Online personal data are rarely, if ever, effectively controlled by the users they concern. Worse, as demonstrated by the numerous leaks reported each week, the organizations that store and process them fail to adequately safeguard the required confidentiality. In this paper, we propose pdguard, a framework that defines prototypes and demonstrates an architecture and an implementation that address both problems. In the context of pdguard, personal data are always stored encrypted as opaque objects. Processing them can only be performed through the pdguard application programming interface (api), under data and action-specific authorizations supplied online by third party agents. Through these agents, end-users can easily and reliably authorize and audit how organizations use their personal data. A static verifier can be employed to identify accidental api misuses. Following a security by design approach, pdguard changes the problem of personal data management from the, apparently, intractable problem of supervising processes, operations, personnel, and a large software stack to that of auditing the applications that use the framework for compliance. We demonstrate the framework’s applicability through a reference implementation, by building a pdguard-based e-shop, and by integrating pdguard into the The Guardian newspaper’s website identity application.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Tax calculation will be finalised during checkout.
Subscribe to journal
Immediate online access to all issues from 2019. Subscription will auto renew annually.
Tax calculation will be finalised during checkout.
ABC4Trust EU project: Official website. https://www.abc4trust.eu/index.php. Accessed 9 July 2019
Anderson, R.J.: Security Engineering: A Guide to Building Dependable Distributed Systems, 1st edn. Wiley, New York, NY (2001)
Ateniese, G., Kevin, F., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 9(1), 1–30 (2006)
Barford, P., Canadi, I., Krushevskaja, D., Ma, Q., Muthukrishnan, S.: Adscape: harvesting and analyzing online display ads. In: Proceedings of the 23rd International Conference on World Wide Web, pp. 597–608. ACM, New York, NY, USA (2014)
Barnum, S., Gegick, M.: Design principles. https://buildsecurityin.us-cert.gov/articles/knowledge/principles/design-principles 19 Sept (2005)
Bell, J., Kaiser, G.: Phosphor: illuminating dynamic data flow in commodity JVMS. In: Proceedings of the 2014 ACM International Conference on Object Oriented Programming Systems Languages and Applications, OOPSLA ’14, pp. 83–101. ACM, New York, NY, USA (2014)
Bellovin, S.M.: Thinking Security: Stopping Next Year’s Hackers. Addison-Wesley, Boston (2016)
Berger, S., Cáceres, R., Goldman, K.A., Perez, R., Sailer, R., van Doorn, L.: VTPM: virtualizing the trusted platform module. In: Proceedings of the 15th Conference on USENIX Security Symposium—Volume 15, USENIX-SS’06, Berkeley, CA, USA. USENIX Association (2006)
Brodsky, A., Farkas, C., Jajodia, S.: Secure databases: constraints, inference channels, and monitoring disclosures. IEEE Trans. Knowl. Data Eng. 12, 12 (2000)
Camenisch, J., Lehmann, A., Neven, G., Rial, A.: Privacy-preserving auditing for attribute-based credentials. In: 19th European Symposium on Research in Computer Security—Volume 8713, ESORICS 2014, pp. 109–127. Springer, New York, NY, USA (2014)
Chen, E.Y., Pei, Y., Chen, S., Tian, Y., Kotcher, R., Tague, P.: OAuth demystified for mobile application developers. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 892–903. ACM, New York, NY, USA (2014)
Cohen, F.B.: Defense-in-depth against computer viruses. Comput. Secur. 11(6), 563–579 (1992)
CREDENTIAL: Secure cloud identity wallet. https://credential.eu/. Accessed 09 July 2019
Denning, D.E.R.: An intrusion detection model. IEEE Trans. Softw. Eng. 13(2), 222–232 (1987)
Denning, P.J.: Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, Boston (1990)
