6 research outputs found

    TIRA: An OpenAPI Extension and Toolbox for GDPR Transparency in RESTful Architectures

    Transparency - the provision of information about what personal data is collected for which purposes, how long it is stored, or to which parties it is transferred - is one of the core privacy principles underlying regulations such as the GDPR. Technical approaches for implementing transparency in practice are, however, only rarely considered. In this paper, we present a novel approach for doing so in current, RESTful application architectures and in line with prevailing agile and DevOps-driven practices. For this purpose, we introduce 1) a transparency-focused extension of OpenAPI specifications that allows individual service descriptions to be enriched with transparency-related annotations in a bottom-up fashion and 2) a set of higher-order tools for aggregating respective information across multiple, interdependent services and for coherently integrating our approach into automated CI/CD-pipelines. Together, these building blocks pave the way for providing transparency information that is more specific and at the same time better reflects the actual implementation givens within complex service architectures than current, overly broad privacy statements.
    Comment: Accepted for publication at the 2021 International Workshop on Privacy Engineering (IWPE'21). This is a preprint manuscript (authors' own version before final copy-editing

    Configurable Per-Query Data Minimization for Privacy-Compliant Web APIs

    The purpose of regulatory data minimization obligations is to limit personal data to the absolute minimum necessary for a given context. Beyond the initial data collection, storage, and processing, data minimization is also required for subsequent data releases, as it is the case when data are provided using query-capable Web APIs. Data-providing Web APIs, however, typically lack sophisticated data minimization features, leaving the task open to manual and all too often missing implementations. In this paper, we address the problem of data minimization for data-providing, query-capable Web APIs. Based on a careful analysis of functional and non-functional requirements, we introduce Janus, an easy-to-use, highly configurable solution for implementing legally compliant data minimization in GraphQL Web APIs. Janus provides a rich set of information reduction functionalities that can be configured for different client roles accessing the API. We present a technical proof-of-concept along with experimental measurements that indicate reasonable overheads. Janus is thus a practical solution for implementing GraphQL APIs in line with the regulatory principle of data minimization.
    Comment: Preprint version (2022-03-18) This version of the contribution has been accepted for publication at the 22nd International Conference on Web Engineering (ICWE 2022), Bari, Ital

    Blockchain and Internet of Things in smart cities and drug supply management: Open issues, opportunities, and future directions

    Blockchain-based drug supply management (DSM) requires powerful security and privacy procedures for high-level authentication, interoperability, and medical record sharing. Researchers have shown a surprising interest in Internet of Things (IoT)-based smart cities in recent years. By providing a variety of intelligent applications, such as intelligent transportation, industry 4.0, and smart financing, smart cities (SC) can improve the quality of life for their residents. Blockchain technology (BCT) can allow SC to offer a higher standard of security by keeping track of transactions in an immutable, secure, decentralized, and transparent distributed ledger. The goal of this study is to systematically explore the current state of research surrounding cutting-edge technologies, particularly the deployment of BCT and the IoT in DSM and SC. In this study, the defined keywords “blockchain”, “IoT”, “drug supply management”, “healthcare”, and “smart cities” as well as their variations were used to conduct a systematic search of all relevant research articles that were collected from several databases such as Science Direct, JStor, Taylor & Francis, Sage, Emerald insight, IEEE, INFORMS, MDPI, ACM, Web of Science, and Google Scholar. The final collection of papers on the use of BCT and IoT in DSM and SC is organized into three categories. The first category contains articles about the development and design of DSM and SC applications that incorporate BCT and IoT, such as new architecture, system designs, frameworks, models, and algorithms. Studies that investigated the use of BCT and IoT in the DSM and SC make up the second category of research. The third category is comprised of review articles regarding the incorporation of BCT and IoT into DSM and SC-based applications. Furthermore, this paper identifies various motives for using BCT and IoT in DSM and SC, as well as open problems and makes recommendations. The current study contributes to the existing body of knowledge by offering a complete review of potential alternatives and finding areas where further research is needed. As a consequence of this, researchers are presented with intriguing potential to further create decentralized DSM and SC apps as a result of a comprehensive discussion of the relevance of BCT and its implementation.
    © 2023 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/). Peer reviewed.

    The UX of things: exploring UX principles to inform security and privacy design in the smart home

    Smart homes are under attack. Threats can harm both the security of these homes and the privacy of their inhabitants. As a result, in addition to delivering pleasant and aesthetic experiences, smart devices need to protect households from vulnerabilities and attacks. Further, the need for user-centered security and privacy design is particularly important for such an environment, given that inhabitants are demographically-diverse (e.g., age, gender, educational level) and have different skills and (dis)abilities. Prior work has explored different usable security and privacy solutions for smart homes; however, the applicability of user eXperience (UX) principles to security and privacy design is under-explored. This research project aims to address the on-going challenge of security and privacy in the smart home through the lens of UX design. The objective of this thesis is two-fold. First, to investigate how UX factors and principles affect the security and privacy of smart home users. Secondly, to inform product design through the development of an empirically-tested framework for UX design of security and privacy in smart home products. In the first step, we explored the relationship between UX, security, and privacy in smart homes from user and designer perspectives: through (i) conducting a qualitative interview study with smart home users (n=13) and (ii) analyzing an ethnomethodologically informed study of six UK households living in smart homes (n=6); and, we then explored the role of UX in the design of security, privacy and data protection in smart homes through qualitative semi-structured interviews with smart home users, designers and business leaders through two rounds of interviews (n=20, n=20). In the second step, using conceptual framework analysis, we systematically analyzed our previously collected data and the literature to construct a framework of design heuristics for consent and permission in smart homes. 
We applied these heuristics in four participatory co-design workshops and reported on their use. We further analyzed the use of the heuristics through thematic analysis highlighting how the heuristics were used, their purpose, and their effectiveness. By bringing UX design to the smart home security and privacy table, we believe that this research project will have a significant impact on academia, industry, and government organizations. Our thesis will improve design practices for security and privacy in domestic smart devices while addressing wider challenges, opportunities, and future work