Secondary use of personal information is of essential importance for the Internet of Things. The main application is resilience. Biometrics is an example for support of resilience in times of a natural disaster. The primary use of biometrics is to identify people; a secondary use is to improve healthcare services for affected people. This requires information sharing with third parties. The challenge faced for reliable support of the Internet of Things is safety. Special cases of security systems achieve safety for information flow, but they don’t scale for secondary use. Their users lose control on their identity. With the aim of improving usability of security, this research-in-progress proposes a multilateral information flow control. This is privacy as understood with informational self-determination. The key is usage control with secure delegation of rights and a secondary use of personal security-related information as Open Data.

1. Privacy with Secondary Use
of Personal Information
MKWI 2016
Sicherheit, Compliance und Verfügbarkeit von Geschäftsprozessen
March 9, 2016, Ilmenau, Germany
Dr. Sven Wohlgemuth (Visiting Researcher Goethe Universität Frankfurt, Germany)
Dr. Kazuo Takaragi (National Institute of Advanced Industrial Science and Technology, Japan)
Prof. Dr. Isao Echizen (National Institute of Informatics, Japan)

2. Helper
The Great East Japan Earthquake
03.08.16 Privacy with Secondary Use of Personal Information 2
Urushidani and Aoki 2011, JAISA 2015
Refugee
National academic ICT infrastructure (SINET) was available
Physical
Cyber
SINET 4: Cloud-type services for > 700 organizations
Telemedicine
Insufficient information in real-time for response and recovery

3. Agenda
I. Resilience and Safety
• Lessons learned
• Safety: A Zero-Knowledge Proof?
II. Towards Provable Safety
• Language-Based Information Flow Control
• Language for ICT Resilience
III. Proof System for ICT Resilience
• Zero-Knowledge Proof with Open Data
• Cryptographic Building Blocks
IV. Looking for Partners!
03.08.16 Privacy with Secondary Use of Personal Information 3

4. I. Resilience and Safety
03.08.16 Privacy with Secondary Use of Personal Information 4
Urushidani et al. 2015, JAISA 2015
Resilience by predictive IT risk management with personal data
HelperRefugee
Physical
Cyber
SINET 5: Cloud Computing with PKI and Marketplace
Telemedicine
Ground Truth 5
Courtesy of Tsukuba Univ.
Kostadinka Bizheva, et al.,
J. of Biomedical Optics,
July/ 2004 Vol.9 No.4
Petra Wilder-Smith, et al.
J. of Biomedical Optics Sep/ 2005 Vol.10 No.5
BrainEye
Tooth
Oral
Skin
Z.P.Chen, et al.,
Opt. Express, Aug/ 2007
Vol. 15 No. 16
Esophagus
Alexander Popp, et al.,
J. of Biomedical Optics, Jan/ 2004
Vol.11 No.1
Lung
Guillermo J. Tearney, et al.
J. of Biomedical Optics
Mar/ 2006 Vol.11 No.2
Cardiovascular
Pancreas
Pier Alberto, et al.
J Pancreas (Online)
2007 Vol.8 No.2 Cervix
Ilya V. Turchin, et al.,
J. of Biomedical Optics,
Nov/ 2005 Vol.10 No.6
Blood flow
Bradley A. Bower., J. of Biomedical Optics,
Jul/ 2007 Vol.12 No.4
Stomach
Yonghong He, et al.
J. of Biomedical Optics
Jan/ 2004 Vol.9 No.1
Trachea
Matthew Brenner, et al.,
J. of Biomedical Optics,
Sep/ 2007 Vol.12 No.5
Cochlea
Fangyi Chen, et al.,
J. of Biomedical Optics,
Mar/ 2007 Vol.12 No.2
Bladder
Ying T. Pan, et al.
J. of Biomedical Optics
Sep/ 2007 Vol.12 No.5
Colon
Alexandre R. Tumlinson, et al.,
J. of Biomedical Optics,
Nov/ 2006 Vol.11 No.6
Kidney
Yu Chen, et al.
J. of Biomedical Optics
Sep/ 2007 Vol.12 No.3
Bone
santec confidential SS-OCT System Inner Vision 16Application to Biometrics:
Non-invasive measurement of iris, retina, fingerprint, vascular image under skin.
OCT(Optical Coherence Tomography)
図：santec株式会社提供資料より

