An Economic Valuation Approach for (Privacy Enhancing) Identity Management Services

Session: The economics of privacy

FIA - Future Internet Assembly, 2011-05-18/19, Budapest, Hungary

Prof. Dr. Kai Rannenberg
T-Mobile Chair of Mobile Business & Multilateral Security
Goethe University Frankfurt, Germany
www.m-chair.net


Challenges to be addressed

Innovative business models for privacy

Pricing for/of privacy

Privacy as a service (product?)

An Economic valuation approach for privacy-enhancing Identity Management (IdM) services


Economic valuation of privacy-enhancing IdM services

Motivation:
• Valuation approach to overcome the shortcomings of decision making processes
• Decision making processes of IdM service providers on market introductions of (or investments in) privacy-enhancing IdM services

Results:
• Set of decision relevant economic consequences of adopting, mediating or providing privacy-enhancing IdM services
• An indication to which extent privacy-enhancing IdM services are economically feasible

Testing by:
• Real-life IdM infrastructure scenarios


Process & Structure Model

Process Model

Step 1: Description of the Baseline Option and feasible Delta Options

Step 2: Identification of each Stakeholder’s Costs and Benefits

Step 3: Selection of Key Costs and Benefits for each Stakeholder

Step 4: Clustering and Mapping of Key Costs and Benefits

Step 5: Assessment and Aggregation of clustered and mapped Key Costs and Benefits

Step 6: Visualisation of assessed and aggregated Key Costs and Benefits

Structure Model

Perspectives for each Stakeholder

Cost and Benefit Dimensions for private and institutional Perspectives

Costs and Benefits for each Dimension

Key Costs and Benefits

Cause Effect Chains for each Key Cost and Benefit

Weighting Factors for each Cause Effect Chain

Dimension Values

Decision Values


Identity Management Service Scenarios

[Figure labels: Baseline Option, Delta Option 1, Delta Option 2; Attribute Verification Service Scenario, Authentication Service Scenario, Privacy Policy Enforcement Service Scenario]


Results of the Valuation – Exemplary Application


[Figure labels: Dimension Values (Aggregated Costs & Benefits); Decision Values (Aggregated Dimension Values)]


Results of the Valuation - Summary


[Figure labels: Dimension Values; Decision Values; Attribute Verification Service Scenario, Authentication Service Scenario, Privacy Policy Enforcement Service Scenario]


Benefits: Summary

Takes into account monetary as well as non-monetary costs and benefits

Presents decision-relevant information in a simple and structured way without over-challenging the decision maker

Integrates perspectives of different stakeholders, so that interdependencies can be evaluated

Enables a stronger focus on (and integration of) privacy-effects on consumers as an essential factor for economic success


Benefits: Processing of input

Considers
• individual value perceptions of stakeholders to enable application field-specific valuations of IdM services
• interdependencies between costs and benefits by using cause-effect chains

Enables the aggregation of costs and benefits to a one dimensional decision factor

Offers a
• standardized and balanced evaluation approach by using predetermined holistic value-systems for stakeholders
• standardized procedure for a repeatedly occurring decision problem for a better comparison beyond company and department boundaries


Benefits: Organisation of decision making

Leads to an improved decision making basis and to a higher transparency of the decision making process

Reduces intuitive (and consequently highly subjective) valuations, or rather, makes them at least more transparent for others

Structures complex decision processes and simplifies a separation into transparent sub-aspects

Enables a
• division of work and thereby a specialization on sub-problems
• parallelization of separate evaluation- and decision-steps

Provides a structured basis for discussions within a decision making group

Considers impacts on the decision maker’s individual goals and overall strategy


Example (economic and business) concerns

Typical issues with regard to the dependence on the cloud computing provider:

1. Risks for availability and business continuity;
2. Absence of contracts between the customer and provider;
3. Lack of “power-balancing” regulation, that exists for other utilities.

www.cepis.org
www.cepis.org/index.jsp?p=641&n=825f
www.cepis.org/media/CEPIS_Cloud_Computing_Security_v172.pdf

2011 Statement
Cloud Computing Security and Privacy Issues

• Description of common characteristics of the identified most important services

• Possible threats to user’s information privacy & security

• What are the elements of trust, which are currently unsatisfied and what role can technology play

• Technology requirements & roadmap

• Law and policy driven design of technology that enables democratic structures and honours human rights and freedoms

• Validation of important services in the light of upcoming EU legislation

• Investigation of the economic and societal impact of new trustworthy ICT solutions

• Definition of a R&D project portfolio with impact.


Working Group meetings

June 15, Espoo, Finland


Conclusion and Outlook

New ICT services are coming ever closer to people.

Privacy requires e.g.
• Minimisation and decentralisation of data
• Empowering users (“Multilateral Security”) on e.g. data flows
• Privacy by Design
• Related economic analysis and regulation

PrimeLife Summit Event, 2011-06-07 Lucerne
www.sec2011.org

www.m-chair.net
www.primelife.eu
www.picos-project.eu
www.abc4trust.eu
www.fidis.net
www.prime-project.eu
