TRANSCRIPT
Usable Privacy and Transparency for the Cloud*
Simone Fischer-Hübner
STINT Workshop, Chalmers TH
10th March 2015
*Funded by A4Cloud, PRISMACLOUD & Google Research Award Projects, joint work with Julio Angulo, Tobias Pulls, John Sören Pettersson, Erik Wästlund
Overview
I. Background: Challenges & Requirements, Definitions, A4Cloud
II. Transparency-enhancing Tools: Usable Data Track, Privacy-Preserving Transparency Logging
III. Remaining Challenges
IV. Outlook: PRISMACLOUD, Usability of Anonymous Credentials
I. Background
Lack of control related to Cloud Computing (Art. 29 WP Opinion 05/2012)
Lack of Transparency in regard to Cloud Service’s operations:
- Chain with multiple processors & subcontractors
- Different geographic locations within the EEA
- Transfer to 3rd countries outside the EEA
- Disclosure requests by law enforcement
Lack of Intervenability: Lack of tools provided for exercising data subjects’ rights
Picture: Siani Pearson, NordSec 2014, Springer LNCS.
Further issues identified at A4Cloud HCI Stakeholder Workshop @ KAU (Feb. 2013)
- Unclear responsibilities: Who is the data controller? What liabilities do data processors and service brokers have? How do I get redress?
- Service brokers use service sites in other countries
- Service provider appears to be placed in Sweden (Swedish website/address/tel no, etc.), but is located in another country
- Insufficient support for service cancellation or data export
- Difficulties in understanding trust seals, policies, etc.
Transparency & Intervenability
Legal privacy principles:
- EU Data Protection Directive: Rights to information, notification, access to data & the logic involved in automatic processing, rights to correction/blocking/deletion
- Swedish Data Patient Act: Rights to access health records and log information
Transparency vs. Confidentiality: Examples
- Log files in eHealth – privacy issues:
  - Information about who (e.g., a psychiatrist) accessed the EHR is sensitive for patients
  - Monitoring of performance/quality of work of medical personnel
- Business secrets in relation to profiling (cf. Recital 41 Data Protection Directive)
FP7 project A4Cloud
[Figure: Chain of Accountability. Regulators, auditors, business governance; cloud service users; cloud service supply chain/network (service, service, service); trusted services supporting accountability; preventive, detective and corrective measures]
- Cloud service users: control and transparency over how their data is used, and support in obtaining redress
- Service providers: techniques to make services more trustworthy, satisfy business policies and allow differentiation
- Regulators/auditors: assurance about compliance with policies and regulations
II. Transparency Enhancing Tools (TETs)
Ex post TETs: Data Track
[Figure: User and Service Provider. Data disclosure & transaction pseudonym; Data Track entry & privacy policy (user side); data subject access (transaction pseudonym)]
PrimeLife Data Track:
- History Function
- User-side based
- Online Functions for exercising rights (anonymously)
Reference: PrimeLife D4.2.2, D2.2, PrimeLife Book
PrimeLife Data Track: Usability issues
- Difficulties in differentiating entries stored at the user side from entries stored at the service side
A4Cloud Graphical Data Track:
- What data did Spotify get about me?
- What data did Spotify, Blogger & Facebook get about me?
- Who received my pseudonym “The Bobster79”?
- What data has Facebook stored about me in relation to a previous data disclosure?
Evaluation questions:
- Do users find the trace view of the Data Track intuitive and comprehensible?
- Do users appreciate the functionality of the Data Track?
- Do users understand that there are two different views (data records stored under the users’ control, locally or in a privacy-friendly cloud infrastructure, and data records stored at the service provider)?
User evaluations:
Where are the Data Track records stored?                 Frequency   Percent
On the DataTrack program (on a cloud/Internet storage)           9      52.9
On the DataTrack program (locally in computer)                   4      23.5
On the Internet somewhere                                        1       5.9
On the services that I have given information to                 3      17.6
How often do you believe you would use the DataTrack program?   Frequency
Very rarely (almost never or never)                                     1
Rarely (a few times per year)                                           1
Sometimes (a few times per month)                                       7
Often (around two to four times per week)                               4
Very often (almost always)                                              4
How often do you think you would have the program turned on so that it tracks the information you give to Internet services?   Frequency
Never tracking (0% of the time)          2
Rarely tracking (25% of the time)        3
Often tracking (75% of the time)         5
Always tracking (100% of the time)       7
Usability test results
Prototyping more realistic use-cases
Source: Angulo, Fischer-Hübner et al., CHI 2015 (WiP).
Data Track & Transparency Logging
Source: T. Pulls et al., Privacy-Preserving Transparency Logging, WPES 2013
[Figure: User Alice with Data Track, Service Provider Bob, Service Provider Dave. 1. Alice discloses data & privacy policy to Bob; 2. Bob performs processing (fork: processing also passes to Dave); 3. the service providers generate logs; 4. Alice retrieves log entries; 5. Match? (the retrieved entries are compared with the Data Track's own record of the disclosure)]
Distributed Privacy-Preserving Transparency Logging: Security Properties
- Integrity: no undetectable modifications to logged data (committed prior to compromise)
- Secrecy: only the data subject can read the data logged for her
- Unlinkability of log entries and user identifiers across data processors
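The following is an added illustration, not code from the A4Cloud or PrimeLife projects and not the scheme of Pulls et al.; it only models the three properties listed above and the five-step Data Track flow of the figure with standard building blocks. Integrity is a per-user hash chain over the log entries; secrecy is encryption of each entry under a key only the data subject and the writing processor hold (an HMAC-SHA256 counter-mode keystream stands in for a real authenticated cipher, an assumption made to keep the example in the standard library); unlinkability comes from deriving a separate pseudonym and key per processor from one user secret, so the identifier Alice uses at Bob says nothing about the one she uses at Dave. The actor names follow the figure; the data items, purposes and secret are constructed values.

```python
import hashlib
import hmac
import json

ZERO = b"\x00" * 32   # chain start value for a user's first entry

def prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 as a pseudorandom function for deriving pseudonyms and keys."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with an HMAC-SHA256 counter-mode keystream.
    Stand-in for a real cipher such as AES-GCM (assumption for this illustration)."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += prf(key, nonce + ctr.to_bytes(4, "big"))
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def entry_hash(prev: bytes, uid: bytes, nonce: bytes, ct: bytes) -> bytes:
    """Link value of one entry: commits to the previous link and this entry's content."""
    return hashlib.sha256(prev + uid + nonce + ct).digest()

class TransparencyLog:
    """Append-only log kept by one data processor (Bob or Dave in the figure)."""

    def __init__(self, processor: str):
        self.processor = processor
        self.entries = []   # dicts with uid, nonce, ct, link
        self.heads = {}     # uid -> link of that user's latest entry

    def append(self, uid: bytes, enc_key: bytes, record: dict) -> None:
        """Step 3: log one processing event, encrypted for the data subject (secrecy)."""
        prev = self.heads.get(uid, ZERO)
        nonce = hashlib.sha256(b"nonce|" + prev).digest()[:16]   # distinct per chain position
        ct = keystream_xor(enc_key, nonce, json.dumps(record, sort_keys=True).encode())
        link = entry_hash(prev, uid, nonce, ct)                    # hash chain (integrity)
        self.entries.append({"uid": uid, "nonce": nonce, "ct": ct, "link": link})
        self.heads[uid] = link

    def fetch(self, uid: bytes) -> list:
        """Step 4: the user retrieves the entries filed under her pseudonym here."""
        return [e for e in self.entries if e["uid"] == uid]

class DataTrack:
    """User-side Data Track: records disclosures locally and checks processors' logs."""

    def __init__(self, master_secret: bytes):
        self.secret = master_secret
        self.disclosed = {}   # processor -> set of data items handed over (step 1)
        self.seen = {}        # processor -> chain links verified at the last retrieval

    def identity_for(self, processor: str) -> tuple:
        """Per-processor pseudonym and key, so entries at Bob and Dave cannot be linked."""
        return (prf(self.secret, b"id|" + processor.encode()),
                prf(self.secret, b"key|" + processor.encode()))

    def disclose(self, processor: str, items) -> tuple:
        """Step 1: remember what was disclosed; hand the processor a pseudonym and key."""
        self.disclosed.setdefault(processor, set()).update(items)
        return self.identity_for(processor)

    def check_log(self, log: TransparencyLog) -> dict:
        """Step 5 'Match?': verify the chain, decrypt, compare with local disclosure records."""
        uid, key = self.identity_for(log.processor)
        prev, links, records = ZERO, [], []
        for e in log.fetch(uid):
            if e["link"] != entry_hash(prev, uid, e["nonce"], e["ct"]):
                return {"integrity": False, "records": records, "unexpected": []}
            prev = e["link"]
            links.append(prev)
            records.append(json.loads(keystream_xor(key, e["nonce"], e["ct"])))
        old = self.seen.get(log.processor, [])
        if links[: len(old)] != old:   # entries verified earlier were dropped or rewritten
            return {"integrity": False, "records": records, "unexpected": []}
        self.seen[log.processor] = links
        known = self.disclosed.get(log.processor, set())

        def suspicious(r: dict) -> bool:
            undisclosed = not set(r["items"]) <= known            # used data never given to it
            new_recipient = r.get("forwarded_to") not in (None, *self.disclosed)
            return undisclosed or new_recipient

        return {"integrity": True, "records": records,
                "unexpected": [r for r in records if suspicious(r)]}

def demo() -> dict:
    """Constructed scenario from the figure: Alice discloses to Bob, who logs and forks to Dave."""
    alice = DataTrack(master_secret=b"alice-master-secret (constructed value)")
    bob = TransparencyLog("Bob")
    uid_b, key_b = alice.disclose("Bob", {"email", "playlist"})
    bob.append(uid_b, key_b, {"items": ["playlist"], "purpose": "recommendations"})
    bob.append(uid_b, key_b, {"items": ["email"], "purpose": "marketing", "forwarded_to": "Dave"})
    first = alice.check_log(bob)
    # Later tampering by the processor: the first entry's ciphertext is rewritten in place.
    bob.entries[0]["ct"] = bytes(b ^ 1 for b in bob.entries[0]["ct"])
    second = alice.check_log(bob)
    uid_d, _ = alice.identity_for("Dave")
    return {"first": first, "second": second, "unlinkable": uid_b != uid_d}
```

Running `demo()` shows the first retrieval verifying cleanly while flagging the entry that forwards Alice's e-mail address to Dave, a processor she never disclosed to; the second retrieval fails the integrity check because the rewritten ciphertext no longer matches the chain link. The truncation check (`links[:len(old)] != old`) is what makes the integrity property hold for entries committed before a later compromise: once the Data Track has seen a chain head, the processor cannot silently drop or rewrite anything behind it.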
Interplay of A4Cloud Tools
- A-PPLE
- Data Transfer Monitoring Tool
- Audit Agent System
- Incident Response Tool
- Transparency Log
- Data Track
- Redress & Remediation Tool
Remaining Challenges
Analysis of Log Data: what information can be extracted that is of interest for the users?
- Violation of policies and/or laws
- Data leakage
- “Reverse Engineering” of profiling, inferred data
Outlook: EU H2020 PRISMACLOUD (Privacy and Security Maintaining Services in the Cloud)
Objective: Develop next-generation cryptographically secured services & novel cryptographic tools and mechanisms for the cloud providing:
- Authenticity & Verifiable Computation: Malleable Signatures, Functional Signatures
- Confidentiality & Privacy: Secret Sharing, Anonymous Credentials
- …
Challenges: Uptake by end users and business; Usability: evoking correct mental models