Derler, D., Krenn, S., Lornser, T., Ramacher, S., Slamanig, D., Striecks, C.: Revisiting proxy re-encryption: forward secrecy, improved security, and applications. Cryptology ePrint Archive, Report 2018/321 (2018). https://eprint.iacr.org/2018/321
Ding, W., Yan, Z., Deng, R.: Privacy-preserving data processing with flexible access control. IEEE Trans. Dependable Secure Comput. (2017). https://doi.org/10.1109/TDSC.2017.2786247
Doshi, N.: Facebook applications accidentally leaking access to third parties. Technical report, Symantec Corporation (2011) Accessed 10 Feb 2017
Fredrikson, M., Jha, S., Ristenpart, T.: Model inversion attacks that exploit confidence information and basic countermeasures. In: Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, CCS ’15, pp. 1322–1333. ACM, New York, NY, USA (2015)
Geambasu, R., Kohno, T., Levy, A.A., Levy, H.M.: Vanish: increasing data privacy with self-destructing data. In: Proceedings of the 18th Conference on USENIX Security Symposium, pp. 299–316. USENIX Association, Berkeley, CA, USA (2009)
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS ’06, pp. 89–98. ACM, New York, NY, USA (2006)
Grogan, S., McDonald, A.M.: Access denied! contrasting data access in the United States and Ireland. In: Proceedings on Privacy Enhancing Technologies, pp. 191–211. De Gruyter (2016)
Hannak, A., Soeller, G., Lazer, D., Mislove, A., Wilson, C.: Measuring price discrimination and steering on e-commerce web sites. In: Proceedings of the 2014 Internet Measurement Conference, pp. 305–318. ACM, New York, NY, USA (2014)
Howard, M., LeBlanc, D.: Writing Secure Code, 2nd edn. Microsoft Press, Redmond, WA (2003)
International Organization for Standardization. Information technology—Security techniques—Encryption algorithms—Part 3: Block ciphers. ISO, Geneva, Switzerland. ISO/IEC 18033-3:2010 (2010)
Kamp, P.-H.: Linkedin password leak: salt their hide. Queue 10(6), 20:20–20:22 (2012)
Karegar, F., Lindegren, D., Pettersson, J.S., Fischer-Hübner, S.: Assessments of a cloud-based data wallet for personal identity management. In: Information Systems Development: Advances in Methods, Tools and Management—Proceedings of the 26th International Conference on Information Systems Development, ISD 2017, Larnaca, Cyprus, University of Central Lancashire Cyprus, September 6–8 2017 (2017)
Kc, G.S., Keromytis, A.D., Prevelakis, V.: Countering code-injection attacks with instruction-set randomization. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS ’03, pp. 272–280. ACM, New York, NY, USA (2003)
Kirkham, T., Winfield, S., Ravet, S., Kellomaki, S.: The personal data store approach to personal data security. IEEE Secur. Priv. 11(5), 12–19 (2013)
Klein, T.: All your private keys are belong to us. http://trapkit.de/research/sslkeyfinder/keyfinder_v1.0_20060205.pdf 5 Feb (2006)
Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-hashing for message authentication. http://www.ietf.org/rfc/rfc2104.txt Accessed 9 Nov 2015, February 1997. RFC 2104 (Informational)
Lécuyer, M., Spahn, R., Spiliopolous, Y., Chaintreau, A., Geambasu, R., Hsu, D.: Sunlight: fine-grained targeting detection at scale with statistical confidence. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 554–566. Denver, CO, USA, October 12–6, 2015 (2015)
Mazurek, M.L., Komanduri, S., Vidas, T., Bauer, L., Christin, N., Cranor, L.F., Kelley, P.G., Shay, R., Ur, B.: Measuring password guessability for an entire university. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS ’13, pp. 173–186. ACM, New York, NY, USA (2013)
McGraw, G.: Software Security: Building Security. Addison-Wesley Professional, Boston (2006)
Milenkoski, A., Vieira, M., Kounev, S., Avritzer, A., Payne, B.D.: Evaluating computer intrusion detection systems: a survey of common practices. ACM Comput. Surv. 48(1), 12:1–12:41 (2015)
Mundada, Y., Ramachandran, A., Feamster, N.: Silverline: data and network isolation for cloud services. In: Proceedings of the 3rd USENIX Conference on Hot Topics in Cloud Computing, HotCloud’11, p. 13. USENIX Association, Berkeley, CA, USA (2011)
