Trust Driven Strategies for Privacy by Design

  • Thibaud Antignac
  • Daniel Le Métayer
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 454)


In this paper, we describe a multi-step approach to privacy by design. The main design step is the choice of the types of trust that can be accepted by the stakeholders, which is a key driver for the construction of an acceptable architecture. Architectures can be initially defined in a purely informal way and then mapped into a formal dedicated model. A tool integrating the approach can be used by designers to build and verify architectures. We apply the approach to a case study, an electronic toll pricing system, and show how different solutions can be suggested to the designer depending on different trust assumptions.


Keywords: Personal Data, Formal Framework, Homomorphic Encryption, Privacy Requirement, Integrity Requirement

This work was partially funded by the European project PRIPARE/FP7-ICT-2013-1.5, the ANR project BIOPRIV, and the Inria Project Lab CAPPRIS (Collaborative Action on the Protection of Privacy Rights in the Information Society).


Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

Inria, Université de Lyon, Lyon, France