More Web Proxy on the site http://driver.im/

Article

Owner-controlled information

Authors:

Jacob SlonimAuthors Info & Claims

NSPW '03: Proceedings of the 2003 workshop on New security paradigms

Pages 103 - 111

https://doi.org/10.1145/986655.986670

Published: 13 August 2003 Publication History

Abstract

Information about individuals is currently maintained in many thousands of databases, with much of that information, such as name and address, replicated across multiple databases. However, this proliferation of personal information raises issues of privacy for the individual, as well as maintenance issues in terms of the accuracy of the information. Ideally, each individual would own, maintain and control his personal information, allowing access to those who needed at the time it was needed. Organizations would contact the individual directly to obtain information, therefore being assured of using current and correct information.While research has been performed on users owning and controlling access to their personal information in an electronic commerce environment, we argue that this concept should be extended to all user information including, for example, medical and financial information. The end goal is not for users to simply maintain copies of this information, but to be the source of this information.This paper presents the concept of users owning their personal information and introduces some of the issues involved in users being able to control access to this information. The security requirements, including authentication, access control and audit, as well as user interfaces and trust, for this new paradigm are given particular emphasis.

References

[1]

A. Adams and M. A. Sasse. Users are not the enemy. Communications of the ACM, 42(12):40--46, 1999.]]

Digital Library

[2]

M. Bellare and S. Goldwasser. Verifiable partial key escrow. In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 78--91, Zurich, Switzerland, 1997.]]

Digital Library

[3]

S. A. Brands. Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press, Cambridge, Massachusetts, 2000.]]

Digital Library

[4]

D. Chaum. Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10):1030--1044, 1985.]]

Digital Library

[5]

L. F. Cranor, J. Reagle, and M. S. Ackerman. Beyond concern: Understanding net users' attitudes about online privacy. Technical Report TR 99.4.3, AT&T Labs, Apr. 1999.]]

[6]

W. Diffie and S. Landau. Commentary: The threat of Microsoft's .NET. kingpublishing.com, 2001. Last visited: 17 July 2003.]]

[7]

J. Dobson. Private communication between John Dobson and Steven J. Greenwald at NSPW 1996 as referenced by Greenwald, 2003.]]

[8]

Electronic Privacy Information Center. Microsoft passport investigation docket, http://www.epic.org/privacy/consumer/microsoft/passport, himl, 2003. Last visited: 17 July 2003.]]

[9]

C. M. Ellison, B. Frantz, B. Lampson, R. Rivest, B. M. Thomas, and T. Ylonen. SPKI certificate theory, 1998. Internet draft, work in progress.]]

Digital Library

[10]

M. Fairhurst, R. Guest, F. Deravi, and J. George. Using biometrics as an enabling technology in balancing universality and selectivity for management of information access. In Universal Access. Theoretical Perspectives, Practice, and Experience: 7th ERCIM International Workshop on User Interfaces for All, pages 249--259, Paris, France, 2002. Springer-Verlag Heidelberg. Lecture Notes in Computer Science 2615. October 24--25, 2002.]]

[11]

J. Lettice. Big Brother Award nomination for WPA, Passport pains MS. The Register, 2001. 1 April 2003. Last visited: 17 July 2003.]]

[12]

Liberty Alliance. Liberty Alliance project. http://www.projectliberty.org//2003. Last visited: 17 July 2003.]]

[13]

P. Madsen. The Liberty Alliance. webservices.xml.com, 2003. 1 April 2003. Last visited: 17 July 2003.]]

[14]

Microsoft Corporation. Microsoft .NET passport: One easy way to sign in online. http://www.passport.net/.Last visited: 17 July 2003.]]

[15]

Microsoft Corporation. Microsoft announces "Hailstorm," a new set of xml web services designed to give users greater control. http ://www.microsoft.com/presspass/features/2001/mar01/03-19hailstorm.a%.sp, 2001. Last visited: 17 July 2003.]]

[16]

F. Monrose, M. K. Reiter, Q. Li, and S. Wetzel. Cryptographic key generation from voice. In Proceedings of the 2001 IEEE Symposium on Security and Privacy, pages 202--213, 2001.]]

Digital Library

[17]

National Institute for Standards and Technology. Escrowed encryption standard (EES), 1994.]]

