7 12 2014 Revised Selected Papers 1st Edition Jan Camenisch
Visit to download the full and correct content document: https://textbookfull.com/product/privacy-and-identity-management-for-the-future-intern et-in-the-age-of-globalisation-9th-ifip-wg-9-2-9-5-9-6-11-7-11-4-11-6-sig-9-2-2-internat ional-summer-school-patras-greece-september-7-12-2014-revis/
More products digital (pdf, epub, mobi) instant download maybe you interests ...
Privacy and Identity Management Time for a Revolution
10th IFIP WG 9 2 9 5 9 6 11 7 11 4 11 6 SIG 9 2 2
International Summer School Edinburgh UK August 16 21 2015 Revised Selected Papers 1st Edition David Aspinall
https://textbookfull.com/product/privacy-and-identity-managementtime-for-a-revolution-10th-ifipwg-9-2-9-5-9-6-11-7-11-4-11-6-sig-9-2-2-international-summerschool-edinburgh-uk-august-16-21-2015-revised-selectedpapers-1st-edition-d/
Data Driven Process Discovery and Analysis 5th IFIP WG 2 6 International Symposium SIMPDA 2015 Vienna Austria December 9 11 2015 Revised Selected Papers 1st Edition
Paolo Ceravolo
https://textbookfull.com/product/data-driven-process-discoveryand-analysis-5th-ifip-wg-2-6-international-symposiumsimpda-2015-vienna-austria-december-9-11-2015-revised-selectedpapers-1st-edition-paolo-ceravolo/
Advances in
Digital Forensics XVI 16th IFIP WG 11 9
International Conference New Delhi India January 6 8 2020 Revised Selected Papers Gilbert Peterson
https://textbookfull.com/product/advances-in-digital-forensicsxvi-16th-ifip-wg-11-9-international-conference-new-delhi-indiajanuary-6-8-2020-revised-selected-papers-gilbert-peterson/
Logic Based Program Synthesis and Transformation 24th
International Symposium LOPSTR 2014 Canterbury UK September 9 11 2014 Revised Selected Papers 1st Edition
Maurizio Proietti
https://textbookfull.com/product/logic-based-program-synthesisand-transformation-24th-international-symposiumlopstr-2014-canterbury-uk-september-9-11-2014-revised-selectedpapers-1st-edition-maurizio-proietti/
Testing Software and Systems 32nd IFIP WG 6 1
International Conference ICTSS 2020 Naples Italy December 9 11 2020 Proceedings Valentina Casola
https://textbookfull.com/product/testing-software-andsystems-32nd-ifip-wg-6-1-international-conferenceictss-2020-naples-italy-december-9-11-2020-proceedings-valentinacasola/
Semantic Technology 4th Joint International Conference
JIST 2014 Chiang Mai Thailand November 9 11 2014 Revised Selected Papers 1st Edition Thepchai Supnithi
https://textbookfull.com/product/semantic-technology-4th-jointinternational-conference-jist-2014-chiang-mai-thailandnovember-9-11-2014-revised-selected-papers-1st-edition-thepchaisupnithi/
Security and Privacy Second
ISEA International Conference ISEA ISAP 2018 Jaipur India January 9 11 2019 Revised Selected Papers Sukumar Nandi
https://textbookfull.com/product/security-and-privacy-secondisea-international-conference-isea-isap-2018-jaipur-indiajanuary-9-11-2019-revised-selected-papers-sukumar-nandi/
Advances in Communication Networking 20th EUNICE IFIP
EG 6 2 6 6 International Workshop Rennes France
September 1 5 2014 Revised Selected Papers 1st Edition
Yvon Kermarrec (Eds.)
https://textbookfull.com/product/advances-in-communicationnetworking-20th-eunice-ifip-eg-6-2-6-6-international-workshoprennes-france-september-1-5-2014-revised-selected-papers-1stedition-yvon-kermarrec-eds/
Languages and Compilers for Parallel Computing 28th
International Workshop LCPC 2015 Raleigh NC USA September 9 11 2015 Revised Selected Papers 1st Edition
Xipeng Shen
https://textbookfull.com/product/languages-and-compilers-forparallel-computing-28th-international-workshop-lcpc-2015-raleighnc-usa-september-9-11-2015-revised-selected-papers-1st-editionxipeng-shen/
Jan Camenisch Simone Fischer-Hübner Marit Hansen (Eds.)
Privacy and Identity Management for the Future Internet in the Age of Globalisation 9th IFIP WG 9.2, 9.5, 9.6/11.7, 11.4, 11.6/SIG 9.2.2 International Summer School Patras, Greece, September 7–12, 2014 Revised Selected Papers
123 TU T O RIA L IFIPAdvancesinInformation andCommunicationTechnology457 Editor-in-Chief
KaiRannenberg,GoetheUniversity,Frankfurt,Germany
EditorialBoard
FoundationsofComputerScience
JacquesSakarovitch,TélécomParisTech,France
Software:TheoryandPractice
MichaelGoedicke,UniversityofDuisburg-Essen,Germany Education
ArthurTatnall,VictoriaUniversity,Melbourne,Australia
InformationTechnologyApplications
ErichJ.Neuhold,UniversityofVienna,Austria CommunicationSystems
AikoPras,UniversityofTwente,Enschede,TheNetherlands SystemModelingandOptimization
FrediTröltzsch,TUBerlin,Germany InformationSystems
JanPries-Heje,RoskildeUniversity,Denmark ICTandSociety
DianeWhitehouse,TheCastlegateConsultancy,Malton,UK ComputerSystemsTechnology
RicardoReis,FederalUniversityofRioGrandedoSul,PortoAlegre,Brazil SecurityandPrivacyProtectioninInformationProcessingSystems
YukoMurayama,IwatePrefecturalUniversity,Japan
Arti ficialIntelligence
TharamDillon,CurtinUniversity,Bentley,Australia
Human-ComputerInteraction
JanGulliksen,KTHRoyalInstituteofTechnology,Stockholm,Sweden
EntertainmentComputing
MatthiasRauterberg,EindhovenUniversityofTechnology,TheNetherlands
IFIP – TheInternationalFederationforInformationProcessing IFIPwasfoundedin1960undertheauspicesofUNESCO,followingtheFirstWorld ComputerCongressheldinParisthepreviousyear.Anumbrellaorganizationfor societiesworkingininformationprocessing,IFIP’saimistwo-fold:tosupportinformationprocessingwithinitsmembercountriesandtoencouragetechnologytransferto developingnations.Asitsmissionstatementclearlystates,
IFIP’smissionistobetheleading,trulyinternational,apoliticalorganizationwhich encouragesandassistsinthedevelopment,exploitationandapplicationofinformationtechnologyforthebenefitofallpeople.
IFIPisanon-profitmakingorganization,runalmostsolelyby2500volunteers.It operatesthroughanumberoftechnicalcommittees,whichorganizeeventsandpublications.IFIP’seventsrangefromaninternationalcongresstolocalseminars,butthe mostimportantare:
• TheIFIPWorldComputerCongress,heldeverysecondyear;
• Openconferences;
• Workingconferences.
The flagshipeventistheIFIPWorldComputerCongress,atwhichbothinvitedand contributedpapersarepresented.Contributedpapersarerigorouslyrefereedandthe rejectionrateishigh.
AswiththeCongress,participationintheopenconferencesisopentoalland papersmaybeinvitedorsubmitted.Again,submittedpapersarestringentlyrefereed.
Theworkingconferencesarestructureddifferently.Theyareusuallyrunbya workinggroupandattendanceissmallandbyinvitationonly.Theirpurposeisto createanatmosphereconducivetoinnovationanddevelopment.Refereeingisalso rigorousandpapersaresubjectedtoextensivegroupdiscussion.
PublicationsarisingfromIFIPeventsvary.ThepaperspresentedattheIFIPWorld ComputerCongressandatopenconferencesarepublishedasconferenceproceedings, whiletheresultsoftheworkingconferencesareoftenpublishedascollectionsof selectedandeditedpapers.
Anynationalsocietywhoseprimaryactivityisaboutinformationprocessingmay applytobecomeafullmemberofIFIP,althoughfullmembershipisrestrictedtoone societypercountry.FullmembersareentitledtovoteattheannualGeneralAssembly, Nationalsocietiespreferringalesscommittedinvolvementmayapplyforassociateor correspondingmembership.Associatemembersenjoythesamebenefitsasfullmembers,butwithoutvotingrights.CorrespondingmembersarenotrepresentedinIFIP bodies.Affiliatedmembershipisopentonon-nationalsocieties,andindividualand honorarymembershipschemesarealsooffered.
Moreinformationaboutthisseriesathttp://www.springer.com/series/6102
JanCamenisch • SimoneFischer-Hübner MaritHansen(Eds.)
9thIFIPWG9.2,9.5,9.6/11.7,11.4,11.6/SIG9.2.2 InternationalSummerSchool Patras,Greece,September7–12,2014
RevisedSelectedPapers
Editors
JanCamenisch
IBMResearchZurich
Rüschlikon
Switzerland
SimoneFischer-Hübner
KarlstadUniversity
Karlstad
Sweden
MaritHansen
UnabhängigesLandeszentrum fürDatenschutzSchleswig-Holstein (ULD)
Kiel Germany
ISSN1868-4238ISSN1868-422X(electronic)
IFIPAdvancesinInformationandCommunicationTechnology
ISBN978-3-319-18620-7ISBN978-3-319-18621-4(eBook) DOI10.1007/978-3-319-18621-4
LibraryofCongressControlNumber:2015938757
SpringerChamHeidelbergNewYorkDordrechtLondon © IFIPInternationalFederationforInformationProcessing2015 Thisworkissubjecttocopyright.AllrightsarereservedbythePublisher,whetherthewholeorpartofthe materialisconcerned,specificallytherightsoftranslation,reprinting,reuseofillustrations,recitation, broadcasting,reproductiononmicrofilmsorinanyotherphysicalway,andtransmissionorinformation storageandretrieval,electronicadaptation,computersoftware,orbysimilarordissimilarmethodologynow knownorhereafterdeveloped.
Theuseofgeneraldescriptivenames,registerednames,trademarks,servicemarks,etc.inthispublication doesnotimply,evenintheabsenceofaspecificstatement,thatsuchnamesareexemptfromtherelevant protectivelawsandregulationsandthereforefreeforgeneraluse.
Thepublisher,theauthorsandtheeditorsaresafetoassumethattheadviceandinformationinthisbookare believedtobetrueandaccurateatthedateofpublication.Neitherthepublishernortheauthorsortheeditors giveawarranty,expressorimplied,withrespecttothematerialcontainedhereinorforanyerrorsor omissionsthatmayhavebeenmade.
Printedonacid-freepaper
SpringerInternationalPublishingAGSwitzerlandispartofSpringerScience+BusinessMedia (www.springer.com)
Preface Newtechnologiessuchassocialmedia,cloudcomputing,bigdata,andubiquitousand ambienttechnologiesoperateonaglobalscale,theirusenotonlytouchesthecountries wheretheyoriginate(inmanycases,theUSA),butindividualsandgroupsaroundthe globe.Therecentrevelationsregardingthesurveillancepracticesfurtherprovethat personaldataiscommunicated,collected,andprocessedonaglobalscale.Privacyand identitymanagementissueshavehencebecomeglobalissuesrequiringtheattentionof multipledisciplines,bothtechnical(computerscience,cryptography)andnon-technical (law,ethics,socialsciences,philosophy),andtheneedtolookbeyondnationalborders.
