Transparent Personal Data Processing: The Road Ahead

  • Piero Bonatti
  • Sabrina Kirrane
  • Axel Polleres
  • Rigo Wenning
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10489)

Abstract

The European General Data Protection Regulation defines a set of obligations for personal data controllers and processors. Primary obligations include: obtaining explicit consent from the data subject for the processing of personal data, providing full transparency with respect to the processing, and enabling data rectification and erasure (albeit only in certain circumstances). At the core of any transparency architecture is the logging of events in relation to the processing and sharing of personal data. The logs should enable verification that data processors abide by the access and usage control policies that have been associated with the data based on the data subject’s consent and the applicable regulations. In this position paper, we: (i) identify the requirements that need to be satisfied by such a transparency architecture, (ii) examine the suitability of existing logging mechanisms in light of said requirements, and (iii) present a number of open challenges and opportunities.

Notes

Acknowledgments

Supported by the European Union’s Horizon 2020 research and innovation programme under grant 731601.


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Piero Bonatti (1)
  • Sabrina Kirrane (2)
  • Axel Polleres (2, 3)
  • Rigo Wenning (4)

  1. Universita’ di Napoli Federico II, Naples, Italy
  2. Vienna University of Economics and Business, Vienna, Austria
  3. Complexity Science Hub Vienna, Vienna, Austria
  4. W3C, Sophia-Antipolis, France
