Your search keyword '"Gdpr"' showing total 28 results

1. From Technical Prerequisites to Improved Care: Distributed Edge AI for Tomographic Imaging

Author

Bilgehan Akdemir, Hafiz Faheem Shahid, Mikael A. K. Brix, Juho Laakkola, Johirul Islam, Tanesh Kumar, Jarmo Reponen, Miika T. Nieminen, and Erkki Harjula

Subjects

CBCT, distributed AI, edge computing, edge cloud continuum, GDPR, medical imaging, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Recent years have seen a surge in AI-driven medical image processing, leading to significant improvements in diagnostic performance. However, medical imaging technologies tend to create staggering volumes of medical data, necessitating high-performance computing. Cloud systems with robust GPUs and resource capacity are optimal choices for DL-based medical image processing. However, transferring data to the cloud for processing strains communication links, introduces high communication latency, and raises privacy and security concerns. Consequently, despite the undisputed benefits of cloud computing, dedicated standalone local computers are still used for image reconstruction in today’s systems. This localized strategy uses expensive hardware inefficiently and falls short of scalability and maintainability. Edge computing emerges as an innovative concept by bringing cloud processing capabilities closer to data sources. A continuum of computing including local, edge, and cloud tiers would offer a promising solution for medical image processing. According to literature survey, there are no significant works on utilizing edge cloud continuum for CBCT imaging. To fill this gap, we introduce novel 3-TECC architectural concept, specifically designed for CBCT data reconstruction in medical imaging. This article explores the evolving synergy among medical imaging, distributed AI, containerized solutions, and edge-cloud continuum technologies, highlighting their clinical implications and illuminating the potential for transformative patient care. We uncover challenges and opportunities this convergence provides with the CBCT image reconstruction use case, while aligning with regulatory compliance. The proposed 3-TECC architecture advocates a decentralized data processing paradigm, reducing reliance on the centralized approach and emphasizing the role of local-edge computing.

Published

2025

2. WHOIS Data Redaction and its Impact on Unsolicited Emails: A Field Experiment

Author

Tobias Sattler

Subjects

Domain names, GDPR, ICANN, spam emails, WHOIS, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

The Internet Corporation for Assigned Names and Numbers (ICANN) mandates the disclosure of certain information regarding registered domain names. However, the European Union General Data Protection Regulation (GDPR) curtails publicly accessible information, including personally identifiable information (PII). It has been suggested that public disclosure of registration data leads to email spam, but no systematic academic study of this effect has been conducted. This study fills this gap by empirically assessing the impact of public PII disclosures on spam email volumes. Over a year-long field experiment, we registered 66 domain names with disclosed and undisclosed PII and analyzed incoming unsolicited email advertising. Our results revealed that, on average, domains with publicly disclosed contact information received 19.7 total emails per domain, compared to a mean of 4.2 for domains with undisclosed details. When focusing specifically on spam emails, domains with publicly disclosed contact information received 12.76 per domain, compared to only 0.12 for domains with undisclosed details. This significant increase in spam emails linked to public PII disclosures indicates a clear negative impact. ICANN stakeholders should consider these findings, recognizing the potential privacy implications and spam risks of disclosing domain contact information.

Published

2024

3. Runtime and Design Time Completeness Checking of Dangerous Android App Permissions Against GDPR

Author

Ryan Mcconkey and Oluwafemi Olukoya

Subjects

Security and privacy protection, requirement engineering, regulatory compliance, GDPR, android permission, unified modelling language, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Data and privacy laws, such as the GDPR, require mobile apps that collect and process the personal data of their citizens to have a legally-compliant policy. Since these mobile apps are hosted on app distribution platforms such as Google Play Store and App Store, the app publishers also require the app developers who wish to submit a new app or make changes to an existing app to be transparent about their app privacy practices regarding handling sensitive user data that requires sensitive permissions such as calendar, camera, microphone. To verify compliance with privacy regulators and app distribution platforms, the app privacy policies and permissions are investigated for consistency. However, little has been done to investigate GDPR completeness checking within the Android permission ecosystem. In this paper, we investigate the design and runtime approaches towards completeness checking of sensitive (‘dangerous’) Android permission policy declarations against GDPR. In this paper, we investigate the design and runtime approaches towards completeness checking of dangerous Android permission policy declarations against GDPR. Leveraging the MPP-270 annotated corpus that describes permission declarations in application privacy policies, six natural language processing and language modelling algorithms are developed to measure permission completeness during runtime while a proof of concept Class Unified Modeling Language Diagram (UML) tool is developed to generate GDPR-compliant permission policy declarations using UML diagrams during design time. This paper makes a significant contribution to the identification of appropriate permission policy declaration methodologies that a developer can use to target particular GDPR laws, increasing GDPR compliance by 12% in cases during runtime using BERT word embedding, measuring GDPR compliance in permission policy sentences, and a UML-driven tool to generate compliant permission declarations.

Published

2024

4. Sharing is Not Always Caring: Delving Into Personal Data Transfer Compliance in Android Apps

Author

David Rodriguez, Jose M. Del Alamo, Celia Fernandez-Aller, and Norman Sadeh

Subjects

Android, compliance assessment, data protection, data transfer, dynamic analysis, GDPR, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

In an era marked by ubiquitous reliance on mobile applications for nearly every need, the opacity of apps’ behavior poses significant threats to their users’ privacy. Although major data protection regulations require apps to disclose their data practices transparently, previous studies have pointed out difficulties in doing so. To further delve into this issue, this article describes an automated method to capture data-sharing practices in Android apps and assess their proper disclosure according to the EU General Data Protection Regulation. We applied the method to 9,000 random Android apps, unveiling an uncomfortable reality: over 80% of Android applications that transfer personal data off device potentially fail to meet GDPR transparency requirements. We further investigate the role of third-party libraries, shedding light on the source of this problem and pointing towards measures to address it.

