Tesis sobre el tema "Privicy protection"

La présente thèse propose une analyse approfondie du cadre juridique entourant la protection des données personnelles au sein de l'Union Économique et Monétaire Ouest-Africaine (UEMOA), particulièrement le Burkina Faso, la Côte d’Ivoire, le Niger et le Sénégal – l’espace étudié. Elle s'attarde sur les motivations ayant conduit ces États à adopter des législations spécifiques influencées par des modèles étrangers, notamment le modèle français de la Loi Informatique et Libertés, plutôt que de se baser sur des références nationales ou communautaires.Cette analyse explore le processus de création de ces réglementations, du développement législatif aux initiatives des institutions internationales. Un intérêt particulier est accordé à l'influence de l'Organisation Internationale de la Francophonie (OIF) ainsi que la Commission de l’Informatique et des Libertés française dans la promotion des premières législations nationales au sein de cet espace.La thèse procède également à une comparaison détaillée entre les réglementations en vigueur au sein de l'UEMOA et le Règlement Général sur la Protection des Données (RGPD) de l'Union européenne. Cette comparaison met en lumière les similitudes et les distinctions significatives, notamment en ce qui concerne la portée d'application, la responsabilité des acteurs, et les droits des individus concernés.En outre, l'étude examine la mise en œuvre pratique de ces réglementations, en se penchant sur le rôle des acteurs clés notamment les autorités de contrôle, les responsables de traitement, des Organisations de la Société Civile (OSC) ainsi que les personnes protégées de chaque État. Elle analyse les défis auxquels sont confrontées les autorités de contrôle et les politiques de coopération visant à renforcer l'effectivité du droit des données personnelles.Enfin, la thèse explore les limites de ce droit des données personnelles, notamment son interaction avec les politiques publiques dans le domaine des télécommunications et les enjeux liés à la cybercriminalité.Dans l'ensemble, ce travail offre une vision complète et nuancée du droit des données personnelles au sein de l'UEMOA, mettant en lumière les motivations, les réalisations, les obstacles et les perspectives dans un contexte juridique africain en constante évolution. Il constitue une contribution significative à la compréhension de la protection des données personnelles dans le contexte africain sur le plan juridique
This thesis provides an in-depth analysis of the legal framework surrounding the protection of personal data within the West African Economic and Monetary Union (WAEMU), specifically focusing on Burkina Faso, Côte d'Ivoire, Niger, and Senegal – the areas under study. It delves into the motivations that led these states to adopt specific legislations influenced by foreign models, notably the French model of the "Loi Informatique et Libertés," rather than relying on national or community references.This analysis explores the development process of these regulations, from legislative evolution to international institutions' initiatives. Special attention is given to the influence of the International Organization of La Francophonie (IOF) and the French Commission for Data Protection (Commission de l'Informatique et des Libertés) in promoting the initial national legislations within this region.Furthermore, the thesis conducts a detailed comparison between the existing regulations within WAEMU and the European Union's General Data Protection Regulation (GDPR). This comparison highlights significant similarities and differences, particularly concerning the scope of application, stakeholders' responsibilities, and the rights of the individuals concerned.Moreover, the study examines the practical implementation of these regulations, focusing on key actors, including regulatory authorities, data controllers, Civil Society Organizations (CSOs), and data subjects in each state. It analyzes the challenges faced by regulatory authorities and cooperation policies aimed at enhancing the effectiveness of personal data rights.Finally, the thesis explores the limitations of personal data rights, particularly in their interaction with public policies in the telecommunications sector and the issues related to cybercrime.Overall, this work offers a comprehensive and nuanced perspective on personal data rights within WAEMU, shedding light on the motivations, achievements, challenges, and prospects in the ever-evolving African legal context. It constitutes a significant contribution to the understanding of personal data protection in the African legal context

The main purpose of the thesis is to study Privacy and how protecting Privacy, including the new regulation framework proposed by EU the GDPR, investigating how static analysis could help GDPR enforcement, and develop a new static analysis prototype to fulfill this task in practice. GDPR (General Data Protection Regulation) is a recent European regulation to harmonize and enforce data privacy laws across Europe, to protect and empower all EU citizens data privacy, and to reshape the way organizations deal with sensitive data. This regulation has been enforced starting from May 2018. While it is already clear that there is no unique solution to deal with the whole spectrum of GDPR, it is still unclear how static analysis might help enterprises to fulfill the constraints imposed by this regulation.

Cloud is becoming the most popular computing infrastructure because it can attract more and more traditional companies due to flexibility and cost-effectiveness. However, privacy concern is the major issue that prevents users from deploying on public clouds. My research focuses on protecting user's privacy in cloud computing. I will present a hardware-based and a migration-based approach to protect user's privacy. The root cause of the privacy problem is current cloud privilege design gives too much power to cloud providers. Once the control virtual machine (installed by cloud providers) is compromised, external adversaries will breach users’ privacy. Malicious cloud administrators are also possible to disclose user’s privacy by abusing the privilege of cloud providers. Thus, I develop two cloud architectures – MyCloud and MyCloud SEP to protect user’s privacy based on hardware virtualization technology. I eliminate the privilege of cloud providers by moving the control virtual machine (control VM) to the processor’s non-root mode and only keep the privacy protection and performance crucial components in the Trust Computing Base (TCB). In addition, the new cloud platform can provide rich functionalities on resource management and allocation without greatly increasing the TCB size. Besides the attacks to control VM, many external adversaries will compromise one guest VM or directly install a malicious guest VM, then target other legitimate guest VMs based on the connections. Thus, collocating with vulnerable virtual machines, or ”bad neighbors” on the same physical server introduces additional security risks. I develop a migration-based scenario that quantifies the security risk of each VM and generates virtual machine placement to minimize the security risks considering the connections among virtual machines. According to the experiment, our approach can improve the survivability of most VMs.

