Abstract
We have identified three problems in the processing of aggregated personal information with respect to privacy preferences: unverifiable proof of consent, unverifiable proof of consent for aggregated personal data, and no way to verify whether consent is still in place. We constructed a solution based on a hash tree structure in which only the hash tree's root value is digitally signed. Thus a verifiable signature is retained even if data items are omitted, and a valid signature serves as a signal of consent. To confirm that consent has not been changed since it was given, we propose the use of certificate revocation mechanisms. As a side-effect, these mechanisms make it possible to maintain a record of personal data usage and thus create a win-win situation for both parties involved.
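The following Python is an added illustration of the construction described in the abstract, not code from the paper: each personal-data item becomes a salted leaf of a hash tree, only the root is signed, a data holder can omit items while keeping their leaf hashes so the signature still verifies, and a set of revoked roots stands in for the certificate revocation lookup. The HMAC over the root is a constructed stand-in for the data subject's public-key signature, and the per-leaf salt is an assumption added here (the abstract does not specify leaf encoding).

```python
import hashlib
import hmac
import secrets
from typing import List, Set, Tuple, Union

Slot = Tuple[str, str, bytes]            # (item name, item value, per-leaf salt)
Disclosed = Union[Slot, bytes]           # a disclosed slot, or only the leaf hash of an omitted one


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_hash(name: str, value: str, salt: bytes) -> bytes:
    # Domain-separated and salted: without the salt a verifier could brute-force an
    # omitted low-entropy item (age, postcode) from its leaf hash alone.
    return _h(b"leaf", salt, name.encode(), b"=", value.encode())


def merkle_root(leaves: List[bytes]) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])      # duplicate the last node on odd-sized levels
        level = [_h(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def express_consent(items: dict, signing_key: bytes) -> Tuple[List[Slot], bytes, bytes]:
    """Data subject: salt every item, build the tree, sign only the root."""
    slots = [(k, v, secrets.token_bytes(16)) for k, v in items.items()]
    root = merkle_root([leaf_hash(*s) for s in slots])
    # HMAC stands in for the subject's public-key signature over the root (constructed stand-in).
    signature = hmac.new(signing_key, b"consent-root" + root, hashlib.sha256).digest()
    return slots, root, signature


def redact(slots: List[Slot], omit: Set[str]) -> List[Disclosed]:
    """Data holder: drop omitted items but keep their leaf hashes so the root stays recomputable."""
    return [leaf_hash(*s) if s[0] in omit else s for s in slots]


def verify_consent(disclosed: List[Disclosed], signature: bytes, signing_key: bytes,
                   revoked: Set[bytes] = frozenset()) -> bool:
    """Verifier: recompute the root from what was disclosed, check the signature, then check
    that consent for this root has not been withdrawn (revoked set stands in for CRL/OCSP)."""
    leaves = [d if isinstance(d, bytes) else leaf_hash(*d) for d in disclosed]
    root = merkle_root(leaves)
    expected = hmac.new(signing_key, b"consent-root" + root, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature) and root not in revoked
```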
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Pöhls, H.C. (2008). Verifiable and Revocable Expression of Consent to Processing of Aggregated Personal Data. In: Chen, L., Ryan, M.D., Wang, G. (eds) Information and Communications Security. ICICS 2008. Lecture Notes in Computer Science, vol 5308. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88625-9_19
DOI: https://doi.org/10.1007/978-3-540-88625-9_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88624-2
Online ISBN: 978-3-540-88625-9