Now,howcantheindividuals’ privacyrightsbeachievedeffectivelyinaglobalizinginformationsocietyinwhichbothstatesandprivateenterprisesexhibitgreatdata hunger?Whattechnologies,frameworks,andtoolsdoweneedtogain,regain,and maintaininformationalself-determinationandlifelongprivacy?Dowehavetoadvance theconceptsofprivacyandidentitymanagementinthisquicklyevolvingworld?
ThesequestionsandmanyotherswereaddressedbytheIFIPSummerSchool2014 onPrivacyandIdentityManagementfortheFutureInternetintheAgeofGlobalization.TheSummerSchoolorganizationwasajointeffsortofIFIP(International FederationforInformationProcessing,WorkingGroups9.2,9.5,9.6/11.7,11.4,11.6, SpecialInterestGroup9.2.2),theUniversityofPatras,Kritiki,andtheEUresearch projectsABC4Trust,A4Cloud,AU2EU,PRISMS,andFutureID.
TheaimoftheIFIPSummerSchoolistraditionallymanifold:toincreasethe researchcommunityinprivacyandidentitymanagement,tofurtherresearch,andto enabletheupdateofprivacy-enhancingtechnologies.Toaddressthis,theschoolhas invitedanumberofkeynotespeakersandheldsessionswithcontributedpapersand workshopsdedicatedtothediscussionofparticulartopics.
Thistime,thesummerschoolwashonoredtohavekeynotepresentationsby RehabAlnemr,KimCameron,MichaelFriedewald,ZoiKolitsi,GeorgeMetakides, MaritHansen,JoachimMeyer,GregoryNeven,ChristineO’Keefe,BartPreneel, NadyaPurtova,KaiRannenberg,MarcvanLieshout,andAimeevanWynsberghe. Thankyouallforyourgreattalks!
Complementingthekeynotes,thesummerschoolfeaturedanumberofparallel workshopsessions.Elevenofthesewerededicatedtothepresentationanddiscussion ofthepapersselectedfromthesubmissions.Inadditiontothis,therewereanumberof otherworkshopswheretopicswerediscussed.
TheABC4Trustprojectarrangedforfourworkshopsessionsdiscussingdifferent aspectsofattributed-basedcredentialssupportingprivacy(Privacy-ABCs).The fi rst workshopsessionfocusedonnewapplicationscenariosandstoragedevicesforcredentialssuchasmobiledevicesandsmartcards.Thesecondonediscussedthepractical useofinspectionandrevocationinthecontextofanonymouscredentials.Thethird workshopsessionwasconcernedwithdataprotectionandprivacyrequirementsaswell asthelegalcontextforPrivacy-ABCs.Inthefourthsession,theparticipantscouldget
theirhandsonthePrivacy-ABCs:itwasexplainedhowtodownloadandinstallthe codeavailablefromtheABC4Trustrepositoryandhowtobuildapplicationson topofit.
TheA4Cloudprojectgaveatutorialonaccountabilitymetricsandtoolsthathave beendevelopedwithintheA4Cloudproject.
Finally,aSmartSocietyProjectworkshopwasheldonethicalaspects,privacyrisks, andtechnicalprivacysolutionsinrelationtoPeerProfilinginCollectiveAdaptive Systems.
Thisbookcontainsthethoroughlyrefereedpost-conferenceproceedingsofthe summerschool.Inparticular,itcontainsrevisedpapersselectedfromnumeroussubmissions.Inthe firstround,submittedpaperswerereviewedandselectedforpresentationatthesummerschool.Mostofthesepaperswererevisedbasedonthecomments anddiscussionsatthesummerschoolandhaveundergoneasecondthoroughroundof review(by2to5reviewers),selection,andrevisiontobeincludedinthepresent proceedings.
Inadditiontothesepapers,theproceedingscontainfourkeynotepapers: “Privacy andSecurityPerceptionsofEuropeanCitizens:ATestoftheTrade-offModel” by MichaelFriedewald,MarcvanLieshout,SvenRung,MerelOoms,andJelmerYpma, “TowardsanEngineeringModelofPrivacy-RelatedDecisions” byJoachimMeyer, “PrivacyandConfi dentialityinServiceScienceandBigDataAnalytics” byChristine O’Keefe,and “ABC4Trust:ProtectingPrivacyinIdentityManagementbyBringing Privacy-ABCsintoReal-life” byAhmadSabouriandKaiRannenberg.
Finally,theProgramCommitteeChairsselectedthepaperentitled “EventInvitationsinDecentralizedOnlineSocialNetworks:FormalizationandProtocolDesign” by GuillermoRodríguez-Canoetal.fortheBestStudentPaperAward.Congratulations Guillermo!
Weexpressourgratitudetothenumerouspeoplewhomadethesummerschoolsuch asuccess:alltheauthorswhosubmittedpapers,thekeynotespeakers,theparticipants, and,lastbutclearlynotleast,themembersoftheorganizingandtheProgramand SteeringCommitteesaswellastheadditionalreviewers.Inparticular,weowespecial thankstotheLocalOrganizersfromtheUniversityofPatras,PanagiotaPanagopoulou, VasiaLiagkou,andYannisStamatiou,fortheirgreathospitalityandsupport.
Thankyou!
March2015JanCamenisch
SimoneFischer-Hübner MaritHansen
Organization ProgramCommittee
KarinBernsmedSINTEF,Norway
FranziskaBoehmMünsterUniversity,Germany
KatrinBorcea-P fitzmannTechnischeUniversitätDresden,Germany
CasparBowdenPrivacyAdvocate,UK
IanBrownOxfordUniversity,UK
SonjaBucheggerRoyalInstituteofTechnology(KTH),Sweden
JanCamenischIBMResearch,Switzerland
BartDeDeckerKatholiekeUniversiteitLeuven,Belgium PennyDuquenoyMiddlesexUniversity,UK
DavidErdosUniversityofCambridge,UK
SimoneFischer-HübnerKarlstadUniversity,Sweden
SaraForestiUniversityofMilan,Italy
MichaelFriedewaldFraunhoferInstituteforSystemsandInnovation Research(ISI),Germany
LotharFritschNorwegianComputerCenter,Norway
ThomasGrossNewcastleUniversity,UK
MaritHansenUnabhängigesLandeszentrumfürDatenschutz
Schleswig-Holstein(ULD),Germany
Jaap-HenkHoepmanRadboudUniversity,TheNetherlands
Bert-JaapKoopsTilburgUniversity,TheNetherlands EleniKostaTilburgUniversity,TheNetherlands
IoannisKrontirisHuaweiTechnologiesCo.Ltd.,Germany
LouiseLeenenCSIR,SouthAfrica
RonaldLeenesTilburgUniversity,TheNetherlands
VasilikiLiagkouUniversityofPatras,Greece
Refi kMolvaEurecom,France
MaartjeNiezenTilburgUniversity,TheNetherlands
NorbertoPatrignaniPolitecnicodiTorino,Italy
SianiPearsonHPLabs,UK
CharlesRaabEdinburghUniversity,UK
JohannekeSiljeeTNO,TheNetherlands
EinarSnekkenesGjøvikUniversityCollege,Norway
BibiVanDenBergLeidenUniversity,TheNetherlands
JozefVyskocVaF,SlovakRepublic
DianeWhitehouseTheCastlegateConsultancy,UK
DavidWrightTrilateralResearch&Consulting,UK
ErikWästlundKarlstadUniversity,Sweden
TalZarskyHaifaUniversity,Israel
Rose-Mharie ÅhlfeldtUniversityofSkövde,Sweden
Melek ÖnenEurecom,France
AdditionalReviewers
Milutinovic,Milica Put,Andreas
InvitedKeynotePapers
ABC4Trust:ProtectingPrivacyinIdentityManagementbyBringing Privacy-ABCsintoReal-Life..................................3 AhmadSabouriandKaiRannenberg
TowardsanEngineeringModelofPrivacy-RelatedDecisions............17 JoachimMeyer
TheValueofPersonalData...................................26 MarcvanLieshout
PrivacyandSecurityPerceptionsofEuropeanCitizens: ATestoftheTrade-OffModel.................................39 MichaelFriedewald,MarcvanLieshout,SvenRung,MerelOoms, andJelmerYpma
PrivacyandConfidentialityinServiceScienceandBigDataAnalytics.....54 ChristineM.O’Keefe
LegalPrivacyAspectsandTechnicalConcepts
TheCourtofJusticeoftheEuropeanUnion,DataRetentionandtheRights toDataProtectionandPrivacy – WhereAreWeNow?................73
FelixBieker
EUROSUR – ASci-fiBorderZonePatrolledbyDrones?..............87 DanielDeibler
AnonymousePetitions – AnotherStepTowardseDemocracy............110 HannahObersteller
ABriefEvaluationofIconsintheFirstReadingoftheEuropeanParliament onCOM(2012)0011.......................................125 JohnSörenPettersson
PrivacybyDesignandPrivacyPatterns
PrivacybyDesign – TheCaseofAutomatedBorderControl............139 PagonaTsormpatzoudi,DianaDimitrova,JessicaSchroers, andElsKindt
PatternsinPrivacy-APattern-BasedApproachforAssessments.........153
JörnKahrmannandInaSchiering
PrivacyTechnologiesandProtocols
ASurveyonMultimodalBiometricsandtheProtection ofTheirTemplates.........................................169
Christina-AngelikiToliandBartPreneel
EventInvitationsinPrivacy-PreservingDOSNs:Formalization andProtocolDesign........................................185
GuillermoRodríguez-Cano,BenjaminGreschbach,andSonjaBuchegger
BlankDigitalSignatures:OptimizationandPracticalExperiences.........201
DavidDerler,ChristianHanser,andDanielSlamanig
ProjectWorkshopsandTutorialPapers
ToolsforCloudAccountability:A4CloudTutorial...................219
CarmenFernandez-Gago,VasilisTountopoulos,SimoneFischer-Hübner, RehabAlnemr,DavidNuñez,JulioAngulo,TobiasPulls, andTheoKoulouris
PrivacyforPeerProfilinginCollectiveAdaptiveSystems..............237
MarkHartswood,MarinaJirotka,RonaldChenu-Abente,AlethiaHume, FaustoGiunchiglia,LeonardoA.Martucci,andSimoneFischer-Hübner
ABC4TrustWorkshoponCoreFeaturesofPrivacy-ABCs,PracticalUse, andLegalIssues...........................................253
FelixBieker,MaritHansen,GertLæssøeMikkelsen, andHannahObersteller
AuthorIndex
InvitedKeynotePapers AhmadSabouri(B) andKaiRannenberg
DeutscheTelekomChairofMobileBusinessandMultilateralSecurity, GoetheUniversityFrankfurt,Theodor-W.-Adorno-Platz4,60323Frankfurt,Germany {Ahmad.Sabouri,Kai.Rannenberg}@m-chair.de https://www.abc4trust.eu
Abstract. SecurityoftheIdentityManagementsystemorprivacyof theusers?Whynotboth?Privacy-preservingAttribute-basedCredentials(Privacy-ABCs)cancopewiththisdilemmaandofferabasisfor privacy-respectingIdentityManagementsystems.
ThispaperexplainsthedistinctfeaturesofPrivacy-ABCsasimplementedintheEU-sponsoredABC4TrustprojectviaexampleusagescenariosfromtheABC4Trustpilottrials.Inparticular,itaimsforadeeper insightfromtheapplicationperspectiveonhowPrivacy-ABCscansupportaddressingreal-lifeIdentityManagementrequirementswhileusers’ privacyisprotected.
1Introduction Asusingonlineservicespenetratesdeeperinoureverydaylife,lotsoftrustsensitivetransactionssuchasbankingandshoppingarecarriedoutonlineand manyuserswouldprefertoperformtheirtransactionsonlineratherthanfollow thetraditionalprocedures.Inthisregard,thebiggestchallengesaretodeal withproperuserauthenticationandaccesscontrol,withoutthreateningusers’ privacy.