Nair, S.K., Dashti, M.T., Crispo, B., Tanenbaum, A.S.: A hybrid PKI-IBC based ephemerizer system. In: Proceedings of the IFIP TC-11 22nd International Information Security Conference, 14–16 May 2007, Sandton, South Africa, pp. 241–252 (2007)
Narayanan, A., Shmatikov, V.: Myths and fallacies of “personally identifiable information”. Commun. ACM 53(6), 24–26 (2010)
OAuth: An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. http://oauth.net/. Accessed 09 July 2019
OpenID connect main website. https://openid.net/connect/. Accessed 09 July 2019
Pappas, V., Kemerlis, V.P., Zavou, A., Polychronakis, M., Keromytis, A.D.: Cloudfence: data flow tracking as a cloud service. In: Research in Attacks, Intrusions, and Defenses—16th International Symposium, Rodney Bay, St. Lucia, October 23–25, 2013. Proceedings, pp. 411–431 (2013)
Perlman, R., Perlman, R.: The Ephemerizer: making data disappear. J. Inf. Syst. Secur. 1, 51–68 (2005)
Popa, R.A., Redfield, C., Zeldovich, N., Balakrishnan, H.: CryptDB: protecting confidentiality with encrypted query processing. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, pp. 85–100. ACM, New York, NY, USA (2011)
Popa, R.A., Stark, E., Helfer, J., Valdez, S., Zeldovich, N., Kaashoek, M.F., Balakrishnan, H.: Building web applications on top of encrypted data using mylar. In: Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation, pp. 157–172. USENIX Association, Berkeley, CA, USA (2014)
Ray, D., Ligatti, J.: Defining code-injection attacks. In: Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 179–190. ACM, New York, NY, USA (2012)
Ryutov, T., Neuman, C., Kim, D., Zhou, L.: Integrated access control and intrusion detection for web servers. In: Proceedings of the 23rd International Conference on Distributed Computing Systems, p. 394. IEEE, Washington, DC, USA (2003)Computer Society
Ryutov, T., Neuman, C., Kim, D.: Dynamic authorization and intrusion response in distributed systems. In: DARPA Information Survivability Conference and Exposition, 2003. Proceedings, Vol. 1, pp. 50–61. IEEE (2003)
Ryutov, T., Neuman, C.: The specification and enforcement of advanced security policies. In: Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks, pp. 128. IEEE Computer Society, Washington, DC, USA (2002)
Ryutov, T., Zhou, L., Neuman, C., Leithead, T., Seamons, K.E.: Adaptive trust negotiation and access control. In: Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies, pp. 139–146. ACM, New York, NY, USA (2005)
Sabouri, A., Rannenberg, K.: ABC4Trust: protecting privacy in identity management by bringing privacy-abcs into real-life. In: Privacy and Identity Management for the Future Internet in the Age of Globalisation—9th IFIP WG 9.2, 9.5, 9.6/11.7, 11.4, 11.6/SIG 9.2.2 International Summer School, Patras, Greece, September 7–12, 2014, Revised Selected Papers, pp. 3–16 (2014)
Schneier, B.: Secrets & Lies: Digital Security in a Networked World. Wiley, New York (2000)
Shokri, R., Stronati, M., Shmatikov, V.: Membership inference attacks against machine learning models. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 3–18 (2017)
Smith, N., Van Bruggen, D., Tomassetti. F.: Visited. Leanpub, JavaParser (2017)
Song, D., Shi, E., Fischer, I., Shankar, U.: Cloud data protection for the masses. Computer 45(1), 39–45 (2012)
Spiekermann, S.: The challenges of privacy by design. Commun. ACM 55(7), 38–40 (2012)
Spinellis, D.: Reflection as a mechanism for software integrity verification. ACM Trans. Inf. Syst. Secur. 3(1), 51–62 (2000)
Stolfo, S., Bellovin, S.M., Keromytis, A.D., Sinclair, S., Smith, S.W., Hershkop, S.: Insider Attack and Cyber Security: Beyond the Hacker (Advances in Information Security), 1st edn. Springer, Santa Clara, CA (2008)
Stytz, M.R.: Considering defense in depth for software applications. IEEE Secur. Priv. 2(1), 72–75 (2004)
Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 372–382. ACM, New York, NY, USA (2006)
The European Union General Data Protection Regulation (GDPR). http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf (2016). Accessed 30 Sept 2018
