Abstract
Unlike traditional monolithic approaches to web-service composition, modern web services are built by integrating various external sub-services, such as OpenID authentication, cloud-based IaaS for compute and storage, payment gateways, and more. Additionally, application-specific sub-services, like JavaScript libraries and web analytics, are often incorporated, particularly in e-commerce platforms. This modern modular approach offers clear advantages, including faster deployment, enhanced user convenience, and lower service delivery costs. However, it also raises significant privacy concerns, as users’ interactions with these services are exposed to third-party sub-services, which can observe those interactions and draw inferences from them. In the early days of online banking, David Chaum proposed eCash, a system that allowed banks to authenticate payments without monitoring their customers’ transaction details. Beyond payments, however, the linking of users to their online actions, by both the primary service provider and its associated sub-services, has made privacy violations difficult to identify and prevent. Schneier and Raghavan introduced strategies to enhance privacy in online services through the decoupling principle, which separates user actions from user identity to prevent linkability. The root of privacy breaches in online transactions is the ability to observe an authenticated user’s identity and connect it with their actions. SPKI (Simple Public Key Infrastructure) offers a way to define, use, and manage identity and authorizations independently of each other. In this paper, we propose an SPKI-based framework that can be integrated into online transaction processes to decouple identity from actions. Through illustrative examples, we demonstrate the framework’s utility and argue that it provides greater expressiveness and flexibility than existing privacy frameworks.
Notes
1. Users seldom read/understand privacy policies [36].
2.
References
Abdelaziz, Y., Napoli, D., Chiasson, S.: End-users and service providers: Trust and distributed responsibility for account security. In: 2019 17th International Conference on Privacy, Security and Trust (PST), pp. 1–6. IEEE Computer Society (2019). https://doi.org/10.1109/PST47121.2019.8949041
FIDO Alliance: Passkeys (2022). https://fidoalliance.org/passkeys/
Brunner, C., Gallersdörfer, U., Knirsch, F., Engel, D., Matthes, F.: DID and VC: untangling decentralized identifiers and verifiable credentials for the web of trust. In: Proceedings of the 3rd International Conference on Blockchain Technology and Applications, pp. 61–66. ACM (2021). https://doi.org/10.1145/3446983.3446992
Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston, MA (1983). https://doi.org/10.1007/978-1-4757-0602-4_18
Chaum, D.: Untraceable electronic mail, return addresses and digital pseudonyms. In: Gritzalis, D.A. (ed.) Secure Electronic Voting. AIS, vol. 7, pp. 211–219. Springer, Boston (2003). https://doi.org/10.1007/978-1-4615-0239-5_14
Clarke, D.E.: SPKI/SDSI HTTP server/certificate chain discovery in SPKI/SDSI. Ph.D. thesis, Massachusetts Institute of Technology (2001)
Davidson, A., Goldberg, I., Sullivan, N., Tankersley, G., Valsorda, F.: Privacy pass: bypassing internet challenges anonymously. Proc. Priv. Enhancing Technol. 2018(3), 164–180 (2018). https://doi.org/10.1515/POPETS-2018-0026
Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: 13th USENIX Security Symposium. USENIX Association (2004)
Dwork, C.: A firm foundation for private data analysis. Commun. ACM 54(1), 86–95 (2011). https://doi.org/10.1145/1866739.1866758
Ellison, C.: Establishing identity without certification authorities. In: 6th USENIX Security Symposium, p. 7. USENIX Association (1996)
Ellison, C.: SPKI Requirements. RFC 2692 (1999). https://www.rfc-editor.org/info/rfc2692
Eskandarian, S., Messeri, E., Bonneau, J., Boneh, D.: Certificate Transparency with Privacy. CoRR abs/1703.02209 (2017)
Ferdous, M.S., Chowdhury, F., Alassafi, M.O.: In search of self-sovereign identity leveraging blockchain technology. IEEE Access 7, 103059–103079 (2019). https://doi.org/10.1109/ACCESS.2019.2931173
Hyperledger Foundation: Hyperledger Indy (2024). https://www.hyperledger.org/projects/hyperledger-indy
Sovrin Foundation: Sovrin basics (2024). https://sovrin.org/library/
Gurevich, Y., Hudis, E., Wing, J.M.: Inverse privacy. Commun. ACM 59(7), 38–42 (2016). https://doi.org/10.1145/2838730