ThecurrentlyemployedIdentityManagementsystemshavelimitationswhen itcomestousers’privacy.Nevertheless,newpromisingtechniques,knownas Privacy-ABCs,haveemergedtoenableprivacy-respectingIdentityManagement solutions.Inthisregard,theABC4TrustEUProject1 putconsiderableeffortto fosteradoptionofsuchtechnologiesbydesigninganarchitecturalframeworkfor Privacy-ABCs,implementingit,andtriallingitintwopilots.
Inthispaper,weaimtoelaborateonthemostimportantfeaturesprovidedby Privacy-ABCsviareal-lifeexampleusagescenariosfromtheABC4Trusttrials. Therestofthispaperisorganizedasfollows.Section 2 describestheissuesofthe existingIdentityManagementsystems.InSect. 3,weintroducePrivacy-ABCs andexplainhowtheywork.LaterwedescribetheABC4TrustpilotsinSect. 4.
1 https://abc4trust.eu
c IFIPInternationalFederationforInformationProcessing2015 J.Camenischetal.(Eds.):PrivacyandIdentity2014,IFIPAICT457,pp.3–16,2015. DOI:10.1007/978-3-319-18621-4 1
Section 5 focusesonthemostimportantfeaturesofPrivacy-ABCsandtherewe elaboratehowthesefeatureshelptodealwiththerequirementsofthepilots. LaterinSect. 6,webrieflydescribetheABC4TrustarchitectureforPrivacyABCsandthenconcludethepaperinSect. 7.
2PrivacyIssuesinIdentityManagement Thischapterdescribestheprivacyissuesinnowadaysdigitalidentitymanagementsystems.Althoughmostofthecommonlyusedstrongauthenticationtechniquesofferasuitablelevelofsecurity,theyarenotappropriatelydesignedto protecttheprivacyoftheusers.Forinstance,useofX.509[1]certificatescauses “Over-identification”bymandatingtheuserstorevealalltheattestedattributes inthecertificatetopreservethevalidityofthedigitalsignatureevenifonlya subsetofattributesisrequiredfortheauthenticationpurpose.Apartfromthis, theonlineusersalsohavetobeabletocompartmentalizetheiractivitiesindifferentdomainsandpreventprofilingbybothServiceProvidersandIdentityService Providers(IdSP).Evidently,thestaticrepresentationofX.509certificatesfails toaddresstheproblemandmakesitpossibletotraceusers’onlineactivities.
UsingonlineauthenticationandauthorizationtechniquessuchasOpenID[2], SAML[3],FacebookConnect[4],andOAuth[5]couldsupporttheminimal disclosureprinciple,astheyenabletheusertoprovidetheServiceProviderwith onlytherequestedinformationratherthanthewholeuser’sprofilestoredat theIdSP.However,alltheseprotocolssufferfromaso-called“CallingHome” problem,meaningthatforeveryauthenticationtransactiontheuserisrequired tocontacttheIdSP(e.g.,Facebook,OpenIDProvider).Thisintroducesprivacy riskstobothusersandServiceProviders.Morespecifically,itwouldnotbe difficultfortheIdSPtotracetheuserandprofileheronlineactivitiesduetothe knowledgeitgainsabouttheServiceProvidersshevisits.Moreover,theIdSP cancollectaconsiderableamountofinformationaboutaServiceProviderby analysingtheprofileoftheuserswhorequesttoauthenticatetothatspecific service.
Insummary,whendesigningidentitymanagementandaccesscontrolsystems inspiredbytheparadigmofPrivacybyDesign,thefollowingconceptsrelated todatathriftinessshallbeofdirectorindirectinterestforbodiesworkingon privacy-friendlyecosystems:
–PartialIdentitiesandPartialIdentifiers:Moreandmorepublicandprivate partiesaretryingtoovercomethenaturalbordersbetweendomainsofactivities,makingusersevermoretransparentfromevermoreperspectives,e.g.for manyServiceProvidersofferingservicesthatrelatetodifferentpartsofusers’ lives.PartialIdentitiesandPartialIdentifiersbecomemoreandmoreimportantforuserstoretainthesebordersbyreducingthedangersofunwanted linkabilityacrossdomains.ThereforethedefinitionofIdentityasa“setof attributesrelatedtoanentity”,thathasbeengloballystandardizedinthe Part1oftheframeworkforidentitymanagement[6]developedbyISO/IEC
JTC1/SC27/WG5“IdentityManagementandPrivacyTechnologies”,is usefulfordesigningprivacy-respectingidentitymanagement.
–Unlinkability:UnlinkabilityisrelatedtoPartialIdentitiesandIdentifiers,but inthiscontextfocussesonmultipleusesofserviceswithinonedomain.It ensuresthatausermaymakemultipleusesofresourcesorserviceswithout othersbeingabletoprofiletheseactivities.
–MinimalDisclosure:ItisacommonpracticethatServiceProvidersrelyon theinformationaboutusersprovidedbyotherentitiesthathaveanauthentic profileofusers’attributes.However,theseentitiestypicallypossessaricher collectionofinformationthanisneededbytherespectiveServiceProvider.In thisregard,theusersshouldhavethepossibilitytocalibratetheamountof disclosedinformationtotherequestedsetonly.Thereforeonthesideofthe ServiceProvidersriskmanagementprocessescompatiblewiththeminimal disclosureneedtobeestablished.
3Privacy-PreservingAttribute-BasedCredentials (Privacy-ABCs) Privacy-ABCscanofferstrongauthenticationandahighlevelofsecuritytoService Providerswithuserprivacypreserved,sothatitfollowstheparadigmofMultilateralSecurity[7].UserscanobtaincertifiedattributesintheformofPrivacy-ABCs, andlaterderiveunlinkabletokensthatonlyrevealthenecessarysubsetofinformationneededbytheServiceProviders.ProminentinstantiationsofsuchPrivacyABCtechnologiesareMicrosoftU-Prove2 [8]andIBMIdemix3 [9].
ACredentialisdefinedtobe“acertifiedcontainerofattributesissuedby anIssuertoaUser”[10].AnIssuervouchesforthecorrectnessoftheattribute valuesforaUserwhenissuingacredentialforher.Forexample,aschoolcan issuean“EnrolmentCredential”forapupil,whichcontainsseveralattested attributessuchasfirstname,lastname,studentidandtheenrolmentyear.
AtypicalauthenticationscenariousingPrivacy-ABCsisshowninFig. 1 whereaUserseekstoaccessanonlineserviceofferedbyaServiceProvider. TheServiceProviderperformsaso-calledVerifierroleandexpressesitsrequirementforgrantingaccesstotheserviceintheformofaPresentationPolicy.In
2 http://www.microsoft.com/uprove.
3 http://www.zurich.ibm.com/idemix/
Fig.1. Asamplepresentationscenario
Fig.2. EntitiesandrelationsinthePrivacy-ABC’sarchitecture[10]
thenextstep,theUserneedstocomeupwithacombinationofhercredentialstoderiveanacceptableauthenticationtokenthatsatisfiesthegivenpolicy. AftertheVerifierconfirmstheauthenticityandcredibilityofthePresentation Token,theUsergainsaccesstothecorrespondingservice.Itisworthnoting thatthehumanUserisrepresentedbyherUserAgent,asoftwarecomponent runningeitheronalocaldevice(e.g.,ontheUser’scomputerormobilephone) orremotelyonatrustedcloudservice.Inaddition,theUsermayalsobind credentialstospecialhardwaretokens,e.g.smartcards,toimprovesecurity.
AsFig. 2 shows,inadditionto User, Issuer,and Verifier,twoother(optional) entitiesareinvolvedduringthelife-cycleofPrivacy-ABCs[10].TheRevocation Authorityisresponsibleforrevokingissuedcredentials.BoththeUserandthe VerifiermustobtainthemostrecentrevocationinformationfromtheRevocationAuthoritytogeneratepresentationtokensandrespectively,verifythem. TheInspectorisanentitywhocande-anonymizepresentationtokensunder specificcircumstances.Tomakeuseofthisfeature,theVerifiermustspecifyin thepresentationpolicytheconditions,i.e.,whichInspectorshouldbeableto recoverwhichattribute(s)andunderwhichcircumstances.TheUserisinformed aboutthede-anonymizationoptionsatthetimethatthepresentationtokenis generatedandshehastobeinvolvedactivelytomakethispossible.
TheECfundedprojectAttribute-basedCredentialsforTrust(ABC4Trust)4 broughtallthecommonfeaturesoftheexistingPrivacy-ABCtechnologies togetherandprovidedaframeworkabstractingfromtheconcretecryptographic realizationofthemodulesunderneath.ThisgivessoftwaredeveloperstheflexibilitytobuildPrivacy-ABCenabledsystemswithoutconcernaboutwhatcryptographicschemeswillbeemployedatthebottomlayer.Asadirectresult,the
ServiceProvidersarefreetochoosefromthoseconcretecryptographiclibraries thatimplementtheABC4Trustrequiredinterfaces,andplugthemintotheir softwaresolutions.Thishelpstoavoidalock-inwithaspecifictechnology,as thethreatofalock-inreducesthetrustintoaninfrastructure.
4TriallingPrivacy-ABCsinRealLifeApplications TheABC4TrustprojectrealizedthefirsteverimplementationofPrivacy-ABC systemsinproductionenvironmentsandgatheredexperiencesonoperation, interoperability,useracceptance,andsoforthintwospecifictrials.Havingthese twopilotsgavetheopportunitytotestPrivacy-ABCsuseandperformancewith twousergroupsofdifferingskillsandneeds.OneusergroupwerewerestudentsataGreekuniversity,whereastheothergroupwerepupilsataschoolin Sweden.Thetrialsweredesignedquitedifferentinordertocoverabroadvariety ofrequirementsandthusaswellcredentials.
4.1OnlineCourseEvaluation Astandardpracticeinmostuniversitiesistocollecttheopinionsofthestudentswhohavetakenacourseandtoevaluatedifferentaspectsofthatcourse tofurtherimprovethequalityofeducation.However,boththestudentsandthe professorshavelegitimateconcernsabouttheprocessofcourseevaluation.The studentsmaybeworriedabouttheiridentitiesbeinglinkedtotheirevaluation forms,resultinginnegativeimpactsontheirgradesoreducationrecords.Meanwhile,professorsconsideraminimumlevelofparticipationinthelecturestobe necessaryforthestudentstogettherealexperienceofthecourseandtherefore tobeeligibletoevaluateit.Thescenariobecomesevenmorecomplexinterms ofsecurity,privacy,andtrust,whenelectronicevaluationisdesired.
Privacy-ABCscouldhelptoaddresstheaforementionedrequirementsinan onlinecourseevaluationsystem.Inthisregard,ABC4Trustexecutedtworounds oftrialsinFall2012andFall2013atthePatrasUniversityinGreecetorealize suchasystem.Whilsttheidentityandprivacyofthestudentswereprotected, theopinionsofthestudents,whohadattendedmorethanacertainnumberof lectures,werecollectedviaanevaluationportal.
Atthebeginningofthesemester,thepilotparticipantswereprovidedwith theirstart-upkitincludingsmartcardsandnecessarylogininformationenabling theparticipantstobootstraptheiraccesstothepilotsystem,registertheirsmart cardsandobtaintheirPrivacy-ABCsfromtheidentitymanagementsystem.
Aftertheinitializationactionsweretakenatthebeginningofthesemester, thestudentscouldrecordtheirparticipationinthelecturesontheirsmartcards. Uponenteringthelectureroom,everystudenthadtoswipehercardinfront ofthedeviceinstalledintheroominordertocollectattendanceunitsforthat specificlecture.Itisimportanttomentionthattheseunitswerecollectedanonymously,meaningthatnoidentifiableinformationwastransferredtothesystem, whichotherwisemighthaveledtoprivacybreaches.Therefore,theattendance
recordswereonlystoredonthesmartcardsofthestudentsandnotanywhere else.
