A Formal Approach for Inspecting Privacy and Trust in Advanced Electronic Services
Advanced information processing technologies are often applied to large profiles and result in detailed behavior analysis. Moreover, under the pretext of increased personalization and strong accountability, organizations exchange information to compile even larger profiles. However, the user is unaware of the amount and type of personal data kept in these profiles, partly because service consumption involves interactions between multiple organizations.
In this paper, a formal approach to inspecting privacy and trust in advanced electronic services is presented. It can express the access and privacy policies of service providers, and it formally models the privacy properties of multiple authentication technologies. From this, meaningful privacy properties can be derived under varying trust assumptions. Feedback is produced through automated reasoning and is useful to both users and system designers. To demonstrate its practicality, the approach is applied to the design of a travel reservation system.
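As an added illustration (not the paper's own IDP model or code), the following Python sketch shows the kind of reasoning the abstract describes: providers' access policies and the disclosure and linkability properties of two authentication technologies are encoded as data, trust assumptions are given as coalitions of providers assumed to pool their data, and the script derives the largest profile each coalition can compile and whether each provider can recognise a user across sessions. The provider names, policies, sample user, identifying-attribute set and technology properties are all constructed assumptions for the example.

```python
"""Toy inspection of privacy under varying trust assumptions.

Added illustration in the spirit of the approach described above; it is NOT
the paper's IDP model. Technology properties, provider names, policies and
the sample user are constructed for this example.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Simplified privacy properties of two authentication technologies (assumed):
# an X.509 certificate reveals every attribute it carries and its serial/key
# links all of its showings; an anonymous credential (idemix/U-Prove style)
# reveals only the attributes a policy asks for and its showings are not
# linkable by themselves.
TECHNOLOGIES: Dict[str, Dict[str, bool]] = {
    "x509": {"selective_disclosure": False, "showings_linkable": True},
    "anon_cred": {"selective_disclosure": True, "showings_linkable": False},
}

# Constructed sample credential of one user.
USER: Dict[str, str] = {
    "name": "alice", "birthdate": "1990-05-01",
    "nationality": "BE", "frequent_flyer": "FF123",
}
# Attributes assumed to identify the user on their own (and so link sessions).
IDENTIFYING: Set[str] = {"name", "frequent_flyer"}

# Access policies: attributes each provider in a travel scenario demands (constructed).
POLICIES: Dict[str, List[str]] = {
    "airline": ["nationality", "frequent_flyer"],
    "hotel": ["birthdate", "name"],
    "payment": ["name", "frequent_flyer"],
    "insurer": ["birthdate"],
}

View = Tuple[FrozenSet[str], FrozenSet[str]]  # (attributes learned, linking handles)
Profile = Tuple[FrozenSet[str], FrozenSet[str]]  # (providers merged, attributes)


def view(provider: str, tech: str, policies: Dict[str, List[str]] = POLICIES) -> View:
    """What one provider learns from a single authenticated session."""
    props = TECHNOLOGIES[tech]
    attrs = set(policies[provider]) if props["selective_disclosure"] else set(USER)
    handles = attrs & IDENTIFYING
    if props["showings_linkable"]:
        handles.add("credential_id")  # the certificate itself is a global handle
    return frozenset(attrs), frozenset(handles)


def linkable(provider: str, tech: str, policies: Dict[str, List[str]] = POLICIES) -> bool:
    """Can the provider recognise the same user across separate sessions?"""
    return bool(view(provider, tech, policies)[1])


def merged_profiles(coalition: Iterable[str], tech: str,
                    policies: Dict[str, List[str]] = POLICIES) -> List[Profile]:
    """Profiles a coalition of colluding providers can compile: two views merge
    when they share a linking handle (connected components over shared handles)."""
    views = {p: view(p, tech, policies) for p in coalition}
    remaining = set(views)
    profiles: List[Profile] = []
    while remaining:
        start = remaining.pop()
        component, frontier = {start}, [start]
        while frontier:
            p = frontier.pop()
            for q in list(remaining):
                if views[p][1] & views[q][1]:
                    remaining.remove(q)
                    component.add(q)
                    frontier.append(q)
        attrs = frozenset().union(*(views[p][0] for p in component))
        profiles.append((frozenset(component), attrs))
    return profiles


def largest_profile(coalition: Iterable[str], tech: str,
                    policies: Dict[str, List[str]] = POLICIES) -> FrozenSet[str]:
    """The most complete profile any merged group inside the coalition holds."""
    return max((attrs for _, attrs in merged_profiles(coalition, tech, policies)), key=len)


def inspect_privacy(tech: str, trust_assumptions: Iterable[Set[str]],
                    policies: Dict[str, List[str]] = POLICIES) -> Dict[FrozenSet[str], FrozenSet[str]]:
    """For each trust assumption (providers assumed to pool data), the largest profile."""
    return {frozenset(c): largest_profile(c, tech, policies) for c in trust_assumptions}


if __name__ == "__main__":
    trust = [{"airline"}, {"airline", "hotel"}, set(POLICIES)]
    for tech in TECHNOLOGIES:
        print(f"== {tech} ==")
        for coalition, profile in inspect_privacy(tech, trust).items():
            print(f"  {sorted(coalition)} can compile {sorted(profile)}")
        for provider in POLICIES:
            print(f"  {provider} links sessions: {linkable(provider, tech)}")
    # Design feedback: stop asking for the name at the payment step and the
    # bridge between the airline's and the hotel's views disappears.
    fixed = dict(POLICIES, payment=["frequent_flyer"])
    print("anon_cred, all providers colluding, fixed payment policy:",
          sorted(largest_profile(set(fixed), "anon_cred", fixed)))
```

Re-running with a policy that no longer asks the payment provider for the name shrinks the profile the full coalition can compile, because the payment provider was the only party holding both linking handles; this is the kind of design feedback the abstract says the approach produces for system designers.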
Keywords: privacy, trust, electronic services, modeling