Machine-Readable Privacy Certificates for Services
Privacy-aware processing of personal data on the web of services requires
managing a number of issues arising both from the technical and the legal
domain. Several approaches have been proposed to match privacy requirements
(on the client's side) and privacy guarantees (on the service provider's side).
Still, the assurance of effective data protection (when possible) relies on
substantial human effort and exposes organizations to significant
(non-)compliance risks. In this paper we put forward the idea that a privacy
certification scheme producing and managing machine-readable artifacts in the
form of privacy certificates can play an important role towards the solution of
this problem. Digital privacy certificates represent the reasons why a privacy
property holds for a service and describe the privacy measures supporting it.
Also, privacy certificates can be used to automatically select services whose
certificates match the client policies (privacy requirements).
Our proposal relies on an evolution of the conceptual model developed in the
Assert4Soa project and on a certificate format specifically tailored to
represent privacy properties. To validate our approach, we present a worked-out
instance showing how the privacy property Retention-based unlinkability can be
certified for a banking financial service.
Comment: 20 pages, 6 figures
Continuous trust management frameworks: concept, design and characteristics
PhD Thesis
A Trust Management Framework is a collection of technical components and governing
rules and contracts to establish secure, confidential, and Trustworthy transactions
among the Trust Stakeholders whether they are Users, Service Providers, or Legal
Authorities. Despite the presence of many Trust Frameworks projects, they still fail
at presenting a mature Framework that can be Trusted by all its Stakeholders. Particularly
speaking, most of the current research focus on the Security aspects that may
satisfy some Stakeholders but ignore other vital Trust Properties like Privacy, Legal
Authority Enforcement, Practicality, and Customizability. This thesis is all about
understanding and utilising the state of the art technologies of Trust Management to
come up with a Trust Management Framework that could be Trusted by all its Stakeholders
by providing a Continuous Data Control where the exchanged data would be
handled in a Trustworthy manner before and after the data release from one party to
another. For that we call it: Continuous Trust Management Framework.
In this thesis, we present a literature survey where we illustrate the general picture
of the current research main categories as well as the main Trust Stakeholders, Trust
Challenges, and Trust Requirements. We picked a few samples representing each of
the main categories in the literature of Trust Management Frameworks for detailed
comparison to understand the strengths and weaknesses of those categories. Showing
that the current Trust Management Frameworks are focusing on fulfilling most of the
Trust Attributes needed by the Trust Stakeholders except for the Continuous Data
Control Attribute, we argued for the vitality of our proposed generic design of the
Continuous Trust Management Framework.
To demonstrate our Design practicality, we present a prototype implementing its
basic Stakeholders like the Users, Service Providers, Identity Provider, and Auditor
on top of the OpenID Connect protocol. The sample use-case of our prototype is to
protect the Users’ email addresses. That is, Users would ask for their emails not to be
shared with third parties but some Providers would act maliciously and share these
emails with third parties who would, in turn, send spam emails to the victim Users.
While the prototype Auditor would be able to protect and track data before their
release to the Service Providers, it would not be able to enforce the data access policy
after release. We later generalise our sample use-case to cover various Mass Active
Attacks on Users’ Credentials like, for example, using stolen credit cards or illegally
impersonating third-party identity.
To protect the Users’ Credentials after release, we introduce a set of theories and
building blocks to aid our Continuous Trust Framework’s Auditor that would act as
the Trust Enforcement point. These theories rely primarily on analysing the data
logs recorded by our prototype prior to releasing the data. To test our theories, we
present a Simulation Model of the Auditor to optimise its parameters. During some
of our Simulation Stages, we assumed the availability of a Data Governance Unit,
DGU, that would provide hardware roots of Trust. This DGU is to be installed in the
Service Providers’ server-side to govern how they handle the Users’ data. The final
simulation results include a set of different Defensive Strategies’ Flavours that could
be utilized by the Auditor depending on the environment where it operates.
This thesis concludes with the fact that utilising Hard Trust Measures such as DGU
without effective Defensive Strategies may not provide the ultimate Trust solution.
That is especially true at the bootstrapping phase where Service Providers would be
reluctant to adopt a restrictive technology like our proposed DGU. Nevertheless, even
in the absence of the DGU technology now, deploying the developed Defensive Strategies’
Flavours that do not rely on DGU would still provide significant improvements
in terms of enforcing Trust even after data release compared to the currently widely
deployed Strategy: doing nothing!
Public Authority for Applied Education and Training in Kuwait, PAAET
User's Privacy in Recommendation Systems Applying Online Social Network Data, A Survey and Taxonomy
Recommender systems have become an integral part of many social networks and
extract knowledge from a user's personal and sensitive data both explicitly,
with the user's knowledge, and implicitly. This trend has created major privacy
concerns as users are mostly unaware of what data and how much data is being
used and how securely it is used. In this context, several works have been done
to address privacy concerns for usage in online social network data and by
recommender systems. This paper surveys the main privacy concerns, measurements
and privacy-preserving techniques used in large-scale online social networks
and recommender systems. It is based on historical works on security,
privacy-preserving, statistical modeling, and datasets to provide an overview
of the technical difficulties and problems associated with privacy preservation
in online social networks.
Comment: 26 pages, IET book chapter on big data recommender systems
- …