The prevalence of wireless networks and the convenience of mobile cameras enable many new video applications other than security and entertainment. From behavioral diagnosis to wellness monitoring, cameras are increasing used for observations in various educational and medical settings. Videos collected for such applications are considered protected health information under privacy laws in many countries. Visual privacy protection techniques, such as blurring or object removal, can be used to mitigate privacy concern, but they also obliterate important visual cues of affect and social behaviors that are crucial for the target applications. In this dissertation, we propose to balance the privacy protection and the utility of the data by preserving the privacy-insensitive information, such as pose and expression, which is useful in many applications involving visual understanding. The Intellectual Merits of the dissertation include a novel framework for visual privacy protection by manipulating facial image and body shape of individuals, which: (1) is able to conceal the identity of individuals; (2) provide a way to preserve the utility of the data, such as expression and pose information; (3) balance the utility of the data and capacity of the privacy protection. The Broader Impacts of the dissertation focus on the significance of privacy protection on visual data, and the inadequacy of current privacy enhancing technologies in preserving affect and behavioral attributes of the visual content, which are highly useful for behavior observation in educational and medical settings. This work in this dissertation represents one of the first attempts in achieving both goals simultaneously.

Online privacy has become one of the greatest concerns in the United States today. There are currently multiple stakeholders with interests in online privacy including the public, industry, and the United States government. This study examines the issues surrounding the protection of online privacy. Privacy laws in the United States are currently outdated and do little to protect online privacy. These laws are unlikely to be changed as both the government and industry have interests in keeping these privacy laws lax. To bridge the gap between the desired level of online privacy and what is provided legally users may turn to technological solutions.

Our personal privacy is being eroded from various directions as modern technologies bring lots of new threats towards our personal privacy. Unfortunately, people are often oblivious about it and accept invasion of privacy to a great extent without questions. This thesis is a presentation of our study dealing with privacy violations while using the Internet. It also includes a further investigation about unsolicited bulk email, which is one of many consequences of bad privacy protection. We have also examined the differences between the United States and the European Union and found that the fundamental privacy protection is better in the European Union. We have used different methods to complete this thesis such as studies of literature and articles as well as performing a spam study. Using these methods we have concluded that privacy violations on the Internet is a significant problem and that the Internet users have a right to an adequate privacy protection.

Abstract An unparalleled surge in video surveillance has occurred in recent years, due to some tragic events such as terror attacks, bank robberies and the activities of organized crime. Video surveillance technology has advanced significantly, which has even enabled the automatic tracking of individuals. However, in the opinion of the public the increase in security has brought about a decrease in personal privacy. Through video surveillance citizens could be monitored more easily than ever before, thus considerably intruding into their personal privacy. It was assumed that security and privacy in video surveillance was a zero-sum game in which citizens were forced to choose one over the other. This study was based on the belief that this notion is false. It was assumed that it can be possible to keep personal privacy while guaranteeing the utmost security. A solution to this issue was sought using Hevner’s design science research guidelines and design science research cycles. A video surveillance system was designed and constructed that would protect the personal privacy of uninvolved individuals under surveillance while still providing a high level of security, namely the Privacy Enhancing Video Surveillance system PEVS. PEVS protected the privacy of individuals by automatically scrambling the image regions where people were present in video streams. If a criminal act should take place, it was possible, with the proper authorization, to selectively unscramble the data of individuals of interest to analyze the situation. This enabled to analyze the situation without intruding into the privacy of uninvolved people on the one hand, while on the other hand using the data as evidence of possible criminal activity. Hence, the privacy of individuals was protected while maintaining the same level of security. PEVS provided the first technology-based video surveillance solution, which showed only relevant individuals in the image while leaving the identity of everyone else unrevealed. Therefore, the main contribution of this thesis was the construction of a novel approach to video surveillance systems, capable of selectively protecting the privacy of individuals. This included introducing an architecture for a privacy preserving video surveillance system, which consisted of several sub-constructs. These included storage techniques for privacy data and shadow detection and segmentation methods, which increased the accuracy and speed of previous methods. Further, novel security and privacy metrics for video surveillance were introduced. The overall system was a significant improvement over the existing knowledge base that has thus far seen only first steps to selective privacy protection but has failed to provide a complete system
Tiivistelmä Videovalvonnassa on tapahtunut viime vuosina merkittävää kasvua johtuen järkyttävistä tapahtumista kuten terrori-iskut, pankkiryöstöt ja järjestäytyneen rikollisuuden toimet. Videovalvontateknologia on kehittynyt merkittävästi mahdollistaen jopa yksittäisten ihmisten automaattisen seurannan. Turvallisuuden lisääntymisen katsotaan kuitenkin vähentäneen yksityisyyttä. Videovalvonnan avulla ihmisiä pystytään seuraamaan helpommin kuin koskaan aikaisemmin tunkeutuen täten heidän yksityisyytensä alueelle. On oletettu, että turvallisuus ja yksityisyys videovalvonnassa on nollasummapeliä, jossa kansalaisten on valittava yksityisyyden ja turvallisuuden välillä. Tämä tutkimus perustuu olettamukseen, että edellä esitetty ei pidä paikkaansa, vaan että on mahdollista suojata yksityisyys samalla taaten täysi turvallisuus. Ratkaisua tähän ongelmaan etsittiin suunnittelutieteellisen tutkimuksen avulla. Työssä suunniteltiin ja toteutettiin videovalvontajärjestelmä PEVS (Privacy Enhancing Video Surveillance system), joka suojaa valvonnanalaisten sivullisten yksityisyyttä ja siitä huolimatta tuottaa korkean turvallisuustason.. PEVS suojaa henkilöiden yksityisyyttä salaamalla automaattisesti videoaineistosta ne kuva-alat, joissa esiintyy ihmisiä. Mikäli laitonta toimintaa havaittaisiin, olisi riittävillä käyttöoikeuksilla mahdollista purkaa salaus mielenkiinnon kohteena olevien henkilöiden kohdalta tilanteen analysoimiseksi. Tämä mahdollisti yhtäältä puuttumattomuuden sivullisten yksityisyyteen ja toisaalta tiedon käyttämisen todistusaineistona mahdollisen rikoksen tutkimisessa. Tällä järjestelmällä yksityisyys oli mahdollista suojata samanaikaisesti, kun turvallisuudesta huolehdittiin. PEVS mahdollisti ensimmäistä kertaa maailmassa videovalvonnan, joka näyttää vain relevantit henkilöt jättäen muiden henkilöllisyyden paljastamatta. Sen takia tämän tutkimuksen merkittävin kontribuutio oli uudenlaisen lähestymistavan kehittäminen videovalvontaan, joka kykenee valikoivasti suojelemaan ihmisten yksityisyyttä. Tämä ratkaisu sisältää yksityisyyden suojaavan, useita rakenneosia sisältävän videovalvontajärjestelmäarkkitehtuurin esittelyn. Rakenneosiin kuuluu yksityisen tiedon tallennusmenetelmiä ja varjontunnistus- ja segmentointimetodeja, jotka paransivat aiemmin käytettyjen metodien tarkkuutta ja nopeutta. Lisäksi esiteltiin uudenlainen turvallisuus- ja yksityisyysmetriikka videovalvonnalle. Toteutettu järjestelmä on huomattava lisäys nykytietämykseen, jossa yksityisyyden suojan osalta on otettu vasta ensiaskelia ja joka ei mahdollista kattavaa järjestelmää

