Obligations of trust for privacy and confidentiality in distributed transactions

Purpose – This paper aims to describe a bilateral symmetric approach to authorization, privacy protection and obligation enforcement in distributed transactions. The authors introduce the concept of the obligation of trust (OoT) protocol as a privacy assurance and authorization mechanism that is built upon the XACML standard. The OoT allows two communicating parties to dynamically exchange their privacy and authorization requirements and capabilities, which the authors term a notification of obligation (NoB), as well as their commitments to fulfilling each other's requirements, which the authors term signed acceptance of obligations (SAO). The authors seek to describe some applicability of these concepts and to show how they can be integrated into distributed authorization systems for stricter privacy and confidentiality control. Design/methodology/approach – Existing access control and privacy protection systems are typically unilateral and provider-centric, in that the enterprise service provider assigns the access rights, makes the access control decisions, and determines the privacy policy. There is no negotiation between the client and the service provider about which access control or privacy policy to use. The authors adopt a symmetric, more user-centric approach to privacy protection and authorization, which treats the client and service provider as peers, in which both can stipulate their requirements and capabilities, and hence negotiate terms which are equally acceptable to both parties. Findings – The authors demonstrate how the obligation of trust protocol can be used in a number of different scenarios to improve upon the mechanisms that are currently available today. Practical implications – This approach will serve to increase trust in distributed transactions since each communicating party receives a difficult to repudiate digitally signed acceptance of obligations, in a standard language (XACML), which can be automatically enforced by their respective computing machinery. Originality/value – The paper adds to current research in trust negotiation, privacy protection and authorization by combining all three together into one set of standardized protocols. Furthermore, by providing hard to repudiate signed acceptance of obligations messages, this strengthens the legal case of the injured party should a dispute arise

User-driven Privacy Enforcement for Cloud-based Services in the Internet of Things

Internet of Things devices are envisioned to penetrate essentially all aspects of life, including homes and urbanspaces, in use cases such as health care, assisted living, and smart cities. One often proposed solution for dealing with the massive amount of data collected by these devices and offering services on top of them is the federation of the Internet of Things and cloud computing. However, user acceptance of such systems is a critical factor that hinders the adoption of this promising approach due to severe privacy concerns. We present UPECSI, an approach for user-driven privacy enforcement for cloud-based services in the Internet of Things to address this critical factor. UPECSI enables enforcement of all privacy requirements of the user once her sensitive data leaves the border of her network, provides a novel approach for the integration of privacy functionality into the development process of cloud-based services, and offers the user an adaptable and transparent configuration of her privacy requirements. Hence, UPECSI demonstrates an approach for realizing user-accepted cloud services in the Internet of Things.Comment: 6 pages, 2 figures, 1 listing. The 2nd International Conference on Future Internet of Things and Cloud (FiCloud-2014

Authentication and authorisation in entrusted unions

This paper reports on the status of a project whose aim is to implement and demonstrate in a real-life environment an integrated eAuthentication and eAuthorisation framework to enable trusted collaborations and delivery of services across different organisational/governmental jurisdictions. This aim will be achieved by designing a framework with assurance of claims, trust indicators, policy enforcement mechanisms and processing under encryption to address the security and confidentiality requirements of large distributed infrastructures. The framework supports collaborative secure distributed storage, secure data processing and management in both the cloud and offline scenarios and is intended to be deployed and tested in two pilot studies in two different domains, viz, Bio-security incident management and Ambient Assisted Living (eHealth). Interim results in terms of security requirements, privacy preserving authentication, and authorisation are reported

Privacy and data protection in Australia : a critical overview (extended abstract)

This research is funded by the Data to Decisions Cooperative Research Centre (D2D CRC), Project C, with participation of the Spanish Project DER2016-78108-P.This extended abstract describes the regulation of privacy under Australian laws and policies. In the CRC D2D programme, we will develop a strategy to model legal requirements in a situation that is far from clear. Law enforcement agencies are facing big floods of data to be acquired, stored, assessed and used. We will propose in the final paper a linked data regulatory model to organise and set the legal and policy requirements to model privacy in this unstructured context

Changing Expectations of Privacy and the Fourth Amendment

Public attitudes about privacy are central to the development of fourth amendment doctrine in two respects. These are the two “reasonableness” requirements, which define the scope of the fourth amendment (it protects only “reasonable” expectations of privacy), and provide the key to determining compliance with its commands (it prohibits “unreasonable” searches and seizures). Both requirements are interpreted in substantial part through evaluation of societal norms about acceptable levels of privacy from governmental intrusions. Caselaw, poll data, newspaper articles, internet sites, and other vehicles for gauging public attitudes after the September 11 attacks indicate that public concerns about terrorism and the erosion of personal privacy by governmental responses to terrorism have had significant effects on fourth amendment law. These include both a cutting back on overall fourth amendment coverage and treating as reasonable security intrusions that previously would not have been permitted. Results include less judicial scrutiny, additional intrusions based on security, possibly legal and political support for racial profiling in law enforcement

Towards privacy-aware identity management

The overall goal of the PRIME project (Privacy and Identity Management for Europe) is the development of a privacy-enhanced identity management system that allows users to control the release of their personal information. The PRIME architecture includes an Access Control component allowing the enforcement of protection requirements on personal identifiable information (PII). The overall goal of the PRIME project (Privacy and Identity Management for Europe) is the development of a privacy-enhanced identity management system that allows users to control the release of their personal information. The PRIME architecture includes an Access Control component allowing the enforcement of protection requirements on personal identifiable information (PII)

Ring, Amazon Calling: The State Action Doctrine & The Fourth Amendment

Video doorbells have proliferated across the United States and Amazon owns one of the most popular video doorbell companies on the market—Ring. While many view the Ring video doorbell as useful technology that protects the home and promotes safer neighborhoods, the product reduces consumer privacy without much recourse. For example, Ring partners with cities and law enforcement agencies across the United States thereby creating a mass surveillance network in which law enforcement agencies can watch neighborhoods and access Ring data without the user’s knowledge or consent. Because Amazon is not a state actor, it is able to circumvent the due process requirements of the Fourth Amendment. Moreover, through these partnerships, law enforcement agencies may circumvent Fourth Amendment requirements by having Amazon access users’ information for them. This Comment argues Amazon should be recognized as a state actor under the state action doctrine so that Ring users are protected by the Fourth Amendment. As technology develops, the law is playing catch-up. This Comment proposes holding private companies—namely Amazon— to the same standards as state actors in order to protect the privacy of consumers