Abstract
Many ICT applications involve the collection of personal information or information on the behaviour of customers, users, employees, citizens, or patients. The organisations that collect this data need to manage the privacy of these individuals. In many organisations there are insufficient data protection measures and a low level of trust among those whose data are concerned. It is often difficult and burdensome for organisations to prove privacy compliance and accountability, especially in situations that cross national boundaries and involve a number of different legal systems governing privacy. In response to these obstacles, we describe instruments facilitating accountability, audit, and meaningful certification. These instruments are based on a set of fundamental data protection goals (DPG): availability, integrity, confidentiality, transparency, intervenability, and unlinkability. By using the data protection goals instead of focusing on fragmented national privacy regulations, a well-defined set of privacy metrics can be identified that recognises privacy-by-design requirements and widely accepted certification criteria. We also describe a novel conceptual framework and architecture for defining comprehensive privacy compliance metrics and providing assessment tools for ICT applications and services using as much automation as possible. The proposed metrics and tools will identify gaps, provide clear suggestions, and assist audit and certification to support informed decisions on the trustworthiness of ICT for citizens and businesses.
© 2014 Springer-Verlag Berlin Heidelberg
Kveler, K., Bock, K., Colombo, P., Domany, T., Ferrari, E., Hartman, A. (2014). Conceptual Framework and Architecture for Privacy Audit. In: Preneel, B., Ikonomou, D. (eds) Privacy Technologies and Policy. APF 2012. Lecture Notes in Computer Science, vol 8319. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54069-1_2
DOI: https://doi.org/10.1007/978-3-642-54069-1_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-54068-4
Online ISBN: 978-3-642-54069-1