[18]

J. S. Park, R. Sandhu, and G.-J. Ahn. Role-based access control on the web. ACM Transactions on Information and System Security, 4(1):37--71, 2001.]]

Digital Library

[19]

S. Pearson. Trusted agents that enhance user privacy by self-profiling. Technical Report HPL-2002-196, HP Laboratories, 2002.]]

[20]

S. Pearson. Trusted computing platforms, the next security solution. Technical Report HPL-2002-221, HP Laboratories, 2002.]]

[21]

R. L. Rivest, M. E. Hellman, J. C. Anderson, and J. W. Lyons. Responses to NIST's proposal. Communications of the ACM, 35(7):41--54, 1992.]]

Digital Library

[22]

R. L. Rivest and B. Lampson. SDSI--a simple distributed security infrastructure. http://theory.lcs.mit.edu/~rivest/sdsi10.ps, 1996. Presented at CRYPTO '96. Last visited: 27 May 2002.]]

[23]

R. S. Sandhu, E. J. Coyne, H. L. Feinnstein, and C. E. Youman. Role-based access control models. IEEE Computer, 29(2):38--47, 1996.]]

Digital Library

[24]

R. S. Sandhu and P. Samarati. Access control: principles and practice. IEEE Communications, 32(9):40--48, 1994.]]

Digital Library

[25]

M. A. Sasse. Private communication at NSPW 2003 with Carrie Gates. 20 August 2003.]]

[26]

M. A. Sasse, S. Brostoff, and D. Weirich. Transforming the 'weakest link' --- a human/computer interaction approach to usable and effective security. BT Technology Journal, 19(3):122--131, 2001.]]

Digital Library

[27]

Secure Electronic Transactions -- Devices, U.S. Army. Common access card (CAC). https: //setdweb.setd.army.mil/cac/whatiscac.htm. Last visited: 17 July 2003.]]

[28]

M. Slemko. Microsoft passport to trouble. http://alive.znep. com/~marcs/passport/, 2001. Last visited: 17 July 2003.]]

[29]

K. Toth and M. Subramanium. The persona concept: a consumer-centered identity model.http://eecs.oregonstate.edu/~ktoth/0ther/TrustBus03-Persona-Toth&Subram%aniumV1.pdf. Last visited: 15 July 2003.]]

[30]

A. Whitten and J. Tygar. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium, pages 169--184, Washington, D.C., 1999. Usenix. August 23--26, 1999.]]

Digital Library

Cited By

Jin JAhn GHu HCovington MZhang X(2011)Patient-centric authorization framework for electronic healthcare servicesComputers and Security10.1016/j.cose.2010.09.00130:2-3(116-127)Online publication date: 1-Mar-2011
https://dl.acm.org/doi/10.1016/j.cose.2010.09.001
Peyton LDoshi CHu JSeguin P(2010)Information rich monitoring of interoperating services in privacy enabled B2B networksInternational Journal of Advanced Media and Communication10.1504/IJAMC.2010.0346604:3(258-273)Online publication date: 1-Aug-2010
https://dl.acm.org/doi/10.1504/IJAMC.2010.034660
Gates CBishop M(2010)The security and privacy implications of using social networks to deliver healthcareProceedings of the 3rd International Conference on PErvasive Technologies Related to Assistive Environments10.1145/1839294.1839329(1-6)Online publication date: 23-Jun-2010
https://dl.acm.org/doi/10.1145/1839294.1839329
Show More Cited By

Owner-controlled information
1. Security and privacy
  1. Systems security
2. Social and professional topics
  1. Computing / technology policy

Recommendations

Injecting Subject Policy into Access Control for Strengthening the Protection of Personal Information

To protect stored personal information, many organizations and information systems adopt the role-based access control model (RBAC) or the mandatory access control model (MAC). Although individuals want to control their personal information, an ...
Owner-Controlled Towards Personal Information Stored in Hippocratic Database
ICCTD '09: Proceedings of the 2009 International Conference on Computer Technology and Development - Volume 02

Privacy protection has become one of the important requirement in web-based information system that deal with personal information. There are an issues arise that personal information collected should be privacy-protected. Owner should know to what ...
Architecture for user-controlled e-privacy
SAC '03: Proceedings of the 2003 ACM symposium on Applied computing

