Abstract
This paper presents a survey of technologies for personal data self-management that interface with administrative and territorial public service providers. It classifies a selection of scientific technologies into four categories of solutions: Personal Data Store (PDS), Identity Manager (IdM), Anonymous Certificate System and Access Control Delegation Architecture. Each category, along with its technological approach, is analyzed against 18 identified functional criteria that cover architectural and communication aspects as well as user data lifecycle considerations. The survey is original in several respects. First, as far as we know, no survey of comparable depth covers such a panel of a dozen existing solutions. Second, it is the first survey addressing Personally Identifiable Information (PII) management for both administrative and private service providers. Third, this paper achieves a functional comparison of solutions of very different technical natures. The outcome of this paper is the clear identification of the functional gaps of each solution. On that basis, this paper establishes the research directions to follow in order to fill these functional gaps.
Cite this article
Marillonnet, P., Laurent, M. & Ates, M. Personal Information Self-Management: A Survey of Technologies Supporting Administrative Services. J. Comput. Sci. Technol. 36, 664–692 (2021). https://doi.org/10.1007/s11390-021-9673-z