Published

2024

5. Challenges and Enablers for GDPR Compliance: Systematic Literature Review and Future Research Directions

Author

Nemer Alberto Zaguir, Guilherme Henrique de Magalhaes, and Mauro de Mesquita Spinola

Subjects

Challenges, enablers, enterprise architecture management, GDPR, general data protection regulation, information governance, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Compliance with the General Data Protection Regulation (GDPR) or related laws by organizations could require organizational and technological changes. This topic has gained significant attention from management and scholars alike. Although the literature presents some reviews and research articles discussing challenges and enablers for GDPR compliance, they are often scattered and fragmented. One particular challenge is the implementation roadmap gap that arises when using ISO-based standards for compliance in isolation. On the other hand, as enablers for compliance, it raises the potential use of information governance (IG) and enterprise architecture management (EAM) disciplines. This research aims to provide a systematic literature review of the challenges and enablers for GDPR compliance and address this gap. The findings include a categorized list of challenges and enablers, a strategy for bridging the roadmap gap using IG and EAM, and the development of five propositions based on some challenges and enablers around this gap. Moreover, the study proposes a research agenda that includes conceptual work to build an IG-EAM framework, empirical research to verify those propositions, and developing new hypotheses stemming from the review’s challenges and enablers. These contributions enhance the body of knowledge providing practical insights for organizations striving for GDPR compliance.

Published

2024

6. A Blockchain-Based Hybrid Architecture for Auditable Consent Management

Author

Ozgu Can, Tunahan Dag, and Murat Kantarcioglu

Subjects

Accountability, auditability, blockchain, consent management, GDPR, privacy, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Consent management has become an important issue with the increased usage of the Internet and also smart devices that collect personal data. Each country enacts its regulations and laws for consent management. These laws ensure that personal data is not collected without the individual’s consent and cannot be processed with a purpose other than the stated purpose. The General Data Protection Regulation (GDPR) has strict rules regarding collecting and processing personal data. This paper proposes a new approach for auditable hybrid consent management systems using blockchain technology and a purpose tree. The suggested approach includes (1) the implementation of a GDPR-compliant consent management system using blockchain and purpose tree; (2) the implementation of an audit mechanism that detects consent violations and corrects consents; and (3) the use of both on-chain and off-chain technologies. The audit mechanism proposed in this paper detects possible violations by performing inspections on every transaction in the system. Besides, it immediately informs the data subject and the competent authorities regarding the relevant violations. As part of this study, a prototype of the architecture is developed as a proof of concept to evaluate the performance of critical components. The obtained experimental results show that the proposed hybrid architecture that use purpose tree effectively supports consent sharing between the parties.

Published

2024

7. A Formal Model for Integrating Consent Management Into MLOps

Author

Neda Peyrone and Duangdao Wichadakul

Subjects

GDPR, AI act, consent management, event-B, AI governance, MLOps, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

In the artificial intelligence (AI) era, data has become increasingly essential for learning and analysis. AI enables automated decision-making that may lead to violation of the General Data Protection Regulation (GDPR). The GDPR is the data protection law within the European Union (EU) that allows individuals (‘data subjects’) to control their personal data. According to the law, automated decision-making can be permitted where data subjects give explicit consent. Therefore, consent management (CM) has become an essential software component for managing data subjects’ data lifecycle and their consent. Bringing machine learning (ML) into production needs machine learning operations (MLOps). MLOps is a set of processes for delivering ML artifacts reliably and efficiently. However, current MLOps frameworks neglect the integration of CM into their processes, leading to the risk of GDPR violations. This research proposes a formal model for integrating CM into MLOps that takes upfront privacy by design (PbD). Finally, we provided a mapping from the formal model to a class diagram as guidelines to integrate CM into MLOps and demonstrated how to apply the proposed class diagram to existing ML developments, such as machine unlearning, in conjunction with the Purchase dataset.

Published

2024

8. Expandable Mix-Zones as a Deception Technique for Providing Location Privacy on Internet-of- Battlefield Things (IoBT) Deployments

Author

Ismail Butun and Imadeldin Mahgoub

Subjects

IoBT, IoT, cyber-physical systems, location privacy, security, GDPR, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Internet of Battlefield Things (IoBT) is one of the latest technological advancements in combat-aid services, designed to enhance the battlefield operations of elite teams, such as seals and special operation units. Based on the general concept of the Internet of Things, IoBT establishes a set of devices connected via a communication channel that can interact with each other and share data easily over the battlefield area. In contexts characterized by a high level of difficulties in operation, location information of soldiers should be kept at accuracies that are the highest. This need forms the basis for location privacy, where protection of the positional information of soldiers is ‘deception’, and on which this academic paper is based. Within the ambit of deception strategies for IoT, this article delves into the nuanced intricacies of one particularly promising approach, ‘mix-zones’, which we previously proposed by us for IoBT environments. These zones facilitate the amalgamation and anonymization of multiple user locations within expansible spatial boundaries, thereby offering a robust mechanism for preserving location privacy amidst dynamic battlefield environments. This article is the extension of our previously published explanation work “Expandable Mix-Zones for the IoBT”. For this version, we extend the proposed scheme by including a Random Walk model, hence strengthening the theoretical basis with empirical analysis. More specifically, in this work, we try to estimate the approximate precision of the position information inside and outside mix-zone boundaries. By incorporating the Random Walk model, we try to explain the dynamic interaction between location privacy protection and the inherent uncertainty of the battlefield. The simulations are done in the Python environment, and the associated graphics for each are provided. This approach allows one not only to ensure reproducibility but also to enhance readers’ involvement with the provision of full-scale visual exploration of comparative studies. Concretely, this work investigates the efficacy of the mix-zone concept in real-world scenarios to derive practical insights that are essential for creating robust and resilient IoBT infrastructures.

