TothememoryofourcolleagueandfriendAndreasPfitzmann Theprotectionofpeople’sprivacywasdeartoAndreas’heart.Hewasan inspirationtoallofus,andmanyoftheresultspresentedinthisbookowetohim. Preface Publicationisaself-invasionofprivacy. MarshallMcLuhan IndividualsintheInformationSocietywanttosafeguardtheirautonomyandretain controlovertheirpersonalinformation,irrespectiveoftheiractivities.Information technologiesgenerallydonotconsiderthoseuserrequirements,therebyputtingthe privacyofthecitizenatrisk.Atthesametime,theInternetischangingfromaclient- servertoacollaborativeparadigm.Individualsarecontributingthroughouttheirlife leavingalife-longtraceofpersonaldata.Thisraisessubstantialnewprivacychal- lenges. Savingdigitalprivacy.By2008,theEuropeanprojectPRIME(PrivacyandIdentity Management for Europe) had demonstrated that existing privacy technologies can enable citizens to execute their legal rights to control their personal information inon-linetransactions.Ithadraisedconsiderableawarenessamongststakeholders andhassignificantlyadvancedthestateoftheartintheareasofprivacyandidentity management.PrimeLifehasbeenbuildingonthemomentumcreatedandtheresults achieved by PRIME to address emerging challenges in the areas of privacy and identitymanagementandreallybringprivacyandidentitymanagementtolive: A first, short-term goal of PrimeLife was to provide scalable and configurable • privacyandidentitymanagementinnewandemerginginternetservicesandap- plicationssuchasvirtualcommunitiesandWeb2.0collaborativeapplications. Asecond,longer-termgoalofPrimeLifewastoprotecttheprivacyofindividuals • overtheirwholespanoflife.Eachindividualleavesamultitudeoftracesduring alifetimeofdigitalinteractions.Technologicaladvancementsfacilitateextensive datacollection,unlimitedstorage,aswellasreuseandlife-longlinkageofthese digitaltraces. A third goal of PrimeLife was to support privacy and identity management by • progressingthestateofthearton – toolsguaranteeingprivacyandtrust, vii viii Preface – theusabilityexperienceofprivacyandidentitymanagementsolutions, – securityandprivacypolicysystems,and – privacy-enablinginfrastructures. ThelastbutcertainlyimportantgoalofPrimeLifewastodisseminateourresults • andenabletheiruseinreallife.WeorganizedinterdisciplinarySummerSchools of Privacy, organized and participated in standardization groups and meetings, and made the source code and documentation of most of our prototypes and implementationsavailableforfreeuse. ThisBook.AftermorethanthreeyearsofworkinPrimeLife,thisbookaimsatgiv- inganoverviewoftheresultsachieved.Itisthereforestructuredintoanintroduction andsixpartscoveringthemostimportantareasofprivacyandidentitymanagement consideringthelifeoftoday:Severalaspectsof“PrivacyinLife”arediscussedin Part I, followed by Part II “Mechanisms for Privacy.” Part III is dedicated to “Hu- manComputerInteraction(HCI),”andPartIVto“PolicyLanguage.”PartVfocuses on“InfrastructuresforPrivacyandIdentityManagement,”beforePartVI“Privacy Live” comes full circle describing how PrimeLife is reaching out to the life of to- day’sandthefuture’snetizens. Acknowledgements. Editing and writing a multidisciplinary book like this is not possible without many contributors that dedicated their knowledge, expertise, and time to make the work a success. Among the many people that worked on this PrimeLifebook,wewouldliketogiveaspecialthanksto: The partner organisations and individual researchers in PrimeLife that con- • tributedtothisbookandtheunderlyingPrimeLifedeliverables.Theycomefrom 7MemberStatesoftheEuropeanUnion,Switzerland,andtheUSA. ElsvanHerreweghenwhowasinstrumentalinwritingandsubmittingtheproject • proposalandDieterSommerwhodidawonderfuljobascoordinator. TheinternationalteamofreviewersthatasfriendsofPrimeLifededicatedtheir • time to improve and streamline the parts of this book. We are particularly grateful to Bart De Decker, Ian Glazer, David-Olivier Jaquet-Chiffelle, Vaclav Matyas, Vincent Naessens, Lasse Øverlier, Jakob