Use Case: Personalised Services
Title: TRUST MODEL CONCERNING PROCESSING OF PERSONAL DATA
Requirements for a verifiable Processing of Personal Data


Trust Model concerning Processing of Personal Data

In the deliverable D14.2 “Study on Privacy in Business Processes by Identity management” of FIDIS Work package 14 (Müller and Wohlgemuth, 2007), the trust model focuses on service providers and on the privacy threat of undesired profiling while personal data is collected and delegated. The trust model of this deliverable focuses on service providers and their activities relating to the processing of personal data. A user cannot be sure whether service providers follow the agreed privacy policy.

The privacy threats arising from these attacks are undesired collection, storage and delegation as well as misuse of personal data. If personal data has been collected by someone other than the addressed service provider, e.g. by impersonating him by means of a man-in-the-middle attack, the confidentiality of the personal data is no longer given. If personal data has been stored, delegated or used contrary to the consent of the user, the confidentiality of his profile with respect to the agreed privacy policy has been violated.

The protection goals of multilateral security (Rannenberg, Pfitzmann and Müller, 1999) are the starting point of the trust model. The attacker model focuses on the protection goals “confidentiality of personal data” and “accountability of service providers’ activities” relating to the use of personal data. The security criteria “anonymity” and “unobservability” of multilateral security are not considered, since users explicitly disclose personal data to service providers.

Confidentiality of communication with respect to personal data means, according to (Rannenberg, Pfitzmann and Müller, 1999), that:

  1. The transmitted personal data is only known to its recipient.

  2. The communication partners may be unknown. 

  3. The location of communication partners may be secret. 

The first criterion is relevant for personalised services; the second and third are not, since users explicitly disclose personal data to service providers for the purpose of a personalised service.

Furthermore, for this study, confidential data processing means that disclosed personal data is only used for a specific purpose and with the consent of the corresponding user. The scope of this usage is pre-defined by a policy agreed between the user and the service provider.

Not every service application is able to process personal data confidentially and to guarantee this to its users in advance. In this case, users should be able to verify whether their data has been used according to the agreed privacy policy. It follows that the activities of data usage must be controllable and accountable. Multilateral security defines the protection goal accountability as follows:

  1. Service providers should be able to prove to a third party that entity X has sent or used the message or service Y.

  2. A user should be able to prove that he has sent or used a message or a service and, in the case of messages, that he has received a given one.

  3. Nobody is able to deny fees for supplied services; at least service providers obtain a proof for supplied services.

In the context of privacy, the first aspect is interpreted as follows: a user is able to verify whether a service provider has delegated, stored or used personal data. The other criteria are of lower relevance as they follow a reactive approach. Verifiable data processing does not enforce the user’s privacy interests but enables him to initiate sanctions in case of a privacy violation.
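To make the two protection goals concrete, the following added example (written for this page, not part of the FIDIS deliverable) models the agreed privacy policy and a service provider's accountable activity log, and lets the user check the log against the policy after the fact. The policy fields, the action names "use", "store" and "delegate", and the sample records are constructed for illustration.

```python
# Added example, not from the deliverable: user-side check of a provider's
# recorded activities against the agreed policy. Formats are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class PrivacyPolicy:
    """Scope agreed between user and service provider (constructed format)."""
    data_items: frozenset   # personal data the user disclosed
    purposes: frozenset     # purposes the user consented to
    may_store: bool         # whether storage beyond the transaction is allowed
    delegates: frozenset    # third parties the data may be delegated to

@dataclass(frozen=True)
class Activity:
    """One accountable record of a provider's action on a data item."""
    action: str             # "use", "store" or "delegate"
    item: str
    purpose: str
    recipient: str = ""     # only meaningful for "delegate"

def verify_processing(policy, log):
    """Return (activity, reason) pairs for every logged activity outside the
    policy. Reactive: it detects violations, it does not prevent them."""
    violations = []
    for act in log:
        if act.action not in ("use", "store", "delegate"):
            violations.append((act, "unknown action"))
        elif act.item not in policy.data_items:
            violations.append((act, "item was never disclosed under this policy"))
        elif act.purpose not in policy.purposes:
            violations.append((act, "purpose not consented to"))
        elif act.action == "store" and not policy.may_store:
            violations.append((act, "storage not permitted"))
        elif act.action == "delegate" and act.recipient not in policy.delegates:
            violations.append((act, "delegation to a party outside the policy"))
    return violations

# Constructed sample: a shop may use address and birthdate for delivery and
# age verification, may store nothing, and may delegate only to one carrier.
SAMPLE_POLICY = PrivacyPolicy(frozenset({"address", "birthdate"}),
                              frozenset({"delivery", "age-check"}),
                              False, frozenset({"carrier-A"}))
SAMPLE_LOG = [
    Activity("use", "address", "delivery"),
    Activity("delegate", "address", "delivery", "carrier-A"),
    Activity("delegate", "address", "marketing", "ad-network"),   # violation
    Activity("store", "birthdate", "age-check"),                  # violation
]
```

Running `verify_processing(SAMPLE_POLICY, SAMPLE_LOG)` reports the marketing delegation and the storage of the birthdate; the two policy-conforming records pass.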

