Sven Wohlgemuth

Privacy with delegation of rights by identity management

Privacy in business processes with proxies is not possible. Users need to share attributes with their proxies which leads to “Big Brothers”. This is the reason why identity management systems such as Liberty Alliance and Microsoft .NET Passport are not successful. We propose a generic privacy-preserving protocol for sharing identifying attributes as credentials with others. This delegation protocol extends current identity management systems.

Isolation in Cloud Computing and Privacy-Enhancing Technologies

Cloud Computing lifts the borders between the access control domain of individuals’ and companies’ IT systems by processing their data within the application frameworks and virtualized runtime environments of Cloud service providers. A deployment of traditional security policies for enforcing confidentiality of Cloud users’ data would lead to a conflict with the availability of the Cloud’s software services: confidentiality of data would be assured but Cloud services would not be available for every user of a Cloud. This state-of-the-art contribution shows the analogy of the confidentiality of external data processing by Cloud services with mechanisms known and applied in privacy. Sustainability in Cloud is a matter of privacy, which in Cloud is called “isolation”.

An algorithm for k -anonymity-based fingerprinting

The anonymization of sensitive microdata (e.g. medical health records) is a widely-studied topic in the research community. A still unsolved problem is the limited informative value of anonymized microdata that often rules out further processing (e.g. statistical analysis). Thus, a tradeoff between anonymity and data precision has to be made, resulting in the release of partially anonymized microdata sets that still can contain sensitive information and have to be protected against unrestricted disclosure. Anonymization is often driven by the concept of k-anonymity that allows fine-grained control of the anonymization level. In this paper, we present an algorithm for creating unique fingerprints of microdata sets that were partially anonymized with k-anonymity techniques. We show that it is possible to create different versions of partially anonymized microdata sets that share very similar levels of anonymity and data precision, but still can be uniquely identified by a robust fingerprint that is based on the anonymization process.

Tagging Disclosures of Personal Data to Third Parties to Preserve Privacy

Privacy in cloud computing is at the moment simply a promise to be kept by the software service providers. Users are neither able to control the disclosure of personal data to third parties nor to check if the software service providers have followed the agreed-upon privacy policy. Therefore, disclosure of the users‘ data to the software service providers of the cloud raises privacy risks. In this article, we show a privacy risk by the example of using electronic health records abroad. As a countermeasure by an ex post enforcement of privacy policies, we propose to observe disclosures of personal data to third parties by using data provenance history and digital watermarking.

Privacy by Data Provenance with Digital Watermarking - A Proof-of-Concept Implementation for Medical Services with Electronic Health Records

Security is one of the biggest concerns about Cloud Computing. Most issues are related to security problems faced by cloud providers, who have to ensure that their infrastructure is properly secure and client data are protected, and by the customers, who must ensure proper security measures have been taken by the provider in order to protect their personal data. When you move your information into the cloud, you lose control of it. The cloud gives you access to your data, but you have no way of ensuring no one else has access to these data. In this article, we propose an evaluation of a proof-of-concept implementation of a usage control system for an ex post enforcement of privacy rules regarding the disclosure of personal data to third parties. The system is based on cryptographic protocols and digital watermarking in medical services and electronic health records.

Reclaiming Location Privacy in Mobile Telephony Networks—Effects and Consequences for Providers and Subscribers

Mobile telephony (e.g., Global System for Mobile Communications [GSM]) is todays most common communication solution. Due to the specific characteristics of mobile communication infrastructure, it can provide real added value to the user and various other parties. Location information and mobility patterns of subscribers contribute not only to emergency planning, general safety, and security, but are also a driving force for new commercial services. However, there is a lack of transparency in todays mobile telephony networks regarding location disclosure. Location information is generated, collected, and processed without being noticed by subscribers. Hence, by exploiting subscriber location information, an individuals privacy is threatened. We develop a utility-based opponent model to formalize the conflict between the additional utility of mobile telephony infrastructure being able to locate subscribers and the individuals privacy. Based on these results, measures were developed to improve an individuals location privacy through a user-controllable GSM software stack. To analyze and evaluate the effects of specific subscriber provider interaction, a dedicated test environment will be presented, using the example of GSM mobile telephony networks. The resulting testbed is based on real-life hardware and open-source software to create a realistic and defined environment that includes all aspects of the air interface in mobile telephony networks and thus, is capable of controlling subscriber–provider interaction in a defined and fully controlled environment.