Tremendous advances in wearable computing and storage technologies enable us to record not just snapshots of an event but the whole human experience for a long period of time. Such a \life-logandamp;quot; system captures important events as they happen, rather than an after-thought. Such a system has applications in many areas such as law enforcement, personal archives, police questioning, and medicine. Much of the existing eandamp;reg;orts focus on the pattern recognition and information retrieval aspects of the system. On the other hand, the privacy issues raised by such an intrusive system have not received much attention from the research community. The objectives of this research project are two-fold: andamp;macr;rst, to construct a wearable life-log video system, and second, to provide a solution for protecting the identity of the subjects in the video while keeping the video useful. In this thesis work, we designed a portable wearable life-log system that implements audio distortion and face blocking in a real time to protect the privacy of the subjects who are being recorded in life-log video. For audio, our system automatically isolates the subject's speech and distorts it using a pitch- shifting algorithm to conceal the identity. For video, our system uses a real-time face detection, tracking and blocking algorithm to obfuscate the faces of the subjects. Extensive experiments have been conducted on interview videos to demonstrate the ability of our system in protecting the identity of the subject while maintaining the usability of the life-log video.

Dans cette thèse, nous nous intéressons à l'expression des principes de protection de la vie privée. Nous spécifions ces exigences de vie privée en proposant de les introduire dans les modèles des politiques de sécurité existants. Ainsi, nous suggérons l'application d'un seul modèle pour le contrôle d'accès et la protection de la vie privée. Le modèle de contrôle d'accès doit être étendu par de nouvelles conditions d'accès et de paramètres, à savoir les contextes, constituant les exigences de la vie privée. Pour cela, nous définissons le modèle Privacy-aware Organisation-Based Access Control (PrivOrBAC). L'administration de PrivOrBAC est manifestement différente des modèles d'administration des modèles contrôles d'accès. Nous identifions trois cas à introduire dans le modèle d'administration. Premièrement, à cause de l'attractivité des nouveaux services, les utilisateurs définissent généralement une politique de vie privée trop permissive qui ne correspond pas réellement à leurs préférences. Nous proposons que le contrôleur des données puisse prendre en charge la définition de la politique en se basant sur le contrat de service (SLA) incluant les préférences utilisateurs. Deuxièmement, le modèle d'administration doit prendre en compte la modélisation des interceptions légales. Cet accès est prioritaire vis à vis des préférences utilisateurs. Troisièmement, nous présentons le cas où les deux organisations, le contrôleur de données et les fournisseurs de services, doivent partager l'accès à la même ressource. Grâce au modèle d'interopérabilité O2O, les préférences utilisateurs peuvent être propagées et ainsi respectées par les organisations tierces demandant l'accès. Nous nous sommes focalisés sur les données de localisation qui représentent les données privées à protéger dans notre étude. Nous proposons une architecture prête à être déployer dans les systèmes d'information des services de localisation (LBS). Nous utilisons MotOrBAC, le prototype du modèle OrBAC, pour adapter notre solution au cadre des réseaux cellulaires. Nous avons aussi étendu la passerelle Parlay X par une nouvelle Privacy web service pour permettre un accès sécurisé et respectant la vie privée des fournisseurs de services aux données enregistrées dans les réseaux cellulaires
In this dissertation, we propose the expression and the modelling of the most important principles of privacy. We deduce the relevant privacy requirements that should be integrated in existing security policy models, such as RBAC models. We suggest the application of a unique model for both access control and privacy requirements. Thus, an access control model is to be enriched with new access constraints and parameters, namely the privacy contexts, which should implement the consent and the notification concepts. For this purpose, we introduce the privacy-aware Organisation role Based Access Control (OrBAC) model. The administration of this new model is significantly different from previous models. Three cases are identified. First, the privacy policy may be defined by the data collector but data owners have the possibility to set their preferences through a contracted Service Level Agreement (SLA). Second, the administration model allows legal organisations, for legal purposes, to impose their needs by bypassing user's preferences. Third, we present the case of a privacy policy which is negotiated between the data collector and the requestor based on user's preferences, defined in the SLA. Overall, our proposal is a distributed administration of privacy policies. Focusing on Location Based Services (LBSs), we finally propose a complete privacy framework ready to be deployed in information systems. We use the model prototype to adapt our solution to cellular networks when the requesters are the service providers. This prototype uses parlay gateways with web services. We also extend the set of Parlay X gateway standardised web services by proposing a dedicated privacy web service to enforce privacy protection

