . . 66
3.3 Experiments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703.3.1 Binding metadata to data . . . . . . . . . . . . . . . . . . . . . . . . . . . 713.3.2 User Reputation and Certification . . . . . . . . . . . . . . . . . . . . 74
3.4 Demonstrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763.4.1 Trustworthy Blogging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763.4.2 Encouraging Comments with Incentives . . . . . . . . . . . . . . . 783.4.3 Author reputation system and trust evaluation of
content in MediaWiki . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803.5 Conclusive Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843.6 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4 Identity and Privacy Issues Throughout Life . . . . . . . . . . . . . . . . . . . . . 87Jaromir Dobias, Marit Hansen, Stefan Kopsell, Maren Raguse, ArnoldRoosendaal, Andreas Pfitzmann, Sandra Steinbrecher, Katalin Storf,and Harald Zwingelberg4.1 Challenges and Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.1.1 Dealing with Dynamics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 874.1.2 Digital Footprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 914.1.3 Concepts for Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.2 Demonstrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 994.2.1 Overview of the Backup Demonstrator Architecture . . . . . 102
Contents xv
4.2.2 Deployment and Usage of the Demonstrator . . . . . . . . . . . 1094.3 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1104.4 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
References Part I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Part II Mechanisms for Privacy
5 Cryptographic Mechanisms for Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 117Jan Camenisch, Maria Dubovitskaya, Markulf Kohlweiss, Jorn Lapon,and Gregory Neven5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1175.2 Cryptography to the Aid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1185.3 Private Credentials, Their Extensions, and Applications . . . . . . . . . 119
5.3.1 Extended Functionalities . . . . . . . . . . . . . . . . . . . . . . . . . . . 1205.3.2 Direct Anonymous Attestation . . . . . . . . . . . . . . . . . . . . . . . 123
5.4 Other Privacy-Enhancing Authentication Mechanisms . . . . . . . . . . 1235.4.1 Privacy-Enhancing Encryption . . . . . . . . . . . . . . . . . . . . . . 126
5.5 Electronic Voting, Polling, and Petitions . . . . . . . . . . . . . . . . . . . . . . 1275.6 Oblivious Transfer with Access Control and Prices . . . . . . . . . . . . . 1285.7 Oblivious Trusted Third Parties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1305.8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
6 Transparency Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135Hans Hedbom, Tobias Pulls, and Marit Hansen6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1356.2 Setting the Scene . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1376.3 On Privacy Preserving and Secure Logs . . . . . . . . . . . . . . . . . . . . . . . 138
6.3.1 Attacker Model and Security Evaluation . . . . . . . . . . . . . . 1396.4 Prior Work and Our Contribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1396.5 Technical Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
6.5.1 State and Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1406.5.2 Entry Structure and Storage . . . . . . . . . . . . . . . . . . . . . . . . . 1416.5.3 API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1426.5.4 Unlinkability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6.6 Conclusion and Outlook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
7 Interoperability of Trust and Reputation Tools . . . . . . . . . . . . . . . . . . . 145Sandra Steinbrecher and Stefan Schiffner7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1457.2 Social need . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1467.3 Legal Aspect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1477.4 Security and Privacy Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 1487.5 Technical Implementability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1497.6 Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
7.6.1 Interoperability with Applications . . . . . . . . . . . . . . . . . . . . 150
xvi Contents
7.6.2 Interoperability with Trust Management . . . . . . . . . . . . . . . 1527.6.3 Interoperability with Identity Management . . . . . . . . . . . . 1537.6.4 Resulting implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
7.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
8 Data Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157Michele Bezzi, Sabrina De Capitani di Vimercati, Sara Foresti,Giovanni Livraga, Stefano Paraboschi, and Pierangela Samarati8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1578.2 Privacy Metrics and Information Theory . . . . . . . . . . . . . . . . . . . . . . 158
8.2.1 Basic Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1598.2.2 Traditional Privacy Metrics . . . . . . . . . . . . . . . . . . . . . . . . . 1608.2.3 An Information Theoretic Approach for Privacy Metrics . 1618.2.4 Protecting Privacy of Sensitive Value Distributions . . . . . . 164
8.3 Privacy Protection Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1658.3.1 Basic Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
8.4 Fragmentation and Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1678.4.1 Fragmentation Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1688.4.2 Minimal Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1698.4.3 Query Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