5. Requirements on Safety
03.08.16 Privacy with Secondary Use of Personal Information 5
Compliance
• End-to-end security
• Declassification
• Accountability and penalty
• Adequate risk management with authentic reporting
Personal Risk Management
• Transaction-specific safety
• Just-in-time scalable knowledge creation from data
• Optimizing user’s risk with data minimization
User-centric safety
(Completeness)
Integrity of computation
(Soundness)
User-centric safe
information flow
JAISA 2015
HIPAA, (J-)SOX, KonTraG, EU GDPD, Japan Personal Information Protection Law

6. Safety: A Zero-Knowledge Proof?
03.08.16 Privacy with Secondary Use of Personal Information 6
......
• Multilateral security ⇒ User-centric safe information flow
d
d, d*
Data provider
/consumer
Data consumer
Data consumer
/provider
Data provider
Secondary usePrimary use
• Vulnerability in real-time by inevitable, hidden dependencies

7. Safety: A Zero-Knowledge Proof?
03.08.16 Privacy with Secondary Use of Personal Information 7
......
• Multilateral security ⇒ User-centric safe information flow
d
Secondary usePrimary use
• Vulnerability in real-time by inevitable, hidden dependencies
Safety by obscurity – No reliable statement on information
d, d*
Data provider
Data consumer
/provider
Data consumer Data provider

8. Safety: Decidability
03.08.16 Privacy with Secondary Use of Personal Information 8
State-of-the-art: ISO 270xx, IETF AAA (access control)
......
d
Data provider
/consumer
Data consumer
Data consumer
/provider
Data provider
d, d*
?
o1 = d o2 = d* …
s1 own, r, w ? own, r, w ?
s2 r, w own, r, w
s3 ? r, w ? r
…
General
security
system
Decidability on safety in general ⇒ Halting problem of Turing Machine
Probability of a correct statement on safety in the future = 50%
Harrison et al. 1976Hamlen et al. 2006
Enforcement

9. Threat to Completeness
03.08.16 Privacy with Secondary Use of Personal Information 9
• Information flow from different sources in real-time
• Aggregation of anonymized personal data
Loss of control on confidentiality (of honest prover)
Bob David
Explicit/friendship
Implicitly assumed friendship
Sweeney 2002
Jernigan and Mistree, 2007

10. Threat to Soundness
03.08.16 Privacy with Secondary Use of Personal Information 10
Loss of control on classification (of honest verifier)
• Knowledge creation from personal data by secondary use
• “Faulty” data increases error probability of machine learning
Biggio et al 2012; Huang et al 2011
Supervised machine learning
(e.g. SVM)
0 2 4 6 8
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
% of attack points in training data
classification error (7 vs 1)
validation error
testing error
0 2 4 6 8
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
% of attack points in training data
classification error (9 vs 8)
validation error
testing error
0.25
0.3
0.35
0.4
classification error (4 vs 0)
validation error
testing error
structure of the optimal solution.
Another direction for research is the simultaneous opti-
mization of multi-point attacks, which we successfully
approached with sequential single-point attacks. The
first question is how to optimally perturb a subset of
the training data; that is, instead of individually opti-
mizing each attack point, one could derive simultane-
ous steps for every attack point to better optimize their
overall e↵ect. The second question is how to choose
the best subset of points to use as a starting point
for the attack. Generally, the latter is a subset selec-
tion problem but heuristics may allow for improved ap-
proximations. Regardless, we demonstrate that even
non-optimal multi-point attack strategies significantly
degrade the SVM’s performance.
An important practical limitation of the proposed
method is the assumption that the attacker controls
the labels of the injected points. Such assumptions
may not hold when the labels are only assigned by
trusted sources such as humans. For instance, a spam
filter uses its users’ labeling of messages as its ground
truth. Thus, although an attacker can send arbitrary
messages, he cannot guarantee that they will have the
labels necessary for his attack. This imposes an ad-
ditional requirement that the attack data must satisfy
certain side constraints to fool the labeling oracle. Fur-
ther work is needed to understand these potential side
constraints and to incorporate them into attacks.
The final extension would be to incorporate the real-
world inverse feature-mapping problem; that is, the
problem of finding real-world attack data that can
Unsupervised machine learning
(e.g. PCA)
0.00.20.40.60.81.0
Single Poisoning Period: Evading PCA
Mean chaff volume
Evasionsuccess(FNR)
0% 10% 20% 30% 40% 50%
Uninformed
Locally−informed
Globally−informed
10
0
0.00.20.40.60.81.0
Bo
Evasionsuccess(averagetestFNR)
Figure 3: Effect of poisoning attacks on the PCA-based detector [36
relative chaff volume under Single-Training Period poisoning attacks
(dotted black line) locally-informed (dashed blue line) and globally-in
success of PCA under Boiling Frog poisoning attacks in terms of the
of locally-informed poisoning for four different poisoning schedules (
size of the poisoning by factors 1.01, 1.02, 1.05, and 1.15 respectively).