In many prevalent application domains, such as business to business network, social networks, and sensor networks, graphs serve as a powerful model to capture the complex relationships inside. These graphs are of significant importance in various domains such as marketing, psychology, and system design. The management and analysis of these graphs is a recurring research theme. The increasing scale of data poses a new challenge on graph analysis tasks. Meanwhile, the revealed edge uncertainty in the released graph raises new privacy concerns for the individuals involved. In this dissertation, we first study how to design an efficient distributed triangle listing algorithms for web-scale graphs with MapReduce. This is a challenging task since triangle listing requires accessing the neighbors of the neighbor of a vertex, which may appear arbitrarily in different graph partitions (poor locality in data access). We present the “Bermuda” method that effectively reduces the size of the intermediate data via redundancy elimination and sharing of messages whenever possible. Bermuda encompasses two general optimization principles that fully utilize the locality and re-use distance of local pivot message. Leveraging these two principles, Bermuda not only speeds up the triangle listing computations by factors up to 10 times but also scales up to larger datasets. Second, we focus on designing anonymization approach to resisting de-anonymization with little utility loss over uncertain graphs. In uncertain graphs, the adversary can also take advantage of the additional information in the released uncertain graph, such as the uncertainty of edge existence, to re-identify the graph nodes. In this research, we first show the conventional graph anonymization techniques either fails to guarantee anonymity or deteriorates utility over uncertain graphs. To this end, we devise a novel and efficient framework Chameleon that seamlessly integrates uncertainty. First, a proper utility evaluation model for uncertain graphs is proposed. It focuses on the changes on uncertain graph reliability features, but not purely on the amount of injected noise. Second, an efficient algorithm is designed to anonymize a given uncertain graph with relatively small utility loss as empowered by reliability-oriented edge selection and anonymity-oriented edge perturbing. Experiments confirm that at the same level of anonymity, Chameleon provides higher utility than the adaptive version of deterministic graph anonymization methods. Lastly, we consider resisting more complex re-identification risks and propose a simple-yet-effective Galaxy framework for anonymizing uncertain graphs by strategically injecting edge uncertainty based on nodes’ role. In particular, the edge modifications are bounded by the derived anonymous probabilistic degree sequence. Experiments show our method effectively generates anonymized uncertain graphs with high utility.

In recent years there has been a growing increase in the number of users that use smartphones,tablets, wearable technologies and other devices that users have with them constantly. The capability of these latest generation mobile devices to detect the position of the users has led to the emergence of ad-hoc services as well as geo-aware social networks (GeoSN). Even if the sharing of our locations can enhance many useful services, there are several practical cases that unveil the danger of sharing location indiscriminately. For instance, let’s suppose that a user has just told everyone that he is on vacation (and not at his house): if he adds how long his trip is, then thieves know exactly how much time they have to rob him. Many contributions in the scientific literature have shown how through the location information it is possible to infer several information about the user. It has been shown that it is possible to identify user’s identity, if he is anonymous in the LBS, and, if the user is not anonymous, it is feasible to infer user’s home location, habits and also politic preferences and sexual orientation. The scientific literature reflects this concerns, proposing many contributions that deal with privacy, in general, and location privacy, specifically. This dissertation deals with location privacy in Location Based Services and Geo-Social Networks. The goal is two-fold: on one hand we want to motivate the importance of the location privacy topic by identifying the privacy threats of sharing locations. In particular we study a new privacy threat, the co-location threat, and we further study an already known threat stemming from the use of distance preserving transformations.On the other hand, we want to propose privacy preserving techniques and tools: we propose a novel privacy preserving technique as well as presenting three (spatial and/or temporal) cloaking techniques, specifically designed for privacy techniques in which the privacy is granted by the use of a location’s generalisation.

Includes bibliographical references.
Personal privacy issues are relevant to the GIS community. The distribution and dissemination of personal data is greatly facilitated through GIS tools. The use of these tools has been expanded from traditionally geographical operations to applications in geodemographics, and it is particularly in geodemographics where the protection of privacy becomes an issue. This thesis examines existing privacy protection guidelines put forward by international commercial and governmental sectors; the current international position with regards to the protection of privacy is reviewed, and South African legislation pertaining to these issues is explored. On this basis, a set of privacy protection guidelines is developed which can assist GIS managers in South Africa in ensuring that data collection and management do not infringe on personal privacy.

El desenvolupament de noves tecnologies ha introduït el concepte de Computació Ubiqua, a on els objectes que ens envolten poden tenir processadors integrats i establir la comunicació amb altres sistemes, amb la finalitat d'oferir serveis personalitzats per ajudar-nos amb les nostres tasques habituals. No obstant això, a causa de que és possible tenir ordinadors en gairebé qualsevol lloc o objecte, això ha obert noves discussions sobre temes tals com la privadesa i la seguretat, considerats des de diferents punts de vista, com el desenvolupaments jurídics, socials, econòmics i tecnològics, amb una importància cada vegada major al món actual. En aquesta tesi discutim i analitzem algunes de les principals qüestions de seguretat i privadesa a les tecnologies actuals, tals com a telèfons intel·ligents, dispositius RFID o ciutats intel·ligents, i proposem alguns protocols per fer front a aquests temes garantint la privadesa dels usuaris a tot moment.
El desarrollo de nuevas tecnologías ha introducido el concepto de Computación Ubicua , en donde los objetos que nos rodean pueden tener procesadores integrados y establecer la comunicación con otros sistemas, con el fin de ofrecer servicios personalizados para ayudarnos con nuestras tareas habituales. Sin embargo, debido a que es posible tener ordenadores en casi cualquier lugar u objeto, esto ha abierto nuevas discusiones sobre temas tales como la privacidad y la seguridad, considerado desde diferentes puntos de vista, como el desarrollos jurídicos, sociales, económicos y tecnológicos, con una importancia cada vez mayor en el mundo actual. En esta tesis discutimos y analizamos algunas de las principales cuestiones de seguridad y privacidad en las tecnologías actuales, tales como teléfonos inteligentes, dispositivos RFID o ciudades inteligentes, y proponemos algunos protocolos para hacer frente a estos temas garantizando la privacidad de los usuarios en todo momento.
The development of new technologies has introduced the concept of Ubiquitous Computing, whereby the objects around us can have an embedded computer and establish communications with each other, in order to provide personalized services to assist with our tasks. However, because it is possible to have computers almost anywhere and within any object, this has opened up new discussions on issues such as privacy and security, considered from many different views, such as the legal, social, economic and technological development perspectives, all taking an increasingly significant importance in today’s world. In this dissertation we discuss and analyze some of the main privacy and security issues in current technologies, such as smartphones, RFIDs or smart cities, and we propose some protocols in order to face these issues guarantying users' privacy anytime.

