Title: EXECUTIVE SUMMARY

Executive Summary

Privacy is not only a concern of customers. Service providers also fear privacy violations as a main hurdle for the acceptance of personalised services (Sackmann and Strüker, 2005). Furthermore, the protection of privacy is an interest of service providers who take on customer relationship management activities of several service providers. They manage customers’ profiles, e.g. in loyalty programs and e-health scenarios with electronic patient records, and offer the service of aggregation. If it is possible to link profiles of a customer without the need of such service providers, latter would not benefit from their aggregation service.

The objective of this study is to identify privacy threats in business processes with personalised services, to suggest process models for modelling privacy-aware business processes and to derive security requirements for user-centric identity management in order to preserve privacy.

Figure 1.1 shows the approach of this study. Based on privacy as informational self-determination, privacy are identifies in business processes by the reference scenario. This reference scenario is used as an orientation for the authors of this study. Undesired profiling is in particular investigated by case studies. The investigation of profiling differs in unconscious collection of customers’ data by service providers and in externally stored customers’ profiles and delegation of access on some of these profiles by customers. To get a survey on the use of collected customers’ data in business processes, to derive access rights on these data from data protection legislations and agreements and to suggest a method for evaluating privacy-aware business processes, two process models are described. From the technical viewpoint, representatives of user-centric identity management protocols based on credentials are applied on single-stage and in particular on multi-stage business processes in order to show their suitability for preventing undesired profiling. Security requirements for user-centric identity management in multi-stage business processes are the result of this investigation. As countermeasures for (a) undesired profiling with delegation of rights and (b) unconscious collection of customers’ data, the extensions (a) DREISAM for an unlinkable delegation of rights and (b) Data Track for tracking disclosure of personal data by customers are introduced as extensions for identity management.

The results of this study differs in unconscious collection of customers’ data and in the prevention of profiling if customers delegate rights to service providers in order to get access on some profiles for a specific purpose.

Unconscious collection of customers’ data and their aggregation with individualised profiles lead to a threat to personal autonomy because customers are not aware of the way their preferences are manipulated. Customers should have the opportunity to access on unconscious collected and aggregated profiles and to adapt their profiles in order to make these profiles transparent to them. Since data protection legislations lack of effectiveness in the sense that service provider implements the minimal part so that they are not sanctioned and in the lack of control of each service provider, customers should have an instrument for counter profiling so that they are aware of an unconscious data collection. The Data Track mechanism is an approach for such a transparency instrument; however, it supports solely conscious data collections up to now.

Concerning delegation of profiles, current user-centric identity management systems do not achieve data economy. If current identity management systems are used, a service provider acting on behalf of a customer gets access to customer’s complete identity. The challenge is to control the disclosure of personal data to personalised services and at the same time to prevent undesired profiling about the customer. The DREISAM protocols achieve an unlinkable delegation and revocation of access rights. Proxies do not get identifying data of customers by a delegation, if identifying data are not needed for the purpose of their service. Thus, the knowledge of service providers managing customers’ profiles is kept confidential and they are able to benefit by an aggregation of their profiles under restriction of customers’ consent. Therefore, DREISAM implements a mechanism for usage control with regard to customers’ data.

Further work investigates on the verification of service providers, whether they have processed customers’ data according to the negotiated arrangement between service provider and customers as well as according to the given data protection legislation. The objective is to get evidences concerning the use of customers’ profiles. In order to technically re-trace the information flow of disclosed customers’ data, the study “D14.3: Study on the Suitability of Trusted Computing to support Privacy in Business Processes” of the FIDIS Work Package 14 “Privacy in Business Processes” investigates on trusted computing as a platform to support the enforcement of privacy policies by service providers.

Figure 1. Approach of FIDIS deliverable D14.2.