Duringtheevaluationperiod,thestudentcouldaccesstheevaluationform onlineandsubmittheiropinioniftheycouldprovethat:
1.theyareastudentoftheuniversity, 2.theyareregisteredinthecourse, 3.theyhaveattendedatleastaminimumnumberofthelecturesfromthe course.
Ifalltheseconditionsweremet,thesmartcardcouldproduceaPrivacy-ABCs presentationproofthatattestedthestudent’seligibilitytoevaluatethecourse. Whileitwasnotpossibletolinktheevaluationstotheidentityoftheparticipants,theauthenticationstepwasdesignedinawaythattheevaluationportal couldpreventthesameusersfromsubmittingmultipleevaluations.
ThesecondroundofthetrialaimedtofurthertestthePrivacy-ABCs’featuresdevelopedinABC4Trustinanactualdeploymentenvironment.Newfeaturessuchasrevocationofcredentials,advanceissuance,andinspectionoftokens (de-anonymization)wereimplementedandintroducedintothepilot.Thescenariosofthefirstroundwereextendedinordertobestintegratethesenewfeatures. Morespecifically,afterthestudentssubmittedtheirevaluations,theycould receiveanewcredentialallowingthemtolatertakepartinaprivacy-friendly tombola.Whenthewinnerwasselected,heridentitywasrevealedthroughthe inspectionofherpresentationtoken.Inthisphase,therewasnoprivacyriskfor thewinnerwithregardtotheevaluationsheprovided,astheonlyinformation onecouldlearnwasthatthewinnerhadsubmittedanevaluationform.
4.2SchoolCommunityInteractionPlatform TheNorrtullskolanschoolinS¨oderhamn,Sweden,hostedthesecondpilot ofABC4Trust,whereaprivacy-friendlycommunicationplatform,builtupon Privacy-ABCs,wasdeployedtoencouragecommunicationbetweenpupils,their parentsandschoolpersonnel.Thepupilswereabletoauthenticatethemselves inordertoaccessrestrictedonlineactivitiesandrestrictedinformation.Moreover,theywereabletoremainanonymouswhentheyaskedprivateandsensitive questionstoschoolpersonnel,whilesimultaneouslyassuringtheschoolpersonnelthattheywerecommunicatingwiththeauthorisedpupilsoftherespective schoolorclass.
Theplatformwasdevelopedasaweb-basedapplicationtobeusedforchat communication,counselling,politicaldiscussions,andexchangeofsensitiveand personaldatabetweenpupils,parents,andschoolpersonnelsuchasteachers, administrators,coaches,andnurses.ThispilotspeciallyhelpedtogatherinformationontheusabilityofthePrivacy-ABCsystemsunderespeciallychallenging usabilityconditionsposedbychildrenusers.Duetothewiderangeofactivities inthistrial,thepilotwasoperatedintworoundswherethefirstroundwason asmallerscaletoinvestigatethescalabilityoftheplatformandthusbeableto addressitsshortcomingsbeforealargerscaledeployment.
Allthepilotparticipantswereequippedwiththenecessaryhardwaresothat theycouldusetheplatformfromtheirpersonalcomputersaswellasthecomputersintheschool.Thesmartcardswerepreloadedwithasetofcredentials thatspecifiedtheparticipants’basicinformationsuchasfirstname,lastname, andbirth-date,theirroles(i.e.pupil,parent,teacher,nurse,etc.),theclasses andcoursesthatthepupilswereenrolledin,consequentlygivingthechanceto definetheaccesspoliciesbasedontheseattributesinthecredentials.
Thecommunityinteractionplatformusedanabstractmodelcalled“Restricted Area”(RA)thatprovidedthevirtualenvironmentfortheaforementionedcommunicationactivities.Everyusercouldinitiatesuchaprivatespaceanddefine accesspoliciesinordertorestricttheparticipationtoherdesiredtargetgroup. Forexample,ateachercouldcreateanRAwith“Chat”functionalitytocollect theopinionsofthepupilsaboutherteachingmethodsandlimittheaccessto thischatroomtoparticipantsofaspecificclass.Inthiscase,thepupilsofthat classcouldjointhediscussionwithoutbeingidentified,whiletheotherstudents fromtheschoolwereprohibitedtoenterthischatroom.
5Privacy-ABCsFeatures InthissectionweintroducesomeofthemostimportantfeaturesofPrivacyABCsalongwithexamplesoftheirusageintherealscenariosofourtrials. Insummary,wetalkaboutpseudonymsandtheirrelationtopartialidentities, minimaldisclosure,untraceabilityandunlinkability,advancecredentialissuance techniques,Inspectionprocess,andsecuritymechanisms.
5.1MultiplePseudonyms UsingX.509certificates,auserisidentifiedbyherpublickey,whichisassociated withhersecretkey.Theissuehereisthatforeverysecretkeythereisonlyone publickey.Asaresult,theuserwillbelinkableacrossdifferentdomainswhere thepublickeyisused,unlesssheacceptsthehassleofmanagingmultiplekey pairs.Theconceptof“pseudonyms”inPrivacy-ABCsystemcanbeconsideredas equivalenttopublickeys.However,themajordifferenceisthat“many”different unlinkablepseudonymscanbederivedfromasinglesecretkey,allowingthe usertoestablishpartialidentitiesindifferentdomainsthatarenotpossibleto correlate.
TheS¨oderhamnpilotofABC4Trustheavilybenefitedfrompseudonymsto realizetheconceptof“Alias”intheirSchoolCommunityInteractionPlatform. Everypupilhasthepossibilitytoappearintheonlinecommunityundervarious humanfriendlynicknames(aliases)representingpartialidentities.Thesealiases areboundtoPrivacy-ABCpseudonymsbehindthescenes.Onceauserrequests anewalias,thesystemchecksthedatabasetoensurethatthealiasisnotalready registered.Whenthereisnoconflict,theusersubmitsapseudonymboundto theselectedaliasnametoberegisteredinthedatabase.Afterwards,whenever theuserdesirestologinunderthatalias,thesystemrequirestoproduceand
proveownershipofthesamerelatedpseudonym.Asaresult,noimpersonation ispossibleandnobodycanfigureoutwhethertwoaliasesbelongtothesame person.
5.2IdentifyingReturningUsers EventhoughunlinkablePrivacy-ABCpseudonymsareveryattractivetosupport users’privacy,sometimesasystemmayfaildeliveringitsserviceifacertain leveloflinkabilityisnotprovided.Toelaboratemoreonsuchcases,wetake theexampleoftheABC4TrustPatraspilot,whereanonlinecourseevaluation systemwasimplemented.
Aprivacy-respectingcourseevaluationsystemmustallowthestudentsto fillthequestionnaireandexpresstheiropinionwithoutbeingidentified.However,theresultcouldbemanipulatedifthestudentshavethepossibilityto establishmultiplepartialidentitiestosubmitmultipleevaluationsunderdifferentpseudonyms,andthereforepositivelyornegativelyinfluencetheaggregated results.Thus,foracorrectandaccuratedeliveryoftheservice,thecourseevaluationsystemmustbeabletolinktheuserstotheirpreviousvisitsofthesystem andonlyallowthemto“update”theirevaluations,insteadofsubmittinganew entry.Atthesametime,thereshouldnotbeawaytolearnabouttheidentity ofthestudents.
“Scope-exclusive”pseudonymsarespecialtypesofPrivacy-ABCpseudonyms thatenabletheServiceProvidertoforcetheuserstoshowthesamepseudonym giventhesame“scope”string.Therefore,whenevertheusersvisitthecourse evaluationportal,theyfaceapolicyrequiringascopeexclusivepseudonymfora fixedscope.Asaresult,theyareobligedtoproducethesamepseudonymvalue everytime,allowingthesystemtorecognizeareturninguser.
5.3Minimal,Untraceable,andUnlinkablePresentation ofCredentials InaPrivacy-ABCsystem,userscanreceivecertifiedclaimsabouttheirattributes intheformofcredentials.Forexample,aCivilRegistrationAuthorityisentitledtoissueauthenticcredentialsattestingname,lastname,birth-date,etc., representinganIDcard.
Privacy-ABCsprovidethreedistinctfeaturestotheirusers.Let’stakethe SchoolCredentialoftheS¨oderhamnpilotasthebasisforourexampleshere. TheSchoolCredential(alsocalledCredSchool)isequivalenttoamembership cardandcontainsthefirstname,lastname,birth-date,andtheschoolname.As mentionedearlier,thepupilscouldlogintothesystemusingahumanfriendly nickname,calledalias,whichisnotlinkabletotheirrealidentities.Inorderto participateinaschool-boundactivity,suchasapoliticaldiscussion,asample accesspolicywouldrequireaproofthattheyarefromthesameschool(i.e. Norrtullskolan).
X.509certificatesrequireuserstopresenttheircertificateasitisneededto preservetheintegrityofthesignature.Thisurgestheuserstodisclosetheir
firstname,lastname,andthebirth-dateeventhoughonlytheschoolname wasneeded.Conversely,Privacy-ABCssupportminimaldisclosureallowingthe userstoselectivelydiscloseasubsetoftheattributesfromtheircredentials.In theexampleoftheS¨oderhamnpilot,thepupilscouldusetheirCredSchoolto revealonlytheschoolnamewhilstkeepingtheotherattributeshidden.Inthis waythesystemdidnotlearnanyfurtherinformationthanneeded.Moreover, Privacy-ABCssupport“predicatesoverattributes”enablingtheuserstoprove somefactsabouttheirattributeswithoutactuallyrevealingthem.Forinstance, thepupilscouldprovethattheirbirth-datefromtheCredSchoolisbeforeagiven dateandthereforetheyareolderthanacertainage,andstillkeeptheiractual birth-datehidden.
AnotheradvantageofPrivacy-ABCscanbebetterexplainedwhenfocusing onthestaticrepresentationofX.509certificates.AnX.509usercouldbeimmediatelyidentifiedwhentheServiceProviderandthecertificateissuercollude. Inanotherword,theuseofthecredentialsistraceablebytheissuerduetothe staticrepresentationofthecertificatesduringtheissuanceandthepresentationsteps.Despite,Privacy-ABCsexperiencesometransformationsbetweenthe issuanceandpresentationphasesothereisnowaytotracetheirusage,unlessthe revealedattributesgivesuchanopportunity.Inourexample,thepupilscould usetheirCredSchooltoprovethattheyarepartoftheNorrtullskolan,andthis pieceofinformationwouldnotallowacolludingcredentialissuertoidentifythe users.
Similarly,thesamestaticnatureofX.509certificatesenablesanotherprivacythreattotheusers.ItwouldallowtheServiceProviderstolinkdifferent transactionsofthesameusersandbuildaprofile.Thiswouldnotbepossible withPrivacy-ABCsastheusersareabletoproduceunlinkabletokensfromtheir credentialsforeachtransaction.Inourexamplescenarios,apupilcouldusethe sameCredSchooltomakepresentationsabouttheirschoolnamewhenappearing underdifferentaliasesinthesystemandensurethatthiswouldnotintroduce anylinkabilitybetweentheiraliases.
5.4BlindTransferofAttributes Let’sintroduceanexamplescenariofromtheABC4TrustPatraspilottobetter elaborateonthefeatureofblindtransferofattributes.Toencouragethepilot participantstocontinuetothelaststep,weannouncedatombolatotakeplace attheendofthetrialforthosewhosubmittedtheirevaluationofthecourse.The approachwastoissuetothestudentsaTombolaCredentialaftersubmissionof theirevaluation.However,thenewcredentialhadtocontainthematriculation numberofthestudent.Thislookschallengingasthestudentswerenotidentified wheninteractingwiththeportal.