Thesis (S.M.)--Massachusetts Institute of Technology, Engineering Systems Division, Technology and Policy Program, 2007.
Includes bibliographical references (p. 82-87).
As applications of Radio Frequency Identification (RFID) become more profuse, the technology itself is stirring up some controversy. Due to its potential for amassing large amounts of information about both people and things, and the possibility of using the information for marketing, tracking, or even spying, numerous consumer groups are spearheading efforts to ensure that RFID does not breach their privacy rights. While there are some privacy laws regulating specific aspects of commerce, there are no laws which currently apply to the collection and use of information as it pertains to RFID. This lack of formal regulation allows companies to legally engage in practices which may encroach on consumers' privacy. However, RFID has the potential to optimize supply chain practices as well as provide other benefits to both consumers and businesses. As RFID use becomes more widespread, regulatory strategies should be considered to protect consumers' right to privacy while obtaining the benefits of using the technology. This thesis explores consumer and industry opinion of RFID through a customized survey. Results of the survey found that consumer and industry opinion are similar in many aspects, especially in the concern for protecting privacy and the desire for a regulatory mechanism to enforce those privacy rights. This thesis addresses the question of whether market-based solutions, self-regulation, or government regulation is the best option for addressing consumers' legitimate concerns of privacy while allowing businesses to reap the benefits of using the technology.
(cont.) The regulatory options are compared and then discussed based on the needs of consumers and industry members as determined by the survey. Finally, four recommendations are suggested to provide guidance for ensuring a positive acceptance of RFID while acknowledging the privacy rights of consumers.
by Deanna R. Laufer.
S.M.

With the rapid growth of mobile, ubiquitous and wearable computing, location-based services become an indispensable part of mobile internet. These services rely on the geographical position of the mobile devices and provide location-dependent contents or services to users, such as location-based in- stant messaging, POI browsing, map navigation, and location-based virtual reality games. Most existing systems implement these location-based services by always storing and transmitting raw, plaintext GPS coordinates. However, location information is arguably a private asset of individual user, and the disclosure of such information could lead to severe privacy disclosure of other even more sensitive information, such as religion, sexuality, medical condition, or political affiliation. To address this issue, researchers have proposed a series of techniques to protect user location privacy against location-based service providers. How- ever, it is challenging to apply these theoretical and sophisticated techniques ii to practical location systems because of the computational or network over- head imposed on the mobile devices as well as the complexity of the secure protocols and algorithms for application developers. In this thesis, I will study two real-life privacy-preserving location systems and show how they can be adopted by developers with little security background. The rst is outdoor proximity detection that determines whether two users (or a user and an ob- ject) are within a given distance threshold. This is a fundamental service in many geo-social or map services. For example, \People nearby" in Wechat and QQ interconnect users because of their locality and/or mutual interests in some topics, such as food and movies. The second is indoor location mon- itoring and tracking. Wearable devices such as smart watch and bracelets continually broadcast Bluetooth Low Energy signals, which can be easily cap- tured by monitoring devices such as WiFi routers and Bluetooth scanners. As more and more wearable devices emerge, unauthorized monitoring and track- ing by adversary becomes great privacy threats not only in the cyberworld, but also in the physical world. To protect location privacy, I develop a real- life location monitoring system that is based on Bluetooth Low Energy (BLE) privacy feature that changes the device physical address periodically. To en- able users to better control their privacy level while still providing monitoring and tracking service to authorized parties (e.g., for child and elderly care), I extend BLE privacy by enriching its privacy semantics with a comprehensive set of metrics, such as simple opt-in/out, k-anonymity, and granularity-based anonymity. Both systems have been posted online and evaluated in terms of accuracy and user study.