Empowering users to make informed decision-making over online release of private data is a challenge in today's society. A large majority of users has rejected many e-privacy business models including Lumeria's, Zero-Knowledge's, and Microsoft's ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

NSPW '03: Proceedings of the 2003 workshop on New security paradigms

August 2003

127 pages

ISBN:1581138806

DOI:10.1145/986655

Editors:
Christian F. Hempelmann,
Victor Raskin,
General Chair:
O. Sami Saydjari,
Program Chairs:
Simon Foley,
R. Sekar

Copyright © 2003 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 August 2003

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

NSPW03

Sponsor:

SIGSAC
ACSA

NSPW03: New Security Paradigms and Workshop

August 18 - 21, 2003

Ascona, Switzerland

Acceptance Rates

Overall Acceptance Rate 98 of 265 submissions, 37%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

10
Total Citations
View Citations
1,175
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)0

Reflects downloads up to 11 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Jin JAhn GHu HCovington MZhang X(2011)Patient-centric authorization framework for electronic healthcare servicesComputers and Security10.1016/j.cose.2010.09.00130:2-3(116-127)Online publication date: 1-Mar-2011
https://dl.acm.org/doi/10.1016/j.cose.2010.09.001
Peyton LDoshi CHu JSeguin P(2010)Information rich monitoring of interoperating services in privacy enabled B2B networksInternational Journal of Advanced Media and Communication10.1504/IJAMC.2010.0346604:3(258-273)Online publication date: 1-Aug-2010
https://dl.acm.org/doi/10.1504/IJAMC.2010.034660
Gates CBishop M(2010)The security and privacy implications of using social networks to deliver healthcareProceedings of the 3rd International Conference on PErvasive Technologies Related to Assistive Environments10.1145/1839294.1839329(1-6)Online publication date: 23-Jun-2010
https://dl.acm.org/doi/10.1145/1839294.1839329
Mannan Mvan Oorschot PBishop MProbst CKeromytis ASomayaji A(2009)Localization of credential information to address increasingly inevitable data breachesProceedings of the 2008 New Security Paradigms Workshop10.1145/1595676.1595680(13-21)Online publication date: 21-Aug-2009
https://dl.acm.org/doi/10.1145/1595676.1595680
Jin JAhn GHu HCovington MZhang XCarminati BJoshi J(2009)Patient-centric authorization framework for sharing electronic health recordsProceedings of the 14th ACM symposium on Access control models and technologies10.1145/1542207.1542228(125-134)Online publication date: 3-Jun-2009
https://dl.acm.org/doi/10.1145/1542207.1542228
Ghani NSidek Z(2009)Owner-Controlled Towards Personal Information Stored in Hippocratic DatabaseProceedings of the 2009 International Conference on Computer Technology and Development - Volume 0210.1109/ICCTD.2009.90(227-231)Online publication date: 13-Nov-2009
https://dl.acm.org/doi/10.1109/ICCTD.2009.90
Peyton LDoshi CSeguin PLyons KCouturier CSpencer BStorey M(2007)An audit trail service to enhance privacy compliance in federated identity managementProceedings of the 2007 conference of the center for advanced studies on Collaborative research10.1145/1321211.1321230(175-187)Online publication date: 22-Oct-2007
https://dl.acm.org/doi/10.1145/1321211.1321230
Carroll NCalvo RMarkauskaite L(2006)E-Portfolios and Blogs: Online Tools for Giving Young Engineers a Voice2006 7th International Conference on Information Technology Based Higher Education and Training10.1109/ITHET.2006.339736(1-8)Online publication date: Jul-2006
https://doi.org/10.1109/ITHET.2006.339736
Fægri THallsteinsen S(2006)A Software Product Line Reference Architecture for SecuritySoftware Product Lines10.1007/978-3-540-33253-4_8(275-326)Online publication date: 2006
https://doi.org/10.1007/978-3-540-33253-4_8
Beckwith RMainwaring S(2005)Privacy: personal information, threats, and technologiesProceedings. 2005 International Symposium on Technology and Society, 2005. Weapons and Wires: Prevention and Safety in a Time of Fear. ISTAS 2005.10.1109/ISTAS.2005.1452707(9-16)Online publication date: 2005
https://doi.org/10.1109/ISTAS.2005.1452707

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents