Privacy Token: An Improved and Verified Mechanism for User's Privacy Specification in Identity Management Systems for the Cloud

Villarreal, María Elena; Villarreal, Sergio Roberto; Merkle Westphall, Carla; Werner, Jorge

Home // International Journal On Advances in Security, volume 10, numbers 3 and 4, 2017 // View article

Privacy Token: An Improved and Verified Mechanism for User's Privacy Specification in Identity Management Systems for the Cloud

Authors:
María Elena Villarreal
Sergio Roberto Villarreal
Carla Merkle Westphall
Jorge Werner

Keywords: Privacy; Cloud Computing; Identity Management.

Abstract:
With the increasing amount of personal data stored and processed in the cloud, economic and social incentives to collect and aggregate such data have emerged. Therefore, secondary use of data, including sharing with third parties, has become a common practice among service providers and may lead to privacy breaches and cause damage to users since it involves using information in a non-consensual and possibly unwanted manner. Despite numerous works regarding privacy in cloud environments, users are still unable to control how their personal information can be used, by whom and for which purposes. This paper presents a mechanism for identity management systems that instructs users about the possible uses of their personal data by service providers, allows them to set their privacy preferences and sends these preferences to the service provider along with their identification data in a standardized, machine-readable structure, called privacy token. This approach is based on a three-dimensional classification of the possible secondary uses of data, four predefined privacy profiles and a customizable one, and a secure token for transmitting the privacy preferences. The applicability and the utility of the proposal were demonstrated through a case study, and the technical viability and the correct operation of the mechanism were verified through a prototype developed in Java in order to be incorporated, in future work, to an implementation of the OpenID Connect protocol. The main contributions of this work are the preference specification model and the privacy token, which invert the current scenario where users are forced to accept the policies defined by service providers by allowing the former to express their privacy preferences and requesting the latter to align their actions.

Pages: 208 to 222

Publication date: December 31, 2017

Published in: journal

ISSN: 1942-2636