Enhancing Public Digital Identity System (SPID) to Prevent Information Leakage

  • Francesco Buccafurri (corresponding author)
  • Lidia Fotia
  • Gianluca Lax
  • Rocco Mammoliti
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9265)


Public Digital Identity System (SPID) is the Italian government framework, compliant with the EU eIDAS regulatory environment, aimed at implementing electronic identification and trust services in e-government and business applications. In this federated identity management framework, digital identities are issued by digital identity providers upon application by the interested party. Users then authenticate to service providers, which are public or private organizations providing a service to authorized users, provided that these providers adhere to SPID. A drawback that could limit the actual adoption of this framework is that, although identity providers and service providers may be competing private companies, SPID authentication leaks information about the customers of identity providers. To overcome this potential limitation, in this paper we propose a modification of SPID that allows user authentication while preserving the anonymity of the identity provider that grants the authentication credentials. This way, information leakage about customers of identity providers is fully prevented.



This work has been partially supported by the TENACE PRIN Project (n. 20103P34XC) funded by the Italian Ministry of Education, University and Research and by the Program “Programma Operativo Nazionale Ricerca e Competitività” 2007-2013, Distretto Tecnologico CyberSecurity funded by the Italian Ministry of Education, University and Research.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Francesco Buccafurri (1, corresponding author)
  • Lidia Fotia (1)
  • Gianluca Lax (1)
  • Rocco Mammoliti (2)
  1. DIIES, University Mediterranea of Reggio Calabria, Reggio Calabria, Italy
  2. Security and Safety, Poste Italiane S.p.A., Roma, Italy
