A Three Layered Model to Implement Data Privacy Policies

An increasing number of business-to-business and business-to-customer services are delivered by means of web technologies and mobile devices. As a consequence, sensitive data are continuously exposed to the risk of being handed to final users, or to intermediary actors taking part in the data transactions, who may not hold the access rights needed to obtain those data. This new generation of services is often characterized by high dynamism and untrustworthiness: existing technologies for managing and applying data privacy policies may fail in such contexts, because they can require too many resources, degrade the data quality to an unacceptable level, or be too pervasive for data sources or data requestors. Moreover, the industrial and research communities are beginning to perceive the need to embed mechanisms for preserving data privacy within the software product and process, as the recent literature shows. This paper proposes an approach to managing data privacy, inspired by the front-end trust filter paradigm, which aims at guaranteeing high flexibility, reducing the resources required, and limiting the pervasiveness into the applications and devices involved in the data exchange. Our approach has the potential to curtail the change impact due to dynamism and to foster the reuse of strategies, and of their implementations, also across organizations.
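The following Python is an added illustration of the general shape of a front-end trust filter; it is not the paper's code and does not reproduce its three-layer model. The assumptions are spelled out in the module docstring: an upstream step has already assigned each requestor an integer trust level, a policy is plain data naming which transformation strategy applies to each field at each trust level, and the filter sits between the data source and the requestor so that neither has to change. The policy table, strategy names and sample records are all constructed for the example.

```python
"""Illustrative front-end trust filter (added example, not the paper's code).

Assumed model (not taken from the paper): each requestor has already been
assigned an integer trust level by an upstream authentication or trust
negotiation step; a policy is plain data naming, per field, which
transformation strategy applies at which trust level; the filter sits between
the data source and the requestor, so neither has to be modified.
"""
from typing import Any, Callable, Dict, List, Tuple

_DROP = object()  # sentinel: strategy result meaning "do not deliver this field"


# Reusable transformation strategies. They know nothing about any particular
# data source or application, so the same table can be shared across organizations.
def passthrough(v: Any) -> Any:
    return v


def suppress(v: Any) -> Any:
    return _DROP


def initials(v: Any) -> str:
    return "".join(part[0].upper() + "." for part in str(v).split())


def generalize_age(v: Any) -> str:
    lo = (int(v) // 10) * 10
    return f"{lo}-{lo + 9}"


def generalize_zip(v: Any) -> str:
    return str(v)[:3] + "**"


STRATEGIES: Dict[str, Callable[[Any], Any]] = {
    "passthrough": passthrough,
    "suppress": suppress,
    "initials": initials,
    "generalize_age": generalize_age,
    "generalize_zip": generalize_zip,
}

# Hypothetical policy: for every field, the minimum trust level required for
# each strategy. Higher trust unlocks less degraded data.
POLICY: Dict[str, List[Tuple[int, str]]] = {
    "patient_id": [(3, "passthrough"), (0, "suppress")],
    "name":       [(3, "passthrough"), (2, "initials"), (0, "suppress")],
    "age":        [(2, "passthrough"), (1, "generalize_age"), (0, "suppress")],
    "zip":        [(2, "passthrough"), (1, "generalize_zip"), (0, "suppress")],
    "diagnosis":  [(1, "passthrough"), (0, "suppress")],
}

CompiledPolicy = Dict[str, List[Tuple[int, Callable[[Any], Any]]]]


def compile_policy(policy: Dict[str, List[Tuple[int, str]]]) -> CompiledPolicy:
    """Resolve strategy names once, at load time, and order rules by descending
    trust so lookup picks the least degraded strategy the requestor qualifies for.
    An unknown strategy name is a policy-authoring error and is rejected here,
    not silently treated as passthrough at request time."""
    compiled: CompiledPolicy = {}
    for field, rules in policy.items():
        resolved = []
        for min_trust, name in rules:
            if name not in STRATEGIES:
                raise ValueError(f"policy for {field!r} names unknown strategy {name!r}")
            resolved.append((min_trust, STRATEGIES[name]))
        compiled[field] = sorted(resolved, key=lambda r: r[0], reverse=True)
    return compiled


def filter_record(record: Dict[str, Any], compiled: CompiledPolicy, trust: int) -> Dict[str, Any]:
    """Apply the policy to one record for a requestor at the given trust level.
    Fields the policy does not mention are dropped (fail closed), as are fields
    for which no rule's threshold is met."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        rules = compiled.get(field)
        if rules is None:
            continue
        for min_trust, strategy in rules:
            if trust >= min_trust:
                result = strategy(value)
                if result is not _DROP:
                    out[field] = result
                break
    return out


def filter_records(records: List[Dict[str, Any]], compiled: CompiledPolicy, trust: int) -> List[Dict[str, Any]]:
    return [filter_record(r, compiled, trust) for r in records]


# Constructed sample data (not from the paper). "notes" is deliberately absent
# from the policy to show the fail-closed default.
SAMPLE_RECORDS = [
    {"patient_id": 1017, "name": "Ada Lovelace", "age": 36, "zip": "02139", "diagnosis": "asthma", "notes": "internal"},
    {"patient_id": 1018, "name": "Grace Hopper", "age": 52, "zip": "10001", "diagnosis": "flu", "notes": "internal"},
]

if __name__ == "__main__":
    compiled = compile_policy(POLICY)
    for trust in (0, 1, 2, 3):
        print(trust, filter_records(SAMPLE_RECORDS, compiled, trust))
```

The two properties the abstract argues for are visible in the structure: the policy and the strategy table are data and plain functions with no dependency on the data source or the requesting application, so they can be reused across organizations, and a change in trust levels or strategies touches only the policy, not the applications on either side of the filter. Unknown strategy names fail at policy load, and fields the policy does not mention are never delivered, so mistakes degrade towards less disclosure rather than more.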
