A Scalable Consent, Transparency and Compliance Architecture

In this demo we present the SPECIAL consent, transparency and compliance system. The objective of the system is to afford data subjects more control over personal data processing and sharing, while at the same time enabling data controllers and processors to comply with consent and transparency obligations mandated by the European General Data Protection Regulation. A short promotional video can be found at https://purl.com/specialprivacy/demos/ESWC2018

Privacy CURE: Consent Comprehension Made Easy

Although the General Data Protection Regulation (GDPR) defines several potential legal bases for personal data processing, in many cases data controllers, even when they are located outside the European Union (EU), will need to obtain consent from EU citizens for the processing of their personal data. Unfortunately, existing approaches for obtaining consent, such as pages of text followed by an agreement/disagreement mechanism, are neither specific nor informed. In order to address this challenge, we introduce our Consent reqUest useR intErface (CURE) prototype, which is based on the GDPR requirements and the interpretation of those requirements by the Article 29 Working Party (i.e., the predecessor of the European Data Protection Board). The CURE prototype provides transparency regarding personal data processing, more control via a customization, and, based on the results of our usability evaluation, improves user comprehension with respect to what data subjects actually consent to. Although the CURE prototype is based on the GDPR requirements, it could potentially be used in other jurisdictions also

CamFlow: Managed Data-sharing for Cloud Services

A model of cloud services is emerging whereby a few trusted providers manage the underlying hardware and communications whereas many companies build on this infrastructure to offer higher level, cloud-hosted PaaS services and/or SaaS applications. From the start, strong isolation between cloud tenants was seen to be of paramount importance, provided first by virtual machines (VM) and later by containers, which share the operating system (OS) kernel. Increasingly it is the case that applications also require facilities to effect isolation and protection of data managed by those applications. They also require flexible data sharing with other applications, often across the traditional cloud-isolation boundaries; for example, when government provides many related services for its citizens on a common platform. Similar considerations apply to the end-users of applications. But in particular, the incorporation of cloud services within `Internet of Things' architectures is driving the requirements for both protection and cross-application data sharing. These concerns relate to the management of data. Traditional access control is application and principal/role specific, applied at policy enforcement points, after which there is no subsequent control over where data flows; a crucial issue once data has left its owner's control by cloud-hosted applications and within cloud-services. Information Flow Control (IFC), in addition, offers system-wide, end-to-end, flow control based on the properties of the data. We discuss the potential of cloud-deployed IFC for enforcing owners' dataflow policy with regard to protection and sharing, as well as safeguarding against malicious or buggy software. In addition, the audit log associated with IFC provides transparency, giving configurable system-wide visibility over data flows. [...]Comment: 14 pages, 8 figure

Advanced Cloud Privacy Threat Modeling

Privacy-preservation for sensitive data has become a challenging issue in cloud computing. Threat modeling as a part of requirements engineering in secure software development provides a structured approach for identifying attacks and proposing countermeasures against the exploitation of vulnerabilities in a system . This paper describes an extension of Cloud Privacy Threat Modeling (CPTM) methodology for privacy threat modeling in relation to processing sensitive data in cloud computing environments. It describes the modeling methodology that involved applying Method Engineering to specify characteristics of a cloud privacy threat modeling methodology, different steps in the proposed methodology and corresponding products. We believe that the extended methodology facilitates the application of a privacy-preserving cloud software development approach from requirements engineering to design

A Blockchain-based Approach for Data Accountability and Provenance Tracking

The recent approval of the General Data Protection Regulation (GDPR) imposes new data protection requirements on data controllers and processors with respect to the processing of European Union (EU) residents' data. These requirements consist of a single set of rules that have binding legal status and should be enforced in all EU member states. In light of these requirements, we propose in this paper the use of a blockchain-based approach to support data accountability and provenance tracking. Our approach relies on the use of publicly auditable contracts deployed in a blockchain that increase the transparency with respect to the access and usage of data. We identify and discuss three different models for our approach with different granularity and scalability requirements where contracts can be used to encode data usage policies and provenance tracking information in a privacy-friendly way. From these three models we designed, implemented, and evaluated a model where contracts are deployed by data subjects for each data controller, and a model where subjects join contracts deployed by data controllers in case they accept the data handling conditions. Our implementations show in practice the feasibility and limitations of contracts for the purposes identified in this paper

