Privacy-enhancing technologies
A privacy-enhancing technology (PET) is a method of protecting data. PETs allow online users to protect the privacy of their personally identifiable information (PII) provided to and handled by services or applications. PETs use techniques to minimize possession of personal data without losing the functionality of an information system.[1]
Goals of PETs
The objective of PETs is to protect personal data and ensure the users of technology that their information is confidential and management of data protection is a priority to the organizations who withhold responsibility for any PII - allowing users to take one or more of the following actions related to their personal data sent to and used by, online service providers, merchants or other users.
The goal of privacy-enhancing technologies include increasing control over personal data sent to, and used by, online service providers and merchants (or other online users)(self-determination). PETs aim to minimize personal data collected and used by service providers and merchants, use pseudonyms or anonymous data credentials to provide anonymity, and strive to achieve informed consent about giving personal data to online service providers and merchants.[2] In Privacy Negotiations, consumers and service providers establish, maintain, and refine privacy policies as individualized agreements through the ongoing choice among service alternatives, therefore providing the possibility to negotiate the terms and conditions of giving personal data to online service providers and merchants (data handling/privacy policy negotiation). Within private negotiations, the transaction partners may additionally bundle the personal information collection and processing schemes with monetary or non-monetary rewards.[3]
PETs provide the possibility to remotely audit the enforcement of these terms and conditions at the online service providers and merchants (assurance), allow users to log, archive and look up past transfers of their personal data, including what data has been transferred, when, to whom and under what conditions, and facilitate the use of their legal rights of data inspection, correction and deletion.
Families of PETs
Privacy-enhancing Technologies can be distinguished based on their assumption. [4]
Soft privacy technologies
Where it is assumed that the third-party can be trusted for the processing of data. This model is based on compliance, consent, control and audit.[4]
Example technologies are access control, differential privacy, and tunnel encryption (SSL/TLS).
Hard privacy technologies
No single entity can violate the privacy of the user. It assumes that third-parties cannot be trusted. The data protection goal is data minimization and reduction of the trust in third-parties.[4]
Examples of such technologies include onion routing and the secret ballot used for democratic elections.
Existing PETs
PETs have evolved since their first appearance in the 1980s. In intervals, review articles published the stats of privacy technology:
- A principal, though fundamentally theoretical overview of terminology and principal anonymization technology is found in Pfitzmann & Hansen's terminology of anonymity.[5]
- In 1997, a report by Goldberg, Wagner and Brewer at the University of California in Berkeley summarized PETs.[6]
- In 2003, Borking, Blarkom and Olk reviewed the technologies from a data protection perspective in their Handbook of privacy enhancing technologies.[1]
- In 2007, Fritsch published an historic, taxonomic and practical overview of contemporary privacy-enhancing technology for the Internet for the research project PETWeb.[7]
- In 2008, Fritsch and Abie documented the gap between implemented PETs and their successful deployment in a research roadmap for PETs.[8]
- In 2015, Heurix et al. published a taxonomy of privacy enhancing technologies.[9]
- A specialization of PET research that looks into increasing transparency of data processing researches Transparency Enhancing Technologies (TETs). A review article by Janic et. al. summarizes the developments.[10] Murmann and Fischer-Hübner published in 2017 a review of transparency tools.[11]
Example PETs
Examples of existing privacy enhancing technologies are:
- Communication anonymizers hiding the real online identity (email address, IP address, etc.) and replacing it with a non-traceable identity (disposable / one-time email address, random IP address of hosts participating in an anonymising network, pseudonym, etc.). They can be applied to email, Web browsing, P2P networking, VoIP, Chat, instant messaging, etc.
- Shared bogus online accounts. One person creates an account for MSN, providing bogus data for Name, address, phone number, preferences, life situation etc. They then publish their user-IDs and passwords on the Internet. Everybody can now use this account comfortably. Thereby the user is sure that there is no personal data about him or her in the account profile. (Moreover, he is freed from the hassle of having to register at the site himself.)
- Obfuscation refers to the many practices of adding distracting or misleading data to a log or profile, which may be especially useful for frustrating precision analytics after data has already been lost or disclosed. Its effectiveness against humans is questioned, but it has greater promise against shallow algorithms.[12][13][14][15]
- Access to personal data: The service provider's infrastructure allows users to inspect, correct or delete all their data stored at the service provider.