11. II. Towards Provable Safety
03.08.16 Privacy with Secondary Use of Personal Information 11
Status Quo: Language-based information flow control
Rigorous
Natural
Language
Policy
High-Level
Policy
Language
Intermediate-Level
Security Policy
Flow Graph
Low-Level
Enforcement
In Practice
Take-grant, type-safety,
lattice-based access control,
obligations
Identity, cryptography,
safe public directory, monitor,
proof-carrying code
Decentralized trust
management
HIPAA, (J-)SOX,
KonTraG, 95/46/EC, JP
PII Protection Law, …
Enforcement classes,
Ponder, ExPDT
Computational complexity,
PKI, virtualization, testing
ISO/IEC 270xx, BSI IT-
Baseline Protection, IETF
AAA, NIST SCAP
Social/knowledge graph,
sticky policies
secure delegation of rights
ZKP-carrying information
cf. Sandhu 1993, Myers and Liskov, 1997; Schneider, Morrisett and Harper, 2001; Sabelfeld and Myers, 2003

12. Access control doesn‘t scale for resilience
Error propagation
Joined by Ground Truth
Role change of secondary use
Ext.: Reliable ”Big Brother”
Int.: Error propagation
Role change of secondary use
(DP, DC, data, DS, time, …)
Data minimization
Special Cases for Safety
03.08.16 Privacy with Secondary Use of Personal Information 12
• Strict order
Natural
Language
Policy
High-Level
Policy
Language
Intermediate-Level
Security Policy
Flow Graph
Low-Level
Enforcement
• Symmetric access tree
• Safety if trees are separate • Availability of data
by declassification
Lattice-based Access Control
Sandhu 1993
Take-grant
Lipton and Snyder 1977
S1: u
S2: u S3: v
O: oS3: w
• Acyclic graph
• x <= 3 parameter
• No revocation
Type-safety
Sandhu 1992
S1: u
S2: u S3: v
O: oS3: w

13. Example: Chinese-Wall
03.08.16 Privacy with Secondary Use of Personal Information 13
Conflict
classes
Personal
datasets
Syshigh
Ground Truth
Registration
office
Medical
treatment
Required information
for enforcement
(central by Syshigh)

14. Example: Chinese-Wall
03.08.16 Privacy with Secondary Use of Personal Information 14
Conflict
classes
Personal
datasets
Syshigh
Ground Truth
Registration
office
Medical
treatment
Required information
for enforcement
(central by Syshigh)

15. Example: Chinese-Wall
03.08.16 Privacy with Secondary Use of Personal Information 15
Conflict
classes
Personal
datasets
Syshigh
Ground Truth
Registration
office
Medical
treatment
Bob David
Explicit/friendship
Implicitly assumed friendship
Required information
for enforcement
(central by Syshigh)

16. Example: Chinese-Wall
03.08.16 Privacy with Secondary Use of Personal Information 16
Conflict
classes
Personal
datasets
Syshigh
Ground Truth
Registration
office
Medical
treatment
Bob David
Explicit/friendship
Implicitly assumed friendship
Required information
for enforcement
(central by Syshigh)

17. Natural
Language
Policy
High-Level
Policy
Language
Intermediate-Level
Security Policy
Flow Graph
Low-Level
EnforcementLanguage for ICT Resilience
03.08.16 Privacy with Secondary Use of Personal Information 17
Safety for secondary use: Soundness (safety) ∧ Completeness (safety + liveness)
d, d*d
Prover/
Verifier
Verifier
Verifier/
Prover
Prover
Access control
Provisions
Provisions + observable obligations
Usage control
Enforcement ⇒ Open Data of personal security information (Ground Truth)
Open Data
on obligations
adapted from Park and Sandhu 2004; Pretschner, Hilty, and Basin 2006

