
Machine-Readable Privacy Certificates for Services

Conference paper. On the Move to Meaningful Internet Systems: OTM 2013 Conferences (OTM 2013)

Abstract

Privacy-aware processing of personal data on the web of services requires managing a number of issues arising from both the technical and the legal domain. Several approaches have been proposed to match privacy requirements (on the client side) against privacy guarantees (on the service provider side). Still, the assurance of effective data protection (where possible) relies on substantial human effort and exposes organizations to significant (non-)compliance risks. In this paper we put forward the idea that a privacy certification scheme producing and managing machine-readable artifacts, in the form of privacy certificates, can play an important role towards the solution of this problem. Digital privacy certificates represent the reasons why a privacy property holds for a service and describe the privacy measures supporting it. Privacy certificates can also be used to automatically select services whose certificates match the client's policies (privacy requirements).

Our proposal relies on an evolution of the conceptual model developed in the Assert4Soa project and on a certificate format specifically tailored to represent privacy properties. To validate our approach, we present a worked-out instance showing how the privacy property Retention-based unlinkability can be certified for a banking financial service.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

Cite this paper

Anisetti, M., Ardagna, C.A., Bezzi, M., Damiani, E., Sabetta, A. (2013). Machine-Readable Privacy Certificates for Services. In: Meersman, R., et al. On the Move to Meaningful Internet Systems: OTM 2013 Conferences. OTM 2013. Lecture Notes in Computer Science, vol 8185. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41030-7_31


  • DOI: https://doi.org/10.1007/978-3-642-41030-7_31

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41029-1

  • Online ISBN: 978-3-642-41030-7