- Enhanced privacy ID (EPID) is a digital signature algorithm supporting anonymity. Unlike traditional digital signature algorithms (e.g., PKI), in which each entity has a unique public verification key and a unique private signature key, EPID provides a common group public verification key associated with many of unique private signature keys.[16] EPID was created so that a device could prove to an external party what kind of device it is (and optionally what software is running on the device) without needing to also reveal exact identity, i.e., to prove you are an authentic member of a group without revealing which member. It has been in use since 2008.
- Homomorphic encryption is a form of encryption that allows computation on ciphertexts.
- Zero-knowledge proof is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x.
- Secure multi-party computation is a method for parties to jointly compute a function over their inputs while keeping those inputs private.
- Non-interactive zero-knowledge proof (NIZKs) are zero-knowledge proofs that require no interaction between the prover and verifier.
- Format-preserving encryption (FPE), refers to encrypting in such a way that the output (the ciphertext) is in the same format as the input (the plaintext)
- Blinding is a cryptography technique by which an agent can provide a service to a client in an encoded form without knowing either the real input or the real output.
Future PETs
Examples of privacy enhancing technologies that are being researched or developed include[17] limited disclosure technology, anonymous credentials such as online car rental, negotiation and enforcement of data handling conditions, and data transaction log. Limited disclosure technology provides a way of protecting individuals' privacy by allowing them to share only enough personal information with service providers to complete an interaction or transaction. This technology is also designed to limit tracking and correlation of users’ interactions with these third parties. Limited disclosure uses cryptographic techniques and allows users to retrieve data that is vetted by a provider, to transmit that data to a relying party, and have these relying parties trust the authenticity and integrity of the data.[18] Anonymous credentials are asserted properties or rights of the credential holder that don't reveal the true identity of the holder; the only information revealed is what the holder of the credential is willing to disclose. The assertion can be issued by the user himself/herself, by the provider of the online service or by a third party (another service provider, a government agency, etc.). For example:
Online car rental. The car rental agency doesn't need to know the true identity of the customer. It only needs to make sure that the customer is over 23 (as an example), that the customer has a drivers license, health insurance (i.e. for accidents, etc.), and that the customer is paying. Thus there is no real need to know the customers name nor their address or any other personal information. Anonymous credentials allow both parties to be comfortable: they allow the customer to only reveal so much data which the car rental agency needs for providing its service (data minimization), and they allow the car rental agency to verify their requirements and get their money. When ordering a car online, the user, instead of providing the classical name, address and credit card number, provides the following credentials, all issued to pseudonyms (i.e. not to the real name of the customer):
- An assertion of minimal age, issued by the state, proving that the holder is older than 23 (note: the actual age is not provided)
- A driving licence, i.e. an assertion, issued by the motor vehicle control agency, that the holder is entitled to drive cars
- A proof of insurance, issued by the health insurance
- Digital cash
Negotiation and enforcement of data handling conditions. Before ordering a product or service online, the user and the online service provider or merchant negotiate the type of personal data that is to be transferred to the service provider. This includes the conditions that shall apply to the handling of the personal data, such as whether or not it may be sent to third parties (profile selling) and under what conditions (e.g. only while informing the user), or at what time in the future it shall be deleted (if at all). After the transfer of personal data took place, the agreed upon data handling conditions are technically enforced by the infrastructure of the service provider, which is capable of managing and processing and data handling obligations. Moreover, this enforcement can be remotely audited by the user, for example by verifying chains of certification based on Trusted computing modules or by verifying privacy seals/labels that were issued by third party auditing organisations (e.g. data protection agencies). Thus instead of the user having to rely on the mere promises of service providers not to abuse personal data, users will be more confident about the service provider adhering to the negotiated data handling conditions [19] Lastly, the data transaction log allows users the ability to log the personal data they send to service provider(s), the time in which they do it, and under what conditions. These logs are stored and allow users to determine what data they have sent to whom, or they can establish the type of data that is in possession by a specific service provider. This leads to more transparency, which is a pre-requisite of being in control.
See also
- Crypto-shredding
- Cypherpunk
- Digital credentials
- Enhanced privacy ID (EPID)
- I2P - The Anonymous Network
- Identity management
- Information privacy
- Information processing
- Information security
- Privacy
- Privacy by design
- Privacy Engineering
- Privacy-enhanced Electronic Mail
- Privacy software
- Privacy policy
- Self-sovereign identity
References
- van Blarkom, G.W.; Borking, J.J.; Olk, J.G.E. (2003). "PET". Handbook of Privacy and Privacy-Enhancing Technologies. (The Case of Intelligent Software Agents). ISBN 978-90-74087-33-9.CS1 maint: ref=harv (link)
- Cánovas Sanchez, Jose Luis; Bernal Bernabe, Jorge; Skarmeta, Antonio (2018). "Integration of Anonymous Credential Systems in IoT Constrained Environments". IEEE Access. 6: 4767–4778. doi:10.1109/ACCESS.2017.2788464.