18. III. Proof System for ICT Resilience
03.08.16 Privacy with Secondary Use of Personal Information 18
In practice: Inevitable vulnerability by dependencies
Safe information accountability ⇒ Zero-Knowledge Proof on origin of vulnerability
Natural
Language
Policy
High-Level
Policy
Language
Intermediate-Level
Security Policy
Flow Graph
Low-Level
Enforcement
d, d*d
Prover/
Verifier
Verifier
Verifier/
Prover
Prover
Scheduler
(Open Data)

19. III. Proof System for ICT Resilience
03.08.16 Privacy with Secondary Use of Personal Information 19
In practice: Inevitable vulnerability by dependencies
Safe information accountability ⇒ Zero-Knowledge Proof on origin of vulnerability
Natural
Language
Policy
High-Level
Policy
Language
Intermediate-Level
Security Policy
Flow Graph
Low-Level
Enforcement
d, d*d
Prover/
Verifier
Verifier
Verifier/
Prover
Prover
Scheduler
(Open Data)
sec d, d*
sec d, d*
sec d, d*
Knowledge
extractor
Knowledge
extractor
Knowledge extractor
Ground Truth with sec d, d*
Zero-Knowledge Proof (ZKP)
• Probabilistic proof system between 2 parties on graph isomorphism
• No additional knowledge for the verifier on original graph
• ICT Resilience: obligations + witnesses + compensation ⟼ Open Data
Prover Verifier
1. t random, a:=gt
2. a
3. c random out of {0,1}
4. c
5. r:=t + cm mod q
6. r
7. Check if gr = ahc
pkVerifier := (p, q, g, h) pkVerifier := (p, q, g, h)
ChallengeResponse
Goldwasser et al. 1989, Bellare and Goldreich 1993

20. III. Proof System for ICT Resilience
03.08.16 Privacy with Secondary Use of Personal Information 20
In practice: Inevitable vulnerability by dependencies
Safe information accountability ⇒ Zero-Knowledge Proof on origin of vulnerability
Natural
Language
Policy
High-Level
Policy
Language
Intermediate-Level
Security Policy
Flow Graph
Low-Level
Enforcement
d, d*d
Prover/
Verifier
Verifier
Verifier/
Prover
Prover
Scheduler
(Open Data)
sec d, d*
sec d, d*
sec d, d*
Knowledge
extractor
Knowledge
extractor
Knowledge extractor
Ground Truth with sec d, d*

21. Scheduler: Global AAA(A) Service
03.08.16 Privacy with Secondary Use of Personal Information 21
Open Internet Standard RFC 2904 AAA Authorization Framework
1: Authentication
2: Authorization
3: Accounting
+ Witness for Information Accountability
4: Accountability
Data consumer/
provider
Data consumer/
provider
Data consumer/
providerAAA(A)
service
Scheduler
sec d, d*
sec d, d*
sec d, d*

22. Scheduler: Reliable Broadcast
03.08.16 Privacy with Secondary Use of Personal Information 22
Self-organized consensus by cryptography
Data consumer/
provider
Data consumer/
provider
Data consumer/
provider
sec d, d*
…
sec d, d*
sec d, d*
• Users check users (Users as “miner“ check transactions and get reward)
Nakamoto 2009
• Block chain for safe public directory with eCoin for risk compensation
Scheduler

23. Witness: Authorization
03.08.16 Privacy with Secondary Use of Personal Information 23
• Completeness: Non-linkable delegation of rights
• Soundness: Cryptographic protocols (ISO/IEC JTC 1/SC 27 WG2)
Ground Truth: ISO/IEC 24761 ACBio – Biometrics with PKI
Data provider
Data consumer/
provider
Data consumer/
providerAAA(A)
service
Scheduler
d
Data consumer/
provider
Sonehara, Echizen, and Wohlgemuth 2011

24. Witness: Authorization
03.08.16 Privacy with Secondary Use of Personal Information 24
• Completeness: Non-linkable delegation of rights
• Soundness: Cryptographic protocols (ISO/IEC JTC 1/SC 27 WG2)
Ground Truth: ISO/IEC 24761 ACBio – Biometrics with PKI
Data provider
Data consumer/
provider
Data consumer/
providerAAA(A)
service
Scheduler
d
Data consumer/
provider
Issuer:
Public Key:
Attributes:
Ground Truth
ZKP on Xa23
r,w, own on d
Delegation,
Purpose,
…
Credential of
data subject
Sonehara, Echizen, and Wohlgemuth 2011