AdvancedcredentialissuancetechniquesofPrivacy-ABCssupportafeature called“carried-overattribute”thatallowsanissuertoissueacredentialcontaininganattributevaluetransferredfromanothercredentialthattheuserholds, withoutlearningtheattributevalue.Therefore,inthePatrastrial,aftersubmittingtheevaluationform,theTombolaCredentialIssuercouldissuecredentials
totheusersandtransferthematriculationnumberfromtheirUniversityCredentialintoitwithoutgettingtoknowwhatthematriculationnumberis.
5.5RecoveringtheIdentityviaInspection Onthefirstlook,theInspectionfeatureofPrivacy-ABCsmaybemisinterpreted asabackdoortotheprovidedanonymity.Thusexplainingandusingthisconcept anditsprocessesrequiresextracare.Thefirstimportantpointtomentionabout theInspectionisthatitwouldnotbepossiblealways,meaningthatbefore anybodywouldbeabletorecovertheidentityoftheuserbehindatransaction, theusershouldhavegoneintosomeagreementsanddeliveredextrainformation thatwouldmaketheInspectiontechnicallypossible.
WhenrequestingaccesstoaresourceprotectedbyInspection,theuserswould getinformedaboutthetermsandconditions(calledInspectionGrounds).If theuseracceptstheagreement,someadditionalinformation,suchasaunique identifierinthedomain,mustbe“verifiably”encryptedunderthepublickeyofa trustedthirdparty,calledInspector,andhastobeembeddedinthepresentation tokendeliveredtotheServiceProvider.Incaseofamisuse,theServiceProvider hasthepossibilitytoforwardthistokentotheInspectoralongwithanevidence fortheviolationoftheagreements.TheInspectorisresponsibleforinvestigating thecaseandcheckingwhethertheclaimofviolationbytheServiceProvider holds.Uponconfirmation,theInspectorcoulddecryptthetokenandrecover theidentifier.
Inspectionismainlyusedtoachieveaccountability.Forinstance,inthe S¨oderhamnpilot,theschoolislegallyresponsibleforeveryinfrastructureitprovidestothepupilsanditmustbeabletodealwithanycasethatintroduces threatstothepupils,suchasmobbing.Therefore,aprocesswasdesignedtoallow thepupilsreportinappropriatecontentsinthediscussionforum.Ifaforumis protectedbyInspection,the“InspectionBoard”,comprisingoftheschoolprincipal,someteachersandrepresentativesofthepupils,receivesthecasetojudge. Ifthecontentisagainstthetermsofuse,theysendthecorrespondingtokento theInspectortorecovertheuniqueidentifierofthepupil.
Inspectioncanbehelpfulinothertypesofscenariosaswell.Forexample, inanonlinepaymentprocess,thecreditcardnumberofthecustomercanbe deliveredinaninspectabletokenencryptedunderthepublickeyofthebank.In thisway,theonlineshopcanensurethatthecustomerisprovidingavalidcredit cardnumberwithoutactuallyseeingit.Theshopcanforwardthistothebankto performthecorrespondingtransferofcredit.Asimilarscenarioisimplemented intheABC4Trust“HotelBooking”demo5 . AnotherexampleforadifferentusageofInspectionwasdemonstratedinthe Patraspilot.Aswementionedearlier,thestudentswouldreceiveaTombola Credentialcontainingtheirmatriculationnumberaftersubmittingtheirevaluationforms.Usingthiscredentialtheycouldparticipateinatombola.However, thiscouldhavecausedthethreattoidentifywhoeversubmittedanevaluation
5 https://abc4trust.eu/demo/hotelbooking
ofthecourse.Tomaketheprocessprivacy-friendlythetombolasystemrequired theparticipantstodisclosetheirmatriculationnumberinaninspectableform andnotincleartext.Intheend,theInspectorcouldextracttheidentityofthe winneronlyandtheotherstudentscouldstayunknowntothesystem.
5.6SecuringPrivacy-ABCs Atypicalmisusecaseiswhentheuserssharetheircredentialsinordertoletthe othersbenefitfromtheresourcesthattheynormallydonothavethenecessary credentialstoaccess.Privacy-ABCstrytoovercomethisproblembyofferingthe “key-binding”feature,whichessentiallybindsacredentialtothesecretkeyof theuser.Thus,whentheuserswanttolendtheircredentials,thehavetogive outtheirsecretkeyaswell.InaPrivacy-ABCsystem,aServiceProvidercan requireacombinationofcredentials(e.g.acreditcardtogetherwithapassport) forapresentationanditcanenforcethatbothcredentialsmustbeboundtothe “samesecretkey”.The“samekeyas”policycanbeappliedonpseudonymsas well,meaningthatapresentationpolicycanaskforacredentialthatisbound tothesamesecretkeyastheoneusedtogenerateapseudonym.
Usingsmartcardsasthekey/credentialstorageimprovessecurityandportabilityofPrivacy-ABCs.Onecouldrelyonthetamper-resistanceofsmartcards andenhancethesecurityviaon-boardcomputationoftheoperationsrequiring thesecretkey.Inthisway,thesecretkeyneverhastoleavethecardandstays protectedaslongasthesmartcardisnottamperedwith.ABC4Trustalsobenefitedfromsmartcardsinitsbothpilotsandreleaseditssmartcardfirmware onGithub6 tobepubliclyavailable.
6ABC4TrustLayeredArchitecture TheABC4TrustarchitecturehasbeendesignedtodecomposefutureimplementationsofPrivacy-ABCtechnologiesintosetsofmodulesandspecifythe abstractfunctionalityofthesecomponentsinsuchawaythattheyareindependentfromalgorithmsorcryptographiccomponentsusedunderneath.The functionaldecompositionforeseespossiblearchitecturalextensionstoadditional functionalmodulesthatmaybedesirableandfeasibleusingfuturePrivacy-ABC technologiesorextensionsofexistingones.
TheinterchangeabilityofPrivacy-ABCtechniquesintheABC4Trustframeworkistheoutcomeofitslayeredarchitecturedesign.Figure 3 depictspartof thehighlevelABC4Trustarchitecturewheretwoofthemainactors,namely UserandVerifier,interactinatypicalservicerequestscenario.Thecoreofthe architectureiscalledABCE(ABCEngine)layer;itprovidesthenecessaryAPIs totheapplicationlayerresidingonthetopandutilizestheinterfacesoffered bythebottomlayercalledCE(CryptoEngine).Tocompletethepicturean XML-basedlanguageframeworkhasbeendesignedsothatABCEpeersfrom 6 https://github.com/p2abcengine/
Fig.3. ABC4Trustlayerdarchitecture,User-Verifierinteraction
differententitiesofthesystem,e.g.theUserandtheVerifier,cancommunicate inatechnology-agnosticmanner.Puttingallthepiecestogether,theapplication layerfollowsthecorrespondingstepsdefinedintheprotocolspecification[10], callstheappropriateABCEAPIs,andexchangesmessageswiththeotherparties.Furtherdowninthelayers,uponreceivinganAPIcall,theABCEperforms technology-agnosticoperations,suchasmatchingthegivenaccesspolicywith theuser’scredentials,interactingwiththeuserincaseitisneeded,andinvokingcryptoAPIsfromtheCEinordertoaccomplishcryptographicoperations. FinallythebottomlayerCEiswherethedifferentrealizationsofPrivacy-ABC technologiesappearandprovidetheirimplementationsfortherequiredfeatures.
ABC4Trustalsopresentsamodularmodelforthecryptolayer[10].Themain responsibilitiesoftheCryptographicEnginearetogeneratecryptographickey material,issuenewcredentialsbymeansofatwo-partyprotocol,generatethe cryptographicevidenceforaPresentationTokentoprovethatausersatisfies aPresentationPolicy,andverifysuchaproof.Thiscryptoarchitecturedefines thebuildingblocksofPrivacy-ABCtechnologiesandtheirinterfacesallowing implementationofadditionalfeaturesandextendingthefunctionalities.
7ConclusionandOutlook ThispaperhasdocumentedthefeaturesandtheusageofPrivacy-ABCsfor privacy-respectingidentitymanagementconsideringtheinterestsoftherespectivestakeholders.Especiallyusersareenabledtomanagetheiridentitiesand IDs.TheexamplesinSect. 5 documentprivacy-friendlyapplicationsindifferent phasesofthebusinessesprocessofthetwotrials,thatABC4Trustconducted.
Insomecasesidentityinformationflowshavebeenchanneledandrestricted accordingtoheritageseparationsofdomains,e.g.whenenablinguserstomanage multiplepseudonymswithouthavingtomanagemultiplekeypairs.Insome casesnewtypesofchannelingandrestrictingofinformationflowswereenabled bythecryptographicfeaturesusedinPrivacy-ABCs,e.g.theblindtransferof attributes.
InanycaseitturnedoutthatthedefinitionofIdentityasa“setofattributes relatedtoanentity”asgloballystandardizedinthePart1oftheframeworkfor identitymanagement[6]developedbyISO/IECJTC1/SC27/WG5“Identity ManagementandPrivacyTechnologies”isusefulfordesigningprivacy-respecting identitymanagement.
Thereareopenchallengesintheareaofassurancetokenswhichareneeded tocarrythecredentialsandprocessthecalculationofpresentationtokens.Their designneedstofollowseveralprinciples
–Enablingtheassurancetokenholdertoinfluence
• thecharacterandthedegreeofidentificationand
• theamountofidentificationinformation;
–Enablingtheassurancetokentoprotectitselfbye.g.thefollowingfeatures:
• Abilitytoverifythecontrollerbye.g.anextrachanneltoavoid,thatan attackerimpersonatesacontroller,e.g.establishesanillegitimatesmart cardreadertoexploitinformationfromthetoken;
• Aportfolioofcommunicationmechanismsforredundancytoensure,that anycontroller,thatwishestoaccessthetoken,canbeverifiedviaan anadditionalcommunicationchannelbeyondthechannelofferedbythe controller;
• Sufficientaccesscontroltowardsrelevantdata,e.g.amagnetstripeor unprotectedchipwouldnotbeenough;
• Enoughprocessingpowerforcomplexoperationssuchascryptographic operations;
–Enablingcommunication
• betweenassurancetokenholderandassurancetoken,sothattheusercan control,whattheassurancetokenisprocessingandhowitisinteracting withotherentities.
Smartcardsareusuallyabletoprotectthemselves,buttheirlimiteduserinterfaces(evenconsideringasecurereader)makesitchallengingfortheuserto influencethecharacteranddegreeofidentificationandtheamountofidentificationinformation.Moreoverthecommunicationbetweentheuserasassurance tokenholderandtheassurancetokenislimited.
Smartphonesoffermanymoreoptionsfortheinteractionbetweenuserand assurancetoken,buttheyarenotasgoodtoprotectthemselvesandthekeys storedwithinthem.Reasonforthisarethecomplexityofnowadayssmartphones orsimilardevicesandthelackofoperatingsystemsecurity.Mobilesphoneswith morerobustprotectionareurgentlyneeded.Mobilephoneswithatrustedexecutionenvironment(TEE)areastepintotherightdirection,buttheTEEmust besecurelyconnectedtotheuserinterfacemakingsure,thatusers’confidential
16A.SabouriandK.Rannenberg
inputfortheTEEisnotmisdirectedandthatoutputfromtheTEEiscorrectly displayed.
