A Privacy-Considerate Framework for Identity Management in Mobile Services
- 253 Downloads
The subscribers’ personal information and services that mobile operators are able to provide to Web developers offer new and exciting possibilities in numerous domains. However, bringing mobile information services to the Web to enable a new generation of mobile Web services presents several research challenges on identity and privacy management. In this paper, we describe a framework for identity management in mobile services that empowers users to govern the use and release of their personal information. Our framework is based on a brokering approach that intermediates between the mobile operator’s information services and the Web service providers. By leveraging on Web services, identity management infrastructure and privacy enhancing technologies, our framework provides an effective, privacy-considerate delivery of services over the mobile Web environment. This paper describes the design principles and architecture of the framework as well as the feasibility, applicability and user-experience evaluation we have carried out.
Keywordsmobile web identity management privacy management service delivery information sharing user-centricity
This work has been partially supported by CDTI Ministry of Science and Innovation of Spain, as part of the SEGUR@ project (https://www.cenitsegura.es/), under the CENIT program, CENIT-2007/2011.
- 1.3rd Generation Partnership Project (2004) 3GPP TR 23 941, Generic User Profile (GUP), version 6.0.0.. http://www.3gpp.org/ftp/specs/html-info/23941.htm. Accessed 25 May 2011.
- 2.3rd Generation Partnership Project (2004) 3GPP TR 33.919, Generic Authentication Architecture (GAA); System description. http://www.3gpp.org/ftp/Specs/html-info/33919.htm. Accessed 25 May 2011.
- 3.3rd Generation Partnership Project (2006) 3GPP TR 33.980, Liberty Alliance and 3GPP security interworking; Interworking of Liberty Alliance Identity Federation Framework (ID-FF), Identity Web Services Framework (ID-WSF) and Generic Authentication Architecture (GAA). http://www.3gpp.org/ftp/Specs/html-info/33980.htm. Accessed 25 May 2011.
- 4.3rd Generation Partnership Project (2004) 3GPP TS 33.220, Generic Authentication Architecture (GAA); Generic bootstrapping architecture. http://www.3gpp.org/ftp/Specs/html-info/33220.htm. Accessed 25 May 2011.
- 5.Aars R, et al. (Editors) (2003) Liberty architecture framework for supporting privacy preference expression languages (PPELs). Version 1.0, Liberty Alliance.Google Scholar
- 6.Ahn GJ, Ko M (2007) User-centric privacy management for federated identity management. International Conference on Collaborative Computing: Networking, Applications and Worksharing, pp 187–195.Google Scholar
- 7.Working Party on Police and Justice (2009) Article 29 of the data protection working party, the future of privacy—joint contribution to the consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, 02356/09/ENGoogle Scholar
- 8.Bessler S, Jons O (2005) A privacy enhanced service architecture for mobile users. PerCom Workshops, pp 125–129Google Scholar
- 9.Bhargav-Spantzely A, Camenisch J, Gross T, Sommer D (2007) User centricity: a taxonomy and open issues. ACM Workshop on Digital Identity Management, IOS Press, pp 493–527Google Scholar
- 10.Cadenas A, Sanchez-Esguevillas A, Carro B (2010) Building context-aware telco operator services based on web services technologies. In: Sheng Q, Yu J, Dustdar S (eds) Enabling context-aware web services: methods, architectures, and technologies. Chapman and Hall/CRC, Boca Ratón, pp 139–169CrossRefGoogle Scholar
- 11.Camarillo G, García-Martín MA (2006) The 3G IP multimedia subsystem (IMS): Merging the internet and the cellular worlds, 2nd edn. Wiley, ChichesterGoogle Scholar
- 12.Cantor S, et al. (2005). Assertions and protocols for the OASIS Security Assertion Markup Language (SAML). Standard v2.0, OASIS Standard. http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf. Accessed 25 May 2011
- 13.del Álamo JM, Monjas MA, Yelmo JC, San Miguel B, Trapero R, Fernández AM (2010) Self-service privacy: user-centric privacy for network-centric identity. International Conference on Trust Management (IFIPTM), pp 17–31Google Scholar
- 14.Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such dataGoogle Scholar
- 15.El Maliki T, Seigneur J-M (2007) User-centric mobile identity management services. SECURWARE International Conference, IARIA.Google Scholar
- 16.ETSI Standard ES 202 391-1, Open Service Access (OSA) (2006) Parlay X web services; Part 1: Common (Parlay X 2), version 1.2.1Google Scholar
- 17.Goix LW, Lamorte L, Falcarin P, Baladrón C, Yu J, Ordás I, Martínez A, Trapero R, JM Del Álamo, Stecca M (2010) Leveraging context-awareness for personalization in a user generated services platform. In: Sheng Q, Yu J, Dustdar S (eds) Enabling context-aware web services: methods, architectures, and technologies. Chapman and Hall/CRC, Boca RatónGoogle Scholar
- 18.GSMA’s OneAPI project portal. http://www.gsmworld.com/oneapi.Accessed November 2010.