Published

2024

9. ChildGAN: Large Scale Synthetic Child Facial Data Using Domain Adaptation in StyleGAN

Author

Muhammad Ali Farooq, Wang Yao, Gabriel Costache, and Peter Corcoran

Subjects

Dataset, GANs, GDPR, transformations, transfer learning, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

In this research work, we proposed a novel ChildGAN, a pair of GAN networks for generating synthetic boys and girls facial data derived from StyleGAN2. ChildGAN is built by performing smooth domain transfer using transfer learning. It provides photo-realistic, high-quality data samples. A large-scale dataset is rendered with a variety of smart facial transformations: facial expressions, age progression, eye blink effects, head pose, skin and hair color variations, and variable lighting conditions. The dataset comprises more than 300k distinct data samples. Further, the uniqueness and characteristics of the rendered facial features are validated by running different computer vision application tests which include CNN-based child gender classifier, face localization and facial landmarks detection test, identity similarity evaluation using ArcFace, and lastly running eye detection and eye aspect ratio tests. The results demonstrate that synthetic child facial data of high quality offers an alternative to the cost and complexity of collecting a large-scale dataset from real children. The complete dataset along with the trained model are open-sourced on our GitHub website and GitHub page: https://github.com/MAli-Farooq/ChildGAN.

Published

2023

10. Consent Receipts for a Usable and Auditable Web of Personal Data

Author

Vitor Jesus and Harshvardhan J. Pandit

Subjects

Accountability, consent, GDPR, personal data, web, consent receipt, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Consenting on the Web, in the context of online privacy and data protection, is universally accepted as a difficult problem, mainly because of its cross-disciplinarity. For example, any approach to online Consenting needs to meet usability, legal, regulatory, technical, and business requirements. To date, effort has been predominantly focused on meeting compliance with regulations and automation, and less on the true re-empowerment of users with respect to their personal data. One approach that has not seen sufficient research is the use of ‘Consent Receipts’, which offer a new paradigm of recording interactions concerning consent and using them as proofs in future actions, similar to familiar use of a common shopping receipt. In addition to being a record, receipts encourage accountability in how technology handles consent and is beneficial for all involved stakeholders. For organisations, it assists with legal requirements for demonstration of valid consent, while for users it provides transparency and accountability by being a proof to be used against malpractices related to consent. Receipts also have uses in addition to those related to consent, such as for authorising the holder in exercising related rights. This paper analyses the requirements, uses, and benefits offered by Consent Receipts with an extensive and broad literature review. Since receipts are a novel concept, we identify properties and requirements, and then new mechanisms necessary for the Web to support receipts. We then demonstrate feasibility of receipts through proof-of-concepts in three common real-world use-cases: (a) acceptance of a privacy policy and its subsequent changes; (b) choices expressed via consent dialogues or cookie banners; and (c) verbal interactions with Amazon Alexa.

Published

2022

11. SmartAccess: Attribute-Based Access Control System for Medical Records Based on Smart Contracts

Author

Marcela Tuler De Oliveira, Lucio Henrik Amorim Reis, Yiannis Verginadis, Diogo Menezes Ferrazani Mattos, and Silvia Delgado Olabarriaga

Subjects

Attribute-based access control, blockchain, cross-organisation security, electronic medical records, GDPR, healthcare information system, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Cross-organisation data sharing is challenging because all the involved organisations must agree on ‘how’ and ‘why’ the data is processed. Due to a lack of transparency, the organisations need to trust that others comply with the agreements and regulations. We propose to exploit blockchain and smart contracts technologies to define an Attribute-Based Access Control System for cross-organisation medical records sharing, coined SmartAccess. SmartAccess offers joint agreement over access policies and dynamic access control besides blockchain transparency and auditability. We leverage the Attribute-Based Access Control model to implement smart contracts. We deploy and test them on a private and permissioned blockchain, transforming the access control process into a distributed smart contract execution. This paper proposes the SmartAccess system and its application in two healthcare use cases. We introduce the threat model and perform a security analysis of the system. To demonstrate the feasibility of our proposal, we implement a proof-of-concept of the smart contracts, written in Solidity language, with a size-efficient policy representation, and analyse the complexity and scalability of the contracts’ functions. Furthermore, we present performance results, measuring the latency and throughput of the transactions to execute the access control functions with different blockchain network consensus setups. We also compare the performance of the SmartAccess system against two open-source Solidity implementations of smart contract-based access control, Role-based Access Control and Access Control List. Finally, we discuss the strengths and drawbacks of our proposal. SmartAccess requires the overhead of a decentralised system, but the trade-off is transparency, regulation compliance and auditability for complex cross-organisation data sharing.