References
1.X.509:informationtechnology-opensystemsinterconnection-thedirectory:public/keyandattributecertificateframeworks. http://www.itu.int/rec/T-REC-X. 509/en
2.Openidauthentication2.0,December2007. http://openid.net/specs/openidauthentication-2 0.html
3.AssertionsandprotocolsfortheOASISsecurityassertionmarkuplanguage(saml) v2.0,March2005. http://docs.oasis-open.org/security/saml/v2.0/saml-core-2. 0-os.pdf
4.Facebooklogin. https://developers.facebook.com/products/login/
5.Hardt,D.:Oauth2.0authorizationprotocol,October2012. http://tools.ietf.org/ html/rfc6749
6.ISO/IEC2011:ISO/IEC24760–1:2011informationtechnology-securitytechniques-aframeworkforidentitymanagement-part1:terminologyandconcepts, 1stedn.15–12-2011. http://standards.iso.org/ittf/PubliclyAvailableStandards/ index.html
7.Rannenberg,K.:Multilateralsecurity-aconceptandexamplesforbalancedsecurity.In:Proceedingsofthe9thACMNewSecurityParadigmsWorkshop2000 (NSPW2000),pp.151–162.ACM,NewYork(2000)[Online].Available: http:// doi.acm.org/10.1145/366173.366208
8.Brands,S.:RethinkingPublicKeyInfrastructuresandDigitalCertificates:BuildinginPrivacy.MITPress(2000)
9.Camenisch,J.,VanHerreweghen,E.:Designandimplementationoftheidemix anonymouscredentialsystem.In:Proceedingsofthe9thACMConferenceonComputerandCommunicationsSecurity,pp.21–30.ACM(2002)
10.Bichsel,P.,Camenisch,J.,Dubovitskaya,M.,Enderlein,R.R.,Krenn,S., Krontiris,I.,Lehmann,A.,Neven,G.,DamNielsen,J.,Paquin,C.,Preiss,F.-S., Rannenberg,K.,Sabouri,A.,Stausholm,M.:Architectureforattribute-based credentialtechnologies-finalversion.In:TheABC4TrustEUProject,DeliverableD2.2(2014).Availableat https://abc4trust.eu/download/Deliverable D2.2. pdf .Lastaccessedon08–11–2014
TowardsanEngineeringModel ofPrivacy-RelatedDecisions JoachimMeyer(&)
DepartmentofIndustrialEngineering, TelAvivUniversity,TelAviv-Yafo,Israel jmeyer@tau.ac.il
Abstract. Peoplemakenumerousdecisionsthataffecttheirownorothers’ privacy,includingthedecisionstoengageincertainactivities,torevealand shareinformationortoallowaccesstoinformation.Thesedecisionsdependon propertiesoftheinformationtoberevealed,thesituationinwhichthedecision ismade,thepossiblerecipientsoftheinformation,andcharacteristicsofthe individualperson.Systemdesignshouldideallyprotectusersfromunwanted consequencesbyallowingthemtomakeinformeddecisions,attimesblocking users’ abilitytoperformcertainactions(e.g.,whentheuserisaminor).The developmentofalertingandblockingmechanismsshouldbebasedonpredictive modelsofuserbehavior,similartoengineeringmodelsinotherdomains. Thesemodelscanbeusedtoevaluatedifferentdesignalternativesandtoassess therequiredsystemspecifications.Predictivemodelsofprivacydecisionswill havetocombineelementsfromnormativedecisionmakingandfrombehavioral, descriptiveresearchondecisionmaking.Somemajorissuesinthedevelopment andvalidationofsuchmodelsarepresented.
Keywords: Privacy Decisionmaking Models Cognitiveengineering
1Introduction Privacyhasbecomeamajorconcerninpeople’sinteractionwithtechnologies.The storingofvastamountsofinformationandthepossibleaccesstothisinformationby otherpeople,bygovernmentalagencies,orbycompaniesandotherorganizations exposepeopletothethreatofothersgaininginformationaboutthemonalmostall aspectsoftheirlifes.Thepeoplewhoaccesstheinformationareusuallyunknownto theindividual,mayusetheinformationagainsttheindividual’sinterest,andthe individualgenerallyhasnowaytoredresstheissue.
Atthesametime,peoplealsogainbenefitsfromrevealinginformation.Theyreceive personalizedservices,suchasadaptedproductofferingsonwebsites,theymayhave accesstolocation-relatedrecommendations,theycangetemergencysupportwhenthey areinanaccident(iftheyareconnectedtoasystemthatmonitorstheirstatusand location),etc.Therapidlyblooming fi eldofsocialnetworksisbasedentirelyonpeople’s willingness,andevendesire,tosharepersonalinformation.Thussharinginformation andhavingothersaccessone’sinformationarenotnecessarilybad,noraretheynecessarilygood.Rather,asisusuallythecase,theyhavebothpositiveandnegativesides.
© IFIPInternationalFederationforInformationProcessing2015 J.Camenischetal.(Eds.):PrivacyandIdentity2014,IFIPAICT457,pp.17–25,2015. DOI:10.1007/978-3-319-18621-4_2
1.1PrivacyDecisionMaking Thenotionthatprovidingaccesstoone’spersonalinformationcanhaveadvantages anddisadvantagesforapersonhasbeenknownforalongtime.Itimpliesthatpeople maywanttoweightheadvantagesanddisadvantagesandchoosewhethertoreveal information.Thisideaiscentralinthedefinitionofprivacy,proposedbyWestin (1967),as “theclaimofindividuals,groupsorinstitutionstodetermineforthemselves when,how,andtowhatextentinformationaboutthemiscommunicatedtoothers.” He recognizesthedynamicnatureofthesechoicesbyalsostatingthat “… eachindividual iscontinuallyengagedinapersonaladjustmentprocessinwhichhebalancesthedesire forprivacywiththedesirefordisclosureandcommunication …”
Thusonecananalyzeaperson’sprivacyrelatedactionsastheresultofdecision processes.Theactivesharingofinformation,theengagementinactivitiesthatgenerate information,orthefailuretopreventprivateinformationfrombecomingpublic,canall beseenasresultsofdecisionprocesses.Accordingtoeconomicnormativemodelsof decisionmaking(suchastheExpectedUtilityModel),thedecisionsshouldbemade, basedontheexpectedoutcomeswheninformationisrevealedandwhenitisnot. However,forprivacydecisions,asfordecisionsinmostotherdomains,people’sactual decisionmakingdeviatesfromtheprescriptionsofclassiceconomicmodels(e.g., AcquistiandGrossklags 2005).Furthermore,privacy-relateddecisionsareinherently difficulttoanalyze,evenwithsimpleeconomicmodels,sincetheconsequences(costs andbenefits)occuratdifferentpointsinthefuture,theyoccurwithsome(largely unknown)probabilities,andtheyareinmostcasesnotdirectlytranslatableinto monetaryvalues.
Privacy-relateddecisionshaveavarietyofoutcomesthathaveverydifferent importanceandmeaningfordifferentpeople.Basically,therearethreemajorcategories ofoutcomes(seeTable 1):
Social.Privacy-relateddecisionscanaffecttherelationsapersonhaswithother people.Communicatingwithothers,by,forinstance,postingonsocialnetworks, canprovidevariousbenefits.Theseincludecommunicatingaboutaperson’s status,creatingandmanagingtheimpressionsothersmighthaveabouttheperson, maintainingrelationshipswithothers,etc.Theseactionsmayalsohavenegative consequences,suchasoffendingcertainpeople,orinformationreachingpeople whowerenotsupposedtoseeit(e.g.,thebossseeinganemployeeintoxicated).
Economic.Sharingofinformationmaybemotivatedbyeconomicbenefi tsaperson receiveswhenagreeingtosharetheinformation.Examplesarepeoplejoining customerloyaltyprograms,wheretheyreceiveminorbenefitsforagreeingtoreveal theiridentity(e.g.,swipetheircard)whenevertheyperformapurchase.Revealing informationmayalsohavenegativeeconomicimplications.Forinstance,ifan insurancecompanyobtainsinformationshowingthatapersonisatanincreasedrisk forsomechronicdisease,thecompanymayraisetheperson’sinsurancerates.
Functional.Sharingofinformationmayprovidefunctionalbenefits.Forinstance, onemustsharelocationinformationtoreceivelocation-dependentservicesor recommendations.Sharingone’sidentitywithawebsiteallowsthesitetocustomize theinformationtotheindividual’scharacteristics,etc.However,theshared
informationmayalsobemisused,ashappensinthemostextremecasewhenitis usedbyacriminal,forinstancetoperformidentitytheft.
Ideallypeopleshouldmakeprivacy-relateddecisionsafterconsideringallpossible consequences.Thisisobviouslyproblematic,anditisunrealistictoexpectthatpeople explicitlyevaluateandweigheachoftheconsequences(andtheremaybeverymany), theirprobability,andtheirutilityinsomecommonmeasure.However,itmaybe possibletopredicttosomeextentwhichpossibleconsequencespeopleconsider, dependingonthepriorinformationtheyhaveandthedisplayofrelevantinformation bythesystem.
Table1. Sometypesofcostsandbenefitsrelatedtoprivacy
BenefitsDangersandcosts
SocialCommunicatewithothers,impression management,maintainrelationship
Unintendedconsequencesof informationreachingpeople
EconomicIncentivesfromsharinginformationPossiblenegativeeffects (increasedinsurancerates, etc.)
FunctionalImprovedserviceswhenfunctionsare shared(locationbasedrecommendations)
2PrivacyEngineering Possiblemisuseofinformation (identitytheft,etc.)
Thedesignofsystemsthattakeprivacyintoaccounthastodealwithnumerousaspects ofprivacy,includingtheencryptionofinformation,theprotectionofinformationfrom unwantedaccess,thelimitationofinformationcollection,etc.Eventuallytheseboil downtotechnicaldecisionsmadebythepeoplewhodevelop,deployandmaintain systems.Thesearepartoftheengineeringofsystems,andhencetheengineeringof privacymaybearelevantterm.SpiekermanandCranor(2009)publishedananalysisof thedevelopmentofprivacy-sensitivesystems,withthetitle “engineeringprivacy”.They describetwoapproachesintheengineeringofprivacy.One,whichtheyname “privacy byarchitecture”,isthepreventionofprivacyviolationsbydesigningthesystemsothat thedatacollectionwillbeminimalorprivacyviolationswillideallybeimpossible.The otherapproach, “privacybypolicy”,dealswithcasesinwhichthepossibilityofprivacy violationsstillexists.Thensystemdesignersneedtoinformusersaboutpossibleprivacy risksandmustleaveusersthechoicewhethertoexposethemselvestosuchrisksornot (the “noticeandchoice” approach).
Gurses(2014)pointsoutthatbuildingsystemsthatcopeappropriatelywiththe plethoraoflegalandsocietalaspectsofprivacyisa “bewilderinglycomplex” task.She describesthreemajorapproachesinprivacyresearchincomputerscience,whichcan formthebasisoftheengineeringofprivacy:(1)Privacyasconfidentiality,which meanslimitingtheamountofinformationcollectedandthepossibilitythatinformation canberevealedtoothers;(2)privacyascontrol,whichmeanscreatingmechanismsthat allowpeopletocontrolthecollectionanduseofdataaboutthem;and(3)privacyas
Another random document with no related content on Scribd:
Garner Ted Armstrong. Program 501. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 5Nov73; MP24999.
MP25000.
Garner Ted Armstrong. Program 428. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 10Apr73; MP25000.
MP25001.
Garner Ted Armstrong. Program 444. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 2May73; MP25001.
MP25002.
Garner Ted Armstrong. Program 537. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 14Jan74 (in notice: 1973); MP25002.
MP25003.
Garner Ted Armstrong. Program 516. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 7Dec73; MP25003.
