Towards Accountable Management of Privacy and Identity Information


Towards Accountable Management of Privacy and Identity Information
Marco Casassa Mont, Siani Pearson, Pete Bramhall
Trusted Systems Laboratory, Hewlett-Packard Labs, Bristol, UK
ESORICS 2003, 13-15 October 2003, Gjovik, Norway

Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK

Presentation Outline
- Problem Outline
- Related Work
- Privacy Management Model
- Realisation
- Discussion
- Conclusions

11/05/2019 Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK

Privacy and Identity Information

Diagram labels: Person Profiles; E-Commerce; Government; Business; Personal.

- Digital Identities and Profiles are relevant to enable transactions and interactions on the web, in many contexts: personal, social, business, government, etc.
- Privacy Management is a major issue: it involves people, organisations, governments, etc.
- Different reactions by people, ranging from "completely ignoring the privacy issues" to "being so concerned as to prevent any web interaction".

Speaker notes: The user interacts with multiple services and sends them personal data, but how do they protect it? How can they specify how they want their data to be treated? The service will no doubt create a database full of personal data, but how does it deal with that data? Can it just ship it to others? What view and control can we give the user, and how much say do they have in how their data is used?

Scenario: Multiparty Interactions

Diagram: a Multiparty Transaction / Interaction between the User, Government Services, Finance Services and Data Services, with Negotiation of Privacy Policy, Provision of Identity & Profile Data, Identity/Profile Disclosure, and Services Policies.

- Little has been done so far to directly involve people (or third parties acting on their behalf) in the management of their privacy.
- Users lack control over their personal information after their initial disclosures.
- Organisations, as well, lack control over the confidential information they manage on behalf of their customers, once they disclose it to third parties.
- It is hard to make organisations accountable.

Key aspects: Privacy Enforcement (Enterprise Enforcement); Accountability of Organisations (Enterprise Accountability); Involvement of People in the Management of their Personal Data (User Specification).

Related Work

Diagram labels: Legal (EU vs US; proof, evidence, prosecution? who controls?); EPAL (enterprise enforcement tools); P3P (point to point; enforcement?); Identity Services (e.g. MS Passport, privacy seal, predefined policies, closed club); Personal Data (user understanding).

- A lot of work has been done to provide Legislative Frameworks for Privacy, with different legislative approaches (for example US vs. EU). Privacy and Data Protection laws are hard to enforce when personal information spreads across boundaries. In general users have little understanding or knowledge of privacy laws and their implications.
- W3C approach on Platform for Privacy Preferences (P3P): simple policies, point-to-point interactions. Little control on the fulfilment of these policies (at least, in the current implementations).
- Liberty Alliance and Microsoft Passport: Identity and Privacy Management based on a closed web of trust and predefined policies.
- IBM's work on Enterprise Privacy Authorization Language (EPAL) and related Privacy Framework: association of fine-grained Privacy Policies (Sticky Policies) to personal data; enforcement of Privacy Policies by the Enterprise.

Current Open Issues:
- Policy "Stickiness" is not enforceable;
- Too much trust in the enterprise;
- Leakages of personal data can still happen;
- Little user involvement.

The above issues are very hard to address!


Privacy Management Model

Diagram: User – Transaction – Enterprise (User DB with policies P); Tracing and Audit Authority; User Involvement; Enforcement; Accountable?; Transparency; Evidence; Policy Compliance.

- "Sticky" Privacy Policies strongly associated to Identity Information
- Mechanisms for strong (but not impregnable) enforcement of privacy policies
- Mechanisms to increase the Accountability of the involved parties
- Mechanisms to allow people to be more involved in the management of their data (if they want to ...)

- Confidentiality of Data: obfuscation of confidential data.
- Strong Association of Privacy Policies to Confidential Data: "tamper resistant" policies associated to data; "Stickiness" guaranteed at least till the first disclosure.
- Policy Compliance Check and Enforcement: by trusted Tracing & Auditing Authorities (TAAs) and Trusted Platforms + OSs.
- Accountability Management: auditing and tracing of disclosures by the TAA (used as evidence).
- User Involvement: policy authoring, notification, authorization.

Multi-Party Scenario

Diagram: a Multiparty Transaction / Interaction between the User, the Enterprise (Policies, Data, Services), further parties shown as "?", and the Tracing and Auditing Authorities (TAAs). Numbered steps as labelled in the diagram:
1. Negotiation of Privacy Policy (User – Enterprise)
2. Obfuscated Data + Sticky Privacy Policies (User – Enterprise)
3. Request for Disclosure of Data + Sticky Privacy Policies, with Credentials (Enterprise – TAA)
4. Checking for Integrity and Trustworthiness of Remote Environment (TAA)
5. Request for Authorization or Notification (TAA – User)
6. Obfuscated Data + Sticky Privacy Policies (shown at each of the further "?" parties)
7. (arrow between the further parties and the TAAs; label not preserved in the transcript)
8. Decryption Key (if Authorised) (TAA – Enterprise)

Privacy Model -- Summary

User Centric:
- Specifies Policies
- Binds them with their profile

TAA – aids user:
- Manages and records release of data
- Transparency aids accountability
- Validates and records enforcement mechanism

Enterprise:
- Makes audited promises concerning personal data
- Allows validation and assessment of enforcement mechanism
- Can still abuse privacy


Realisation Issues

Diagram: the Privacy Management Model (User – Transaction – Enterprise with User DB and policies P; Tracing and Audit Authority; User Involvement; Enforcement; Policy Compliance; Evidence), annotated with the two realisation issues and the technology addressing each:
- Strong Binding of Policy and Data: IBE
- Enforcement Verifiability: TCG Trusted Platforms and Tagged OS

What is Identifier-based Encryption (IBE)?

Diagram: the User chooses an encryption key e (the Privacy Policy), encrypts the Msg (Profile) and sends the Encrypted Msg to the Enterprise. The Enterprise must satisfy the policy to get the decryption key from the TAA, which enforces the policy. The TAA computes the public details from its secret s, generates the decryption key and audits the request; the Enterprise then decrypts the Msg.

- It is an emerging cryptography technology.
- Based on a Three-Player Model: Sender, Receiver, Trust Authority (Trusted Third Party).
- Same strength as RSA.
- Different approaches: Quadratic Residuosity, Weil Pairing, Tate Pairing ...
- SW Library and Technology available at HP Laboratories.
- 1st Property: any kind of "string" (or sequence of bytes) can be used as an IBE Encryption Key: for example a Role, an e-Mail Address, a Picture, a Disclosure Time, Terms and Conditions, a Privacy Policy ...
- 2nd Property: the generation of IBE Decryption Keys can be postponed in time, even a long time after the generation of the corresponding IBE Encryption Key.
- 3rd Property: reliance on at least one Trust Authority (Trusted Third Party) for the generation of the IBE Decryption Key.
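As an added worked example (not the HP Laboratories library or the authors' code), the toy quadratic-residuosity IBE below (Cocks' scheme) shows the three properties with the sticky policy text as the identity: the sender encrypts using only the policy string and the TAA's public modulus, the TAA derives the decryption key afterwards from its master secret, and it does so only after its policy check, recording the request for audit. The Mersenne primes are a constructed master secret, and `taa_issue_key`, `compliant` and `audit_log` are hypothetical names standing in for the TAA's policy check and tracing record.

```python
# Toy Cocks IBE (quadratic residuosity) with the sticky privacy policy as the
# encryption key and the TAA as the trust authority holding the master secret.
import hashlib, secrets

def jacobi(a, n):                      # Jacobi symbol (a/n), n odd and positive
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

# TAA master secret: two primes = 3 (mod 4); Mersenne primes, constructed here.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                              # "public details" the TAA publishes

def policy_to_key(policy):             # 1st property: any string is a key
    for counter in range(1 << 16):
        h = hashlib.sha256(f"{counter}:{policy}".encode()).digest()
        a = int.from_bytes(h, "big") % N
        if jacobi(a, N) == 1:          # exactly one of a, -a is a square mod N
            return a
def encrypt_bit(bit, a):               # sender needs only a and N, never the TAA
    m = 1 if bit else -1
    out = []
    for ident in (a, (-a) % N):
        while jacobi(t := secrets.randbelow(N - 2) + 2, N) != m:
            pass                       # random t whose Jacobi symbol encodes m
        out.append((t + ident * pow(t, -1, N)) % N)
    return tuple(out)
def sqrt_mod_n(x):                     # needs P, Q: only the TAA can do this
    rp, rq = pow(x, (P + 1) // 4, P), pow(x, (Q + 1) // 4, Q)
    if rp * rp % P != x % P or rq * rq % Q != x % Q:
        return None                    # x is not a quadratic residue mod N
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N
def taa_issue_key(policy, compliant, audit_log):   # 2nd/3rd property
    audit_log.append((policy, compliant))   # disclosure record used as evidence
    if not compliant:                  # decryption key only if policy satisfied
        return None
    a = policy_to_key(policy)
    r = sqrt_mod_n(a)
    return (0, r) if r is not None else (1, sqrt_mod_n((-a) % N))
def decrypt_bit(ct, key):              # Jacobi(s + 2r) = Jacobi(t) recovers m
    idx, r = key
    return 1 if jacobi((ct[idx] + 2 * r) % N, N) == 1 else 0
```

Cocks' scheme encrypts one bit at a time and is far less efficient than the pairing-based approaches the slide lists, which is why those are preferred in practice.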

Trusted Platforms -- TCG

Diagram: a Server with a Root of Trust measuring the BIOS, OS and Apps (measures boot, OS and application loading); a User or ID Issuer can query the server's status.

Tagged Operating Systems

Diagram: in a Tagged OS, tagged data is followed through memory; a tagged kernel function acts as the Policy Enforcement Point (PEP), looking up the policy tag and the operation (destination). Example policy: internal destination – allow; external destination – encrypt with policy.

Server Control Flow

Diagram: the Enterprise server (BIOS, Tagged OS, Apps) holds keys where the IBE Encrypt Key = Privacy Policy, and dataflow policies govern the data. An App sends a request for the IBE decryption key to the TAA, carrying Context, Id and Purpose. The TAA checks the policy, checks the machine status, records the request and identifies the user.

Sticky Privacy Policies

Example of a high-level Sticky Policy (XML format; the XML itself is not preserved in this transcript). Its components: Reference to TA(s); Constraints/Obligations; Platform/OS Constraint; Actions (User Involvement).

- IBE encryption keys can define any kind of privacy constraints or terms and conditions to be deployed and enforced at different levels of abstraction (application/service, OS, platform).

High-level System Architecture

- Based on the IBE Model
- Privacy Policies are represented as "IBE Encryption Keys"
- Confidential data is encrypted with IBE encryption keys
- IBE encryption keys "stick" with the encrypted data (at least till the first de-obfuscation of the data ...)
- The "Tracing and Auditing Authority" is an (IBE based) Trust Authority
- Leveraging Trusted Platforms and Tagged OS for enforcing aspects of Privacy Policies (Work in Progress ...)


Discussion

Diagram: Enterprise 1 and Enterprise 2, each holding Personal Data with Sticky Privacy Policies and a Policy Engine, running on TCG Trusted Platforms with a Tagged OS; the Tracing, Audit Authority (TAA) with a Trusted Audit and a Policy Engine. Annotations: + Enforcement via Trust Authority; + TCG Tagged OS; + Policy Engine.

- Enforcement by Trusted Platforms and Tagged OS (Work in Progress)

Speaker notes: So what we have is a model where users are in control and specify their policy; there is at least initial enforcement by the TAA; the TAA looks at the policies and gives them to enforcement mechanisms (there could be other mechanisms); and the TAA provides an audit log for users to see where their data went, for what purpose and under what enforcement. What we really have is a number of mechanisms that become joined up to help the user control, or know, what has happened to their data.

Conclusion

- Presented a model for accountable management of private identity data
- User gains more control, aided by (their) third party
- Audit of legitimate requests, shared with the user
- Checks on enforcement mechanisms, linked to the TAA
- Enterprise is accountable for use and enforcement
- Links to policy based enforcement