Annual WorkshopFebruary 5th, 2014

[Koen Decroix – MSEC - KU Leuven]

A Formal Approach to Analyze Privacy in Electronic Services

MSECKoen Decroix

3

Outline

• Introducing Privacy in Loyalty Services• Conceptual model of inShopnito• Framework for Formal Reasoning on Privacy• Privacy Analysis of inShopnito• Conclusions

4

Introducing Privacy in Loyalty Systems

5

Ever wondered what companies know about you?

6

… Max Schrems, an Austrian student, did!

Now he sues Facebook for their data practices on the personal data they collected about him.

7

Once, there were small local family-run stores binding customers with …

8

… with the years, they were replaced by big chains also binding customers …

9

Authenticate

Share your shopping activities with friends on Facebook

For the convenience of their customers, loyalty services evolved to electronic services integrated with other online (third-party) services. Is this the full story?

10

When registering to such services, you agreed with their terms and policies and gave them your consent for collecting, processing, and forwarding your personal data.

Not transparent to users

11

Your past online activities leave non-erasable, possibly harmful, traces behind and might get spread around.

12

Citizens must be protected for these data practices.

This is where the European data protection legislation comes into play.

… designers have to consider multiple types of requirements

Complex

13

14

Need for formal modeling, as a support during design of composite services.

15

Privacy analysis is based on user profiles built from the formal models. Its feedback must be useful for system designers and users as well.

16

Conceptual Model of inShopnito

17

Collecting loyalty points at first glance.

18

From specifications of service providers’ data practices (= service policies), we can derive that …

… but looking into more detail …

20

Conceptual model of inShopnito

21

Framework for Formal Reasoning on Privacy

Conc

lusi

ons

Logi

c Co

mpo

nent

Vocabulary(Concepts) Behavior Inference Rules

System Independent Model

Inpu

t Mod

el

Identifiability Model

User Model System Model

Trust Perception

Credentials Profiles

Identities Pseudonyms

Initial State

Organizations Services

Service Policies

Access Control

Storage

Distribution Output

Theory

24

Privacy Analysis of inShopnito

25

Privacy Analysis - Feedback

Linkabilities

CollaborationsAttributes&

Violations

26

inShopnito modeled for two user types

No trust in organizationsTrusts• Grocery Store• Loyalty Program Provider• inShopnito

Advertisers are not trusted

Loyalty credential: Idemix what if X509 is used?

28

Linkabilities in inShopnito

Scan Product

No Collab No Collab GS <->LP X509

Grocery Store Anon Pseudo Pseudo Ident

inShopnito Anon Pseudo Pseudo Ident

Loyalty Provider Anon Pseudo Pseudo Ident

Advertiser Anon Pseudo Pseudo Ident

29

Detect Violations in inShopnito

Advertisers not allowed to have the customer’s his:1. Name2. Address3. eMail address

Violations of rules 1, 2, 3 are found only in case a X509 certificate is used in case of the user model

30

Conclusions

31

• It is a formal approach to analyze privacy power to prove properties

• Approach is useful during service design– privacy by design is one of the principles in EU reform of

data protection legislation.– analyzing linkabilities, collaborations, attributes in user

profiles.– verify compliance with legislative and corporate level

rules (detecting violations).

• Approach is useful for education of people– EU reform of data protection authorities get the task to

educate people. E.g., model a user that participates to a survey about Facebook. Afterwards, perform a privacy analysis based on his assumptions and present him the difference between what he thinks and what can happen.

32

Questions