Privacy-Preserving Transparency-Enhancing Tools

Tobias Pulls

Licentiate thesis | Karlstad University Studies | 2012:57

Computer Science, Faculty of Economic Sciences, Communication and IT


Distribution: Karlstad University, Faculty of Economic Sciences, Communication and IT, Computer Science, SE-651 88 Karlstad, Sweden, +46 54 700 10 00

© the author

ISBN 978-91-7063-469-7

Print: Universitetstryckeriet, Karlstad 2012

ISSN 1403-8099



Tobias Pulls, Department of Computer Science, Karlstad University, Sweden

Abstract

Transparency is a key principle in democratic societies. For example, the public sector is in part kept honest and fair with the help of transparency through different freedom of information (FOI) legislations. In the last decades, while FOI legislations have been adopted by more and more countries worldwide, we have entered the information age enabled by the rapid development of information technology. This has led to the need for technological solutions that enhance transparency, for example to ensure that FOI legislation can be adhered to in the digital world. These solutions are called transparency-enhancing tools (TETs), and consist of both technological and legal tools. TETs, and transparency in general, can be in conflict with the privacy principle of data minimisation. The goal of transparency is to make information available, while the goal of data minimisation is to minimise the amount of available information.

This thesis presents two privacy-preserving TETs: one cryptographic system for enabling transparency logging, and one cryptographic scheme for storing the data for the so-called Data Track tool at a cloud provider. The goal of the transparency logging TET is to make data processing by data controllers transparent to the user whose data is being processed. Our work ensures that the process in which the data processing is logged does not leak sensitive information about the user, and that the user can anonymously read the information logged on their behalf. The goal of the Data Track is to make it transparent to users which data controllers they have disclosed data to under which conditions. Furthermore, the Data Track intends to empower users to exercise their rights, online and potentially anonymously, with regard to their disclosed data at the recipient data controllers. Our work ensures that the data kept by the Data Track can be stored at a cloud storage provider, enabling easy synchronisation across multiple devices, while preserving the privacy of users by making their storage anonymous toward the provider and by enabling users to hold the provider accountable for the data it stores.
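The two goals the abstract states for the transparency logging TET (the logging process must not leak who an entry is about, and the user must be able to read the entries anonymously) can be made concrete with a small construction. The following is an added illustration, not code from the thesis or from the appended papers, and it is a deliberately simplified scheme rather than the one the thesis specifies. It assumes that the user and the data controller share a secret at the time of data disclosure, ratchets that secret one-way per log entry (so a later compromise of the controller does not reveal identifiers or keys of earlier entries), derives an opaque per-entry identifier and encryption key from each ratchet state, and hash-chains the entries for integrity. The log server is modelled as a dictionary and the logged messages are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical construction for illustration only; not the scheme from the thesis.
# Controller and user share `shared_secret` at disclosure time. Every entry is
# stored under an identifier that is a PRF output, so the log server sees neither
# a user name nor anything linking two entries of the same user.


def _prf(key: bytes, label: bytes) -> bytes:
    """Keyed derivation: HMAC-SHA256 used as a pseudorandom function."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt by XOR with a SHA-256 counter-mode keystream.
    Each entry gets a fresh key, so a keystream is never reused."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class LogEntry:
    ident: bytes       # opaque to the log server; unlinkable to the user or other entries
    ciphertext: bytes  # encrypted description of the processing step
    chain: bytes       # SHA-256 over previous chain value, ident and ciphertext


class ControllerLogger:
    """Data-controller side. Holds only the *current* per-user state; after
    each entry the state is ratcheted one-way, so compromising the controller
    later does not reveal identifiers or keys of entries already written."""

    def __init__(self, shared_secret: bytes, server: Dict[bytes, LogEntry]):
        self._state = shared_secret
        self._chain = b"\x00" * 32   # chain head; may be public
        self._server = server        # dict stands in for the log server

    def log(self, message: bytes) -> LogEntry:
        self._state = _prf(self._state, b"ratchet")      # forward-secure step
        ident = _prf(self._state, b"identifier")
        ciphertext = _xor_keystream(_prf(self._state, b"encryption"), message)
        self._chain = hashlib.sha256(self._chain + ident + ciphertext).digest()
        entry = LogEntry(ident, ciphertext, self._chain)
        self._server[ident] = entry
        return entry


def user_read_log(shared_secret: bytes, server: Dict[bytes, LogEntry],
                  limit: int = 10_000) -> List[bytes]:
    """User side: replay the ratchet from the shared secret, fetch each entry
    by its opaque identifier (the server only ever sees identifiers), verify
    the hash chain and decrypt. Raises on a tampered or reordered entry and
    stops at the first identifier the server does not hold."""
    state, chain, messages = shared_secret, b"\x00" * 32, []
    for _ in range(limit):
        state = _prf(state, b"ratchet")
        ident = _prf(state, b"identifier")
        entry: Optional[LogEntry] = server.get(ident)
        if entry is None:
            break
        expected = hashlib.sha256(chain + ident + entry.ciphertext).digest()
        if not hmac.compare_digest(expected, entry.chain):
            raise ValueError("log entry tampered with or out of order")
        chain = expected
        messages.append(_xor_keystream(_prf(state, b"encryption"), entry.ciphertext))
    return messages


def demo() -> List[bytes]:
    """Constructed run: three processing steps logged for one user, read back."""
    server: Dict[bytes, LogEntry] = {}
    secret = hashlib.sha256(b"constructed shared secret for alice").digest()
    logger = ControllerLogger(secret, server)
    for step in (b"received address and phone number",
                 b"shared address with shipping partner",
                 b"deleted phone number after 30 days"):
        logger.log(step)
    return user_read_log(secret, server)


if __name__ == "__main__":
    for line in demo():
        print(line.decode())
```

Two caveats a practitioner should keep in mind. Unlinkability toward the server here rests only on the identifiers being PRF outputs; the access pattern (which identifiers are fetched from which network address, and when) is a separate channel that this construction does nothing about, so anonymous reads in practice also need an anonymising transport. The hand-rolled XOR keystream provides confidentiality only, with integrity coming from the chain; a real deployment would use an AEAD mode for each entry instead.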

Keywords: Transparency-Enhancing Tools, Privacy by Design, applied cryptography, anonymity, unlinkability.


Acknowledgements

It is commonly said that you learn the most when you surround yourself with better people than yourself. My time at Karlstad University in the PriSec research group, working in the PrimeLife project and within the realm of a Google research award, has convinced me of the truth of this saying. Without the help and influence of several people the work presented in this thesis would never have happened.

First and foremost, I am grateful to my supervisor Simone Fischer-Hübner and my co-supervisor Stefan Lindskog. Their support and constructive advice have kept me on the right track and focused on the task at hand. Thank you Hans Hedbom for being my, from my point of view, informal supervisor when I first got hired at the department. Without your guidance I would not have gotten into the PhD program, or hired in the first place.

Thank you to my colleagues at the Department of Computer Science that have provided me with a wonderful working environment; be it in form of rewarding discussions on obscure topics, or the regular consumption of sub-par food on Fridays during lunch followed by delicious cake. In particular, I would like to thank Stefan Berthold, Philipp Winter, and Julio Angulo for the fruitful, and often ad hoc[1], discussions and collaborations.

I would also like to thank all the inspirational researchers I have had the opportunity to collaborate with as part of the different projects the PriSec group has participated in. My experiences in PrimeLife, HEICA, U-PrIM, and with Google have helped me grow as a research student. In particular, I am grateful for the collaboration with Karel Wouters. I hope our work will continue, just as it has so far, even though PrimeLife ended over a year ago.

Last, but not least; to my family and friends, outside of work, thank you for all of your support over the years. I am in your debt.

The work in this thesis was a result of research funded by the European Community's Seventh Framework Programme (FP7/2007-2013) under grant agreement number 216483, and a Google research award on Usable Privacy and Transparency Tools.

    Karlstad, December 2012 Tobias Pulls

[1] Initiated by stuffed animals or balls being thrown in different directions.


List of Appended Papers

A. Tobias Pulls, Karel Wouters, Jo Vliegen, and Christian Grahn. Distributed Privacy-Preserving Log Trails. In Karlstad University Studies, Technical Report 2012:24, Department of Computer Science, Karlstad University, Sweden, 2012.

B. Hans Hedbom and Tobias Pulls. Unlinking Database Entries: Implementation Issues in Privacy Preserving Secure Logging. In Proceedings of the 2nd International Workshop on Security and Communication Networks (IWSCN 2010), pp. 1–7, Karlstad, Sweden, May 26–28, IEEE, 2010.

C. Tobias Pulls. (More) Side Channels in Cloud Storage: Linking Data to Users. In Privacy and Identity Management for Life: Proceedings of the 7th IFIP WG 9.2, 9.6/11.7, 11.4, 11.6/PrimeLife International Summer School, Trento, Italy, September 2011, Revised Selected Papers, pp. 102–115, IFIP AICT 375, Springer, 2012.

D. Tobias Pulls. Privacy-Friendly Cloud Storage for the Data Track: An Educational Transparency Tool. In Secure IT Systems: Proceedings of the 17th Nordic Conference (NordSec 2012), Karlskrona, Sweden, October 31–November 2, Springer LNCS, 2012.

Comments on my Participation

Paper A: This technical report was joint work by four authors. Karel Wouters and I collaborated on the bulk of the work. I came up with the idea of cascading and wrote all the algorithms defining the (non-auditable) system, including the specification for a trusted state. Karel made the system auditable, performed a thorough investigation of related work, and wrote the proof for cascading. Jo Vliegen and Christian Grahn contributed with a description of their respective proof-of-concept hardware and software implementations.

Paper B: This paper was a collaboration with Hans Hedbom. We identified the problem area as part of my Master's thesis, and jointly came up with the different versions of the shuffler algorithm. I performed the experiments, while Hans was the driving force behind writing the paper.

Paper C: I was the sole author of this paper. As acknowledged in the paper, I received a number of useful comments from Simone Fischer-Hübner, Stefan Lindskog, Stefan Berthold, and Philipp Winter.

Paper D: I was the sole author of this paper. I received a number of useful comments from Stefan Berthold, Simone Fischer-Hübner, Stefan Lindskog, and Philipp Winter.

    Some of the appended papers have been subject to minor editorial changes.


Selection of Other Peer-Reviewed Publications

Jo Vliegen, Karel Wouters, Christian Grahn and Tobias Pulls. Hardware Strengthening a Distributed Logging Scheme. In Proceedings of the 15th Euromicro Conference on Digital System Design, Cesme, Izmir, Turkey, September 5–8, IEEE, 2012. To appear.

Julio Angulo, Simone Fischer-Hübner, Erik Wästlund, and Tobias Pulls. Towards Usable Privacy Policy Display & Management for PrimeLife. Information Management & Computer Security, Volume 20, Issue 1, pp. 4–17, Emerald, 2012.

Hans Hedbom, Tobias Pulls, and Marit Hansen. Transparency Tools. In Jan Camenisch, Simone Fischer-Hübner, and Kai Rannenberg (eds.), Privacy and Identity Management for Life, 1st Edition, pp. 135–143, Springer, 2011.

Julio Angulo, Simone Fischer-Hübner, Tobias Pulls, and Ulrich König. HCI for Policy Display and Administration. In Jan Camenisch, Simone Fischer-Hübner, and Kai Rannenberg (eds.), Privacy and Identity Management for Life, 1st Edition, pp. 261–277, Springer, 2011.

Hans Hedbom, Tobias Pulls, Peter Hjärtquist, and Andreas Lavén. Adding Secure Transparency Logging to the PRIME Core. In Privacy and Identity Management for Life: 5th IFIP WG 9.2, 9.6/11.7, 11.4, 11.6/PrimeLife International Summer School, Nice, France, Revised Selected Papers, pp. 299–314, Springer, 2010.

Selected Contributions to Project Deliverables

Tobias Pulls, Hans Hedbom, and Simone Fischer-Hübner. Data Track for Social Communities: the Tagging Management System. In Erik Wästlund and Simone Fischer-Hübner (eds.), End User Transparency Tools: UI Prototypes, PrimeLife Deliverable 4.2.2, 2010.

Tobias Pulls and Simone Fischer-Hübner. Policy Management & Display Mockups: 4th Iteration Cycle. In Simone Fischer-Hübner and Harald Zwingelberg (eds.), UI Prototypes: Policy Administration and Presentation Version 2, PrimeLife Deliverable 4.3.2, 2010.

Tobias Pulls and Hans Hedbom. Privacy Preferences Editor. In Simone Fischer-Hübner and Harald Zwingelberg (eds.), UI Prototypes: Policy Administration and