Adaptive User-Centered Security

One future challenge in informatics is the integration of humans in an infrastructure of data-centric IT services. A critical activity of this infrastructure is trustworthy information exchange to reduce threats due to misuse of (personal) information. Privacy by Design as the present methodology for developing privacy-preserving and secure IT systems aims to reduce security vulnerabilities already in the early requirement analysis phase of software development. Incident reports show, however, that not only an implementation of a model bears vulnerabilities but also the gap between rigorous view of threat and security model on the world and real view on a run-time environment with its dependencies. Dependencies threaten reliability of information, and in case of personal information, privacy as well. With the aim of improving security and privacy during run-time, this work proposes to extend Privacy by Design by adapting an IT system not only to inevitable security vulnerabilities but in particular to their users’ view on an information exchange and its IT support with different, eventually opposite security interests.

An Efficient Fine-grained Access Control mechanism for database outsourcing service

In database outsourcing service, the data owners store their databases at the servers which belong to potentially untrusted service providers. It is necessary to protect outsourced data from unauthorized access. However, by using existing access control mechanisms, data owners are incapable of controlling access to individual sensitive attributes of their data. In this paper, we propose an Efficient Fine-grained Access Control mechanism, named EFGAC, which can restrict access to the more sensitive columns of the shared relation. EFGAC can handle most of dynamic updates on users or dataset or access rights efficiently without the need of the systematic reconstruction or database re-keying. Experimental results show that EFGAC can save a worthy amount of key derivation time of users and reduce the number of keys held by each user in the system. Especially, we suggest strategies which are useful for the data owner in deciding the necessary number of keys in both static and dynamic cases of outsourcing.

Using Generalization Patterns for Fingerprinting Sets of Partially Anonymized Microdata in the Course of Disasters

In the event of large natural and artificial disasters, it is of vital importance to provide all sorts of data to the relief organizations (fire department, red cross,...) to enhance their effectivity. Still, some of this data (e.g. regarding personal information on health status) may be considered private. k-anonymity can be utilized to mitigate the risks resulting from disclosure of such data, however, sometimes it is not possible to achieve a suitable size for k in order to completely anonymize the data without interfering with rescue operations. Still, this data will be sensitive after the disaster recovery is finished. Thus we aim at protecting the data by devising an intrinsic fingerprinting-scheme that allows to detect the source of eventually disclosed information afterwards. Our approach uses the properties directly derived from the anonymization process to generate unique fingerprints for every data set.

