A Client-Based Privacy Manager for Cloud Computing

Miranda Mowbray, HP Labs, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, UK, +44-117-3128178, Miranda.Mowbray@hp.com
Siani Pearson, HP Labs, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, UK, +44-117-3128438, Siani.Pearson@hp.com

ABSTRACT
A significant barrier to the adoption of cloud services is that users fear data leakage and loss of privacy if their sensitive data is processed in the cloud. This paper describes A Client-Based Privacy Manager that helps reduce this risk, and that provides additional privacy-related benefits.

unauthorized uses of the data by service providers and of theft of
Digital Object Identifier: 10.4108/ICST.COMSWARE2009.6493
http://dx.doi.org/10.4108/ICST.COMSWARE2009.6493

in many cases will also contain individual information about the customers who have made purchases, such as their email addresses and product preferences. The security threat that we consider in this scenario is the theft of sales data from the service provider’s system, followed by possible resale to business competitors or identity thieves.

2.2 Customized End-User Services
Information may be automatically gathered about end-user context and user data in the cloud assessed, in order to provide targeted end user services. For example, in a non-enterprise scenario, a user could be notified which of his friends are near his current location. The assessed data might include: name, location, availability (for example, derived from calendars), recommendations, likes and dislikes, names of service providers used, phone contacts, details of phone calls including target and duration, lists and contact details of relatives, friends, work colleagues, etc.

The main threats in this type of scenario involve:
• Personal information about a user being collected, used, stored and/or propagated in a way that would not be in accordance with the wishes of this user.
• People getting inappropriate or unauthorized access to personal data in the cloud by taking advantage of certain vulnerabilities, such as lack of access control enforcement, data being exposed ‘in clear’, policies being changeable by unauthorized entities, or uncontrolled and/or unprotected copies of data being spread within the cloud.
• Legal non-compliance. In particular, restrictions on transborder data flow may apply, and also some of the data may be of types subject to additional regulations.

2.3 Share Portfolio Calculation
This is a more specific example than the two above. The application is the calculation of the current value of a user’s share portfolio. The application receives data from the user specifying the number of shares in different companies in a portfolio. Whenever the user wishes to know the current value of the portfolio, he sends a query to the application, which looks up the current value of the relevant shares, calculates the total value of the portfolio, and returns this value to the user.

The threat in this scenario is a leak of information about the user’s share ownership from the service provider’s system, followed by possible misuse. As this is financial data, the user may be particularly keen to keep it private, and there may also be additional regulations limiting its communication and use.

2.4 Requirements
A set of requirements arise from privacy legislation and consideration of the scenarios above:
R1. minimization of personal and sensitive data used and stored within the cloud infrastructure
R2. security protection of data used and stored within the cloud infrastructure: safeguards must prevent unauthorized access, disclosure, copying, use or modification of personal information
R3. purpose limitation: data usage within the cloud has to be limited to the purpose for which it was collected and should only be divulged to those parties authorized to receive it.
R4. user centric design: the user should be given choice about whether or not his information is collected to be used within the cloud, his consent should be solicited over the gathering and usage of such information and he should be given control over the collection, usage and disclosure of personal and sensitive information.
R5. user feedback: notice about data collection should be provided to the user about what information will be collected, how it will be used, how long it will be stored in the cloud, etc. and there should be transparency about how personal information that is collected is going to be used within the cloud.

Privacy legislation may also impose some other requirements, such as conformance to rules on data retention and disposal, and data access (in the sense of users being able to get access to personal information stored about them – in this case, in the cloud – to see what is being held about them and to check its accuracy). A further aspect is that it is necessary to respect cross-border transfer obligations, but that is particularly difficult to ensure within cloud computing, so it is likely that legislation will need to evolve to allow compliance in dynamic, global environments: the notion of accountability is likely to provide a way forward.

Privacy laws differ according to country block, and also national legislation. The basic principles given in [13] apply to most countries, and many national privacy laws are based on them. There is however a difference in view: in the EU privacy is a basic right, whereas in the Asia Pacific region privacy legislation is more centered on avoiding harm. Depending on jurisdiction there may be additional restrictions on the processing of certain sensitive types of data, such as health or financial data.

3. OUR SOLUTION
In this section we present the overall architecture of our solution, provide more detail about the functionality provided by a central component of this solution, and then consider how this solution may address certain issues raised in the previous section.

3.1 Overall Architecture
The overall architecture of our solution is illustrated in Figure 1. Privacy Manager software on the client helps the user to protect his privacy when accessing cloud services. A central feature of the Privacy Manager is that it can provide an obfuscation and de-obfuscation service, to reduce the amount of sensitive information held within the cloud. In addition, the Privacy Manager assists the user to express privacy preferences about the treatment of his personal information, use multiple personae, review and correct information stored in the cloud, etc. Further detail about these features is given below.
Figure 1: Overview of our solution. (Figure labels: User; Client running the Privacy Manager, with Obfuscation, Preferences, Feedback, Data access and Personae modules; Internet; Cloud Application holding Obfuscated Data.)

3.2 Privacy Manager
In this section we describe the features of the Privacy Manager in more detail.

3.2.1 Obfuscation
The first feature of the Privacy Manager provides obfuscation and de-obfuscation of data. This feature can automatically obfuscate some or all of the fields in a data structure before it is sent off to the cloud for processing, and translate the output from the cloud back into de-obfuscated form. The obfuscation and de-obfuscation is done using a key which is chosen by the user and not revealed to cloud service providers. This means that applications in the cloud cannot de-obfuscate the data. Moreover, an attacker who uses the same application will not be able to de-obfuscate the user’s data by observing the results when he obfuscates his own data, since his obfuscation key will not be the same as the user’s key. Since this obfuscation is controlled by the user, it should be more attractive to privacy-sensitive users than techniques for data minimization that they do not control.

In general, the more information that is obfuscated within a data structure, the smaller the set of applications which can run using the obfuscated data structure as input, and the slower the obfuscation process. In some cases, it is not an option to obfuscate all the personal and sensitive data in the data structure. Data items that are not obfuscated may be used by cloud services for personalization of user content and targeting of advertising. The other features of the Privacy Manager allow users some control over the handling of these data items by the cloud services.

3.2.2 Preference setting
A second feature of the Privacy Manager is a method for allowing users to set their preferences about the handling of personal data that is stored in an unobfuscated form within the cloud. A similar approach has been taken within P3P [21] and PRIME [19]. The resultant policies can then be associated with data sent to the cloud, and preferably cryptographically bound to it (by encrypting both the policy and data under a key shared by the sender and receiver). For stickiness of the privacy policy to the data, public key enveloping techniques can be used. Alternatively, it is possible to use policy-based encryption of credential blobs (a form of Identifier-Based Encryption (IBE) technology) [2]: the policies could be used directly as IBE encryption keys to encrypt the transferred material [3].

Part of this specification could involve the purpose for which the personal data might be used within the cloud, and this could be checked within the cloud before access control were granted, using mechanisms specified via [4]. Note that, unlike the obfuscation feature, this feature is only useful if there is a corresponding policy enforcement mechanism within the cloud.

3.2.3 Data access
The Privacy Manager contains a module that allows users to access personal information in the cloud, in order to see what is being held about them, and to check its accuracy. This is essentially an auditing mechanism which will detect privacy violations once they have happened, rather than a mechanism to prevent violations from happening in the first place. Nevertheless the basic principles of data access and accuracy [13] are considered to be part of privacy in many national privacy laws. So under these laws, the service providers need to be able to make this information accessible to the user. This module enables, organises and logs this access on the client machine. Providing data access when data is spread over a very large number of machines is a highly challenging problem, although it may be a legal requirement: solving this problem is outside the scope of this paper. If the data is spread over only a few machines, it should be relatively straightforward for the service provider to enable data access.

3.2.4 Feedback
The Feedback module manages and displays feedback to the user regarding usage of his personal information, including notification of data usage in the cloud. This module could monitor personal data that is transferred from the platform – for example location information, usage tracking, behavioural analysis, etc. (while the Preferences feature would allow the user to control such collection). It could also have an explanatory role, including education about privacy issues and providing informed choice to the user, beyond expression of preferences.

3.2.5 Personae
This feature allows the user to choose between multiple personae when interacting with cloud services. For example, in some contexts a user might not want to reveal any personal information and just act in an anonymous manner, whereas in other contexts he might wish for partial or full disclosure of identity. The user’s choice of persona may drive the strength of obfuscation that is used. For example, there may be certain data items within a data set which the obfuscation mechanism will obfuscate if the data is associated with one persona, but not if it is associated with other personae of the same user.
3.3 How Our Solution Addresses the Problem Scenarios
We now consider how this solution may be used to address the issues raised within the scenarios presented in Section 2.

3.3.1 Sales Force Automation
Suppose that the sales data sent to the cloud for a Sales Force Automation service has entries consisting of a customer, product, status (purchase, failure etc), price and time. The Privacy Manager obfuscation module translates the customer, product and status into pseudonyms, multiplies the price by a factor, and moves the time forward by a time interval. The obfuscation software will generate new pseudonym maps and price factors for each new user. (The pseudonym maps may be implemented by association tables, or by a deterministic symmetric encryption function; in the latter case different maps correspond to different keys.)

Typical queries such as the names and total sales revenue of the ten best-selling products, and the email address of the customer who spent most on these, can then be run on obfuscated data in the cloud. In this case the obfuscation software translates back the answer from the cloud by mapping back the product and customer pseudonyms, and dividing the revenue figure by the secret factor.

The process is illustrated in Figure 2. An enterprise sales rep wants to find the email address of the customer who has spent most on the CoolWidget product. His client runs Privacy Manager software, whose integrity is protected by a Trusted Platform Module. The obfuscation feature of the Privacy Manager obfuscates his query, and sends the result to a cloud-based application for sales force automation, running on the service provider’s hardware. The application consults the obfuscated sales database for the enterprise and sends back an answer. The answer is in obfuscated form: the software de-obfuscates it to reveal the required email address. The answer might be sent with an advertisement targeted by using information from the enterprise account and the services that the enterprise user previously used.

Figure 2: Using a cloud service with obfuscation to find the address of the customer who has spent most on CoolWidgets. (Figure labels: inside the Enterprise boundary, the Privacy Manager receives the query “CoolWidget fan’s email?” and returns the answer joe@example.com; across the Internet, the Cloud Application receives the query “42ilu fan’s email?” and answers “mjm75k”, working on obfuscated data such as mjm75k, 42ilu, jcr7…)

As mentioned in Section 3.2.1, not all applications can operate on input data that has been obfuscated in a non-trivial way, but many useful applications can. The marketing literature for Salesforce.com’s Sales Force Automation suite lists 87 features. We have determined that 80 of these can theoretically be implemented using input data that has been obfuscated in the manner described above. The remaining seven features either use the ability to send mass emailing directly from Salesforce.com – and so require Salesforce.com to have access to unobfuscated customer email lists – or allow the calculation of arbitrary mathematical functions on data elements.

We describe this feature as “obfuscation” rather than “encryption” because the obfuscated data still retains some information about the original data. It may be possible for some types of information about the sales to be obtained by analysis of the obfuscated data. For example, with the obfuscation method just described, by guessing that the most common status will correspond to “purchase” it may be possible to deduce from the obfuscated data what the ratio is of the total purchase values of the most popular and second most popular products. For additional security, more complex obfuscation methods can be chosen; for example the pseudonym corresponding to the status could depend on the customer as well as the actual status value, and fake data entries can be added whose effect on the answer from the cloud will be removed by the obfuscation of queries and de-obfuscation of answers. Nevertheless, even the simple obfuscation method described above ensures that customer email addresses or product names and prices cannot be stolen directly from the service provider’s system, as they are never present in the clear in this system.

Database records that have been obfuscated using different keys cannot be compared directly, so the obfuscation feature has to take key management into account. A way of addressing this issue is for the privacy manager to retain a record of which keys were used during which date ranges, to query database records from a given date range using the appropriate obfuscation key, and to combine the de-obfuscated answers for each relevant date range. For a sales database application most queries are likely to involve only one or at most a small number of date ranges. Provided that keys are not changed very frequently, the amount of state that will need to be kept will be small. Backup copies of this state can be stored so that it is still possible to de-obfuscate past sales data if this state is accidentally deleted.

Useful applications in areas other than sales force automation – such as orchestrating marketing campaigns and assessing their effectiveness – can be obfuscated in a very similar way.

3.3.2 Customized End-User Services
In this scenario, the user sets his preferences as to the treatment of personal data using the Preference setting feature of the privacy manager. For instance, for the service telling him which of his friends are near, he might state a preference for his friends’ contact details not to be used for direct marketing by third parties, while accepting that his own identity and location will be used to target advertisements sent to him with the service. He may use the Persona feature as a simple and intuitive way of selecting one particular set of preferences for the use of data in a given context. For example the user may have one preset persona for communications with friends and another for communications with colleagues, which specify different sets of preferences.
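The sales-database obfuscation of Section 3.3.1, together with the per-date-range key record described there, as an added worked example. This is not the paper's code or the authors' demo: the HMAC-based pseudonym map (the "deterministic symmetric function" option in the text), the class and function names, the two key periods and the sales records are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample sales records: (customer, product, status, price, date).
SALES = [
    ("joe@example.com", "CoolWidget", "purchase", 120.0, date(2009, 1, 15)),
    ("ann@example.com", "CoolWidget", "purchase", 80.0, date(2009, 1, 20)),
    ("joe@example.com", "CoolWidget", "failure", 0.0, date(2009, 2, 3)),
    ("bob@example.com", "Gadget", "purchase", 200.0, date(2009, 2, 10)),
    ("ann@example.com", "CoolWidget", "purchase", 50.0, date(2009, 2, 14)),
    ("joe@example.com", "CoolWidget", "purchase", 40.0, date(2009, 2, 20)),
]


class ObfuscationKey:
    """Client-only secret for one date range: HMAC key, price factor, time shift."""

    def __init__(self, secret: bytes, price_factor: float, time_shift_days: int):
        self.secret = secret
        self.price_factor = price_factor
        self.time_shift = timedelta(days=time_shift_days)

    def pseudonym(self, field: str, value: str) -> str:
        # Deterministic keyed pseudonym: equal values collide under one key and
        # are unrelated under another key, so the cloud cannot join across keys.
        mac = hmac.new(self.secret, f"{field}:{value}".encode(), hashlib.sha256)
        return mac.hexdigest()[:10]


def cloud_revenue_by_customer(db, product_p, status_p, start, end):
    """Cloud side (assumed application): sums prices per customer, seeing only
    pseudonyms, scaled prices and shifted dates."""
    result = defaultdict(float)
    for cust_p, prod_p, stat_p, price, day in db:
        if prod_p == product_p and stat_p == status_p and start <= day <= end:
            result[cust_p] += price
    return dict(result)


class PrivacyManager:
    """Client side: obfuscates records, remembers which key covered which
    date range, and de-obfuscates the answers that come back."""

    def __init__(self):
        self._keys = []     # (start_date, ObfuscationKey), sorted by start
        self._reverse = {}  # association table: pseudonym -> clear value

    def add_key(self, start: date, key: ObfuscationKey):
        self._keys.append((start, key))
        self._keys.sort(key=lambda item: item[0])

    def key_for(self, day: date) -> ObfuscationKey:
        covering = [key for start, key in self._keys if start <= day]
        if not covering:
            raise ValueError(f"no obfuscation key covers {day}")
        return covering[-1]

    def obfuscate_records(self, records):
        def pseud(key, field, value):
            p = key.pseudonym(field, value)
            self._reverse[p] = value  # remember how to map the answer back
            return p
        out = []
        for customer, product, status, price, day in records:
            key = self.key_for(day)
            out.append((pseud(key, "customer", customer), pseud(key, "product", product),
                        pseud(key, "status", status), price * key.price_factor,
                        day + key.time_shift))
        return out

    def revenue_by_customer(self, cloud_db, product, start, end):
        """Purchase revenue per customer for `product` in [start, end]: one
        obfuscated sub-query per key date range, answers combined locally."""
        totals = defaultdict(float)
        for i, (range_start, key) in enumerate(self._keys):
            range_end = self._keys[i + 1][0] - timedelta(days=1) if i + 1 < len(self._keys) else end
            lo, hi = max(start, range_start), min(end, range_end)
            if lo > hi:
                continue  # this key's date range does not overlap the query
            answer = cloud_revenue_by_customer(
                cloud_db, key.pseudonym("product", product), key.pseudonym("status", "purchase"),
                lo + key.time_shift, hi + key.time_shift)
            for cust_p, obf_sum in answer.items():
                totals[self._reverse[cust_p]] += obf_sum / key.price_factor
        return dict(totals)


def run_demo():
    """Two key periods (January and February 2009). Returns the cloud-side
    database, full-year CoolWidget totals and January-only totals."""
    pm = PrivacyManager()
    pm.add_key(date(2009, 1, 1), ObfuscationKey(b"jan-secret", 3.0, 17))
    pm.add_key(date(2009, 2, 1), ObfuscationKey(b"feb-secret", 7.0, 42))
    cloud_db = pm.obfuscate_records(SALES)
    year = pm.revenue_by_customer(cloud_db, "CoolWidget", date(2009, 1, 1), date(2009, 12, 31))
    january = pm.revenue_by_customer(cloud_db, "CoolWidget", date(2009, 1, 1), date(2009, 1, 31))
    return cloud_db, year, january
```

The cloud-side database holds only hex pseudonyms, scaled prices and shifted dates, so the customer email addresses, product names and prices never appear in the clear there. Rotating the key in February gives January and February records unrelated pseudonyms, which is exactly why the client must split a query that spans both periods into one sub-query per key range and only combine the sums after de-obfuscating each with the matching factor.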
The Privacy Manager can use this preference information to determine the appropriate degree of obfuscation to be carried out on the data. This helps balance privacy protection against the user’s desire for customized services.

The user’s preferences are sent by the Privacy Manager on the client to a service-side component which governs enforcement of the policies. The service-side component ensures that these preferences remain attached to any personal information stored, used and shared in the cloud, and follow that data if it were transferred or propagated, preventing it being used in any way that is not compatible with that policy and thereby ensuring that the user has control over the usage of his data.

In some cases it may be that the service cannot be provided according to the user’s stated preferences. In that case, a service-side component communicates with the Feedback module of the Privacy Manager, which consults the user to notify him and find out the action he wishes to take.

Once the user has released data into the cloud, there are two ways in which he may learn of the ways that his data is being used. One is that the service-side Feedback component may contact the Feedback module of the Privacy Manager and notify him of data use, without him having to actively request this. The other is that he uses the Data Access module of the Privacy Manager to request access to his data (for example, to check the accuracy of data stored about him). The Data Access module communicates with yet another service-side component that is responsible for ensuring compliance with legal requirements of data access.

3.3.3 Share Portfolio Calculation
For this scenario it is possible to use obfuscation to protect information about the user’s share ownership from being misused. The client does not communicate the user’s portfolio directly to the application. Instead, it constructs two different portfolios such that the true portfolio is some linear combination of these. (The coefficients of the linear equation relating the portfolios act as the user’s obfuscation/deobfuscation key, and are not revealed to the service provider.) The client sends the two portfolios to the application separately, as the obfuscated input data. When the user wishes to know the current value of his portfolio, the client sends a request for the current value of each of the two portfolios in the obfuscated data. It then combines the two answers from the cloud using the linear equation to obtain the current value of the user’s portfolio.

The unobfuscated data describing the user’s true portfolio is never present in the service provider’s system (or anywhere else in the cloud), so it cannot leak from this system, even if the service provider is malicious.

Notice that for this scenario our solution does not require the service provider to make any changes to the application, or to provide any additional services (such as the service-side parts of data access and feedback). Exactly the same application can be used for obfuscated and unobfuscated input data. Indeed, the service provider may be unaware that a pair of portfolios is the obfuscated portfolio of a single customer rather than the unobfuscated portfolios of two different customers.

3.3.4 Assessment of our Approach
In this section we trace the requirements given in Subsection 2.4 to the architecture proposed above. The following solutions at least partially address these requirements R1-R5:
• Data minimization is provided via the obfuscation feature (addressing R1)
• We assume that access control, etc. will be deployed on the services side in order to protect any data stored within the cloud (addressing R2)
• Purpose limitation (R3) is addressed by the preference setting feature and its service-side component.
• Our architecture has a user-centric design (R4). In particular, the preference-setting feature allows the user greater control over the usage of his data, and the personae feature makes this more intuitive.
• Feedback (R5) is provided via the feedback and data access features.

3.4 Discussion: When Our Solution is Not Suitable
Our solution is not suitable for all cloud applications. Theoretically, a user with data x and a service provider with data y could use Yao’s protocol for secure two-party computation [22] to enable the user to learn f(x,y) without the service provider learning x or the user learning y, where f is any polynomial-time functionality. So theoretically any polynomial-time application could be calculated in a fully obfuscated fashion, if the service provider were willing to implement the application using Yao’s protocol. However, the implementation of Yao’s protocol on a large data set x in general may require the user to have a rather large amount of storage and computation power. (The obfuscation methods described in this paper require much less computation and storage by the user than Yao’s protocol would need to compute the same results for a large data set.) For users with limited computing resources there is thus a tradeoff between the extent to which data is obfuscated and the set of applications that can effectively be used, even when the service provider gives full cooperation. Nevertheless, if the service provider cooperates then the other features of our solutions can still be used.

The picture is different if the service provider does not provide full cooperation. Some cloud service providers that base their business models on the sale of user data to advertisers (or other third parties) may not be willing to allow the user to use their applications in a way that preserves his privacy. Other providers may be willing to respect users’ privacy wishes, but not to implement the service-side code that is necessary for some of the privacy manager’s features. Yet other service providers may claim to cooperate, but not be trustworthy. In these cases, the features of our solution other than obfuscation will not be effective, since they require the honest cooperation of the service provider.

There is still a possibility that in these cases a user may be able to use obfuscation to protect the privacy of his data. However, the ability to use obfuscation without any cooperation from the service provider depends not only on the user having sufficient computing resources to carry out the obfuscation and de-obfuscation, but also on the application having been implemented in such a way that it will work with obfuscation. For example, a
service that is customized with a map showing the area around a US user’s zip code might theoretically be implemented in a way that would allow a user to obtain the correct customized result without revealing his zip code to the service provider. But a common method of implementing this type of service is to pass the input zip code directly to a map server, and mash up the map with the result from the rest of the service. With such an implementation it is difficult for the user to obtain the correct result without revealing the correct zip code to the application. As a more general example, for some applications it may be difficult to discover the set of input values that are treated as valid by the application. Without some knowledge of the set of valid inputs, it is not possible to design an obfuscation function such that the obfuscated input data is still valid input.

Despite this, based on our analysis of SalesForce’s service offerings, we believe that many existing cloud services can be used in an obfuscated fashion without any cooperation from the service provider.

4. OTHER APPROACHES AND RELATED WORK
Some companies obfuscate data by hand, in an ad-hoc fashion, before sending the obfuscated data to the cloud for processing. A large pharmaceutical company has complained that this is a major bottleneck for expanded use of cloud computing [12].

One approach to the problem focuses on security of sensitive or personal data once it is in the cloud, for example ensuring separation of different customers’ data, encrypting data in transit but allowing applications to decrypt it, and checking virtual machine security. This approach is necessary to protect sensitive data items that cannot be obfuscated, but it does not address some of the legal issues. Moreover ensuring security within a large complex cloud system is a hard technical problem. Where sensitive data items can be obfuscated, it is safer for the customer to obfuscate them, so that they are never present in the cloud in the clear, and the customer does not have to rely on the service provider’s security controls.

Some storage-as-a-service providers, such as JungleDisk, Amazon S3 and Mozy, encrypt data files with a key stored only on the user’s machine. Storage-as-a-service with no personalization can use data files encrypted in such a way that no-one but the user can decrypt them (in particular, cloud applications cannot decrypt them). However, cloud services which process or use some items of the data cannot use such encrypted files as input. Some such cloud services could use as input databases that had been obfuscated using Voltage’s Format-Preserving Encryption [20]. This encrypts specific data fields while retaining the format of data records, and preserving referential integrity. Similarly, TC3 Health Inc.’s HIPAA-compliant software pseudonymizes sensitive items before processing data using cloud computing [1]. However, it appears that cloud services which calculate the sum of several data entries cannot use data encrypted using these methods as input. Hence these methods are not sufficient to deal with, for example, the database queries described in Section 3.4.1.

Related obfuscation techniques have been used within other domains: for example, within intrusion detection, two research prototypes encrypt parts of the log that relate to personal information: firstly, in the IDA (Intrusion Detection and Avoidance) prototype [19], that pseudonymises the subject fields within audit records by encryption. Secondly, the AID (Adaptive Intrusion Detection) system [6] uses encryption by a secret (shared) key for the pseudonymisation process; this key is changed from time to time; the usage of public key encryption was also examined. Some special pseudonyms may be defined for groups where the identity of a single member can only be revealed by cooperation of a certain number of group members. One example would be where the key for decryption could be split into two halves, which are given to the security administrator and the data protection officer.

Furthermore, Pinkas and Lindell [10] introduced the idea of privacy-preserving data mining in which two parties owning confidential data cooperate to efficiently obtain the result of a function which depends on both sets of data, in such a way that the only information that either learns is what can be deduced from the result of the function. This work builds on Yao’s protocol [22], and there is a body of research on this problem – see [11] for a bibliography. A consumer and provider of a cloud service who agree to use one of the protocols for privacy preserving data mining might be able to ensure that no more information is transferred from the customer to the provider than the minimum necessary for the service. However, these protocols assume that both parties have sufficient computing power to operate the protocol, which may require the storage and processing of a large amount of data. The common business scenario for cloud computing is that the consumer of the service has only limited computing power available in-house, and almost all the computing power necessary for the service is provided by the service provider.

Proxy systems, such as the now defunct anonymizer.com, re-package Web surfing requests to disguise their origin. However they do not alter data entered on the Web page. A proxy system could be used in conjunction with data obfuscation for users who wish to keep their identity as well as their data confidential.

Some products perform deep content inspection on network traffic and detect or filter based on policies and linguistic analysis [16]. However, they are designed to block communications that contain sensitive data, to encrypt at the file level and do not turn an output containing obfuscated data back into the original.

The Privacy Manager features described in 3.2.2-3.2.5 build upon similar approaches used in client-server and Peer to Peer (P2P) systems [6, 9]. In particular:
• The preference setting feature is similar to privacy management tools that enable inspection of service-side policies about the handling of personal data (for example, software that allows browsers to automatically detect the privacy policy of websites and compare it to the preferences expressed by the user, highlighting any clashes [21])
• The feedback feature can use a range of HCI techniques for improving notice [14], and could also play a role in pseudonymous audit [19].
• The data access feature is similar to secure online access mechanisms to enable individuals to check and update the accuracy of their personal data [17]
http://dx.doi.org/10.4108/ICST.COMSWARE2009.6493 • The personae feature could offer an anonymous As a next step we are investigating other ways of enhancing persona, by means of using network anonymity privacy in cloud computing, in particular to ensure the provision techniques and providing pseudonymisation tools that of relevant notice, choice, legitimacy and purpose limitation. allow individuals to withhold their true identity from the These include use of privacy infomediaries and enforceable cloud, and only reveal it when absolutely necessary [6, ‘sticky’ electronic privacy policies. These may be combined with, 9, 15]. Existent technologies include anonymous web or used independently of, the solution described above. Notably, browsers, pseudonymous email and pseudonymous the client software above could be extended to manage personal payment. The mechanisms may be designed for privacy controls that are enforced within the cloud. Specifically, complete anonymity, or else pseudonymity (i.e. we plan to investigate how consent and revocation of consent can anonymity that is reversible if needed, for example in be provided within cloud computing environments, as part of case of fraud). research carried out within EnCoRe (Ensuring Consent and Revocation) – a UK project examining solutions in the area of consent and revocation with respect to personal information [5]. 5. CURRENT STATUS This is work in progress. We have implemented a proof-of- concept demo of the obfuscation feature of the privacy manager in 6. ACKNOWLEDGEMENTS the first scenario. It implements the more complex obfuscation Thanks to Rob Whitmore for technical assistance, and to the methods described in Section 3.4.1. Figure 3 is part of a anonymous referees for their useful comments on an earlier draft screenshot from this demo. This demo shows that obfuscation of this paper. works for an application which performs some processing on the input data.
Figure 3: User interface for Privacy Manager sales database
7. REFERENCES

[1] Amazon Web Services LLC. 2009. Case Studies: TC3 Health. Web page. http://aws.amazon.com/solutions/case-studies/tc3-health/
[2] Boneh, D. and Franklin, M. 2001. Identity-based Encryption from the Weil Pairing. In Advances in Cryptology – CRYPTO 2001, G. Goos, J. Hartmanis and J. van Leeuwen, Eds. Springer LNCS Series 2139. Springer, Berlin / Heidelberg, 213-229. DOI= http://dx.doi.org/10.1007/3-540-44647-8_13
[3] Casassa Mont, M., Pearson, S. and Bramhall, P. 2003. Towards Accountable Management of Identity and Privacy: Sticky Policies and Enforceable Tracing Services. In Proceedings of the IEEE Workshop on Data and Expert Systems Applications (Prague, Czech Republic, September 1–5, 2003). DEXA’03. IEEE Computer Society, Washington DC, USA, 377-382. DOI= http://dx.doi.org/10.1109/DEXA.2003.1232051
[4] Casassa Mont, M. and Thyne, R. 2006. A Systemic Approach to Automate Privacy Policy Enforcement in Enterprises. In Proceedings of the 6th Workshop on Privacy Enhancing Technologies (Cambridge, UK, June 28–30, 2006). PET’06. Springer LNCS series 4258, Springer Berlin / Heidelberg, 118-134. DOI= http://dx.doi.org/10.1007/11957454_7
[5] EnCoRe. EnCoRe: Ensuring Consent and Revocation. Project web site. http://www.encore-project.info
[6] Fischer-Hübner, S. 2001. IT-Security and Privacy: Design and Use of Privacy-Enhancing Security Mechanisms. Springer LNCS series 1958, Springer Berlin / Heidelberg. DOI= http://dx.doi.org/10.1007/3-540-45150-1
[7] Greenberg, A. 2008. Cloud Computing’s Stormy Side. Forbes Magazine (19 Feb 2008).
[8] Horrigan, J.B. 2008. Use of cloud computing applications and services. Pew Internet & American Life project memo (Sept 2008).
[9] Information Commissioner’s Office, UK. 2007. Privacy enhancing technologies (PETs). Data protection guidance note (29 March 2007).
[10] Lindell, Y. and Pinkas, B. 2008. Privacy Preserving Data Mining. J. Cryptology 15 (3) (2002), 151-222. DOI= http://dx.doi.org/10.1007/s00145-001-0019-2
[11] Liu, K. 2006. Privacy Preserving Data Mining Bibliography. Web site. http://www.cs.umbc.edu/~kunliu1/research/privacy_review.html
[12] Mather, T. 2008. More Cloud Computing. RSA Conference 365 blog (26 Sept 2008). https://365.rsaconference.com/blogs/tim_mather/2008/09/26/more-cloud-computing
[13] Organization for Economic Co-operation and Development (OECD). 1980. Guidelines Governing the Protection of Privacy and Transborder Flow of Personal Data (1980). OECD, Geneva.
[14] Patrick, A. and Kenny, S. 2003. From Privacy Legislation to Interface Design: Implementing Information Privacy. In Human-Computer Interactions, R. Dingledine (ed.), PET 2003, LNCS 2760, Springer-Verlag Berlin, pp. 107-124.
[15] PRIME, Privacy and Identity Management for Europe. 2008. Project web page. https://www.prime-project.eu/
[16] RSA Security. 2008. Data Loss Prevention (DLP) Suite. Web page. http://www.rsa.com/node.aspx?id=3426
[17] Salesforce.com, Inc. 2000-2009. Sales Force Automation. Web page. http://www.salesforce.com/products/sales-force-automation/
[18] Salmon, J. 2008. Clouded in uncertainty – the legal pitfalls of cloud computing. Computing magazine (24 Sept 2008). http://www.computing.co.uk/computing/features/2226701/clouded-uncertainty-4229153
[19] Sobirey, M., Fischer-Hübner, S. and Rannenberg, K. 1997. Pseudonymous Audit for Privacy Enhanced Intrusion Detection. Elsevier Computers and Security 16 (3), p. 207. DOI= http://dx.doi.org/10.1016/S0167-4048(97)84519-1
[20] Voltage Security. 2009. Format-Preserving Encryption. Web page. http://www.voltage.com/technology/Technology_FormatPreservingEncryption.htm
[21] World Wide Web Consortium (W3C). Platform for Privacy Preferences (P3P) Project web site. http://www.w3.org/P3P
[22] Yao, A. C. 1986. How to Generate and Exchange Secrets. Proceedings of the 27th Symposium on Foundations of Computer Science (FoCS), IEEE, pp. 162-167.