An EU-funded project has developed a secure means of accessing online services that requires users to provide minimal personal information. This privacy-enhancing technology could have significant applications in large institutions such as schools, universities and organisations with high levels of customer contact.

Digital Economy

When you log into social media, access a restricted site or perform any number of online activities, the identification and authentication procedures that you have to follow help to keep your transactions safe. There are growing concerns however that the amount of personal information you are required to share could represent an unnecessary breach of your privacy. This is why the EU-funded ABC4TRUST project has developed a new approach that aims to keep systems secure while protecting users’ identities. When less is more ‘Many websites require “over-identification”, which means that they ask for knowledge about you that is simply not needed,’ explains project coordinator Prof. Dr. Kai Rannenberg from Goethe University in Frankfurt, Germany. ‘Collecting lots of information in order to identify and authenticate people could backfire if this information gets into the wrong hands.’ Through a series of ground breaking trials, Rannenberg and his team demonstrated that users can be authenticated and authorised using minimal personal information, and enabled to choose what information they are willing to share. This was accomplished using privacy-enhancing Attribute-based Credentials (Privacy ABCs). The technology has huge potential in institutions where data on individuals must be protected, such as in education, but also commercial scenarios in general. ‘Privacy-ABCs allow users to log into a service by proving that only certain parts of a larger certificate are valid, such as belonging to a specific school class,’ explains Rannenberg. ‘While minimal data is necessary to access certain services, the integrity of the user is maintained.’ Young digital pioneers The ABC4TRUST team showed in real life situations exactly how the new technology can benefit both users and institutions. At Norrtullskolan secondary school in Söderhamn, Sweden for example, pupils wishing to access online counselling services could not – until recently – use a pseudonym; they had to identify themselves by name so the school could check whether they were allowed to use them. In order to maintain anonymity while guaranteeing security, the ABC4TRUST pilot scheme issued each child with a ‘deck’ of digital certificates that validate information like their enrolment status, their date of birth and so on. Pupils, able to remain unidentified, appeared to be more willing to talk about their problems. ‘Schools have to react to ongoing digitalisation, e.g. by introducing ‘Internet competence,’ into the curriculum,’ says Rannenberg. ‘Implementing Privacy-ABCs into school networks could be part of this. Active negotiations are now underway to integrate the pilots into larger systems, so in the not so far future we expect more European public services and other organisations to switch to Privacy-ABCs.’ Another pilot trialled at the University of Patras, Greece provided students with a smart card that was used to obtain Privacy-ABCs, issued by the university. Students could use the card to anonymously collect proof of attendance by swiping it in front of a device set up in the lecture room. The card also allowed students to give anonymous feedback on their courses and lecturers, while ensuring that only students who attended classes often enough can take part in the polls. ‘While Privacy-ABC technology has been shown to be usable, improvements now need to be made, such as adapting it for smartphone applications,’ says Rannenberg. ‘Here the challenge is not so much the Privacy-ABC technology itself, but rather the insecurity of current smartphones compared to the smart cards used in trials.’ The current version of the ABC4Trust Engine source code can be obtained from the ABC4Trust resource page. ‘It was a decision by the consortium to make the architecture implementation available to all, in order to improve applications,’ says Rannenberg. ‘App developers and eID providers have shown great interest in our work.’

Keywords

ABC4TRUST, personal data, social media, cyber security, privacy ABCs, students, anonymous