Identity Management

Privacy-Enhancing Identity Management

Marit Hansen, Peter Berlich, Jan Camenisch, Sebastian Clauß, Andreas Pfitzmann, Michael Waidner

Information Security Technical Report. Vol. 9, No. 1. 1363-4127/04 © 2004 Elsevier Ltd

Marit Hansen, Independent Centre for Privacy Protection Schleswig-Holstein, Holstenstraße 98, 24103 Kiel, Germany; T +49 431 988 1214; marit.hansen@t-online.de
Peter Berlich, IBM Switzerland, Bändliweg 21, 8010 Zürich, Switzerland; T +41 58 333 5575; peter.berlich@ch.ibm.com
Jan Camenisch, IBM Zurich Research Lab, Säumerstrasse 4, 8803 Rüschlikon, Switzerland; T +41 1 724 8279; jca@zurich.ibm.com
Sebastian Clauß, TU Dresden, Department of Computer Science, 01062 Dresden, Germany; T +49 351 463 38448; sc2@inf.tu-dresden.de
Andreas Pfitzmann, TU Dresden, Department of Computer Science, 01062 Dresden, Germany; T +49 351 463 38277; pfitza@inf.tu-dresden.de
Michael Waidner, IBM Zurich Research Lab, Säumerstrasse 4, 8803 Rüschlikon, Switzerland; T +41 1 724 8444; wmi@zurich.ibm.com

About the authors

Marit Hansen is a computer scientist and is head of the Privacy-Enhancing Technologies (PET) Section at the Independent Centre for Privacy Protection Schleswig-Holstein (the state privacy commission), Germany. Since her diploma in 1995 she has been working on security and privacy aspects, especially concerning the Internet, anonymity, pseudonymity, identity management, biometrics, multilateral security, and e-privacy, from both the technical and the legal perspectives. In several projects she and her team actively participate in technology design in order to support PET and give feedback on legislation.

Peter Berlich is working as Security Delivery Project Executive on a major outsourcing account at IBM Global Services. His current main focus is on security management, but he retains a broad scope of interest in security and privacy topics. Before joining IBM in 2003, he was employed as global Information Security Manager at a major industrial corporation, a position he held for several years. Prior to that, he held various IT and project management roles. Peter Berlich holds a PhD in physics.

Jan Camenisch: Diploma in Electrical Engineering Science, ETH Zurich, 1987–1993. 1993–1998 research in cryptography, focusing on privacy-enhancing cryptography (e.g. e-cash); PhD in 1998 (Group Signature Schemes and Payment Systems Based on the Discrete Logarithm Problem). 1998–1999 Research Assistant Professor in Computer Science, University of Aarhus, Denmark. Since 1999 Research Staff Member at IBM Zurich, working on cryptography and network security, in particular cryptographic protocols supporting privacy and anonymity and practical secure distributed computation. For more information see http://www.zurich.ibm.com/~jca/.

Sebastian Clauß studied computer science at Technische Universität Dresden from 1994 to 2000. In his diploma thesis (M.Sc.) he did research on privacy issues in multilateral negotiations on security properties. Since then he has been engaged in research on data security and privacy at the same university. He is especially interested in technologies for anonymity and identity management, and has published in these areas.

Andreas Pfitzmann is a professor of computer science at Dresden University of Technology. His research interests include privacy and multilateral security, mainly in communication networks, mobile computing, and distributed applications. He has authored or co-authored about 110 papers in these fields. He received diploma and doctoral degrees in computer science from the University of Karlsruhe. He is a member of ACM, IEEE, and GI, where he served as chairman of the Special Interest Group on Dependable IT Systems for ten years.

Michael Waidner is institute executive of the IBM Privacy Research Institute and senior manager of Security and Privacy at the IBM Zurich Research Laboratory, and a member of the IBM Academy of Technology. He is directing IBM's research activities in technologies for enterprise privacy and data protection, which involves more than 40 researchers worldwide. He is also co-responsible for IBM's strategy for research in information security and privacy. Michael Waidner joined IBM in 1994. Since then he has been working on various projects in enterprise privacy technologies, secure electronic commerce, dependability in distributed systems, provably secure cryptographic primitives, and formal verification of cryptographic protocols. Before joining IBM, he was a lecturer at the University of Karlsruhe, working and teaching on various aspects of cryptography, security and fault tolerance. Michael Waidner is author of more than 100 research papers in security, privacy and cryptography, and served on the program committees of several international conferences on these topics. He received a Doctorate in Computer Science from the University of Karlsruhe, Germany, in 1991. He is a member of ACM, IACR, and GI, and a Fellow of the IEEE.

Abstract

Privacy-Enhancing Technologies (PET) are the technical answer to social and legal privacy requirements. PETs are the building blocks of tools that manage users' personal data. With such tools users can control their individual digital identity, i.e. their individual partial identities in an online world. Existing commercially available identity management systems (IMS) do not yet provide privacy-enhancing functionality. We discuss general concepts and mechanisms for privacy-enhancing IMS (PE-IMS) in detail and highlight where existing IMS need to be improved in order to deliver them. Derived from these general concepts and incorporating existing mechanisms, we define a component-based architecture for PE-IMS. This architecture describes the basic building blocks a PE-IMS must include, and is therefore meant to serve as a fundamental concept for PE-IMS in practice. Finally, we give an outlook on the future development of IMS.

Keywords: Identity, Privacy, Identity Management System, Privacy-Enhancing Technologies, PET, Privacy-Enhancing Identity Management System, Multilateral Security

1. Introduction

Most people possess an intuitive understanding of privacy as a defensive right to control access to one's own personal information. They are used to compartmentalizing their personal information according to context, e.g. separating private and business activities. The different aspects of a person's identity which can be used in different contexts or situations are called partial identities. Similarly, a role denominates the activation of situation-dependent identity properties. In other words, a role represents a conscious or sub-conscious activation of (one or more of) a person's partial identities in a given situation.

The pervasiveness of information and communication technology has introduced a new quality of online life, combined with increased technical capabilities for surveillance and monitoring, thereby putting the established concept of, and right to, privacy under public scrutiny. The postulate of a right to informational self-determination[1] and to privacy[2] still marks the status of the social discourse on the subject. In an online world it is in principle still possible for users to manage their identities manually; however, this is a cumbersome process that defeats the surplus value of speed and convenience offered by online transactions and processes. We assume that the majority of users will prefer an automated solution for managing their roles and identities, a so-called Identity Management System (IMS).

[1] "The individual [...] has the right to know and to decide on the information being processed about him." (German original: "... Befugnis des Einzelnen, grundsätzlich selbst über die Preisgabe und Verwendung seiner persönlichen Daten zu bestimmen", i.e. the authority of the individual to decide, in principle, for himself on the disclosure and use of his personal data.) German Federal Constitutional Court, BVerfGE 65, 1, 41 (1983).
[2] "Privacy is the desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behavior to others." Alan F. Westin [Westin 1967].

In this context, the meaning of Identity Management is determined by whether a system supports the administration of information subjects or the active management of personal information by the subjects themselves. Systems supporting the latter are called Privacy-Enhancing Identity Management Systems (PE-IMS). In legal systems that support free negotiation of privacy contracts, PE-IMS give both parties the flexibility and control necessary for successful negotiation and use. Conversely, existing European data protection legislation, as well as, for example, the internationally acknowledged Fair Information Practices[3], stipulate a right to transparency about which information another person or entity has, how this party intends to use these data, and which processing capabilities it possesses, so that a user is able to make an informed decision in response to a given situation.

[3] See, e.g., Federal Trade Commission (FTC): Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress, May 2000, http://www.ftc.gov/reports/privacy2000/privacy2000.pdf (current Feb 2004).

Three main components need to be in place in order to enable pervasive privacy-enhancing identity management:

- A secure infrastructure with the ability to support pseudonymity while providing the required degrees of confidentiality, integrity, authenticity, and non-repudiation, and furthermore a robustness that allows protection of PE-IMS as a central economic asset to the individual user and to society at large. Today, a secure infrastructure of this kind is technically feasible but has not been widely deployed, and weak credentials in social and technical processes (e.g. the US social security number) are the norm rather than the exception, giving rise to an increasing rate of identity-related crimes such as identity theft[4] [Clauß/Köhntopp 2001].
- As a prerequisite, an IMS needs to rely on certain services of an infrastructure, specifically its ability to support anonymous transactions. Base anonymity needs to be granted within a given communications network on all layers supporting the IMS in order to control linkability of personal information; otherwise different actions can be associated with one user simply by the IP address used. Anonymity services can support this requirement, although they will not typically implement identity management functionality on their own.[5]
- Pervasiveness and capability of computer usage within the population, in order to facilitate the intended widespread use of IMS. Today, a significant part of the population has access to and is familiar with the use of computers, so the entry barrier for gaining a critical mass of users is low.

[4] For a practical view of identity theft prevention and response see also Identity Theft Prevention and Survival; http://identitytheft.org/ (current Feb 2004).
[5] For an example of a free, fully operational anonymity service see JAP Anonymity and Privacy; http://anononline.de/ (current Feb 2004).

2. Privacy-Enhancing Identity Management Systems

In this section we first describe the functionality of PE-IMS in general, give examples of mechanisms, and show possibilities and conditions for enhancing their functionality.

2.1. Functionality of Privacy-Enhancing Identity Management Systems

A Privacy-Enhancing IMS makes the flow of personal data transparent and gives its user a larger degree of control [Clauß et al 2002]. The guiding principle is notice and choice, based on a high level of data minimization; this means user-controlled linkage of personal data.[6] According to the respective situation and context, such a system supports the user in making an informed choice of pseudonyms, representing partial identities. A PE-IMS supports the user in managing his or her partial identities, i.e. in particular the processes of role taking and role making. It acts as a central gateway for all communication between different applications, like browsing the web, buying in Internet shops, or carrying out administrative tasks with governmental authorities. Individuals will have to accept responsibility for their personal privacy, as no agency can guarantee its protection for them. Users have to be aware of their rights and obligations, as well as of the situational context they are acting in, in order to choose an appropriate partial identity. Usability of the system and education in privacy rights are prerequisites for making this a practical requirement.

[6] And, by default, unlinkability of different user actions, so that communication partners involved in different actions by the same user cannot combine the personal data disseminated during these actions.

2.1.1. Different degrees of data minimization

Although data minimization is one of the goals of PE-IMS, it is not an overriding one, as unconditional anonymity is not always desired. A PE-IMS can be designed to offer any degree of authenticity and linkability, i.e. anything between anonymity and full identification. Applications utilizing a PE-IMS would define the requirements on the use of partial identities and the range of user choices, adapting them to the respective situation. In some cases absolute anonymity may be possible; in others, e.g. in e-government processes, identifying data have to be presented. Sometimes authenticity and liability of the user have to be proven, sometimes this is not required. Context-specific authorization maximizes the effectiveness of information exchange while minimizing linkability between disjoint communication events, and thereby prevents context-spanning profiling.

2.1.2. Trusted front-end

The front-end to an Identity Management System is commonly called an Identity Management Application (IMA) [ICPP/SNG 2003]. The user should be able to access the IMA from a variety of devices (e.g. a mobile phone or PDA) and locations. At least minimal functionality and a usable interface should be provided for clients on any platform.

As the IMA stores and processes sensitive personal data, the tool itself and the corresponding infrastructure and processes should offer a sufficient level of security. Ideally, the user's IMA is located in an environment trusted by the user. For reasons of availability, convenient replication, or back-up services, users may want to outsource all or part of their PE-IMS to a provider. There should be no restrictions on the selection of such a provider. According to the principle of multilateral security, the trust required within any given system or network should be minimized [Rannenberg/Pfitzmann/Müller 1999].

2.2. Building blocks

2.2.1. Pseudonyms and credentials

Pseudonymity [Chaum 1985] comprises all degrees of linkability to a person, including anonymity and full identification [Pfitzmann/Köhntopp 2001]. Additionally, pseudonyms can be used to implement accountability. Reputation may be established or consolidated by re-using a pseudonym. A pseudonym together with the data linked to it forms a partial identity. Relevant properties of pseudonyms include:

- Authentication and authorization: Credentials or attribute certificates bound to digital pseudonyms support authentication and authorization. For authorization purposes, it is possible to use transferable digital vouchers, which could be implemented by blind digital signatures or certificates.
- Proof of holdership: Pseudonyms can be generated by the user, or generated and assigned by a third party, e.g. an application provider. In the context of identity management, the linkage between a pseudonym and its holder would not be publicly known by default. Proof of holdership is the capability to prove ownership of a pseudonym without disclosing additional personal information. Digital pseudonyms can be realized as a public key used to verify digital signatures, where the holder of the pseudonym proves holdership by forming a digital signature with the corresponding private key. For instance, PGP public keys, which are bound to e-mail addresses, are digital pseudonyms.
- Cross-contextual linkability: If the same pseudonym is used many times or in different contexts, the data about the holder disclosed in any of these events can be linked. In general, anonymity is the stronger, the less often and the less context-spanning the same pseudonym is used. We distinguish transaction pseudonyms, which are used for a single transaction only; role-relationship pseudonyms, which are used in a specific context (e.g. according to the role of the holder or the relationship to the communication partner); and context-spanning person pseudonyms, which substitute for the holder's name or civil identity.
- Convertibility[7]: In an anonymous credential system as introduced by David Chaum [Chaum 1985], users are known to different organizations by different pseudonyms. Different pseudonyms of the same user cannot be linked. Yet an organization can issue a credential (attribute certificate) to a pseudonym, and the corresponding user can prove possession of this credential to another organization (which knows her by a different pseudonym) without revealing anything more than the fact that she owns such a credential. Possession of a credential can be demonstrated repeatedly under different pseudonyms without these pseudonyms becoming linkable. Nevertheless, proving possession of several credentials obtained under different pseudonyms is only possible when these credentials were indeed issued to the same user, i.e. different users cannot pool their credentials. Certain credential systems such as idemix[8] optionally allow for conditional anonymity: when possession of a credential is demonstrated, the parties can agree upon a trusted third party that will be able to reveal the user's pseudonym with the issuer of the credential, or even the user's identity. Idemix also allows a user to selectively reveal information about a credential's attributes, such as expiration dates, or to prove a property such as being of age.

[7] I.e. transferability of attributes of one pseudonym to another.
[8] idemix: http://www.zurich.ibm.com/security/idemix/ (current Feb 2004).

To be considered privacy-enhancing, an IMS needs to allow the user to choose his required and acceptable degree of pseudonymity while maintaining the conventional capabilities for identification, authentication, authorization, and non-repudiation. Depending on the situation, different properties are needed, and a PE-IMS should be flexible in adapting properties to situations. To maximize privacy, the default setting of a PE-IMS should be transaction pseudonyms, or role-relationship pseudonyms where linkability in the specific context is desired. The PE-IMS should support anonymous credentials.

2.2.2. History and context interpretation

In order to achieve a usable presentation of data flow to the user, meaningful history and context representations within the PE-IMS are needed. History information includes the extent, nature, and linkability of data released in the past. Context information may include additional information, e.g. specific tags to express when actions have to be linked or what properties a new pseudonym should have. Such information can be provided by communication partners, by third parties such as a privacy information service, or even by the Internet community. Automatic context detection to help the user in managing his identities[9] may be added to the communication protocol (integrated in an Identity Management Protocol Set). The latter would have to be standardized to be effective and should describe not only the context, but also requirements or degrees of freedom concerning pseudonym properties.
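The following Go program is an added example, not code from the paper or from any of the systems it cites. It realises the digital pseudonyms of Section 2.2.1 as Ed25519 key pairs: the public key is the pseudonym, a signature over a partner-chosen challenge is the proof of holdership, and the three pseudonym kinds (transaction, role-relationship, person) are policies for selecting which key to use in a context. It then replays a constructed set of disclosures under each policy and shows what an observer who pools the partners' records can link. The contexts, attribute names and the challenge string are assumptions for illustration; anonymous credentials (convertibility) are not implemented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Kind is the pseudonym type of Section 2.2.1: a person pseudonym spans all
// contexts, a role-relationship pseudonym is reused with one partner or role,
// a transaction pseudonym is used exactly once.
type Kind int

const (
	Person Kind = iota
	RoleRelationship
	Transaction
)

// Pseudonym is a digital pseudonym realised as an Ed25519 key pair: the public
// key is the pseudonym, the private key lets only the holder prove holdership.
type Pseudonym struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newPseudonym() *Pseudonym {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy: nothing sensible left to do in a demo
	}
	return &Pseudonym{pub: pub, priv: priv}
}

// ID is the pseudonym as a communication partner sees it.
func (p *Pseudonym) ID() string { return hex.EncodeToString(p.pub) }

// ProveHoldership signs a partner-chosen challenge; the partner learns nothing
// beyond "the signer controls the key behind this pseudonym".
func (p *Pseudonym) ProveHoldership(challenge []byte) []byte {
	return ed25519.Sign(p.priv, challenge)
}

// VerifyHoldership is the partner's check against the pseudonym it received.
func VerifyHoldership(id string, challenge, sig []byte) bool {
	pub, err := hex.DecodeString(id)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), challenge, sig)
}

// IMA is the user-side pseudonym store of an Identity Management Application.
type IMA struct {
	person *Pseudonym
	roles  map[string]*Pseudonym // context (partner or role) -> reused pseudonym
}

func NewIMA() *IMA { return &IMA{roles: map[string]*Pseudonym{}} }

// Select hands out the pseudonym for a context under the given policy: a fresh
// key per transaction, one reused key per context, or the single long-term key.
func (m *IMA) Select(kind Kind, ctx string) *Pseudonym {
	switch kind {
	case Transaction:
		return newPseudonym()
	case RoleRelationship:
		if _, ok := m.roles[ctx]; !ok {
			m.roles[ctx] = newPseudonym()
		}
		return m.roles[ctx]
	default:
		if m.person == nil {
			m.person = newPseudonym()
		}
		return m.person
	}
}

// Observation is one partner's record: pseudonym, context, disclosed attribute.
type Observation struct {
	PseudonymID, Context, Attribute string
}

// Disclosures replays a user's activities (constructed sample data) under one
// pseudonym policy and returns what the partners observed.
func Disclosures(kind Kind) []Observation {
	user := NewIMA()
	steps := []struct{ ctx, attr string }{
		{"webshop", "delivery address"},
		{"forum", "nickname"},
		{"webshop", "item bought"},
		{"tax office", "civil name"},
	}
	var obs []Observation
	for _, s := range steps {
		obs = append(obs, Observation{user.Select(kind, s.ctx).ID(), s.ctx, s.attr})
	}
	return obs
}

// LinkedProfiles is the view of an observer who pools the partners' records:
// everything disclosed under the same pseudonym is linkable.
func LinkedProfiles(obs []Observation) map[string][]string {
	profiles := map[string][]string{}
	for _, o := range obs {
		profiles[o.PseudonymID] = append(profiles[o.PseudonymID], o.Context+": "+o.Attribute)
	}
	return profiles
}

// LargestProfile is the most data the observer can tie to a single pseudonym.
func LargestProfile(obs []Observation) int {
	largest := 0
	for _, items := range LinkedProfiles(obs) {
		if len(items) > largest {
			largest = len(items)
		}
	}
	return largest
}

func main() {
	for _, k := range []Kind{Person, RoleRelationship, Transaction} {
		obs := Disclosures(k)
		fmt.Printf("policy %d: %d unlinkable profiles, largest holds %d items\n",
			k, len(LinkedProfiles(obs)), LargestProfile(obs))
	}
	p := NewIMA().Select(RoleRelationship, "webshop")
	challenge := []byte("nonce chosen by the webshop") // constructed
	fmt.Println("holdership verified:", VerifyHoldership(p.ID(), challenge, p.ProveHoldership(challenge)))
}
```

With the person pseudonym all four disclosures collapse into one profile; with role-relationship pseudonyms only the two webshop disclosures are linked; with transaction pseudonyms every disclosure stands alone. The holdership check is what Section 4 calls running an identification protocol over an already established channel: the challenge must be fresh per run, otherwise a replayed signature would let anyone impersonate the holder.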

[9] E.g. by interpretation of hints which are related to known contexts or situations, or by interpretation of specific tags expressing when actions have to be linked or what properties a new pseudonym should have.

2.3. Support by other parties

Purely unilateral IMS solutions are limited to managing identities on the user's side, effectively forcing users to make assumptions about the situational context and the rule set applied to it.[10] These unilateral solutions offer neither third-party certification of pseudonyms nor other services to separate knowledge and power. A pervasive Privacy-Enhancing IMS will rely on support from application providers (e.g. content providers, web shops) and various third-party services [Clauß/Köhntopp 2001] in addition to client-side tools.

[10] This is also experienced by [Jendricke/Kreutzer/Zugenmaier 2002] in the ATUS (A Toolkit for Usable Security) project, which provides mainly unilateral PE-IMS functionality: http://www.iig.uni-freiburg.de/telematik/forschung/projekte/kom_technik/atus/ (current Feb 2004).

2.3.1. Identity management and communication partner support

Users and service providers can negotiate the data processing practice that should apply to transmitted data. As a prerequisite, communication partners will strive for maximum transparency in expressing their privacy policies, especially how they will process the user's data, to whom they will disclose them, for what purposes, and what lifetime the data will have. In particular, the requirements on pseudonyms demanded by the application should be clear to both parties. Ideally, a standardized mechanism embedded in the communication protocol would inform a user's identity management device about the required pseudonym properties (possibly including third-party identity management services), the minimum lifetime of the pseudonym (e.g. by notifying the beginning and end of a transaction), and the effects of re-using pseudonyms versus creating new ones.

Privacy control functionality can supplement the PE-IMS by giving each user information about his stored personal data (i.e. his personal data given to others), allowing him access to these data, and giving him the means to manage them, i.e. to correct or remove them, or to grant or revoke consent, everything built into the application and thereby directly supported by the system [Enzmann/Schulze 2001]. This functionality could thus implement legal privacy rights by overcoming the inhibition of having to resort to offline methods to assert one's rights. Direct access to the servers' databases of course normally requires modifications to their software and must not lower the security level previously achieved.

2.3.2. Identity management and third-party support

Third parties will offer various services in an infrastructure supporting PE-IMS, either in support of basic or extended functionality or for convenience.

- Infrastructure security and resilience: The communication infrastructure operated by service providers needs to support basic security and privacy as well as robustness. It should be possible for users to enforce their trust preferences, e.g. by demanding always-encrypted communication lines.
- Certification services: Third parties can provide the certification services needed for secure authentication. They may support various degrees of data minimization, e.g. by allowing pseudonymous but accountable authentication.
- Mediator services: Trustees may offer different mediator services. Identity brokers, for instance, reveal the identity of a pseudonym holder under specific circumstances. Liability services clear a debt or settle a claim on behalf of the pseudonym holder. A value broker may perform the exchange of goods without revealing additional personal data.
- Separation of knowledge: Unlinkability of the "who" (buys) and the "what" (is bought) in a partially online purchase may be achieved by applying separation of knowledge between payment and delivery services, i.e. neither the party handling payment nor the party handling delivery has the full details of the user.
- Reference information: A privacy information service can give input on privacy-relevant data, such as security and privacy risks with respect to the IMA deployed, which may influence the behavior of the system. Thereby the user is supported in appropriately estimating privacy risks. For instance, users could get information on the linkability of personally related data and public registers, which enables them to approximately reproduce the knowledge of an observer. Furthermore, privacy tools and configuration recommendations could be provided.

Instead of centrally organized service providers, a community might offer such privacy information services in a peer-to-peer manner: users may prefer to integrate preference configurations or rules from other sources, e.g. other users with similar interests or third parties, which may provide specific, e.g. privacy-checked, files.

3. Existing Identity Management Systems

A wide range of systems on the market address different aspects of identity management. There are two main, overlapping operational areas of IMS:

1. Access management. IMA which support access management deal mainly with authentication, authorization, and accounting (AAA), i.e. controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. Many IMA only support partial functionality, e.g. password and account management or single sign-on. Examples of access management solutions are Microsoft .NET Passport[11] and the Liberty Alliance Project.[12] Additionally, the use of digital signatures can be supported by access management. Reachability management is another example in this category: the IMA simplifies communication between users by managing addresses and allowing a direct connection to a communication partner. An example of a reachability solution is the Reachability Manager [Damker/Pordesch/Reichenbach 1999].

2. Pseudonym management. The primary goal of pseudonym management is keeping separate different partial identities, denoted by pseudonyms. E-mail clients such as Microsoft Outlook Express[13] or web-based mail services support the use of various pseudonyms in e-mail addresses and signatures. Not only the pseudonyms themselves, but also different sets of personal data bound to pseudonyms can be managed (e.g. when filling in forms[14]). Examples of form-filling solutions are browsers like Mozilla[15] or Microsoft Internet Explorer and the local proxy CookieCooker.[16] Another important feature which can be offered by IMA is reputation management.

[11] Microsoft .NET Passport: http://passport.com/ (current Feb 2004); see also the relevant section in [Art. 29 DPWP 2003].
[12] Liberty Alliance: http://projectliberty.com/ (current Feb 2004); see also [Pfitzmann 2003].
[13] Microsoft Outlook Express: http://www.microsoft.com/outlook/
[14] Note that browser-based form fill-in solutions normally comprise password management for web sites, as the passwords can be seen as strings which have to be filled in.
[15] Mozilla Foundation: http://mozilla.org/ (current Feb 2004)
[16] CookieCooker: http://cookiecooker.de/ (current Feb 2004)

The study "Identity Management Systems (IMS): Identification and Comparison" [ICPP/SNG 2003] analyzes some typical commercially available IMA.[17] Evaluating these IMA against the PE-IMS design goals introduced in Section 2.1, the study points out that user-controlled linkage of personal data is not realized. In particular, most IMA do not support the user well in data minimization: users are easily unaware of which data are disclosed during a transaction, and different degrees of data minimization are not offered within the IMA. Furthermore, most IMA have deficiencies in security and privacy functionality and therefore do not provide appropriate possibilities for do-it-yourself data protection. Insufficient usability prevents users from making effective use of the security and privacy functionality that is offered.

[17] [ICPP/SNG 2003] gives further results which are not directly related to PE-IMS, e.g. no support of digital evidence by IMA, no comprehensive and standardized solutions, no effective measures against identity theft. IMS are still regarded as a playground for users and service providers rather than as really professional solutions.

Additionally, many commercially available IMS prefer a centralized identity model, i.e. a single IMS provider manages the users' identities on their behalf, as implemented in Microsoft .NET Passport. These solutions are easier to maintain and mean less effort in user support. However, they concentrate the personal data of their users, i.e. both content and data trails, which inherently increases the security risk on the provider side. Not only does the user need to trust a centralized IMS provider not to misuse personal data; such providers are also attractive targets for attackers and may serve as convenient databases for other interested parties, for example governmental authorities or secret services extending the purpose of the stored personal data. Other IMS use the federated identity approach, i.e. there is no single IMS provider. This model fits the PE-IMS paradigm better, as centralized identity management is not easily reconcilable with the principles of unlinkability and multilateral security (see Section 2.1.2). The Liberty Alliance propagates federated identities with different circles of trust involving multiple IMS providers [Pfitzmann 2003]. Another possibility for federated identity management is full user-side identity administration, which gives users control but also places bigger (and potentially unsatisfiable) responsibilities on them, including taking appropriate measures to secure the data sufficiently.

Until now, no fully functional PE-IMS has been made commercially available. Those IMS which are available today do not implement the security and privacy requirements imperative to achieving privacy-enhancing functionality, e.g. no encrypted storage and transfer of personal data by default, no support for data minimization, only limited control by the user. A comprehensive compilation, listing achievements and gaps of well-known systems, is available in the study "Identity Management Systems (IMS): Identification and Comparison" [ICPP/SNG 2003].

Figure 1. Proposed high-level component architecture for an IMA.

4. Architecture of a PrivacyEnhancing Identity Management System


We describe the components of a proposed privacy and identity management architecture (Figure 1). This architecture is conceptually identical for both client and server side; although its various components might have different levels of complexity and independent types of implementation for the two sides. In particular for the users side, they may depend on the devices they run on. 42

The communication component of the Identity Management Application provides secure end-to-end communication. By default, communication will be anonymous, at least for the initiator of the communication. Communication needs to provide confidentiality, e.g. messages sent over the channel get encrypted; if a level of identification and/or authentication of one or both parties is needed, it can be done later, e.g. by running an identification protocol over the established channel. The functional group of components consists of Session Control, Identity Control System, and Monitor. The Session Control component ensures that different parts of the IMA can use the same communication session by providing and managing session identifiers. This allows for the gradual establishment, where required, of different attributes (e.g. name, address, age, place of birth, skills, etc.) of the communication partners in the course of a transaction.

Information Security Technical Report. Vol. 9, No. 1

Marit Hansen et al Privacy-Enhancing Identity Management

The collection of such attributes about the communication partner, providing (certified) attributes about the user of the system, as well as making statements about other parties is handled by the Identity Control System component. For this the component draws on various credential components providing the necessary functionality. Such components can for instance provide the mechanisms for an anonymous credential system as described in Section 2.2.1, provide an interface to systems using SAML (Security Assertion Mark-up Language), or provide the functionality to query third parties for information about a communication partner. The process of collecting, providing and stating attributes is governed by policies. A specific engine that is provided by the Policy Evaluation component evaluates these policies; the policies themselves are stored in the Policy component (see below).

Storage of all policies is handled by the Policy component, storage of logs such as transaction logs or access to data by the Log component, and storage of all other data by the Data component. Access to data retained by these components is controlled by the Monitor component which, in order to decide whether or not to allow access, draws on the Policy component for storing and retrieving policies (this is a special case of a database) and the Policy Evaluation component for evaluating them. There is of course also a component to administrate the policies (Policy Admin).

On the user's side there will be a PIM (Privacy and Identity Management) Console component on top of the Identity Control System component that allows the users to control the flow of information about them, i.e. to manage their identities. This will easily be the component posing the biggest challenge to develop, because it must be intuitive and easy to use on the one hand, while giving the user extensive control on the other hand. Finally, various supplemental services are represented by the Application component. These applications also include trusted third party services such as identity brokers or law enforcement interfaces.
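The following Python model is an added illustration of the data-flow control just described (Session Control issuing session identifiers, the Monitor deciding each release with the help of Policy Evaluation against the Policy component, every decision written to the Log component, and the partial identity towards one partner growing gradually within a session). It is not code from the paper or from any project it mentions; the component names follow Figure 1, while the policy format, the partner labels and the sample attributes are assumptions made here for the example.

```python
"""Toy PE-IMS data-flow control (added example; not the paper's or PRIME's code).

Component names follow Figure 1 of the paper. The policy format, the
partner/purpose labels and the sample personal data are constructed here.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    """User-authored release rule: this partner may obtain these attributes for this purpose."""
    partner: str
    purpose: str
    attributes: frozenset[str]


class PolicyStore:
    """Policy component: stores and retrieves all release policies."""

    def __init__(self) -> None:
        self._policies: list[Policy] = []

    def add(self, policy: Policy) -> None:
        self._policies.append(policy)

    def applicable(self, partner: str, purpose: str) -> list[Policy]:
        return [p for p in self._policies if p.partner == partner and p.purpose == purpose]


class PolicyEvaluation:
    """Policy Evaluation component: decides whether one attribute may be released."""

    @staticmethod
    def permits(policies: list[Policy], attribute: str) -> bool:
        return any(attribute in p.attributes for p in policies)


class Log:
    """Log component: transaction log of every access decision, granted or not."""

    def __init__(self) -> None:
        self.entries: list[tuple[str, str, str, str]] = []

    def record(self, session_id: str, partner: str, attribute: str, decision: str) -> None:
        self.entries.append((session_id, partner, attribute, decision))


@dataclass
class Session:
    partner: str
    purpose: str
    disclosed: dict[str, object] = field(default_factory=dict)  # partial identity built so far


class SessionControl:
    """Session Control component: hands out session identifiers shared by all IMA parts."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def open(self, partner: str, purpose: str) -> str:
        # A fresh random identifier: the session starts with nothing disclosed (anonymous by default).
        session_id = secrets.token_hex(8)
        self._sessions[session_id] = Session(partner, purpose)
        return session_id

    def get(self, session_id: str) -> Session:
        return self._sessions[session_id]


class Monitor:
    """Monitor component: the only path through which data leaves the Data component."""

    def __init__(self, data: dict[str, object], policies: PolicyStore,
                 log: Log, sessions: SessionControl) -> None:
        self._data = data            # Data component (the user's stored attributes)
        self._policies = policies
        self._log = log
        self._sessions = sessions

    def request(self, session_id: str, attribute: str) -> object | None:
        """Release one attribute into the session if a stored policy permits it; log either way."""
        session = self._sessions.get(session_id)
        rules = self._policies.applicable(session.partner, session.purpose)
        if attribute in self._data and PolicyEvaluation.permits(rules, attribute):
            value = self._data[attribute]
            session.disclosed[attribute] = value   # gradual establishment of the partial identity
            self._log.record(session_id, session.partner, attribute, "released")
            return value
        self._log.record(session_id, session.partner, attribute, "denied")
        return None


def demo() -> tuple[list[object | None], dict[str, object], list[str]]:
    """Constructed scenario: a bookshop may learn name and address, not age."""
    data = {"name": "Alice Example", "age": 34, "address": "1 Sample Street"}  # constructed
    policies = PolicyStore()
    policies.add(Policy("bookshop.example", "purchase", frozenset({"name", "address"})))
    policies.add(Policy("agecheck.example", "age-verification", frozenset({"age"})))
    log = Log()
    sessions = SessionControl()
    monitor = Monitor(data, policies, log, sessions)

    sid = sessions.open("bookshop.example", "purchase")
    released = [monitor.request(sid, a) for a in ("name", "age", "address")]
    return released, dict(sessions.get(sid).disclosed), [e[3] for e in log.entries]


if __name__ == "__main__":
    print(demo())
```

The point of the model is the default: nothing is released until a policy stored by the user permits it for that partner and purpose, and denied requests leave a log entry without leaking the value, so the user can later review which partner asked for what.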

5. Conclusions and outlook


Technical trends such as the expected proliferation of ubiquitous computing call for adequate privacy protection. Privacy risks based on unconscious disclosure of information combined with an increased level of surveillance, biometric recognition and universal identifiers need to be balanced in order to preserve the level of privacy commensurate to social privacy expectations and values. The legal requirement for law enforcement will be reconciled with the legal requirement for privacy.

Role management will become more important and probably more explicit in the near future. Trends in the working environment, such as remote working, and the increased availability of services of all kinds through the Internet, such as e-commerce, e-health, and e-government services, call for the ability to manage and quickly switch between roles. Technical support for meeting these privacy challenges will come from IMS, more specifically user-controlled and thereby Privacy-Enhancing IMS. Technology for PE-IMS is readily available in the form of software standards, libraries and implementations, and its effectiveness has been demonstrated. Their practical application will become a competitive advantage in meeting the anticipated demand for privacy-enhancing solutions.

Therefore, Privacy and Identity Management is a key objective of the Information Society Technologies (IST) priority within the EU's Sixth Framework Programme. Starting in spring 2004, the project Privacy and Identity Management for Europe (PRIME)18 will be funded by this programme. Its goal is to develop PE-IMS, while adhering to legal, socio-economic, usability, and application requirements. PRIME's research areas comprise human-computer interfaces, ontologies, authorization, cryptology, assurance, and architectures. The project will also build application prototypes to demonstrate how PE-IMS can be used in applications.

As we have demonstrated, PE-IMS enable people to assert their privacy rights in the online world. In the course of the next few years IMS will become widespread. If they do not provide privacy-enhancing functionalities such as the ones we described, society will lose today's concept of privacy.

6. References

[Art. 29 DPWP 2003] Article 29 Data Protection Working Party: Working Document on On-line Authentication Services, WP 68, 10054/03/EN, adopted on 29 January 2003, http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2003/wp68_en.pdf (current Feb 2004).
[Chaum 1985] D. Chaum: Security Without Identification: Transaction Systems to Make Big Brother Obsolete, Communications of the ACM, vol. 28 no. 10, Oct. 1985, pp. 1030-1044, http://chaum.com/articles/Security_Wthout_Identification.htm (current Feb. 2004).
[Clauß/Köhntopp 2001] S. Clauß and M. Köhntopp: Identity Management and Its Support of Multilateral Security, Computer Networks, vol. 37 (2001), Special Issue on Electronic Business Systems, Elsevier, North-Holland, 2001, pp. 205-219.
[Clauß et al. 2002] S. Clauß, A. Pfitzmann, M. Hansen, and E. Van Herreweghen: Privacy-Enhancing Identity Management, IPTS Report, vol. 67, JRC Seville, Spain, Sept. 2002, pp. 8-16, http://www.jrc.es/pages/iptsreport/vol67/english/IPT2E676.html (current Feb 2004).
[Damker/Pordesch/Reichenbach 1999] H. Damker, U. Pordesch, and M. Reichenbach: Personal Reachability and Security Management - Negotiation of Multilateral Security, in: G. Müller and K. Rannenberg, eds.: Multilateral Security in Communications, vol. 3: Technology, Infrastructure, Economy, Addison-Wesley, München, 1999, pp. 95-111.
[Enzmann/Schulze 2001] M. Enzmann and G. Schulze: DASIT: Privacy Protection in the Internet by User Control, Electronic Payment Systems Observatory (ePSO) Newsletter, vol. 9, Sept. 2001, http://epso.jrc.es/newsletter/vol09/4.html (current Feb 2004).
[ICPP/SNG 2003] Independent Centre for Privacy Protection (ICPP) Schleswig-Holstein and Studio Notarile Genghini (SNG): Identity Management Systems (IMS): Identification and Comparison, study prepared under contract for Institute for Prospective Technological Studies, Joint Research Centre Seville, Spain, Sept 2003.
[Jendricke/Kreutzer/Zugenmaier 2002] U. Jendricke, M. Kreutzer, and A. Zugenmaier: Mobile Identity Management, Technical Report 178, Institut für Informatik, Universität Freiburg, Oct. 2002, Workshop on Security in Ubiquitous Computing (UBICOMP 2002), ftp://ftp.informatik.uni-freiburg.de/documents/reports/report178/report00178.ps.gz (current Feb 2004).
[Pfitzmann/Köhntopp 2001] A. Pfitzmann and M. Köhntopp: Anonymity, Unobservability, and Pseudonymity - A Proposal for Terminology, Draft v0.14, 2003-05-27, http://freehaven.net/anonbib/papers/Anon_Terminology_v0.14.pdf (current Feb. 2004) (v0.8 in: H. Federrath, ed., Designing Privacy Enhancing Technologies, Proc. Workshop on Design Issues in Anonymity and Unobservability, LNCS 2009, 2001, pp. 1-9).
[Pfitzmann 2003] B. Pfitzmann: Privacy in Enterprise Identity Federation, Policies for Liberty Single Signon, in: R. Dingledine, ed., Privacy Enhancing Technologies, Proc. Third International Workshop, PET 2003, Dresden, Germany, Mar. 26-28, 2003, pp. 189-204.
[Rannenberg/Pfitzmann/Müller 1999] K. Rannenberg, A. Pfitzmann and G. Müller: IT Security and Multilateral Security, in: G. Müller and K. Rannenberg, eds.: Multilateral Security in Communications, vol. 3: Technology, Infrastructure, Economy, Addison-Wesley, München, 1999, pp. 21-29.
[Westin 1967] A.F. Westin: Privacy and Freedom, Atheneum, New York, 1967.

18 http://www.prime-project.eu.org (current Feb. 2004)


