Towards an Accountable Web of Personal Information: The Web-of-Receipts

Jesus, Vitor

doi:10.1109/access.2020.2970270

Cited by 12 publications

(13 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this, we advance the state of the art, as outlined in Section.III-C, by further providing a detailed analysis of requirements across disciplines and creating a concrete proposal for the socio-technical utilisation of consent receipts on the web. In addition to addressing the challenges identified in [17], we also demonstrate the relevance and applicability of legal and standardisation efforts (see Section.III) and its implications for consent and consent receipts. Finally, the three real-world applications of consent receipt validate their usefulness as -(1) a powerful tool for legal compliance as well as user empowerment; and (2) a technically and practically feasible solution for users and user-agents.…”

Section: Introductionmentioning

confidence: 89%

“…A receipt, if designed as a secure bearer token [17], provides a straightforward solution for both the service provider and the user to communicate and interact in a truly anonymous, but verifiable and secure, fashion. It decouples the identification and authentication problems from reusing sensitive identity information (such as ID cards) and instead provides a solution scoped to the context whereby the parties involved can determine their own methods for identity and identification.…”

Section: ) Receipts Decouple Identity From Authenticationmentioning

confidence: 99%

“…Only by trusting the service records (the very ones in doubt and under investigation) can one know which privacy notice applied for a particular user at a particular moment in time. Receipts simplify this problem by explicitly requiring a link to the specific version of notice applicable at the time of consent interaction [17].…”

Section: A Legal Requirementsmentioning

confidence: 99%

See 2 more Smart Citations

Consent Receipts for a Usable and Auditable Web of Personal Data

Jesus

Pandit

2022

IEEE Access

Self Cite

View full text Add to dashboard Cite

Consenting on the Web, in the context of online privacy and data protection, is universally accepted as a difficult problem, mainly because of its cross-disciplinarity. For example, any approach to online Consenting needs to meet usability, legal, regulatory, technical, and business requirements. To date, effort has been predominantly focused on meeting compliance with regulations and automation, and less on the true re-empowerment of users with respect to their personal data. One approach that has not seen sufficient research is the use of 'Consent Receipts', which offer a new paradigm of recording interactions concerning consent and using them as proofs in future actions, similar to familiar use of a common shopping receipt. In addition to being a record, receipts encourage accountability in how technology handles consent and is beneficial for all involved stakeholders. For organisations, it assists with legal requirements for demonstration of valid consent, while for users it provides transparency and accountability by being a proof to be used against malpractices related to consent. Receipts also have uses in addition to those related to consent, such as for authorising the holder in exercising related rights. This paper analyses the requirements, uses, and benefits offered by Consent Receipts with an extensive and broad literature review. Since receipts are a novel concept, we identify properties and requirements, and then new mechanisms necessary for the Web to support receipts. We then demonstrate feasibility of receipts through proof-of-concepts in three common real-world use-cases: (a) acceptance of a privacy policy and its subsequent changes; (b) choices expressed via consent dialogues or cookie banners; and (c) verbal interactions with Amazon Alexa.

show abstract

Section: Introductionmentioning

confidence: 89%

Section: ) Receipts Decouple Identity From Authenticationmentioning

confidence: 99%

See 1 more Smart Citation

Consent Receipts for a Usable and Auditable Web of Personal Data

Jesus

Pandit

2022

IEEE Access

Self Cite

View full text Add to dashboard Cite

show abstract

“…Among many other use cases such as financial platforms [15], online voting or even digital identity, Agarwal et al [1] tries adapting blockchain for CMS. The idea is not new and was introduced before the [41,9,40,21,7]. However, Agarwal et al focus is implementing a scalable system.…”

