13 results for Information privacy law

at Université de Lausanne, Switzerland


Relevance:

90.00%

Publisher:

Abstract:

Digitalization gives the Internet power by allowing several virtual representations of reality, including that of identity. We leave an increasingly digital footprint in cyberspace and this situation puts our identity at high risk. Privacy is a right and fundamental social value that could play a key role as a medium to secure digital identities. Identity functionality is increasingly delivered as sets of services, rather than monolithic applications. So, an identity layer in which identity and privacy management services are loosely coupled, publicly hosted and available to on-demand calls could be more realistic and an acceptable situation. Identity and privacy should be interoperable and distributed through the adoption of service-orientation and implementation based on open standards (technical interoperability). The objective of this project is to provide a way to implement interoperable user-centric digital identity-related privacy to respond to the need of the distributed nature of federated identity systems. It is recognized that technical initiatives, emerging standards and protocols are not enough to guarantee resolution for the concerns surrounding a multi-faceted and complex issue of identity and privacy. For this reason they should be apprehended within a global perspective through an integrated and multidisciplinary approach. The approach dictates that privacy law, policies, regulations and technologies are to be crafted together from the start, rather than attaching them to digital identity after the fact. Thus, we draw Digital Identity-Related Privacy (DigIdeRP) requirements from global, domestic and business-specific privacy policies. The requirements take the shape of business interoperability.
We suggest a layered implementation framework (DigIdeRP framework) in accordance with the model-driven architecture (MDA) approach that would help organizations' security teams to turn business interoperability into technical interoperability in the form of a set of services that could accommodate Service-Oriented Architecture (SOA): a Privacy-as-a-set-of-services (PaaSS) system. The DigIdeRP framework will serve as a basis for vital understanding between business management and technical managers on digital identity-related privacy initiatives. The layered DigIdeRP framework presents five practical layers as an ordered sequence as a basis of the DigIdeRP project roadmap; however, in practice, there is an iterative process to assure that each layer effectively supports and enforces the requirements of the adjacent ones. Each layer is composed of a set of blocks, which determine a roadmap that the security team could follow to successfully implement PaaSS. Several blocks' descriptions are based on the OMG SoaML modeling language and BPMN process descriptions. We identified, designed and implemented seven services that form PaaSS and described their consumption. PaaSS Java (JEE project), WSDL, and XSD codes are given and explained.

Relevance:

30.00%

Publisher:

Abstract:

Access to information legislation is now present in over 50 countries world-wide. Lagging behind some of its own Cantons, the Swiss Federal government was until recently one of the few holdouts in Europe. But, in December 2004, the Confederation voted the 'Loi sur la Transparence de l'administration', or Law on Transparency (LTrans), a law that came into effect in July 2006. This paper presents an overview of the new Law and underlines the main institutional challenges to its introduction in Switzerland.

Relevance:

30.00%

Publisher:

Abstract:

Despite the tremendous amount of data collected in the field of ambulatory care, political authorities still lack synthetic indicators to provide them with a global view of health services utilization and costs related to various types of diseases. Moreover, public health indicators fail to provide useful information for physicians' accountability purposes. The approach is based on the Swiss context, which is characterized by the greatest frequency of medical visits in Europe, the highest rate of growth for care expenditure, poor public information but a lot of structured data (new fee system introduced in 2004). The proposed conceptual framework is universal and based on descriptors of six entities: general population, people with poor health, patients, services, resources and effects. We show that most conceptual shortcomings can be overcome and that the proposed indicators can be achieved without threatening privacy protection, using modern cryptographic techniques. Twelve indicators are suggested for the surveillance of the ambulatory care system, almost all based on routinely available data: morbidity, accessibility, relevancy, adequacy, productivity, efficacy (from the points of view of the population, people with poor health, and patients), effectiveness, efficiency, health services coverage and financing. The additional costs of this surveillance system should not exceed Euro 2 million per year (Euro 0.3 per capita).

Relevance:

30.00%

Publisher:

Abstract:

While mobile technologies can provide great personalized services for mobile users, they also threaten their privacy. Such a personalization-privacy paradox is particularly salient for context-aware-technology-based mobile applications where users' behaviors, movement and habits can be associated with a consumer's personal identity. In this thesis, I studied the privacy issues in the mobile context, particularly focusing on an adaptive privacy management system design for context-aware mobile devices, and explored the role of personalization and control over users' personal data. This allowed me to make multiple contributions, both theoretical and practical. In the theoretical world, I propose and prototype an adaptive Single Sign-On solution that uses the user's context information to protect the user's private information for smartphones. To validate this solution, I first proved that a user's context is a unique user identifier and that context awareness technology can increase users' perceived ease of use of the system and service providers' authentication security. I then followed a design science research paradigm and implemented this solution in a mobile application called "Privacy Manager". I evaluated the utility through several focus group interviews, and overall the proposed solution fulfilled the expected function and users expressed their intentions to use this application. To better understand the personalization-privacy paradox, I built on the theoretical foundations of privacy calculus and the technology acceptance model to conceptualize the theory of users' mobile privacy management. I also examined the role of personalization and control ability in my model and how these two elements interact with privacy calculus and the mobile technology model. In the practical realm, this thesis contributes to the understanding of the tradeoff between the benefit of personalized services and the user privacy concerns they may cause.
By pointing out new opportunities to rethink how user's context information can protect private data, it also suggests new elements for privacy related business models.

