You are here: Resources > FIDIS Deliverables > Identity of Identity > D2.2: Set of use cases and scenarios > 

D2.2: Set of use cases and scenarios

Scenario: Shopping using pseudonyms  Title:


Globally Unique Identifiers and databases


Globally Unique Identifiers (GUID) are bit strings (or character strings) which are coded into hardware, software or other data. Usually this bit string either is embedded in digital documents or transmitted during on-line communication. GUIDs can be used for the purpose of identification. 

Especially in the private sector hardware and software is mainly used by one person or a small and homogenous group such as a family. Thus GUIDs enable indirect user tracking in many different ways. Therefore, GUIDs are widely discussed as being potentially privacy-violating. Upcoming technologies such as Digital Rights Management (DRM) are planning to make excessive use of GUIDs. Since data collections being associated to a single GUID usually are not known to the user, privacy and data protection regulations and thereby the right to informational self-determination might be violated 

In the context of Digital Rights Management an increasing amount of Unique Identifiers is emerging. Documents as well as multimedia files are marked by their respective authors to trace duplication. In this case DRM is used to enforce the right of reproduction. 

GUIDs empower others (mainly hardware vendors, software developers and holders of rights of digital documents in general) to accumulate information about users. Latest technologies like RFID (Radio Frequency Identification) even extend the idea of such identifiers: Usually GUIDs are thought of as being linked to on-line services. RFID technology blurs the borders between on-line and off-line world. Like being "tagged" with a cookie while surfing the Internet one may even leave linkable traces in the physical world while visiting a restaurant ‑ provided the visitors wear an RFID chip somewhere in their clothing or accessory. Thus the idea of Unique Identifiers trespasses on the environment of direct computer usage. 

Concerning privacy aspects, any identifier should fulfil the following requirements: 

  1. Users must be informed about creation and usage of any identifier that can be connected to personal information (e.g., with respect to "smart dust", the existence and possible design of "decent dust" which should inform the user in a proper way was discussed).

  2. The usage of the identifier and the correlated database entries must be transparent to the user. 

  3. Terms and conditions of usage of identifier-generated database entries must be documented; restrictions have to be enforced. 



Scenario: Identity on your own ‑ GUIDs, customer data and informational self-determination


The usage of GUIDs creates partial identities. They are based upon database entries that the user usually has no access to. Linking such GUID-based partial identities leads to more comprehensive data collections about the user. Users that are confronted with decisions made upon profiles generated from database entries may be surprised to learn what conclusion e.g. a company has drawn from these profiles. 

Privacy-compliant use and building of profiles must primarily be transparent to the user. Traditionally the user transmits his GUID to the server, thereby revealing personal data. The server then delivers content personalised according to the user profile linked to this partial identity. Furthermore it adds information gathered during the actual session to the profile. From a privacy point of view the transmission of the GUID must not happen in the background without the user’s knowledge. Also the linked profile should be in the domain of the user. In an idealised model, the profile would be stored on the user’s computer or digital device. This way the information gathered is visible and even editable to the user. Technically there are some obstacles in this model: 

  1. Stored data must be processed to derive actions from it. This data processing would have to be done on the user’s device. Therefore program code would have to be transmitted to and run on the device. This is highly undesirable. 

  2. Data processing can only be done when the user is on-line and enables services to access the stored data. The sending of a newsletter e.g. based upon specific user profiles would virtually be impossible. 


Storage and processing of the complete user profile on the user’s digital device therefore seems impractical. 


Scenario: Download and usage of MP3 files 

To illustrate how a privacy-compliant usage of GUIDs could be achieved, well take a look at some imaginary multimedia software that can play MP3 files. Therefore we assume that the vendor of the software provides a service to suggest commercial MP3 downloads based on the users preferences. Playback of the MP3 files is done locally. The software gathers information about what is played, what is skipped and when playback is started and stopped. This leads to a user profile saved on the local machine. Whenever the user visits the vendors website to download MP3 files, the stored usage profile is needed for recommending songs. The service provider specifies which specific data are needed, e.g., songs played and songs skipped, but not the postal address or the real name.


Figure : Current processing and storage of profiles using MP3 files


At this point, the user can decide if the data that are to be transmitted comply with his preferences. This can possibly be decided automatically via P3P-compliant declarations. After confirmation either by the user or by a P3P agent, the required data are encrypted and transmitted. 

Digital Rights Management nowadays is widely understood as technology to enforce rights of authors to prevent unauthorised duplication and/or editing of digital documents in general. Taken literally, these technologies can also be used to defend the user’s (digital) right of informational self-determination. Provided that service providers comply with privacy legislation in general and their own privacy policy in particular, profile transmission for data processing can be tagged for one-time usage. Other possibilities include permission for a limited time or limited amount of data. 



Figure : Privacy-aware processing and storage of profiles using MP3 files

So data collection is done entirely on the users device, processing is done remotely by the service provider.



Scenario: Shopping using pseudonyms  fidis-wp2-del2.2.Cases_stories_and_Scenario_04.sxw  Conclusion
11 / 69