Privacy in Business Processes by Identity Management
-
Upload
sven-wohlgemuth -
Category
Internet
-
view
368 -
download
0
Transcript of Privacy in Business Processes by Identity Management
PrivacyPrivacy in Business in Business ProcessesProcesses bybyIdentityIdentity ManagementManagement
IST 2006, Helsinki, November 23IST 2006, Helsinki, November 23rdrd, 2006, 2006
Sven WohlgemuthProf. Dr. Günter Müller
Albert-Ludwig University of Freiburg, GermanyInstitute of Computer Science and Social Studies
Department of Telematicshttp://www.telematik.uni-freiburg.de
http://www.telematik.uni-freiburg.de 2Sven Wohlgemuth <[email protected]>
IIG TelematicsProf. Dr. Günter Müller
Computer science(7 assistants)
Privacy &security E-Commerce Economics
(7 assistants)
• iManager: Security and usability by identity management (CeBIT 2003, doIT Software-Award2003)
• Int. Conference on Emerging Trends in Information and Communication Security (ETRICS)2006
• Editor of CACM special issue “Privacy and Security in Highly Dynamic Systems”, Sept. 2006
• Electronic Commerce Enquête 2005: Use of IT in German enterprises
• Coordination of German Priority Programme “Security in the Information and CommunicationTechnology”
• Coordination of FIDIS NoE work package “Privacy in Business Processes”
http://www.telematik.uni-freiburg.de 3Sven Wohlgemuth <[email protected]>
43,6%37,3% 34,4% 34,2%
22,6% 20,9%
44,3%46,8% 49,8% 47,7%
56,7% 58,4%
12,0% 16,0% 15,8% 18,1% 20,7% 20,7%
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
no
medium
high
Costly integrationin processes
Expected neg.reaction since
privacyviolation
Doubts wrt.data
protectionlaws
Low customeracceptance
Other legaldoubts
Pot. lossof reputation
http://www.telematik.uni-freiburg.de/ece.php
SurveySurvey forfor Germany (ECE IV)Germany (ECE IV)Most Most ImportantImportant BarriersBarriers forfor PersonalizedPersonalized ServicesServices
http://www.telematik.uni-freiburg.de 4Sven Wohlgemuth <[email protected]>
I want a car
Car
Service 1
Service 2
Challenge: User-controlled disclosure of personal data
I need money
Money
Profile 1
Profile 2
Jendricke, U., Gerd tom Markotten, D.: Usability meets Security - The Identity-Manager as your Personal Security Assistant for the Internet, ACSAC, 2000
Problem 1: Linkability of Problem 1: Linkability of ProfilesProfiles
Personalised services:Conscious data collection
Creating profiles
Tracing an user byidentifying data
U=
profile
Drivinglicence
Stella FreiburgerClasses: ABEFriedrichstr. 50D-79098 FreiburgGermanyIP: 132.15.16.3
Drivinglicence
Stella FreiburgerClasses: ABEFriedrichstr. 50D-79098 FreiburgGermanyIP: 132.15.16.3
Drivinglicence
Stella FreiburgerClasses: ABEFriedrichstr. 50D-79098 FreiburgGermanyIP: 132.15.16.3
Drivinglicence
Stella FreiburgerClasses: ABEFriedrichstr. 50D-79098 FreiburgGermanyIP: 132.15.16.3
Identity management (e.g. Freiburg iManager)
http://www.telematik.uni-freiburg.de 5Sven Wohlgemuth <[email protected]>
Wohlgemuth, S., Müller, G.: Privacy with Delegation of Rights by Identity Management, LNCS 3995, 2006
Need medicalhelp
TherapyService 1
Blood analysis of P
ResultService 2 …
Person
Person
Profile 2Profile1+2+…
Big Brother
Loss of control• All-or-nothing delegation
• DREISAM: Protocol for unlinkable delegation of rights on personal data
Problem 2: Delegation of Problem 2: Delegation of ProfilesProfilesChallenge: User-controlled disclosure and use of personal data
Drivinglicence
Stella FreiburgerClasses: ABEFriedrichstr. 50D-79098 FreiburgGermanyIP: 132.15.16.3
Drivinglicence
Stella FreiburgerClasses: ABEFriedrichstr. 50D-79098 FreiburgGermanyIP: 132.15.16.3
Drivinglicence
Stella FreiburgerClasses: ABEFriedrichstr. 50D-79098 FreiburgGermanyIP: 132.15.16.3
Drivinglicence
Stella FreiburgerClasses: ABEFriedrichstr. 50D-79098 FreiburgGermanyIP: 132.15.16.3
http://www.telematik.uni-freiburg.de 6Sven Wohlgemuth <[email protected]>
Service 1
Profile 1
RFID data
Sensordata
Policydata
Video data
AmI changes collection:Conscious communication
Unawarehuman-machinecommunication
User has no control on disclosureof personal data
…
Sackmann, S., Strüker, J., Accorsi, R.: Personalization in Privacy-Aware Highly Dynamic Systems, CACM 49(9), 2006
Challenge: Avoidance of loss of control on personal data
Problem 3: Unaware Collection of ProfilesProblem 3: Unaware Collection of Profiles
http://www.telematik.uni-freiburg.de 7Sven Wohlgemuth <[email protected]>
OurOur Approach: Approach: PrivacyPrivacy EvidenceEvidence
Accorsi, R.: On the Relationship of Privacy and Secure Remote Logging in Dynamic Systems, IFIP/SEC 2006
http://www.telematik.uni-freiburg.de 8Sven Wohlgemuth <[email protected]>
Contact me!
Sven WohlgemuthE-Mail [email protected] http://www.telematik.uni-freiburg.de
LookingLooking forfor PartnersPartnersChallenge: Avoidance of loss of control on personal data
Privacy evidences
Flexible privacy policy
Usable secureinterfaces
Delegation
Secure logging & audit
Watch this space!