Nachhaltiges Computing in Clouds

Cloud-Computing verspricht Kosteneffizienz und Flexibilitat, vor allem aber einen unbegrenzten Zugang zu potenziell wirtschaftlich relevanten Diensten. Diese hohe Abstraktionsebene von Diensten und ihre jederzeitige Verfugbarkeit verandert nicht nur die Entwicklung sondern auch das Computing von Informationssystemen. Man lagert das Rechnen in eine unbekannte „Wolke“ (Cloud) aus und bezieht von dort die gewunschten Dienste und orchestriert sie z. B. zu hoherwertigen Geschaftsprozessen. Im Privaten geschieht dies bereits millionenfach durch die Smartphones, die einen weltweiten Boom erleben und die alle auf die Telefonie beschrankten Gerate verdrangen werden. Die Unternehmen werden diesem Vorbild folgen und dadurch sowohl die betriebswirtschaftlichen Funktionen vereinheitlichen und das Rechnen globalisieren. Solche Veranderungen erzeugen Widerstande, die gegenwartig vor allem durch den Zweifel am Schutz kritischer Informationen genahrt werden. Ein wenig diskutierter Aspekt spielt vor allem in Japan eine wichtige Rolle, indem sie dort die Cloud als uberlebensverbessernde Infrastruktur im Falle von Katastrophen interpretieren. Nachhaltigkeit in der IT ist ein werbewirksames Schlagwort geworden, wobei vor allem eine irgendwie geartete okologische Auswirkung gemeint ist. Der ursprungliche, nicht-IT bezogene Begriff der Nachhaltigkeit betont die Notwendigkeit, Abhangigkeiten zwischen der vergangenen, aktuellen und zukunftigen Entwicklung zu berucksichtigen und ist ein Synonym fur Moderne. IT wird im Allgemeinen vor allem in zwei Bereichen mit Nachhaltigkeit in Verbindung gebracht. Zum einen soll Hardware nachhaltig zu erzeugen sein und betrieben werden. Dies ist das Ziel der „Green-IT“. Dabei soll der momentan teilweise noch immense Energieverbrauch z. B. fur den Betrieb und die Kuhlung von Rechneranlagen reduziert werden. „Green-IS“ hingegen sieht CloudComputing als wichtiges Mittel bei der Losung von Nachhaltigkeit, damit das „produziere und konsumiere“ Paradigma durch eine okologischere Variante der Produktion ersetzt werden kann. Das aktuelle Green-IS-Thema sind die durch Cloud ermoglichten Skaleneffekte, welche durch individuelle Unternehmen oder ausgelagerte IT-Anbieter nicht erzielbar sind und die zugleich uber eine optimale Ressourcenplanung die regenerative Produktion fordern. Unternehmen aller Art profitieren dabei von dem in globalen Masstab durchgefuhrten Benchmarking und der Standardisierung von Diensten. Die IT-Kosten fallen. Generell werden weltweit die ahnlich lautenden Einwande gegen Cloud in der mangelnden Fahigkeit zum Schutz kritischer Daten gesehen. Dieser ist mit einem Kontrollverlust und der Furcht der Nutzer vor Regelverletzungen verbunden, welche die Reputation, das Verhaltnis zu Partnern und Kunden oder die Compliance beschadigen konnen. Wie gut ungewollte Informationsflusse und Datenmissbrauch vermieden werden konnen, wird in diesem Sonderheft der WIRTSCHAFTSINFORMATIK als Trennlinie zwischen nachhaltigem und nicht-nachhaltigem Cloud-Computing betrachtet. Da missbrauchte Daten keinen Weg zuruck erlauben, ist ein System dann nicht nachhaltig, wenn solcher Datenmissbrauch zu wirtschaftlich relevantem Schaden fuhrt. Neben Green-IT und Green-IS gibt es einen dritten, weit weniger haufig bearbeiteten Nachhaltigkeitsaspekt. Japanische Planungen zu Cloud-Computing betonen die Schutzfunktion, die das Uberleben und den Neubeginn nach Katastrophen fordern soll. Ironischerweise ist ausgerechnet die Branche, die dem Cloud-Computing am nachsten steht, am weitesten davon entfernt. Merill Lynch (Chow et al. 2009) zufolge gibt es bisher nur ein IT-Unternehmen, namlich die Softwarefirma „Salesforce.com“, das komplett Cloud-basiert arbeitet. Dieselbe Studie besagt ferner, dass die Top-FunfSoftwarefirmen (gemessen am Umsatz) nur wenig Gebrauch von der Cloud machen und ihre sensitiven Daten nicht in eine Umgebung verlagern mochten, die sie als nicht zuverlassig und unkontrollierbar einstufen. Diese Furcht geht soweit, dass sogar die allgemein verwendeten Kommunikationsdienste wie soziale Netze fur Mitarbeiter teilweise verboten werden. Entgegen der ursprunglichen Cloud-Vision, dass Nutzer sich nicht darum kummern sollten, wo die Dienste faktisch ausgefuhrt bzw. ausgerechnet werden, ist nun genau die Unkenntnis des Ortes der Datenspeicherung und -bearbeitung