Abstract
The increasing number of linkable vendor-operated databases presents unique threats to customer privacy and security, as personal information communicated in online transactions can be misused by the vendor. Existing privacy-enhancing technologies fail when a vendor operates against its stated privacy policy, leading to loss of customer privacy and security. Anonymity may not be applicable when transactions require identification of participants. We propose a service-oriented, technically enforceable system that preserves privacy and security for customers transacting with untrusted online vendors. The system extends to support protection of customer privacy when multiple vendors interact in composite web services. A semi-trusted processor is introduced for safe execution of sensitive customer information in a protected environment and provides accountability in the case of disputed transactions.
© 2005 International Federation for Information Processing
About this paper
Cite this paper
Pearce, C., Bertok, P., Van Schyndel, R. (2005). Protecting Consumer Data in Composite Web Services. In: Sasaki, R., Qing, S., Okamoto, E., Yoshiura, H. (eds) Security and Privacy in the Age of Ubiquitous Computing. SEC 2005. IFIP Advances in Information and Communication Technology, vol 181. Springer, Boston, MA. https://doi.org/10.1007/0-387-25660-1_2
DOI: https://doi.org/10.1007/0-387-25660-1_2
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-25658-0
Online ISBN: 978-0-387-25660-3
eBook Packages: Computer Science, Computer Science (R0)