8.5 Departing from Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1718.5.1 Fragmentation Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1728.5.2 Minimal Fragmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1728.5.3 Query Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
8.6 Preserving Utility in Data Publication . . . . . . . . . . . . . . . . . . . . . . . . 1758.6.1 Visibility Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1758.6.2 Loose Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
8.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
9 Selective Exchange of Confidential Data in the OutsourcingScenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181Sabrina De Capitani di Vimercati, Sara Foresti, Stefano Paraboschi,Gerardo Pelosi, and Pierangela Samarati9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1819.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1839.3 Encryption Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
9.3.1 Key Agreement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1849.3.2 Key Derivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1859.3.3 Encryption Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
9.4 Resource Sharing Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1899.5 Comparison with the PGP’s Key-Management Strategy . . . . . . . . . 1919.6 Exposure Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
9.6.1 Anonymous Accesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1929.7 Encryption Policy Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
9.7.1 Two-Layered Encryption Model . . . . . . . . . . . . . . . . . . . . . 1959.7.2 Over-Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Contents xvii
9.7.3 Collusion Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1969.8 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
References Part II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
10 PET-USES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213Erik Wastlund and Peter Wolkerstorfer10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21310.2 PET-USES in Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
10.2.1 When to use the PET-USES . . . . . . . . . . . . . . . . . . . . . . . . . 21610.2.2 How to use the PET-USES . . . . . . . . . . . . . . . . . . . . . . . . . . 216
10.3 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21710.4 Appendix: PET-USES[1.0] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
10.4.1 Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
11 HCI for PrimeLife Prototypes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221Cornelia Graf, Peter Wolkerstorfer, Christina Hochleitner, ErikWastlund, and Manfred Tscheligi11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22111.2 Overview of HCI challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
11.2.1 Challenge 1: Limited User Knowledge of PETs . . . . . . . . 22211.2.2 Challenge 2: Technologically Driven Development of
PETs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22311.2.3 Challenge 3: Understanding PET Related Terms . . . . . . . . 22311.2.4 Challenge 4: Wrong Mental Models of PETs . . . . . . . . . . . 22311.2.5 Challenge 5: Privacy as a Secondary Task . . . . . . . . . . . . . 22411.2.6 Challenge 6: Complex Mechanisms are Hard to
Understand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22511.3 Tackling the Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
11.3.1 Limited User Knowledge of PETs . . . . . . . . . . . . . . . . . . . . 22511.3.2 Technologically Driven Development of PETs . . . . . . . . . 22611.3.3 Understanding of PET Related Terms . . . . . . . . . . . . . . . . . 22611.3.4 Wrong Mental Models of PETs . . . . . . . . . . . . . . . . . . . . . . 22711.3.5 Privacy as a Secondary Task . . . . . . . . . . . . . . . . . . . . . . . . 22711.3.6 Complex Mechanisms are Hard to Understand . . . . . . . . . 228
11.4 HCI Activities and Software Development . . . . . . . . . . . . . . . . . . . . 22811.4.1 Backup Prototype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22811.4.2 Privacy Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22911.4.3 Examples Reflected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
11.5 Discussion and Outlook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Part III Human Computer I nteraction (HCI)
xviii Contents
12 The Users’ Mental Models’ Effect on their Comprehension ofAnonymous Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233Erik Wastlund and Simone Fischer-Hubner12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
12.1.1 Anonymous Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23412.1.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
12.2 Performed User Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23612.2.1 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23612.2.2 The Card-Based Approach . . . . . . . . . . . . . . . . . . . . . . . . . . 23812.2.3 The Attribute-Based Approach . . . . . . . . . . . . . . . . . . . . . . 24012.2.4 Results of the User Studies . . . . . . . . . . . . . . . . . . . . . . . . . . 242
12.3 Conclusions & Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24212.4 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
13 Trust and Assurance HCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245Simone Fischer-Hubner, Hans Hedbom, and Erik Wastlund13.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24513.2 Social Trust Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24613.3 A Trust Evaluation Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
13.3.1 Trust Parameters Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24713.3.2 Design Principles and Test Results . . . . . . . . . . . . . . . . . . . 24913.3.3 Test Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
