Privacy-Enhancing Identity Management in Business

DOI: 10.1007/978-3-642-19050-6_7

ABSTRACT Businesses make use of data routinely for daily operations, including sensitive and/or personal data. Personal data and information
are, inter alia, seen as means towards customization of services for employees and for customers.

Some elements of this processing of personal information and some practices have come under increasing scrutiny due to privacy
concerns. There is undoubtedly a call for better privacy management in organisations, and a tendency to strengthen privacy
regulations and policies up to the point where some of the current processes may even become impossible to execute or become
outlawed. However, a basic fact is that even if users want maxmium privacy in business dealings, unless organisations can
support these privacy requests, the users will not get their wish.

  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: The emergence of identity management indicates that the process of identification has reached a stage where analog and digital environments converge. This is also reflected in the increased efforts of governments to introduce electronic ID systems, aiming at security improvements of public services and unifying identification procedures to contribute to administrative efficiency. Though privacy is an obvious core issue, its role is rather implicit compared to security. Based on this premise, this paper discusses a control dilemma: the general aim of identity management to compensate for a loss of control over personal data to fight increasing security and privacy threats could ironically induce a further loss of control. Potential countermeasures demand user-controlled anonymity and pseudonymity as integral system components and imply further concepts which are in their early beginnings, e.g., limiting durability of personal data and transparency enhancements with regard to freedom of information to foster user control. Keywordsprivacy–IDM–e-ID–user control–e-government–transparency–freedom of information
    04/2011: pages 206-218;
  • [Show abstract] [Hide abstract]
    ABSTRACT: Article 17 (1) of the Directive 95/46/EC (DPD) requires that the controller must implement appropriate technical and organizational measures to protect personal data. ICT offers solutions in the shape of privacy protection for users, consumers and citizens. The application of ICT to protect privacy has become widely known under the name Privacy-Enhancing Technologies (PET or PETs). This paper tries to explain what factors influence the adoption of privacy enhancing technologies (PETs). This research question first explores whether PETs is an innovation. It then applies Roger’s theory on the diffusion of innovation on PETs. Conceptual models are presented on the main factors of adoption of PETs and the necessary maturity of an organization before adoption of PETs can occur. The paper points out that a positive business case for the economic justification of investments in PETs is needed before a positive decision on the investment will be taken.
    12/2010: pages 309-341;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper focuses on authentication with three types of entities: a user who sends an authentication request, anser- vice provider who receives and verifies the request, and a database who supplies the authentication-server with infor- mation for verifying the request. This paper presents novel authentication protocols that satisfy the following impor- tant properties: (1) secure against replay attacks and (2) the database cannot identify which user is authenticating First, we show a protocol with a single database which satisfies Properties (2). Second, we show a protocol which satisfies Properties (1) and (2). A key idea of our authentication protocols is to useprivate information retrieval (PIR) (Chor et al. J. ACM, 1998).