Online Personal Data Processing and EU Data Protection Reform. CEPS Task Force Report, April 2013

This report sheds light on the fundamental questions and underlying tensions between current policy objectives, compliance strategies and global trends in online personal data processing, assessing the existing and future framework in terms of effective regulation and public policy. Based on the discussions among the members of the CEPS Digital Forum and independent research carried out by the rapporteurs, policy conclusions are derived with the aim of making EU data protection policy more fit for purpose in today’s online technological context. This report constructively engages with the EU data protection framework, but does not provide a textual analysis of the EU data protection reform proposal as such

LEVERAGING BLOCKCHAIN TECHNOLOGY FOR SLA ENFORCEMENT IN HEALTH CARE CLOUD PARTNERSHIPS

The healthcare industry is rapidly adopting cloud-based solutions to improve operational efficiency and patient outcomes. However, healthcare cloud partnerships often face challenges related to the lack of scalability, trust, and Service Level Agreement (SLA) enforcement, and has a notable impact on consumer care quality. To address this issue, the study proposed leveraging blockchain technology to enhance SLA enforcement by using smart contracts in health care cloud partnerships for small and medium-sized facilities. The research questions were: Q.1 What are the current challenges facing small to medium sized healthcare facilities in enforcing SLAs in cloud partnerships? Q.2 How can BC-based smart contracts helps enhance scalability in cloud computing systems in healthcare SMEs by enforcing Service Level Agreements (SLAs) in a safe and efficient manner? Q.3 What are the factors that affect the implementation of blockchain-based smart contracts for SLA enforcement in healthcare SMEs cloud partnerships? The project utilized case studies to demonstrate the effectiveness of using BC technology based smart contracts to enhance SLA enforcement and improve patient outcomes. The findings and conclusions were as follows: 1. Current challenges facing healthcare SMEs in enforcing SLAs in cloud partnerships: SMEs may lack bargaining power, resources, and technical expertise to effectively negotiate, monitor, and enforce SLAs in cloud partnerships, leading to service disruptions, compliance issues, and financial losses. 2. BC-based smart contracts can enhance the scalability of cloud computing systems in healthcare SMEs by automating SLA execution, ensuring real-time data integrity, transparency, and accountability, reducing fraud, error, and transaction costs, and enabling decentralized trust among stakeholders. 3. Factors affecting the implementation of BC-based smart contracts to better SLA enforcement in healthcare SMEs cloud partnerships: regulatory uncertainty, interoperability, standardization, privacy, security, cost, complexity, governance, and user adoption, and 4. Unique Trends and challenges in the healthcare industry for its data analysis: increasing demand for real-time, patient-centered, personalized, and evidence-based care, generating and integrating large volumes of diverse and complex data from multiple sources, ensuring data quality, privacy, and security, complying with regulations and standards, and fostering collaboration and innovation across stakeholders. MedRec, SimplyVital Health, and Medical Chain demonstrate how BC provides secure data sharing, encryption and access control mechanisms, and promotes interoperability through standard data formats and protocols. Results showed improved scalability, trust, and SLA enforcement with the use of BC technology. Further research in the other domains of this area is recommended. It is required to address broader aspects related to the topic. The areas for further study that emerged from the findings and conclusions of this project include: 1. interoperability,2. trusted monitoring solutions, 3.user experience, 4. privacy and security,5. med tokens, cost and 6. integration with existing BSS and OSS. Keywords: Cloud computing, Blockchain technology, SLA enforcement, Smart Contracts, Healthcare cloud, Blockchain-based SLA enforcement, Smart Healthcare, e-healthcare, Scalability