D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management

Title: TC IDENTITY AND CONSUMER PRIVACY

TC identity and Consumer Privacy

TPM Unique Digital Identity

The unique digital identity of a TPM is represented by the Endorsement Key (EK). As explained in section 4.2.3, this key never leaves the TPM, and is used to create the Endorsement Credential and the AIK. Since the EK is an RSA key, its public key is contained in the Endorsement Credential. The validity of the EK and corresponding Endorsement Credential are necessary for establishing the AIK. In order to certify the public part of the AIK, the Privacy Certification Authority should check the validity of the Endorsement Key and Credential. At this point, the identity of the TPM is revealed to the Privacy Certification Authority. This would create anonymity problems as will be explained in section 8.6.1.  

Privacy Risks

As it is unlikely that large numbers of TTPs will survive the market, and as TTPs were capable of easily linking different pseudonyms to the same person, this would result in a concentration of detailed profiles of people at a small amount of places [125]. Therefore, this can be regarded as a privacy-invading scenario. 

Transactions in the above context can not only be the purchase of DRM-protected digital goods but also communication or authentication processes. If authentication processes were protected by TC (preferably using DAA) identity theft could be reduced.  

As already mentioned Trusted Computing may be used to support enforcement of policies when processing data such as EPAL (see chapter 6.2.2). EPAL may well be used in future for basic data and mined results in the context of profiling (type 2 identity management). 

TC-Requirements for privacy-aware IdM

Depending on the type of identity management introduced already in chapter 8.2 requirements for privacy awareness are different.  

One of the basic privacy problems with type 1 IMS is the use of global unique identifiers. They support linkability of communications and transactions crossing the border of communicational contexts. TC should support the use context or sector specific identifiers that are linkable only (a) based on legal norms, (b) agreed policies or (c) consent of the data subject on an individual case basis. In any case transparency of linking activities is required as a general rule taking defined exceptions for example in case of criminal investigations into consideration.  

From the perspective of type 2 IMS (Profiling) TC should support Transparency Enhancing Technologies (TETs), allowing the data subject to understand what results (knowledge) was generated how (method) based on which data (basic data) and used for what purpose. In this case a stable link between (a) basic data and corresponding privacy policies and (b) data controller and his policy for usage of basic data and mined results is required to facilitate supporting tools for automated uncovering and comparison of data with the corresponding policies and notification mechanisms about the comparison results.  

In the context of type 3 IMS TC should support the unrestricted generation and use of identifiers managed and controlled by the user. Again prevention of linkability is the main goal that should be achieved.