Section: Related Workmentioning

confidence: 99%

Cloud Solutions for Private Permissionless Blockchain Deployment

Grodzicka

Kędziora

Madeyski

2021

cai

View full text Add to dashboard Cite

This paper aims to survey the security and scalability problems occurring in private permissionless blockchain systems and solutions to them. The emphasis is put on the blockchain systems hosted by cloud vendors in the form of Blockchain-as-a-Service (BaaS). The currently available solutions offered by the most appreciated cloud providers are reviewed. The most promising services are tested for the real deployment of the consent management system (CMS). Implementing the CMS atop BaaS leads to creating Consent-as-a-Service (CaaS). Through experiments, the proposed system's replication ability and its scalability are examined, along with assessing the feasibility of the consent management system development in the provided cloud environment.

show abstract

“…Furthermore, since tokens can be revoked at any time with immediate effect, it promotes compliance with virtually all regulations. Thirdly, we reuse the notion of Personal Data Receipt from the Data Protection communities [17]. BRUE provides acknowledgement Receipts for all operations of the involved entities.…”

Section: B Contribution Of This Papermentioning

confidence: 99%

User-Controlled, Auditable, Cross-Jurisdiction Sharing of Healthcare Data Mediated by a Public Blockchain

Zhou

Jesus

Wang

et al. 2020

2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)

Self Cite

View full text Add to dashboard Cite

We tackle the problem of sharing eHealth data across different jurisdictions. As a general rule, and due to the sensitive nature of the information, different national regulations impose severe limits on what can be exchanged, even in case of emergencies. Furthermore, different systems in different jurisdictions do not communicate. We propose BRUE as a scheme that allows eHealth data to be securely exchanged, with the data subject always in the position of mediation. We combine several technologies, namely, Blockchain, OAuth and User-Managed Access, and concept Receipts, to achieve our aim.Index Terms-eHealth data exchange, blockchain, smartcontracts, distribute, cross-jurisdiction mediates all steps and is, effectively, the (cryptographically) trusted communication channel between all the parties. Second, we combine a set of technologies and standards, each addressing a particular requirement. For authorisation and managing access to the records, we use and extend OAuth'sbased User-Managed Access (UMA) [1]. For a trusted and confidential communication channel, distributed discoverability and overall accountability, we use a public blockchain able to run smart-contracts. To handle the requirement of demonstration of valid consent, we use Kantara's Consent Receipts [2]. This combination of technologies motivates the name of our scheme: Blockchain, Receipts and UMA for eHealth data exchange (BRUE).To illustrate the problem, we informally analyse a simple working scenario of international eHealth data exchange.Alice (A) has had heart trouble since she was born in France. She has registered a GP (F GP ) in her original city. Then she moved to the UK after 10 years. When she was 20 years old and travelled to Canada, she fell sick and visited a GP (CGP ) to get e temporary treatment in Canada. After that trip, she returned to the UK and visited her British doctor (BGP , where GP stands for "General Practitioner"). She would like to share the British GP with her previous medical data which is stored respectively in Canada and France. However, she doesn't want to simply give British GP her personal credential but would rather authorize British GP which could gain access using GP's credential.In the scenario, there are four entities: the data subject A, a requesting party BGP , and data controllers which are healthcare service providers F GP and CGP . To note that A, BGP , CGP , and F GP , are independent parties located in different jurisdictions. Some of them are not known to the others; their only point of contact is their relationship with A, the patient and data subject. Furthermore, we assume, as is overwhelmingly the case, that there is no global system in place that allows all parties to directly communicate, find each other, or self-certify. In other words, BGP needs to access A's medical data from F GP and CGP but F GP and CGP do not recognise BGP so A needs to intermediate the request and grant access.

show abstract

Towards an Accountable Web of Personal Information: The Web-of-Receipts

Cited by 12 publications

References 37 publications

Consent Receipts for a Usable and Auditable Web of Personal Data

Consent Receipts for a Usable and Auditable Web of Personal Data

Cloud Solutions for Private Permissionless Blockchain Deployment

User-Controlled, Auditable, Cross-Jurisdiction Sharing of Healthcare Data Mediated by a Public Blockchain

Contact Info

Product

Resources

About