The Guardian Media Group. http://www.theguardian.com/gmg. Accessed 30 Sept 2018
The Guardian. The source code of the world’s leading liberal voice. https://github.com/guardian. Accessed 30 Sept 2018
United States Department Of Veterans Affairs. Management of data breaches involving sensitive personal information (SPI). http://www.va.gov/vapubs/viewPublication.asp?Pub_ID=608. 6 Jan (2012)
User managed access: Created by kantara initiative staff. https://kantarainitiative.org/confluence/display/LC/User+Managed+Access. Accessed 05 July 2019
Viega, J., McGraw, G.: Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley, Boston, MA (2001)
Winslett, M., Lee, A., Olson, L., Rosulek, M.: TrustBuilder: negotiating trust in dynamic coalitions. In: DARPA Information Survivability Conference and Exposition, 2003. Proceedings, VOL. 2, pp. 49–51. IEEE (2003)
Yu, S., Wang, C., Ren, K., Lou, W.: Achieving secure, scalable, and fine-grained data access control in cloud computing. In: Proceedings of the 29th Conference on Information Communications, INFOCOM’10, pp. 534–542. IEEE Press, Piscataway, NJ, USA (2010)
We would like to thank Amit Levy, Panos Louridas, Thodoris Mavrikis, Theofilos Petsios, and George Argyros for their insightful comments.
This work has received funding from the eu’s Horizon 2020 research and innovation programme under Grant Agreement No 825328 and the Research Centre of the Athens University of Economics and Business, under the Original Scientific Publications framework 2019 (Project er-3074-01).
Conflict of interest
The authors declare that they have no conflict of interest.
This article does not contain any studies with human participants or animals performed by any of the authors.
The source code of our framework is available as open-source software at https://github.com/AUEB-BALab/PDGuard.
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Partial work by Dimitris Mitropoulos was done while at the Department of Computer Science of Columbia University in the City of New York.
In the following, we describe the user interface provided by our escrow agent reference implementation. Through this interface, data subjects can set or edit authorization rules, and monitor the actions performed on their data.
Data subjects can easily render their data inaccessible or set new allowable actions. Figure 10 illustrates a pop-up window that data subjects see when they attempt to define such rules for a specific data controller (“The Guardian” in this example). Notably, pdguard’s data type hierarchy allows data subjects to set one rule for multiple types of data via grouping.
A data subject can view which data controllers perform actions on which data types. For instance, in Fig. 11, Alice observes that “The Guardian” uses three different data types, namely: her given name, her surname, and her address. By clicking on the magnifier image Alice can view all the related uses or updates that the data controller may perform on her data and the corresponding validity period. For example, in Fig. 12 we see that “The Guardian” can use Alice’s surname for analytics and reporting from February 26, 2017 to March 8 2019.
Data subjects can monitor all the actions that the various applications perform on their personal data, through the authorization logs that the escrow agent provides. Figure 13 illustrates all the actions that were performed on the personal data of Alice, by The Guardian’s “frontend” application, for a specific period of time. The logs also include the interaction purpose the date and the time that the action took place. Finally, the data subject can check if the action was permitted or not.
About this article
Cite this article
Mitropoulos, D., Sotiropoulos, T., Koutsovasilis, N. et al. PDGuard: an architecture for the control and secure processing of personal data. Int. J. Inf. Secur. 19, 479–498 (2020). https://doi.org/10.1007/s10207-019-00468-5
- Personal data
- Software architecture
- Encrypted data