Hardt, D.: The OAuth 2.0 Authorization Framework. RFC 6749 (2012). https://doi.org/10.17487/RFC6749
Kales, D., Omolola, O., Ramacher, S.: Revisiting user privacy for certificate transparency. In: 2019 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 432–447 (2019). https://doi.org/10.1109/EuroSP.2019.00039
Khan, S., et al.: Accountable and transparent TLS certificate management: an alternate public-key infrastructure with verifiable trusted parties. Sec. Comm. Netw. (2018)
Korir, M., Parkin, S., Dunphy, P.: An empirical study of a decentralized identity wallet: usability, security, and perspectives on user control. In: Eighteenth Symposium on Usable Privacy and Security (SOUPS 2022), pp. 195–211. USENIX Association (2022)
Mayrhofer, A., Klesev, D., Sabadello, M.: The Decentralized Identifier (DID) in the DNS. Internet-Draft draft-mayrhofer-did-dns-05, Internet Engineering Task Force (2021). https://datatracker.ietf.org/doc/draft-mayrhofer-did-dns/05/. Work in progress
Narayanan, A., Shmatikov, V.: Myths and fallacies of “personally identifiable information”. Commun. ACM 53(6), 24–26 (2010). https://doi.org/10.1145/1743546.1743558
Narayanan, A., Toubiana, V., Barocas, S., Nissenbaum, H., Boneh, D.: A critical look at decentralized personal data architectures. CoRR abs/1202.4503 (2012)
Patil, V., Gasti, P., Mancini, L., Chiola, G.: Resource management with X.509 inter-domain authorization certificates (InterAC). In: Martinelli, F., Preneel, B. (eds.) EuroPKI 2009. LNCS, vol. 6391, pp. 34–50. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16441-5_3
Patil, V., Shyamasundar, R.K.: Trust management for e-transactions. Sadhana 30(2), 141–158 (2005). https://doi.org/10.1007/BF02706242
Patil, V., Shyamasundar, R.: ROADS: role-based authorization and delegation system. In: International Conference on Computational & Experimental Engineering and Sciences (2003)
Patil, V., Shyamasundar, R.: Evolving role of PKI in facilitating trust. In: 2022 IEEE International Conference on Public Key Infrastructure and its Applications (PKIA), pp. 1–7. IEEE, USA (2022). https://doi.org/10.1109/PKIA56009.2022.9952249
Raghavan, B., Schneier, B.: A bold new plan for preserving online privacy and security: Decoupling our identities from our data and actions could safeguard our secrets in the cloud. IEEE Spectr. 60(12), 22–29 (2023)
Reed, D., Law, J., Hardman, D.: The technical foundations of Sovrin. Sovrin Foundation (2016)
Schmitt, P., Iyengar, J., Wood, C., Raghavan, B.: The decoupling principle: a practical privacy framework. HotNets, Association for Computing Machinery (2022)
Schwoon, S., Wang, H., Jha, S., Reps, T.: Distributed certificate-chain discovery in SPKI/SDSI. Technical report. University of Wisconsin-Madison Department of Computer Sciences (2005)
Sporny, M., Longley, D., Sabadello, M., Reed, D., Steele, O., Allen, C.: Decentralized Identifiers (DIDs) v1.0 (2022). https://www.w3.org/TR/did-core/
Wouters, P.: DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP. RFC 7929 (2016). https://doi.org/10.17487/RFC7929
Ylonen, T., Thomas, B., Lampson, B., Ellison, C., Rivest, R.L., Frantz, W.S.: SPKI Certificate Theory. RFC 2693 (1999)
Zhang, L., et al.: Identity confusion in WebView-based mobile app-in-app ecosystems. In: 31st USENIX Security Symposium, pp. 1597–1613. USENIX Association (2022)
Zhou, L., et al.: Policycomp: counterpart comparison of privacy policies uncovers overbroad personal data collection practices. In: Proceedings of the 32nd USENIX Conference on Security Symposium, SEC 2023. USENIX Association, USA (2023)
Acknowledgements
This work is carried out as a part of the project RD/0120-NCSC001-001 “AI Powered Security Operation Product Suite for National Critical Information Infrastructure”, funded by the NSCS, Government of India.
Copyright information
© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Patil, V., Shyamasundar, R.K. (2025). A Decoupling Mechanism for Transaction Privacy. In: Patil, V.T., Krishnan, R., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2024. Lecture Notes in Computer Science, vol 15416. Springer, Cham. https://doi.org/10.1007/978-3-031-80020-7_21
DOI: https://doi.org/10.1007/978-3-031-80020-7_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-80019-1
Online ISBN: 978-3-031-80020-7
eBook Packages: Computer Science, Computer Science (R0)