FIDIS Deliverable D14.2: Study on Privacy in Business Processes by Identity Management


Privacy and Security Threats

As the historical development of the term shows, there is no standard definition of privacy. The notion keeps evolving with technical developments and the possibilities they create for forming profiles partly without the knowledge of the persons concerned, e.g. via surveillance cameras and goods marked with RFID tags (Sackmann, Strüker and Accorsi, 2006), and for processing these profiles in ways those persons can hardly comprehend (Roßnagel, 2005). For this reason, privacy is defined in this work indirectly, via the possibilities of gaining information about the customer and the uses that providers of personalised services can make of the profiles formed. The interpretations of privacy discussed above regard an activity as a threat only if the customer has not agreed to it. It is therefore assumed in the following that no such agreement of the customer is on hand, and that the activities of service providers considered here consequently constitute threats to his privacy.

Classifications based on the possible damages were made in 1960 by William Prosser (Prosser, 1960) and in 2006 by Daniel J. Solove (Solove, 2006a). Prosser extended and structured the damage events described by Warren and Brandeis (Warren and Brandeis, 1890). He defines the four damage categories of intrusion, public disclosure, false light and appropriation. However, Prosser refers exclusively to civil law offences. Moreover, the technology for ubiquitous data processing, i.e. the spontaneous networking of computers of varying computing capacity, network connection and size, has advanced considerably since 1960. Solove takes this technical development into account in his classification (Solove, 2006a). Based on his classification of potentially damage-producing activities, the threats to a customer in single- and multi-stage business processes are derived in the following.

Use of Personal Data

The activities of a service provider involving the personal data of his customers comprise, in the CRM context, (1) the collection, (2) processing, (3) storage and (4) transmission of customer data, and (5) breaking into the customer's system and stealing his data. The threats relate exclusively to data that is confidential from the customer's point of view and should therefore be known only to him and to a circle of participants chosen by him. If this circle is extended without his consent, his privacy is violated. The participants in the privacy model based on (Solove, 2006b) are the customer, the service providers, and an observer of the communication relationships between customer and service providers.

The threats to private communication relations emanate from a third party who does not take part in the communication but can observe it. As an active attacker, he can modify the communication, and with it the customer's data, or pass himself off as the customer, i.e. act as a man-in-the-middle. As a passive observer, he can build a profile of the customer from the customer's communication with service providers. Figure 4.1 shows this first part of the attacker model.

Figure 4.1: Activities with relation to the personal data of a customer.

The second part concerns the threats to the personal data itself. Figure 4.2 highlights the participants from whom the threats emanate and the related activities. The customer is assumed to communicate with the service provider through an end device. This can be any computer connected to a computer network, e.g. a personal digital assistant (PDA) with wireless networking. A web browser serves as the application for the interaction. All personal data of the customer concerned is pooled under his identity and managed either on his end device or by a trustworthy party.

Figure 4.2: Activities of a man-in-the-middle with relation to personal data of a customer.

Collection of Personal Data

The collection of personal data takes place both with and without the customer's knowledge. In a conscious collection, a service provider requests certain personal data from the customer, for example a delivery address or credit card details; web forms, amongst others, serve for their input. The customer can then decide whether he wishes to release the requested data to this service provider. In a collection without his knowledge, as happens, for example, with video surveillance in shops (Ball, Lyon, Wood, Norris and Raab, 2006), with the recording of the IP address of the customer's computer or end device (Zugenmaier, 2003; Müller and Wohlgemuth, 2005), and with the reading out of RFID tags on goods the customer has purchased (Strüker and Sackmann, 2004; Langheinrich, 2005), he has no such opportunity to decide.

While the customer can recognise the purpose of a conscious collection from the associated service, a collection without his knowledge poses a threat to his privacy: he knows neither what data about him is collected nor who receives it and for what purpose it is used. These threats emanate from an observer of the communication and from the service provider with whom the customer is communicating.

The collection of uniquely identifying data about the customer presents a further threat to privacy. Examples of such data are his personal identity card number, his social insurance number and the MAC address of his end device. Such data makes it possible to link his transactions, which in turn allows individual profiles of the customer to be connected.

A profile of the customer ultimately emerges that contains data from both the consented and the unnoticed collection. As the unnoticed part is unknown to the customer, an asymmetric distribution of information arises between customer and service provider. Price discrimination is one negative consequence for the customer, i.e. a product is offered to him at a higher price than to other customers. The pricing is therefore to his disadvantage, and he cannot comprehend how it came about (Eifert, 2004).
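The linking threat described above can be made concrete with a small experiment. The following is an added example, not code from the deliverable: it constructs two transaction logs of two hypothetical service providers in which the same customer appears with the same device identifier (a MAC address), shows that the shared identifier lets the two partial profiles be joined, and then shows a provider-specific pseudonym (HMAC of the identifier under a secret known only to that provider) that keeps each provider's own transactions linkable to its customer but defeats the cross-provider join. All log entries, provider names and keys are constructed for illustration.

```python
"""Linkability of transactions through a stable, uniquely identifying attribute.

Added example, not part of the FIDIS deliverable. The logs, provider names
and secrets below are constructed for illustration.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: two providers, one customer device seen at both.
PROVIDER_A_LOG = [
    {"device": "00:1a:2b:3c:4d:5e", "item": "train ticket Freiburg-Berlin", "price": 89.0},
    {"device": "aa:bb:cc:dd:ee:01", "item": "train ticket Munich-Vienna", "price": 75.0},
    {"device": "00:1a:2b:3c:4d:5e", "item": "seat reservation", "price": 4.5},
]
PROVIDER_B_LOG = [
    {"device": "00:1a:2b:3c:4d:5e", "item": "hotel Berlin, 2 nights", "price": 240.0},
    {"device": "aa:bb:cc:dd:ee:02", "item": "hotel Hamburg, 1 night", "price": 110.0},
]


def pseudonymise(log, provider_secret):
    """Replace the raw device identifier by a provider-specific pseudonym.

    HMAC-SHA256 keyed with a secret held only by this provider: the same
    device always maps to the same pseudonym at this provider (the provider
    still recognises its own customer), but a second provider with a
    different secret derives an unrelated pseudonym for the same device.
    """
    out = []
    for entry in log:
        tag = hmac.new(provider_secret, entry["device"].encode(), hashlib.sha256).hexdigest()
        out.append({**entry, "device": tag[:16]})
    return out


def join_profiles(log_a, log_b):
    """Return {identifier: merged item list} for identifiers present in both logs.

    This is the aggregator's (or observer's) view: every identifier that occurs
    in both logs yields one connected profile containing both providers' data.
    """
    by_id_a = defaultdict(list)
    for entry in log_a:
        by_id_a[entry["device"]].append(entry["item"])
    by_id_b = defaultdict(list)
    for entry in log_b:
        by_id_b[entry["device"]].append(entry["item"])
    shared = by_id_a.keys() & by_id_b.keys()
    return {ident: by_id_a[ident] + by_id_b[ident] for ident in shared}


def linkable_customers(log_a, log_b):
    """Number of customers whose profiles at A and B can be connected."""
    return len(join_profiles(log_a, log_b))


if __name__ == "__main__":
    # Raw logs: the MAC address joins the ticket purchases with the hotel booking.
    print("raw logs, linkable profiles:", linkable_customers(PROVIDER_A_LOG, PROVIDER_B_LOG))
    # Provider-specific pseudonyms: no identifier appears in both logs.
    a = pseudonymise(PROVIDER_A_LOG, b"secret-of-A")
    b = pseudonymise(PROVIDER_B_LOG, b"secret-of-B")
    print("per-provider pseudonyms, linkable profiles:", linkable_customers(a, b))
    # A shared (or unkeyed) hash is just another stable identifier: linkable again.
    print("shared hash key, linkable profiles:",
          linkable_customers(pseudonymise(PROVIDER_A_LOG, b"shared"),
                             pseudonymise(PROVIDER_B_LOG, b"shared")))
```

The last case in the demo is the practitioner's caveat: hashing the identifier without a provider-specific secret (or with a secret shared between providers) changes its appearance but not its linking power, since the same input still yields the same value everywhere.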

Processing of Collected Personal Data

The processing of collected personal data concerns exclusively the use of the data collected; the storage and transmission of personal data are examined separately in the following sections. During processing, data about a customer from possibly various sources is pooled in a business process. Such profile formation can have advantages for the customer: an online retailer, for instance, can use a customer's purchasing history to recommend individual products to him. Through such recommender systems, the effort of searching for similar products is reduced (Lam, Frankowski and Riedl, 2006). However, such profiles can become disadvantageous for the customer if they are used for decisions, e.g. the approval of financing, while the data in them is not up to date. This can lead to the desired service being declined or offered on poorer terms on the basis of outdated customer data, although it would have been offered, possibly on better terms, on the basis of current data (Solove, 2006b).

A further threat to a customer's privacy in business processes is the use of collected data for purposes other than those intended. One form of this is the aggregation of individual profiles of the customer. If it takes place without his consent, the service providers involved gain access to customer data that they should not be able to obtain. As a consequence, they can derive further interests, patterns of behaviour, his creditworthiness and, in the case of a mobile customer, also his movement profile (Müller and Wohlgemuth, 2005), none of which they should learn. The confidentiality of the individual profiles is no longer given, and his privacy is violated.

The defining property of multi-stage business processes, the delegation of personal data to a service provider so that he can use it when involving further service providers, gives rise to the abuse of this data as a further threat. Use for purposes other than intended, and thus abuse, occurs when a service provider uses the data for a purpose other than the one for which the customer consented to its collection or delegation. In this case, the acting service provider has breached the customer's trust. The consequences of an abuse depend on the kind of use. Abuse is present, for instance, if the data is used for advertising that the customer considers a nuisance, or if the customer suffers financial damage from it. An example of the latter is the abuse of credit card data used by his proxy for unauthorised payments. Since the proxy then appears under a partial identity of the customer, this last kind of abuse is tantamount to identity theft.

Storage of Collected Personal Data

It can generally be assumed that the purpose of a data collection and processing extends over a certain period of time, during which the collected data is stored by the service provider and accessible to him. Since this purpose-related access takes place with the customer's consent, his privacy is maintained. Storage presents a threat to his privacy when the data is retained beyond the period covered by the customer's consent and an obsolete profile of the customer is used for the service provider's service.

When the purpose of the data collection is fulfilled, e.g. a service provider has completed his task as proxy and rendered his service, the transaction between customer and proxy is terminated. With this termination, the customer's consent to the data processing also expires, i.e. the respective service provider is no longer authorised to access this data. If he is nevertheless still able to access it, this situation presents a threat to privacy. A potential attack is a service provider appearing under the stored (partial) identity of the customer after the transaction has ended. It must be considered, however, that data may also be stored beyond its purpose for the public good, as is the case with the retention of telecommunications data for the investigation of criminal offences (European Commission, 2006).

Delegation of Collected Personal Data

In the scenario of multi-stage business processes, personal data is disclosed by a service provider acting as proxy to further service providers. This, too, takes place with the consent of the respective customer: with his consent, the customer has specified the set of subjects who may access and use this data. Delegation nevertheless poses a threat, since a proxy can also disclose the data to other service providers. The set of access and usage subjects specified by the customer is then no longer respected; the proxy has contravened the customer's interests and violated his privacy. Such a disclosure constitutes a loss of confidentiality of the data and of the customer's trust in his proxy. Linking of profiles and identification of the customer can be among the negative consequences, unless the data does not identify him even implicitly.
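The three threats of the preceding sections, use for another purpose (processing), access after the consent has lapsed (storage) and onward disclosure outside the consented set of subjects (delegation), all reduce to checks against the customer's consent. The following is an added example, not code from the deliverable: it models the consent as a record naming the released data items, the purpose, the set of permitted service providers and the validity period, an access check that denies exactly those three cases, and a delegation step in which the proxy can only narrow what he passes on. Customer, provider names, purposes and timestamps are constructed for illustration.

```python
"""Consent-bound access to delegated personal data.

Added example, not part of the FIDIS deliverable. The consent record, the
provider names and the timestamps are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Consent:
    customer: str
    data_items: frozenset        # items the customer released
    purpose: str                 # the single purpose he consented to
    allowed_subjects: frozenset  # proxy plus the providers he may involve
    valid_from: datetime
    valid_until: datetime        # end of the transaction / retention period


@dataclass
class AccessRequest:
    subject: str      # service provider asking for the data
    data_item: str
    purpose: str
    at: datetime


def check_access(consent, request):
    """Return (allowed, reason); each denial corresponds to one threat in the text."""
    if request.subject not in consent.allowed_subjects:
        return False, "subject outside the consented set (undue delegation)"
    if request.data_item not in consent.data_items:
        return False, "data item was never released by the customer"
    if request.purpose != consent.purpose:
        return False, "use for a purpose other than the consented one (abuse)"
    if not (consent.valid_from <= request.at <= consent.valid_until):
        return False, "consent expired: access beyond the transaction"
    return True, "ok"


def delegate(consent, proxy, new_subject, data_items, valid_until=None):
    """Derive the consent a proxy hands to a further provider.

    The proxy can only narrow it: the recipient must already be in the
    customer's consented set, the items must be a subset, the purpose is
    unchanged and the validity cannot be extended.
    """
    if proxy not in consent.allowed_subjects:
        raise PermissionError(f"{proxy} holds no consent to delegate")
    if new_subject not in consent.allowed_subjects:
        raise PermissionError(f"{new_subject} is outside the set the customer consented to")
    items = frozenset(data_items)
    if not items <= consent.data_items:
        raise PermissionError("delegation would release items the customer never consented to")
    until = consent.valid_until if valid_until is None else min(valid_until, consent.valid_until)
    return Consent(consent.customer, items, consent.purpose,
                   frozenset({new_subject}), consent.valid_from, until)


# Constructed scenario: a customer books a trip through a travel agent (proxy)
# who may involve an airline and a hotel; consent holds for one week.
T0 = datetime(2006, 5, 1, 9, 0, tzinfo=timezone.utc)


def at(days):
    """Timestamp `days` days after the start of the consent period."""
    return T0 + timedelta(days=days)


CONSENT = Consent(
    customer="alice",
    data_items=frozenset({"delivery_address", "credit_card"}),
    purpose="book-trip",
    allowed_subjects=frozenset({"travel-agent", "airline", "hotel"}),
    valid_from=T0,
    valid_until=at(7),
)

if __name__ == "__main__":
    print(check_access(CONSENT, AccessRequest("travel-agent", "credit_card", "book-trip", at(1))))
    print(check_access(CONSENT, AccessRequest("marketing-partner", "delivery_address", "book-trip", at(1))))
    print(check_access(CONSENT, AccessRequest("travel-agent", "credit_card", "advertising", at(1))))
    print(check_access(CONSENT, AccessRequest("travel-agent", "credit_card", "book-trip", at(30))))
    hotel_consent = delegate(CONSENT, "travel-agent", "hotel", ["delivery_address"])
    print(check_access(hotel_consent, AccessRequest("hotel", "credit_card", "book-trip", at(1))))
```

The delegation step is where least privilege enters: the hotel receives only the delivery address, not the credit card data the travel agent holds, and the derived consent expires no later than the customer's original one.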

The European Data Protection Directive stipulates that the person concerned be notified upon the first transmission of his data to a third party (European Commission, 1995). The German Teleservices Data Protection Act (TDDSG) permits the transmission of customer data for the purpose of market research, but only in anonymised form (German Federal Government, 1997).

Intrusion into the Customer’s System

In the scenarios of single- and multi-stage business processes, it is assumed that the customer manages his data either on his personal end device or externally with a trustworthy party; he or the trustworthy party thereby controls access to his data. A threat lies in faulty or malicious software, such as viruses or Trojan horses, whose aim is to gain access to this data and pass it on.

Threats to the Security of Service Providers

Privacy, however, does not concern only the interests of the individual, in this case the customer. The European Data Protection Directive 95/46/EC, the German Federal Data Protection Act and the "census judgment" of the German Federal Constitutional Court explicitly allow exceptions where the general interest predominantly requires them. This applies, amongst others, to criminal prosecution (European Commission, 1995). One such case is fraud by the customer or by his proxy.

In the first case, a customer denies having received a service. The second case arises in multi-stage processes and assumes a fraudulent proxy: the proxy acts in the customer's name and then denies the transaction towards the service providers concerned and the customer. For prosecution to be possible, the service provided must be unambiguously attributable to the customer or his proxy. This corresponds to the protection goal of accountability in the multilateral security concept (Rannenberg, Pfitzmann and Müller, 1999).
