D11.1: Collection of Topics and Clusters of Mobility and Identity – Towards a Taxonomy of Mobility and Identity
An initial starting-point for this document and the other deliverables of Work Package 11: “Mobility and Identity” was the technical survey on mobile identity management of deliverable D3.3 “Study on Mobile Identity Management”. It focuses on mobile users who have a personal communication device, e.g. a smartphone or portable digital assistant with wireless connectivity, and on how identity management empowers them to protect their privacy. The key messages of this study are:
- Protection of both kinds of identifying data: personal data and device characteristics.
- User-friendly interfaces need to be developed for the non-expert to prevent unintentional misuse.
- Verifiable linkage between real and digital identity on the user’s device is important to prevent impersonation.
- Published identifying data must be protected against misuse by peers.
Protection of Identifying Data: Personal Data and Device Characteristics
The transformation of the right of informational self-determination to the digital world requires (digital) anonymity mechanisms. Unless there are fundamental flaws in the implementation of anonymity mechanisms, the effect of profiling will be restricted, i.e. profiled information cannot be linked to a single person. Since it is hard to prove anything against profilers, the data protection legislation and the unambiguous consent it requires are difficult to enforce. In our opinion it is a misbelief that personal data will not be profiled if no consent is given. Even if a company is not profiling, personal data may become public knowledge due to technical defects in the access control. Possible illegal profiling by a third party can neither be prevented nor revoked. Hence, we should take action, and not only legal measures (cf. chapter ), to minimise the information that can be acquired by profiling. There are already mechanisms which enable the user to perform transactions anonymously. This is a prerequisite for users who do not want to give away their identity and other personal data, which are emerging as tradeable goods, without anything in return. Due to the increased mobility we have to consider the question of how to guarantee the anonymity of the users of mobile devices.
As scenarios described in deliverable D3.3 have shown, two types of identifying data arise:
- Personal data that identify the end user, and
- Device characteristics that identify the end user’s device.
These identifying data arise all the time because of the frequent usage of mobile devices. An attacker, who might be an untrustworthy service provider or an eavesdropper, is able to trace and identify a mobile user via the location of this user and the characteristics of his mobile device, e.g. IP and MAC address, or via disclosed personal data of the user. According to the TCP/IP reference model, different kinds of anonymity mechanisms are needed at different layers to prevent tracing a mobile user. Deliverable D3.3 presented the identity management system iManager for the application layer, and the anonymity mechanisms FLASCHE and mCrowds for the transport, network and physical layer.
Zugenmaier derives requirements for mobile use that anonymity mechanisms have to fulfil to guarantee the anonymity of the user (Zugenmaier, A., 2005). He shows that the existing anonymity mechanisms like DC-networks, mixes, onion routing, and crowds do not fulfil these criteria, i.e. they are not suitable for mobile use if anonymity is required. Mobility was simply not considered in the design of these mechanisms.
The ‘attacker model’ of Zugenmaier considers the specific aspects of mobility, namely the separation of
- the device used to perform an action,
- the action itself,
- the user, and
- the place where the user and the device are located.
An attacker has certain possibilities to reveal the identity of the user via the relationship of these four entities. We can derive classes of possible anonymising mechanisms from the ‘relationship model’. One of these classes (cp. , upper left) is especially suitable for mobile use because it permits the use of a personal device as well as location-dependent optimisation in the network.
Figure : Four possibilities for anonymity with a minimum of relations that must be concealed (dashed arrows) by the anonymity mechanism (Zugenmaier, A., 2005)
The mechanism associated with this class is called ‘location addressing’. It exploits the fact that the relationship between location and user as well as between location and device is not fixed because of the user’s mobility. If the location of the user and the device cannot be linked to the user’s identity, an attacker is allowed to know where an action is performed. However, the properties that identify the device or the user must be kept confidential. Since there are already mechanisms which ensure that a user does not reveal any personally identifying properties in an action, the location addressing mechanism only has to guarantee in addition that the device does not release any properties identifying the device itself.
One such mechanism (FLASCHE) was designed based on existing communication protocols. All identifying properties of the layers in the protocol stack have to be blinded, i.e. replaced by random values. The most important identifying property is the device address. Since an address is necessary to deliver a message to the right location, it cannot be completely random. The address of the device is derived from its location. This offers the possibility to optimise the routing in the network. The address also serves as a reference to assign a message to a connection and, hence, must not be changed during a connection.
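The effect of location addressing on the attacker model above, as an added Python simulation that is not part of this deliverable and does not reproduce FLASCHE’s actual protocol: a device visits three cells (constructed sample data), an eavesdropper records (location, address, message) per message, and the two addressing schemes are compared by how many locations the eavesdropper can chain to one address. The hash-based location prefix and the per-connection random suffix are assumptions of this example standing in for whatever the real network uses.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample traffic: one mobile device opens a connection at each of three
# locations and sends a few messages over each connection (hypothetical data).
CONNECTIONS = [
    ("cell-A", ["fetch-mail", "fetch-mail"]),
    ("cell-B", ["browse"]),
    ("cell-C", ["fetch-mail", "browse", "browse"]),
]

FIXED_ADDR = "02:00:00:aa:bb:cc"  # hypothetical fixed hardware address


def fixed_addressing(connections):
    """Conventional scheme: the device carries the same address to every location.
    Returns what an eavesdropper sees: (location, address, message) per message."""
    return [(loc, FIXED_ADDR, msg) for loc, msgs in connections for msg in msgs]


def location_prefix(location):
    """Routable part of the address, derived only from the location
    (a hash stands in for whatever the network uses to route to that cell)."""
    return hashlib.sha256(location.encode()).hexdigest()[:8]


def location_addressing(connections, random_hex=secrets.token_hex):
    """Simplified location addressing (an assumption of this example, not
    FLASCHE's wire format): the address is the location prefix plus a random
    suffix chosen once per connection, so it stays stable while the connection
    lasts and is discarded afterwards. No device-identifying property is used."""
    observed = []
    for loc, msgs in connections:
        addr = f"{location_prefix(loc)}:{random_hex(4)}"
        observed.extend((loc, addr, msg) for msg in msgs)
    return observed


def locations_per_address(observations):
    """Eavesdropper's analysis: at which locations has each address been seen?"""
    seen = defaultdict(set)
    for loc, addr, _ in observations:
        seen[addr].add(loc)
    return {addr: sorted(locs) for addr, locs in seen.items()}


def max_trace_length(observations):
    """Longest movement trace the eavesdropper can attribute to one address.
    1 means no action could be linked to an action at another location."""
    return max(len(locs) for locs in locations_per_address(observations).values())


def messages_per_address(observations):
    """Messages of one connection still share an address, so delivery works."""
    counts = defaultdict(int)
    for _, addr, _ in observations:
        counts[addr] += 1
    return dict(counts)


if __name__ == "__main__":
    print("fixed address    :", max_trace_length(fixed_addressing(CONNECTIONS)))
    print("location address :", max_trace_length(location_addressing(CONNECTIONS)))
```

The eavesdropper still learns where each action was performed (the prefix of every address is the location’s), which is exactly what the relationship model permits; what is concealed is the link between actions at different locations, and the per-connection suffix keeps the address usable for assigning messages to the right connection.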
User-friendly interface for the non-expert to prevent unintentional misuse
Security is not a primary goal of the user, i.e. security mechanisms are not what users employ in order to be productive. Users underestimate the consequences of insufficient security and thus are rarely willing to invest much effort in learning how to use these security mechanisms. Unintentional misuse of a security system by a user has a negative effect on the user’s security. A mobile user has to configure anonymity and identity management systems if he wants to protect his identifying data. FIDIS deliverable D3.3 presents results from studies of P3P for mobile phones (e.g. that the vocabulary of P3P is too technical to be readily intelligible for lay English users), and of the management of partial identities by non-security experts using identity managers such as iManager.
Verifiable linkage between real and digital identity on the user’s device is important to prevent impersonation
A user manages his identity or partial identities (FIDIS deliverable D2.1 - Nabeth, Hildebrandt, 2004) on his personal device. If his device is stolen, the thief has access to this identity and is therefore able to impersonate the user. It follows that the digital identity of a user has to be protected against unauthorised access. An approach for authentication of a mobile user is to link his real with his digital identity by using biometrics. With regard to this topic, FIDIS deliverable D3.3 presents a biometric authentication system based on a smart card.
Published identifying data must be protected against misuse by peers
The anonymity and identity management systems presented by FIDIS deliverable D3.3 empower a user to control the disclosure of identifying data. This follows the principle of data economy. Business processes with personalised services and services acting as a proxy for a mobile user require a disclosure of identifying data and access rights of a mobile user to these services. Besides linkability, privacy threats of sharing disclosed attributes of a user without his consent and misusing these attributes arise. This deliverable D11.1 investigates potential privacy threats while delegating access rights from a user to service providers.
Denis Royer | 8 / 58 |