13.4 The Data Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25313.4.1 Use of the Data Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25413.4.2 Test Scenarios & Test Setups . . . . . . . . . . . . . . . . . . . . . . . . 25613.4.3 Results of the Usability Tests . . . . . . . . . . . . . . . . . . . . . . . . 25713.4.4 Discussion of Data Track Usability Tests . . . . . . . . . . . . . . 259
13.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
14 HCI for Policy Display and Administration . . . . . . . . . . . . . . . . . . . . . . 261Julio Angulo, Simone Fischer-Hubner, Tobias Pulls, and Ulrich Konig14.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26114.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26314.3 User Interfaces for Policy Management and Display . . . . . . . . . . . . 265
14.3.1 Selecting Privacy Preferences . . . . . . . . . . . . . . . . . . . . . . . 26614.3.2 The “Send Data?” Dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . 26714.3.3 Testing the Usability of the “Send Data?” Dialog . . . . . . . 273Conclusions and Outlook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
15 Privacy Policy Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279Leif-Erik Holtz, Harald Zwingelberg, and Marit Hansen15.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27915.2 Motivation for Introducing Privacy Icons . . . . . . . . . . . . . . . . . . . . . . 28015.3 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28015.4 PrimeLife Icon Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
15.4.1 PrimeLife Icon Set for General Usage . . . . . . . . . . . . . . . . 281
14.4
Contents xix
15.4.2 PrimeLife Icon Set for Social Networks . . . . . . . . . . . . . . . 28215.5 Test Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28215.6 An Approach for Handling E-mail Data: Privicons . . . . . . . . . . . . . 28415.7 Conclusions and Outlook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
References Part III . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Part IV Policy Languages
16 Policy Requirements and State of the Art . . . . . . . . . . . . . . . . . . . . . . . 295Carine Bournez and Claudio A. Ardagna16.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
16.1.1 Data Handling Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29516.1.2 Access Control Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29616.1.3 Trust Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
16.2 Legal Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29716.3 Policy Language Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
16.3.1 General Design Principles and Expressivity . . . . . . . . . . . . 29916.3.2 Requirements for Data Handling Policies . . . . . . . . . . . . . . 30016.3.3 Requirements for Access Control policies . . . . . . . . . . . . . 30316.3.4 Requirements for Trust policies . . . . . . . . . . . . . . . . . . . . . . 30516.3.5 Other Technical Requirements for PrimeLife . . . . . . . . . . . 307
16.4 State of the Art . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30816.4.1 Access Control Policy Languages . . . . . . . . . . . . . . . . . . . . 30816.4.2 Data Handling Policy Languages . . . . . . . . . . . . . . . . . . . . 30916.4.3 Anonymous Credential Systems and Private
Information Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
17 Matching Privacy Policies and Preferences: Access Control,Obligations, Authorisations, and Downstream Usage . . . . . . . . . . . . . . 313Laurent Bussard, Gregory Neven, and Franz-Stefan Preiss17.1 Privacy Specifications: Preferences, Policies, and Sticky Policies . 31317.2 Matching Data Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
17.2.1 Boolean Match . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31517.2.2 Going Further than Boolean Match . . . . . . . . . . . . . . . . . . . 316
17.3 Obligations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31717.3.1 Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31817.3.2 Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31917.3.3 Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
17.4 Authorisations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32117.5 Downstream Data Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
17.5.1 Structure of Downstream Authorisations . . . . . . . . . . . . . . 32217.5.2 Proactive Matching of Downstream Data Handling . . . . . 32317.5.3 Lazy Matching of Downstream Data Handling . . . . . . . . . 324
17.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
xx Contents
18 Advances in Access Control Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Stefano Paraboschi, Eros Pedrini, Franz-Stefan Preiss, PierangelaSamarati, and Mario Verdicchio18.1 Privacy-Preserving Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
18.1.1 Credentials Enabling Privacy-Preservation . . . . . . . . . . . . . 32818.1.2 A Policy Language for Privacy-Preserving Access Control329
18.2 Credential Ontologies: Concepts and Relations . . . . . . . . . . . . . . . . 33118.2.1 Abstractions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33118.2.2 Delegation by Recursion . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
18.3 Dialog Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33318.3.1 Policy Sanitisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
18.4 Integration into XACML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33618.4.1 Credential-Based XACML . . . . . . . . . . . . . . . . . . . . . . . . . . 33818.4.2 SAML as Claims Language . . . . . . . . . . . . . . . . . . . . . . . . . 34018.4.3 XACML Architecture Extensions . . . . . . . . . . . . . . . . . . . . 340
