
    Data Minimisation in Communication Protocols: A Formal Analysis Framework and Application to Identity Management

    With the growing amount of personal information exchanged over the Internet, privacy is becoming more and more of a concern for users. One of the key principles in protecting privacy is data minimisation. This principle requires that only the minimum amount of information necessary to accomplish a certain goal is collected and processed. "Privacy-enhancing" communication protocols have been proposed to guarantee data minimisation in a wide range of applications. However, there is currently no satisfactory way to assess and compare the privacy they offer in a precise way: existing analyses are either too informal and high-level, or specific to one particular system. In this work, we propose a general formal framework to analyse and compare communication protocols with respect to privacy by data minimisation. Privacy requirements are formalised independently of a particular protocol in terms of the knowledge of (coalitions of) actors in a three-layer model of personal information. These requirements are then verified automatically for particular protocols by computing this knowledge from a description of their communication. We validate our framework in an identity management (IdM) case study. As IdM systems are used more and more to satisfy the increasing need for reliable on-line identification and authentication, privacy is becoming an increasingly critical issue. We use our framework to analyse and compare four identity management systems. Finally, we discuss the completeness and (re)usability of the proposed framework.

    DevOps for Trustworthy Smart IoT Systems

    ENACT is a research project funded by the European Commission under its H2020 programme. The project consortium consists of twelve industry and research member organisations spread across the whole EU. The overall goal of the ENACT project was to provide a novel set of solutions to enable DevOps in the realm of trustworthy Smart IoT Systems. Smart IoT Systems (SIS) are complex systems involving not only sensors but also actuators with control loops distributed all across the IoT, Edge and Cloud infrastructure. Since smart IoT systems typically operate in a changing and often unpredictable environment, the ability of these systems to continuously evolve and adapt to their new environment is decisive to ensure and increase their trustworthiness, quality and user experience. DevOps has established itself as a software development life-cycle model that encourages developers to continuously bring new features to the system under operation without sacrificing quality. This book reports on the ENACT work to empower the development and operation as well as the continuous and agile evolution of SIS, which is necessary to adapt the system to changes in its environment, such as newly appearing trustworthiness threats.

    Cybersecurity Research: Challenges and Course of Action


    Extended Abstracts of the Fourth Privacy Enhancing Technologies Convention (PET-CON 2009.1)

    PET-CON, the Privacy Enhancing Technologies Convention, is a forum for researchers, students, developers, and other interested people to discuss novel research, current developments and techniques in the area of Privacy Enhancing Technologies. PET-CON was first conceived in June 2007 at the 7th International PET Symposium in Ottawa, Canada. The idea was to set up a bi-annual convention in or near Germany in order to meet more often than only once a year at some major conference.

    Privacy Design in Online Social Networks: Learning from Privacy Breaches and Community Feedback

    The objective of this paper is to systematically develop privacy heuristics for Online Social Network Services (SNS). In order to achieve this, we provide an analytical framework in which we characterise privacy breaches that have occurred in SNS and distinguish different stakeholders' perspectives. Although SNS have been criticised for numerous grave privacy breaches, they have also proven to be an interesting space in which privacy design is implemented and critically taken up by users. Community involvement in the discovery of privacy breaches, as well as in articulating privacy demands, points to possibilities for user-driven privacy design. In our analysis we take a multilateral security analysis approach, identify conflicts in privacy interests, and list points of intervention and negotiation. In our future research, we plan to validate the usefulness as well as the usability of these heuristics and to develop a framework for privacy design in SNS.

    Privacy and Security Assessment of Biometric Template Protection


    Privacy by Design in Agile Software Development

    With privacy concerns on the rise, the European Commission passed the General Data Protection Regulation (GDPR), which requires all software manufacturers to apply the privacy by design principles starting from the design phase of development. The privacy by design approach has been pushed into regulation as the ultimate solution by some, but very little information is given on applying the approach in practice. Very little information is also available on enforcement of the regulatory side of privacy by design, which makes evaluation of compliance difficult. This thesis explores the state of privacy by design implementation and attempts to formulate a model for adhering to the privacy by design principles in an iterative agile software development methodology. This model is fully integrated into the Scrum software development model and provides the developers with an improved view of the compliance state of their product during development through the use of visual documentation practices. Additional focus is given to other regulatory demands of the GDPR. Compatibility with other privacy-oriented development frameworks is also considered. Furthermore, this thesis explores the criticisms and benefits of privacy by design from both an implementation and a regulatory point of view, in Europe and in other jurisdictions. These criticisms and benefits are evaluated against the agile integrated model. The state of privacy by design in the global privacy community is a positive development, but some global privacy threats are also discussed.

    Dilution: A Novel Approach In Preserving Privacy

    Protection of privacy is a very personal matter and therefore a sensitive issue. Often, protecting or preventing the exchange of information is crucial to preserving privacy. With information technology on the rise, the exchange of information has increased dramatically and preserving privacy has become a very challenging issue. Privacy is commonly understood as non-disclosure of information. Modern media, particularly the Internet and the development of Web 2.0 within it, have for some time posed new challenges to the intention of not disclosing certain information. Still, we observe that the state of the art classifies personal information into very few categories, often only two: visible to friends only and visible to everybody. This does not mirror physical life and the behaviour in communication between two individuals. In this work we move away from privacy by secrecy towards privacy by dilution. Adding enough data to some information under consideration will make it hard to distinguish, and hence to reveal, the information being protected. Dilution is applicable to any kind of data: in the case of plain text, additional text can be inserted into the existing text, while dilution of pictures and videos means adding additional files of the same type. Furthermore, we enable the presentation of different partial identities to different requesters, e.g., a visitor of a web site. Besides a survey that allowed us to derive a basic model, we elaborated our concepts in two directions. These can be distinguished by their transparency, i.e., the required user interaction; we introduce active and passive dilution, respectively. We have also developed means to efficiently monitor an online reputation, and conducted assessments and use case studies regarding robustness. In conclusion, we show that the dilution methodology is a promising approach pointing to a novel direction in privacy enhancing technologies. All tools and frameworks presented in this work and contributed by us have been implemented as fully working proofs-of-concept.

    A System for Privacy-Preserving Mobile Health and Fitness Data Sharing: Design, Implementation and Evaluation

    The growing spread of smartphones and other mobile devices has given rise to a number of health and fitness applications. Users can track their calorie intake, get reminders to take their medication, and track their fitness workouts. Many of these services have social components, allowing users to find like-minded peers, compete with their friends, or participate in open challenges. However, the prevalent service model forces users to disclose all of their data to the service provider. This may include sensitive information, like their current position or medical conditions. In this thesis, we design, implement and evaluate a privacy-preserving fitness data sharing system. The system provides privacy not only towards other users but also against the service provider, does not require any Trusted Third Parties (TTPs), and is backed by strong cryptography. Additionally, it hides the communication metadata (i.e., who is sharing data with whom). We evaluate the security of the system with empirical and formal methods, including formal proofs for parts of the system. We also investigate the performance with empirical data and a simulation of a large-scale deployment. Our results show that the system can provide strong privacy guarantees. However, it incurs a significant networking overhead for large deployments.