25. Sonehara, Echizen, and Wohlgemuth 2011
Witness: Authorization
03.08.16 Privacy with Secondary Use of Personal Information 25
• Completeness: Non-linkable delegation of rights
• Soundness: Cryptographic protocols (ISO/IEC JTC 1/SC 27 WG2)
Ground Truth: ISO/IEC 24761 ACBio – Biometrics with PKI
Data provider
Data consumer/
provider
Data consumer/
providerAAA(A)
service
Scheduler
d
Data consumer/
provider
Issuer:
Public Key:
Attributes:
Ground Truth
ZKP on Xa23
r,w, own on d
Delegation,
Purpose,
…
Credential of
data subject Issuer:
Public Key:
Attributes:
Miner
ZKP on Xa23
r on d
Delegation to
helper,
medical,
Time, Price …
Credential on d
Issuer:
Public Key:
Attributes:
Miner
ZKP on Xa23
r on d*
Delegation to
logistics,
transport,
Time, Price,…
Credential on d*

26. Witness: Accountability
03.08.16 Privacy with Secondary Use of Personal Information 26
• Completeness: User’s data provenance with asymmetric fingerprinting
• Soundness: Users’ cryptographic commitment on data processing
Ground Truth: ISO/IEC 24761 ACBio – Biometrics with PKI
Data provider
Data consumer/
provider
Data consumer/
providerAAA(A)
service
Scheduler
d
Data consumer/
provider
d
Refugee
Ground Truth
Wohlgemuth, Echizen, Sonehara, and Müller 2010

27. Witness: Accountability
03.08.16 Privacy with Secondary Use of Personal Information 27
• Completeness: User’s data provenance with asymmetric fingerprinting
• Soundness: Users’ cryptographic commitment on data processing
Ground Truth: ISO/IEC 24761 ACBio – Biometrics with PKI
d
Data provider
Data consumer/
provider
Data consumer/
providerAAA(A)
service
Scheduler
d
Data consumer/
provider
d
Refugee
Ground Truth
d
Refugee
Ground Truth
Helper
Wohlgemuth, Echizen, Sonehara, and Müller 2010

28. Witness: Accountability
03.08.16 Privacy with Secondary Use of Personal Information 28
• Completeness: User’s data provenance with asymmetric fingerprinting
• Soundness: Users’ cryptographic commitment on data processing
Ground Truth: ISO/IEC 24761 ACBio – Biometrics with PKI
d
d*
Data provider
Data consumer/
provider
Data consumer/
providerAAA(A)
service
Scheduler
d
Data consumer/
provider
d
Refugee
Ground Truth
d
Refugee
Ground Truth
Helper
d*
Refugee
Ground Truth
Logistics
Wohlgemuth, Echizen, Sonehara, and Müller 2010

29. Knowledge Extractor: Accounting
03.08.16 Privacy with Secondary Use of Personal Information 29
• Reduce error probability by different witnesses on users
d, d*d
Prover/
Verifier
Verifier
Verifier/
Prover
Prover
trust rights
cert data provenance
rec delegation of rights
conf benchmarking
comp profit sharing
• Probabilistic logical statement on safety from user‘s view (on a PKI)
AAA(A)
service
Scheduler
AutDC,DPd ?
AutDC,DPd, d* ?AutDP, DCd, d* ?
AutDP, DCd, d*, d** ?
adapted from Maurer 1996, Wohlgemuth 2015

30. Knowledge Extractor: Accounting
03.08.16 Privacy with Secondary Use of Personal Information 30
• Reduce error probability by different witnesses on users
d, d*d
Prover/
Verifier
Verifier
Verifier/
Prover
Prover
trust rights
cert data provenance
rec delegation of rights
conf benchmarking
comp profit sharing
• Probabilistic logical statement on safety from user‘s view (on a PKI)
ICT Resilience = Completeness + Soundness
ICT Resilience = Informational self-determination + Compliance
AAA(A)
service
Scheduler
AutDC,DPd ?
AutDC,DPd, d* ?AutDP, DCd, d* ?
AutDP, DCd, d*, d** ?

31. IV. Looking for Partners!
03.08.16 Privacy with Secondary Use of Personal Information 31
Challenge: Creating a Sustainable Society
Multilateral Security
IoT Integrated Society
Data consumer/
provider
Data consumer/
provider
Data consumer/
provider
sec d, d*
…
sec d, d*
sec d, d*
Scheduler
Resilient Risk Assessment (RA1)
Resilient ICT Services (RA2)
Resilient ICT Infrastructure (RA3)
Technical
Human Legal et al.
Privacy
by
Design