Abstract
The project “ABC4Trust – Attribute-based Credentials for Trust” presented its two pilot trials in a workshop and engaged participants in discussions on the two existing as well as potential future application scenarios. Participants were asked to assess several different scenarios in order to determine when an inspection could be carried out without jeopardizing the potential of Privacy-ABCs to protect users’ rights. Their findings have been incorporated in a model inspection process that can be adapted to arbitrary scenarios.
The research leading to these results has received funding from the European Community’s Seventh Framework Programme (FP7/2007-2013) under Grant Agreement no. 257782 for the project Attribute-based Credentials for Trust (ABC4Trust).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Rannenberg, K., Camenisch, J., Sabouri, A. (eds.): Attribute-based Credentials for Trust – Identity in the Information Society. Springer, Heidelberg (2015)
Sabouri, A., Rannenberg, K.: ABC4Trust: protecting privacy in identity management by bringing privacy-ABCs into real-life. In: Camenisch, J., Fischer-Hübner, S., Hansen, M. (eds.) Privacy and Identity 2014. IFIP AICT, vol. 457, pp. xx–yy (2015)
Bcheri, S., Goetze, N., Orski, M., Zwingelberg, H.: Application description for the school deployment. deliverable D6.1 of the ABC4Trust Project (2012). https://abc4trust.eu/download/ABC4Trust-D6.1-Application-Description-School.pdf. Accessed 22 March 2015
Abendroth, J., Bcheri, S., Damgaard K., Ghani, H., Luna, J., Mikkelsen, G.L., Moneta, M., Orski, M., Suri, N., Zwingelberg, H.: Necessary hardware and software package for the school pilot deployment. Deliverable D6.2 of the ABC4Trust project (2013). https://abc4trust.eu/download/ABC4Trust-D6.2.Hard-and-Software-Package-for-School-Pilot.pdf. Accessed 22 March 2015
Bcheri, S., Björk, E., Deibler, D., Hånell, G., Lerch, J., Moneta, M., Orski, M., Schlehahn, E., Tesfay, W.: Evaluation of the school pilot. Deliverable D6.3 of the ABC4Trust Project (2014). https://abc4trust.eu/download/Deliverable%20D6.3.pdf. Accessed 22 March 2015
Abendroth, J., Liagkou, V., Pyrgelis, A., Raptopoulos, C., Sabouri, A., Schlehahn, E., Stamatiou, Y., Zwingelberg, H.: Application description for students. Deliverable D7.1 of the ABC4Trust project (2012). https://abc4trust.eu/download/ABC4Trust-D7.1-Application-Description-Students.pdf. Accessed 22 March 2015
Damgaard, K, Ghani, H., Goetze, N., Lehmann, A., Liagkou, V., Luna, J., Mikkelsen, G.L., Pyrgelis, A., Stamatiou, Y.: Necessary hardware and software package for the student pilot deployment. Deliverable D7.2 of the ABC4Trust project (2012). https://abc4trust.eu/download/ABC4Trust-D7.2.Hard-and-Software-Package-for-Student-Pilot.pdf. Accessed 22 March 2015
Deibler, D., Engeler, M., Krontiris, I., Liagkou, V., Pyrgelis, A., Schlehahn, E., Stamatiou, Y., Tesfay, W., Zwingelberg, H.: Evaluation of the student pilot. Deliverable D7.3 of the ABC4Trust Project (2014). https://abc4trust.eu/download/Deliverable%20D7.3.pdf. Accessed 22 March 2015
Bieker, F., Hansen, M., Zwingelberg, H.: Towards a privacy-preserving inspection process for authentication solutions with conditional identification. In: Hühnlein, D., Roßnagel, H. (eds.) Proceedings of Open Identity Summit 2014. LNI, vol. P-237, pp. 85–96. Gesellschaft für Informatik, Bonn (2014)
Bieker, F., Hansen, M.: Modelling the inspection process considerations concerning the revocation process. In: Rannenberg, K., Camenisch, J., Sabouri, A. (eds.) Attribute-Based Credentials for Trust Identity in the Information Society, pp. 155–161. Springer, Heidelberg (2015)
Alexandra Institute, Miracle, and IBM Research – Zurich: Privacy-Preserving Attribute-Based Credential Engine (p2abcengine). Repository on GitHub (2015). https://github.com/p2abcengine/p2abcengine. Accessed 22 March 2015
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Appendix
A Appendix
This appendix contains the five scenario descriptions that were handed out to the participants of the workshop. Each group had to assess one of the scenarios (school, e-commerce, casino, car rental, e-petitions) and think of solutions for different escalating situations.
