ABC4Trust organised a workshop at this year’s CSP Forum Conference, held in Athens, Greece. The workshop ‘ABC4Trust – Putting Privacy-ABCs into Practice’ consisted of two parts. (‘Track 12’ and ‘Track 15’ on the conference programme.)
All presentations can be found here.
Gregory Neven (IBM) - The Concept of Privacy-ABCs
Jonas Lindstrøm Jensen (Alexandra Institute) - Privacy-ABCs on Mobile Devices
Souheil Bcheri (Eurodocs AB) - Community Interaction Among Pupils
Yannis Stamatiou (Diophantus) - Privacy Preserving Course Evaluation in Educational Institutes
Ahmad Sabouri (Goethe University Frankfurt/Main) - Enabling Privacy Friendly Integration of Cloud Services into Enterprises
Chair: Hannah Obersteller (ULD)
In the first part, Gregory Neven introduced the audience to the idea and the functionalities of Privacy-enhancing Attribute-based Credentials (Privacy-ABCs). After describing existing identification schemes and their weaknesses, Dr. Neven explained the advantages of Privacy-ABCs. Privacy-ABCs allow the user to choose which information – in other words: which attribute – he is willing to reveal. In the following, he focused on the more advanced features such as pseudonyms, revocation, and inspection. While by default Privacy-ABCs allow the user to access a service completely anonymously, the optional feature “inspection” can be enabled if needed. This means, the identity of the user can be revealed conditionally. The user must be informed in advance if inspection is enabled and under which circumstances (inspection grounds) his identity may be revealed. The revocation feature allows the issuer of the credentials to revoke them. This might become necessary if a certain attribute of the user changes; e.g. if he is not a student anymore.
Jonas Lindstrøm Jensen showed examples of how Privacy-ABCs can be used on mobile devices. While the project’s trials were using laptops as devices, it is also possible to use mobile devices like mobile phones or tablets. The advantage is, that most potential users already have one, so there is no need for additional hard ware like smart cards and smart card readers. Mr. Lindstrøm Jensen referred to new use cases and the security and privacy problems that, in turn, appear.
Souheil Bcheri presented the results of one of ABC4Trust’s trials. ABC4Trust set up a School Communication System at a Secondary School in Söderhamn/Sweden. Functionalities like chat and document sharing are provided as well as counselling sessions and political discussions. The pupils, their parents and teachers are enabled to access the network pseudonymously or anonymously, depending on the service they want to use. Since there had not been a similar application before, ABC4Trust had to create it from sketch. The network offers certain “rooms” – Restricted Areas – to certain group of users. Depending on the individual access policy of each of those Restricted Areas, there can be e.g. a chat room that allows access for everyone who can prove that she is not elder than 14 and a girl. The users can create own Restricted Areas and determine their access policies as well.
Building on what had been presented in the first part, in the second part Yannis Stamatiou reported on the results of the second trial of ABC4Trust, also by showing screenshots and video sequences. The project implemented a Course Evaluation System at the University of Patras, Greece. The students are enabled to evaluate their Courses anonymously. At the same time the system guarantees that only duly accredited students can participate in the evaluation. As an incentive to the students to participate in the trial, the students could choose to get another credential. This so-called Tombola credential allowed them to participate in a Tombola at the end of the semester. The inspection feature was used to reveal the identity of the winner. All other credentials were not inspected. The revocation feature was employed to allow the university to revoke a student’s credential when he leaves the university. After the explanation of the system, Prof. Stamatiou talked about the results of an anonymous questionnaire that was answered by the students who participated in the trial. According to the evaluation the students understood the functionality and also trusted the system. Prof. Stamatiou also reported on the future exploitation of the system.
Finally, Ahmad Sabouri gave a presentation on a special future use case of Privacy-ABCs: Use on the Cloud. After giving an introduction to Cloud Services in general, he talked about what might keep enterprises from using them. One major issue is privacy and identity concerns. Identity management in the cloud is different. Mr. Sabouri described the Privacy requirements in the Cloud. While the IdMaaS must not learn about the services the user accesses, the Cloud Provider may be neither able to link a user to his identity, nor to profile the user based on his different accesses. Furthermore, the Cloud Service Provider should not learn about the use of resources and services, while the enterprises should be able to audit those. Then, he explained in how far Privacy-ABCs meet those requirements and mapped the roles of the entities of a Privacy-ABC system.
Questions were answered during and after each presentation.