Honored as one of the best papers of IFIP SEC 2010 Security & Privacy - Silver Linings in the Cloud
Privacy in cloud computing is at the moment simply a promise to be kept by the software service providers. Users are able neither to control the disclosure of personal data to third parties nor to check whether the software service providers have followed the agreed-upon privacy policy. Therefore, disclosure of the users' data to the software service providers of the cloud raises privacy risks. In this article, we show a privacy risk by the example of using electronic health records abroad. As a countermeasure by an ex post enforcement of privacy policies, we propose to observe disclosures of personal data to third parties by using data provenance history and digital watermarking.
Tagging Disclosure of Personal Data to Third Parties to Preserve Privacy
1. Tagging Disclosure of Personal Data to Third Parties to Preserve Privacy
25th International Information Security Conference (SEC 2010)
Security & Privacy – Silver Linings in the Cloud
Session: SEC: Access control and privacy
September 23rd, 2010
Dr. Sven Wohlgemuth, Prof. Dr. Isao Echizen, Prof. Dr. Noboru Sonehara (National Institute of Informatics, Japan)
Prof. Dr. Günter Müller (University of Freiburg, Germany)
Running title: Sven Wohlgemuth, On Privacy by Observable Delegation of Personal Data
2. Access control: no usage control for the disclosure of personal data
Privacy and Disclosure of Personal Data to Third Parties
Privacy legislation:
"Privacy is the claim of individuals, groups and institutions to determine for themselves, when, how and to what extent information about them is communicated to others." (Westin, 1967 → regulations of Germany/EU, Japan and HIPAA)
Legend: DP = data provider; DC = data consumer; d, d' = personal data
[Figure: the user (DP) discloses d to a service; that service is the DC of this disclosure and becomes the DP of the next one, passing d, d' on to further services (each DC/DP) until the final DC. Access control decides only the user's own disclosure of d; the onward disclosures of d, d' to third parties are not under the user's control.]
Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N. and Müller, G., 2009
3. Agenda
1. Shift to a new Scenario
2. User becomes a Target
3. Usage Control by Data Provenance
4. DETECTIVE: Data Provenance with Digital Watermarking
5. Safety of Data and Liveness of Services
4. 1. Shift to a new Scenario (e.g. Electronic Health Records, Gematik in Germany)
Current scenario: the patient's data is stored in many medical systems (hospital, laboratory, examination, dentist, pharmacy); each medical system is in charge of the patient's data.
New scenario: all data about the patient is stored in one location, a central EHR; the patient is in charge of this data.
5. 2. User becomes a Target (e.g. Patient)
The patient "inherits" responsibility and risk.
Dishonest parties may modify or disclose personal data to third parties without authorization.
[Figure: the patient's data is held by hospital, examination, dentist, pharmacy and laboratory and flows on to an advertiser, a drug maker and an employer; the parties are subject to different data protection legislations (e.g. EC 95/46/EC, Japan, HIPAA).]
→ Privacy problem: how can the patient control the disclosure of medical data to third parties?
Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N. and Müller, G., 2009
6. 3. Usage Control by Data Provenance (1/2)
Classification of usage control by the point in time at which it acts:
Preventive, before the execution (mechanisms and methods): Process Rewriting; Workflow Patterns; Vulnerability Analysis
Preventive, during the execution (mechanisms and methods): Execution Monitoring; Non-linkable Delegation of Rights
Reactive, after the execution (mechanisms and methods): Model Reconstruction; Audits / Forensics; Architectures for Data Provenance
Policies (specified before the execution): Enterprise Privacy Authorization Language (EPAL); Extended Privacy Definition Tools (ExPDT)
Müller, G., Accorsi, R., Höhn, S. and Sackmann, S., 2010
7. Usage Control by Data Provenance (2/2)
- Data provenance: information to determine the derivation history of data.
- In an audit, data provenance can be used to restore the information flow.
Example
[Figure: the patient's medical data is disclosed to the laboratory, from there to the advertiser and on to the drug maker. With data provenance attached to the data, the copy held by each party records the path it took, so the audit can reconstruct the information flow Patient → Laboratory → Advertiser → Drug maker.]
8. 4. DETECTIVE: Data Provenance with Digital Watermarking
Watermarking is a method to bind provenance information as a tag to data.
The EHR/medical system must enforce that
- disclosed data is tagged with updated provenance information, and
- the provenance information is authentic.
Steps of a disclosure (data provider: the EHR/medical system, e.g. a laboratory; data consumer: e.g. an advertiser; the tag is applied by a watermarking service):
1) Access request by the data consumer
2) Fetch data
3) Apply tag (watermarking service)
4) Deliver tagged data to the data consumer
9. Digital Watermarking and Disclosure of Personal Data
[Figure: the patient's watermarked medical data is disclosed to the laboratory, by the laboratory to the advertiser and by the advertiser to the drug maker; every copy carries the patient's watermark only.]
Both service providers (laboratory and advertiser) have the same digital watermark
→ no identification of the last data provider.
10. DETECTIVE: Digital Watermarking Scheme
Data provenance information: linking the identities of data provider and data consumer with the access to personal data.
Detection by the patient via the rights (privacy policy) she delegated to her personal data.
Apply tag: data provider and data consumer, jointly.
Verify tag: patient, with data provider and data consumer.
[Figure: the patient delegates rights to the laboratory; on the disclosure from the laboratory (DP) to the advertiser (DC) a tag linking both identities is applied; the patient verifies the tag against the delegated rights and so detects the disclosure to the advertiser.]
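The attribution problem of slide 9, the "apply tag" step of slide 8 and the linked tag of slide 10, as an added example that is not part of the original slides or of the DETECTIVE implementation: when the patient's data is watermarked once and forwarded unchanged, every holder's copy carries the same mark and a leaked copy cannot be traced to its last provider; when the tag is extended by a (data provider, data consumer) link at every disclosure, the chain in the leaked copy names the last provider and the patient can compare each link with the rights she delegated. The LSB embedding, the JSON chain and the sample data bytes are constructed stand-ins for illustration; the paper's tag is built from commitments, not from clear-text identities.

```python
"""Added example, not the paper's code: why one watermark per data set cannot
name the last data provider (slide 9) and how a provenance tag that links the
identities of data provider (DP) and data consumer (DC) at every disclosure
does (slides 7, 8 and 10). The watermark is a plain LSB scheme and the tag a
clear-text chain of (DP, DC) links; both are stand-ins chosen for illustration."""
import json


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 2-byte length prefix and the payload into the least significant bits."""
    msg = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> i) & 1 for byte in msg for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(marked: bytes) -> bytes:
    """Read back what embed() wrote; garbage if the data was never marked."""
    bits = [byte & 1 for byte in marked]

    def byte_at(k):
        chunk = bits[8 * k:8 * k + 8]
        return int("".join(map(str, chunk)), 2) if len(chunk) == 8 else 0

    length = (byte_at(0) << 8) | byte_at(1)
    return bytes(byte_at(2 + k) for k in range(length))


# --- one watermark for the whole data set (slide 9) -----------------------
def naive_attribution(leaked: bytes, holders: dict) -> set:
    """Which holders could have leaked this copy? Every holder whose copy carries
    the same mark is a candidate, so the answer is ambiguous."""
    return {name for name, copy in holders.items() if extract(copy) == extract(leaked)}


# --- provenance tag extended at every disclosure (slides 7, 8, 10) --------
def provenance(marked: bytes) -> list:
    """The chain of (DP, DC) links carried by a copy, [] if it carries none."""
    try:
        return json.loads(extract(marked).decode())
    except (ValueError, UnicodeDecodeError):
        return []


def disclose(marked: bytes, dp: str, dc: str) -> bytes:
    """Apply tag: DP discloses the data to DC; read the chain, append the link, re-embed."""
    return embed(marked, json.dumps(provenance(marked) + [[dp, dc]]).encode())


def last_provider(leaked: bytes):
    """The DP of the last link is the party that handed the data to its current holder."""
    chain = provenance(leaked)
    return chain[-1][0] if chain else None


def unauthorised_links(leaked: bytes, delegated: set) -> list:
    """Links of the chain not covered by the rights the patient delegated."""
    return [tuple(link) for link in provenance(leaked) if tuple(link) not in delegated]


COVER = bytes(range(256)) * 16  # constructed 4 KiB stand-in for medical data


def demo():
    # naive: the patient marks once, the laboratory forwards the copy unchanged
    patient_copy = embed(COVER, b"patient-mark")
    holders = {"Laboratory": patient_copy, "Advertiser": patient_copy}
    ambiguous = naive_attribution(patient_copy, holders)
    # DETECTIVE-style: each disclosure extends the provenance chain
    lab_copy = disclose(embed(COVER, b"[]"), "Patient", "Laboratory")
    adv_copy = disclose(lab_copy, "Laboratory", "Advertiser")
    leaked = disclose(adv_copy, "Advertiser", "Drug maker")
    delegated = {("Patient", "Laboratory")}  # the patient's privacy policy
    return ambiguous, last_provider(leaked), unauthorised_links(leaked, delegated)


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, the block reports that the naive watermark leaves both the laboratory and the advertiser as possible sources of the drug maker's copy, while the chained tag names the advertiser as the last provider and lists the two links the patient never authorised, the laboratory's disclosure to the advertiser being the first of them.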
11. DETECTIVE: Protocol Tag
Building blocks: commitments, computing with commitments, digital signature, digital watermarking.
Parties: data provider (DP), data consumer (DC). kDP and kDC are the identity keys of DP and DC; com(k) is a commitment to k; com_BLIND(k) is the same commitment re-randomised with a blinding factor; d is the personal data to be disclosed.
Commitment to the identity of DC:
1: DP provides pkDP_COM, the DP's public parameters for commitments
2: DC commits to kDC and blinds the commitment: comDC_BLIND(kDC)
3: DC confirms comDC(kDC) by signing it: signatureDC(comDC_BLIND(kDC))
4: DC → DP: comDC_BLIND(kDC), signatureDC(comDC_BLIND(kDC))
Tagging the disclosure of personal data:
5: DP verifies signatureDC
6: DP blinds its own commitment comDP(kDP) to comDP_BLIND(kDP) and confirms it by signatureDP
7: DP links both commitments to d by digital watermarking:
   tag' := embedsym(anonCredentialDC, comDP_BLIND(kDP) · comDC_BLIND(kDC), d)
8: DP → DC: tag', signatureDP
Revealing the tag:
9: DC removes its own blinding factor: tag := tag' / blinding factorDC
12. DETECTIVE: Protocol Verify
Building blocks: PKI, commitments, digital signature, zero-knowledge proof.
Parties: user (patient), certification authority (CA), data provider (DP), data consumer (DC).
Reconstruct the delegation chain:
1: User → CA: request anonCredentials(rightsDC) for the delegated rights
2: User → DP: request comDP_BLINDED(kDP), pkDP_COM, and signatureDC
3: DP → User: comDP_BLINDED(kDP), pkDP_COM, and signatureDC
4: User → DP: request open(comDP_BLINDED(kDP))
5: DP → User: blinded kDP
6: User verifies comDP_BLINDED(kDP)
7: User verifies signatureDC
Verify the enforcement of the embedding:
8: User extracts comDC(kDC) from the tag
9: User and DC: check the correctness of comDC(kDC) by a zero-knowledge proof
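The Tag and Verify exchanges of slides 11 and 12, as an added simulation that is not the paper's code: the commitments are Pedersen commitments over a toy prime-order group (p = 1019, q = 509), blinding is re-randomisation of the commitment, the signatures and the zero-knowledge step of Verify step 9 are Schnorr/Fiat-Shamir proofs over the same group, the anonymous credential is a plain string compared against the set of delegated rights, the DP opens its blinded commitment to the patient in place of the "blinded kDP" exchange of steps 4 and 5, and the watermark is a tuple attached to the data rather than an embedded mark. The group parameters, party names, sample data and helper functions are assumptions for illustration only.

```python
"""Added example, not the paper's code: a simulation of the DETECTIVE Tag and
Verify protocols (slides 11 and 12). Commitments are Pedersen commitments,
signatures and the zero-knowledge step are Schnorr/Fiat-Shamir proofs over
a toy prime-order group, anonymous credentials are plain strings and the
watermark is a tuple attached to the data instead of an embedded mark."""
import hashlib
import secrets

P, Q = 1019, 509   # toy safe prime p = 2q + 1; illustration only, not a real parameter
G, H = 4, 9        # quadratic residues mod p, hence both of prime order q


def commit(k, r):
    """Pedersen commitment com(k) = g^k h^r with randomness r."""
    return pow(G, k, P) * pow(H, r, P) % P


def blind(com, b):
    """Re-randomise a commitment with blinding factor b: com(k, r) -> com(k, r + b)."""
    return com * pow(H, b, P) % P


def unblind(com, b):
    return com * pow(pow(H, b, P), -1, P) % P


def challenge(*parts):
    """Fiat-Shamir challenge in [1, q-1]; never 0, so a wrong witness always fails."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def prove(base, x, stmt):
    """Proof of knowledge of x with y = base^x, bound to stmt. With base g and a
    signing key this is a Schnorr signature on stmt; with base h it is the
    zero-knowledge proof of Verify step 9."""
    a = secrets.randbelow(Q)
    t = pow(base, a, P)
    return t, (a + challenge(t, stmt) * x) % Q


def verify(base, y, stmt, proof):
    t, z = proof
    return pow(base, z, P) == t * pow(y, challenge(t, stmt), P) % P


class Party:
    def __init__(self, name):
        self.name, self.k = name, secrets.randbelow(Q)  # k: identity and signing key
        self.pk = pow(G, self.k, P)


def protocol_tag(dp, dc, d, cred_dc):
    """Tag: DP discloses d to DC under the credential cred_dc. Returns the revealed
    tag, the DP's record kept for the audit, and the DC's randomness r_DC."""
    # 2-4: DC commits to k_DC, blinds the commitment and signs it
    r_dc, b_dc = secrets.randbelow(Q), secrets.randbelow(Q)
    com_dc_blind = blind(commit(dc.k, r_dc), b_dc)
    sig_dc = prove(G, dc.k, com_dc_blind)
    # 5: DP verifies signature_DC
    if not verify(G, dc.pk, com_dc_blind, sig_dc):
        raise ValueError("signature_DC invalid")
    # 6: DP blinds its own commitment com_DP(k_DP)
    r_dp, b_dp = secrets.randbelow(Q), secrets.randbelow(Q)
    com_dp_blind = blind(commit(dp.k, r_dp), b_dp)
    # 7-8: link both commitments to d (product of commitments) and sign tag'
    tag_blind = (cred_dc, com_dp_blind * com_dc_blind % P, hashlib.sha256(d).hexdigest())
    sig_dp = prove(G, dp.k, tag_blind)
    if not verify(G, dp.pk, tag_blind, sig_dp):
        raise ValueError("signature_DP invalid")
    # 9: DC removes its own blinding factor: tag := tag' / blinding factor_DC
    tag = (cred_dc, unblind(tag_blind[1], b_dc), tag_blind[2])
    record = {"com_dp_blind": com_dp_blind, "opening": (dp.k, r_dp + b_dp),
              "com_dc_blind": com_dc_blind, "sig_dc": sig_dc}
    return tag, record, r_dc


def protocol_verify(delegated, tag, dp, record, dc, r_dc):
    """Verify: the patient reconstructs the link DP -> DC behind a tag and checks
    that the embedding was enforced. Returns (dp, dc, authorised) or None."""
    cred_dc, product, _ = tag
    # 2-6: DP hands over com_DP_BLINDED and opens it; the patient checks the opening
    k_dp, r = record["opening"]
    if commit(k_dp, r) != record["com_dp_blind"] or pow(G, k_dp, P) != dp.pk:
        return None
    # 7: verify signature_DC on the DC's blinded commitment
    if not verify(G, dc.pk, record["com_dc_blind"], record["sig_dc"]):
        return None
    # 8: extract com_DC(k_DC) from the tag by dividing out the DP's commitment
    com_dc = product * pow(record["com_dp_blind"], -1, P) % P
    # 9: DC proves in zero knowledge that com_DC commits to its identity key:
    #    com_DC / pk_DC = h^r_DC, and DC knows r_DC without revealing it
    proof = prove(H, r_dc, com_dc)
    if not verify(H, com_dc * pow(dc.pk, -1, P) % P, com_dc, proof):
        return None
    # 1: compare the credential in the tag with the rights the patient delegated
    return dp.name, dc.name, cred_dc in delegated


if __name__ == "__main__":
    lab, adv = Party("Laboratory"), Party("Advertiser")
    data = b"blood test results of patient X"  # constructed sample data
    tag, rec, r = protocol_tag(lab, adv, data, "marketing-use")
    print(protocol_verify({"analysis"}, tag, lab, rec, adv, r))
```

Run stand-alone, the block tags a disclosure from the laboratory to the advertiser under a credential the patient never delegated; Verify still reconstructs the link, because the tag is authentic, but reports it as unauthorised. Tampering with the commitment product in the tag or with the DP's opening makes Verify return None, because the DC can no longer prove that the extracted commitment hides its identity key or the opening no longer matches the blinded commitment.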
13. DETECTIVE: Proof-of-Concept Implementation
Case study: Telemedicine – consulting a clinic abroad
14. 5. Safety of Data and Liveness of Services
Transparency by policy enforcement mechanisms (e.g. DETECTIVE)
Safety: authorized execution. Liveness: reachable states.
[Figure: timeline t with the access request as the dividing point]
Provisions cover the time up to the access ("past and present"); obligations cover the time after the access ("future").