Security and privacy are often seen as opposite, irreconcilable goals. Privacy advocates and security hawks cling to rigid viewpoints, fighting each other in an ageing trench war. As a result, measures to increase our security disregard our privacy, while privacy enhancing technologies do very little to address legitimate security concerns. Revocable privacy aims to bridge the two sides of the debate and break the status quo. Revocable privacy is a design principle (including the necessary toolbox) for building information systems that balance security and privacy needs. The underlying principle is to design a system that guarantees the privacy of its users, unless a user violates a predefined rule. In that case, (personal) information will be released. Laws and regulations by themselves are insufficient: they can be changed or sidestepped later on. That is why the principle that "code is law" is taken as the point of departure: the rules and regulations must be hard-wired into the architecture of the system itself.
Privacy is a hard concept to define [25, 12]. It has many dimensions (locational privacy, physical privacy, informational privacy, etc.) and is highly context dependent: its importance and meaning depend on socio-cultural backgrounds and on individual preferences. Moreover, technological developments (like the invention of the computer and the rise of the Internet) have had profound implications for the privacy of citizens in a society. Like freedom of speech, privacy is not only a personal value but also a societal value. It is a prerequisite for realising one's full potential and for developing one's own opinions, which in turn contributes to the development and innovation of society as a whole. See Solove [21] for a thorough discussion. Privacy is therefore protected by laws and regulations, both at the European level [10] and by nation states [26].
Our focus is on the informational dimension of privacy, and we loosely define privacy as the right (and the means) to control the release of personal information, even when that data is already stored by a third party. Technical definitions for several aspects of privacy, like anonymity, unlinkability, undetectability, unobservability, pseudonymity, and even identity management, are given by Pfitzmann and Hansen [20].
Security is also an important value for society, and one that has grown considerably in importance over the last decades. Even before the gruesome terrorist attacks on the World Trade Center in New York on September 11, 2001, large numbers of surveillance cameras were being installed in public places to prevent crime. Already back then, the Netherlands was the number one phone-tapping nation in the world [16]. To combat terrorism and to stop cybercrime, security ranks high on the political agenda these days.
Unfortunately, security and privacy are seen as each other's enemies. It is thought, without grounds, that one cannot be achieved without sacrificing the other. Privacy advocates and security hawks are stuck in a trench war. Given the high political importance attached to homeland security these days, this has resulted in approaches to increase societal safety that disregard the privacy of citizens. Similarly, when designing privacy enhancing technologies (PET), little attention is paid to the quite reasonable request to also consider societal security issues.
Legal or regulatory attempts to remedy the situation are inadequate. Rules and regulations may change over time, allowing more possibilities to gather information about people after the fact. Such "function creep" occurs frequently: once a system, in principle, allows certain ways to collect data, sooner or later politicians or police investigators will ask for an extension of powers. Therefore, the solution must be found in limiting the possibilities at the outset, through technical means, in the architecture and design of the system. Unfortunately, because of the high political importance given to security, security countermeasures are being implemented without much regard for privacy. Examples, in the Netherlands and elsewhere, include camera surveillance, proposals for road pricing systems, smart payment systems for public transport, identity management systems, and the like.
To balance security and privacy needs and achieve a reasonable trade-off [27], we are developing revocable privacy. In this paper we present some models and definitions, indicate viable technical approaches, and show how they can help to break the status quo.
As argued above, there is an inherent conflict of interest between security proponents and privacy advocates. We aim to strike a balance between security and privacy needs when developing large-scale information systems. Legal or procedural approaches are insufficient, because they can easily be circumvented or changed. Proper solutions therefore need to be developed at the architectural level, using techniques for revocable privacy. In essence, the idea is to design systems in such a way that no personal information is collected, unless a user violates the (pre-established) terms of service. Only in that case are his personal details, and when and how he violated the terms, revealed. The data is, of course, only revealed to authorised parties.
We define revocable privacy as follows.
Definition of Revocable privacy. A system implements revocable privacy if the architecture of the system guarantees that personal data is revealed only if a predefined rule has been violated.
This definition can be refined by requiring that
The guarantees should hold for the design and implementation as well. We distinguish two variants of revocable privacy.
Spread responsibility: One or more trusted third parties verify whether all conditions for releasing personal data have been met, and grant access (or release the data) if this is the case. (A minimal sketch of this variant follows below.)
Self-enforcing architecture: The rules for releasing data are hard-coded into the architecture. If the rules are violated, the data is released automatically. If no rules are violated, no information can be obtained at all.
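To make the spread-responsibility variant concrete, the following is a minimal sketch in Python, with hypothetical names and rule checks: a record is stored encrypted, the key is split into XOR shares held by independent trustees, and only if every trustee confirms that the predefined rule has been violated are the shares combined and the record revealed. This is an illustration of the principle, not a production design.

```python
# Toy illustration of the "spread responsibility" variant: personal data is
# stored encrypted, and the key (here a one-time pad) is split into XOR
# shares held by independent trustees.  Only if *every* trustee agrees that
# the predefined rule has been violated are the shares combined and the
# record decrypted.  Names and rule checks are hypothetical.

import secrets
from functools import reduce

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_record(record: bytes, n_trustees: int):
    """Encrypt with a one-time pad and split the pad into n XOR shares."""
    pad = secrets.token_bytes(len(record))
    ciphertext = xor_bytes(record, pad)
    shares = [secrets.token_bytes(len(record)) for _ in range(n_trustees - 1)]
    shares.append(reduce(xor_bytes, shares, pad))   # last share completes the pad
    return ciphertext, shares

def release(ciphertext: bytes, shares, rule_checks):
    """Each trustee runs its own check; data is released only if all agree."""
    if not all(check() for check in rule_checks):
        return None                     # rule not violated: nothing is revealed
    pad = reduce(xor_bytes, shares)
    return xor_bytes(ciphertext, pad)

# Example: three trustees must each confirm the (hypothetical) violation.
ct, trustee_shares = encrypt_record(b"licence plate AB-123-C", 3)
evidence_ok = [lambda: True, lambda: True, lambda: True]
print(release(ct, trustee_shares, evidence_ok))
```

Note that this variant still relies on the trustees following procedure; the self-enforcing variant removes that reliance, as illustrated for the ANPR example further below.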
The idea of revocable privacy is certainly not a new one: back in 1988 Chaum et al. [7] proposed a scheme for off-line digital cash in which double-spending a coin reveals the identity of the owner of the coin. This was done in the context of Chaum's more general work on privacy enhancing technologies [5, 6]. More recent examples include limiting the amount one can spend anonymously at a single merchant [3], or revoking the anonymity of users who do not pay their bill at a merchant [2]. General techniques are scarce, however, and their value in real-world applications has not been properly investigated.
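The double-spending mechanism of [7] can be conveyed by a heavily simplified, hypothetical sketch (it omits the blind signatures and commitments of the real scheme): a coin carries pairs of values that together encode the owner's identity, and every payment reveals one half of each pair as selected by the merchant's random challenge. A single payment therefore reveals nothing, but two payments of the same coin almost certainly expose both halves of some pair, and hence the identity.

```python
# Much simplified illustration of the double-spending idea in Chaum et al. [7]:
# the coin carries pairs (r_i, r_i XOR identity).  Each payment reveals one
# element of every pair, selected by the merchant's random challenge bits.
# One payment reveals nothing about the identity; two payments with different
# challenges expose both halves of at least one pair.

import secrets

def mint_coin(identity: int, k: int = 16):
    """Coin with k pairs (r_i, r_i ^ identity); in the real scheme these are blinded."""
    pairs = []
    for _ in range(k):
        r = secrets.randbits(32)
        pairs.append((r, r ^ identity))
    return pairs

def spend(coin, challenge):
    """A payment reveals pairs[i][challenge[i]] for every position i."""
    return [pair[bit] for pair, bit in zip(coin, challenge)]

def trace_double_spender(challenge1, response1, challenge2, response2):
    """The bank combines two spendings of the same coin to recover the identity."""
    for b1, v1, b2, v2 in zip(challenge1, response1, challenge2, response2):
        if b1 != b2:               # both halves of this pair are now known
            return v1 ^ v2         # r_i ^ (r_i ^ identity) = identity
    return None                    # challenges happened to coincide everywhere

coin = mint_coin(identity=0xCAFE)
c1 = [secrets.randbits(1) for _ in range(len(coin))]
c2 = [secrets.randbits(1) for _ in range(len(coin))]
revealed = trace_double_spender(c1, spend(coin, c1), c2, spend(coin, c2))
print(hex(revealed) if revealed is not None else "challenges coincided")
```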
Many of the techniques currently in use for revocable privacy rely on trusted third parties. By spreading the power over many such parties (using secret sharing or similar techniques), one can mitigate the risk of corruption or subversion. However, such systems are in essence still procedure based: by changing the procedures and replacing the trusted parties, one can still change the rules of the game. We therefore believe that self-enforcing approaches to revocable privacy are the way forward. In that case there is no need to trust any entity (which is a problem in third-party based solutions, as argued above [9]). This line of reasoning follows the ideas of "architecture is politics" and "code is law" [19], and is inspired by the "select before you collect" principle [15, 14]. Our approach is privacy respecting [17] but not unconditionally privacy guaranteeing.
The PhD thesis of Markus Stadler [22] from 1996 on revocable privacy serves as a valuable starting point. It provides us with the following toolbox of cryptographic primitives for revocable privacy.
The latter method has been successfully applied to implement an off-line traceable payment scheme. The main drawback is that abuse is not prevented outright, and that abuse of the system may only surface much later, after a lot of damage to particular persons may already have been done.
Anonymity control could perhaps also be implemented in pseudonymous identity management systems. That would help to decrease (government) resistance to such systems. However, the anonymity control in idemix [4] is quite rudimentary: it is based on an all-or-nothing approach, and only protects against the pooling of credentials among users.
There are also other techniques that appear promising. One example is the use of homomorphic cryptographic techniques, like threshold encryption [11], where each member of a group of n users encrypts a value using their own private key, with the property that at least t different encrypted values are needed to decrypt the value (using a single public key).
To see how threshold encryption can help achieve revocable privacy, consider the following real-life example. So-called "canvas cutters" are criminals who roam the parking places along highways looking for trucks with valuable cargo (which they find by cutting the canvas). To identify possible canvas cutters, one could set up ANPR (Automatic Number Plate Recognition) systems at the entry of each parking place, and search the resulting data stream for cars that entered multiple parking places along the same highway on a single day. Apart from identifying police cars and the AA (which have similar driving patterns), this should identify canvas cutters as well. Clearly this poses a privacy threat, as data on all cars visiting a parking place are retained. One could choose to retain the data from a single ANPR system for only a couple of hours, but this is only a procedural measure. Another option is to have each ANPR system immediately encrypt all recognised number plates using a threshold encryption scheme, and only store these encrypted number plates. Setting the threshold at a suitable level, e.g., 3, the authorities can only retrieve the number plates of cars that visited at least 3 parking places along a single stretch of highway on a single day.
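The following toy sketch illustrates the threshold idea for this example. It is not the threshold encryption scheme of [11]: it uses Shamir secret sharing over a prime field instead, and it assumes, hypothetically, that all cameras hold a shared secret key inside tamper-resistant hardware and that the stored shares can be grouped for reconstruction. Each camera that recognises a plate stores one share of that plate on a polynomial derived from the plate itself; fewer than the threshold number of sightings reveal nothing useful, while three sightings suffice to reconstruct the plate.

```python
# Toy sketch (not the scheme of [11]) of the ANPR idea: every camera that
# sees a licence plate stores one Shamir share of that plate, taken on a
# polynomial derived deterministically from the plate and a secret key that
# is assumed to live only inside the cameras' tamper-resistant hardware.
# Once a plate has been seen at THRESHOLD different parking places, the
# authority can reconstruct it from the stored shares.

import hashlib

PRIME = 2**127 - 1          # field size (a Mersenne prime)
THRESHOLD = 3               # number of sightings needed to reveal a plate
CAMERA_KEY = b"secret-only-inside-cameras"   # hypothetical shared secret

def _coefficient(plate: str, i: int) -> int:
    data = CAMERA_KEY + plate.encode() + i.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % PRIME

def camera_share(plate: str, camera_id: int):
    """Share stored by camera `camera_id` when it recognises `plate`."""
    x = camera_id
    # f(x) = encode(plate) + c_1*x + ... + c_{t-1}*x^{t-1}  (mod PRIME)
    y = int.from_bytes(plate.encode(), "big")
    for i in range(1, THRESHOLD):
        y = (y + _coefficient(plate, i) * pow(x, i, PRIME)) % PRIME
    return (x, y)

def reconstruct(shares):
    """Lagrange interpolation at 0; returns the plate if the shares match."""
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = (num * -xm) % PRIME
                den = (den * (xj - xm)) % PRIME
        secret = (secret + yj * num * pow(den, -1, PRIME)) % PRIME
    try:
        plate = secret.to_bytes((secret.bit_length() + 7) // 8, "big").decode()
    except UnicodeDecodeError:
        return None
    # consistency check: the candidate plate must reproduce all given shares
    if all(camera_share(plate, x) == (x, y) for x, y in shares):
        return plate
    return None

# A car visiting three different parking places becomes identifiable:
sightings = [camera_share("AB-123-C", cam) for cam in (1, 4, 7)]
print(reconstruct(sightings))            # -> "AB-123-C"
# Two sightings of one car plus one of another reveal nothing:
mixed = [camera_share("AB-123-C", 1), camera_share("AB-123-C", 4),
         camera_share("XY-999-Z", 7)]
print(reconstruct(mixed))                # -> None
```

A real deployment would additionally have to hide which stored shares belong to the same plate, and scope the scheme to sightings along one stretch of highway on one day; the sketch glosses over these aspects.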
Another approach that deserves further study is the work of Galindo and Verheul [13] on pseudonymous data sharing. Their system allows so-called researchers to execute queries over combined data coming from different suppliers, who register data under mutually disjoint pseudonyms. So-called accumulators, which are semi-trusted, stand between the researchers and the suppliers and combine data belonging to the same entity using knowledge of the underlying structure of the pseudonyms.
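To give a rough impression of this pattern, the following is a hypothetical toy sketch. It is not the Galindo and Verheul construction; in particular, their cryptographic pseudonym structure is replaced here by simple keyed hashes, and all names and keys are made up. Suppliers file records under mutually disjoint pseudonyms, and an accumulator that only knows the per-supplier derivation keys joins the records of one person under a common research pseudonym, without ever handling an identity.

```python
# Hypothetical toy sketch of the pattern described in [13] (their actual
# construction is different): suppliers store records under mutually
# disjoint pseudonyms, and a semi-trusted "accumulator" that knows only the
# per-supplier derivation keys joins the records of one person under a
# common research pseudonym, never seeing an identity.

import hmac, hashlib

def _prf(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

# Keys: a registration authority knows MASTER_KEY; the accumulator only
# knows the per-supplier keys (all values hypothetical).
MASTER_KEY = b"registration-authority-key"
SUPPLIER_KEYS = {"hospital": b"key-hospital", "insurer": b"key-insurer"}

def research_pseudonym(identity: str) -> str:
    """Computed at registration time; identities never leave this step."""
    return _prf(MASTER_KEY, identity.encode())

def supplier_pseudonym(research_pnym: str, supplier: str) -> str:
    """Supplier-specific pseudonym, derived from the research pseudonym."""
    return _prf(SUPPLIER_KEYS[supplier], research_pnym.encode())

def accumulate(research_pnyms, supplier_tables):
    """Accumulator: joins the suppliers' records per research pseudonym."""
    joined = {}
    for pnym in research_pnyms:
        record = {}
        for supplier, table in supplier_tables.items():
            record.update(table.get(supplier_pseudonym(pnym, supplier), {}))
        joined[pnym] = record
    return joined

# Registration: Alice's records are filed under disjoint supplier pseudonyms.
alice = research_pseudonym("alice")
hospital = {supplier_pseudonym(alice, "hospital"): {"diagnosis": "flu"}}
insurer  = {supplier_pseudonym(alice, "insurer"):  {"claims": 2}}

# The researcher receives the joined record under the research pseudonym only.
print(accumulate([alice], {"hospital": hospital, "insurer": insurer}))
```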
[…] I have been arguing for the technical realisation of a related concept called Revocable Privacy for a few years […]