National Institute of Informatics National Institute of Informatics Privacy in Business Processes - Identifying Non-Authorized Disclosure of Personal Data to Third Parties - Austria-Japan Workshop 2010 October 18, 2010 Dr. Sven Wohlgemuth Prof. Dr. Isao Echizen Prof. Dr. Noboru Sonehara National Institute of Informatics, Japan Prof. Dr. Günter Müller University of Freiburg, Germany Sven Wohlgemuth On Privacy by Observable Delegation of Personal Data 1
Privacy and Disclosure of Personal Data to Third Parties National Institute of Informatics Privacy legislation: „Privacy is the claim of individuals, groups and institutions to determ ine for them selves , when, how and to what extent information about them is communicated to others.“ (Westin, 1967 � regulations of Germany/ EU, Japan and HIPAA) User Services DC / DP d d, d’ DC / DP DP d d, d’ DC / DP d, d’ DC Disclosure of personal data to third parties DP = Data provider DC = Data consumer d, d’ = Personal data Access control No usage control for the disclosure of personal data Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N. and Müller, G., 2009 Dr. Sven Wohlgemuth Privacy in Business Processes 2
Agenda National Institute of Informatics 1 . Shift to a new Scenario 2 . User becom es a Target 3 . Usage Control by Data Provenance 4 . DETECTI VE: Data Provenance w ith Digital W aterm arking 5 . Safety of Data and Liveness of Services Dr. Sven Wohlgemuth Privacy in Business Processes 3
1. Shift to a new Scenario (e.g. Electronic Health Records, Gematik in Germany) National Institute of Informatics Current scenario New scenario Exam ination Dentist Laboratory Patient Pharm acy Hospital Patient’s data is stored in All data about the patient stored in one location: many medical systems. A central EHR Each m edical system is in Patient is in charge of this data. charge of patient’s data. Dr. Sven Wohlgemuth Privacy in Business Processes 4
2. User becomes a Target (e.g. Patient) National Institute of Informatics Patient “inherits” responsibility and risk. Dishonest parties m ay m odify or disclose personal data to 3 rd parties w ithout Dentist Laboratory authorization. � Privacy Problem How can the patient control the Exam ination Drug m aker disclosure of m edical data to 3 rd parties? Patient Different data protection legislations ( e.g. EC 9 5 / 4 6 / EC, Japan, HI PAA) Advertiser Hospital Pharm acy Em ployer Haas, S., Wohlgemuth, S., Echizen. I, Sonehara, N. and Müller, G., 2009 Dr. Sven Wohlgemuth Privacy in Business Processes 5
3. Usage Control by Data Provenance (1/2) National Institute of Informatics - Enterprise Privacy Authorization Policies Language (EPAL) - Extended Privacy Definition Tools (ExPDT) Mechanism s & Methods Preventive Reactive Before the During the After the execution execution execution - Process Rewriting - Execution Monitoring - Model Reconstruction - Workflow Patterns - Non-linkable Delegation - Audits / Forensics - Vulnerability Analysis of Rights - Architectures for Data Provenance Müller, G., Accorsi, R., Höhn, S. and Sackmann, S., 2010 Dr. Sven Wohlgemuth Privacy in Business Processes 6
Usage Control by Data Provenance (2/2) National Institute of Informatics - Data provenance – Information to determine the derivation history - I n an audit, data provenance can be used to restore the inform ation flow . Exam ple Advertiser Drug m aker Laboratory Drug m aker Medical Medical Medical Medical Data Data Data Data Patient Patient Patient Patient Advertiser Advertiser Advertiser Advertiser Laboratory Laboratory Data Provenance Dr. Sven Wohlgemuth Privacy in Business Processes 7
4. DETECTIVE: Data Provenance with Digital Watermarking National Institute of Informatics W aterm arking is a m ethod to bind provenance inform ation as a tag to data. The EHR/ Medical system m ust enforce that – disclosed data is tagged with updated provenance information – provenance information is authentic. Steps of a disclosure: 4 ) Deliver tagged data EHR/ Medical system 3 ) Apply tag W aterm arkin 2 ) Fetch data g Service Data 1 ) Access request Data consum e r ( e.g. Laboratory) Data provider ( e.g. Advertiser) Dr. Sven Wohlgemuth Privacy in Business Processes 8
Digital Watermarking and Disclosure of Personal Data National Institute of Informatics Patient Patient Patient Advertiser Advertiser Advertiser Laboratory Laboratory Laboratory Laboratory Patient Advertiser Laboratory Patient Advertiser Patient Advertiser Laboratory Drug m aker Both service providers have same digital watermark � No identification of last data provider Dr. Sven Wohlgemuth Privacy in Business Processes 9
DETECTIVE: Digital Watermarking Scheme National Institute of Informatics Data provenance inform ation – Linking identities of data provider and data consumer with access to personal data. Detection by the patient via delegated rights ( privacy policy) to personal data. Data provider Data consum er Patient Data provider Data consum er Patient Laboratory Advertiser Laboratory Advertiser ( rights) Patient 寿 ( rights) Patient Advertiser Laboratory Advertiser Laboratory Apply Tag Verify Tag Patient 寿 Patient Advertiser Advertiser Laboratory Laboratory Laboratory Advertiser Dr. Sven Wohlgemuth Privacy in Business Processes 10
DETECTIVE: Protocol Tag National Institute of Informatics Data provider Data consumer 1: pk DP_COM for commitments Commitments 2: commit to k DC & blinding: com DC_BLIND (k DC ) Commitmen t 3: confirm com DC ( k DC ): to identity of Digital signature DC 4: com DC_BLIND ( k DC ), DC signature (com DC_BLIND ( k DC )) signature DC (com DC_BLIND ( k DC ) 5: verify signature DC Digital 6: blind com DP ( k DP ): watermarking com DP_BLIND ( k DP ) Tagging and confirm by signarure DP disclosure 7: link commitments to d : of personal Computing with tag’ : = embed sym (anonCredential DC , data com DP_BLIND ( k DP )com DC_BLIND ( k DC ), d ) commitments 8: tag’ , signature DP 9: reveal tag : = Revealing 11 Sven Wohlgemuth On Privacy for Observable Delegation of Personal Data by Digital Watermarking tag’ / blinding factor DC tag Privatsphäre durch die Delegation von Rechten 11
DETECTIVE: Protocol Verify National Institute of Informatics User CA Data provider Data consumer Reconstruct 1: request anonCredentials ( rights DC ) PKI delegation for delegated rights chain 2: request com DP_BLINDED ( k DP ), pk DP_COM , and signature DC Commitments 3: com DP_BLINDED ( k DP ), pk DP_COM , and signature DC 4: request open(com DP_BLINDED ( k DP )) Digital signature Verify 5: blinded k DP enforcement of embedding Zero-knowledge 6: verify com DP_BLINDED ( k DP ) proof 7: verify signature DC 8: extract com DC ( k DC ) from tag 9: check correctness of com DC ( k DC ) by zero-knowledge proof 12
DETECTIVE: Proof-of-Concept Implementation National Institute of Informatics Case study: Telem edicine – Consulting a clinic abroad Dr. Sven Wohlgemuth Privacy in Business Processes 13
5. Safety of Data and Liveness of Services National Institute of Informatics Safety: Authorized execution Liveness: Reachable states Provisions: cover the time up to the Obligations: cover the time after the access (“past and present”) access (“future”) Provisions Obligations t request access Transparency by Policy Enforcem ent Mechanism s (e.g. DETECTIVE) Dr. Sven Wohlgemuth Privacy in Business Processes 14
Recommend
More recommend