Protecting Consumer Data in Composite Web Services

The growing number of linkable vendor-operated databases poses a distinct threat to customer privacy and security, because the personal information disclosed in an online transaction can be misused by the vendor that receives it. Existing privacy-enhancing technologies offer no protection once a vendor acts against its stated privacy policy, so the customer loses both privacy and security. Anonymity is not an option when the transaction requires that the participants be identified. We propose a service-oriented, technically enforceable system that preserves the privacy and security of customers transacting with untrusted online vendors. The system extends to composite web services, protecting customer privacy when several vendors interact to complete a single transaction. A semi-trusted processor is introduced that executes operations on sensitive customer information inside a protected environment and provides accountability when a transaction is disputed.