Published

2022

12. SPChain: A Smart and Private Blockchain-Enabled Framework for Combining GDPR-Compliant Digital Assets Management With AI Models

Author

Wei-Shan Lee, John A, Hsiu-Chun Hsu, and Pao-Ann Hsiung

Subjects

Blockchain, AI smart contracts, GDPR, digital asset management, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

In the traditional approach to a digital asset management system, the data processing mechanism is not transparent or visible to the data owners since the data is managed solely by the service provider. With the rapid development of blockchain technology, the above issues can be resolved by leveraging the tamper-resistance and decentralization characteristics of blockchain. However, post the implementation of the EU General Data Protection Rules (GDPR) in 2018, the protection of data owners has taken center stage. This has led to several principles of personal data deletion, such as Storage Limit and the Right to Be Forgotten to conflict with the blockchain. It is also observed that, out of the various smart contracts deployed to manage digital assets, often only specific smart contracts are invoked, while the rest of the deployed smart contracts are rarely invoked, leading to smart contract designs exhibiting similar patterns with very little creativity. This current scenario has motivated us to propose SPChain, a smarter and private GDPR-compliant digital asset management framework enabled by blockchain. In this approach, a decentralized InterPlanetary File System has been adopted to solve the problem of SPOF. In addition, the combination of digital assets with artificial intelligence models has been proposed so as to make digital assets accessible to a larger number of applications and to enable better creativity. In this design, artificial intelligence models have been run in independent, virtualized containers and invoked through smart contracts. The proposed SPChain can be applied to the field of digital art management to provide a complete implementation based on the Hyperledger Fabric. Using this proposed framework, model developers, digital art creators, collectors, service providers, as well as third parties can not only benefit from securely managing digital assets and combining them with AI models, but also from simultaneously complying with the rights stipulated in the GDPR. During the course of the experiments conducted, the latency, throughput, and resource consumption of different functions in the smart contracts have been measured. After adjusting the batch timeout of the block and the maximum number of transactions in a block, the throughputs were observed to be about 500 TPS, with 10 to 15 TPS for reading and writing operations, respectively. The latency ranges were found to range from 0 to 7 seconds, with 2.5 to 5 seconds for reading and writing operations, respectively.

Published

2022

13. Will EU’s GDPR Act as an Effective Enforcer to Gain Consent?

Author

Junhyoung Oh, Jinhyoung Hong, Changsoo Lee, Jemin Justin Lee, Simon S. Woo, and Kyungho Lee

Subjects

GDPR, privacy policy, consent, privacy, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Since the GDPR was implemented in 2018, organizations that collect data from the EU residents are required to receive the user’s consent. Organizational measures to ensure that the organizations are compliant to the recently enacted GDPR are still abstract and ambiguous. Moreover, data subjects and controllers have demanded the practice of obtaining consent from organizations. By observing the case law and guidelines related to the GDPR provisions, we deduced four consent conditions. Then, we examined how online service provider’s websites are making efforts to implement the GDPR framework. For this, we identified key characteristics of these websites, such as the existence of consent buttons. In order to help the data subjects obtain consent, we proposed an automatic tool that can check the consent conditions by checking the websites. Our study examined 10,000 websites for 26 days using the Python libraries with the tool automatically crawling the website information and analyzes the HTML structure according to the specified conditions. In addition, this tool crawls the privacy policy of each website. Moreover, it automatically determines whether it meets the four consent conditions by calculating it according to the formula defined in the consent condition. To evaluate the tool’s accuracy, the researchers manually analyzed 500 websites and compared the manual analysis with the results of the tool’s automatic analysis. We found that this tool differentiates itself through qualitative comparisons with other GDPR meters.

Published

2021

14. AI Ethics: Algorithmic Determinism or Self-Determination? The GPDR Approach

Author

Maria Milossi, Eugenia Alexandropoulou-Egyptiadou, and Konstantinos E. Psannis

Subjects

AI, privacy, data protection, ethics, GDPR, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Artificial Intelligence (AI) refers to systems designed by humans, interpreting the already collected data and deciding the best action to take, according to the pre-defined parameters, in order to achieve the given goal. Designing, trial and error while using AI, brought ethics to the center of the dialogue between tech giants, enterprises, academic institutions as well as policymakers. Ethical challenges in AI brought ethical AI framework in place in an attempt to regulate people’s lives and interactions, used for the benefit of society, for the human rights’ protection as well as for the respect of individual’s privacy and autonomy. The paper aims to summarize and critically evaluate the basic principles for the use of AI, with emphasis to the General Data Protection Regulation’s (GDPR) approach, concerning data subject’s consent, data protection principles and data subject’s rights in a context of ‘privacy by design’ architecture.

Published

2021

15. A Study of South Asian Websites on Privacy Compliance

Author

Yousra Javed, Khondaker Musfakus Salehin, and Mohamed Shehab

Subjects

Accessibility, data protection, GDPR, privacy compliance, privacy law, readability, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Privacy laws in South Asian countries are still at a nascent stage. Therefore, South Asian websites are susceptible to user privacy violation. This paper presents an assessment of website privacy policies from 10 sectors in the three largest South Asian economies, namely, India, Pakistan, and Bangladesh. Using a manual qualitative analysis on a dataset of 284 popular websites, we assessed the policies based on accessibility, readability, and compliance with 11 privacy principles. Our findings show that overall, the privacy statement accessibility, and privacy compliance of websites from the three countries is low especially in the education, healthcare, and government sectors. Readability is quite low for websites in all 10 sectors of the three countries. Privacy compliance in each country is the highest for the principles of data processing and third-party transfer, whereas it is the lowest for protection of children's data, data retention and portability. Indian websites performed comparatively better amongst the three countries on all three metrics, followed by Pakistan, and Bangladesh. Based on our results, we provide recommendations involving all stakeholders (i.e., website owners, privacy regulators, and users) to help improve privacy protection of user data in South Asia.