Relevance:

30.00%

Publisher:

Abstract:

OBJECTIVE: When potentially dangerous patients reveal criminal fantasies to their therapists, the latter must decide whether this information has to be transmitted to a third person in order to protect potential victims. We were interested in how medical and legal professionals handle such situations in the context of prison medicine and forensic evaluations. We aimed to explore the motives behind their actions and to compare these professional groups. METHOD: A mail survey was conducted among medical and legal professionals using five fictitious case vignettes. For each vignette, participants were asked to answer questions exploring what the professional should do in the situation and to explain their justification for the chosen response. RESULTS: A total of 147 questionnaires were analysed. Agreement between participants varied from one scenario to another. Overall, legal professionals tended to disclose information to a third party more easily than medical professionals, the latter tending to privilege confidentiality and patient autonomy over security. Perception of potential danger in a given situation was not consistently associated with actions. CONCLUSION: Professionals' opinions and attitudes regarding the confidentiality of potentially dangerous patients differ widely and appear to be subjectively determined. Shared discussions about clinical situations could enhance knowledge and competencies and reduce differences between professional groups.

Relevance:

30.00%

Publisher:

Abstract:

A population register is an inventory of residents within a country, with their characteristics (date of birth, sex, marital status, etc.) and other socio-economic data, such as occupation or education. However, data on population are also stored in numerous other public registers such as tax, land, building and housing, military, foreigners, vehicles, etc. Altogether they contain vast amounts of personal and sensitive information. Access to public information is granted by law in many countries, but this transparency is generally subject to tensions with data protection laws. This paper proposes a framework to analyze data access (or protection) requirements, as well as a model of metadata for data exchange.

Relevance:

30.00%

Publisher:

Abstract:

Technological developments in the information society bring new challenges, both to the applicability and to the enforceability of the law. One major challenge is posed by new entities such as pseudonyms, avatars, and software agents that operate at an increasing distance from the physical persons "behind" them (the "principal"). In case of accidents or misbehavior, current laws require that the physical or legal principal behind the entity be found so that she can be held to account. This may be problematic if the linkability of the principal and the operating entity is questionable. In light of the ongoing developments in electronic agents, there is sufficient reason to conduct a review of the literature in order to more closely examine arguments for and against legal personhood for some nonhuman acting entities. This article also includes a discussion of alternative approaches to solving the "accountability gap."

Relevance:

30.00%

Publisher:

Abstract:

This thesis examines how oversight bodies, as part of an ATI policy, contribute to the achievement of the policy's objectives. The aim of the thesis is to see how oversight bodies and the work they do affect the implementation of their respective ATI policies and thereby contribute to the objectives of those policies using a comparative case study approach. The thesis investigates how federal/central government level information commissioners in four jurisdictions - Germany, India, Scotland, and Switzerland - enforce their respective ATI policies, which tasks they carry out in addition to their enforcement duties, the challenges they face in their work and the ways they overcome these. Qualitative data were gathered from primary and secondary documents as well as in 37 semi-structured interviews with staff of the commissioners' offices, administrative officials whose job entails complying with ATI, people who have made ATI requests and appealed to their respective oversight body, and external experts who have studied ATI implementation in their particular jurisdiction. The thesis finds that while the aspect of an oversight body's formal independence that has the greatest impact on its work is resource control and that although the powers granted by law set the framework for ensuring that the administration is properly complying with the policy, the commissioner's leadership style - a component of informal independence - has more influence than formal attributes of independence in setting out how resources are obtained and used as well as how staff set priorities and utilize the powers they are granted by law. The conclusion, therefore, is that an ATI oversight body's ability to contribute to the achievement of the policy's objectives is a function of three main factors: a. commissioner's leadership style; b. adequacy of resources and degree of control the organization has over them; c. powers and the exercise of discretion in using them.
In effect, the thesis argues that it is difficult to pinpoint the value of the formal powers set out for the oversight body in the ATI law, and that their decisions on whether and how to use them are more important than the presumed strength of the powers. It also claims that the choices made by the commissioners and their staff regarding priorities and use of powers are determined to a large extent by the adequacy of resources and the degree of control the organization has over those resources. In turn, how the head of the organization leads and manages the oversight body is crucial to both the adequacy of the organization's resources and the decisions made about the use of powers. Together, these three factors have a significant impact on the body's effectiveness in contributing to ATI objectives.