School Scenario. Task: You are the people in charge of deciding on the case detailed below. Which measures can you adopt to remedy the situation while achieving a balanced result? How can this process of revealing a user’s identity best be implemented in practice to ensure a system of checks and balances?
The N School runs a Privacy-ABC based communication system. All pupils of the school can use the communication system, inter alia for chatting with each other, sharing documents and seeking advice from the school’s counsellors. The pupils act under pseudonyms they can choose anew any time.
Inspection grounds:
To guarantee the physical and mental safety of each participating pupil, the School Communication System foresees in all restricted areas except those for political discussions the revelation of the pupil’s identity (called inspection) in certain predefined emergency situations (called inspection grounds).
Inspection grounds:
-
Situations implying a severe threat to the life, or the physical/mental integrity of a person.
-
Situations demanding an intervention according to the school policy against discrimination and degrading treatment. It strives to prevent discrimination based on gender, sexual orientation, ethnic background, religion. The policy also sanctions harassment and other threats to the safety of students, including offensive language. It is a legal requirement to report such behavior and the names of the perpetrators to the school authority.
-
An existing court order or other valid administrative request.
-
Damage compensation (protection of third people’s rights claims).
Class 9b has opened a chat room “9B Only”, their own restricted area, accessible only to pupils and teachers of class 9b. The class and its teachers use this chat room especially for exchanging information on class activities – for instance a boat trip to the small rock islands along the shoreline.
Situations to be discussed:
-
1.
The boat trip was fun. The pupils took hundreds of photos. Pupil A shares several photos she took in the restricted area of class 9b. One of the photos is a portrait picture of B. B is not happy with the photo visible for the whole class. She recently has decided to be a punk and therefore dyed her hair green. But on the picture, taken two days ago, she is still naturally blonde. She demands deletion, first via chat and then in front of the class. A thinks that B has simply gone bonkers and decides neither to say that it was her who uploaded the picture nor to delete it. B thinks she has the right to deletion of the picture and to know who uploaded it. She demands inspection. She wants to confront the “photographer” personally.
-
2.
Finally, B found out that it was A who uploaded the picture. She is extremely disappointed, since she had thought A was her friend. B writes a chat message to all: “I never thought A would not respect other people’s feelings. I think everyone has the right to express her own personality. I am very disappointed that A did not delete the picture. I am not her friend anymore.” A feels offended – she is sure that it was B who wrote this. Since she is kind of clever, she decides not to answer in a way that would identify her as A. She writes: “I think what A did was alright. B is always exaggerating – she is such a wannabe and a drama queen and just silly.” A lively discussion is initiated. X1, X2, and X3 agree with what A wrote and call B “birdbrained”, “dumb blonde” and “insane”.
-
3.
B is devastated. No one understands her or even seems to take her seriously. Furthermore, everyone is making fun of her because of her new style. Former friends seem to stay away from her. So, late at night, after a day full of frustration, B writes the following chat message to “9B Only”: “I will kill you all. I got a reason, I got the means – tomorrow I will use the opportunity!”
E-Commerce Scenario. Task: You are the people in charge of deciding on the case detailed below. Which measures can you adopt to remedy the situation while achieving a balanced result? How can this process of revealing a user’s identity best be implemented in practice to ensure a system of checks and balances?
The e-commerce platform E-Buy offers traders to sell their goods via its portal. It is based on Privacy-ABC technologies. Users/potential customers do not reveal their identity to E-Buy nor to the sellers when registering to E-Buy and going shop**. They act under pseudonyms they can choose anew any time. Users can also rate the products they bought. The rating is visible to everyone who visits the platform. A user can have her products delivered to a central store, and pick them up there by identifying herself using the credential she gets from E-Buy when buying the respective products.
Customer C is looking for a mosquito blind. He makes a find among the products provided by D who mainly sells pesticides and other means to control pests. C buys the mosquito blind. When unpacking the mosquito blind, C finds a manual how to fix the mosquito blind on windows. One has to cut it to the proper size. C reads the manual carefully. But, however, he comes to the conclusion that one has to measure the internal side of the window’s frame. In fact, one has to measure the outer dimensions. Consequently, the mosquito blind is too small for the window and C cannot make use of it like this. C tries to call the seller D. D just says the product and manual were fine.
Inspection grounds:
-
Situations implying a severe threat to the life, or the physical/mental integrity of a person.
-
An existing court order or other valid administrative request because of criminal proceedings.
-
Damage compensation (protection of third people’s rights claims).
Situations to be discussed:
-
1.