Published

2020

16. Smart City IoT Platform Respecting GDPR Privacy and Security Aspects

Author

Claudio Badii, Pierfrancesco Bellini, Angelo Difino, and Paolo Nesi

Subjects

End-2-end, GDPR, IoT, security, smart city, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

The Internet of Things (IoT) paradigm enables computation and communication among tools that everyone uses daily. The vastness and heterogeneity of devices and their composition offer innovative services and scenarios that require a new challenging vision in interoperability, security and data management. Many IoT frameworks and platforms claimed to have solved these issues, aggregating different sources of information, combining their data flows in new innovative services, providing security robustness with respect to vulnerability and respecting the GDPR (General Data Protection Regulation) of the European Commission. Due to the potentially very sensible nature of some of these data, privacy and security aspects have to be taken into account by design and by default. In addition, an end-to-end secure solution has to guarantee a secure environment at the final users for their personal data, in transit and storage, which have to remain under their full control. In this paper, the Snap4City architecture and its security solutions that also respect the GDPR are presented. The Snap4City solution addresses the full stack security, ranging from IoT Devices, IoT Edge on premises, IoT Applications on the cloud and on premises, Data Analytics, and Dashboarding, presenting a number of integrated security solutions that go beyond the state of the art, as shown in the platform comparison. The stress test also included the adoption of penetrations tests verifying the robustness of the solution with respect to a large number of potential vulnerability aspects. The stress security assessments have been performed in a piloting period with more than 1200 registered users, thousands of processes per day, and more than 1.8 million of complex data ingested per day, in large cities such as Antwerp, Helsinki and the entire Tuscany region. Snap4City is a solution produced in response to a research challenge launched by the Select4Cities H2020 research and development project of the European Commission. Select4Cities identified a large number of requirements for modern Smart Cities that support IoT/IoE (Internet of Things/Everything) in the hands of public administrations and Living Labs, and selected a number of solutions. Consequently, at the end of the process after 3 years of work, Snap4City has been identified as the winning solution.

Published

2020

17. GDPR Interference With Next Generation 5G and IoT Networks

Author

Stavroula Rizou, Eugenia Alexandropoulou-Egyptiadou, and Konstantinos E. Psannis

Subjects

Data privacy, 5G networks, GDPR, the IoT, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

This article examines the specific data protection framework with regards to 5G networks, which is the current high-end evolution of the previous four generations of cellular technology networks. Taking into consideration practical issues, that have emerged from 5G (Fifth Generation) technology, the scope is the presentation of legal solutions. As this digital mobile transformation will begin from 2020, affecting applications of a wide range of services in energy sector, transport services, banking sector, health field, as well as in industrial control systems, and progressively in everyday life through all smart devices. It is crucial to specialize and sum up the interference between European data protection legal framework and 5G networks, in order to provide a new path to the addressing issues.

Published

2020

18. Engineering Privacy in Smartphone Apps: A Technical Guideline Catalog for App Developers

Author

Majid Hatamian

Subjects

App, developers, GDPR, guideline catalog, privacy engineering, smartphone apps, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

With the rapid growth of technology in recent years, we are surrounded by or even dependent on the use of technological devices such as smartphones as they are now an indispensable part of our life. Smartphone applications (apps) provide a wide range of utilities such as navigation, entertainment, fitness, etc. To provide such context-sensitive services to users, apps need to access users' data including sensitive ones, which in turn, can potentially lead to privacy invasions. To protect users against potential privacy invasions in such a vulnerable ecosystem, legislation such as the European Union General Data Protection Regulation (EU GDPR) demands best privacy practices. Therefore, app developers are required to make their apps compatible with legal privacy principles enforced by law. However, this is not an easy task for app developers to comprehend purely legal principles to understand what needs to be implemented. Similarly, bridging the gap between legal principles and technical implementations to understand how legal principles need to be implemented is another barrier to develop privacy-friendly apps. To this end, this paper proposes a privacy and security design guide catalog for app developers to assist them in understanding and adopting the most relevant privacy and security principles in the context of smartphone apps. The presented catalog is aimed at mapping the identified legal principles to practical privacy and security solutions that can be implemented by developers to ensure enhanced privacy aligned with existing legislation. Through conducting a case study, it is confirmed that there is a significant gap between what developers are doing in reality and what they promise to do. This paper provides researchers and developers of privacy-related technicalities an overview of the characteristics of existing privacy requirements needed to be implemented in smartphone ecosystems, on which they can base their work.