- 19.Higgins Web Site: http://www.eclipse.org/higgins/. Accessed November 2010.
- 20.InfoCard Web Site: http://informationcard.net/. Accessed November 2010.
- 21.Jorstad I, Van Thuan D, Jonvik T, Van Thanh D (2007) Bridging cardspace and liberty alliance with SIM authentication. ICINGoogle Scholar
- 22.Jorstad, I., Van Thuan, D., Jonvik, T., Van Thanh, D. (2008). Utilising Emerging Identity Management Frameworks in IMS. ICIN.Google Scholar
- 23.Kantara Project Web Site: http://kantarainitiative.org/. Accessed November 2010
- 24.Liberty Alliance Web Site: http://projectliberty.org. Accessed November 2010
- 25.Liberty IGF Privacy Constraints Specification. http://projectliberty.org/liberty/content/download/4323/28921/file/draft-liberty-igf-privacy-constraints-v1.0-04.pdf. Accessed March 2011
- 26.Light-Weight Identity Web Site: http://lid.netmesh.org. Accessed November 2010
- 28.Microsoft Cardspace Web Site: http://windows.microsoft.com/en-us/windows-vista/Windows-CardSpace. Accessed November 2010
- 29.Moses T (Ed.) (2005) Extensible Access Control Markup Language (XACML), Version 2.0. OASIS Standard, OASIS eXtensible Access Control Markup Language (XACML) TCGoogle Scholar
- 30.Nie P, et al. (2009) Flexible single sign-on for SIP: bridging the identity chasm. 2009 IEEE International Conference on CommunicationsGoogle Scholar
- 31.Nilsson M, et al. (2001) Privacy enhancements in the mobile internet. IFIP WG 9.6/11.7 Working Conf. on Security and Control of IT in Society.Google Scholar
- 32.Open Mobile Alliance Website. http://www.openmobilealliance.org/. Accessed November 2010
- 33.OpenID Web Site. http://openid.net/. Accessed November 2010.
- 34.Organisation for Economic Cooperation and Development—Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 23 September 1980.Google Scholar
- 35.Privacy 2.0: Give a little, take a little, The Economist. http://www.economist.com/node/15350984?story_id=15350984. Accessed 28 January 2010
- 37.Titkov L, Poslad S, Jim Tan J (2006) An integrated approach to user-centered privacy for mobile information services. Appl Artif Intell. doi: 10.1080/08839510500484181
- 38.The Friend Of a Friend (FOAF) Project Web Site. http://www.foaf-project.org/. Accessed November 2010
- 39.W3C: Composite Capability/Preference Profiles (CC/PP): Structure and Vocabularies 1.0: World Wide Web consortium site, http://www.w3.org/TR/CCPP-struct-vocab. Accessed 25 May 2011
- 40.Windley P (2005) Digital identity. O’Really Media, SebastopolGoogle Scholar
- 41.Wireless Application Forum (2008) Wireless application protocol user agent profile specification. http://www.openmobilealliance.org/tech/affiliates/wap/wap-248-uaprof-20011020-a.pdf. Accessed 25 May 2011.
- 42.Yavatkar R, Pendarakis D, Guerin R (2000) A framework for policy-based admission control, IETF RFC, p 2753Google Scholar