FIDIS Deliverable D14.3: Study on the Suitability of Trusted Computing to support Privacy in Business Processes
Privacy: A Matter of Trust?

Executive Summary

This study addresses (a) the use of disclosed personal data according to rules agreed between users and service providers, and (b) the suitability of Trusted Computing for enforcing such privacy rules. In business processes for personalised services, personal data is processed by service providers, e.g. stored or delegated to other service providers. The rules for processing personal data are published by service providers in the form of privacy statements, and users consent to these statements when they accept the standard business conditions. However, since privacy enhancing technologies (PET) mainly focus on controlling access to personal data at the point of collection, users are neither able to enforce the agreed rules nor to verify whether service providers have followed them. Consequently, users must trust service providers to enforce these rules. In order to extend this trust model so that users need not trust service providers in this respect, this study presents approaches for technically observing the behaviour of service providers with respect to the agreed privacy rules. 

This study illustrates this privacy problem with two use cases: information filtering and personalised services. The first appears in recommender systems, the second in customer relationship management, e.g. loyalty programmes. Both involve the delegation of collected personal data from one service provider to another. In order to enforce rules on the delegation of personal data, this study presents a monitor combined with an information flow analysis that identifies delegations of personal data contrary to the agreed rules. To let the user verify the information flow, the service provider gives the user a proof that it runs such a monitor and presents the transcript of its observations. The approach uses Trusted Computing in the reverse of its common deployment: the trusted platform is the information system of the service provider, not the system of the user. The investigation of Trusted Computing discusses its shortcomings for this kind of deployment and presents a solution for the “time problem” identified there. 
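The following is an added example that is not part of the study and does not reproduce its monitor design. It sketches, in simplified form, the two ingredients the paragraph above combines: an information flow rule under which any value computed from personal data inherits the labels of its inputs, and a monitor that checks every storage and delegation event against per-user rules and records it in a hash-chained transcript that the user can later verify. The rule format (`store_in`, `delegate_to`), the label model (a set of data subjects per value) and the sample data are assumptions made for the example; the Trusted Computing proof that the monitor is actually running is not modelled here.

```python
"""Illustrative privacy monitor: label propagation plus a hash-chained transcript.

Added example, not code from the FIDIS study. Assumed model: every value carries
the set of data subjects whose personal data flowed into it; the agreed rules
are, per subject, the permitted storage locations and delegation recipients;
the monitor logs each store/delegate event in a SHA-256 hash chain.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Labeled:
    """A value together with the data subjects it is derived from (hypothetical label)."""
    value: object
    subjects: frozenset


def combine(*inputs: Labeled, value=None) -> Labeled:
    """Information-flow rule: a computed value inherits the labels of all inputs."""
    return Labeled(value, frozenset().union(*(i.subjects for i in inputs)))


class Monitor:
    """Observes storage and delegation of labelled data and keeps a transcript."""

    GENESIS = "0" * 64

    def __init__(self, rules):
        # rules[subject] = {"store_in": {...}, "delegate_to": {...}}  (assumed format)
        self.rules = rules
        self.transcript = []  # [{"entry": {...}, "hash": chain hash}, ...]
        self._prev = self.GENESIS

    def _check(self, op, item, key, target):
        # A subject objects if the target is not in that subject's permitted set.
        violators = sorted(s for s in item.subjects
                           if target not in self.rules.get(s, {}).get(key, set()))
        entry = {"op": op, "subjects": sorted(item.subjects), "target": target,
                 "allowed": not violators, "violating_subjects": violators}
        payload = json.dumps(entry, sort_keys=True)
        h = hashlib.sha256((self._prev + payload).encode()).hexdigest()
        self.transcript.append({"entry": entry, "hash": h})
        self._prev = h
        return entry["allowed"]

    def store(self, item: Labeled, location: str) -> bool:
        return self._check("store", item, "store_in", location)

    def delegate(self, item: Labeled, recipient: str) -> bool:
        return self._check("delegate", item, "delegate_to", recipient)


def verify_transcript(transcript, subject):
    """User-side check: recompute the chain, then return the events touching `subject`.

    Returns None if any recorded hash does not match (tampered or reordered entry).
    """
    prev = Monitor.GENESIS
    for rec in transcript:
        payload = json.dumps(rec["entry"], sort_keys=True)
        if hashlib.sha256((prev + payload).encode()).hexdigest() != rec["hash"]:
            return None
        prev = rec["hash"]
    return [r["entry"] for r in transcript if subject in r["entry"]["subjects"]]


def run_demo() -> Monitor:
    """Constructed scenario: a loyalty programme builds a segment profile from two users."""
    rules = {  # constructed per-user rules standing in for the agreed privacy statements
        "alice": {"store_in": {"crm-db"}, "delegate_to": {"partner-a"}},
        "bob": {"store_in": {"crm-db"}, "delegate_to": set()},
    }
    m = Monitor(rules)
    alice = Labeled({"bought": ["book"]}, frozenset({"alice"}))
    bob = Labeled({"bought": ["dvd"]}, frozenset({"bob"}))
    m.store(alice, "crm-db")                              # permitted
    profile = combine(alice, bob, value={"segment": "media"})
    m.delegate(profile, "partner-a")                      # bob never allowed delegation
    m.store(profile, "backup")                            # location permitted for nobody
    return m


if __name__ == "__main__":
    monitor = run_demo()
    for e in verify_transcript(monitor.transcript, "bob"):
        print(e)
```

The point of the `combine` step is that the aggregated profile is still personal data of both users, so delegating it to `partner-a` violates Bob's rules even though Alice consented. The chain head (`monitor._prev`) is the value a service provider would have to vouch for with the Trusted Computing mechanisms the study discusses; the chain alone only makes modification of recorded entries detectable, not omission of events the monitor never saw.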

The conclusion drawn from this investigation is that the storage and delegation activities of a service provider concerning personal data can be observed by the presented monitor in combination with Trusted Computing. For example, medical service providers that make use of the electronic patient record can deploy this approach to demonstrate their trustworthiness to their users. Users then no longer need to trust that these providers follow the agreed privacy rules on the storage and delegation of personal data. 

However, most of the technologies related to Trusted Computing are not widely used or even available today. The Trusted Computing Group's specification for the use of Trusted Computing on servers appears to be very preliminary. It does not address the problems that arise when Trusted Computing meets modern server-side technologies such as virtualisation and partitioning. The last revision (0.8) is from March 23rd, 2005, and no visible changes have been made since then. Moreover, many of the proposed security and privacy solutions assume a well-defined and static processing environment. In practice the environment is dynamic (e.g. new versions of, or patches for, the operating system and the business software), and every such change alters the measured integrity values that a verifier would have to recognise as trustworthy. At the moment, it is not clear if and how integrity measurements (including remote attestation) should work in such a dynamic environment. 

fidis_wp14_d14.3_v1.0.sxw, page 2 / 39