C feels his problems were treated as a joke or something. He is angry and rates the mosquito blind with only one of five possible stars. Additionally he states, “In my opinion, the instruction manual provided by the seller was inadequate. Like this it is de facto impossible to fix this mosquito blind. The manual clearly states that in order to find the right size one has to measure the internal side of the window’s frame. In fact, one has to measure the outer dimensions. Otherwise the mosquito blind is too small.” D does not want this comment to ruin his impeccable reputation. In fact, he does not sell any mosquito blind during the following week. D is convinced that C’s rating irritates other customers. He demands the revelation of this customer’s identity, in order to claim compensation from C.
-
2.
C is furious. His rating of D is gone! Fortunately D still sells goods on E-Buy. C picks a nice rat trap. Actually C just wanted to have another possibility to rate D on E-Buy. So, after the trap was delivered, C writes, “No rat trap is big enough to trap the biggest rat on E-Buy: Its seller. D is a fraudster and sells inferior crap.” D thinks this is a severe offence and wants to make a complaint.
-
3.
Alternative: C is really furious. His rating is gone. Fortunately D still sells goods on E-Buy. C picks some poisonous gas (meant to be used for parasite prevention). After the gas was delivered, C writes, “Caution you pest! I got the gas and I know where you live. You will not live through this night!”
-
4.
Additional question: On the E-Buy platform some traders sell alcohol and cigarettes. According to the self-imposed rules of E-Buy such products may not be sold to persons under age 18. At which point should the potential customer have to prove that she is over 18?
Casino Scenario. Task: You are the people in charge of deciding on the case detailed below. Which measures can you adopt to remedy the situation while achieving a balanced result? How can this process of revealing a user’s identity best be implemented in practice to ensure a system of checks and balances?
J has is addicted to gambling. Since J is a junkie, but has a sense of style he only visits casinos of the LB Group. Admission only to members. LB casinos have a Privacy-ABC based access control system. This means, members can prove their membership (and access permission) via their smartphones when entering the casinos. The membership credentials also contain information about how much money is stored on a member’s account, since one cannot pay in cash at LB casinos. The LB Group only learns that a member has entered one of their casinos, but not which member. It cannot analyze the member’s usage behavior.
In the past five years, it got worse and worse. J lost his friends, because he borrowed money from them and never gave it back and lost his job because he repeatedly was gone for days without permission. Finally, his girlfriend threatens to move out if J does not stop gambling, because she cannot stand it anymore. Sitting on his mount of debt – round about EUR 250,000 – J comes to the conclusion that something has to change.
Inspection grounds:
-
Situations implying a severe threat to the life, or the physical/mental integrity of a person.
-
An existing court order or other valid administrative request because of criminal proceedings.
-
Damage compensation (protection of third people’s rights claims).
Situations to be discussed:
-
1.
Via the Privacy-ABC based LB communication system for members, J resigns his LB casino membership contract. LB Group accepts the notice, but denies releasing J from the membership contract immediately. It insists on the notice period of 3 months. J is devastated. Once committed to get rid of his gambling addiction by just kee** himself from going to the casino, he wants to make sure that he cannot access LB casinos anymore. Even though for the next 3 months he still will be a member. His girlfriend does not believe him that he will not go to the casino anymore although he still could.
-
2.
Although J managed not to gamble anymore for 4 weeks, his girlfriend left him for a professional poker player. J does not see any reason why he should not start gambling again. He wants to have access to the LB casinos again. In the end, he might still make a fortune … The LB Group is very generous and accepts the withdrawal of the notice. J will stay a member. But his membership credential is not valid anymore. He does not want a whole new membership credential, because there is still money stored on his original one.
-
3.
Believe it or not – J won 2 million Euros in one night. Boosted by such a success, J visits several LB casinos in the following days. Now that he is rich he can travel. And he keeps winning. The LB Group – due to Privacy-ABCs – does not know that it is always the same member who is winning tons of money. But the management is suspicious. In statistics, this is more than the standard deviation. LB Group’s lawyers suspect fraud. All the money is won in Black Jack. LB Group wants to know if it is the same person who is winning all the time.
Car Rental Scenario. Task: You are the people in charge of deciding on the case detailed below. Which measures can you adopt to remedy the situation while achieving a balanced result? How can this process of revealing a user’s identity best be implemented in practice to ensure a system of checks and balances?
Ride Ltd. runs a conventional car rental via an online platform. The platform is Privacy-ABC based. Users do not reveal their identity to Ride Ltd. when registering to the platform and renting cars. They act under pseudonyms they can choose anew any time. Users can pick up the car keys and the car from a central parking lot by identifying themselves using the credential they get from Ride Ltd. when renting a car. Ride Ltd. terms and conditions of business determine that in case of damages up to an amount of EUR 100, it is entitled to just debit the amount from the customer’s account. Such damages include minor accident damages, reimbursement of costs related to inappropriate use of the car, and giving back the car in a non-contractual condition. Customers are required to give back the car refueled.
