Sunday, March 25, 2018

A solution for Facebook Misused Applications

Recently, Cambridge Analytica, a data analytics company, collected data from more than 50 million Facebook accounts without user consent. When we read about this incident, we may ask ourselves whether it is safe to put our personal data on Facebook, or on the Cloud in general. How can we control our data after we have uploaded them to iCloud? At the University of Darmstadt and the University of Plymouth, we have been investigating this kind of incident and researching a solution for 3 years. This post gives some details.


Figure 1: Facebook misused applications

Whose fault was it?


The story began with an application developed by Aleksandr Kogan from the University of Cambridge. His application collected personal data from the participants in a personality test. The participants agreed to have their data collected for academic use. However, their "friend" connections on Facebook were also available to the application. As a result, the application had access to 50 million accounts. In the end, Kogan sold this data on to the company Cambridge Analytica (Figure 1).

To understand who was at fault, we first give an overview of the EU Data Protection Directive:

EU Data Protection Directive


In short, when a service provider (or an application) collects personal data, it has to state clearly to the users for which purposes their data will be used. The data may then be used only for those purposes. After the purposes are fulfilled, the service has to delete the data. In Figure 2, a user Bob submits his "address" to "purchase" a product in Germany. A shopping application can use his data to deliver the package, but a "marketing" application is not allowed to. After delivering the product, the service must delete Bob's data.


Figure 2: An example of EU Data Protection Directive

The EU General Data Protection Regulation (GDPR)


The Data Protection Directive has existed since 1995. However, the EU Commission let each member state interpret and implement the directive differently. In May 2018, the directive will be updated for the first time; it is now a regulation, not a directive anymore. In the following, we name some interesting differences:

Previously, a service provider did not need to protect a phone number without an associated name or address. Now, if the service provider stores a phone number from a user, it must protect this information as well.
A service provider must report data breaches within 72 hours to a supervisory authority and to the user. In the EU, we now have one supervisory authority that controls data breaches across the entire union.
An organisation has to pay 4% of its global turnover or 20 million EUR if user data is breached.
Any company that sells or receives data from EU citizens will be affected.
Any company that stores data of EU citizens outside the EU or transfers it to another country will be affected.

Are we ready?

The regulation will take effect in May this year. The question is whether companies in the EU have any implementations that are compliant with the GDPR. Unfortunately not. How can they deal with this upcoming regulation?

In our Facebook example, Kogan gained access to the Facebook data in a legitimate way (i.e., for the "research" purpose) and through the proper channels (i.e., users accepted it). But Kogan forwarded it to a different company, which used the data for a different purpose (i.e., commercial "analysis"). Also, Kogan did not delete the data after the purpose was fulfilled, as the law requires.

In Figure 3, after we allow an application to access our data, we lose control. It means we cannot ensure that our data will be used correctly, or that the application will not forward our data to another company without our consent. In short, the traditional authorization systems used so far (based on roles or on explicitly approving an application) are not enough.


Figure 3: We lose control of our data to an application on Facebook after we click "OKAY"

Solution


At the university, we have developed a trusted Identity Provider that supports mobile users in encrypting their data with a disclosure policy. The encryption is based on "purpose", "time", "domain", and "country".

For example: a user Bob uses Kogan's research application (i.e., "research" is a purpose condition). Bob wants to make sure that an administrator of Kogan's application cannot read his data on the server. Also, Kogan cannot forward Bob's data further to a partner company in China (i.e., "europe" is a country condition). If Kogan forwards Bob's data to Cambridge Analytica for commercial "analysis", Facebook will be aware of the new purpose. After 2 months, Kogan's application cannot decrypt Bob's data anymore (i.e., limited access time is a condition). As a result, Facebook does not need to tell Kogan: "please do delete user data!".

In the example, our service makes sure that Bob's data, which is collected for the "research" purpose and hosted within "europe", cannot be decrypted for the "analysis" purpose, outside this union, or after 2 months. In short, this is an implementation that is completely compliant with the EU Data Protection Directive. We may deliver a plugin that any mobile user, company or government can install to use this service on demand.
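The disclosure policy from Bob's example, as an added illustration that is not the authors' prototype: a hypothetical trusted identity provider encrypts Bob's record, binds the policy (purpose, domain, allowed countries, expiry) to the ciphertext with an HMAC so it cannot be rewritten, and only decrypts when the requester's purpose, domain, country and current time all satisfy it. The cipher is a toy SHA-256 keystream, and every name, country code and date here is constructed.

```python
import hashlib, hmac, json, os
from datetime import datetime

class PolicyViolation(Exception): pass  # requester's context fails the disclosure policy

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy SHA-256 counter-mode keystream; a deployed system would use a real AEAD cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

class IdentityProvider:
    """Hypothetical trusted IdP: holds the master key and enforces the policy on every decrypt."""
    def __init__(self):
        self._master = os.urandom(32)

    def encrypt(self, data: bytes, policy: dict) -> dict:
        nonce = os.urandom(16)
        dk = hmac.new(self._master, nonce, hashlib.sha256).digest()   # per-record data key
        ct = bytes(a ^ b for a, b in zip(data, _keystream(dk, nonce, len(data))))
        pj = json.dumps(policy, sort_keys=True).encode()
        tag = hmac.new(dk, pj + nonce + ct, hashlib.sha256).digest()  # binds policy to ciphertext
        return {"nonce": nonce.hex(), "policy": policy, "ct": ct.hex(), "tag": tag.hex()}

    def decrypt(self, env: dict, purpose: str, domain: str, country: str, now: datetime) -> bytes:
        nonce, ct = bytes.fromhex(env["nonce"]), bytes.fromhex(env["ct"])
        dk = hmac.new(self._master, nonce, hashlib.sha256).digest()
        pj = json.dumps(env["policy"], sort_keys=True).encode()
        tag = hmac.new(dk, pj + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, bytes.fromhex(env["tag"])):
            raise PolicyViolation("policy or ciphertext was tampered with")
        p = env["policy"]
        if purpose != p["purpose"]:
            raise PolicyViolation(f"purpose {purpose!r} differs from consented {p['purpose']!r}")
        if domain != p["domain"]:
            raise PolicyViolation(f"domain {domain!r} is not the consented application")
        if country not in p["countries"]:
            raise PolicyViolation(f"country {country!r} is outside the allowed region")
        if now > datetime.fromisoformat(p["not_after"]):
            raise PolicyViolation("access window expired; data is unreadable without a deletion request")
        return bytes(a ^ b for a, b in zip(ct, _keystream(dk, nonce, len(ct))))

def try_decrypt(idp: IdentityProvider, env: dict, **ctx):
    """Plaintext on success, None when the policy denies access (handy for callers and tests)."""
    try:
        return idp.decrypt(env, **ctx)
    except PolicyViolation:
        return None
```

A forwarded copy of the envelope is useless to Cambridge Analytica because the IdP refuses the "analysis" purpose, a non-European country, or any edit to the embedded policy, and after the expiry date nobody can decrypt it at all.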

We have a working prototype and expect to complete it at the end of this year.

For more information, please read our publication in IEEE or contact me.
Reference: https://www.researchgate.net/publication/323869635_Privacy-preserving_user_identity_in_Identity-as-a-Service