Pagter, Michael Pedersen, ClaireVishik,andJozefVyskocfortheirmostvaluablecommentsandsugges- tions. Thepeoplewhohelpedtocreatethisbook: • – MichelleCryerfortransformingmuchofthenerds’Englishinthedraftver- sionsofthisbookintoEnglish. – The PrimeLife “Activity Leaders” Katrin Borcea-Pfitzmann, Sandra Stein- brecher,PierangelaSamarati,GregoryNeven,Go¨khanBal,andMaritHansen for their support and coordination of the respective parts. Gregory also pro- videdthelatextemplatesandwisdomonhowtoputthedifferentchaptersand partstogetherintothisbook. Preface ix – Our colleagues at IBM Research – Zurich, Karlstad University, and Goethe University Frankfurt for keeping our backs covered when we were working onthisbook. – SaskiaWerdmu¨llerforthefinalcheckingofthemanuscript. – ChristianRauscheratSpringerforhelpinguswithpublicationofthebook. The European Commission for funding PrimeLife and our Project Officers • Manuel Carvalhosa and Maria-Concepcion Anton-Garcia, their management, Jacques Bus, Jesus Villasante, Thomas Skordas, Gustav Kalbe, and Dirk van Rooy, and the project reviewers Jean-Marc Dinant, Alberto Escudero-Pascual, andMassimoFeliciformostvaluablefeedbackandencouragement. Last,butcertainlynotleast,allthemembersofthePrimeLifeReferenceGroup • formanyinspiringdiscussionsandlotsofvaluableandhelpfulfeedback. Wehopethatthisbookwillcontributetotheunderstandingthatdigitalprivacycan beareality:Manytoolsexistandarewaitingtobedeployedinpractise. Zurich,Karlstad,Frankfurt, JanCamenisch March2011 SimoneFischer-Hu¨bner KaiRannenberg x Preface ListofContributorstothisBook StefanoParaboschi,GerardoPelosi,MarioVerdicchio Universita` degliStudidiBergamo,DIIMM VialeMarconi25,Dalmine,I-24044 CorneliaGraf,ChristinaHochleitner,ManfredTscheligi,PeterWolkerstorfer CURE–CenterforUsabilityResearchandEngineering Modecenterstrasse17,Vienna,A-1110 Katrin Borcea-Pfitzmann, Jaromir Dobias, Benjamin Kellermann, Stefan Ko¨psell,AndreasPfitzmann,StefaniePo¨tzsch,SandraSteinbrecher DresdenUniversityofTechnology,DepartmentofComputerScience No¨thnitzerStrasse46,Dresden,D-01187 Marc-MichaelBergfeld,StephanSpitz Giesecke&Devrient Prinzregentenstrasse159,Mu¨nchen,D-81677 Go¨khanBal,SaschaKoschinat,KaiRannenberg,ChristianWeber GoetheUniversityFrankfurt,ChairofMobileBusiness&MultilateralSecurity Gru¨neburgplatz1,Frankfurt/Main,D-60629 JanCamenisch,MariaDubovitskaya,GregoryNeven,Franz-StefanPreiss IBMResearch–Zurich Sa¨umerstrasse4,Ru¨schlikon,CH-8803 JulioAngulo KarlstadUniversity,DepartmentofInformationSystems Universitetsgatan2,Karlstad,S-65188 SimoneFischer-Hu¨bner,HansHedbom,TobiasPulls KarlstadUniversity,DepartmentofComputerScience Universitetsgatan2,Karlstad,S-65188 ErikWa¨stlund KarlstadUniversity,DepartmentofPsychology Universitetsgatan2,Karlstad,S-65188 FilipeBeato,MarkulfKohlweiss,JornLapon,StefanSchiffner,KarelWouters KatholiekeUniversiteitLeuven,ESAT-COSIC KasteelparkArenberg10,Leuven,B-3001 LaurentBussard,UlrichPinsdorf MicrosoftEMIC Preface xi Ritterstrasse23,Aachen,D-52072 ClaudioA.Ardagna,SabrinaDeCapitanidiVimercati,SaraForesti,Giovanni Livraga,ErosPedrini,PierangelaSamarati Universita` degliStudidiMilano,Dip.diTecnologiedell’Informazione ViaBramante65,Crema,I-26013 MicheleBezzi,AkramNjeh,StuartShort,SlimTrabelsi SAPLabsFrance 805,AvenueduDocteurMauriceDonat,BP1216,MouginsCedex,F-06254 BibivandenBerg,LauraKlaming,RonaldLeenes,ArnoldRoosendaal UniversiteitvanTilburg,TILT Postbus90153,Tilburg,NL-5000LE Marit Hansen, Leif-Erik Holtz, Ulrich Ko¨nig, Sebastian Meissner, Jan Schallabo¨ck,KatalinStorf,HaraldZwingelberg Unabha¨ngigesLandeszentrumfu¨rDatenschutzSchleswig-Holstein Holstenstrasse98,Kiel,D-24103 CarineBournez,DaveRaggett,RigoWenning WorldWideWebConsortium(W3C) RoutedesLucioles,BP93,Sophia-Antipolis,F-06902 Contents Introduction 1 PrimeLife.................................................. 5 AndreasPfitzmann,KatrinBorcea-Pfitzmann,andJanCamenisch 1.1 Motivation ............................................... 