Privacy enhancing technologies
Privacy enhancing technologies (PET) is a general term for a set of computer tools, applications and mechanisms which - when integrated in online services or applications, or when used in conjunction with such services or applications - allow online users to protect the privacy of their personally identifiable information (PII) provided to and handled by such services or applications.

Privacy enhancing technologies can also be defined as:
Privacy-Enhancing Technologies is a system of ICT measures protecting informational privacy by eliminating or minimising personal data thereby preventing unnecessary or unwanted processing of personal data, without the loss of the functionality of the information system.

Goals of PETs

PETs aim at allowing users to take one or more of the following actions related to their personal data sent to, and used by, online service providers, merchants or other users:
  • increase control over their personal data sent to, and used by, online service providers and merchants (or other online users) (informational self-determination)
  • data minimisation: minimise the personal data collected and used by service providers and merchants
  • choose the degree of anonymity (e.g. by using pseudonyms, anonymisers or anonymous data credentials)
  • choose the degree of unlinkability (e.g. by using multiple virtual identities)
  • achieve informed consent about giving their personal data to online service providers and merchants
  • provide the possibility to negotiate the terms and conditions of giving their personal data to online service providers and merchants (data handling/privacy policy negotiation). In Privacy Negotiations, consumers and service providers establish, maintain, and refine privacy policies as individualised agreements through the ongoing choice amongst service alternatives. In incentivised privacy negotiations, the transaction partners may additionally bundle the personal information collection and processing schemes with monetary or non-monetary rewards.
  • provide the possibility to have these negotiated terms and conditions technically enforced by the infrastructures of online service providers and merchants (i.e. not just having to rely on promises, but being confident that it is technically impossible for service providers to violate the agreed upon data handling conditions)
  • provide the possibility to remotely audit the enforcement of these terms and conditions at the online service providers and merchants (assurance)
  • data tracking: allow users to log, archive and look up past transfers of their personal data, including what data has been transferred, when, to whom and under what conditions
  • facilitate the use of their legal rights of data inspection, correction and deletion

Existing PETs

Examples of existing privacy enhancing technologies are:
  • Communication anonymizers hiding the real online identity (email address, IP address, etc.) and replacing it with a non-traceable identity (disposable / one-time email address, random IP address of hosts participating in an anonymising network, pseudonym, etc.). They can be applied to email, Web browsing, P2P networking, VoIP, Chat, instant messaging, etc.
  • Shared bogus online accounts. One person creates an account for MSN, providing bogus data for Name, address, phone number, preferences, life situation etc. They then publish their user-ID and password on the Internet. Everybody can now use this account comfortably. Thereby the user is sure that there is no personal data about him in the account profile. (Moreover, he is freed from the hassle of having to register at the site himself.)
  • Access to personal data: The service provider's infrastructure allows users to inspect, correct or delete all their data stored at the service provider.

Future PETs

Examples of privacy enhancing technologies that are being researched or developed are:
  • Wallets of multiple virtual identities; ideally unlinkable. Such wallets allow the efficient and easy creation, management and usage of virtual identities.
  • Anonymous credentials: asserted properties/attributes or rights of the holder of the credential that don't reveal the real identity of the holder and that only reveal so much information as the holder of the credential is willing to disclose. The assertion can be issued by the user herself, by the provider of the online service or by a third party (another service provider, a government agency, etc.). For example:
    • Online car rental. The car rental agency doesn't really need to know the true identity of the customer. It only needs to make sure that the customer is over 23 (as an example), that the customer has a driving licence, that the customer has health insurance for accidents (as an example), and that the customer is paying. Thus there is no real need to know her real name, her address or any other personal information. Anonymous credentials allow both parties to be comfortable: they allow the customer to reveal only as much data as the car rental agency needs for providing its service (data minimisation), and they allow the car rental agency to verify its requirements and get its money. When ordering a car online, the user, instead of providing the classical name, address and credit card number, provides the following credentials, all issued to pseudonyms, i.e. not to the real name of the customer:
      • An assertion of minimal age, issued by the state, proving that the holder is older than 23 (i.e. the actual age is not provided)
      • A driving licence, i.e. an assertion, issued by the motor vehicle control agency, that the holder is entitled to drive cars
      • A proof of insurance, issued by the health insurance
      • Digital cash
      With this data, the car rental agency is in possession of all the data it needs to rent the car; it can thus, as an example, provide the unlocking code to the customer with which she can unlock the closet where the car key is kept.
      Similar scenarios are buying wine at an Internet wine store or renting a movie at an online movie rental store.

  • Negotiation and enforcement of data handling conditions. Before ordering a product or service online, the user and the online service provider or merchant negotiate the type of personal data that is to be transferred to the service provider. This includes the conditions that shall apply to the handling of the personal data, such as whether or not it may be sent to third parties (profile selling) and under what conditions (e.g. only while informing the user), or at what time in the future it shall be deleted (if at all). As an example, it can be negotiated that personal data mustn't be handed out to third parties or that the data is to be deleted after 3 months following the end of the contract. While this negotiation takes place, the online service provider communicates his requirements about the minimum amount of data he needs to provide the wanted service. Additional personal data may be asked for, too, but will be clearly labelled as optional. After the transfer of personal data has taken place, the agreed upon data handling conditions are technically enforced by the infrastructure of the service provider, which is capable of managing and processing data handling obligations. Moreover, this enforcement can be remotely audited by the user, for example by verifying chains of certification based on Trusted Computing modules or by verifying privacy seals/labels that were issued by third party auditing organisations (e.g. data protection agencies). Thus instead of the user having to rely on the mere promises of service providers not to abuse personal data, users will be more confident about the service provider adhering to the negotiated data handling conditions.

  • Data transaction log. Users can log what personal data they sent to which service provider, when and under what conditions. These logs are stored and allow users to determine what data they have sent to whom, or to establish the type of data that is in the possession of a specific service provider. This leads to more transparency, which is a prerequisite of being in control.
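The car rental scenario above, carried through as an added example that is not code from the article or from any real anonymous credential system (idemix, U-Prove): the issuer signs salted hash commitments to each attribute of a credential bound to a pseudonym, the holder discloses only the attributes the verifier asks for, and the verifier checks the issuer's signature, the disclosed values and its own policy (age over 23, licence, insurance) without ever seeing a name or the exact age. The issuer keys, pseudonym and attribute values are constructed, and an HMAC stands in for the issuer's digital signature; unlike real anonymous credentials, this hash-based scheme does not make repeated presentations unlinkable.

```python
import hashlib
import hmac
import json
import secrets

# Constructed issuer keys; an HMAC under these stands in for a real digital signature.
ISSUER_KEYS = {"state": b"demo-state-key", "motor-vehicle-agency": b"demo-mva-key"}


def _commit(salt: bytes, name: str, value) -> str:
    """Salted commitment to one (attribute name, value) pair."""
    return hashlib.sha256(salt + json.dumps([name, value], sort_keys=True).encode()).hexdigest()


def issue(issuer: str, pseudonym: str, attributes: dict):
    """Issuer side: commit to every attribute under a fresh salt and sign the commitments.
    Returns the credential (public part) and the holder's secrets (salts and plaintext values)."""
    salts = {name: secrets.token_bytes(16) for name in attributes}
    body = json.dumps({"iss": issuer, "sub": pseudonym,
                       "attrs": {n: _commit(salts[n], n, v) for n, v in attributes.items()}},
                      sort_keys=True)
    tag = hmac.new(ISSUER_KEYS[issuer], body.encode(), "sha256").hexdigest()
    return {"body": body, "tag": tag}, {"salts": salts, "attributes": attributes}


def present(credential: dict, holder_secret: dict, disclose: list):
    """Holder side: reveal only the named attributes (value plus salt); all others stay opaque commitments."""
    disclosed = {n: {"value": holder_secret["attributes"][n], "salt": holder_secret["salts"][n].hex()}
                 for n in disclose}
    return {"credential": credential, "disclosed": disclosed}


def verify(presentation: dict, required: dict):
    """Verifier side: check the issuer's tag, recompute each disclosed commitment, then apply the
    verifier's own policy (e.g. age_over_23 must be True). Returns (ok, pseudonym or reason)."""
    cred = presentation["credential"]
    body = json.loads(cred["body"])
    key = ISSUER_KEYS.get(body.get("iss"))
    expected_tag = hmac.new(key, cred["body"].encode(), "sha256").hexdigest() if key else ""
    if key is None or not hmac.compare_digest(cred["tag"], expected_tag):
        return False, "issuer signature invalid"
    for name, d in presentation["disclosed"].items():
        if body["attrs"].get(name) != _commit(bytes.fromhex(d["salt"]), name, d["value"]):
            return False, f"disclosed attribute {name} does not match the credential"
    for name, expected in required.items():
        if name not in presentation["disclosed"]:
            return False, f"required attribute {name} was not disclosed"
        if presentation["disclosed"][name]["value"] != expected:
            return False, f"requirement on {name} not met"
    # The verifier learns only the pseudonym and the disclosed attributes.
    return True, body["sub"]
```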
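The negotiation, enforcement and data transaction log items above, carried through as an added example that is not code from the article or from any real PET: the provider states its required and optional attributes plus proposed handling terms, the user answers with the data she is willing to give and the terms she accepts, the agreed terms are checked on the provider side before each processing action, and the user keeps her own log of what went to whom under which conditions. All attribute names, terms, provider names and dates are constructed.

```python
from datetime import date, timedelta


def negotiate(provider_request: dict, user_offer: dict):
    """Agree on data and handling terms. Returns the agreement, or None if the user withholds
    data the provider has declared as the minimum needed for the service."""
    required, optional = set(provider_request["required"]), set(provider_request["optional"])
    if not required <= set(user_offer["data"]):
        return None
    # Data minimisation: the provider accepts only what it declared as required or optional.
    data = {k: v for k, v in user_offer["data"].items() if k in required | optional}
    pt, ut = provider_request["terms"], user_offer["terms"]
    terms = {
        # third-party sharing happens only if both sides agree to it
        "third_party_sharing": pt["third_party_sharing"] and ut["third_party_sharing"],
        # the shorter retention period after the end of the contract wins
        "retention_days_after_contract": min(pt["retention_days_after_contract"],
                                             ut["retention_days_after_contract"]),
    }
    return {"provider": provider_request["provider"], "data": data, "terms": terms}


def enforce(agreement: dict, action: str, today: date, contract_end: date):
    """Provider-side obligation check run before every processing action on the user's data."""
    terms = agreement["terms"]
    deadline = contract_end + timedelta(days=terms["retention_days_after_contract"])
    if today > deadline:
        return False, f"retention period ended on {deadline.isoformat()}; data must be deleted"
    if action == "share_with_third_party" and not terms["third_party_sharing"]:
        return False, "sharing with third parties was not agreed"
    return True, "permitted"


def log_transfer(log: list, agreement: dict, when: date):
    """User-side data transaction log: what was sent, to whom, when and under which conditions."""
    log.append({"when": when.isoformat(), "provider": agreement["provider"],
                "attributes": sorted(agreement["data"]), "terms": dict(agreement["terms"])})
    return log


def data_held_by(log: list, provider: str):
    """Answer the question the log exists for: which of my data does this provider hold?"""
    held = set()
    for entry in log:
        if entry["provider"] == provider:
            held.update(entry["attributes"])
    return sorted(held)
```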

The business case for PETs

Companies will usually only invest in technologies enhancing the privacy of their customers if they see a financial benefit, i.e. if they anticipate a positive business case. (The other main reason is compliance with legal requirements, which could be considered a 'financial benefit' as well: the benefit of avoiding a fine for non-compliance with the law.) The anticipated financial benefit is the anticipated increase of income due to privacy enhancing technologies, minus the anticipated increased cost of implementing and running privacy enhancing technologies in their infrastructure. This anticipated comparison is usually done over a couple of years, whereby the income and cost of every year are cumulated.

In other words, if the anticipated additional income cumulated over a couple of years is larger than the anticipated additional cost cumulated over the same number of years, then there is a positive business case and it makes sense for the company to consider implementing and deploying the privacy enhancing technologies in question.

Note that the business case outlined here is a 'differential business case', assuming that privacy functions are added to an existing service and taking into account the additional benefits and costs caused by this added functionality. For example, it would be wrong to account for all operational costs, including those that were there before the privacy enhancing functions were added. Instead, only the additional costs incurred when operating the infrastructure with implemented privacy enhancements must be counted. If, however, the service in consideration is a pure privacy enhancing service, i.e. if the privacy enhancement is not part of or added to the service but instead is the only component of the service, then the business cost and benefit factors below become absolute (delete "additional" and "increased" in all benefit and cost components).

Cost components

The anticipated additional cost components for an online service due to enhancing it with privacy protecting technologies are:
  • additional hardware
  • additional software licences
  • personnel costs for designing, developing, implementing, testing and deploying the privacy enhanced service (project costs)
  • additional personnel costs for
    • running / operating and maintaining the privacy enhanced service (with respect to what it would be if there were no such privacy enhancements)
    • fixing additional system failures or problems due to increased system complexity (more functionality means higher complexity which leads to higher vulnerability)
    • product management of the additional privacy enhancing functions (more functions require more time spent to manage them)
    • more complex new developments of the infrastructure used to run the service
    • training customer support and supporting customers
  • additional marketing communications costs
  • loss of income as a consequence of additional service downtimes or problems due to increased service / system complexity

Benefit components

The anticipated additional income for an online service due to enhancing it with privacy protecting technologies divides into the following components:
  • Increased usage of online services by existing customers and increased number of new customers due to
    • fulfilment of the need for privacy of customers (Some customers may only use the service if their privacy needs are fulfilled, others may use the service more often.)
    • higher trust of customers in the service
    • increased public image and trust (especially if the privacy friendly attitude is advertised)
    • competitive advantage (if the competition doesn't have a similar offer)
  • increased customer retention (Customers appreciate the privacy enhancing functions of the service and don't like the idea of not finding them with competing services.)
  • lower the risk of being fined for violating legal data protection requirements

See also

  • Information privacy
  • I2P - The Anonymous Network
  • Digital credentials
  • Identity management
  • Information processing
  • Information security
  • Privacy
  • Privacy-enhanced Electronic Mail
  • Privacy policy

External links

PETs in general:
Anonymous credentials:
  • IBM Zürich Research Lab's idemix
  • Stefan Brands' Credentica
  • Microsoft's U-Prove

Privacy policy negotiation:
  • The W3C's P3P
  • IBM's EPAL
  • Sören Preibusch: Implementing Privacy Negotiations in E-Commerce, Discussion Papers of DIW Berlin 526, 2005
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.