Secondary use of personal information is of essential importance for the Internet of Things. The main application is resilience. Biometrics is an example of supporting resilience in times of a natural disaster: the primary use of biometrics is to identify people; a secondary use is to improve healthcare services for affected people. This requires information sharing with third parties. The challenge for reliable support of the Internet of Things is safety. Special cases of security systems achieve safety for information flow, but they do not scale to secondary use, and their users lose control over their identity. With the aim of improving the usability of security, this research-in-progress proposes a multilateral information flow control. This is privacy understood as informational self-determination. The key is usage control with secure delegation of rights and a secondary use of personal security-related information as Open Data.
2. The Great East Japan Earthquake
03.08.16 Privacy with Secondary Use of Personal Information 2
Urushidani and Aoki 2011, JAISA 2015
Figure: helper and refugee linked across the physical and cyber layers; SINET 4: cloud-type services for > 700 organizations; telemedicine.
• National academic ICT infrastructure (SINET) was available
• Insufficient information in real-time for response and recovery
3. Agenda
I. Resilience and Safety
• Lessons learned
• Safety: A Zero-Knowledge Proof?
II. Towards Provable Safety
• Language-Based Information Flow Control
• Language for ICT Resilience
III. Proof System for ICT Resilience
• Zero-Knowledge Proof with Open Data
• Cryptographic Building Blocks
IV. Looking for Partners!
4. I. Resilience and Safety
Urushidani et al. 2015, JAISA 2015
Resilience by predictive IT risk management with personal data
Figure: helper and refugee linked across the physical and cyber layers; SINET 5: Cloud Computing with PKI and Marketplace; telemedicine.
Ground Truth 5
Figure (courtesy of Tsukuba Univ.; OCT images from material provided by santec Corporation, SS-OCT System Inner Vision): OCT (Optical Coherence Tomography) images of brain, eye, tooth, oral cavity, skin, esophagus, lung, cardiovascular tissue, pancreas, cervix, blood flow, stomach, trachea, cochlea, bladder, colon, kidney and bone. Panel sources as printed: Bizheva et al., J. of Biomedical Optics 9(4), July 2004; Wilder-Smith et al., J. of Biomedical Optics 10(5), Sep. 2005; Z. P. Chen et al., Opt. Express 15(16), Aug. 2007; Popp et al., J. of Biomedical Optics 11(1), Jan. 2004; Tearney et al., J. of Biomedical Optics 11(2), Mar. 2006; Pier Alberto et al., J Pancreas (Online) 8(2), 2007; Turchin et al., J. of Biomedical Optics 10(6), Nov. 2005; Bower, J. of Biomedical Optics 12(4), Jul. 2007; Yonghong He et al., J. of Biomedical Optics 9(1), Jan. 2004; Brenner et al., J. of Biomedical Optics 12(5), Sep. 2007; Fangyi Chen et al., J. of Biomedical Optics 12(2), Mar. 2007; Pan et al., J. of Biomedical Optics 12(5), Sep. 2007; Tumlinson et al., J. of Biomedical Optics 11(6), Nov. 2006; Yu Chen et al., J. of Biomedical Optics 12(3), Sep. 2007.
Application to biometrics: non-invasive measurement of iris, retina, fingerprint and vascular image under the skin.
5. Requirements on Safety
Compliance
• End-to-end security
• Declassification
• Accountability and penalty
• Adequate risk management with authentic reporting
Personal Risk Management
• Transaction-specific safety
• Just-in-time scalable knowledge creation from data
• Optimizing user’s risk with data minimization
Figure: user-centric safe information flow, combining user-centric safety (completeness) with integrity of computation (soundness). JAISA 2015
Regulation: HIPAA, (J-)SOX, KonTraG, EU GDPR, Japan Personal Information Protection Law
10. Threat to Soundness
Loss of control on classification (of honest verifier)
• Knowledge creation from personal data by secondary use
• “Faulty” data increases error probability of machine learning
Biggio et al. 2012; Huang et al. 2011
Supervised machine learning (e.g. SVM). Figure (from Biggio et al. 2012): classification error (validation error and testing error, 0 to 0.4) against the % of attack points in training data (0 to 8) for the digit pairs 7 vs 1, 9 vs 8 and 4 vs 0.
Text of Biggio et al. 2012 visible in the figure: “… structure of the optimal solution. Another direction for research is the simultaneous optimization of multi-point attacks, which we successfully approached with sequential single-point attacks. The first question is how to optimally perturb a subset of the training data; that is, instead of individually optimizing each attack point, one could derive simultaneous steps for every attack point to better optimize their overall effect. The second question is how to choose the best subset of points to use as a starting point for the attack. Generally, the latter is a subset selection problem but heuristics may allow for improved approximations. Regardless, we demonstrate that even non-optimal multi-point attack strategies significantly degrade the SVM’s performance. An important practical limitation of the proposed method is the assumption that the attacker controls the labels of the injected points. Such assumptions may not hold when the labels are only assigned by trusted sources such as humans. For instance, a spam filter uses its users’ labeling of messages as its ground truth. Thus, although an attacker can send arbitrary messages, he cannot guarantee that they will have the labels necessary for his attack. This imposes an additional requirement that the attack data must satisfy certain side constraints to fool the labeling oracle. Further work is needed to understand these potential side constraints and to incorporate them into attacks. The final extension would be to incorporate the real-world inverse feature-mapping problem; that is, the problem of finding real-world attack data that can …”
Unsupervised machine learning (e.g. PCA). Figure 3 (from Huang et al. 2011): effect of poisoning attacks on the PCA-based detector. Panel “Single Poisoning Period: Evading PCA”: evasion success (FNR, 0.0 to 1.0) against mean chaff volume (0 % to 50 %) under Single-Training-Period poisoning attacks, for uninformed (dotted black line), locally-informed (dashed blue line) and globally-informed attacks. Second panel (Boiling Frog): evasion success (average test FNR) of PCA under Boiling Frog poisoning attacks for locally-informed poisoning with four poisoning schedules (the size of the poisoning grows by factors 1.01, 1.02, 1.05 and 1.15 respectively).
11. II. Towards Provable Safety
Status Quo: Language-based information flow control
Layers, from policy to enforcement: Natural Language Policy → High-Level Policy Language → Intermediate-Level Security Policy / Flow Graph → Low-Level Enforcement
Rigorous:
• Take-grant, type-safety, lattice-based access control, obligations
• Decentralized trust management
• Identity, cryptography, safe public directory, monitor, proof-carrying code
In Practice:
• HIPAA, (J-)SOX, KonTraG, 95/46/EC, JP PII Protection Law, …
• Enforcement classes, Ponder, ExPDT
• ISO/IEC 270xx, BSI IT-Baseline Protection, IETF AAA, NIST SCAP
• Social/knowledge graph, sticky policies
• Computational complexity, PKI, virtualization, testing
This proposal: secure delegation of rights; ZKP-carrying information
cf. Sandhu 1993; Myers and Liskov 1997; Schneider, Morrisett and Harper 2001; Sabelfeld and Myers 2003
12. Access control doesn‘t scale for resilience
Figure: error propagation, joined by Ground Truth; role change of secondary use. External: reliable ”Big Brother”. Internal: error propagation, role change of secondary use (DP, DC, data, DS, time, …), data minimization.
Special Cases for Safety (along the layers Natural Language Policy → High-Level Policy Language → Intermediate-Level Security Policy / Flow Graph → Low-Level Enforcement):
• Strict order
• Symmetric access tree
• Safety if trees are separate
• Availability of data by declassification
Lattice-based Access Control (Sandhu 1993)
Take-grant (Lipton and Snyder 1977): graph with subjects S1: u, S2: u, S3: v, S3: w and object O: o
• Acyclic graph
• x <= 3 parameter
• No revocation
Type-safety (Sandhu 1992): the same graph (S1: u, S2: u, S3: v, S3: w, O: o)
13–16. Example: Chinese-Wall
Figure (built up over four slides): conflict classes; personal datasets; Syshigh; Ground Truth; registration office; medical treatment. Two users, Bob and David, with an explicit friendship and an implicitly assumed friendship. Required information for enforcement (central by Syshigh).
18–19. III. Proof System for ICT Resilience
In practice: Inevitable vulnerability by dependencies
Safe information accountability ⇒ Zero-Knowledge Proof on origin of vulnerability
Figure: along the layers Natural Language Policy → High-Level Policy Language → Intermediate-Level Security Policy / Flow Graph → Low-Level Enforcement, the data items d and d* pass through the roles Prover/Verifier → Verifier → Verifier/Prover → Prover, with a Scheduler (Open Data) in between; every hop carries sec d, d* and a Knowledge extractor; Ground Truth with sec d, d*.
Zero-Knowledge Proof (ZKP)
• Probabilistic proof system between 2 parties on graph isomorphism
• No additional knowledge for the verifier on original graph
• ICT Resilience: obligations + witnesses + compensation ⟼ Open Data
Challenge-response protocol (Goldwasser et al. 1989, Bellare and Goldreich 1993); both parties hold pk_Verifier := (p, q, g, h):
1. Prover: t random, a := g^t
2. Prover → Verifier: a
3. Verifier: c random out of {0, 1}
4. Verifier → Prover: c
5. Prover: r := t + c·m mod q
6. Prover → Verifier: r
7. Verifier: check if g^r = a·h^c
The check holds for an honest prover exactly when h = g^m, i.e. m, the discrete logarithm of h, is the prover’s secret; the verifier learns r and a but not m.
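The seven-step protocol above, as an added worked example (not code from the presentation or its authors): a toy Python implementation of the challenge-response proof with the honest prover, the verifier’s check, repeated rounds for completeness, a knowledge extractor that recovers m from two accepting transcripts with the same commitment (the soundness argument the later slides rely on), and a simulator showing the zero-knowledge property. The group parameters p = 2039, q = 1019, g = 4 are constructed toy values, far too small for real use, and the class and function names are assumptions of this example.

```python
import secrets

# Toy group parameters, constructed for this example only (far too small to be
# secure): p = 2q + 1 with p and q prime; g = 2^2 mod p is a quadratic residue,
# so it generates the subgroup of prime order q.
P, Q = 2039, 1019
G = pow(2, 2, P)
assert pow(G, Q, P) == 1 and G != 1

def keygen(m=None):
    """Prover's secret m and public h = g^m mod p; both sides hold pk := (p, q, g, h)."""
    if m is None:
        m = secrets.randbelow(Q - 1) + 1
    return m, pow(G, m, P)

class Prover:
    """Honest prover holding the secret m (steps 1, 2, 5 and 6 of the slide)."""
    def __init__(self, m):
        self.m = m
        self.t = None

    def commit(self):
        self.t = secrets.randbelow(Q)          # step 1: t random
        return pow(G, self.t, P)               # step 2: send a := g^t

    def respond(self, c):
        return (self.t + c * self.m) % Q       # steps 5/6: send r := t + c*m mod q

def verify(h, a, c, r):
    """Step 7: the verifier accepts iff g^r == a * h^c (mod p)."""
    return pow(G, r, P) == (a * pow(h, c, P)) % P

def run_protocol(prover, h, rounds=40):
    """Completeness: an honest prover passes every round. A prover without m can
    prepare an answer for only one of the two challenges per commitment, so each
    round catches it with probability 1/2; `rounds` rounds leave 2**-rounds."""
    for _ in range(rounds):
        a = prover.commit()
        c = secrets.randbelow(2)               # steps 3/4: c random out of {0, 1}
        if not verify(h, a, c, prover.respond(c)):
            return False
    return True

def knowledge_extractor(c0, r0, c1, r1):
    """Soundness as proof of knowledge: two accepting transcripts (a, c0, r0) and
    (a, c1, r1) with the same commitment a and c0 != c1 give
    m = (r1 - r0) / (c1 - c0) mod q. This is the 'knowledge extractor' of the slides."""
    if c0 == c1:
        raise ValueError("need two different challenges for the same commitment")
    return ((r1 - r0) * pow((c1 - c0) % Q, -1, Q)) % Q

def simulate(h, c):
    """Zero knowledge: choosing the challenge first, a simulator without m outputs an
    accepting transcript (a, c, r), so real transcripts reveal nothing about m that
    the verifier could not have produced alone."""
    r = secrets.randbelow(Q)
    a = (pow(G, r, P) * pow(h, Q - c, P)) % P  # a := g^r * h^-c (h has order q)
    return a, c, r

if __name__ == "__main__":
    m, h = keygen()
    print("honest prover accepted:", run_protocol(Prover(m), h))
    p = Prover(m)
    a = p.commit()
    r0, r1 = p.respond(0), p.respond(1)        # same t answered for both challenges
    print("extracted secret equals m:", knowledge_extractor(0, r0, 1, r1) == m)
    a_sim, c_sim, r_sim = simulate(h, 1)
    print("simulated transcript verifies:", verify(h, a_sim, c_sim, r_sim))
```

The extractor is why the honest prover must never reuse t: answering both challenges for one commitment hands m to whoever sees both transcripts, which is exactly the property that makes the protocol a proof of knowledge rather than a mere proof of membership.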
21. Scheduler: Global AAA(A) Service
Open Internet Standard RFC 2904 AAA Authorization Framework
1: Authentication
2: Authorization
3: Accounting
+ Witness for Information Accountability
4: Accountability
Figure: the Scheduler acts as AAA(A) service between the data consumers/providers; every exchange carries sec d, d*.
23–25. Witness: Authorization
• Completeness: Non-linkable delegation of rights
• Soundness: Cryptographic protocols (ISO/IEC JTC 1/SC 27 WG2)
Ground Truth: ISO/IEC 24761 ACBio – Biometrics with PKI
Figure (built up over three slides): the data provider releases d via the Scheduler (AAA(A) service) to data consumers/providers. Three credentials are shown:
Credential of data subject: Issuer; Public Key; Attributes: Ground Truth, ZKP on Xa23, r, w, own on d, Delegation, Purpose, …
Credential on d: Issuer; Public Key; Attributes: Miner, ZKP on Xa23, r on d, Delegation to helper, medical, Time, Price, …
Credential on d*: Issuer; Public Key; Attributes: Miner, ZKP on Xa23, r on d*, Delegation to logistics, transport, Time, Price, …
Sonehara, Echizen, and Wohlgemuth 2011
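The credential chain of these slides (credential of the data subject → credential on d → credential on d*), as an added example that is not code from Sonehara, Echizen, and Wohlgemuth 2011 or the presentation: toy Schnorr signatures (the non-interactive, hashed-challenge form of the proof on slide 19) sign each credential, and verify_chain accepts a chain only if the root is the data subject’s own credential, every link is signed by the previous holder, and each hop merely attenuates: rights and purpose cannot grow, expiry cannot extend, and d* stays bound to the d it was derived from. The field names, the attenuation rules, the toy group p = 2039, q = 1019, g = 4 and the sample parties (helper, logistics) are assumptions; the non-linkability the slide asks for needs anonymous credentials and is not implemented here.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass, replace

# Toy group for Schnorr signatures, constructed for this example only (p = 2q + 1,
# both prime, g = 4 of order q); the sizes are far too small to be secure.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def _challenge(a, msg):
    """Fiat-Shamir challenge: hash the commitment and message, reduce mod q."""
    digest = hashlib.sha256(json.dumps([a, msg], sort_keys=True).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def sign(sk, msg):
    k = secrets.randbelow(Q - 1) + 1
    a = pow(G, k, P)
    c = _challenge(a, msg)
    return c, (k + c * sk) % Q

def verify_sig(pk, msg, sig):
    c, r = sig
    a = (pow(G, r, P) * pow(pk, Q - c, P)) % P   # recover a = g^r * pk^-c
    return _challenge(a, msg) == c

@dataclass(frozen=True)
class Credential:
    """One link of the delegation chain; the fields are assumptions for this example."""
    issuer_pk: int
    holder_pk: int
    data: str                 # "d" (the subject's data) or "d*" (derived from d)
    rights: frozenset         # subset of {"r", "w", "own"}
    purpose: frozenset        # e.g. {"medical", "logistics"}
    expires: int              # constructed Unix time
    may_delegate: bool
    sig: tuple = (0, 0)

    def body(self):
        return [self.issuer_pk, self.holder_pk, self.data, sorted(self.rights),
                sorted(self.purpose), self.expires, self.may_delegate]

def issue(issuer_sk, issuer_pk, holder_pk, data, rights, purpose, expires, may_delegate):
    cred = Credential(issuer_pk, holder_pk, data, frozenset(rights),
                      frozenset(purpose), expires, may_delegate)
    return replace(cred, sig=sign(issuer_sk, cred.body()))

def verify_chain(subject_pk, chain, now, derived_of):
    """Accept only if the root is the data subject's own credential, every link is
    signed by the previous holder, and each hop merely attenuates: rights and
    purpose shrink, expiry does not extend, and d* stays bound to its source d."""
    prev = None
    for cred in chain:
        if not verify_sig(cred.issuer_pk, cred.body(), cred.sig):
            return False, "bad signature"
        if cred.expires < now:
            return False, "expired"
        if prev is None:
            if cred.issuer_pk != subject_pk:
                return False, "root not issued by data subject"
        else:
            if cred.issuer_pk != prev.holder_pk:
                return False, "issuer is not the previous holder"
            if not prev.may_delegate:
                return False, "parent forbids delegation"
            if not (cred.rights <= prev.rights and cred.purpose <= prev.purpose):
                return False, "rights or purpose amplified"
            if cred.expires > prev.expires:
                return False, "expiry extended"
            if cred.data != prev.data and derived_of.get(cred.data) != prev.data:
                return False, "data not derived from parent's data"
        prev = cred
    return True, "ok"

def demo_chain():
    """Data subject -> helper (r on d) -> logistics (r on d*), plus one rejected hop."""
    subj_sk, subj_pk = keygen()
    helper_sk, helper_pk = keygen()
    _, logistics_pk = keygen()
    derived_of = {"d*": "d"}                 # d* was computed from the subject's d
    now = 1_470_000_000                      # constructed timestamp
    day = 86400
    subject = issue(subj_sk, subj_pk, subj_pk, "d", {"r", "w", "own"},
                    {"medical", "logistics"}, now + 7 * day, True)
    to_helper = issue(subj_sk, subj_pk, helper_pk, "d", {"r"},
                      {"medical", "logistics"}, now + 3 * day, True)
    to_logistics = issue(helper_sk, helper_pk, logistics_pk, "d*", {"r"},
                         {"logistics"}, now + day, False)
    ok = verify_chain(subj_pk, [subject, to_helper, to_logistics], now, derived_of)
    # the helper only holds "r" on d, so granting "w" on d* must be rejected
    amplified = issue(helper_sk, helper_pk, logistics_pk, "d*", {"r", "w"},
                      {"logistics"}, now + day, False)
    bad = verify_chain(subj_pk, [subject, to_helper, amplified], now, derived_of)
    return ok, bad
```

A verifier that checks only the last credential’s signature would accept the amplified hop; the usage-control property of the slides comes from walking the whole chain back to the data subject and refusing any link that widens what its parent granted.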
26–28. Witness: Accountability
• Completeness: User’s data provenance with asymmetric fingerprinting
• Soundness: Users’ cryptographic commitment on data processing
Ground Truth: ISO/IEC 24761 ACBio – Biometrics with PKI
Figure (built up over three slides): the data provider (Refugee, Ground Truth) releases d via the Scheduler (AAA(A) service) to data consumers/providers; the Helper receives d (Refugee, Ground Truth) and Logistics receives the derived d* (Refugee, Ground Truth).
Wohlgemuth, Echizen, Sonehara, and Müller 2010
29–30. Knowledge Extractor: Accounting
• Reduce error probability by different witnesses on users
Figure: the roles Prover/Verifier → Verifier → Verifier/Prover → Prover over d, d* and d, with the Scheduler (AAA(A) service) in the middle. Witness statements and what they attest: trust: rights; cert: data provenance; rec: delegation of rights; conf: benchmarking; comp: profit sharing.
• Probabilistic logical statement on safety from user‘s view (on a PKI): Aut_{DC,DP}(d)? Aut_{DC,DP}(d, d*)? Aut_{DP,DC}(d, d*)? Aut_{DP,DC}(d, d*, d**)?
adapted from Maurer 1996, Wohlgemuth 2015
ICT Resilience = Completeness + Soundness
ICT Resilience = Informational self-determination + Compliance