Published

2020

19. MuLViS: Multi-Level Encryption Based Security System for Surveillance Videos

Author

Amna Shifa, Mamoona N. Asghar, Martin Fleury, Nadia Kanwal, Mohammad S. Ansari, Brian Lee, Marco Herbst, and Yuansong Qiao

Subjects

GDPR, ontology, partial encryption, privacy protection, video surveillance, surveillance cameras, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Video Surveillance (VS) systems are commonly deployed for real-time abnormal event detection and autonomous video analytics. Video captured by surveillance cameras in real-time often contains identifiable personal information, which must be privacy protected, sometimes along with the locations of the surveillance and other sensitive information. Within the Surveillance System, these videos are processed and stored on a variety of devices. The processing and storage heterogeneity of those devices, together with their network requirements, make real-time surveillance systems complex and challenging. This paper proposes a surveillance system, named as Multi-Level Video Security (MuLViS) for privacy-protected cameras. Firstly, a Smart Surveillance Security Ontology (SSSO) is integrated within the MuLViS, with the aim of autonomously selecting the privacy level matching the operating device's hardware specifications and network capabilities. Overall, along with its device-specific security, the system leads to relatively fast indexing and retrieval of surveillance video. Secondly, information within the videos are protected at the times of capturing, streaming, and storage by means of differing encryption levels. An extensive evaluation of the system, through visual inspection and statistical analysis of experimental video results, such as by the Encryption Space Ratio (ESR), has demonstrated the aptness of the security level assignments. The system is suitable for surveillance footage protection, which can be made General Data Protection Regulation (GDPR) compliant, ensuring that lawful data access respects individuals' privacy rights.

Published

2020

20. Visual Surveillance Within the EU General Data Protection Regulation: A Technology Perspective

Author

Mamoona N. Asghar, Nadia Kanwal, Brian Lee, Martin Fleury, Marco Herbst, and Yuansong Qiao

Subjects

Blockchain, CCTV, cryptography, data protection-by-design, gdpr, pseudonymisation, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

From an individual's perspective, technological advancement has merits and demerits. Video captured by surveillance cameras while a person goes about their daily life may improve their personal safety but the images collected may also represent an invasion of their privacy. Because of the ease of digital information sharing, there exists a need to protect that visual information from illegal utilization by untrusted parties. The European parliament has ratified the General Data Protection Regulation (GDPR), which has been effective since May 2018 with a view to ensuring the privacy of European Union (EU) citizens' and visitors' personal data. The regulation has introduced data safeguards through Pseudonymisation, Encryption, and Data protection-by-design. However, the regulation does not assist with technical and implementation procedures, such as video redaction, to establish those safeguards. This paper refers to the GDPR term “personal data” as “visual personal data” and aims to discuss regulatory safeguards of visual privacy, such as reversible protection, from the technological point-of-view. In the context of GDPR, the roles of machine learning (i.e. within computer vision), image processing, cryptography, and blockchain are explored as a way of deploying Data Protection-by-Design solutions for visual surveillance data. The paper surveys the existing market-based data protection solutions and provides suggestions for the development of GDPR-compliant Data Protection-by-Design video surveillance systems. The paper is also relevant for those entities interacting with EU citizens from outside the EU and for those regions not currently covered by such regulation that may soon implement similar provisions.

Published

2019

21. Decision Provenance: Harnessing Data Flow for Accountable Systems

Author

Jatinder Singh, Jennifer Cobbe, and Chris Norval

Subjects

Accountability, AI, algorithmic & automated decision-making, data management, GDPR, governance, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Demand is growing for more accountability regarding the technological systems that increasingly occupy our world. However, the complexity of many of these systems—often systems-of-systems—poses accountability challenges. A key reason for this is because the details and nature of the information flows that interconnect and drive systems, which often occur across technical and organizational boundaries, tend to be invisible or opaque. This paper argues that data provenance methods show much promise as a technical means for increasing the transparency of these interconnected systems. Specifically, given the concerns regarding ever-increasing levels of automated and algorithmic decision-making, and so-called “algorithmic systems” in general, we propose decision provenance as a concept showing much promise. Decision provenance entails using provenance methods to provide information exposing decision pipelines: chains of inputs to, the nature of, and the flow-on effects from the decisions and actions taken (at design and run-time) throughout systems. This paper introduces the concept of decision provenance, and takes an interdisciplinary (tech-legal) exploration into its potential for assisting accountability in algorithmic systems. We argue that decision provenance can help facilitate oversight, audit, compliance, risk mitigation, and user empowerment, and we also indicate the implementation considerations and areas for research necessary for realizing its vision. More generally, we make the case that considerations of data flow, and systems more broadly, are important to discussions of accountability, and complement the considerable attention already given to algorithmic specifics.

Published

2019

22. Analysis of Facebook Interaction as Basis for Synthetic Expanded Social Graph Generation

Author

Luka Humski, Damir Pintar, and Mihaela Vranic

Subjects

Clustering users, correlation matrix, Dunbar’s number, expanded social graph, Facebook, GDPR, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Social networks have long been the subject of scientific researches, frequently hindered by the unavailability of representative datasets. The advent of online social networks (OSNs), which store data about interactions between billions of people, has greatly alleviated this problem. Since user interaction on the OSNs can correspond to their real-life relationships, OSN datasets quickly became a highly sought-after resource for social network research. However, enabling open access to such data entails serious security and privacy risks, especially after the introduction of the European General Data Protection Regulation. Some researchers mitigate this problem through anonymization, while others argue for the creation of synthetic datasets. We consider synthetic datasets preferable since they circumvent the security and privacy issues. Existing synthetic dataset generators produce a social graph containing only information whether a pair of nodes are connected. However, interpersonal relationships are much more complex. Because of that, our research considers the possibility of generating a synthetic expanded social graph which, in addition to the information about the existence of a connection between a pair of users, also provides information about the types and intensities of users’ interactions. As Facebook is the leading OSN today, we performed an extensive analysis of Facebook users’ interaction records with the aim of getting an insight into real-life interaction patterns. In this paper, we present results of this analysis at ego-user level and offer the conceptual solution for synthetic expanded social graph generation, which uses conducted analysis results as its basis.