N rents a car for a nice weekend trip to the sea side.
Inspection grounds:
-
Situations implying a severe threat to the life, or the physical/mental integrity of a person.
-
An existing court order or other valid administrative request because of criminal proceedings.
-
Damage compensation (protection of third people’s rights claims).
Situations to be discussed:
-
1.
N is back from the seaside. It has been a long day and he just wants to go home. The tank is really empty and N hardly makes it to the parking lot. Whatever – N just parks the car on the parking lot of Ride Ltd. and places the keys in the letter-box. The next morning, E – an employee of Ride Ltd. – checks the car and finds the empty tank. He cannot even drive the car to the gas station. E has to haul the gasoline canister to the car … thank you very much, dear customer …
-
2.
After refueling the car, E checks the interior. What the …? The whole backseat is full of blood. Indeed, N went fishing and made a pretty good catch. Unfortunately, the fish obviously had not had properly bled when N threw it on the back seat. Put briefly, the back seat is ruined and cannot be cleaned. The replacement will cost about EUR 3,000. Ride Ltd. contacts the customer – N – but of course Ride Ltd. only knows the pseudonym of the customer who had rented the car via the internal communication system. N does not answer. Ride Ltd. wants to claim compensation from him.
-
3.
While the lawyers of Ride Ltd. are preparing the civil proceedings against N, there is an incoming call. It is the police. A witness alleges that a man has just forced a girl into a car of Ride Ltd. The police suspect a crime – kidnap** or abduction – and want to know who has currently rented the car.
E-Petitions Scenario. Task: You are the people in charge of deciding on the case detailed below. Which measures can you adopt to remedy the situation while achieving a balanced result? How can this process of revealing a user’s identity best be implemented in practice to ensure a system of checks and balances?
In country X everyone has the right to petition to the parliament. It is a fundamental right which guarantees that the public authorities at least have to file the petition. If the public authority lacks competence concerning a petition’s content, it may dismiss the petition as inadmissible. Within the parliament there is a petition committee which is competent to decide on and answer petitions. Petitions offer the possibility to raise an issue and oblige the democratically elected representatives to address this issue. They can be filed in writing (via post) or electronically, via an online form which is provided on the petition committee’s website. The website employs Privacy-ABCs. This means, users can petition anonymously. Petitions are published automatically online if the petitioner does not object when filing the petition. Since the petitions are not manually checked before they are published online, you sometimes find interesting howlers inside …
Inspection grounds:
-
Situations implying a severe threat to the life, or the physical/mental integrity of a person.
-
An existing court order or other valid administrative request because of criminal proceedings.
-
Damage compensation (protection of third people’s rights claims).
Situations to be discussed:
-
1.
“After almost 10 years of female rule of President M we are only inches away from the abyss. Everything will run down the drain if we do not stop them. We need to take a step back, back to the days when the world was still governed by worthy men – and only by men. Reasonable, reliable, and down-to-earth. Women are nothing but a victim of their genes and hormones. We cannot let them govern our homeland any longer. Abolish women’s suffrage!!!”
-
2.
“The killing of male chicks is a blatant injustice which cannot be accepted anymore! We, the National Chicken Liberation Forces, demand satisfaction! The killing must be stopped immediately. If the parliament does not adopt an anti-male-chicken-killing law within the next 48 h, we will free all chicken farms!”
-
3.
In country X all armament deals are subject to the approval of a supervisory board. In general, weapons from X may not be sold and delivered to countries which are currently considered as “region in crisis”. Y owns an arms company. Business is going pretty bad since, due to all those crises in the world, the supervisory board does not easily give the green light to all deals anymore. Y panics a bit. So he petitions the parliament: “If you do not drop the prior approval, I will give you a product presentation right in the middle of the parliament! Our tanks will break your walls and make you approve them!”
-
4.
Additional question: Assumed, someone is petitioning all the time – say, twice a day. What to do?
Rights and permissions
Copyright information
© 2015 IFIP International Federation for Information Processing
About this paper
Cite this paper
Bieker, F., Hansen, M., Mikkelsen, G.L., Obersteller, H. (2015). ABC4Trust Workshop on Core Features of Privacy-ABCs, Practical Use, and Legal Issues. In: Camenisch, J., Fischer-Hübner, S., Hansen, M. (eds) Privacy and Identity Management for the Future Internet in the Age of Globalisation. Privacy and Identity 2014. IFIP Advances in Information and Communication Technology, vol 457. Springer, Cham. https://doi.org/10.1007/978-3-319-18621-4_17
Download citation
DOI: https://doi.org/10.1007/978-3-319-18621-4_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-18620-7
Online ISBN: 978-3-319-18621-4
eBook Packages: Computer ScienceComputer Science (R0)