18.5 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
19 Legal Policy Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343Leif-Erik Holtz and Jan Schallabock19.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34319.2 Legal Framework for Processing Personal Data . . . . . . . . . . . . . . . . 34419.3 Gaps in Current Policy Language Approaches . . . . . . . . . . . . . . . . . 346
19.3.1 XACML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34619.3.2 P3P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
19.4 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34819.4.1 Looking into Privacy Policies . . . . . . . . . . . . . . . . . . . . . . . 34819.4.2 Looking at the Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
19.5 Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35019.5.1 Online Shopping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35019.5.2 Social Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
19.6 Results and Further Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
20 Policy Implementation in XACML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355Slim Trabelsi and Akram Njeh20.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35520.2 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
20.2.1 High Level Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35620.2.2 Detailed Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
20.3 PPL Policy Language Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36020.3.1 PolicySets, Policy and Rules . . . . . . . . . . . . . . . . . . . . . . . . 36120.3.2 Credential Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 36120.3.3 Provisional Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36220.3.4 Data Handling Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36220.3.5 Data Handling Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . 36320.3.6 Sticky Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Claudio A. Ardagna, Sabrina De Capitani di Vimercati, Gregory Neven,
Contents xxi
20.3.7 Obligations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36420.3.8 Authorisations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
20.4 PPL Engine Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36520.4.1 Package pii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36620.4.2 Package policy.Impl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36720.4.3 Package Credential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36920.4.4 Package Obligations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37120.4.5 Package StickyPolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
20.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
References Part IV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Part V Infrastructures for Privacy and Identity Management
21 Privacy for Service Oriented Architectures . . . . . . . . . . . . . . . . . . . . . . 383Ulrich Pinsdorf, Laurent Bussard, Sebastian Meissner, Jan Schallabock,and Stuart Short21.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38321.2 Requirements for Privacy in SOA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
21.2.1 Core Policy Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 38621.2.2 Privacy Logging Requirements . . . . . . . . . . . . . . . . . . . . . . 38721.2.3 Requirements for Access to Personal Information . . . . . . . 38921.2.4 Cross-Domain-Specific Requirements . . . . . . . . . . . . . . . . 38921.2.5 Requirements for Additional Mechanisms . . . . . . . . . . . . 390
21.3 Abstract Framework Addressing the Lifecycle of PrivacyPolicies in SOAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39221.3.1 Privacy Issues Arising from SOA . . . . . . . . . . . . . . . . . . . . 39421.3.2 Abstract Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39521.3.3 PII Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39821.3.4 PII Consumer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40021.3.5 Matching Abstract Framework with SOA Requirements . 402
21.4 Policy Composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40421.4.1 Policy Composition Scenario . . . . . . . . . . . . . . . . . . . . . . . . 40521.4.2 Privacy Policy Composition Challenges . . . . . . . . . . . . . . . 40621.4.3 Data-Centric Architecture for Privacy Enforcement . . . . . 40821.4.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
21.5 Outlook and Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
22 Privacy and Identity Management on Mobile Devices: EmergingTechnologies and Future Directions for Innovation . . . . . . . . . . . . . . . 413
22.1 The Status: Privacy and Identity Management on Smart MobileDevices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
22.2 The Changing Context (I): Multiple Partial Identities acrossDevices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Marc-Michael Bergfeld and Stephan Spitz
xxii Contents
22.3 The Changing Context (II): Multiple Identity ProvidingStakeholders Along an Increasingly Dynamic Mobile ServicesValue Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
22.4 Technologies for Identity Management and PrivacyEnhancement: Secure Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
22.5 Present Secure Element Technologies: UICCs and Stickers . . . . . . 42022.5.1 The Universal Integrated Circuit Card (UICC) and the
Smart Card Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42022.5.2 The Sticker as Example for Static Mobile Service
Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42122.6 Emerging Secure Element Technologies: Trusted Execution
