4 research outputs found
Enhancing user's privacy : developing a model for managing and testing the lifecycle of consent and revocation
Increasingly, people turn to the Internet for access to services, which often require
disclosure of a significant amount of personal data. Networked technologies have
enabled an explosive growth in the collection, storage and processing of personal
information with notable commercial potential. However, there are asymmetries in
relation to how people are able to control their own information when handled by
enterprises. This raises significant privacy concerns and increases the risk of privacy
breaches, thus creating an imperative need for mechanisms offering information
control functionalities.
To address the lack of controls in online environments, this thesis focuses on
consent and revocation mechanisms to introduce a novel approach for controlling
the collection, usage and dissemination of personal data and managing privacy ex-
pectations. Drawing on an extensive multidisciplinary review on privacy and on
empirical data from focus groups, this research presents a mathematical logic as the
foundation for the management of consent and revocation controls in technological
systems.
More specifically, this work proposes a comprehensive conceptual model for con-
sent and revocation and introduces the notion of 'informed revocation'. Based on
this model, a Hoare-style logic is developed to capture the effects of expressing indi-
viduals' consent and revocation preferences. The logic is designed to support certain
desirable properties, defined as healthiness conditions. Proofs that these conditions
hold are provided with the use of Maude software. This mathematical logic is
then verified in three real-world case study applications with different consent and
revocation requirements for the management of employee data in a business envi-
ronment, medical data in a biobank and identity assurance in government services.
The results confirm the richness and the expressiveness of the logic. In addition, a
novel testing strategy underpinned by this logic is presented. This strategy is able
to generate testing suites for systems offering consent and revocation controls, such
as the EnCoRe system, where testing was carried out successfully and resulted in
identifying faults in the EnCoRe implementation
A Component-based Architecture for Secure Data Publication
We present an approach for controlling access to data publishers in the framework of Web-based information services. The paper presents a model for enforcing access control regulations, an XML core schema and namespace for expressing such regulations, and illustrate the architecture of Access Control Unit (ACU), an autonomous software component based on the proposed model. Besides "standard" authorizations, the ACU supports authorizations based on user profiles and dynamic conditions whose outcome is determined by user actions such as the acceptance of a written agreement and/or payment