Incorporating privacy requirements into the system design process: The PriS conceptual framework


PriS Methodology: Incorporating Privacy Requirements into the System Design Process

Christos Kalloniatis¹, Evangelia Kavakli¹, Stefanos Gritzalis²

¹ Cultural Informatics Laboratory, Department of Cultural Technology and Communication, University of the Aegean, Harilaou Trikoupi & Faonos Str., 81100 Mytilene, Greece
² Information and Communication Systems Security Laboratory, Department of Information and Communications Systems Engineering, University of the Aegean, 83200 Samos, Greece
{ch.kalloniatis, kavakli}@ct.aegean.gr, [email protected]

Abstract

In the global information society, avoiding privacy violation is becoming an increasingly critical issue. Related literature includes a number of Privacy Enhancing Technologies, such as the Anonymizer, Crowds, Onion Routing, Tor, GAP, Hordes, DC-Nets and Mix-Nets, for ensuring system privacy. However, each of the above technologies focuses on specific issues without providing an integrated solution for meeting all four basic privacy requirements (i.e., anonymity, pseudonymity, unlinkability, and unobservability). Current research in the area of security requirements engineering advocates that privacy requirements should be considered earlier in the system development process, at the design rather than the implementation level. In this paper, we propose a new methodology, called PriS, which aims to incorporate privacy requirements into the system design process, adopting a goal-oriented approach. Each privacy requirement is treated as a separate “goal” to be met during the system design process; goals are collaboratively realised by processes, which in turn are supported by IT systems. In this way, tracing between high-level organisational objectives and detailed support mechanisms is achieved. We argue that PriS provides a solution that overcomes some of the limitations of existing approaches.

1. Introduction

The Internet, as the contemporary data highway on which the global information society is built, is known for many security risks. The rapid development of new information infrastructures increases our dependence on the Internet and might lead to a vulnerable information society based on insecure technologies. In this way, individual privacy is seriously endangered and is becoming an international problem. Indeed, more and more personally identifiable information is electronically transmitted and disseminated over insecure networks and processed by websites and databases which lack proper privacy protection mechanisms and tools.

Therefore, the need for a methodology that considers and safeguards the privacy requirements (i.e., anonymity, pseudonymity, unlinkability, and unobservability) is immense. To this end, many countries have developed a privacy legislation framework, which only solves some legal aspects of privacy within the country’s borders. An international harmonisation of privacy legislation is needed but is hardly achievable due to cultural differences. From a software systems perspective, a number of security-oriented technologies and architectures have been proposed in the literature. Despite the fact that these architectures are more privacy-oriented than security-oriented, they focus only on specific issues without providing an integrated solution for meeting all four basic privacy requirements. Furthermore, recent research supports the need for considering privacy requirements earlier in the system development process, at the design rather than the implementation level [2]. This paper presents a new methodology, called PriS (Privacy Safeguard), for incorporating basic privacy requirements into the system design process. PriS provides a set of concepts for modelling privacy requirements in terms of organisational goals during the system design process. In addition, it describes a systematic way of working for analysing the impact of privacy goals on the organisational processes and the associated software systems supporting these processes. PriS concepts are based on the Enterprise Knowledge Development framework described in [3, 4]. The PriS methodology has a high degree of applicability to systems that wish to provide services to their users based on the four privacy requirements mentioned above, such as anonymous browsing, untraceable transactions, etc. The paper is structured as follows. Section 2 defines the basic privacy requirements. Section 3 describes the privacy-enhancing technologies developed for addressing these requirements. The PriS methodology is presented in section 4. In section 5 an e-voting project is presented in order to demonstrate the underlying methodology. Section 6 provides a discussion on related research approaches in the area of software requirements engineering and privacy. Finally, section 7 presents conclusions and future work.

3rd Symposium on Requirements Engineering for Information Security (SREIS 2005), in conjunction with RE 05 - 13th IEEE International Requirements Engineering Conference, Paris, France, August 29, 2005

2. Defining Privacy

Review of current research in the area of user privacy highlights the path for user privacy protection in terms of four privacy requirements, namely anonymity, pseudonymity, unlinkability and unobservability [1,5]. By addressing these requirements one aims to minimize or eliminate the collection of user-identifiable data. In more detail, J. C. Cannon in [5] expresses anonymity as the state of being anonymous or virtually invisible; having the ability to operate online without being tracked. S. Fischer-Hübner in [1] presents anonymity as the ability of a user to use a resource or service without disclosing his/her identity. A formal definition for anonymity is given by A. Pfitzmann in [7]. Let $R_U$ denote the event that an entity $U$ (e.g. a user) performs a role $R$ during an event $E$. Let $A$ denote an attacker and $NC_A$ the set of entities that are not cooperating with $A$. An entity $U$ is called anonymous in role $R$ for an event $E$ against an attacker $A$ if for each observation $B$ that $A$ can make the following relation holds:

$$\forall U' \in NC_A : \; 0 < P(R_{U'} \mid B) < 1 \qquad (1)$$

Summarising the above definitions, anonymity serves the great purpose of hiding personally identifiable information when there is no need to reveal it. Browsing the Internet only for collecting information is one of many cases in which anonymity plays a significant role and must be attained. Pseudonymity is the user’s ability to use a resource or service by acting under one or many pseudonyms, thus hiding his/her real identity. However, under certain circumstances the possibility of translating pseudonyms to real identities exists. Pseudonyms are aliases for a user’s real identity. Users are allowed to operate under different aliases. Nevertheless, revelation of the user’s real identity occurs when acting unlawfully. Pseudonymity has characteristics similar to anonymity in that the user is not identifiable but can be tracked through the aliases he/she uses [5]. Pseudonymity is used for protecting the user’s identity in cases where anonymity cannot be provided (e.g. if the user has to be held accountable for his/her activities [1]). The third privacy principle is unlinkability. As J. C. Cannon states in [5], unlinkability expresses the inability to link related information. In particular, unlinkability is successfully achieved when an attacker is unable to link specific information with the user that processes that information. Also, unlinkability can be successfully achieved between a sender and a recipient. In that case unlinkability means that though the sender and recipient can both be identified as participating in some communication, they cannot be identified as communicating with each other. A. Pfitzmann in [7] addresses unlinkability in the following formal way. Let $X_{E,F}$ denote the event that events $E$ and $F$ have a corresponding characteristic $X$. Two events $E$ and $F$ are unlinkable with regard to a characteristic $X$ for an attacker $A$ if, for each observation $B$ that $A$ can make, the probability that $E$ and $F$ correspond with regard to $X$ given $B$ is greater than zero and less than one:

$$0 < P(X_{E,F} \mid B) < 1 \qquad (2)$$

The ability to link transactions could give a stalker an idea of the user’s daily habits or an insurance company an idea of how much alcohol his/her family consumes over a month. Ensuring unlinkability is vital for protecting the user’s privacy. Finally, unobservability protects users from being observed or tracked while browsing the Internet or accessing a service. Unobservability is similar to unlinkability in the sense that the attacker aims to reveal users’ identifiable information by observing rather than linking the information he/she retrieves. In [7] a formal representation of unobservability is stated as follows. An event $E$ is unobservable for an attacker $A$ if for each observation $B$ that $A$ can make, the probability of $E$ given $B$ is greater than zero and less than one:

$$0 < P(E \mid B) < 1 \qquad (3)$$
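Conditions (1)-(3) share one shape: for every observation B available to the attacker, the conditional probability of the protected fact must stay strictly between 0 and 1. The following added example (not code from the paper) makes that check executable over small, constructed joint distributions of "world" and "observation": a direct connection versus a mix for anonymity (1), a persistent pseudonym versus unrelated per-message tags for unlinkability (2), and traffic with and without cover traffic for unobservability (3). All users, observations and probabilities here are assumed for illustration; NC_A is passed in as the list `nca`.

```python
from fractions import Fraction
from itertools import product


def conditional(joint, event, observation):
    """P(event | observation) over a joint distribution given as a list of
    (world, probability) pairs, where a world is a dict of random-variable
    values and event/observation are predicates on a world.
    Returns None when the observation itself has probability zero."""
    num = sum(p for w, p in joint if observation(w) and event(w))
    den = sum(p for w, p in joint if observation(w))
    return num / den if den else None


def uncertain_for_every_observation(joint, predicate, obs_key="obs"):
    """Shared shape of conditions (1)-(3): for every observation B the attacker
    can make, 0 < P(predicate | B) < 1, i.e. no observation settles the question."""
    for b in dict.fromkeys(w[obs_key] for w, _ in joint):
        p = conditional(joint, predicate, lambda w, b=b: w[obs_key] == b)
        if p is None or not 0 < p < 1:
            return False
    return True


def anonymous(joint, nca, role_key="sender"):
    """Condition (1): each non-cooperating entity U' in NC_A remains a possible
    but never certain holder of the role, whatever the attacker observes."""
    return all(uncertain_for_every_observation(joint, lambda w, u=u: w[role_key] == u)
               for u in nca)


def unlinkable(joint, link_key="linked"):
    """Condition (2): whether E and F share characteristic X stays uncertain."""
    return uncertain_for_every_observation(joint, lambda w: w[link_key])


def unobservable(joint, event_key="event"):
    """Condition (3): whether event E happened at all stays uncertain."""
    return uncertain_for_every_observation(joint, lambda w: w[event_key])


# ---- constructed toy scenarios (assumptions, not data from the paper) ------
USERS = ["u1", "u2", "u3"]
THIRD, HALF = Fraction(1, 3), Fraction(1, 2)

# Anonymity of the role "sender": every user is equally likely to be the sender.
# Direct connections: the attacker's observation B is the source address.
DIRECT = [({"sender": u, "obs": "src=" + u}, THIRD) for u in USERS]
# Through a mix: every message looks identical when it leaves the mix.
MIXED = [({"sender": u, "obs": "mix-output"}, THIRD) for u in USERS]

# Unlinkability of two messages E and F with characteristic X = "same sender";
# the two senders are drawn independently and uniformly (9 equiprobable worlds).
PERSISTENT_PSEUDONYM = [
    ({"linked": s1 == s2,
      "obs": "same-pseudonym" if s1 == s2 else "different-pseudonyms"}, THIRD * THIRD)
    for s1, s2 in product(USERS, USERS)]
FRESH_TAGS = [({"linked": s1 == s2, "obs": "unrelated-tags"}, THIRD * THIRD)
              for s1, s2 in product(USERS, USERS)]

# Unobservability of event E = "u1 sends something in this time slot".
NO_COVER_TRAFFIC = [({"event": True, "obs": "packet-seen"}, HALF),
                    ({"event": False, "obs": "silence"}, HALF)]
COVER_TRAFFIC = [({"event": True, "obs": "packet-seen"}, HALF),
                 ({"event": False, "obs": "packet-seen"}, HALF)]

if __name__ == "__main__":
    print("anonymous    direct / mixed      :", anonymous(DIRECT, USERS), anonymous(MIXED, USERS))
    print("unlinkable   persistent / fresh  :", unlinkable(PERSISTENT_PSEUDONYM), unlinkable(FRESH_TAGS))
    print("unobservable no-cover / cover    :", unobservable(NO_COVER_TRAFFIC), unobservable(COVER_TRAFFIC))
```

The checks are deliberately strict, as the definitions are: a single observation that pins the sender, the link or the event to probability 0 or 1 fails the whole property, which is why the direct-connection, persistent-pseudonym and no-cover-traffic scenarios all fail while their counterparts pass.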

3. Privacy Enhancing Technologies

Many architectures, tools and protocols have been designed for protecting users’ privacy. Specifically, Anonymizer, presented in [9], is a third-party web site which acts as a middle layer between the user and the site to be visited, providing user anonymity. Crowds is an agent also developed for protecting users’ anonymity. It is based on the idea that people can be anonymous when they blend into the crowd [11]. Onion Routing is a general-purpose infrastructure for private communications over a public network. It provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis [12,13]. DC-Net (Dining Cryptographers Network), proposed in [14,15], allows participants to send and receive messages anonymously in an arbitrary network. It can be used for providing perfect sender anonymity. Mix-Networks is another technique, introduced in [16] and further discussed in [17]. It realises unlinkability of sender and recipient as well as sender anonymity against the recipient and optionally recipient anonymity. Hordes is a protocol designed for utilising multicast communication for the reverse path of anonymous connections, achieving not only anonymity but also sender unlinkability and unobservability. A detailed description of Hordes is given in [18]. GAP (GNUnet’s Anonymity Protocol), presented in [19], is a recently presented protocol that achieves anonymous data transfers. However, GAP is customised to the functionality of a peer-to-peer network. Finally, Tor, presented in [20], is an architecture based on the Onion Routing architecture with an improved way of working. An extended comparison of these architectures can be found in [6].

4. The PriS Methodological Framework

4.1. PriS conceptual model

The previous sections provided an overview of the basic privacy requirements and the most common techniques that may be used in order to ensure these requirements. However, these techniques focus on the software implementation alone, irrespective of the organisational context in which the system will be incorporated. In other words, there is no obvious link between the enterprise processes that are constrained by the privacy requirements and the supporting software systems; an enterprise is defined as the organisation about which the proposed software system is to provide some service. This lack of knowledge makes it difficult to determine which software solution best fits the organisational needs or to evaluate alternatives. Understanding the relationship between the user needs in the organisational domain and the capabilities of the supporting software systems is of critical importance. To this end, this section introduces the PriS (Privacy Safeguard) methodology. PriS is a privacy requirements engineering methodology which provides a set of concepts for modelling privacy requirements in the organisational domain and a systematic way-of-working for translating these requirements into system models. The conceptual model used in PriS is based on the Enterprise Knowledge Development (EKD) framework [3, 4], which is a systematic approach to developing and documenting enterprise knowledge, helping enterprises to consciously develop schemes for implementing changes (e.g., the introduction of a new software system). Modelling of organisational knowledge in EKD is achieved through the modelling of: (a) organisational goals, that express the intentional objectives that control and govern its operation, (b) the ‘physical’ processes, that collaboratively operationalise organisational goals and (c) the software systems, that support the above processes. EKD adopts a goal-oriented approach to software engineering. For an overview of goal-oriented methodologies please refer to [37]. The EKD generic schema is shown in figure 1. As shown in figure 1, processes represent WHAT needs to be done, goals justify WHY the associated processes exist, while systems describe HOW processes can be implemented in terms of appropriate system architectures. In this way, a connection between system purpose and system structure is established. Based on this schema, PriS models privacy requirements as a special type of goal (privacy goals) which constrain the causal transformation of organisational goals into processes. From a methodological perspective, reasoning about privacy goals comprises the following activities: (a) elicit privacy-related goals, (b) analyse the impact of privacy goals on processes and (c) identify the technique(s) that best support/implement the above processes. The PriS way-of-working is described in the following section.

Figure 1. The EKD Schema.

4.2. Applying the PriS way-of-working

The first step concerns the elicitation of the privacy goals that are relevant to the specific organisation. This task usually involves a number of stakeholders and decision makers (managers, policy makers, system developers, system users, etc.). Therefore, elicitation of privacy goals is described by the following activities: perform stakeholder analysis and organise a stakeholder workshop; identify privacy issues; and agree on a structured set of privacy goals. Identifying privacy issues is guided by the four basic privacy concerns (anonymity, pseudonymity, unlinkability and unobservability) identified in section 2. The aim is to interpret the general privacy requirements with respect to the specific application context under consideration. The second step is to analyse the impact of these privacy goals on processes and related support systems. Answering this question involves the following tasks: identify the influence of privacy goals on organisational goals and analyse the impact on processes. A summary of this process is shown in figure 2. As shown in figure 2, for each privacy goal PriS identifies the impact it may have on other organisational goals. This impact may lead to the introduction of new goals or to the improvement / adaptation of existing goals. Introduction of new goals may lead to the introduction of new processes, while improvement / adaptation of goals may lead to the adaptation of associated processes accordingly. Repeating this process for every privacy goal and its associated organisational goals leads to the identification of alternative ways for resolving privacy requirements. The result of this process is modelled in the spirit of an extended AND/OR goal graph. The last step is to define the system architecture that best supports the privacy-related processes identified in the previous step. As discussed in section 3, a number of alternative system implementation architectures may be used depending on the privacy requirement that one wishes to achieve. Therefore, instead of prescribing a single solution, PriS identifies and suggests a number of implementation techniques and architectures that best support the realisation of each privacy-related process in the system’s development phase. The developer is then responsible for choosing which architecture is best for the system under development, based on the organisation’s priorities such as cost, system efficiency, etc. Based on the example of figure 2, for the implementation of the process P2, which is related to the unobservability privacy goal, PriS suggests a number of techniques such as Tor, Onion Routing, Hordes, etc. Based on the organisation’s criteria, developers will choose which architecture best satisfies the system’s requirements.

Figure 2. PriS way-of-working. (Diagram: for each privacy goal (Privacy Goal 1 … Privacy Goal n) under consideration and for each organisational goal G with its immediate subgoals G1, G2, G3, the diagram shows the impact on goals (Adapt G; Introduce alternative to G; Improve G1; Cease G2; Maintain G3), the impact on processes (Improve process P1; Introduce process P2 for improving G1) and the suggested implementation (Implementation Technique 1 for the improved process P1; Implementation Technique 2 for the introduced process P2).)

5. Applicability of PriS methodology in e-Voting

This section demonstrates the application of the PriS methodology on an electronic voting project. A detailed description of the e-voting project can be found in [36].

5.1. The electronic voting system

The main scope of the e-voting system is to provide eligible citizens the right to cast a vote over the Internet rather than visiting an election district, aiming to simplify the election processes and thus increase the degree of citizens’ participation during elections. The e-voting system is described by four main principles that form the four primary organisational goals, namely: a) Generality, b) Equality, c) Freedom and d) Directness. Specifically, generality implies that all citizens above a certain age should have the right to participate in the election process. Equality implies that both political parties - that participate in the election process - and voters have equal rights before, during and after the election process, and neither the system nor any other third party is able to alter this. Freedom implies that the entire election process is conducted without any violence, coercion, pressure, manipulative interference or other influences, exercised either by the state or by one or more individuals. Finally, directness implies that no intermediaries intervene in the voting procedure and that each and every ballot is directly recorded and counted. Based on the four primary goals of the e-voting system, the EKD methodology was applied for constructing the system’s goal model and for identifying the relevant processes that realise the operationalised subgoals. EKD produced the model presented in figure 3. In the last line the dotted boxes are the relevant processes that satisfy each sub-goal.

5.2. Applying PriS

The goal model of figure 3 forms the basis upon which the three PriS activities (presented in section 4) are applied, as described in the following sections.

5.2.1. Identify Privacy-Related Goals. After performing a stakeholder analysis and an identification of the basic privacy concerns for the e-voting system, it is agreed that two out of the four privacy goals need to be considered for the specific system: Unlinkability and Unobservability. The other two are not considered since it is forbidden for a voter to be anonymous or even pseudonymous, because that would prevent him/her from casting a vote.

Figure 3. Goal-Model of the e-voting System

5.2.2. Analyse the impact of privacy goals on processes. After the elicitation of privacy goals, the relevant goals and subgoals that unlinkability and unobservability have an impact on, based on the application context, are identified. The identified goals for each privacy goal, based on the system’s goal model, are shown in table 1. For every sub-goal the relevant processes that realise this goal are also identified. These are shown in table 2. It is obvious that one process may realise more than one goal, some of which may not be directly affected by the introduction of the specific privacy goals. In this case, further impact analysis is performed on each one of the goals linked to the specific process in order to ensure that any alterations of the relevant process will not hinder the realisation of those goals.

Table 1. Goals identified during the elicitation process

Ensuring Unlinkability - affected goals:
  G1.1) Ensure the participation of all eligible voters
    G1.1.3) Provide e-access to all eligible voters
  G2.1) Equality for political parties
    G2.1.3) Ensure integrity of voter’s ballot
  G2.2) Equality for voters
    G2.2.1) Ensure voter’s eligibility

Ensuring Unobservability - affected goals:
  G2.1) Equality for political parties
    G2.1.1) Ensure transparency of voting procedure

Table 2. Processes that realise identified goals

Affected goal                                     Process
G1.1.3) Provide e-access to all eligible voters   P3) Send authentication means to all eligible voters
G2.1.3) Ensure integrity of voter’s ballot        P8) Cast vote
G2.2.1) Ensure voter’s eligibility                P7) Authenticate voter
G2.1.1) Ensure transparency of voting procedure   P6) Verify integrity

For every goal identified, the new privacy goals are realised either by modifying/altering the specific goal or by introducing new ones. Specifically, for the goal “Ensure the participation of all eligible Voters” and the relevant subgoal “Provide e-access to all eligible voters”, two new subgoals for realising the Unlinkability goal are introduced, namely “Provide e-access” and “Ensure that others won’t be able to link the voter with the vote he/she casts”. In particular, the e-voting system is responsible for providing eligible voters with a pair of username and password before the election’s starting date. Based on the organisation’s context, the communication between the system and the user during the dispatch of username and password must be done in an unlinkable way, meaning that any malicious third party will not be able to reveal to whom the data are sent even if he/she gets to disclose part of the information being sent, thus protecting users’ personally identifiable information. The structure of the current goal as well as the suggested modification is shown in figure 4.
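The following added example (not the authors’ code or tool) runs the three PriS activities of section 4 over the e-voting case: Table 1 supplies the affected goals, Table 2 the processes that realise them, and the technique support matrix reproduces Table 3 of section 5.2.3. Step (b)’s shared-process check needs a process that realises a goal outside the affected set; since the paper’s goal model (figure 3) is not reproduced on the page, process P8 is given an extra hypothetical goal “GX” here purely to exercise that check. Identifiers P1 and the developer preference order in `choose` are likewise assumptions.

```python
from itertools import chain

# Table 3 of the paper: 'Y' entries become True.
TECHNIQUES = {
    "Anonymizer":    {"unlinkability": False, "unobservability": False},
    "Crowds":        {"unlinkability": False, "unobservability": False},
    "Onion Routing": {"unlinkability": True,  "unobservability": False},
    "DC-Nets":       {"unlinkability": False, "unobservability": False},
    "Mix-Nets":      {"unlinkability": True,  "unobservability": False},
    "Hordes":        {"unlinkability": True,  "unobservability": True},
    "GAP":           {"unlinkability": True,  "unobservability": True},
    "Tor":           {"unlinkability": True,  "unobservability": True},
}

# Table 1: leaf goals each privacy goal was found to affect (step (a) output).
AFFECTED = {
    "unlinkability":   {"G1.1.3", "G2.1.3", "G2.2.1"},
    "unobservability": {"G2.1.1"},
}

# Table 2: processes and the goals they realise.  "GX" on P8 is a hypothetical
# extra goal (not in the paper) so that the shared-process check has something to flag.
REALISES = {
    "P3": {"G1.1.3"},        # Send authentication means to all eligible voters
    "P8": {"G2.1.3", "GX"},  # Cast vote (GX: hypothetical additional goal)
    "P7": {"G2.2.1"},        # Authenticate voter
    "P6": {"G2.1.1"},        # Verify integrity
}


def impacted_processes(affected=AFFECTED, realises=REALISES):
    """Step (b): for each privacy goal, the processes realising an affected goal."""
    return {pg: sorted(p for p, goals in realises.items() if goals & gs)
            for pg, gs in affected.items()}


def requirements_per_process(affected=AFFECTED, realises=REALISES):
    """Inverse view: the privacy goals that constrain each process."""
    per = {}
    for pg, procs in impacted_processes(affected, realises).items():
        for p in procs:
            per.setdefault(p, set()).add(pg)
    return per


def collateral_goals(affected=AFFECTED, realises=REALISES):
    """Goals realised by an impacted process that are not themselves affected
    by any privacy goal: these need further impact analysis before the process
    is altered (section 5.2.2)."""
    directly = set(chain.from_iterable(affected.values()))
    return {p: sorted(realises[p] - directly)
            for p in requirements_per_process(affected, realises)
            if realises[p] - directly}


def candidate_techniques(process, affected=AFFECTED, realises=REALISES, table=TECHNIQUES):
    """Step (c): techniques marked 'Y' for every privacy goal constraining the
    process; a process with no privacy constraint gets no suggestion."""
    needs = requirements_per_process(affected, realises).get(process, set())
    if not needs:
        return []
    return [t for t, support in table.items() if all(support[n] for n in needs)]


def choose(process, preference):
    """The developer's decision: first technique in an organisation-specific
    preference order (cost, complexity, ...) that is a candidate for the process."""
    cands = candidate_techniques(process)
    return next((t for t in preference if t in cands), None)


if __name__ == "__main__":
    print("impacted processes :", impacted_processes())
    print("needs further analysis:", collateral_goals())
    for p in sorted(requirements_per_process()):
        print(p, "->", candidate_techniques(p))
    print("pick for P6:", choose("P6", ["Mix-Nets", "Tor", "Hordes"]))
```

The candidate list is an intersection over all privacy goals on a process, so a process constrained by both unlinkability and unobservability would only be offered Hordes, GAP and Tor; the final pick stays with the developer, as the paper prescribes, via the explicit preference order.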

5

The unlinkability goal was also identified to have an impact on the subgoal “Ensure Integrity of Voter’s ballot”. In this case unlinkability is necessary for protecting user’s privacy since during the process of a

Finally, for satisfying voter’s unobservability, the goal “Ensure transparency of voting procedure” is identified. Based on system’s specification, eligible voters have the right to verify results’ integrity after the

Figure 4. Altering “Provide e-access to all eligible users” sub-goal

Figure 6. Altering “Ensure Voter’s eligibility” sub-goal

election process is terminated. In many cases voters do not wish others to know which services they access and for which results they have an interest on. Unobservability provides them with this ability since no one especially third parties are able to observe which services are used even if they are able to locate which users are connected to the system. Figure 7 illustrates the transformation of goal “Ensure transparency of voting procedure”. After the modifications on the goal-process structure we move to the next step where a number of implementation techniques based on the above models are suggested to the developer of the system who then is responsible for choosing the most appropriate one.

legitimate user casting a vote third parties must not be able to link the vote with the voter thus revealing not only personal information about the voter but also which his/her political beliefs are. For protecting users privacy during casting procedure two additional goals are introduced as shown in figure 5.

5.2.3. Identify the technique(s) that best support/implement the above processes. A number of implementation techniques that best support the above processes can be used, based on the current system’s architecture. The e-voting system architecture is shown in figure 8. Particularly, it consists of a mail server, through which authentication means are send to all eligible voters, a database server, where information about all eligible voters are stored, a number of election districts servers where voters cast their vote, and a main web server which gives access to all eligible voters, reallocates them to the relevant election district server, collects the results from every election district server, performs the tally vote procedure and is responsible for resolving any abnormalities inside the network. The circle in figure 8 denotes that for security reasons the entire network belongs to a virtual private network and only the main server is communicating with the internet. Due to this communication a firewall is attached to the main server

Figure 5. Altering “Ensure Integrity of Voter’s ballot” sub-goal

Subgoal “ensure eligibility of voter” also needs refinement since during authentication process unlinkability is of vital importance for protecting voter’s privacy. Particularly, malicious third parties must be unable to “steal” any information that afterwards may lead to voters’ personal information. Thus, during authentication procedure the system should provide unlinkability services. For achieving this goal the “ensure eligibility of Voter” subgoal is transformed to the one shown in figure 6.

6

for raising networks degree of security. Finally, each election district server has a database with the list of the eligible voters belonging to that specific district. In case that a non eligible voter manages to pass through the main

above goals. The place where the specific architecture must be built is shown in figure 8. Table 3. Implementation Technique that realise Unlinkability and Unobservability goals

Anonymizer Crowds Onion Routing DC-Nets Mix-Nets Hordes GAP Tor Y: Yes / N: No

Unlinkability N N Y N Y Y Y Y

Unobservability N N N N N Y Y Y

6. Related Work Besides the development of privacy enhancing technologies, a number of requirement engineering methodologies have been proposed for managing security issues in the design level (NFR [21,22], Tropos [24,25,26], KAOS [27], i* [23], RBAC [28], M-N framework [29], GBRAM [30,31). All the above methodologies address privacy along with other security goals, however as it is discussed in this paper privacy should be considered as a separate design criterion in the whole system’s development process. Furthermore, the majority of the proposed methodologies (with the exception of GBRAM) consider the elicitation of security requirements from business goals but do not address how these requirements are translated into system components, nor do they suggest any relevant implementation techniques. The RBAC methodology is the only one which considers the generation of system policies based on the elicited security requirements but, opposite to PriS, it does not suggest any way for eliciting and managing these requirements. Bellotti and Sellen in [32] developed a framework for privacy-aware design in ubiquitous computing. This framework proposes a procedure designers may follow through a set of questions in order to evaluate a system. The evaluation is accomplished by identifying a set of new requirements, which must be implemented by the developers. A recent variation of this framework is proposed by Hong et al in [34]. In spite of the fact that these frameworks are inexpensive to use and not very time-consuming a number of disadvantages exist. Firstly, they do not address/suggest any implementation techniques for realizing the identified requirements. A gap between design and implementation exists since they do not suggest a way for guiding the developer from the design to the implementation level. Also these frameworks produce a static set of vulnerabilities (which

Figure 7. Altering “Ensure transparency of voting procedure” sub-goal

server, he/she won’t be able to cast a vote since he/she will not belong to any of the election districts list. E-Voting System Architecture «TCP/IP», «SSL» TOR Architecture

«TCP/IP»

» «S SL »,

»

» SL

«T C

«T

«S

P/ IP

SL «S

», IP P/

Data Base (List of Voters of election District 1)

, P»

Data Base Server (List of all Voters) C «T

Election District 1 Server

/I CP

«TCP/IP», «SSL»

«T

«DB Protocol»

Main Server

Mail Server Voter

Virtual Private Network

Firewall

CP /I

P» ,

«S

SL

»

Election District 2 Server

Election District 3 Server

Election District 4 Server

Data Base (List of Voters of election District 2)

Data Base (List of Voters of election District 3)

Data Base (List of Voters of election District 4)

Election District n Server

Data Base (List of Voters of election District n)

Figure 8. E-voting System Architecture

Considering the specific architecture and the privacy goals that were introduced in the previous steps a list of suggested implementation techniques for realizing unlinkability and unobservability are shown in table 3. Developers are then responsible of choosing the technique that best conforms to system also taking into consideration additional criteria e.g. implementation cost, architecture complexity etc. In particular, based on the information provided in table 2, developers can see which implementation techniques address the realisation of the suggested privacy goals and choose the most suitable technique that best conforms to organisational needs. Let us assume that developers choose Tor architecture for implementing the

7

the current system must overcome) and leave the designer to re-evaluate the entire system since they do not take iteration into account as part of the design process. Changing one part in the system’s design may affect multiple other parts in terms of privacy. Based on the afore-mentioned vulnerabilities these frameworks are more likely to be employed once at the end of the design cycle rather than become a part of the design process. The STRAP framework proposed in [33] takes a further step compared to the previous frameworks. Specifically, it is based on the above frameworks while borrowing methods from requirements engineering and goal-oriented analysis. In particular, at the beginning STRAP performs a goal-oriented analysis of the system for identifying the relevant actors, goals and major system components. Then a list of vulnerabilities is produced by asking a number of questions similar to the ones proposed in [32], [34] on every goal and sub-goal. Vulnerabilities are categorized based on the four Federal Information Practices presented in [35]. Once vulnerabilities are identified the steps of refinement, evaluation and iteration follow. While STRAP successfully combines goaloriented analysis and heuristic-based frameworks for addressing privacy vulnerabilities, opposite to PriS, it does not take the next step of discovering/suggesting the relevant implementation techniques needed for eliminating these vulnerabilities.

7. Conclusions

In this paper, PriS, a new methodology for incorporating privacy user requirements into the system design process, is introduced. PriS identifies which goals need privacy protection, identifies the relevant privacy requirements that must be satisfied, identifies the processes that realise these goals and proposes a number of implementation techniques through which these processes can be realised. Many architectures and methodologies have been developed for protecting users' privacy. However, most of them operate either close to the implementation level or early in the design process, and none treats privacy as a separate design criterion. As A. Cavoukian states in [5], "the concept of privacy by design - the need for privacy to be designed into an information management system, right from the beginning" is the only way to solve the existing vulnerabilities in the privacy domain. Future work includes the design of a software tool supporting this methodology. Specifically, we aim to build a tool that will automatically identify the impact of each privacy goal on the goal-process structure. It will also provide developers with a description of each implementation technique and a guiding procedure for applying the selected technique to the system under development.

8. References

[1] Fischer-Hübner, S.: IT-Security and Privacy: Design and Use of Privacy-Enhancing Security Mechanisms. LNCS Vol. 1958. Springer-Verlag, Berlin Heidelberg New York (2001)
[2] Kalloniatis, C., Kavakli, E., Gritzalis, S.: Security Requirements Engineering for e-Government Applications. DEXA EGOV'04 Conference, LNCS Vol. 3183. Springer (2004) 66-71
[3] Loucopoulos, P., Kavakli, V.: Enterprise Knowledge Management and Conceptual Modelling. LNCS Vol. 1565. Springer (1999) 123-143
[4] Loucopoulos, P.: From Information Modelling to Enterprise Modelling. In: Information Systems Engineering: State of the Art and Research Themes. Springer-Verlag, Berlin Heidelberg New York (2000) 67-78
[5] Cannon, J. C.: Privacy: What Developers and IT Professionals Should Know. Addison-Wesley (2004)
[6] Gritzalis, S.: Enhancing Web Privacy and Anonymity in the Digital Era. Information Management and Computer Security, Vol. 12, No. 3. Emerald Group Publishing Limited (2004) 255-288
[7] Pfitzmann, A.: Diensteintegrierende Kommunikationsnetze mit teilnehmerüberprüfbarem Datenschutz. Informatik-Fachberichte 234. Springer-Verlag, Berlin Heidelberg New York (1990)
[8] Pfitzmann, B., Waidner, M., Pfitzmann, A.: Rechtssicherheit trotz Anonymität in offenen digitalen Systemen. Datenschutz und Datensicherheit (DuD) No. 6 (1990) 243-253 (Part 1), No. 7 (1990) 305-315 (Part 2)
[9] Anonymizer, available at www.anonymizer.com
[10] Reiter, M. K., Rubin, A. D.: Crowds: Anonymity for Web Transactions. ACM Transactions on Information and System Security, Vol. 1, No. 1 (1998) 66-92
[11] Reiter, M. K., Rubin, A. D.: Anonymous Web Transactions with Crowds. Communications of the ACM, Vol. 42, No. 2 (1999) 32-38
[12] Reed, M., Syverson, P., Goldschlag, D.: Anonymous Connections and Onion Routing. IEEE Journal on Selected Areas in Communications, Vol. 16, No. 4 (1998) 482-494
[13] Goldschlag, D., Syverson, P., Reed, M.: Onion Routing for Anonymous and Private Internet Connections. Communications of the ACM, Vol. 42, No. 2 (1999) 39-41
[14] Chaum, D.: Security without Identification: Transaction Systems to Make Big Brother Obsolete. Communications of the ACM, Vol. 28, No. 10 (1985) 1030-1044
[15] Chaum, D.: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology, Vol. 1, No. 1 (1988) 65-75
[16] Chaum, D.: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM, Vol. 24, No. 2 (1981) 84-88
[17] Pfitzmann, A., Waidner, M.: Networks without User Observability. Computers & Security, Vol. 6, Issue 2 (1987) 158-166
[18] Shields, C., Levine, B. N.: A Protocol for Anonymous Communication over the Internet. In: Samarati, P., Jajodia, S. (eds.): Proceedings of the 7th ACM Conference on Computer and Communications Security. ACM Press, New York, NY (2000) 33-42
[19] Bennett, K., Grothoff, C.: GAP: Practical Anonymous Networking. Proceedings of the Workshop on Privacy Enhancing Technologies (PET 2003) (2003), also available at http://citeseer.nj.nec.com/bennett02gap.html
[20] Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. Proceedings of the 13th USENIX Security Symposium, San Diego, CA, USA (2004)
[21] Chung, L.: Dealing with Security Requirements during the Development of Information Systems. CAiSE '93, The 5th International Conference on Advanced Information Systems Engineering, Paris, France (1993)
[22] Mylopoulos, J., Chung, L., Nixon, B.: Representing and Using Non-Functional Requirements: A Process-Oriented Approach. IEEE Transactions on Software Engineering, Vol. 18 (1992) 483-497
[23] Liu, L., Yu, E., Mylopoulos, J.: Analyzing Security Requirements as Relationships among Strategic Actors. Symposium on Requirements Engineering for Information Security (SREIS'02), Raleigh, North Carolina, October 15-16 (2002)
[24] Liu, L., Yu, E., Mylopoulos, J.: Security and Privacy Requirements Analysis within a Social Setting. 11th IEEE International Requirements Engineering Conference (RE'03), Monterey Bay, California, USA (2003)
[25] Mouratidis, H., Giorgini, P., Manson, G.: Integrating Security and Systems Engineering: Towards the Modelling of Secure Information Systems. CAiSE '03, LNCS Vol. 2681. Springer-Verlag, Berlin Heidelberg (2003) 63-78
[26] Mouratidis, H., Giorgini, P., Manson, G.: An Ontology for Modelling Security: The Tropos Project. Proceedings of the KES 2003 Invited Session on Ontology and Multi-Agent Systems Design (OMASD'03), University of Oxford, United Kingdom (2003)
[27] van Lamsweerde, A., Letier, E.: Handling Obstacles in Goal-Oriented Requirements Engineering. IEEE Transactions on Software Engineering, Vol. 26 (2000) 978-1005
[28] He, Q., Antón, A. I.: A Framework for Modelling Privacy Requirements in Role Engineering. International Workshop on Requirements Engineering for Software Quality (REFSQ), Klagenfurt/Velden, Austria (2003)
[29] Moffett, J. D., Nuseibeh, B. A.: A Framework for Security Requirements Engineering. Report YCS 368, Department of Computer Science, University of York (2003)
[30] Antón, A. I.: Goal-Based Requirements Analysis. ICRE '96, IEEE, Colorado Springs, Colorado, USA (1996) 136-144
[31] Antón, A. I., Earp, J. B.: Strategies for Developing Policies and Requirements for Secure Electronic Commerce Systems. 1st ACM Workshop on Security and Privacy in E-Commerce (2000)
[32] Bellotti, V., Sellen, A.: Design for Privacy in Ubiquitous Computing Environments. In: De Michelis, G., Simone, C., Schmidt, K. (eds.): Proceedings of the Third European Conference on Computer Supported Cooperative Work (ECSCW '93) (1993) 93-108
[33] Jensen, C., Tullio, J., Potts, C., Mynatt, E. D.: STRAP: A Structured Analysis Framework for Privacy. GVU Technical Report, January 2005
[34] Hong, J. I., Ng, J., Lederer, S., Landay, J. A.: Privacy Risk Models for Designing Privacy-Sensitive Ubiquitous Computing Systems. Designing Interactive Systems (DIS 2004), Boston, MA (2004)
[35] The Code of Fair Information Practices. US Department of Health, Education and Welfare (1973)
[36] EU Information Society DG, IST Programme 2000#29518 "E-vote: An Internet-Based Electronic Voting System", Project Deliverable D 7.6, University of the Aegean, Greece
[37] Kavakli, E.: Modeling Organizational Goals: Analysis of Current Methods. Proceedings of the 2004 ACM Symposium on Applied Computing, Nicosia, Cyprus, March 2004, ISBN 1-58113-812-1, 1339-1343