Environments and the Privacy Challenge . . . . . . . . . . . . . . . . . . . . . . 42222.7 Technologies for Secure and Dynamic Mobile Services and the
Privacy Challenge in Highly Dynamic Environments . . . . . . . . . . . . 42422.8 Contributions of the PrimeLife Project for the Advancement of
Technologies in the Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42622.9 The Privacy Challenge in Mobile Services and Future Directions
for Innovation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
23 Privacy by Sustainable Identity Management Enablers . . . . . . . . . . . . 431Sascha Koschinat, Gokhan Bal, Christian Weber, and Kai Rannenberg23.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43123.2 Economic Valuation Approach for Telco-Based Identity
Management Enablers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43223.2.1 Description of the Baseline Option and Feasible Delta
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43423.2.2 Identification of each Stakeholder’s Costs and Benefits
Based on Delta Scenarios in Comparison to theBaseline Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
23.2.3 Selection of Key Costs and Benefits for each Stakeholder 43923.2.4 Mapping of each Stakeholder’s Key Cost and Benefits
on IdM Service Provider by Cause-Effect Chains . . . . . . . 43923.2.5 Clustering of Mapped IdM Service Provider Costs and
Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44023.2.6 Assessment and Aggregation of Clustered IdM Service
Provider costs and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . 44323.2.7 Visualisation of Aggregated IdM Service Provider
Costs and Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44523.3 Description of the Identity Management Scenarios . . . . . . . . . . . . . 445
23.3.1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44623.3.2 Privacy Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . 447
23.4 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45123.5 Summary and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
References Part V . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Contents xxiii
Part VI Privacy Live
24 Open Source Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459Jan Camenisch, Benjamin Kellermann, Stefan Kopsell, StefanoParaboschi, Franz-Stefan Preiss, Stefanie Potzsch, Dave Raggett,Pierangela Samarati, and Karel Wouters24.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45924.2 Social Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
24.2.1 Clique – Privacy-Enhanced Social Network Platform . . . . 46024.2.2 Scramble! – Audience Segregation by Encryption . . . . . . 46124.2.3 Privacy-Awareness Support for Forum Users: Personal
Data MOD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46224.2.4 Privacy-Enhancing Selective Access Control for Forums . 464
24.3 Dudle – Privacy-enhanced Web 2.0 Event Scheduling . . . . . . . . . . 46424.4 The Privacy Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46624.5 Privacy in Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
24.5.1 Pri-Views – Protecting Sensitive Values by Fragmentation47024.5.2 Over-Encrypt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
24.6 Anonymous Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47224.6.1 Identity Mixer Crypto Library . . . . . . . . . . . . . . . . . . . . . . . 47224.6.2 Components for a Privacy-Preserving Access Control
System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47324.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
25 Contributions to Standardisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479Hans Hedbom, Jan Schallabock, Rigo Wenning, and Marit Hansen25.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47925.2 Standardisation in ISO/IEC JTC 1/SC 27/WG 5 . . . . . . . . . . . . . . . . 480
25.2.1 ISO 24760 – Framework for Identity Management . . . . . . 48125.2.2 Introducing Privacy Protection Goals to ISO 29101
Privacy Reference Architecture . . . . . . . . . . . . . . . . . . . . . . 48225.3 Web Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
25.3.1 Workshop on Access Control Application Scenarios . . . . 48625.3.2 Workshop on Privacy for Advanced Web APIs . . . . . . . . . 48825.3.3 Workshop on Privacy and Data Usage Control . . . . . . . . . 48925.3.4 Workshop on Internet Privacy . . . . . . . . . . . . . . . . . . . . . . . 490
25.4 PrimeLife’s Contributions to Standardisation in IETF . . . . . . . . . . . 49125.5 Conclusion and Outlook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
26 Best Practice Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493Marit Hansen26.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49326.2 Recommendations to Industry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
26.2.1 Data Minimisation by Pseudonyms and PrivateCredentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
26.2.2 Improvement of Privacy Functionality in Social Media . . 494
xxiv Contents
26.2.3 Better Protection of the User’s Privacy on the Web . . . . . . 49626.2.4 Better Information of Users on Privacy-Relevant Issues
on the Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49626.3 Recommendations to Policy Makers . . . . . . . . . . . . . . . . . . . . . . . . . . 497
26.3.1 Clear Guidelines for System Developers and DataControllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
26.3.2 Incentives and Sanctions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49926.3.3 Development of Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
References Part VI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
27 PrimeLife’s Legacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505Jan Camenisch and Marit Hansen
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507