Relevance:

30.00%

Publisher:

Abstract:

The progress in prenatal medicine raises complex questions with respect to the physician-patient relationship. The physician needs to reconcile medical aspects, ethical principles as well as judicial norms. Already, during the first trimester, the physician has to put into practice the schedule combining for each individual pregnancy physical, laboratory and other appropriate exams. Physicians are under the obligation to inform in a clear and comprehensive way without creating unnecessary anxiety for their patients. Legal requirements include informed consent, the respect for the patient's right to self-determination, and compliance with the Swiss federal law on genetic testing, especially with its articles on prenatal screening and diagnosis. This article discusses the complexity of obstetrical practice when it comes to delivering adequate information within the scope of ethical and legal requirements in Switzerland.

Developments in prenatal medicine raise complex issues in the physician-patient relationship. Medical aspects, ethical principles and legal norms must all be reconciled. From the first trimester of pregnancy, the physician must set out the framework for follow-up and the appropriate examinations for each pregnancy. The physician's duty is to inform clearly and precisely without causing unnecessary worry, while respecting the legal requirement of informed consent and, more broadly, the patient's right to self-determination, as well as the framework of the Swiss federal law on human genetic testing in the field of prenatal screening and diagnosis. This article discusses the complexity of the information and of the application of ethical and legal principles in obstetrical practice in Switzerland.

Relevance:

30.00%

Publisher:

Abstract:

Data protection is an essential element of a state governed by the rule of law and of a democratic society, because it grants every individual the right to control what belongs to their private sphere. In Switzerland, the Federal Act on Data Protection (LPD) has been in force since 1993. In 2010, the Federal Office of Justice supervised an evaluation of its effectiveness: the result was that its effectiveness was demonstrated, but will tend to decline sharply in the years to come. The main causes are the evolution of technologies, characterized in particular by the development of ever more varied and substantial means of data processing, and individuals' lack of information about data protection in general and about their rights. Following the evaluation, five revision objectives were formulated by the Federal Council, including that of integrating privacy by design, or "protection of privacy from the design stage", into the law. This concept, which is also taken up in ongoing European work, was originally developed by the Information and Privacy Commissioner of Ontario (Canada), Ann Cavoukian. The general principle of privacy by design is that privacy protection must be built into data-processing systems when they are designed. Often cited as an ideal solution that addresses the problem of the law's inadequacy through the logic of prevention it promotes, privacy by design nevertheless remains an aspiration whose application has been little analyzed. This work seeks precisely to answer the question of how to implement it in Swiss legislation.
Drawing on legal texts and doctrine and on literature in the fields of economics, computer science, politics and the sociology of personal data, it first offers a general review of the principles and definitions of the key concepts of data protection in Switzerland and in the international context. It then proposes two possibilities for integrating privacy by design: the first is a non-binding private solution that consists of promoting the concept and ensuring that data controllers decide for themselves to integrate privacy by design into their projects; this approach is made possible by strengthening the certification process already under way. The second option is a binding solution aimed at integrating the principle directly into the law and taking the measures needed to make it effective; this work shows that developing the role of the data protection advisor makes it possible to achieve this objective. Finally, general considerations on the application of the principle are addressed, such as the influence of ongoing developments in the European Union on Switzerland with regard to data protection and the limit posed by the principle of territoriality.

Relevance:

30.00%

Publisher:

Abstract:

Evidence collected from smartphone users shows a growing desire for personalization offered by services for mobile devices. However, the need to accurately identify users' contexts has important implications for users' privacy and it increases the amount of trust that users are requested to have in the service providers. In this paper, we introduce a model that describes the role of personalization and control in users' assessment of the costs and benefits associated with the disclosure of private information. We present an instantiation of such a model, a context-aware application for smartphones based on the Android operating system, in which users' private information is protected. Focus group interviews were conducted to examine users' privacy concerns before and after having used our application. The results obtained confirm the utility of our artifact and provide support for our theoretical model, which extends previous literature on privacy calculus and users' acceptance of context-aware technology.

Relevance:

30.00%

Publisher:

Abstract:

This paper presents a theoretical model to analyze the privacy issues around location based mobile business models. We report the results of an exploratory field experiment in Switzerland that assessed the factors driving user payoff in mobile business. We found that (1) the personal data disclosed has a negative effect on user payoff; (2) the amount of personalization available has a direct and positive effect, as well as a moderating effect on user payoff; (3) the amount of control over user's personal data has a direct and positive effect, as well as a moderating effect on user payoff. The results suggest that privacy protection could be the main value proposition in the B2C mobile market. From our theoretical model we derive a set of guidelines to design a privacy-friendly business model pattern for third-party services. We discuss four examples to show the mobile platform can play a key role in the implementation of these new business models.