[EN] Nowadays, online social networks (OSNs) have become a mainstream cultural phenomenon for millions of Internet users. Social networks are an ideal environment for generating all kinds of social benefits for users. Users share experiences, keep in touch with their family, friends and acquaintances, and earn economic benefits from the power of their influence (which is translated into new job opportunities). However, the use of social networks and the action of sharing information imply the loss of the users’ privacy. Recently, a great interest in protecting the privacy of users has emerged. This situation has been due to documented cases of regrets in users’ actions, company scandals produced by misuse of personal information, and the biases introduced by privacy mechanisms. Social network providers have included improvements in their systems to reduce users’ privacy risks; for example, restricting privacy policies by default, adding new privacy settings, and designing quick and easy shortcuts to configure user privacy settings. In the privacy researcher area, new advances are proposed to improve privacy mechanisms, most of them focused on automation, fine-grained systems, and the usage of features extracted from the user’s profile information and interactions to recommend the best privacy policy for the user. Despite these advances, many studies have shown that users’ concern for privacy does not match the decisions they ultimately make in social networks. This misalignment in the users’ behavior might be due to the complexity of the privacy concept itself. This drawback causes users to disregard privacy risks, or perceive them as temporarily distant. Another cause of users’ behavior misalignment might be due to the complexity of the privacy decision-making process. This is because users should consider all possible scenarios and the factors involved (e.g., the number of friends, the relationship type, the context of the information, etc.) to make an appropriate privacy decision. The main contributions of this thesis are the development of metrics to assess privacy risks, and the proposal of explainable privacy mechanisms (using the developed metrics) to assist and raise awareness among users during the privacy decision process. Based on the definition of the concept of privacy, the dimensions of information scope and information sensitivity have been considered in this thesis to assess privacy risks. For explainable privacy mechanisms, soft paternalism techniques and gamification elements that make use of the proposed metrics have been designed. These mechanisms have been integrated into the social network PESEDIA and evaluated in experiments with real users. PESEDIA is a social network developed in the framework of the Master’s thesis of the Ph.D. student [15], this thesis, and the national projects “Privacy in Social Educational Environments during Childhood and Adolescence” (TIN2014-55206- R) and “Intelligent Agents for Privacy Advice in Social Networks” (TIN2017-89156-R). The findings confirm the validity of the proposed metrics for computing the users’ scope and the sensitivity of social network publications. For the scope metric, the results also showed the possibility of estimating it through local and social centrality metrics for scenarios with limited information access. For the sensitivity metric, the results also remarked the users’ misalignment for some information types and the consensus for a majority of them. The usage of these metrics as part of messages about potential consequences of privacy policy choices and information sharing actions to users showed positive effects on users’ behavior regarding privacy. Furthermore, the findings of exploring the users’ trade-off between costs and benefits during disclosure actions of personal information showed significant relationships with the usual social circles (family members, friends, coworkers, and unknown users) and their properties. This allowed designing better privacy mechanisms that appropriately restrict access to information and reduce regrets. Finally, gamification elements applied to social networks and users’ privacy showed a positive effect on the users’ behavior towards privacy and safe practices in social networks.
[ES] En la actualidad, las redes sociales se han convertido en un fenómeno cultural dominante para millones de usuarios de Internet. Las redes sociales son un entorno ideal para la generación de todo tipo de beneficios sociales para los usuarios. Los usuarios comparten experiencias, mantienen el contacto con sus familiares, amigos y conocidos, y obtienen beneficios económicos gracias al poder de su influencia (lo que se traduce en nuevas oportunidades de trabajo). Sin embargo, el uso de las redes sociales y la acción de compartir información implica la perdida de la privacidad de los usuarios. Recientemente ha emergido un gran interés en proteger la privacidad de los usuarios. Esta situación se ha debido a los casos de arrepentimientos documentados en las acciones de los usuarios, escándalos empresariales producidos por usos indebidos de la información personal, y a los sesgos que introducen los mecanismos de privacidad. Los proveedores de redes sociales han incluido mejoras en sus sistemas para reducir los riesgos en privacidad de los usuarios; por ejemplo, restringiendo las políticas de privacidad por defecto, añadiendo nuevos elementos de configuración de la privacidad, y diseñando accesos fáciles y directos para configurar la privacidad de los usuarios. En el campo de la investigación de la privacidad, nuevos avances se proponen para mejorar los mecanismos de privacidad la mayoría centrados en la automatización, selección de grano fino, y uso de características extraídas de la información y sus interacciones para recomendar la mejor política de privacidad para el usuario. A pesar de estos avances, muchos estudios han demostrado que la preocupación de los usuarios por la privacidad no se corresponde con las decisiones que finalmente toman en las redes sociales. Este desajuste en el comportamiento de los usuarios podría deberse a la complejidad del propio concepto de privacidad. Este inconveniente hace que los usuarios ignoren los riesgos de privacidad, o los perciban como temporalmente distantes. Otra causa del desajuste en el comportamiento de los usuarios podría deberse a la complejidad del proceso de toma de decisiones sobre la privacidad. Esto se debe a que los usuarios deben considerar todos los escenarios posibles y los factores involucrados (por ejemplo, el número de amigos, el tipo de relación, el contexto de la información, etc.) para tomar una decisión apropiada sobre la privacidad. Las principales contribuciones de esta tesis son el desarrollo de métricas para evaluar los riesgos de privacidad, y la propuesta de mecanismos de privacidad explicables (haciendo uso de las métricas desarrolladas) para asistir y concienciar a los usuarios durante el proceso de decisión sobre la privacidad. Atendiendo a la definición del concepto de la privacidad, las dimensiones del alcance de la información y la sensibilidad de la información se han considerado en esta tesis para evaluar los riesgos de privacidad. En cuanto a los mecanismos de privacidad explicables, se han diseñado utilizando técnicas de paternalismo blando y elementos de gamificación que hacen uso de las métricas propuestas. Estos mecanismos se han integrado en la red social PESEDIA y evaluado en experimentos con usuarios reales. PESEDIA es una red social desarrollada en el marco de la tesina de Master del doctorando [15], esta tesis y los proyectos nacionales “Privacidad en Entornos Sociales Educativos durante la Infancia y la Adolescencia” (TIN2014-55206-R) y “Agentes inteligentes para asesorar en privacidad en redes sociales” (TIN2017-89156-R). Los resultados confirman la validez de las métricas propuestas para calcular el alcance de los usuarios y la sensibilidad de las publicaciones de las redes sociales. En cuanto a la métrica del alcance, los resultados también mostraron la posibilidad de estimarla mediante métricas de centralidad local y social para escenarios con acceso limitado a la información. En cuanto a la métrica de sensibilidad, los resultados también pusieron de manifiesto la falta de concordancia de los usuarios en el caso de algunos tipos de información y el consenso en el caso de la mayoría de ellos. El uso de estas métricas como parte de los mensajes sobre las posibles consecuencias de las opciones de política de privacidad y las acciones de intercambio de información a los usuarios mostró efectos positivos en el comportamiento de los usuarios con respecto a la privacidad. Además, los resultados de la exploración de la compensación de los usuarios entre los costos y los beneficios durante las acciones de divulgación de información personal mostraron relaciones significativas con los círculos sociales habituales (familiares, amigos, compañeros de trabajo y usuarios desconocidos) y sus propiedades. Esto permitió diseñar mejores mecanismos de privacidad que restringen adecuadamente el acceso a la información y reducen los arrepentimientos. Por último, los elementos de gamificación aplicados a las redes sociales y a la privacidad de los usuarios mostraron un efecto positivo en el comportamiento de los usuarios hacia la privacidad y las prácticas seguras en las redes sociales.
[CA] En l’actualitat, les xarxes socials s’han convertit en un fenomen cultural dominant per a milions d’usuaris d’Internet. Les xarxes socials són un entorn ideal per a la generació de tota mena de beneficis socials per als usuaris. Els usuaris comparteixen experiències, mantenen el contacte amb els seus familiars, amics i coneguts, i obtenen beneficis econòmics gràcies al poder de la seva influència (el que es tradueix en noves oportunitats de treball). No obstant això, l’ús de les xarxes socials i l’acció de compartir informació implica la perduda de la privacitat dels usuaris. Recentment ha emergit un gran interès per protegir la privacitat dels usuaris. Aquesta situació s’ha degut als casos de penediments documentats en les accions dels usuaris, escàndols empresarials produïts per usos indeguts de la informació personal, i als caires que introdueixen els mecanismes de privacitat. Els proveïdors de xarxes socials han inclòs millores en els seus sistemes per a reduir els riscos en privacitat dels usuaris; per exemple, restringint les polítiques de privacitat per defecte, afegint nous elements de configuració de la privacitat, i dissenyant accessos fàcils i directes per a configurar la privacitat dels usuaris. En el camp de la recerca de la privacitat, nous avanços es proposen per a millorar els mecanismes de privacitat la majoria centrats en l’automatització, selecció de gra fi, i ús de característiques extretes de la informació i les seues interaccions per a recomanar la millor política de privacitat per a l’usuari. Malgrat aquests avanços, molts estudis han demostrat que la preocupació dels usuaris per la privacitat no es correspon amb les decisions que finalment prenen en les xarxes socials. Aquesta desalineació en el comportament dels usuaris podria deure’s a la complexitat del propi concepte de privacitat. Aquest inconvenient fa que els usuaris ignorin els riscos de privacitat, o els percebin com temporalment distants. Una altra causa de la desalineació en el comportament dels usuaris podria deure’s a la complexitat del procés de presa de decisions sobre la privacitat. Això es deu al fet que els usuaris han de considerar tots els escenaris possibles i els factors involucrats (per exemple, el nombre d’amics, el tipus de relació, el context de la informació, etc.) per a prendre una decisió apropiada sobre la privacitat. Les principals contribucions d’aquesta tesi són el desenvolupament de mètriques per a avaluar els riscos de privacitat, i la proposta de mecanismes de privacitat explicables (fent ús de les mètriques desenvolupades) per a assistir i conscienciar als usuaris durant el procés de decisió sobre la privacitat. Atesa la definició del concepte de la privacitat, les dimensions de l’abast de la informació i la sensibilitat de la informació s’han considerat en aquesta tesi per a avaluar els riscos de privacitat. Respecte als mecanismes de privacitat explicables, aquests s’han dissenyat utilitzant tècniques de paternalisme bla i elements de gamificació que fan ús de les mètriques propostes. Aquests mecanismes s’han integrat en la xarxa social PESEDIA i avaluat en experiments amb usuaris reals. PESEDIA és una xarxa social desenvolupada en el marc de la tesina de Màster del doctorant [15], aquesta tesi i els projectes nacionals “Privacitat en Entorns Socials Educatius durant la Infància i l’Adolescència” (TIN2014-55206-R) i “Agents Intel·ligents per a assessorar en Privacitat en xarxes socials” (TIN2017-89156-R). Els resultats confirmen la validesa de les mètriques propostes per a calcular l’abast de les accions dels usuaris i la sensibilitat de les publicacions de les xarxes socials. Respecte a la mètrica de l’abast, els resultats també van mostrar la possibilitat d’estimarla mitjançant mètriques de centralitat local i social per a escenaris amb accés limitat a la informació. Respecte a la mètrica de sensibilitat, els resultats també van posar de manifest la falta de concordança dels usuaris en el cas d’alguns tipus d’informació i el consens en el cas de la majoria d’ells. L’ús d’aquestes mètriques com a part dels missatges sobre les possibles conseqüències de les opcions de política de privacitat i les accions d’intercanvi d’informació als usuaris va mostrar efectes positius en el comportament dels usuaris respecte a la privacitat. A més, els resultats de l’exploració de la compensació dels usuaris entre els costos i els beneficis durant les accions de divulgació d’informació personal van mostrar relacions significatives amb els cercles socials habituals (familiars, amics, companys de treball i usuaris desconeguts) i les seves propietats. Això ha permés dissenyar millors mecanismes de privacitat que restringeixen adequadament l’accés a la informació i redueixen els penediments. Finalment, els elements de gamificació aplicats a les xarxes socials i a la privacitat dels usuaris van mostrar un efecte positiu en el comportament dels usuaris cap a la privacitat i les pràctiques segures en les xarxes socials.
Alemany Bordera, J. (2020). Measures of Privacy Protection on Social Environments [Tesis doctoral no publicada]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/151456
TESIS