Notes
- (van Blarkom, Borking & Olk 2003)
- The EU PRIME research project's Vision on privacy enhanced identity management Archived 2007-10-11 at the Wayback Machine
- Key Facts on Privacy Negotiations
- Deng, Mina; Wuyts, Kim; Scandariato, Riccardo; Preneel, Bart; Joosen, Wouter (2011-03-01). "A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements" (PDF). Requirements Engineering. 16 (1): 332. doi:10.1007/s00766-010-0115-7. ISSN 1432-010X.
- Pfitzmann, Andreas and Hansen, Marit (2010) A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management, v0.34, Report, University of Dresden, http://dud.inf.tu-dresden.de/Anon_Terminology.shtml, accessed 09-Dec-2019
- Ian Goldberg, David Wagner and Eric Brewer (1997) Privacy-enhancing technologies for the Internet, University of California, Berkeley, https://apps.dtic.mil/dtic/tr/fulltext/u2/a391508.pdf, accessed 2019-12-09
- Fritsch, Lothar (2007): State of the Art of Privacy-enhancing Technology (PET) - Deliverable D2.1 of the PETweb project; NR Report 1013, Norsk Regnesentral, ISBN 978-82-53-90523-5, 34 pages, https://www.nr.no/publarchive?query=4589, accessed 2019-12-09
- Lothar Fritsch, Habtamu Abie: Towards a Research Road Map for the Management of Privacy Risks in Information Systems. Sicherheit 2008: 1-15, Lecture Notes in Informatics vol. 128, http://cs.emis.de/LNI/Proceedings/Proceedings128/P-128.pdf#page=18, accessed 2019-12-09
- Heurix, Johannes; Zimmermann, Peter; Neubauer, Thomas; Fenz, Stefan (2015-09-01). "A taxonomy for privacy enhancing technologies". Computers & Security. 53: 1–17. doi:10.1016/j.cose.2015.05.002. ISSN 0167-4048.
- Janic, M.; Wijbenga, J. P.; Veugen, T. (June 2013). "Transparency Enhancing Tools (TETs): An Overview". 2013 Third Workshop on Socio-Technical Aspects in Security and Trust: 18–25. doi:10.1109/STAST.2013.11. ISBN 978-0-7695-5065-7.
- Murmann, P.; Fischer-Hübner, S. (2017). "Tools for Achieving Usable Ex Post Transparency: A Survey". IEEE Access. 5: 22965–22991. doi:10.1109/ACCESS.2017.2765539. ISSN 2169-3536.
- "Obfuscation".
- "TrackMeNot".
- Al-Rfou', Rami; Jannen, William; Patwardhan, Nikhil (2012). "TrackMeNot-so-good-after-all". arXiv:1211.0320 [cs.IR].
- Loui, Ronald (2017). "Plausible Deniability for ISP Log and Browser Suggestion Obfuscation with a Phrase Extractor on Potentially Open Text". 2017 IEEE 15th Intl Conf on Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress(DASC/Pi Com/Data Com/CyberSci Tech). pp. 276–279. doi:10.1109/DASC-PICom-DataCom-CyberSciTec.2017.58. ISBN 978-1-5386-1956-8.
- "Enhanced Privacy Id" (PDF). December 2011. Retrieved 5 November 2016.
- The EU PRIME research project's White Paper Archived 2007-08-17 at the Wayback Machine (Version 2)
- Gartner IT Glossary
- "Enhancing User Privacy Through Data Handling Policies" (PDF). 2006. Retrieved 5 November 2016.
External links
PETs in general:
- The EU PRIME research project (2004 to 2008) aiming at studying and developing novel PETs
- About PETs from the Center for Democracy and Technology
- Annual symposium on PETs
- Report about PETs from the META Group, published by the Danish ministry of science
- Activities of the EU Commission in the area of PETs broken link
Anonymous credentials:
- IBM Zürich Research Lab's idemix
- Stefan Brands' U-Prove Digital credential 'credentica'
- which is now owned by Microsoft U-Prove
Privacy policy negotiation:
- The W3C's P3P
- IBM's EPAL
- Sören Preibusch: Implementing Privacy Negotiations in E-Commerce, Discussion Papers of DIW Berlin 526, 2005