Private Data System Enabling Self-Sovereign Storage Managed by Executable Choreographies

With the increased use of Internet, governments and large companies store and share massive amounts of personal data in such a way that leaves no space for transparency. When a user needs to achieve a simple task like applying for college or a driving license, he needs to visit a lot of institutions and organizations, thus leaving a lot of private data in many places. The same happens when using the Internet. These privacy issues raised by the centralized architectures along with the recent developments in the area of serverless applications demand a decentralized private data layer under user control. We introduce the Private Data System (PDS), a distributed approach which enables self-sovereign storage and sharing of private data. The system is composed of nodes spread across the entire Internet managing local key-value databases. The communication between nodes is achieved through executable choreographies, which are capable of preventing information leakage when executing across different organizations with different regulations in place. The user has full control over his private data and is able to share and revoke access to organizations at any time. Even more, the updates are propagated instantly to all the parties which have access to the data thanks to the system design. Specifically, the processing organizations may retrieve and process the shared information, but are not allowed under any circumstances to store it on long term. PDS offers an alternative to systems that aim to ensure self-sovereignty of specific types of data through blockchain inspired techniques but face various problems, such as low performance. Both approaches propose a distributed database, but with different characteristics. While the blockchain-based systems are built to solve consensus problems, PDS's purpose is to solve the self-sovereignty aspects raised by the privacy laws, rules and principles.Comment: DAIS 201

Expert Mental Models of SSI Systems and Implications for End-User Understanding

Self-sovereign identity (SSI) systems have gained increasing attention over the last five years. In a variety of fields (e.g., education, IT security, law, government), developers and researchers are attempting to give end-users back their right to and control of their data. Although prototypes and theoretical concepts for SSI applications exist, the majority of them are still in their infancy. Due to missing definitions and standards, there is currently a lack of common understanding of SSI system within the (IT) community. To investigate current commonalities and differences in SSI understanding, I contribute the first qualitative user study (N=13) on expert mental models of SSI and its associated threat landscape. The study results highlight the need for a general definition of SSI and further standards for such systems, as experts\u27 perceptions of SSI requirements vary widely. Based on the expert interviews, I constructed a minimal knowledge map for (potential) SSI end-users and formulated design guidelines for SSI to facilitate broad adoption in the wild and improve privacy-preserving usage

Privacy, Self-Sovereign Identity Technology and the Willingness to Provide Personal Information

The internet has caused an unprecedented increase in the amount of personal information that is available online. This personal information has been harnessed directly by companies, to provide targeted marketing to 3rd parties. It can also be used for a company's own internal marketing communication practices. Further highlighting the importance of personal information, some companies have emerged whose business models depend on the accurate collection, and monetisation of this personal information (Streitfeld, 2018). This has led to interest and concern over the misuse of personal information, and the extent companies should benefit from the acquisition of personal information of consumers and 3rd parties. Technological innovation, specifically Blockchain Technology has created the possibility to eliminate these actual or perceived abuses of consumer data, and allow consumers to exercise greater control over their personal data. Blockchain Technology can be simply understood as a Microsoft Excel spreadsheet where hundreds of participants continuously verify each entry in the spreadsheet so that no incorrect or fraudulent inputs are made. Specifically, SelfSovereign Identity Technology, currently in its early stages, may allow consumers to have full control of their consumer data via the Blockchain. This includes, access, distribution and may even allow consumers to monetise their own personal information. If consumers fully embrace Self-Sovereign Identity Technology, businesses will have to rethink and overhaul their data collection, marketing practices and business models. On the other hand, consumers will have to decide what they will do, with the data relating to their digital identity and how they might exchange it for their benefit. Despite its potential to disrupt the collection of personal information by companies, a scholarly analysis of the use Self-Sovereign Identity Technology and its relationship with a consumer's willingness to share personal information has not yet happened. Thus the aim of this thesis is two-fold. Firstly, to understand what drives a consumer to disclose personal information over the internet. Secondly, to understand the connection between this willingness to disclose personal information, and the use of Self-Sovereign Identity Technology. This is investigated using a survey analysis and primary data. This study aspires to create an academic basis for the examination of Self-Sovereign Identity Technology and its relationship with the willingness of consumers to provide personal information. In this study several factors were found to affect a South African consumer's willingness to provide personal information online. Based on the prior work of Schoenbachler and Gordon (2010) and Phelps, Nowak and Ferrel (2000) several perceived risk factors and trust factors were hypothesised to affect this willingness to provide personal information. The trust factors included: past experience with a company, reputation of a company and perception of dependability. The perceived risk factors included: type of personal information requested, consequences and benefits, individual consumer characteristics and consumer control over information. All of these factors were found to be significant except for the perception of dependability, which was not supported. Furthermore, perceived functional value was found to moderate the relationship between individual consumer characteristics and the willingness to provide personal information. Lastly, this study found evidence that a relationship exists between the willingness to provide personal information online and the willingness to use SSI technology. This relationship was found to be strong, and negative