5 1.2 VisionandObjectivesofthePrimeLifeProject................. 7 1.3 DefiningPrivacy .......................................... 8 1.4 FromIdentityviaIdentityManagementtoPrivacybyIdentity Management ............................................. 9 1.4.1 Identity–WhatItIs ............................... 10 1.4.2 PresentationofIdentities–Pseudonyms............... 13 1.4.3 TimeAspectsofIdentityManagementandPrivacy ..... 17 1.5 FurtherFacetsofPrivacy ................................... 19 1.6 HowtoProtectPrivacyandPrimeLife’sContributions .......... 20 1.6.1 PartI-PrivacyinLife.............................. 22 1.6.2 PartII-MechanismstoEnablePrivacy ............... 22 1.6.3 PartIII-UserInterfacesforPrivacyManagement ...... 23 1.6.4 PartIV-PoliciestoControlPrivacy.................. 24 1.6.5 PartVI-InfrastructuresforPrivacy .................. 25 1.6.6 PartVII-PrivacyLive!............................. 25 ReferencesIntroduction............................................. 27 PartI PrivacyinLife 2 PrivacyinSocialSoftware .................................... 33 Bibi van den Berg, Stefanie Po¨tzsch, Ronald Leenes, Katrin Borcea-Pfitzmann,andFilipeBeato 2.1 ScenariosandRequirements ................................ 33 2.1.1 Scenario1:ASocialNetworkSite ................... 35 2.1.2 Scenario2:AForum............................... 36 xiii xiv Contents 2.1.3 GeneralRequirements.............................. 36 2.2 TwoPrototypesforPrivacy-EnhancedSocialNetworking........ 37 2.2.1 Introduction ...................................... 37 2.2.2 PrivacyIssuesinSocialNetworkSites................ 38 2.2.3 Clique:AnOverview .............................. 42 2.2.4 Scramble!:AnOverview ........................... 46 2.3 Privacy-EnhancingSelectiveAccessControlforForums ........ 50 2.3.1 Objectives........................................ 50 2.3.2 Introducing phpBB Forum Software and PRIME Framework....................................... 51 2.3.3 ExtendingphpBBwithSelectiveAccessControl ....... 52 2.3.4 ScenarioRevisited................................. 54 2.3.5 Privacy-AwarenessInformation...................... 55 2.3.6 UserSurvey ...................................... 55 2.4 ConcludingRemarks ...................................... 59 2.5 Acknowledgements ....................................... 60 3 TrustworthinessofOnlineContent............................. 61 JanCamenisch,SandraSteinbrecher,RonaldLeenes,StefaniePo¨tzsch, BenjaminKellermann,andLauraKlaming 3.1 Introduction.............................................. 61 3.2 Scenariosandrequirements................................. 63 3.2.1 Scenarios ........................................ 63 3.2.2 High-levelmechanisms............................. 65 3.2.3 Requirementsofmechanisms ....................... 66 3.3 Experiments.............................................. 70 3.3.1 Bindingmetadatatodata ........................... 71 3.3.2 UserReputationandCertification .................... 74 3.4 Demonstrators............................................ 76 3.4.1 TrustworthyBlogging.............................. 76 3.4.2 EncouragingCommentswithIncentives............... 78 3.4.3 Author reputation system and trust evaluation of contentinMediaWiki .............................. 80 3.5 ConclusiveRemarks....................................... 84 3.6 Acknowledgements ....................................... 85 4 IdentityandPrivacyIssuesThroughoutLife..................... 87 JaromirDobias,MaritHansen,StefanKo¨psell,MarenRaguse,Arnold Roosendaal,AndreasPfitzmann,SandraSteinbrecher,KatalinStorf, andHaraldZwingelberg 4.1 ChallengesandRequirements ............................... 87 4.1.1 DealingwithDynamics ............................ 87 4.1.2 DigitalFootprint .................................. 91 4.1.3 ConceptsforDelegation............................ 94 4.2 Demonstrator............................................. 99 4.2.1 OverviewoftheBackupDemonstratorArchitecture.....102