Privacy-Enhancing Technologies—approaches and development




Computer Standards & Interfaces 25 (2003) 147 – 158 www.elsevier.com/locate/csi

Vanja Seničar, Borka Jerman-Blažič *, Tomaž Klobučar
Laboratory for Open Systems and Networks, Jozef Stefan Institute, Jamova 39, 1000 Ljubljana, Slovenia
Received 25 May 2002; received in revised form 20 December 2002; accepted 8 January 2003

Abstract
In this paper, we discuss privacy threats on the Internet and possible solutions to them. Examples of privacy threats in communication networks are identity disclosure, linking of data traffic with identity, location disclosure in connection with data content transfer, user profile disclosure, or disclosure of the data itself. Identifying the threats and the technology that may be used for protection can provide satisfactory protection of privacy over the general networks that are today building the information infrastructure. In general, these technologies are known as Privacy-Enhancing Technologies (PETs). This article analyses some of the key Privacy-Enhancing Technologies and provides a view of the on-going projects developing them.
© 2003 Elsevier Science B.V. All rights reserved.
Keywords: Privacy; Data protection; Privacy-enhancing technologies

1. Introduction
In today's society, computers have penetrated almost all parts of our lives. Nearly every daily routine is carried out either through or with the help of computers. Everywhere we use information services, we leave traces that make it possible for anybody interested enough to collect, organise and analyse our personal data. The nature of on-line business and e-commerce conducted over the Web, where personal information is transferred in digital form, has led to a situation in which privacy is threatened every day. The lack of privacy on the Web makes us susceptible to a number of abuses, which are now starting to be better understood and well publicised. There are many good reasons to be concerned about privacy on the Web and on communication networks. Concerns range from distaste for targeted junk e-mail to the desire to search certain topics in private. For example, we may have a health condition that we do not wish to share with others, and a search for information related to that condition may leave a wealth of traces on the Web. In this article, we take a look at several approaches, all with a technological background and supported by legislation, that are aimed at the creation of services that are safe with regard to privacy protection. The review is based on on-going work in the field of privacy-enhancing technology development. The focus of the article is on the latest developments and implementations of technical tools and methods, as we are aware that the way to achieve the trustworthiness required in the construction of well-designed systems is long and far from perfect [2,12,13,20] and is still a subject of development.

* Corresponding author. Tel.: +386-1-4773-408; fax: +386-1423-2118. E-mail addresses: [email protected] (V. Seničar), [email protected] (B. Jerman-Blažič), [email protected] (T. Klobučar).

0920-5489/03/$ - see front matter © 2003 Elsevier Science B.V. All rights reserved. doi:10.1016/S0920-5489(03)00003-5

2. What does privacy mean?
The definition of privacy according to Ross Anderson is "the ability and/or right to protect our personal secrets, the ability and/or right to prevent invading our personal space" [1]. A person has privacy when two factors are in place: first, she must have the ability to control information about herself, and second, she must exercise that control consistently with her values. The first factor concerns the existence of choice—the legal power to control the release of information—not how pleasant the choice is. In the commercial world, people almost always have the ability to control information about themselves. If we exclude pure commercial transactions, they can decide absolutely who is entitled to receive information about them. This satisfies the first factor. Exercising control over information—the second factor that delivers privacy—is difficult to achieve. Many users, just browsing the Internet or receiving unsolicited mail, are unaware of how the Information Economy works and of the fact that they are unintentionally a part of it. Information about a particular user's behaviour is collected without the user being aware that such a process is in place. Good user education about the threats of the new world can help users understand what is happening on the net and how personal data could be abused. However, even the users or consumers with the highest sensitivity to disclosure of information are not always helped by this, as companies still very rarely offer in their services an appropriate range of information practices regarding privacy protection. These unsatisfactory choices make the second factor in privacy protection hard to achieve. Other users or consumers of information may have a higher tolerance for information sharing, or they may have a sense of privacy that concerns information not yet touched by commerce. Their privacy may be entirely unaffected by even the broadest commercial information sharing. A good example of an area where information must be protected is medical privacy [5].

There is no question that protecting privacy in the commercial world, where business is done electronically, is hard, but it is also important to note that besides commerce there is another big player on the information highways that may be considered a potential data abuser—the government. Protecting privacy from public administration or governmental bodies is almost impossible. For example, when citizens apply for licenses or permits, fill out forms for regulators, or prepare tax returns, they do not have the power to control how the provided information will be shared. They must submit the information that the government requires. The first factor in privacy protection—the power to control personal information—is almost totally absent in the governmental context.

In order to identify privacy-enhancing technologies, we first need to identify the privacy threats in communication networks; afterwards we may proceed to study how privacy-enhancing technologies can improve privacy itself. Although the Internet is rapidly becoming 'the' only widely accessible communication network, due to its origin and development it has not been engineered to preserve certain types of privacy. Fischer-Hübner identifies four ways in which privacy protection can be achieved [10,11]:

– Protection by government laws;
– Protection by privacy-enhancing technologies;
– Self-regulation for fair information practice by codes of conduct promoted by businesses;
– Privacy education of consumers and IT professionals.

In this article, we will discuss just the first two ways, as they are widely applicable in a generic sense.

3. Threats
In order to look at the privacy-enhancing technologies that enable the implementation of policy and the protection of data as usually stated in legislative acts, it is necessary to look at the privacy threats in communication networks, such as identity disclosure, linkability of data, observability of data, location disclosure in mobile networks, or data disclosure. This section provides a brief overview of specific threats to privacy that arise in the context of the Internet [4,8,18].

3.1. HTTP chattering
The most frequently used service on communication networks is Web browsing, enabled by the HTTP protocol. Unless an e-user takes deliberate steps to hide her personal data, she is generally considered to be anonymous during a web browsing session. The underpinning web protocol for a browsing session, HTTP, relies upon the exchange of personally traceable information between the remote user and the host web server. In order to establish a web session, a set of default data variables is transmitted from the e-customer's machine to the remote server. By default, IP addresses are logged by most server software, and HTTP chattering indicates the operating and browsing environment, as well as the URL the user was at prior to loading the current web site. Thus, this information is automatically transmitted without the explicit consent (and often knowledge) of the person browsing. Using these IP addresses along with technology for tracing the route of TCP/IP packets, an approximate geographical location can be deduced. Because IP addresses are unique to every node on the Internet, this information allows individuals to be traced using Internet Service Provider (ISP) records, in cases where such effort is warranted. With the advent of IPv6, which contains much more explicit geographical positioning information in HTTP headers, this is likely to become even more of a threat to privacy. Similar considerations apply to other Internet protocols (e.g. SMTP for e-mail, FTP for file transfer, etc.). Hence, on the Internet there are mechanisms available to e-business administrators to identify, either by name or by IP address, an e-customer that is visiting a site, regardless of whether the e-customer has carried out any processing at the e-business web site or filled in any data submission forms. This identification mechanism, in addition to the web technology called a cookie, can be used to provide mechanisms for tracking, profiling and monitoring the activities of an e-customer. A user cannot entirely disable this HTTP 'chattering' process. However, users may use anonymizing services or write browsers which will only send vital headers (not including the referrer) [16].
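The 'chattering' described above, shown on a constructed HTTP/1.1 request as a server would see it, next to the 'vital headers only' client policy the paragraph mentions. This is an example added here, not code from the paper; the vital-header set, the sample request, the client address and the search engine's q parameter are all assumptions.

```python
"""What a web server learns from a single request, and what a minimal-header
client would have withheld.  Example added here, not the paper's code."""
from urllib.parse import parse_qs, urlsplit

# Assumption: the smallest header set most servers need to answer a plain GET.
VITAL_HEADERS = {"host", "accept", "connection"}

# Constructed sample request: a user following a link from a search-results page.
SAMPLE_REQUEST = (
    b"GET /articles/migraine-treatment HTTP/1.1\r\n"
    b"Host: health.example.org\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Accept: text/html\r\n"
    b"Accept-Language: sl-SI,sl;q=0.9\r\n"
    b"Referer: http://search.example.com/search?q=migraine+treatment\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)
SAMPLE_CLIENT_IP = "192.0.2.45"   # constructed, from the documentation range


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into its request line and lower-cased headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def server_view(client_ip: str, headers: dict) -> dict:
    """The passive data a server can log before any cookie or form is involved:
    the peer address, the browsing environment and the page the user came from."""
    referer = headers.get("referer")
    prior_search = None
    if referer:
        # If the previous page was a search-results page, the Referer carries the
        # search terms as well (the parameter name 'q' is an assumption).
        prior_search = parse_qs(urlsplit(referer).query).get("q", [None])[0]
    return {
        "ip": client_ip,
        "environment": headers.get("user-agent"),
        "language": headers.get("accept-language"),
        "came_from": referer,
        "prior_search": prior_search,
    }


def minimise_headers(headers: dict, keep=VITAL_HEADERS) -> dict:
    """Client-side policy from the text: send only vital headers, so Referer,
    User-Agent and Accept-Language never leave the machine."""
    return {name: value for name, value in headers.items() if name in keep}


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(server_view(SAMPLE_CLIENT_IP, req["headers"]))
    print(server_view(SAMPLE_CLIENT_IP, minimise_headers(req["headers"])))
```

The second line of output still carries the IP address: header minimisation removes the environment and referrer leaks but, as the text says, the address itself can only be hidden by an anonymizing service.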


3.2. Cookies and e-privacy threats
Cookies are at the core of many e-privacy incidents. The HTTP cookie is a file mechanism that creates the opportunity for more automated interaction between a web server and a client—it provides the remote server with a 'memory' of a user's identity. Cookie files may typically store information about an e-customer's personal ID, recent activities at a web site, credit card details, or site password information. Cookies can also provide some automation or 'intelligence' in e-commerce applications such as 'shopping carts' and management of user preferences. Cookies are a powerful technology for enhancing web site interactivity. However, cookies are also a technology with a number of inherent flaws that pose additional threats to personal privacy, e.g.:

– Security failures: Sensitive information is often stored in cookies, which are passed openly over the Internet. The contents of a cookie are, in theory, accessible to anybody capable of intercepting the cookie on the Internet or maliciously gaining remote access to a networked computer. For that reason, cookies should be encrypted when they contain personal data, but an e-customer hardly has any control over the security measures taken for cookie file transfer and storage.
– Monitoring: Many people believe that user identification via cookies is an invasion of their personal privacy. People are at liberty to enter a retail store in the physical world anonymously and without their purchases or activities being recorded or monitored. Privacy advocates feel that the same choice of anonymity should be available during online browsing. Cookies may also permit a third party to investigate the activities of an individual if they have access to their computer and their cookie files.
– Data disclosure: An e-commerce site that has personal information about an e-customer, stored via cookies, may exchange this data with other sites (for example, related business partners or sites that buy advertising space from them). This sharing of data may extend as far as cookies being synchronised for a group of businesses. This implies that personal information supplied voluntarily at one site may be used to track or identify an individual at other sites where they have never intentionally disclosed such information.
– Limited control: End-users have very little control over the content and use of cookies; in fact, to most users they are a totally invisible technology. Some web browsers provide the user with an option to disable cookies (i.e. to not accept them). However, this can often make some sites totally inaccessible. For those who do decide to accept cookie files, there are no browser mechanisms that inform the user as to what use is being made of the cookie or what data is being stored within it.
– Collecting data: One way of using cookies to collect personal data invisibly, or to assign users a unique identifier, is via links to a mechanism typically described as a Web Bug. A Web Bug is a graphic on a web page or in an e-mail message that is designed to monitor the user of the web page or the reader of the e-mail message. Web Bugs are typically 'invisible' on a web site because they are usually defined as a blank image 1 × 1 pixel in size, represented as HTML image (IMG) tags. The Web Bug is typically placed on a web site by a remote third party so that the activities of a web site user can be monitored indirectly. Another use of Web Bugs is to provide an independent accounting of how many people have visited a particular Web site. Web Bugs are also used to gather statistics about web browser usage at different places on the Internet. Web sites that are invisibly hyperlinked (unconsented link diversions, for instance in combination with a banner) can place cookies and collect typed keywords [6].

3.3. E-profiling
E-profiling is the process of building databases that contain the preferences, activities and characteristics of e-customers. It is a practice that has long been part of the offline commercial sector, but which has developed significantly with the growth of e-commerce.
It is quite common for profiling databases to hold references to millions of web clients. Many e-commerce web sites (including on-line search engines) have associations with commercial information brokerage companies. These sites make use of cookies to monitor a client's activities at the host site and record the data that was provided to the web server. Users' interests, browsing patterns and buying choices are stored as a profile in a database without their knowledge or consent. This profile information is used to decide which advertisements or services will be offered at the affiliated web sites. The information is typically collected and stored without a user's knowledge or, more importantly, consent. The information collected is purported to be non-personally identifiable; however, where an e-customer provides personal data to a web server (e.g. name and address), it is possible for the data to be correlated with e-mail addresses, IP addresses and demographics to create a far more personalised profile. Organisations involved in e-profiling activities stress that these activities are in the interest of the e-customer, providing more customised and directed services through the Web. However, many see e-profiling as a violation of basic privacy rights because data is collected and distributed without the e-customer's consent.

3.4. Embedded software
In addition to the browser mechanisms described above, which permit the collection of personal data, there are also privacy threats posed by new programming paradigms. Powerful programming languages have been developed for web-based applications, which have increased the complexity and capability of the Internet by many orders of magnitude. These languages include Java, JavaScript, XML, and ActiveX. They permit remote servers to run applications on a client's PC. These languages may be exploited in the commercial sector to allow an e-business to gain access to an e-customer's personal computing environment and the data held within it. Typically, e-customers are totally unaware of the privacy risks posed by Internet-enabled software applications running within their computing environment. These privacy risks are becoming more and more significant because the Internet is becoming a widespread channel for the entertainment industry (audio, video, gambling, etc.).
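The Web Bug pattern of Section 3.2 (a 1 × 1 IMG tag served by a remote third party), turned into a detector a site owner or auditor can run over a page; it also flags a tiny image whose URL carries a query-string identifier, which goes slightly beyond the text. This is an example added here, not code from the paper; the sample page and all hostnames are constructed.

```python
"""Detect Web Bugs (tracking pixels) in an HTML page.
Example added here, not the paper's code; sample page is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: a first-party logo, a visible third-party banner and a
# 1 x 1 third-party image carrying a per-user identifier in its query string.
SAMPLE_PAGE_URL = "http://shop.example.org/catalogue"
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="40" alt="Shop">
<a href="http://ads.example.net/click"><img src="http://ads.example.net/banner.gif"
   width="468" height="60"></a>
<img src="http://track.example.net/pixel.gif?uid=a7c3e9&page=catalogue"
     width="1" height="1" alt="">
<p>Welcome to our catalogue.</p>
</body></html>
"""


def _is_tiny(value) -> bool:
    """True for a width/height attribute of at most one pixel ('1', '0', '1px')."""
    if value is None:
        return False
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


class ImageCollector(HTMLParser):
    """Records every <img> with its resolved host, size class and query string."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        if not a.get("src"):
            return
        src = urljoin(self.page_url, a["src"])      # resolve relative URLs
        parts = urlsplit(src)
        self.images.append({
            "src": src,
            "host": parts.hostname,
            "third_party": parts.hostname != self.page_host,
            "tiny": _is_tiny(a.get("width")) and _is_tiny(a.get("height")),
            "has_identifier": bool(parts.query),     # e.g. ?uid=... per-user token
        })


def find_web_bugs(html: str, page_url: str) -> list:
    """A Web Bug is a tiny image that is served by a third party or that
    carries a query string (a likely unique identifier)."""
    collector = ImageCollector(page_url)
    collector.feed(html)
    collector.close()
    return [img for img in collector.images
            if img["tiny"] and (img["third_party"] or img["has_identifier"])]


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("web bug:", bug["src"])
```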


4. Protecting privacy
Privacy can be protected by measures that include proper legislation and the use of privacy-enhancing technologies and mechanisms. In this section, we give an overview of legislative initiatives for privacy protection and of known privacy-enhancing technologies.

4.1. Legislation
The European Commission decided years ago that the security of information systems and telecommunications networks is important and cannot be left to the vagaries of market forces. Maintaining proper confidentiality with respect to location information, traffic information, and the actual data traffic itself are three of the key provisions of the new European regulatory framework for electronic communications infrastructure and associated services. The new Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector, takes into account new technological developments and enables users to take control of their personally identifiable information [7]. However, this is just a framework addressing all relevant players (users, service providers, institutions, business, commerce, etc.) in the protection of privacy over electronic communications. The goals and the framework specified in these documents can be achieved through appropriate technologies and relevant implementations and application scenarios, research into social aspects and, not least, education and training. The basic foundation for implementing the Directive and other similar acts are applications based on existing and developing technologies, which are briefly elaborated in the sections that follow.

4.2. Privacy mechanisms
Several decades of legislative lobbying have yielded an impressive number of laws and regulations aimed at the protection of privacy, but in the eyes of most observers, these have not stopped its erosion. As a response to the deficits of legislation, as well as to general changes in the technological set-up of our societies, a new approach to the protection of personal privacy has emerged in the last couple of years. A new breed of technologies, so-called Privacy-Enhancing Technologies (PETs), has been developed to help individual users control the amount of personal information they disclose in an on-line transaction. These technologies promise to enable individuals to take control over how their data is being collected. The goal is to restore the balance of power between the individual who wants to retain privacy and the many actors in the online environment who want to gather personal information. The ultimate goal of these initiatives is to make informational self-determination a practical reality and to implement emerging policy frameworks—legislation and self-regulation—aimed at minimising the occasions on which violations of privacy are attempted, by restricting certain practices. Their ideal is a situation in which the individual's privacy is protected by default and individual acts of transgression can be dealt with through a policy framework enabled by the implementation of appropriate mechanisms. These, ideally, allow individuals to take action to protect their own privacy against frequent and unknown attempts to infringe upon it. Rather than relying on the state—or some industry association—to deal with the problem on a collective level, these technologies are designed to support action by the individual for the individual. The approach recognises that electronic communications have massively increased the scope of surveillance, and the solution is therefore aimed at remedying this situation on the same technological level: a technological fix for a technological problem.

There are many different privacy-enhancing technologies available to Internet users. Certain programs allow users to manage the cookies that web sites place on their hard drives. Others provide the ability to surf the Internet anonymously so that advertisers cannot track a user's shopping habits. These tools provide a certain degree of privacy to users of the Internet, so that they can take full advantage of the technology. In the following, the most important technologies and mechanisms are briefly discussed.

4.2.1. Encryption and steganography
One of the oldest security mechanisms that can be used for the provision of data confidentiality (data protection) is encryption. Encryption is the transformation of data into some unreadable form. Its purpose is to ensure privacy by keeping the information hidden from anyone for whom it is not intended, even those who can see the encrypted data. The reverse process of encryption is decryption, the transformation of encrypted data back into some intelligible form. Usually, encryption alone is not sufficient: a user may also need to conceal the fact that the data is encrypted. This can be done by steganography, the art of hiding signals inside other signals. This basically comes down to using spare bits in an innocent file to store the sensitive data. The techniques used make it impossible to detect that there is anything inside the innocent file, but the intended recipient can obtain the hidden data. In this way, users not only hide the message itself, but also the fact that they are sending that message. Steganography includes a vast array of techniques for hiding messages in a variety of media [17].

4.2.2. Blind digital signature
A 'blind digital signature' [19] is a variant of the digital signature that guarantees the user anonymity. The difference between the two types of signature is that a blind digital signature does not give any clues as to the identity of the person using the signed object (for example, a banknote is like an object with a blind digital signature: it gives no clues as to the identity of the person using it). That the object is genuine is confirmed by an external third party giving their digital signature; neither the user nor the user's identity appears. This kind of digital signature is used for the payment system known as electronic cash, e.g. 'Ecash' [16].

4.2.3. Trust centres
Trust centres are required for the realisation of certain security services across entire IT structures. The way in which such a trust centre works is often compared with that of a notary, i.e. a neutral, non-involved body.
As a rule, that body must be able to satisfy all those involved (that is, the user and any communications and business partners, and, if necessary, the operator of the information and communications (I/C) systems used) that they are doing their job correctly. The user, for instance, has faith that her true identity will remain confidential when using a pseudonym and that, if her identity is lawfully revealed, she will be informed without delay about who it will be disclosed to and why. The operator of the I/C system has faith that the user's real identity will be disclosed in defined, agreed cases of need (such as detecting abuse of power) to safeguard her legitimate interests. As well as by a commercial or public trust centre (called a Trusted Third Party—TTP), the job of a trust centre may also be done by a Personal Trust Centre (PTC) under the control of the user, e.g. 'intelligent' security tokens such as smart cards. The tasks that a trust centre may perform fall into four main areas:

– Key management: Generating and revoking keys, storing (public) keys, distributing and deleting/disabling keys;
– Certification services: Issuing certificates for public keys, personalising keys: allocating them to users (identity or pseudonym), registering users (confirming identity and allocating pseudonyms if necessary), personalising PTCs, certifying/admitting PTCs;
– Trustee functions: Acting as trustees for lodging personal data, e.g. ID data, keys for data security, etc.;
– Server functions: Providing information to the security infrastructure online, such as lists of (public) user keys, authenticating information, time stamps, and warnings of security-critical events.

Ensuring that trust centres are as trustworthy as possible requires a considerable amount of reliability and specialist knowledge. The neutrality and independence that a trust centre has to have must not be compromised by conflicts of interest; such problems may arise as the result of inappropriate combinations of a number of the (sub)tasks or roles above. It is not recommended that tasks where a particularly high level of security is required are carried out by a single trust centre; rather, they should be spread amongst a number of them. Trust centres are expected to work in accordance with a published policy which states their tasks, so that security requirements are clear and as user-verifiable as possible. Not all of the trust centre tasks above are suitable for minimising data abuse and hence for helping to ensure individual privacy, for example generating keys and holding public keys with identities. Examples of trust centres that could be mentioned here are First Virtual and public-key certification authorities.

4.2.4. The identity protector
An identity protector may be viewed as an element of the system that controls the release of an individual's true identity to various processes within the information system. Its effect is to cordon off certain areas of the system which do not require access to the true identity. The identity protector works in such a way as to protect the interests of the user. One of its most important functions is to convert a user's actual identity into a pseudo-identity—an alternate (digital) identity that the user may adopt when using the system (Fig. 1). Alternate identities also exist in conventional systems, such as bank account numbers, social insurance/social security numbers, health insurance numbers, etc. But these cannot be viewed as pseudo-identities, since they may easily be linked to one's true identity. In the privacy-protective systems of the future, the identity protector would most likely take the form of a smart card controlled by the user, which could generate pseudo-identities as desired. An identity protector performs the following functions:

– Generates pseudo-identities as needed;
– Converts pseudo-identities into actual identities (as desired);
– Combats fraud and misuse of the system.
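The blind digital signature of Section 4.2.2, applied to the anonymous digital cash that Section 4.2.4 uses as its example of fraud prevention: the bank signs a blinded coin serial at withdrawal, cannot later link the redeemed coin to any account, yet rejects a second deposit of the same serial. This is an illustration added here, not code from the paper or from Ecash; it uses textbook RSA blinding rather than any deployed product's protocol, and the toy RSA primes and the account name are constructed.

```python
"""RSA blind signature (Chaum) driving a minimal anonymous e-cash coin.
Example added here, not the paper's or any product's code; toy key size."""
import hashlib
import secrets
from math import gcd

# Constructed toy bank key: two small primes.  Real deployments need a modulus of
# at least 2048 bits; these values only keep the arithmetic readable.
_P, _Q = 1000003, 1000033
_E = 65537


def bank_keygen():
    """Return (n, e, d) for the signer (the 'bank')."""
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    d = pow(_E, -1, phi)
    return n, _E, d


def coin_value(serial: str, n: int) -> int:
    """Map a coin serial number to an RSA message representative (hash-then-sign)."""
    digest = hashlib.sha256(serial.encode()).digest()
    return int.from_bytes(digest, "big") % n


def blind(m: int, e: int, n: int):
    """User side: multiply m by r^e so the bank sees only m * r^e mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (m * pow(r, e, n)) % n, r


def unblind(blind_sig: int, r: int, n: int) -> int:
    """User side: divide out r to obtain an ordinary RSA signature on m."""
    return (blind_sig * pow(r, -1, n)) % n


def verify(m: int, sig: int, e: int, n: int) -> bool:
    return pow(sig, e, n) == m


class Bank:
    """Signs blinded coins at withdrawal and refuses to redeem a serial twice."""

    def __init__(self):
        self.n, self.e, self.d = bank_keygen()
        self.withdrawals = []   # (account, blinded value): no serial is visible here
        self.spent = set()      # serials already deposited

    def withdraw(self, account: str, blinded: int) -> int:
        self.withdrawals.append((account, blinded))   # a real bank debits the account here
        return pow(blinded, self.d, self.n)

    def deposit(self, serial: str, sig: int) -> str:
        if not verify(coin_value(serial, self.n), sig, self.e, self.n):
            return "rejected: bad signature"
        if serial in self.spent:
            return "rejected: already spent"   # anonymous double spending is caught
        self.spent.add(serial)
        return "accepted"


def withdraw_coin(bank: Bank, account: str):
    """Full user-side flow: pick a serial, blind it, have it signed, unblind."""
    serial = secrets.token_hex(16)
    m = coin_value(serial, bank.n)
    blinded, r = blind(m, bank.e, bank.n)
    sig = unblind(bank.withdraw(account, blinded), r, bank.n)
    assert verify(m, sig, bank.e, bank.n)
    return serial, sig


def bank_can_link(bank: Bank, serial: str, sig: int) -> bool:
    """The withdrawal log holds only blinded values, so neither the coin's
    serial representative nor its signature appears in it."""
    m = coin_value(serial, bank.n)
    return any(b in (m, sig) for _, b in bank.withdrawals)


if __name__ == "__main__":
    bank = Bank()
    serial, sig = withdraw_coin(bank, "alice")   # constructed account name
    print(bank.deposit(serial, sig))             # accepted
    print(bank.deposit(serial, sig))             # rejected: already spent
    print(bank_can_link(bank, serial, sig))      # False
```

Real e-cash schemes go further and reveal the identity of a double spender; this example only rejects the second deposit.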

Since the identity protector is under the control of the user, she can set it to perform a variety of functions, such as revealing her actual identity to certain service providers but not to others. When an identity protector is integrated into an information system, the user may use the services or engage in transactions anonymously, thereby elevating privacy to an all-time high. When an identity protector is introduced into an information system, two domains are created: an identity domain and a pseudo domain—one in which the user's actual identity is known and accessible, and one in which it is not. The identity protector functions so as to separate the two domains and may be applied anywhere in the system where personal data can be accessed. A simple guideline for designers of new information systems is to minimise the identity domain wherever possible and maximise the pseudo domain. The identity protector permits the designer of a system to minimise the personal data stored in a database. In effect, the service provider would not record the user's privileges or activities under their true identity but rather under their pseudo-identity. While the service provider must be able to determine what the user is authorised to do, this may be accomplished without learning the user's true identity. Since the identity protector acts somewhat as an intermediary between the user and the service provider, both parties must trust it. However, there is no disadvantage to service providers, since their ability to verify the user's privileges/eligibility for services remains intact. Indeed, the identity protector is designed in a way which prevents fraud and improper use. The latter can take various forms, ranging from prevention to detection and correction. It can prevent the user from using her anonymity as a shield to commit fraud and, in appropriate circumstances, can lead to the true identity of the user being revealed to the service provider and/or the authorities. For example, cryptographic techniques may be used to prevent a sum of money (digital cash) from being used anonymously more than once, or a service being used but not charged to the user [1,3].

Fig. 1. Hiding user's identity.

4.2.5. Cookie management
Another tool for protecting the user's privacy deals with cookies. As we already specified in the first part of this article, a cookie is an HTML data file that sits on the user's computer hard disk. It is placed there by a remote web server that the user has visited using a web browser (e.g. Netscape Communicator, MS Internet Explorer). Whilst being a very powerful technology for enhancing web site interactivity, cookies are a technology that can be misused in ways that present an abuse of personal privacy. Sensitive information is often stored in cookie files (passwords, credit card details), which pass openly over the Internet. The contents of the cookie would be, in theory, accessible to anybody capable of intercepting the cookie on the Internet or maliciously gaining remote access to the user's computer. Cookie files should be encrypted when containing personal data, but as a client, the user has no control over the security measures taken for cookie file transfer and storage. One of the remedies can be disabling HTTP cookie files. HTTP cookie files are one of the major privacy threats associated with web-based browsing or interactions. As a result, a number of organisations (both commercial and public) have issued tools and mechanisms for managing cookies. Cookie management software allows cookies to be deleted routinely. These tools allow a user to:

Disable cookie files—preventing cookie files being stored on your machine;  Selectively accept cookie files—allowing a user choice of who they accept cookie files from;  View Cookie files—allowing a user to search the contents of cookies and establish what information is being stored. 4.2.6. Anonymizers There are also other tools that strip out personal information in order to protect privacy. Anonymizing services allow a user to browse the Internet without fear. A number of schemes have been proposed, for example anonymous proxies, anonymous/pseudonymous servers, firewalls or solution called Freedom. The principle of anonymous proxies is simple—an account is created with a ‘trusted’ Internet Service Provider (that is an ISP that is trusted by both users and commercial organisations). A user can register her personal details with assurance that they will not be passed onto other parties or used for marketing purposes. Number of pseudonyms or ‘aliases’ can be created, which the user can use whilst carrying out transactions on the Web. In some cases, models have been proposed where it is possible to have purchasing powers arranged via the trusted third party,

such that web-based transactions can be charged indirectly to the client via the trusted third party's accounts. Examples of these schemes can be found in e-cash payment systems. The weakness of those systems lies in establishing the credibility and trust of the third-party provider. Anonymous/pseudonymous servers allow users to set up anonymous e-mail accounts. Each anonymous account is assigned a unique ID so that recipients can respond to an anonymous e-mail message. The servers provide accounts for e-mail, Usenet (newsgroup) and web browsing activities. Proxies and firewalls can also be counted among anonymizers. Proxies and firewalls are barriers between a computer and the Internet. Communications are only allowed under certain circumstances, and certain types of communication can be blocked entirely. The proxy computer can be set up to block communications such as cookies or junk mail. A firewall is a device for protecting a network against unauthorised access. Firewalls enforce an access policy by operating as a gateway between two networks. Several software products allow a user to set up a personal firewall according to her preferences. Zero-Knowledge Systems offers software called "Freedom" (http://www.zeroknowledge.com). This solution is based on at least three TCP/IP relays combined with strong encryption (symmetric keys at least 128 bits long). Because TCP/IP is used by every service on the Net, every service can thereby be encrypted and anonymized. Each of the three TCP/IP intermediary stations knows only the TCP address of its predecessor. They keep no logbook, so that even two relays put together are unable to trace back the information asked for or retrieved. Of course, the routing of the information is dynamic and will likely change even during a very brief communication [6].

4.2.7. Re-mailers
There are several anonymous re-mailer services running on the Internet.
These are programs that accept mail, strip off information that would identify the origin of the message, and forward the mail to the designated recipient. This simple scheme alone, however, is insecure if the anonymous re-mailer becomes compromised (or if the re-mailer was set up by an untrustworthy party in the first place). Whoever controls the re-mailer will have access to the identities of senders and recipients. Chaining re-mailers will not help a user much without encryption: e-mail messages are normally sent in the clear, so everyone can read the entire message and see who is sending what. If the user applies, for example, PGP to her messages to the re-mailers, that is no longer possible. Each re-mailer will only know where the message came from and where it is going to, but not who else is in the chain or what the actual message is.

4.2.8. Crowds
Crowds is a system for protecting user privacy while browsing the Web. For example, Crowds prevents a web server that a user visits from learning information that could identify her. Crowds operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members. Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and indeed collaborating crowd members cannot distinguish the originator of a request from a member who is merely forwarding the request on behalf of another. Crowds thus hides a user's identity from others while she obtains the information she desires. A proxy running on the user's local machine (or another machine she trusts) executes the Crowds protocol on her behalf. Participating in a crowd simply requires that the user starts this proxy and sets her browser to use it as the browser's proxy [15].

4.2.9. Crypto-Heaven
Crypto-Heaven is a user-friendly, no-compromise information-heaven crypto system, where no third parties, including server administrators, government agencies, big brothers and others watching, have access to the plain text version of transmitted information. Information is stored on the server in encrypted form as generated by the client, and only the sender and the recipient possess the keys to gain access to it. Having the entire logs of all transmissions made and all of the data stored on the server does not give access to the plain text version of the information (www.cryptoheaven.com).
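The property described for Freedom's three relays in 4.2.6 and for PGP-encrypted re-mailer chains in 4.2.7 (each hop learns only its predecessor and its successor, never the whole path or the plaintext) can be made concrete with nested encryption. The following Python is an added illustration written for this page, not code from the paper, from Zero-Knowledge Systems or from any re-mailer; the node names, the JSON layer format and the HMAC-SHA256 keystream cipher (standing in for PGP so that the example needs no third-party library) are this example's own.

```python
import hashlib
import hmac
import json
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed toy stream cipher: XOR with an HMAC-SHA256 keystream (CTR style).
    Symmetric, so the same call encrypts and decrypts. It stands in for PGP here."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


def seal(key: bytes, layer: dict) -> bytes:
    """Encrypt one layer (a small JSON dict) under one node's key; the nonce is prefixed."""
    nonce = os.urandom(12)
    return nonce + keystream_xor(key, nonce, json.dumps(layer).encode())


def open_layer(key: bytes, blob: bytes) -> dict:
    return json.loads(keystream_xor(key, blob[:12], blob[12:]).decode())


def build_onion(path, keys, recipient, message):
    """The sender wraps the message once per hop, innermost first: the recipient's
    layer holds the plaintext, relay i's layer names relay i+1 and carries the next
    layer as opaque ciphertext. Returns (first hop, bytes that go on the wire)."""
    layer = {"next": recipient, "blob": seal(keys[recipient], {"msg": message}).hex()}
    for relay in reversed(path):
        layer = {"next": relay, "blob": seal(keys[relay], layer).hex()}
    return layer["next"], bytes.fromhex(layer["blob"])


def run_chain(first_hop, blob, keys, sender):
    """Walk the chain node by node, recording all a relay can observe:
    (relay, predecessor address, successor address) and nothing else."""
    observed = []
    prev, node = sender, first_hop
    while True:
        layer = open_layer(keys[node], blob)
        if "msg" in layer:                      # final recipient: only it decrypts the text
            return node, layer["msg"], observed
        observed.append((node, prev, layer["next"]))
        prev, node, blob = node, layer["next"], bytes.fromhex(layer["blob"])


def demo(message="meet at noon"):
    # Constructed sample: three relays, as in Freedom, plus the recipient "bob".
    keys = {n: os.urandom(32) for n in ("relay1", "relay2", "relay3", "bob")}
    first_hop, wire = build_onion(["relay1", "relay2", "relay3"], keys, "bob", message)
    dest, msg, observed = run_chain(first_hop, wire, keys, "alice")
    return dest, msg, observed, wire


if __name__ == "__main__":
    for relay, came_from, goes_to in demo()[2]:
        print(f"{relay}: from {came_from} -> to {goes_to}")
```

Only the first relay ever sees the sender's address and only the last relay sees the recipient's, so a single compromised relay (or any two, as the text notes for Freedom) cannot link the two ends.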
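The Crowds forwarding mechanism of 4.2.8 can be simulated to check the two claims the text makes: the web server cannot single out the originator, and a collaborating member cannot tell the originator from a member that is merely forwarding. This is an added Python example, not the Crowds implementation of [15]; the crowd size and the value of the forwarding probability p_f are chosen for the example.

```python
import random


def build_path(originator, members, p_f, rng):
    """Jondos handling one request, in order. The originator's own jondo always
    forwards to a uniformly random member (possibly itself); each member then
    forwards again with probability p_f or submits the request to the server."""
    path = [originator, rng.choice(members)]
    while rng.random() < p_f:
        path.append(rng.choice(members))
    return path


def simulate(n_members=20, p_f=0.75, trials=20000, seed=7, collaborator=1):
    """Two views of many requests issued by member 0.
    server_view: how often the last jondo (the only one the server sees) is the
    true originator; with the crowd this is about 1/n instead of always.
    collaborator_view: among requests routed through one collaborating member,
    how often the member that handed the request over was the originator."""
    rng = random.Random(seed)
    members = list(range(n_members))
    originator = 0
    server_hits = reached = predecessor_was_originator = 0
    for _ in range(trials):
        path = build_path(originator, members, p_f, rng)
        server_hits += path[-1] == originator
        if collaborator in path[1:]:
            first_seen = path.index(collaborator, 1)
            reached += 1
            predecessor_was_originator += path[first_seen - 1] == originator
    return server_hits / trials, predecessor_was_originator / reached


if __name__ == "__main__":
    server_view, collaborator_view = simulate()
    print(f"server sees the originator as requester in {server_view:.1%} of requests")
    print(f"collaborator's predecessor is the originator in {collaborator_view:.1%} of routed requests")
```

With p_f = 0 (no re-forwarding) the collaborator's predecessor is always the originator; with p_f above 1/2 it is the originator in well under half the cases, which is the weaker guarantee Crowds offers against collaborating members.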


5. Projects
There are several on-going projects that are researching and developing privacy-enhancing technologies. We briefly present the best known here.

5.1. P3P
P3P (Platform for Privacy Preferences) [18], developed by W3C, is a standard designed to provide Internet users with a clear understanding of how personal information will be used by a particular web site. P3P is designed to enable users to communicate simply and automatically. It is based on a web site's stated privacy policies and how they compare with the user's own policy preferences. The P3P specification brings ease and regularity to web users wishing to decide whether and under what circumstances to disclose personal information. Users' confidence in online transactions increases as they are presented with meaningful information and choices about web site privacy practices. P3P does not set minimum standards for privacy, nor can it monitor whether sites adhere to their own stated procedures. It merely gives the user a good view of the options for protecting her privacy on the Web. Addressing all of the complicated, fundamental issues surrounding privacy on the Web requires an appropriate combination of technology, a legal framework and self-regulatory practices, applied together. Despite its original and far-reaching plans, P3P 1.0 is in its essentials a language for privacy policies. Although P3P developers, and some supporters, rightly and honestly acknowledge the limitations of P3P, some vendors have made grandiose promises about what P3P can do to solve online privacy problems. Whether P3P will be adopted remains to be seen. As technologies like P3P come and go, it is necessary for these tools to be evaluated critically [18]. Here are some references to P3P implementations, utilities and services that have been developed so far:

– Netscape 7.0 introduces two new privacy-related features based on the P3P standard:
  – Know the privacy practices of web sites with the P3P Privacy Policy Viewer;
  – Be informed about cookies with P3P Cookie Management.
– JRC P3P Proxy Version 2.0 acts as an intermediary agent (the middleman) that controls access to remote web servers depending on the privacy preferences a user has specified. A new version has now been released with improved speed, user interfaces, identity management, a special P3P menu integrated into every HTML page, and a complete toolkit for exploring P3P. There is also a local version of the agent, which does not require a separate proxy server and can work in conjunction with a company proxy.
– Internet Explorer 6 helps protect user privacy on the Web by giving the user more control over cookies and more information on a web site's privacy policy.
– The AT&T Privacy Bird helps Internet users stay informed about how the information they provide to web sites could be used. The tool automatically searches for privacy policies at every web site a user visits. The user can tell the software about her privacy concerns, and it will tell her, using bird icons, whether each site's policies match her personal privacy preferences.

5.2. PISA
The Privacy Incorporated Software Agent (PISA) [14] project aims to build a privacy guardian for the electronic age by demonstrating privacy-enhancing technology as a secure technical solution to protect the privacy of citizens when they are dealing with e-commerce or m-commerce applications. PISA offers a co-operative framework for participants to agree on and realise the first steps that will lead to a new service infrastructure in which a user can manage privacy. The demand for such services is demonstrated by the popularity of mobile phone services alone. The key actions of PISA are:
– To develop and validate novel, scalable and interoperable technologies, mechanisms and architectures for trust and security in organisations and infrastructures;
– To scale up, integrate, validate and demonstrate trustful and confident privacy-enhancing technologies for business and everyday life.
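A P3P user agent of the kind listed in 5.1 (the Privacy Bird, the JRC proxy) compares each STATEMENT in a site's policy with the user's preferences and reports the mismatches. The following Python is an added illustration, not W3C or vendor code; the site policy is a constructed fragment using P3P 1.0 element names, and the preference-rule format is this example's own rather than APPEL or any product's ruleset.

```python
import xml.etree.ElementTree as ET

# Constructed site policy using P3P 1.0 element names; not any real site's policy.
SITE_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1" discuri="http://example.test/privacy">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    <RECIPIENT><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP><DATA ref="#user.home-info.telecom.telephone"/></DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Constructed user preferences in this example's own shape (not APPEL): a rule
# objects to a STATEMENT when every field it lists overlaps with the statement.
USER_RULES = [
    {"name": "no sharing with unrelated or public recipients", "recipients": {"unrelated", "public"}},
    {"name": "no telemarketing use", "purposes": {"telemarketing"}},
    {"name": "no indefinite retention of identified user data",
     "retention": {"indefinitely"}, "data_prefix": "#user."},
]
FIELD_OF = {"PURPOSE": "purposes", "RECIPIENT": "recipients", "RETENTION": "retention"}


def local(tag):
    """Strip the namespace ElementTree prepends, e.g. '{...}PURPOSE' -> 'PURPOSE'."""
    return tag.rsplit("}", 1)[-1]


def parse_statements(policy_xml):
    """Flatten each STATEMENT into sets of purposes, recipients, retention and data refs."""
    statements = []
    for st in ET.fromstring(policy_xml).iter():
        if local(st.tag) != "STATEMENT":
            continue
        fields = {"purposes": set(), "recipients": set(), "retention": set(), "data": set()}
        for child in st:
            name = local(child.tag)
            if name in FIELD_OF:
                fields[FIELD_OF[name]] = {local(e.tag) for e in child}
            elif name == "DATA-GROUP":
                fields["data"] = {d.get("ref") for d in child if local(d.tag) == "DATA"}
        statements.append(fields)
    return statements


def evaluate(policy_xml, rules=USER_RULES):
    """Return (rule name, sorted data refs) for every statement a rule objects to;
    an empty list means the site's policy matches the user's preferences."""
    conflicts = []
    for st in parse_statements(policy_xml):
        for rule in rules:
            overlaps = all(st[k] & rule[k] for k in ("purposes", "recipients", "retention") if k in rule)
            scoped = any(d.startswith(rule.get("data_prefix", "")) for d in st["data"])
            if overlaps and scoped:
                conflicts.append((rule["name"], sorted(st["data"])))
    return conflicts
```

As the text notes, such a check only compares declared policy with preference; it cannot tell whether the site actually behaves as its policy states.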

5.3. RAPID
The Roadmap for Advanced Research in Privacy and Identity Management (RAPID) project is developing a strategic roadmap for applied research in the area of privacy and identity management (PIM). RAPID will build a robust forum of leading experts and stakeholders and provide a platform in which these stakeholders can develop a detailed technology roadmap. The two tasks that we are most interested in are:
– Privacy-Enhancing Technologies (PETs) for the enterprise;
– PETs in infrastructure.
RAPID will be undertaken in co-operation with a reference group consisting of stakeholders working in various areas related to privacy and identity management. The result will be an overall roadmap that considers privacy and identity management in an adequately holistic way.

5.4. GUIDES
The EU GUIDES project (principal partners Joint Research Centre and PricewaterhouseCoopers) was funded by DG Enterprise and completed in April 2002. The aim of the 12-month GUIDES project was to develop a set of guidelines at a European level for assessing the compliance of Internet-based data processing technologies with the EU Data Protection Directive (95/46/EC), the DPD. The GUIDES project used case study analysis of typical web information processing systems in the areas of e-commerce, health and government in order to characterise Internet-based data handling practices, particularly those pertinent to personal data. Subsequently, these practices were assessed within the context of the principles for privacy protection defined within the DPD. The mechanisms being used to exploit personal and private data were analysed and categorised in relation to the EU DPD. In addition, the mechanisms being developed or proposed to support the implementation of privacy principles, particularly technologies such as P3P, digital signatures and anonymous agents, were assessed to identify how closely they satisfy the requirements of the DPD. The outcome of the project was the production of a set of guidelines that clearly elaborate on the privacy issues relevant to current data processing practices based upon Internet and WWW technologies. The GUIDES set of guidelines is advisory only. The guidelines are drafted in a technology-neutral manner and give an e-business a 'quick guide' to helpful information about DPD 95/46/EC. The purpose of the guidelines is to assist e-businesses in Europe in adopting best privacy practice and complying with the DPD in respect of their web sites and related back-offices. Whilst there are many valid privacy concerns for other Internet services and Internet service providers (which result from their role as intermediaries), these are considered outside the scope of GUIDES. The GUIDES set of guidelines could be used as a template for other sector-specific guidelines (e.g. e-payment, e-health, HRM applications, online advertising, etc.). The final set of guidelines was defined in consultation with representatives from the standardisation, industry, government and academic privacy fields. The main GUIDES document contains an introductory section, a section on applicability issues of DPD 95/46/EC and the main section with the e-commerce guidelines on DPD 95/46/EC. The guidelines section consists of best practices illustrated with examples (using fictional entities). During the latter stages of the GUIDES project, the European Commission was formulating the new legislation covering the e-commerce and telecom sectors, mentioned in Section 4.1. Unfortunately, it was not possible to address it within GUIDES, and perhaps a useful follow-up to GUIDES would be to integrate the new legislative issues within the guidelines [9].

6. Conclusion
Over the last 35 years, legislation has not been able to stop the continuous erosion of privacy, and PETs, more recently, have been shown to be useful only in very narrow domains. The failure of the first PETs developed specifically to prevent the invasions of privacy that occur ever more frequently online shows that we have barely begun to integrate the Internet into everyday life. There is little indication that the boundary between the private and the public is not blurring. It will take a lot of effort to develop the kind of PETs that will satisfy the needs of users and protect their privacy on the Internet.

References
[1] R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley Computer Publishing, New York, 2001, 612 pp.
[2] B. Jerman-Blažič, W. Schneider, T. Klobučar (Eds.), Advanced Security Technologies in Networking, IOS Press, Amsterdam, 2001, 257 pp.
[3] Borking, et al., Privacy-Enhancing Technologies: The Path to Anonymity, Information and Privacy Commissioner/Ontario Canada and Registratiekamer, The Netherlands, 1995.
[4] R. Clarke, Privacy On the Internet—Threats, Department of Computer Science, Australian National University, Canberra, 1997.
[5] M. Curtin (Ed.), Developing Trust: Online Privacy and Security, Apress, Berkeley, 2002.
[6] J.-M. Dinant, ESPRIT Project 27028, Electronic Commerce Legal Issues Platform, 1999.
[7] Directive 2002/58/EC of the European Parliament and of the Council (Directive on privacy and electronic communications), Brussels, 2002.
[8] I. Avrum Goldberg, A Pseudonymous Communications Infrastructure for the Internet, University of California, Berkeley, 2000.
[9] GUIDES Project, Final Report: Deliverable D5.2, 2002.
[10] S. Fischer-Hübner, D. Thomas, Privacy and security at risk in the Global Information Society, in: B. Loader (Ed.), Cybercrime, Routledge, London, 2000.
[11] S. Fischer-Hübner, Privacy-Enhancing Technologies (PET), Course Description, Karlstad University Division for Information Technology, Karlstad, Sweden, 2001.
[12] A. Escudero Pascual, Anonymous Untraceable Communications—Location privacy in mobile internetworking, Licentiate Thesis, Royal Institute of Technology, June 2001.
[13] A. Escudero Pascual, Privacy in the Next Generation Internet, Royal Institute of Technology, Kista, Sweden, 2001.
[14] Privacy Incorporated Software Agent (PISA), Building a privacy guardian for the electronic age, 2000. Available at: http://www.tno.nl/instit/fel/pisa.
[15] M.K. Reiter, A.D. Rubin, Crowds: Anonymity for Web Transactions, ACM Transactions on Information & System Security, Vol. Issue 1, ACM Press, New York, 1998, pp. 66–92.
[16] F. Stalder, The voiding of privacy, Sociological Research Online 7 (2) (2002) 1–33.
[17] D. Sellars, An Introduction to Steganography, Computer Science Department, University of Cape Town, South Africa, 1999.
[18] W3C, Platform for Privacy Preferences, P3P 1.0, 2002.
[19] Working Group on "Privacy Enhancing Technologies" of the Committee on "Technical and organizational aspects of data protection" of the German Federal and State Data Protection Commissioners, Privacy Enhancing Technologies, 1997.
[20] Working Group on "Data Protection in Telecommunications" of the Committee on "Technical and organizational aspects of data protection" of the German Federal and State Data Protection Commissioners, Privacy Enhancing Technologies in Telecommunications, 1997.

Vanja Seničar received her Dipl. Ing. degree in Mathematics from the University of Ljubljana in 2002. The same year, she joined the Jozef Stefan Institute, where she is working towards an MSc degree. Her research interests include data security and privacy.

Prof. Dr. Borka Jerman Blažič is head of the Laboratory for Open Systems and Networks at the Jozef Stefan Institute, with more than 15 years of experience in networking. She also teaches postgraduate and undergraduate courses on Telecommunication Services at the Faculty of Economics, University of Ljubljana. Her research currently focuses on security in telecommunications, multimedia network services, and advanced computer network technologies. She is the author of more than 200 published scientific papers and books.

Tomaž Klobučar studied mathematics at the University of Ljubljana, and later computer science and informatics at the same university, where he received his PhD degree (2000). Currently, he is a research assistant at the Jozef Stefan Institute. His main interests are computer and network security, especially public key infrastructures, electronic signatures and formal security policies. For the last few years, he has been involved in establishing and operating the first Slovenian certification authority, SI-CA.