This doctoral thesis consists of three essays within the field of economics of information privacy examined through the lens of behavioral and experimental economics. Rapid development and expansion of Internet, mobile and network technologies in the last decades has provided multitudinous opportunities and benefits to both business and society proposing the customized services and personalized offers at a relatively low price and high speed. However, such innovations and progress have also created complex and hazardous issues. One of the main problems is related to the management of extensive flows of information, containing terabytes of personal data. Collection, storage, analysis, and sharing of this information imply risks and trigger users’ concerns that range from nearly harmless to significantly pernicious, including tracking of online behavior and location, intrusive or unsolicited marketing, price discrimination, surveillance, hacking attacks, fraud, and identity theft. Some users ignore these issues or at least do not take an action to protect their online privacy. Others try to limit their activity in Internet, which in turn may inhibit the online shopping acceptance. Yet another group of users gathers personal information protection, for example, by deploying the privacy-enhancing technologies, e.g., ad-blockers, e-mail encryption, etc. The ad-blockers sometimes reduce the revenue of online publishers, which provide the content to their users for free and do not receive the income from advertisers in case the user has blocked ads. The economics of privacy studies the trade-offs related to the positive and negative economic consequences of personal information use by data subjects and its protection by data holders and aims at balancing the interests of both parties optimising the expected utilities of various stakeholders. As technology is penetrating every aspect of human life raising numerous privacy issues and affecting a large number of interested parties, including business, policy-makers, and legislative regulators, the outcome of this research is expected to have a great impact on individual economic markets, consumers, and society as a whole. The first essay provides an extensive literature review and combines the theoretical and empirical evidence on the impact of advertising in both traditional and digital media in order to gain the insights about the effects of ad-blocking privacy-enhancing technologies on consumers’ welfare. It first studies the views of the main schools of advertising, informative and persuasive. The informative school of advertising emphasizes the positive effects of advertising on sales, competition, product quality, and consumers’ utility and satisfaction by matching buyers to sellers, informing the potential customers about available goods and enhancing their informed purchasing decisions. In contrast, the advocates of persuasive school view advertising as a generator of irrational brand loyalty that distorts consumers’ preferences, inflates product prices, and creates entry barriers. I pay special attention to the targeted advertising, which is typically assumed to have a positive impact on consumers’ welfare if it does not cause the decrease of product quality and does not involve the extraction of consumers’ surplus through the exploitation of reservation price for discriminating activities. Moreover, the utility of personalized advertising appears to be a function of its accuracy: the more relevant is a targeted offer, the more valuable it is for the customer. I then review the effects of online advertising on the main stakeholders and users and show that the low cost of online advertising leads to excessive advertising volumes causing information overload, psychological discomfort and reactance, privacy concerns, decreased exploration activities and opinion diversity, and market inefficiency. Finally, as ad-blocking technologies filter advertising content and limit advertising exposure, I analyze the consequences of ad-blocking deployment through the lens of the models on advertising restrictions. The control of advertising volume and its partial restriction would benefit both consumers and businesses more than a complete ban of advertising. For example, advertising exposure caps, which limit the number of times that the same ad is to be shown to a particular user, general reduction of the advertising slots, control of the advertising quality standards, and limitation of tracking would result in a better market equilibrium than can offer an arms race of ad-blockers and anti-ad-blockers. Finally, I review the solutions alternative to the blocking of advertising content, which include self regulation, non-intrusive ads programs, paywall, intention economy approach that promotes business models, in which user initiates the trade and not the marketer, and active social movements aimed at increasing social awareness and consumer education. The second essay describes a model of factors affecting Internet users’ perceptions of websites’ trustworthiness with respect to their privacy and the intentions to purchase from such websites. Using focus group method I calibrate a list of websites’ attributes that represent those factors. Then I run an online survey with 117 adult participants to validate the research model. I find that privacy (including awareness, information collection and control practices), security, and reputation (including background and feedback) have strong effect on trust and willingness to buy, while website quality plays a marginal role. Although generally trustworthiness perceptions and purchase intentions are positively correlated, in some cases participants are likely to purchase from the websites that they have judged as untrustworthy. I discuss how behavioral biases and decision-making heuristics may explain this discrepancy between perceptions and behavioral intentions. Finally, I analyze and suggest what factors, particular websites’ attributes, and individual characteristics have the strongest effect on hindering or advancing customers’ trust and willingness to buy. In the third essay I investigate the decision of experimental subjects to incur the risk of revealing personal information to other participants. I do so by using a novel method to generate personal information that reliably induces privacy concerns in the laboratory. I show that individual decisions to incur privacy risk are correlated with decisions to incur monetary risk. I find that partially depriving subjects of control over the revelation of their personal information does not lead them to lose interest in protecting it. I also find that making subjects think of privacy decisions after financial decisions reduces their aversion to privacy risk. Finally, surveyed attitude to privacy and explicit willingness to pay or to accept payments for personal information correlate with willingness to incur privacy risk. Having shown that privacy loss can be assimilated to a monetary loss, I compare decisions to incur risk in privacy lotteries with risk attitude in monetary lotteries to derive estimates of the implicit monetary value of privacy. The average implicit monetary value of privacy is about equal to the average willingness to pay to protect private information, but the two measures do not correlate at the individual level. I conclude by underlining the need to know individual attitudes to risk to properly evaluate individual attitudes to privacy as such.

