Katrin Borcea-Pfitzmann

Privacy 3.0 := Data Minimization + User Control + Contextual Integrity Privatheit 3.0 := Datenminimierung + Nutzerkontrolle + Kontextuelle Integrität

Abstract Over the last two decades, privacy has been fading away. Some people have even stated: You have zero privacy — get over it! As privacy researchers, we are not willing to accept this statement. Therefore, we analyze the causes for this fading away of privacy, and develop a set of approaches to preserve or even regain privacy. We argue that Privacy 3.0 should be a combination of (1) Data minimization, (2) User control of personal information disclosure, and (3) Contextual integrity. Data minimization is one of the main motivations for the development of privacy-enhancing technologies, which aim to limit collection and processing of personal data by data controllers. User control of personal information disclosure supports users in deciding which personal information is released to whom and in which situation. Contextual integrity provides a new quality of privacy by making the original context in which particular personal data have been generated easily accessible to all entities that are aware of that particular personal data. Zusammenfassung In den letzten zwei Jahrzehnten nahm das Gefühl von Privatheit im Internet bei den Benutzern immer mehr ab. Manche konstatierten sogar: Es gibt keine Privatheit — findet Euch damit ab! In diesem Artikel analysieren wir die Gründe hierfür und beschreiben synergetische Ansätze zur Erhaltung bzw. sogar Rückgewinnung von Datenschutz und Privatheit. Aus unserer Sicht sollte Privatheit 3.0 einem dreistufigen Ansatz folgen: (1) Datenminimierung, (2) Nutzerkontrolle und (3) Kontextuelle Integrität. Datenminimierung war und ist eine der treibenden Motivationen für die Entwicklung Privatheit fördernder Technik, die die Begrenzung von Datensammlung und Datenverarbeitung zum Ziel hat. Mit Hilfe der Nutzerkontrolle werden die Nutzer bei der Entscheidungsfindung unterstützt, welche persönlichen Daten sie wem und in welcher Situation zugänglich machen. Die Durchsetzung von Kontextueller Integrität hebt den Datenschutz auf eine qualitativ neue Stufe, indem der originale Kontext, in welchem persönliche Daten erstellt wurden, all den Entitäten, die Kenntnis von diesen persönlichen Daten haben, zugreifbar gemacht werden.

What user-controlled identity management should learn from communities☆

Abstract To enable trustworthy privacy, identity management has to be user-controlled, i.e. each user administrates his/her partial identities being supported by an identity management system running on his/her machines under his/her control. Past work on user-controlled identity management focused on isolated users administrating their partial identities mainly used towards organizations, e.g., shops, public administrations and the like. But users intensively interact with other users as well. Additionally, these interactions are not only direct, but indirect, too, as, e.g., within communities. A universally usable identity management meta-system (IMMS) will have to be able to handle and combine all interactions possible. For the sake of privacy, users interacting with organizations might minimize the personal information transmitted in the context of AAA (authentication, authorization, and accounting) without losing functionality. But users interacting with other users, in particular within a community, have to share additional supportive information, e.g., awareness information. Otherwise, neither a community nor team spirit will develop. Balancing privacy and functionality in communities is a current research question. Therefore, an IMMS has to be flexible enough to incorporate new knowledge and demands as they develop.

Usable presentation of secure pseudonyms

Privacy-Enhancing Identity Management (PIM) enables us-ers to control which personal information they provide to their communication partner(s) by partitioning their personal information into partial identities for themselves. Since partial identities must not be linkable, they cannot share a global name. Therefore, pseudonyms are used as identifiers.We discuss in this paper that besides the frequency of their use also the (re)presentation of pseudonyms influences the achievable privacy. Particularly, we point out that conflicting requirements on privacy and usability cannot be sufficiently considered by a single type of representation of pseudonyms. Hence, a PIM system should generate digital pseudonyms which are used for communication, while users assign local mnemonics to these pseudonyms in order to simplify their use. We discuss possible solutions for the support of mnemonics and, thereby, propose some improvements to privacy-enhancing identity management tools.

Privacy Implications of the Internet of Things

The Internet of Things (IoT) is likely to become one of the milestones which is going to determine the technological advance for the future. At the same time, new privacy concerns arise which might seriously impede the adoption of such systems. In this paper, we provide for our view on privacy implications of IoT focusing on RFID technology as one of its main enablers and suggest possible solutions to developing IoT systems in a privacy-respecting and secure way.

Privacy in Social Software

While using social software and interacting with others on the Internet, users share a lot of information about themselves. An important issue for these users is maintaining control over their own personal data and being aware to whom which data is disclosed. In this chapter, we present specific requirements and realised solutions to these problems for two different kinds of social software: social network sites and web forums.

Collaborative E-learning

In the following chapter a short overview about the collaborative eLearning application prototype BluES’n is given. Starting by emphasising its need and potentials for PRIME, the integrated and realised privacy-enhancing components and functionalities are described. A summarising section points out lessons learnt when integrating PRIME into the application.

Managing one’s identities in organisational and social settings

Interacting in the Internet, users should be empowered to use only those subsets of their personal attributes, called partial identities, which are appropriate for the actual situation and context. Refraining from acting under few and easily linkable partial identities is a prerequisite for trustworthy privacy. Traditionally user-controlled identity management systems primarily support individuals interacting with organisations, but mainly ignore special needs which arise if individuals interact with each other. To support online communities those systems have to change.

Privacy-aware user interfaces within collaborative environments

The main focus of this paper is to discuss the representation of contextual information in advanced user interfaces supporting privacy awareness. Thereby, we especially consider collaborative environments which potentially provide information about users to everybody acting in the system. Users can apply Privacy-Enhancing Identity Management (PIM) in order to control which information they disclose to whom in which situation. However, since PIM must be done additionally to the actual tasks within the application, it is questionable whether users will reasonably utilize it. Therefore, a privacy-aware user interface is an important prerequisite for the broad acceptance and adequate use of PIM. We discuss which contextual information should be represented in a collaborative environment and suggest a possible representation of the selected information.

Lifelong Privacy: Privacy and Identity Management for Life

The design of identity management preserving an individual’s privacy must not stop at supporting the user in managing her/his present identities. Instead, since any kind of privacy intrusion may have implications on the individual’s future life, it is necessary that we identify and understand the issues related to longterm aspects of privacy-enhancing identity management. Only that way, according solutions can be developed, which enable users to control the disclosure of their personal data throughout their whole lives, comprising past, present, and future.

Requirements for identity management from the perspective of multilateral interactions

In this chapter, application scenarios for identity management systems will be discussed in order to identify requirements which should be or already are considered in the design and implementation of privacy-enhancing technologies (PETs).