Published

2019

23. Modifiable Public Blockchains Using Truncated Hashing and Sidechains

Author

Nam-Yong Lee, Jinhong Yang, Md Mehedi Hassan Onik, and Chul-Soo Kim

Subjects

Bitcoin, GDPR, multichain, proof of work, right to be forgotten, truncated hash function, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

The immutability of the blockchain technology facilitates it to establish a general consensus in a trustless environment, enabling a wide range of new applications, including distributed general-purpose data management and digital data sharing marketplace. This immutability, however, presents disadvantages for the blockchain technology, when it is used in other areas where the modification of data in blockchain is demanded. In this study, we propose a method for building modifiable blockchains in decentralized public network. To be specific, in computing the hash value of the block, the proposed method uses truncated hash values (these are called ‘target values’ in this paper) of the transactions that are modifiable upon future requests, instead of transactions themselves. By doing so, the proposed method provides an opportunity to modify those transactions by making truncated hash values of modified versions equal to their original target values. The proposed method uses several cryptographic techniques to prevent the modification of the transaction from being performed for malicious purposes, and a multichain structure to improve the efficiency in transaction modification. By accommodating the modification feature to the blockchain, proposed architecture complies to key demands of the data protection regulations such as ‘right to rectification’, ‘right to withdraw consent’, and ‘right to be forgotten’, et cetera. In addition, detailed threat analysis demonstrates that the proposed truncated hash-based modification is sufficiently secure to open up a wide range of new blockchain based services through added modifiability feature.

Published

2019

24. Tools for Achieving Usable Ex Post Transparency: A Survey

Author

Patrick Murmann and Simone Fischer-Hubner

Subjects

GDPR, HCI, privacy, transparency, usability, visualization, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Transparency of personal data processing is a basic privacy principle and a right that is well acknowledged by data protection legislation, such as the EU general data protection regulation (GDPR). The objective of ex post transparency enhancing tools (TETs) is to provide users with insight about what data have been processed about them and what possible consequences might arise after their data have been revealed, that is, ex post. This survey assesses the state of the art in scientific literature of the usability of ex post TETs enhancing privacy and discusses them in terms of their common features and unique characteristics. The article first defines the scope of usable transparency in terms of relevant privacy principles for providing transparency by taking the GDPR as a point of reference, and usability principles that are important for achieving transparency. These principles for usable transparency serve as a reference for classifying and assessing the surveyed TETs. The retrieval and screening process of the publications is then described, as is the process for deriving the subsequent classification of the characteristics of the TETs. The survey not only looks into what is made transparent by the TETs but also how transparency is actually achieved. A main contribution of this survey is a proposed classification that assesses the TETs based on their functionality, implementation and evaluation as described in the literature. It concludes by discussing the trends and limitations of the surveyed TETs in regard to the defined scope of usable TETs and shows possible directions of future research for addressing these gaps. This survey provides researchers and developers of privacy enhancing technologies an overview of the characteristics of state of the art ex post TETs, on which they can base their work.

Published

2017

25. Smart City IoT Platform Respecting GDPR Privacy and Security Aspects

Author

Angelo Difino, Pierfrancesco Bellini, Claudio Badii, and Paolo Nesi

Subjects

IoT, General Computer Science, Computer science, Data management, Interoperability, Vulnerability, Cloud computing, 02 engineering and technology, security, Computer security, computer.software_genre, Smart city, 11. Sustainability, 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, GDPR, business.industry, General Engineering, 020206 networking & telecommunications, End-2-end, smart city, General Data Protection Regulation, 020201 artificial intelligence & image processing, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, computer, lcsh:TK1-9971

Abstract

The Internet of Things (IoT) paradigm enables computation and communication among tools that everyone uses daily. The vastness and heterogeneity of devices and their composition offer innovative services and scenarios that require a new challenging vision in interoperability, security and data management. Many IoT frameworks and platforms claimed to have solved these issues, aggregating different sources of information, combining their data flows in new innovative services, providing security robustness with respect to vulnerability and respecting the GDPR (General Data Protection Regulation) of the European Commission. Due to the potentially very sensible nature of some of these data, privacy and security aspects have to be taken into account by design and by default. In addition, an end-to-end secure solution has to guarantee a secure environment at the final users for their personal data, in transit and storage, which have to remain under their full control. In this paper, the Snap4City architecture and its security solutions that also respect the GDPR are presented. The Snap4City solution addresses the full stack security, ranging from IoT Devices, IoT Edge on premises, IoT Applications on the cloud and on premises, Data Analytics, and Dashboarding, presenting a number of integrated security solutions that go beyond the state of the art, as shown in the platform comparison. The stress test also included the adoption of penetrations tests verifying the robustness of the solution with respect to a large number of potential vulnerability aspects. The stress security assessments have been performed in a piloting period with more than 1200 registered users, thousands of processes per day, and more than 1.8 million of complex data ingested per day, in large cities such as Antwerp, Helsinki and the entire Tuscany region. Snap4City is a solution produced in response to a research challenge launched by the Select4Cities H2020 research and development project of the European Commission. Select4Cities identified a large number of requirements for modern Smart Cities that support IoT/IoE (Internet of Things/Everything) in the hands of public administrations and Living Labs, and selected a number of solutions. Consequently, at the end of the process after 3 years of work, Snap4City has been identified as the winning solution.

