ERCIM News No. 63, October 2005
SPECIAL: Security and Trust Management

Towards Privacy-Aware Identity Management

by Ernesto Damiani, Sabrina De Capitani di Vimercati and Pierangela Samarati

The overall goal of the PRIME project (Privacy and Identity Management for Europe) is the development of a privacy-enhanced identity management system that allows users to control the release of their personal information. The PRIME architecture includes an Access Control component allowing the enforcement of protection requirements on personal identifiable information (PII).

Nowadays, a global information infrastructure connects remote parties worldwide through the use of large-scale networks, relying on application-level protocols and services such as the World Wide Web. Human activities are increasingly based on the use of remote resources and services, and on the interaction between remotely located parties that may (and sometimes should) know little about each other. Because of the vast amount of personal information thus available, concerns are growing regarding the privacy of users: effective information sharing and dissemination can take place only if users have some assurance that disclosure of sensitive information is not a risk. Digital identity management is therefore of paramount importance for supporting successful interaction. A comprehensive identity management solution should provide complete support for the definition and the life-cycle management of digital identities and profiles, as well as infrastructure for exchanging and validating this information.

Emerging scenarios of user-service interactions in the digital world are also pushing toward the development of powerful and flexible privacy-enhanced access control models and languages. The need for privacy means that access control policies and models must be rethought, and new forms of authorization specification and enforcement developed. In particular, two major issues exist: i) access control needs to operate even when interacting parties wish to remain anonymous or to disclose only specific attributes about themselves; ii) data collected during access control as well as data stored by the different parties may contain sensitive information on which privacy policies need to be applied.

In the context of the PRIME project, our main task is the development of the Access Control Decision Function (ACDF) module, together with the definition of a privacy-aware model and language for specifying and enforcing protection requirements on PII.

The access control component is based on a simple and expressive language whose main features are summarized as follows:

  • Flexible and expressive access control rules. Access control rules make use of partial identities associated with users. It is also possible to specify access control rules relating to subjects accessing the information and to resources to be accessed, in terms of rich ontology-based metadata.
  • Interactive enforcement. An access control component may not have all the information it needs to decide whether or not access should be granted. On the other hand, requesters may not know in advance which information they need to present to get access. As a consequence, the access control process becomes a negotiation with the requester over the disclosure of additional personal information, leading to a final access decision.
  • Client-side restrictions. In addition to traditional server-side access control rules, users should be able to place restrictions on the use of their personal information once released to a third party. For this purpose, we introduce the notion of release policies governing the release of properties, credentials and PII of the party.
  • Anonymity and end-user control. The access control system enables full end-user control over the digital identity to be used. In other words, access control needs to operate even when interacting parties wish to remain anonymous or to disclose only specific attributes about themselves.
  • Interchangeable policy format. Parties need to specify protection requirements on the data they make available using a format that is readable by both humans and machines, and is easy to inspect and interchange. The language therefore has a simple declarative form.
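To make the interactive enforcement and client-side release policies concrete, here is a small added model (not PRIME's or the ACDF module's own code). The rules, the partial identity and the release policy are constructed for the example: the server answers "need" with the attributes it still lacks instead of denying, and the client's release policy decides, per recipient, which of those attributes it is willing to disclose.

```python
from typing import Callable, Dict

Predicate = Callable[[str], bool]

# Server-side rules (constructed sample): attributes a requester must present,
# with the predicate each value must satisfy. Nothing identifies the person.
RULES: Dict[str, Dict[str, Predicate]] = {
    "medical-record/123": {"role": lambda v: v == "physician",
                           "hospital": lambda v: v == "ClinicA"},
    "public-brochure": {},  # no attributes needed: fully anonymous access
}

def evaluate(rules, resource, disclosed):
    """Server side. Returns ("grant"|"deny"|"need", attrs). "need" lists the
    attributes not yet presented, so the server asks for them rather than
    denying outright (interactive enforcement)."""
    required = rules.get(resource)
    if required is None:
        return "deny", []
    missing = [a for a in required if a not in disclosed]
    if missing:
        return "need", missing
    failing = [a for a, ok in required.items() if not ok(disclosed[a])]
    return ("deny", failing) if failing else ("grant", [])

def release(policy, partial_identity, requested, recipient):
    """Client side. The user's release policy maps each attribute to the set of
    recipients it may go to ("*" = anyone); anything else is withheld."""
    return {a: partial_identity[a] for a in requested
            if a in partial_identity
            and policy.get(a, set()) & {recipient, "*"}}

def negotiate(rules, resource, partial_identity, policy, recipient, max_rounds=5):
    """Drive the negotiation: the server states what it needs, the client
    releases what its policy permits, until a final decision is reached."""
    disclosed = {}
    for _ in range(max_rounds):
        decision, attrs = evaluate(rules, resource, disclosed)
        if decision != "need":
            return decision, disclosed
        offered = release(policy, partial_identity, attrs, recipient)
        if not offered:
            return "deny", disclosed  # user will not disclose more: stop
        disclosed.update(offered)
    return "deny", disclosed

# Constructed partial identity and release policy for the example.
USER = {"name": "Alice", "role": "physician", "hospital": "ClinicA"}
POLICY = {"role": {"hospital.example"}, "hospital": {"*"}}  # name is never released
```

Note that a grant for the medical record discloses only the two attributes the rule asks for, never the name, and a recipient outside the release policy ends with a denial after the client withholds the role attribute.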

The ACDF module is under development and will be integrated with the PRIME architecture, which is being developed in collaboration by Compagnie IBM France, IBM Research GmbH (Switzerland), Unabhängiges Landeszentrum für Datenschutz (Germany), Technische Universität Dresden (Germany), Deutsche Lufthansa AG (Germany), Katholieke Universiteit Leuven (Belgium), T-Mobile Deutschland GmbH (Germany), Hewlett-Packard Ltd (UK), Karlstads Universitet (Sweden), Università degli Studi di Milano (Italy), Joint Research Centre (Italy), Centre National de la Recherche Scientifique (France), Johann Wolfgang Goethe Universität Frankfurt (Germany), Chaum LLC (USA), Rheinisch-Westfälische Technische Hochschule Aachen (Germany), Institut EURECOM (France), Erasmus Universiteit Rotterdam (The Netherlands), Stichting Katholieke Universiteit Brabant (The Netherlands), Fondazione Centro San Raffaele del Monte Tabor (Italy), and Swisscom AG (Switzerland).

Please contact:
Pierangela Samarati, Università degli Studi di Milano, Italy