Privacy in Business Processes - Identifying Non-Authorized Disclosure - - PowerPoint PPT Presentation


National Institute of Informatics. Privacy in Business Processes - Identifying Non-Authorized Disclosure of Personal Data to Third Parties -. Austria-Japan Workshop 2010, October 18, 2010. Dr. Sven Wohlgemuth


Slide 1

Sven Wohlgemuth, On Privacy by Observable Delegation of Personal Data

National Institute of Informatics

Privacy in Business Processes
- Identifying Non-Authorized Disclosure of Personal Data to Third Parties -

Austria-Japan Workshop 2010, October 18, 2010

  • Dr. Sven Wohlgemuth
  • Prof. Dr. Isao Echizen
  • Prof. Dr. Noboru Sonehara
  National Institute of Informatics, Japan
  • Prof. Dr. Günter Müller
  University of Freiburg, Germany


Slide 2

Privacy and Disclosure of Personal Data to Third Parties

Privacy legislation:

„Privacy is the claim of individuals, groups and institutions to determine for themselves, when, how and to what extent information about them is communicated to others.“

(Westin, 1967; regulations of Germany/EU, Japan and HIPAA)

Legend: DP = Data provider, DC = Data consumer, d, d’ = Personal data

[Figure: disclosure of personal data to third parties. The user discloses d and d’ to a DP; the data flow on through services acting as DC / DP to a final DC. Access control applies at the first disclosure, but there is no usage control for the disclosure of personal data to third parties.]

Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N. and Müller, G., 2009

Privacy in Business Processes, Dr. Sven Wohlgemuth
Slide 3


Agenda

1. Shift to a new Scenario
2. User becomes a Target
3. Usage Control by Data Provenance
4. DETECTIVE: Data Provenance with Digital Watermarking
5. Safety of Data and Liveness of Services

Slide 4


1. Shift to a new Scenario (e.g. Electronic Health Records, Gematik in Germany)

Current scenario: The patient’s data is stored in many medical systems (hospital, laboratory, examination, dentist, pharmacy). Each medical system is in charge of the patient’s data.

New scenario: All data about the patient is stored in one location, a central EHR. The patient is in charge of this data.

Slide 5

2. User becomes a Target (e.g. Patient)

The patient “inherits” responsibility and risk. Dishonest parties may modify or disclose personal data to 3rd parties without authorization.

Privacy Problem: How can the patient control the disclosure of medical data to 3rd parties?

[Figure: the patient’s data flows among hospital, examination, dentist, pharmacy and laboratory, and on to advertiser, employer and drug maker, under different data protection legislations (e.g. EC 95/46/EC, Japan, HIPAA).]

Haas, S., Wohlgemuth, S., Echizen, I., Sonehara, N. and Müller, G., 2009

Slide 6


3. Usage Control by Data Provenance (1/2)

Mechanisms & methods, ordered by when they act (preventive before and during the execution, reactive after it):

Before the execution (policies):
  • Process Rewriting
  • Workflow Patterns
  • Vulnerability Analysis
  • Enterprise Privacy Authorization Language (EPAL)
  • Extended Privacy Definition Tools (ExPDT)

During the execution:
  • Execution Monitoring
  • Non-linkable Delegation of Rights

After the execution:
  • Model Reconstruction
  • Audits / Forensics
  • Architectures for Data Provenance

Müller, G., Accorsi, R., Höhn, S. and Sackmann, S., 2010

Slide 7


Usage Control by Data Provenance (2/2)

  • Data provenance: information to determine the derivation history
  • In an audit, data provenance can be used to restore the information flow.

Example

[Figure: medical data flows Patient → Laboratory → Advertiser → Drug maker; with data provenance the patient can trace this chain back.]

Slide 8


4. DETECTIVE: Data Provenance with Digital Watermarking

Watermarking is a method to bind provenance information as a tag to data. The EHR/medical system must enforce that
– disclosed data is tagged with updated provenance information,
– provenance information is authentic.

Steps of a disclosure between a data consumer (e.g. laboratory) and a data provider (e.g. advertiser), with the watermarking service of the EHR/medical system:
1) Access request
2) Fetch data
3) Apply tag
4) Deliver tagged data

Slide 9


Digital Watermarking and Disclosure of Personal Data

[Figure: disclosure chain Patient → Laboratory → Advertiser → Drug maker, every copy carrying the same patient watermark.]

  • Both service providers have the same digital watermark.
  • No identification of the last data provider.

Slide 10

DETECTIVE: Digital Watermarking Scheme

Data provenance information: linking the identities of data provider and data consumer with the access to personal data. Detection by the patient via delegated rights (privacy policy) to the personal data.

[Figure: the data provider applies a tag when disclosing data to the data consumer; the patient verifies the tag. Chain Patient → Laboratory → Advertiser, with the patient’s rights delegated along it, so that the Laboratory can be identified as the provider of the Advertiser’s copy.]

Slide 11


DETECTIVE: Protocol Tag

On Privacy for Observable Delegation of Personal Data by Digital Watermarking
(Privacy through the Delegation of Rights)

Tagging the disclosure of personal data d with a commitment to the identity of the data consumer. Building blocks: commitments (“computing with commitments”), digital signature, digital watermarking. Parties: data provider (DP) and data consumer (DC); the steps below are read off the slide’s sequence diagram.

1: DP → DC: pkDP_COM for commitments
2: DC: commit to k_DC & blinding: com_DC_BLIND(k_DC)
3: DC: confirm com_DC(k_DC): signature_DC(com_DC_BLIND(k_DC))
4: DC → DP: com_DC_BLIND(k_DC), signature_DC(com_DC_BLIND(k_DC))
5: DP: verify signature_DC
6: DP: blind com_DP(k_DP): com_DP_BLIND(k_DP) and confirm by signature_DP
7: DP: link commitments to d: tag’ := embed_sym(anonCredential_DC, com_DP_BLIND(k_DP) · com_DC_BLIND(k_DC), d)
8: DP → DC: tag’, signature_DP
9: DC: reveal tag := tag’ / blinding factor_DC

Slide 12


DETECTIVE: Protocol Verify

Reconstruct the delegation chain and verify enforcement of the embedding. Building blocks: PKI, commitments, digital signature, zero-knowledge proof. Parties: user (patient), CA, data provider (DP), data consumer (DC).

1: User → CA: request anonCredentials(rights_DC) for the delegated rights
2: User → DP: request com_DP_BLINDED(k_DP), pkDP_COM, and signature_DC
3: DP → User: com_DP_BLINDED(k_DP), pkDP_COM, and signature_DC
4: User → DP: request open(com_DP_BLINDED(k_DP))
5: DP → User: blinded k_DP
6: User: verify com_DP_BLINDED(k_DP)
7: User: verify signature_DC
8: User: extract com_DC(k_DC) from the tag
9: User ↔ DC: check correctness of com_DC(k_DC) by zero-knowledge proof
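The commitment arithmetic behind the Tag and Verify protocols (blinding, linking in Tag step 7, revealing in Tag step 9, opening and the zero-knowledge check in Verify steps 4-9), as an added toy example that is not the DETECTIVE implementation. It assumes Pedersen commitments in a hypothetical small group and a Schnorr-style proof of opening, and abstracts the watermark embedding away by treating the commitment value itself as the tag.

```python
import hashlib
import secrets
# Toy parameters (hypothetical, far too small for real use): safe prime p = 2q + 1 and
# two generators of the order-q subgroup; in practice log_g(h) must be unknown.
P, Q = 1019, 509
G, H = 4, 9

def commit(k, r):
    """Pedersen commitment com(k) = g^k * h^r mod p with randomness r."""
    return pow(G, k, P) * pow(H, r, P) % P

def blind(com, b):
    """Re-randomise a commitment with blinding factor b (com_BLIND)."""
    return com * pow(H, b, P) % P

def unblind(com, b):
    """Tag step 9: tag := tag' / blinding factor, i.e. remove h^b again."""
    return com * pow(pow(H, b, P), -1, P) % P

def link(com_dp, com_dc):
    """Tag step 7: the product of two commitments commits to k_DP + k_DC."""
    return com_dp * com_dc % P

def zk_prove(k, r):
    """Schnorr-style proof of knowing an opening (k, r) of commit(k, r); Fiat-Shamir."""
    a, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = commit(a, s)
    e = int(hashlib.sha256(f"{commit(k, r)}|{t}".encode()).hexdigest(), 16) % Q
    return t, (a + e * k) % Q, (s + e * r) % Q

def zk_verify(com, proof):
    """Verify step 9: g^z1 * h^z2 == t * com^e holds without revealing k or r."""
    t, z1, z2 = proof
    e = int(hashlib.sha256(f"{com}|{t}".encode()).hexdigest(), 16) % Q
    return commit(z1, z2) == t * pow(com, e, P) % P

def run_protocol():
    """Walk through the commitment steps of Tag and Verify; returns the three checks."""
    k_dp, r_dp, b_dp = (secrets.randbelow(Q) for _ in range(3))  # data provider DP
    k_dc, r_dc, b_dc = (secrets.randbelow(Q) for _ in range(3))  # data consumer DC
    com_dc_blind = blind(commit(k_dc, r_dc), b_dc)   # Tag 2: DC commits and blinds
    com_dp_blind = blind(commit(k_dp, r_dp), b_dp)   # Tag 6: DP blinds its commitment
    tag_prime = link(com_dp_blind, com_dc_blind)     # Tag 7: linked commitment in tag'
    tag = unblind(tag_prime, b_dc)                   # Tag 9: DC removes its blinding
    opening_ok = commit(k_dp, r_dp + b_dp) == com_dp_blind  # Verify 4-6: DP opens
    com_dc = tag * pow(com_dp_blind, -1, P) % P             # Verify 8: extract com_DC
    extraction_ok = com_dc == commit(k_dc, r_dc)
    zk_ok = zk_verify(com_dc, zk_prove(k_dc, r_dc))         # Verify 9: ZK proof by DC
    return opening_ok, extraction_ok, zk_ok
```

The homomorphic property is what lets the patient strip DP’s share out of the tag and still check DC’s commitment without learning k_DC.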

Slide 13


DETECTIVE: Proof-of-Concept Implementation

Case study: Telemedicine – consulting a clinic abroad

Slide 14


5. Safety of Data and Liveness of Services

Transparency by policy enforcement mechanisms (e.g. DETECTIVE):
  • Safety: authorized execution
  • Liveness: reachable states

[Figure: timeline t with the access request as the dividing point.]
Provisions: cover the time up to the access (“past and present”)
Obligations: cover the time after the access (“future”)