Published

2020

26. GDPR Interference With Next Generation 5G and IoT Networks

Author

Konstantinos E. Psannis, Eugenia Alexandropoulou-Egyptiadou, and Stavroula Rizou

Subjects

General Computer Science, Scope (project management), Computer science, business.industry, 020208 electrical & electronic engineering, General Engineering, 020206 networking & telecommunications, 02 engineering and technology, Industrial control system, the IoT, Field (computer science), 5G networks, Order (exchange), 0202 electrical engineering, electronic engineering, information engineering, Cellular network, Data Protection Act 1998, General Materials Science, lcsh:Electrical engineering. Electronics. Nuclear engineering, GDPR, Telecommunications, business, Everyday life, Data privacy, lcsh:TK1-9971, 5G

Abstract

This article examines the specific data protection framework with regards to 5G networks, which is the current high-end evolution of the previous four generations of cellular technology networks. Taking into consideration practical issues, that have emerged from 5G (Fifth Generation) technology, the scope is the presentation of legal solutions. As this digital mobile transformation will begin from 2020, affecting applications of a wide range of services in energy sector, transport services, banking sector, health field, as well as in industrial control systems, and progressively in everyday life through all smart devices. It is crucial to specialize and sum up the interference between European data protection legal framework and 5G networks, in order to provide a new path to the addressing issues.

Published

2020

27. Modifiable Public Blockchains Using Truncated Hashing and Sidechains

Author

Chul-Soo Kim, Jinhong Yang, Mehedi Hassan Onik, and Nam-Yong Lee

Subjects

proof of work, Blockchain, General Computer Science, Computer science, Distributed computing, Data management, Hash function, Cryptography, 02 engineering and technology, 0202 electrical engineering, electronic engineering, information engineering, Data Protection Act 1998, multichain, right to be forgotten, General Materials Science, Electrical and Electronic Engineering, GDPR, Block (data storage), business.industry, General Engineering, 020206 networking & telecommunications, truncated hash function, Key (cryptography), 020201 artificial intelligence & image processing, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, Database transaction, lcsh:TK1-9971, Bitcoin

Abstract

The immutability of the blockchain technology facilitates it to establish a general consensus in a trustless environment, enabling a wide range of new applications, including distributed general-purpose data management and digital data sharing marketplace. This immutability, however, presents disadvantages for the blockchain technology, when it is used in other areas where the modification of data in blockchain is demanded. In this study, we propose a method for building modifiable blockchains in decentralized public network. To be specific, in computing the hash value of the block, the proposed method uses truncated hash values (these are called `target values' in this paper) of the transactions that are modifiable upon future requests, instead of transactions themselves. By doing so, the proposed method provides an opportunity to modify those transactions by making truncated hash values of modified versions equal to their original target values. The proposed method uses several cryptographic techniques to prevent the modification of the transaction from being performed for malicious purposes, and a multichain structure to improve the efficiency in transaction modification. By accommodating the modification feature to the blockchain, proposed architecture complies to key demands of the data protection regulations such as `right to rectification', `right to withdraw consent', and `right to be forgotten', et cetera. In addition, detailed threat analysis demonstrates that the proposed truncated hash-based modification is sufficiently secure to open up a wide range of new blockchain based services through added modifiability feature.

Published

2019

28. Visual Surveillance Within the EU General Data Protection Regulation: A Technology Perspective

Author

Nadia Kanwal, Mamoona Naveed Asghar, Marco Herbst, Brian Lee, Martin Fleury, and Yuansong Qiao

Subjects

Blockchain, General Computer Science, Computer science, Parliament, media_common.quotation_subject, Internet privacy, Context (language use), Cryptography, ComputingMilieux_LEGALASPECTSOFCOMPUTING, 02 engineering and technology, Encryption, 0202 electrical engineering, electronic engineering, information engineering, Data Protection Act 1998, media_common.cataloged_instance, General Materials Science, CCTV, European union, GDPR, Pseudonymisation, Data protection-by-design, media_common, cryptography, business.industry, Information sharing, Perspective (graphical), General Engineering, 020207 software engineering, gdpr, Visual privacy, data protection-by-design, Video redaction, General Data Protection Regulation, Crytography, Reversible protection, pseudonymisation, 020201 artificial intelligence & image processing, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, lcsh:TK1-9971, Software Research Institute AIT

Abstract

From an individual's perspective, technological advancement has merits and demerits. Video captured by surveillance cameras while a person goes about their daily life may improve their personal safety but the images collected may also represent an invasion of their privacy. Because of the ease of digital information sharing, there exists a need to protect that visual information from illegal utilization by untrusted parties. The European parliament has ratified the General Data Protection Regulation (GDPR), which has been effective since May 2018 with a view to ensuring the privacy of European Union (EU) citizens' and visitors' personal data. The regulation has introduced data safeguards through Pseudonymisation, Encryption, and Data protection-by-design. However, the regulation does not assist with technical and implementation procedures, such as video redaction, to establish those safeguards. This paper refers to the GDPR term “personal data” as “visual personal data” and aims to discuss regulatory safeguards of visual privacy, such as reversible protection, from the technological point-of-view. In the context of GDPR, the roles of machine learning (i.e. within computer vision), image processing, cryptography, and blockchain are explored as a way of deploying Data Protection-by-Design solutions for visual surveillance data. The paper surveys the existing market-based data protection solutions and provides suggestions for the development of GDPR-compliant Data Protection-by-Design video surveillance systems. The paper is also relevant for those entities interacting with EU citizens from outside the EU and for those regions not currently covered by such regulation that may soon implement similar provisions.

Published

2019