Dealing with Privacy Issues during the System Design Process

Christos Kalloniatis (1), Evangelia Kavakli (1), Stefanos Gritzalis (2)

(1) Cultural Informatics Laboratory, Department of Cultural Technology and Communication, University of the Aegean, Harilaou Trikoupi & Faonos Str., 81100 Mytilene, Greece
(2) Laboratory of Information and Communication Systems Security, Department of Information and Communications Systems Engineering, University of the Aegean, 83200 Samos, Greece
{ch.kalloniatis, kavakli}@ct.aegean.gr, [email protected]

Abstract - In the global information society, avoiding privacy violation is becoming an increasingly critical issue. Related literature includes a number of Privacy Enhancing Technologies for ensuring system privacy. However, each of these technologies focuses on specific issues without providing an integrated solution for meeting all four basic privacy requirements (i.e., anonymity, pseudonymity, unlinkability, and unobservability). Current research in the area of security requirements engineering advocates that privacy requirements should be considered earlier in the system development process, during the design rather than the implementation level. In this paper, we propose a new methodology, called PriS, which aims to incorporate privacy requirements into the system design process by adopting a goal-oriented approach. Each privacy requirement is treated as a separate "goal" to be met during the system design process; goals are collaboratively realised by processes, which in turn are supported by IT systems. In this way, tracing between high-level organisational objectives and detailed support mechanisms is achieved. We argue that PriS provides a solution that overcomes some of the limitations of existing approaches.

Keywords - Privacy requirements, requirements engineering methodology.
I. INTRODUCTION

The Internet, as the contemporary data highway on which the global information society is built, is known for many security risks. The rapid development of new information infrastructures increases our dependence on the Internet and might lead to a vulnerable information society based on insecure technologies. In this way, individual privacy is seriously endangered and is becoming an international problem. Indeed, more and more personally identifiable information is electronically transmitted and disseminated over insecure networks and processed by websites and databases that lack proper privacy protection mechanisms and tools. Therefore, the need for a methodology that considers and safeguards the privacy requirements (i.e., anonymity, pseudonymity, unlinkability, and unobservability) is immense. To this end, many countries have developed a privacy legislation framework, which only solves some legal aspects of privacy within the country's borders. An international harmonization of privacy legislation is needed but is hardly achievable due to cultural differences.

From a software systems perspective, a number of security-oriented technologies and architectures have been proposed in the literature. Although these architectures are more privacy-oriented than security-oriented, they focus only on specific issues without providing an integrated solution for meeting all four basic privacy requirements. Furthermore, recent research supports the need for considering privacy requirements earlier in the system development process, during the design rather than the implementation level [1, 2].

This paper presents a new methodology, called PriS (Privacy Safeguard), for incorporating basic privacy requirements into the system design process. PriS provides a set of concepts for modeling privacy requirements in terms of organisational goals during the system design process. In addition, it describes a systematic way of working for analyzing the impact of privacy goals on the organisational processes and the associated software systems supporting these processes. PriS concepts are based on the Enterprise Knowledge Development framework described in [3, 4]. The PriS methodology has a high degree of applicability to systems that wish to provide services to their users based on the four privacy requirements mentioned above, such as anonymous browsing, untraceable transactions, etc.

II. DEFINING PRIVACY

A review of current research in the area of user privacy highlights the path for user privacy protection in terms of four privacy requirements, namely anonymity, pseudonymity, unlinkability and unobservability [1, 5]. By addressing these requirements one aims to minimize or eliminate the collection of user-identifiable data. In more detail, J. C. Cannon in [5] expresses anonymity as the state of being anonymous or virtually invisible; having the ability to operate online without being tracked. In [1, 19] anonymity is defined as the ability of a user to use a resource or service without disclosing his/her identity.
Anonymity serves the great purpose of hiding personally identifiable information when there is no need to reveal it. Browsing the Internet only to collect information is one of many situations in which anonymity plays a significant role and must be attained.

Pseudonymity is the user's ability to use a resource or service by acting under one or many pseudonyms, thus hiding his/her real identity. However, under certain circumstances the possibility of translating pseudonyms to real identities exists. Pseudonyms are aliases for a user's real identity. Users are allowed to operate under different aliases. Nevertheless, revelation of the user's real identity occurs when acting unlawfully. Pseudonymity has characteristics similar to anonymity in that the user is not identifiable but can be tracked through the aliases he/she uses [5]. Pseudonymity is used for protecting the user's identity in cases where anonymity cannot be provided (e.g. if the user has to be held accountable for his/her activities) [1].

The third privacy principle is unlinkability. As J. C. Cannon states in [5], unlinkability expresses the inability to link related information. In particular, unlinkability is successfully achieved when an attacker is unable to link specific information with the user that processes that information. Unlinkability can also be achieved between a sender and a recipient. In that case unlinkability means that, though the sender and recipient can both be identified as participating in some communication, they cannot be identified as communicating with each other. The ability to link transactions could give a stalker an idea of the user's daily habits, or an insurance company an idea of how much alcohol his/her family consumes over a month. Ensuring unlinkability is vital for protecting the user's privacy.

Finally, unobservability protects users from being observed or tracked while browsing the Internet or accessing a service. Unobservability is similar to unlinkability in the sense that the attacker aims to reveal users' identifiable information by observing rather than linking the information he/she retrieves.

5th IEEE International Symposium on Signal Processing and Information Technology, Athens, Greece, December 18 - 21, 2005

III. PRIVACY ENHANCING TECHNOLOGIES

Many architectures, tools and protocols have been designed for protecting users' privacy.
Specifically, Anonymizer, presented in [6], is a third-party web site which acts as a middle layer between the user and the site to be visited, providing user anonymity. Crowds is an agent also developed for protecting user anonymity. It is based on the idea that people can be anonymous when they blend into the crowd [7]. Onion Routing is a general-purpose infrastructure for private communications over a public network. It provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis [8, 9]. DC-Net (Dining Cryptographers Network), proposed in [10, 11], allows participants to send and receive messages anonymously in an arbitrary network. It can be used for providing perfect sender anonymity. Mix Networks is another technique introduced in [12] and further discussed in [13]. It realizes unlinkability of sender and recipient as well as sender anonymity against the recipient and, optionally, recipient anonymity. Hordes is a protocol designed to utilize multicast communication for the reverse path of anonymous connections, achieving not only anonymity but also sender unlinkability and unobservability. A detailed description of Hordes is given in [14]. GAP (GNUnet's Anonymity Protocol), presented in [15], is a recently presented protocol that achieves anonymous data transfers. However, GAP is customized to the functionality of a peer-to-peer network. Finally, Tor, presented in [16], is an architecture based on the Onion Routing architecture with an improved way of working.

IV. THE PRIS METHODOLOGICAL FRAMEWORK

A. PriS conceptual model

This section introduces the PriS (Privacy Safeguard) methodology. PriS is a privacy requirements engineering methodology which provides a set of concepts for modeling privacy requirements in the organization domain and a systematic way-of-working for translating these requirements into system models. The conceptual model used in PriS is based on the Enterprise Knowledge Development (EKD) framework [3, 4], which is a systematic approach to developing and documenting enterprise knowledge, helping enterprises to consciously develop schemes for implementing changes (e.g., the introduction of a new software system). Modelling of organisational knowledge in EKD is achieved through the modelling of: (a) organisational goals, which express the intentional objectives that control and govern its operation, (b) the 'physical' processes, which collaboratively operationalise organisational goals, and (c) the software systems that support the above processes. EKD adopts a goal-oriented approach to software engineering. For an overview of goal-oriented methodologies please refer to [18]. The EKD generic schema is shown in figure 1. As shown in figure 1, processes represent WHAT needs to be done, goals justify WHY the associated processes exist, while systems describe HOW processes can be implemented in terms of appropriate system architectures. In this way, a connection between system purpose and system structure is established.

Based on this schema, PriS models privacy requirements as a special type of goal (privacy goal) which constrains the causal transformation of organisational goals into processes. From a methodological perspective, reasoning about privacy goals comprises the following activities: (a) elicit privacy-related goals, (b) analyze the impact of privacy goals on processes and (c) identify the technique(s) that best support/implement the above processes. The PriS way-of-working is described in the following section.
Fig 1. The EKD Schema.

B. The PriS way-of-working
The first step concerns the elicitation of the privacy goals that are relevant to the specific organization. This task usually involves a number of stakeholders and decision makers (managers, policy makers, system developers, system users, etc.). Therefore, elicitation of privacy goals is described by the following activities: perform stakeholder analysis and organize a stakeholder workshop; identify privacy issues; and agree on a structured set of privacy goals. Identifying privacy issues is guided by the four basic privacy concerns (anonymity, pseudonymity, unlinkability and unobservability) identified in section 2. The aim is to interpret the general privacy requirements with respect to the specific application context under consideration.

The second step is to analyze the impact of these privacy goals on processes and related support systems. Answering this question involves the following tasks: identify the influence of privacy goals on organisational goals, and analyze the impact on processes. A summary of this process is shown in figure 2. As shown in figure 2, for each privacy goal PriS identifies the impact it may have on other organisational goals. This impact may lead to the introduction of new goals or to the improvement / adaptation of existing goals. Introduction of new goals may lead to the introduction of new processes, while improvement / adaptation of goals may lead to the adaptation of the associated processes accordingly. Repeating this process for every privacy goal and its associated organisational goals leads to the identification of alternative ways for resolving privacy requirements. The result of this process is modeled in the spirit of an extended AND/OR goal graph.

Fig 2. PriS way-of-working (panels: privacy goals under consideration; organisational goals; impact on processes; suggested implementation techniques)

The last step is to define the system architecture that best supports the privacy-related processes identified in the previous step. As discussed in section 3, a number of alternative system implementation architectures may be used depending on the privacy requirement that one wishes to achieve. Therefore, instead of prescribing a single solution, PriS identifies and suggests a number of implementation techniques and architectures that best
support the realization of each privacy-related process in the system's development phase. The developer is then responsible for choosing which architecture is best for the system under development, based on the organization's priorities such as cost, system efficiency, etc. Based on the previous example, for the implementation of process P2, which is related to the unobservability privacy goal, PriS suggests a number of techniques such as Tor, Onion Routing, Hordes, etc. Based on the organization's criteria, developers will choose which architecture best satisfies the system's requirements.

V. APPLICABILITY OF PRIS METHODOLOGY IN THE UNIVERSITY OF THE AEGEAN CAREER OFFICE SYSTEM

This section presents the application of the PriS methodology to the University of the Aegean Career Office. For a detailed description of the Career Office please refer to [17].

A. The Aegean Career Office System

The main objective of the University of the Aegean Career Office system is boundary management, i.e. helping students to manage the choices and transitions they need to make on exit from their studies in order to proceed effectively to the next step of their life. The career office system is described by three main principles that form the three primary organisational goals, namely: a) Provide Career Information, b) Offer Guidance through Events and c) Maintain a lifelong communication with the graduates. Specifically, the first principle implies that the career office should maintain a career information system, which will be continuously updated from various sources (press, web-sites etc.) and will be openly accessible to the academic community. The second principle implies that the career office will provide educational, vocational and careers guidance to the students through particular events (with highly experienced speakers from the business world, from universities, from embassies etc.). Also, it will have the responsibility to organize summer jobs for the undergraduate students. Finally, the third principle implies that the career office will have to maintain a lifelong relationship with the graduate students concerning their relevance to employment. Based on the above, the EKD methodology was applied for constructing the career office goal model and for identifying the relevant processes that realize the operationalised subgoals. The produced model is presented in figure 3. The dotted boxes are the relevant processes that satisfy each subgoal.
Fig 3. Goal-Model of the University of the Aegean Career Office System

B. Applying PriS

The goal model of figure 3 forms the basis upon which the three PriS activities (presented in section 4) are applied, as described in the following sections.

Elicit Privacy-Related Goals. After performing a stakeholder analysis and an identification of the basic privacy concerns for the career office system, it is agreed that the anonymity principle needs to be considered for the specific system. Specifically, when graduates send information through the career office portal it must be ensured that others won't be able to reveal their personally identifiable information.

Analyze the impact of privacy goals on processes. After the elicitation of privacy goals, the relevant goals and subgoals on which anonymity has an impact, based on the application context, are identified. The identified goals for the specific privacy goal, based on the system's goal model, are shown in table 1. For every subgoal the relevant processes that realize this goal are also identified. These are shown in table 2.

Table 1. Goals identified during the elicitation process

Privacy Goal: Ensuring Anonymity
Affected Goals:
  G3) Maintain a lifelong communication with the graduates
  G3.3) Make follow-up research concerning the employment and the professional progress of the graduates of the University by sending questionnaires to the graduates

Table 2. Processes that realize identified goals

Affected Goal:
  G3.3) Make follow-up research concerning the employment and the professional progress of the graduates of the University by sending questionnaires to the graduates
Processes:
  P4) Conduct graduates Survey
  P4.3) Collect Responses

Subsequently, the identified goals are either modified or new goals are introduced, in order to realize anonymity. Specifically, for the goal "Maintain a lifelong communication with the graduates" and the relevant subgoal "Make follow-up research concerning the employment and the professional progress of the graduates of the University by sending questionnaires to the graduates", two more subgoals for realizing the anonymity goal are introduced, namely a) Send questionnaires to the graduates and b) Ensure graduates' anonymity when collecting responses. The rationale for the introduction of these two subgoals is explained below.

In particular, for conducting the graduates' survey, the career office sends questionnaires to all university graduates. Specifically, the career office creates a database with the contact details of all the graduates of the University of the Aegean. It receives the relevant data from the secretariats of each Department and compares them with the data it has collected from the previous graduates' survey. Then questionnaires are posted to the career office portal. Emails are sent to graduates with a link to the corresponding page in the career office's portal. For graduates without an email, a letter is posted with the questionnaire and a return envelope with a pre-paid postage stamp. Responses are then collected either through the career office's portal or by email. Based on the organization's context, graduates must be assured that nobody, especially malicious third parties, will be able to reveal the name or other elements that may lead to the identification of the graduate who submits the answered questionnaire. Thus, altering the specific goal is essential for protecting graduates' anonymity. The structure of the current goal as well as the suggested modification is shown in figure 4.

As can be seen from figure 3, the process "Conduct graduates survey" is realized by a number of sub-processes. After the introduction of the anonymity goal, the relevant sub-process "Collect Responses" is identified as also needing modification. Thus, as shown in figure 4, the specific sub-process has been modified to the one named "Collect Responses by protecting graduates' anonymity". In some cases one or more of the identified processes may realize more than one goal, some of which may not be directly affected by the introduction of the specific privacy goals. In this case PriS marks the specific goals and performs an impact analysis on each one of them to ensure that, after the alterations of the relevant processes, the specific goals are not affected. After the modifications on the goal-process structure we move on to the next step, where a number of implementation techniques are suggested to the developer of the system, who is then responsible for choosing the most appropriate one.

Fig 4. Modifying the "Make follow-up research concerning the employment and the professional progress of the graduates of the University by sending questionnaires to the graduates" subgoal
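As an added illustration of the impact-analysis and technique-suggestion steps of section IV.B, applied to the career office case above (example code written for this page, not the paper's own tool or any PriS implementation), the following Python models a fragment of the goal graph, collects the processes a privacy goal affects, flags processes that also realise goals outside the affected set (which PriS marks for a separate impact analysis), and lists the catalogued techniques that support the privacy goal. Goal G3.1, process P4.1 and all function and data-structure names are assumptions; the technique capabilities encoded are only those the paper states.

```python
# Added example (not the paper's tool): PriS impact analysis and technique suggestion.
from dataclasses import dataclass, field

PRIVACY_REQUIREMENTS = ("anonymity", "pseudonymity", "unlinkability", "unobservability")

@dataclass
class Goal:
    gid: str
    text: str
    subgoals: list = field(default_factory=list)   # AND/OR refinement, by goal id
    processes: list = field(default_factory=list)  # ids of processes realising this goal

# Fragment of the career office goal model (Fig. 3, Tables 1-2 of the paper).
# G3.1 and P4.1 are hypothetical additions used to exercise the shared-process check;
# P4 = "Conduct graduates Survey", P4.3 = "Collect Responses" (Table 2).
GOALS = {
    "G3": Goal("G3", "Maintain a lifelong communication with the graduates", ["G3.1", "G3.3"]),
    "G3.1": Goal("G3.1", "Keep graduate contact details up to date (hypothetical)",
                 processes=["P4.1"]),
    "G3.3": Goal("G3.3", "Make follow-up research by sending questionnaires",
                 processes=["P4", "P4.1", "P4.3"]),
}

# Which of the four requirements each technique supports, taken only from what
# Sections III and IV.B and Table 3 of the paper state; nothing else is assumed.
TECHNIQUES = {
    "Anonymizer": {"anonymity"},
    "Crowds": {"anonymity"},
    "Onion Routing": {"anonymity", "unobservability"},
    "DC-Nets": {"anonymity"},
    "Mix-Nets": {"anonymity", "unlinkability"},
    "Hordes": {"anonymity", "unlinkability", "unobservability"},
    "GAP": {"anonymity"},
    "Tor": {"anonymity", "unobservability"},
}

def goal_closure(goal_ids):
    """Return the given goals plus all of their transitive subgoals."""
    seen, stack = set(), list(goal_ids)
    while stack:
        gid = stack.pop()
        if gid not in seen:
            seen.add(gid)
            stack.extend(GOALS[gid].subgoals)
    return seen

def affected_processes(goal_ids):
    """PriS step 2: the processes that realise any affected goal or subgoal."""
    return sorted({p for g in goal_closure(goal_ids) for p in GOALS[g].processes})

def shared_goal_check(process_ids, goal_ids):
    """Mark processes that also realise goals outside the affected set; PriS runs
    a separate impact analysis on those goals before the process is altered."""
    affected = goal_closure(goal_ids)
    flagged = {}
    for pid in process_ids:
        others = sorted(g.gid for g in GOALS.values()
                        if pid in g.processes and g.gid not in affected)
        if others:
            flagged[pid] = others
    return flagged

def suggest_techniques(privacy_goal):
    """PriS step 3: every catalogued technique that supports the privacy goal."""
    if privacy_goal not in PRIVACY_REQUIREMENTS:
        raise ValueError(f"unknown privacy requirement: {privacy_goal}")
    return sorted(t for t, caps in TECHNIQUES.items() if privacy_goal in caps)

def apply_pris(privacy_goal, affected_goal_ids):
    """Run steps 2 and 3 for one privacy goal and the organisational goals it affects."""
    procs = affected_processes(affected_goal_ids)
    return {
        "privacy_goal": privacy_goal,
        "goals": sorted(goal_closure(affected_goal_ids)),
        "processes": procs,
        "needs_impact_analysis": shared_goal_check(procs, affected_goal_ids),
        "techniques": suggest_techniques(privacy_goal),
    }
```

For the career office case, `apply_pris("anonymity", ["G3.3"])` returns the processes P4, P4.1 and P4.3, flags P4.1 because the hypothetical G3.1 also depends on it, and lists all eight techniques of Table 3; `suggest_techniques("pseudonymity")` is empty because the paper names no technique for that requirement.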
Identify the technique(s) that best support/implement the above processes. A number of implementation techniques that best support the above processes can be used, based on the current system's architecture. The career office system architecture is shown in figure 5. It consists of a mail server, through which undergraduate and graduate students can communicate and receive information from the career office; the career office portal, a subsystem developed to provide the user interface of the system via the Web; the argumentation subsystem, which supports the discussion (consultation) of various participants as part of the career office activities; a database subsystem used for the management of the database; a knowledge base used for supporting the argumentation process; a database used for storing data related to the graduates' survey; and a main server which supports the argumentation and database subsystems as well as the career office's portal.

Fig 5. Career Office System Architecture

Considering the specific architecture and the privacy goals that were introduced in the previous steps, PriS produces a list of suggested implementation techniques for realizing anonymity (shown in table 3). Developers are then responsible for choosing the technique that best conforms to the system's needs, also taking into consideration additional criteria, e.g. implementation cost, architecture complexity, etc.

Table 3. Implementation Techniques that realize Anonymity goal

Technique       Anonymity
Anonymizer      Yes
Crowds          Yes
Onion Routing   Yes
DC-Nets         Yes
Mix-Nets        Yes
Hordes          Yes
GAP             Yes
Tor             Yes
VI. CONCLUSIONS

In this paper, PriS, a new methodology for incorporating user privacy requirements into the system design process, is introduced. PriS identifies which goals need privacy protection, identifies the relevant privacy requirements that need to be satisfied, identifies the processes that satisfy these goals and proposes a number of implementation techniques by which these processes can be realized. Many architectures and methodologies have been developed for protecting users' privacy. However, most of them are near the implementation level or early in the design process, and none treats privacy as a separate design criterion. As A. Cavoukian states in [5], the concept of privacy by design is the only way to solve the existing vulnerabilities in the privacy domain. Future steps include the design of a software tool that will automatically identify the impact of a privacy goal on the goal-process structure. It will also provide developers with a description of each implementation technique and a guiding procedure for applying the selected technique to the system under development.

REFERENCES

[1] Fischer-Hübner, S.: IT-Security and Privacy. LNCS Vol. 1958, Springer (2001)
[2] Kalloniatis, C., Kavakli, E., Gritzalis, S.: Security Requirements Engineering for e-Government Applications. DEXA EGOV'04 Conference, LNCS Vol. 3183, Springer (2004) 66-71
[3] Loucopoulos, P., Kavakli, V.: Enterprise Knowledge Management and Conceptual Modelling. LNCS Vol. 1565, Springer (1999) 123-143
[4] Loucopoulos, P.: From Information Modelling to Enterprise Modelling. In: IS Engineering: State of the Art and Research Themes. Springer (2000) 67-78
[5] Cannon, J. C.: Privacy, What Developers and IT Professionals Should Know. Addison-Wesley (2004)
[6] Anonymizer, available at www.anonymizer.com
[7] Reiter, K.M., Rubin, D.A.: Anonymous Web Transactions with Crowds. Communications of the ACM, Vol. 42, No. 2 (1999) 32-38
[8] Reed, M., Syverson, P., Goldschlag, D.: Anonymous Connections and Onion Routing. IEEE Journal on Selected Areas in Communications, Vol. 16, No. 4 (1998) 482-494
[9] Goldschlag, D., Syverson, P., Reed, M.: Onion Routing for Anonymous and Private Internet Connections. Communications of the ACM, Vol. 42, No. 2 (1999) 39-41
[10] Chaum, D.: Security without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10 (1985) 1030-1044
[11] Chaum, D.: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, Vol. 1, No. 1 (1988) 65-75
[12] Chaum, D.: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2 (1981) 84-88
[13] Pfitzmann, A., Waidner, M.: Networks without User Observability. Computers & Security, Vol. 6, Issue 2 (1987) 158-166
[14] Shields, C., Levine, N.B.: A Protocol for Anonymous Communication over the Internet. In: Samarati, P. and Jajodia, S. (eds.): Proceedings of the 7th ACM Conference on Computer and Communications Security. ACM Press, New York, NY (2000) 33-42
[15] Bennett, K., Grothoff, C.: GAP - Practical Anonymous Networking. Proceedings of the Workshop on Privacy Enhancing Technologies (PET 2003) (2003), also available at http://citeseer.nj.nec.com/bennett02gap.html
[16] Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. Proceedings of the 13th USENIX Security Symposium, San Diego, CA, USA (2004)
[17] ICTE-PAN: Methodologies and Tools for Building Intelligent Collaboration and Transaction Environments in Public Administration Networks. Project Deliverable D 3.1b, University of the Aegean, Greece
[18] Kavakli, E.: Modeling Organizational Goals: Analysis of Current Methods. Proceedings of the 2004 ACM Symposium on Applied Computing, Nicosia, CY, March 2004, ISBN: 1-58113-812-1, pp. 1339-1343
[19] Common Criteria Project, http://csrc.nist.gov/cc/