MP25004.
Garner Ted Armstrong. Program 533. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 28Dec73; MP25004.
MP25005.
Garner Ted Armstrong. Program 528. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 19Dec73; MP25005.
MP25006.
Garner Ted Armstrong. Program 424. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 5Apr73; MP25006.
MP25007.
Garner Ted Armstrong. Program 426. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 8Apr73; MP25007.
MP25008.
Garner Ted Armstrong. Program 530. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 28Dec73; MP25008.
MP25009.
Garner Ted Armstrong. Program 427. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 9Apr73; MP25009.
MP25010.
Garner Ted Armstrong. Program 505. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 4Nov73; MP25010.
MP25011.
Garner Ted Armstrong. Program 457. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 14May73; MP25011.
MP25012.
Garner Ted Armstrong. Program 425. Ambassador College. 29 min., sd., color, videotape (1/2 inch) © Ambassador College; 6Apr73; MP25012.
MP25013.
Controlling absenteeism. 32 min., sd., color, 16 mm. (The Gellerman effective supervision film series) © BNA Communications, Inc.; 14Mar74; MP25013.
MP25014.
Life in a drop of water. A Coronet film. 10 min., sd., color, 16 mm. Prev. pub. 7Jul47, M2571. NM: some film footage & narration. © Coronet Instructional Media, a division of Esquire, Inc.; 11Aug73; MP25014.
MP25015.
Fun with speech sounds. 2nd. ed. 15 min., sd., color, 16 mm. © Coronet Instructional Media, a division of Esquire, Inc.; 31May73; MP25015.
MP25016.
Maps show our earth. A Coronet film. 10 min., sd., color, 16 mm. © Coronet Instructional Materials, a division of Esquire, Inc.; 6Jul73; MP25016.
MP25017.
Workers depend on each other. A Coronet film. 11 min., sd., color, 16 mm. © Coronet Instructional Media, a division of Esquire, Inc.; 28Jun73; MP25017.
MP25018.
V S A M concepts and access method services usage. IBM Corporation. 70 min., b&w, videotape. (IBM independent study
program) © International Business Machines Corporation, accepted alternative designation: IBM Corporation; 14Jan74 (in notice: 1973); MP25018.
MP25019.
A L C coding techniques for virtual storage. IBM Corporation. 28 min., b&w, videotape. (IBM independent study program) © International Business Machines Corporation, accepted alternative designation: IBM Corporation; 14Jan74 (in notice: 1973); MP25019.
MP25020.
Louie gets his licks. Instructional Material Systems. 13 min., sd., color, 16 mm. © IMS a. a. d. o. Instructional Material Systems; 9Aug73; MP25020.
MP25021.
Compact truck features and comparison. 17 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 2Jan74 (in notice: 1973); MP25021.
MP25022.
Chrysler Newport versus Buick LeSabre and Olds 88. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 17Jan74 (in notice: 1973); MP25022.
MP25023.
1974 cleaner air system. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 18Dec73; MP25023.
MP25024.
Sell from strength. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 19Dec73; MP25024.
MP25025.
“Two hats,” the 1974 Dodge pickup. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 19Dec73; MP25025.
MP25026.
Satellite Chevelle and Torino comparison. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 3Dec73; MP25026.
MP25027.
Monaco, Impala, Galaxie 500 comparison. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 19Dec73; MP25027.
MP25028.
Monaco and Fury versus Impala and Galaxie. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 19Dec73; MP25028.
MP25029.
Dart / Nova / Maverick comparison. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 3Dec73; MP25029.
MP25030.
1974 Chrysler and Plymouth station wagons. 9 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 19Dec73; MP25030.
MP25031.
1974 Dodge station wagons. 9 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 19Dec73; MP25031.
MP25032.
Satellite and Charger / Coronet versus Chevelle and Torino. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 12Dec73; MP25032.
MP25033.
Charger / Coronet / Chevelle and Torino comparison. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 3Dec73; MP25033.
MP25034.
Fury / Impala / Galaxie 500 comparison. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 3Dec73; MP25034.
MP25035.
Dart and Duster comparison with Nova and Maverick. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 26Dec73; MP25035.
MP25036.
Duster / Valiant / Nova / Maverick comparison. 18 min., sd., color, Super 8 mm. Appl. au.: Ross Roy, Inc. © Chrysler Corporation; 3Dec73; MP25036.
MP25037.
VD attack plan. Walt Disney Productions. 16 min., sd., color, 16 mm. © Walt Disney Productions; 27Feb73 (in notice: 1972); MP25037.
MP25038.
I’m no fool with electricity. Walt Disney Productions. 8 min., sd., color, 16 mm. © Walt Disney Productions; 26Oct73; MP25038.
MP25039.
Geothermal power. 15 min., sd., color, 16 mm. Appl. au.: Howard J. Lindenmeyer. © Howlin Cinema Productions; 1Feb74; MP25039. MP25040.
Kiel Olympiad. Offshore Productions. Produced in cooperation with the United States International Sailing Association, Yacht Racing Magazine & Yachting Magazine. 56 min., sd., color, 16 mm. Appl. au.: Dick Enersen & Laszlo Pal. © Enersen/Pal Enterprises; 22Feb73; MP25040.
MP25041.
April showers. 30 sec., sd., color, 16 mm. Appl. au.: William Esty Company, Inc. © Colgate Palmolive Company; 7Oct73; MP25041.
MP25042.
Deep water rescue breathing. A Pierce production. 10 min., sd., color, 16 mm. Appl. au.: Albert L. Pierce. © Albert L. Pierce; 19Sep73; MP25042.
MP25043.
Teacher self appraisal observation system: a technique for improving instruction. Educational Innovators Press. 17 min., sd., b&w, videotape (1/2 inch) (Teacher self appraisal, packet V1) Add. ti.: Observation system—improving instruction. © Educational Innovators Press, a division of Multimedia Associates, Inc.; 15May73; MP25043.
MP25044.
Coding classroom introduction situations utilizing the teacher self appraisal observation system. Educational Innovators Press. 22 min., sd., b&w, videotape (1/2 inch) (Teacher self appraisal, packet V2) © Educational Innovators Press, a division of Multimedia Associates, Inc.; 15May73; MP25044.
MP25045.
Coding classroom discussion situations utilizing the teacher self appraisal observation system. Educational Innovators Press. 20 min., sd., b&w, videotape (1/2 inch) (Teacher self appraisal, packet V3) © Educational Innovators Press, a division of Multimedia Associates, Inc.; 15May73; MP25045.
MP25046.
Coding classroom review situations utilizing the teacher self appraisal observation system. Educational Innovators Press. 18 min., sd., b&w, videotape (1/2 inch) (Teacher self appraisal, packet V4) © Educational Innovators Press, a division of Multimedia Associates, Inc.; 15May73; MP25046.
MP25047.
Coding classroom activities situations utilizing the teacher self appraisal observation system. Educational Innovators Press. 20 min., sd., b&w, videotape (1/2 inch) (Teacher self appraisal, packet V5) © Educational Innovators Press, a division of Multimedia Associates, Inc.; 15May73; MP25047.
MP25048.
Establishing observer reliability with the teacher self appraisal observation system. Educational Innovators Press. 28 min., sd., b&w, videotape (1/2 inch) (Teacher self appraisal, packet V6) © Educational Innovators Press, a division of Multimedia Associates, Inc.; 15May73; MP25048.
MP25049.
Now your injector. GSRX3053. 30 sec., sd., color, 16 mm. Appl. au.: J. Walter Thompson Company. © Gillette a. a. d. o. the Gillette Company; 18Oct73; MP25049.
MP25050.
Best shave ahead. GSRX3013. 30 sec., sd., color, 16 mm. Appl. au.: J. Walter Thompson Company. © Gillette a. a. d. o. the Gillette Company; 18Oct73; MP25050.
MP25051.
The Fundamental theorem. 4 min., si., color, Super 8 mm. (Calculus in motion) Appl. au.: Bruce Cornwell & Katherine Cornwell, with editorial assistance by Duane W. Bailey. © Houghton Mifflin Company; 4May73; MP25051.
MP25052.
Derivatives. 4 min., si., color, Super 8 mm. (Calculus in motion) Appl. au.: Bruce Cornwell & Katherine Cornwell, with editorial assistance by Duane W. Bailey. © Houghton Mifflin Company; 27Jun73; MP25052.
MP25053.
Taylor polynomials. 4 min., si., color, Super 8 mm. (Calculus in motion) Appl. au.: Bruce Cornwell & Katherine Cornwell, with editorial assistance by Duane W. Bailey. © Houghton Mifflin Company; 31Jul73; MP25053.
MP25054.
Concavity and points of inflection. 4 min., si., color, Super 8 mm. (Calculus in motion) Appl. au.: Bruce Cornwell & Katherine Cornwell, with editorial assistance by Duane W. Bailey. © Houghton Mifflin Company; 31Jul73; MP25054.
MP25055.
Rolle’s theorem and the mean value theorem. 4 min., si., color, Super 8 mm. (Calculus in motion) Appl. au.: Bruce Cornwell & Katherine Cornwell, with editorial assistance by Duane W. Bailey. © Houghton Mifflin Company; 6Jul73; MP25055.
MP25056.
Limits. 4 min., si., color, Super 8 mm. (Calculus in motion) Appl. au.: Bruce Cornwell & Katherine Cornwell, with editorial assistance by Duane W. Bailey. © Houghton Mifflin Company; 27Jun73; MP25056.
MP25057.
The Definite integral. 4 min., si., color, Super 8 mm. (Calculus in motion) Appl. au.: Bruce Cornwell & Katherine Cornwell, with editorial assistance by Duane W. Bailey. © Houghton Mifflin Company; 4May73; MP25057.
MP25058.
The Wordworks 1. Houghton Mifflin Company. 11 min., sd., color, 16 mm. © Houghton Mifflin Company; 31Dec73; MP25058.
MP25059.
The Wordworks 2. Houghton Mifflin Company. 11 min., sd., color, 16 mm. © Houghton Mifflin Company; 31Dec73; MP25059.
MP25060.
The Wordworks 3. Houghton Mifflin Company. 11 min., sd., color, 16 mm. © Houghton Mifflin Company; 31Dec73; MP25060.
MP25061.
The Wordworks 4. Houghton Mifflin Company. 11 min., sd., color, 16 mm. © Houghton Mifflin Company; 31Dec73; MP25061.
MP25062.
Choice not chance — career development in New Jersey. A film by Videgraphe. 26 min., sd., color, 16 mm. Appl. au.: Robert J. Phillips. © Videgraphe Corporation; 12Dec73; MP25062.
MP25063.
Bicycle safely. 12 min., sd., color, 16 mm. © Fiesta Films; 28Feb74; MP25063.
MP25064.
Poetry for fun — dares and dreams. A Centron production. 13 min., sd., color, 16 mm. © Centron Corporation, Inc.; 13Mar74; MP25064.
MP25065.
Gettysburg — 1863. A Whitefield production. 19 min., sd., color, 16 mm. © Centron Corporation, Inc.; 13Mar74; MP25065.
MP25066.
Laudate. 6 min., sd., b&w, 16 mm. Based on Igor Stravinsky’s Symphony of psalms. Appl. au.: Nicholas Frangakis. © Nicholas Frangakis; 1Mar74 (in notice: 1973); MP25066.
MP25067.
Repairs to air conditioning condensers. 27 min., sd., color, 16 mm. © Motors Insurance Corporation; 28Feb74 (in notice: 1973); MP25067.
MP25068.
It’s your move, sergeant. Woroner Films. 24 min., sd., color, 16 mm. (Decisions) © Woroner Films, Inc.; 10Jan74 (in notice: 1973); MP25068.
MP25069.
The Language of medicine. Introd. 12 min., sd., color, videotape (3/4 inch) in cassette. Appl. au.: Wallace J. Vnuk. © Walfran Research and Educational Fund; 14Dec73; MP25069.
MP25070.
The Language of medicine. Lesson no. 1. 10 min., sd., color, videotape (3/4 inch) in cassette. Appl. au.: Wallace J. Vnuk. © Walfran Research and Educational Fund; 14Dec73; MP25070.
MP25071.
The Language of medicine. Lesson no. 2. 7 min., sd., color, videotape (3/4 inch) in cassette. Appl. au.: Wallace J. Vnuk. © Walfran Research and Educational Fund; 14Dec73; MP25071.
MP25072.
The Language of medicine. Lesson no. 3. 15 min., sd., color, videotape (3/4 inch) in cassette. Appl. au.: Wallace J. Vnuk. © Walfran Research and Educational Fund; 14Dec73; MP25072.
MP25073.
The Language of medicine. Lesson no. 4. 14 min., sd., color, videotape (3/4 inch) in cassette. Appl. au.: Wallace J. Vnuk. © Walfran Research and Educational Fund; 14Dec73; MP25073.
MP25074.
The Language of medicine. Lesson no. 5. 10 min., sd., color, videotape (3/4 inch) in cassette. Appl. au.: Wallace J. Vnuk. © Walfran Research and Educational Fund; 14Dec73; MP25074.
MP25075.
The Language of medicine. Lesson no. 6. 17 min., sd., color, videotape (3/4 inch) in cassette. Appl. au.: Wallace J. Vnuk. © Walfran Research and Educational Fund; 14Dec73; MP25075.
MP25076.
Feelings. United Methodist Communications. 29 min., videotape (3/4 inch) in cassette. (Learning to live) © Trafco, Inc.; 15Jan74 (in notice: 1973); MP25076.
MP25077.
Ego states. United Methodist Communications. 29 min., videotape (3/4 inch) in cassette. (Learning to live) © Trafco, Inc.; 15Jan74 (in notice: 1973); MP25077.
MP25078.
Games. United Methodist Communications. 29 min., videotape (3/4 inch) in cassette. (Learning to live) © Trafco, Inc.; 15Jan74 (in notice: 1973); MP25078.
MP25079.
Time structures. United Methodist Communications. 29 min., videotape (3/4 inch) in cassette. (Learning to live) © Trafco, Inc.; 15Jan74 (in notice: 1973); MP25079.
MP25080.
Scripts “B.” United Methodist Communications. 29 min., videotape (3/4 inch) in cassette. (Learning to live) © Trafco, Inc.; 15Jan74 (in notice: 1973); MP25080.
MP25081.
Scripts “A.” United Methodist Communications. 29 min., videotape (3/4 inch) in cassette. (Learning to live) © Trafco, Inc.; 15Jan74 (in notice: 1973); MP25081.
MP25082.
Strokes. United Methodist Communications. 29 min., videotape (3/4 inch) in cassette. (Learning to live) © Trafco, Inc.; 15Jan74 (in notice: 1973); MP25082.
MP25083.
Transactions. United Methodist Communications. 29 min., videotape (3/4 inch) in cassette. (Learning to live) © Trafco, Inc.; 15Jan74 (in notice: 1973); MP25083.
MP25084.
A Conversation with President Tito. A production of CBS News. 30 min., sd., color, 16 mm. (CBS News special report) © Columbia Broadcasting System, Inc.; 25Oct71; MP25084.
MP25085.
Search for the Goddess of Love. CBS News. Produced in association with the Smithsonian Institution. 60 min., sd., color, 16 mm. (Smithsonian adventure) © Columbia Broadcasting System, Inc.; 13Jun71; MP25085.
MP25086.
The Court and a free press. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special report) © Columbia Broadcasting System, Inc.; 1Jul71; MP25086.
MP25087.
Louis Armstrong: 1900–1971. A production of CBS News. 60 min., sd., color, 16 mm. (CBS News special) © Columbia Broadcasting
System, Inc.; 9Jul71; MP25087.
MP25088.
The Year 1200. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special) © Columbia Broadcasting System, Inc.; 9Aug71 (in notice: 1970); MP25088.
MP25089.
The Chappaquiddick report. A production of CBS News. 30 min., sd., b&w, 16 mm. (CBS News special) © Columbia Broadcasting System, Inc.; 29Apr70; MP25089.
MP25090.
Where we stand in Cambodia. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special) © Columbia Broadcasting System, Inc.; 3May70; MP25090.
MP25091.
The Catholic dilemma. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special) © Columbia Broadcasting System, Inc.; 5Oct70; MP25091.
MP25092.
The Court martial of William Calley. A production of CBS News. 30 min., sd., b&w, 16 mm. (CBS News special report) © Columbia Broadcasting System, Inc.; 29Mar71; MP25092.
MP25093.
The Economy: a new way to go. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special report) © Columbia Broadcasting System, Inc.; 15Aug71; MP25093.
MP25094.
Reston on China: a conversation with Eric Sevareid. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special report) © Columbia Broadcasting System., Inc.; 30Aug71; MP25094.
MP25095.
The World of Charlie Company. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special report) © Columbia Broadcasting System, Inc.; 13Jul70; MP25095.
MP25096.
Voices from the Russian underground. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special report) © Columbia Broadcasting System, Inc.; 27Jul70; MP25096.
MP25097.
Blue Christmas? An inquiry into the state of the economy. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special report) © Columbia Broadcasting System, Inc.; 1Dec70; MP25097.
MP25098.
Is mercury a menace? A production of CBS News. 30 min., sd., b&w, 16 mm. (CBS News special) © Columbia Broadcasting System, Inc.; 11Jan71; MP25098.
MP25099.
Southern exposures. A production of CBS News. 30 min., sd., b&w, 16 mm. (CBS News special) © Columbia Broadcasting System, Inc.; 3May71; MP25099.
MP25100.
On the road with Charles Kuralt. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special) © Columbia Broadcasting System, Inc.; 6Sep71; MP25100.
MP25101.
Sixty minutes. Vol. 3, no. 12. A production of CBS News. 60 min., sd., b&w, 16 mm. © Columbia Broadcasting System, Inc.; 2Mar71; MP25101.
MP25102.
Sixty minutes. Vol. 4, no. 8. A production of CBS News. 60 min., sd., b&w, 16 mm. © Columbia Broadcasting System, Inc.; 25Nov71; MP25102.
MP25103.
Sixty minutes. Vol. 4, no. 9. A production of CBS News. 60 min., sd., b&w, 16 mm. © Columbia Broadcasting System, Inc.; 28Nov71; MP25103.
MP25104.
Kids! 53 things to know about health, sex and growing up. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special) © Columbia Broadcasting System, Inc.; 26Jan71; MP25104.
MP25105.
New voices in the South. A production of CBS News. 30 min., sd., b&w, 16 mm. (CBS News special) © Columbia Broadcasting System, Inc.; 8Mar71; MP25105.
MP25106.
Reischauer on Asia. A production of CBS News. 30 min., sd., b&w, 16 mm. (CBS News special) © Columbia Broadcasting System, Inc.; 6Jul71; MP25106.
MP25107.
The Correspondents report. Pt. 2: America and the world. A production of CBS News. 60 min., sd., b&w, 16 mm. (CBS News special) © Columbia Broadcasting System, Inc.; 30Dec71; MP25107.
MP25108.
Pandora’s box. Perspective Films. 8 min., sd., color, 16 mm. © Perspective Films, a division of Esquire, Inc.; 22Jan74; MP25108.
MP25109.
Kyoto: exploring with Larry. A Coronet film. 10 min., sd., color, 16 mm. © Coronet Instructional Media, a division of Esquire, Inc.; 14Jan74; MP25109.
MP25110.
Hong Kong: wandering with Rick. A Coronet film. 10 min., sd., color, 16 mm. © Coronet Instructional Media, a division of Esquire, Inc.; 15Jan74; MP25110.
MP25111.
Ball game. A film by Evelyn Marienberg. 1 min., sd., color, 16 mm. © Evelyn Marienberg; 15Mar74; MP25111.
MP25112.
To a babysitter. An Alfred Higgins production. 2nd ed. 17 min., sd., color, 16 mm. © Alfred Higgins Productions, Inc.; 14Mar74; MP25112.
MP25113.
Elementary natural science — songbirds. Centron Educational Films. Produced in collaboration with Centron Corporation. 13 min., sd., color, 16 mm. © Centron Corporation, Inc.; 15Mar74; MP25113.
MP25114.
Tornado. 6 min., si., color, Super 8 mm. Appl. au.: Donald D. Patterson. Prev. reg. 17Dec73, MU8857. © Donald D. Patterson; 20Dec73; MP25114.
MP25115.
Feeding. Sutherland Learning Associates. 10 min., sd., color, Super 8 mm. (Rocom Parentaid film system, parent counseling child care) Prev. pub. 29Oct70. NM: editorial revision. © Hoffmann LaRoche, Inc.; 29Jun73; MP25115.
MP25116.
Growth and development, toilet training. Sutherland Learning Associates. 9 min., sd., color, Super 8 mm. (Rocom Parentaid film system, parent counseling child care) Prev. pub. 29Oct70. NM: editorial revision. © Hoffmann LaRoche, Inc.; 29Jun73; MP25116.
MP25117.
Troubles in the digestive tract. Sutherland Learning Associates. 10 min., sd., color, Super 8 mm. (Rocom Parentaid film system, parent counseling child care) Prev. pub. 29Oct70. NM: editorial revision. © Hoffmann LaRoche, Inc.; 29Jun73; MP25117.
MP25118.
Respiratory problems. Sutherland Learning Associates. 9 min., sd., color, Super 8 mm. (Rocom Parentaid film system, parent counseling child care) Prev. pub. 29Oct70. NM: editorial revision. © Hoffmann LaRoche, Inc.; 29Jun73; MP25118.
MP25119.
Medication and treatment, your child’s eyes. Sutherland Learning Associates. 8 min., sd., color, Super 8 mm. (Rocom Parentaid film
system, parent counseling child care) Prev. pub. 29Oct70. NM: editorial revision. © Hoffmann LaRoche, Inc.; 29Jun73; MP25119.
MP25120.
Temperature. Sutherland Learning Associates. 5 min., sd., color, Super 8 mm. (Rocom Parentaid film system, parent counseling child care) Prev. pub. 29Oct70. NM: editorial revision. © Hoffmann LaRoche, Inc.; 29Jun73; MP25120.
MP25121.
Allergy. Sutherland Learning Associates. 8 min., sd., color, Super 8 mm. (Rocom Parentaid film system, parent counseling child care) Prev. pub. 29Oct70. NM: editorial revision. © Hoffmann LaRoche, Inc.; 29Jun73; MP25121.
MP25122.
Accident prevention. Sutherland Learning Associates. 10 min., sd., color, Super 8 mm. (Rocom Parentaid film system, parent counseling child care) Prev. pub. 29Oct70, MP22907. NM: editorial revision. © Hoffmann LaRoche, Inc.; 29Jun73; MP25122.
MP25123.
The Fussy baby. Sutherland Learning Associates. 8 min., sd., color, Super 8 mm. (Rocom Parentaid film system, parent counseling child care) Prev. pub. 29Oct70. NM: editorial revision. © Hoffmann LaRoche, Inc.; 29Jun73; MP25123.
MP25124.
Immunizations. Sutherland Learning Associates. 6 min., sd., color, Super 8 mm. (Rocom Parentaid film system, parent counseling child care) Prev. pub. 29Oct70. NM: editorial revision. © Hoffmann LaRoche, Inc.; 29Jun73; MP25124.