This doctoral thesis consists of three essays within the field of economics of information privacy examined through the lens of behavioral and experimental economics. Rapid development and expansion of Internet, mobile and network technologies in the last decades has provided multitudinous opportunities and benefits to both business and society proposing the customized services and personalized offers at a relatively low price and high speed. However, such innovations and progress have also created complex and hazardous issues. One of the main problems is related to the management of extensive flows of information, containing terabytes of personal data. Collection, storage, analysis, and sharing of this information imply risks and trigger users’ concerns that range from nearly harmless to significantly pernicious, including tracking of online behavior and location, intrusive or unsolicited marketing, price discrimination, surveillance, hacking attacks, fraud, and identity theft. Some users ignore these issues or at least do not take an action to protect their online privacy. Others try to limit their activity in Internet, which in turn may inhibit the online shopping acceptance. Yet another group of users gathers personal information protection, for example, by deploying the privacy-enhancing technologies, e.g., ad-blockers, e-mail encryption, etc. The ad-blockers sometimes reduce the revenue of online publishers, which provide the content to their users for free and do not receive the income from advertisers in case the user has blocked ads. The economics of privacy studies the trade-offs related to the positive and negative economic consequences of personal information use by data subjects and its protection by data holders and aims at balancing the interests of both parties optimising the expected utilities of various stakeholders. As technology is penetrating every aspect of human life raising numerous privacy issues and affecting a large number of interested parties, including business, policy-makers, and legislative regulators, the outcome of this research is expected to have a great impact on individual economic markets, consumers, and society as a whole. The first essay provides an extensive literature review and combines the theoretical and empirical evidence on the impact of advertising in both traditional and digital media in order to gain the insights about the effects of ad-blocking privacy-enhancing technologies on consumers’ welfare. It first studies the views of the main schools of advertising, informative and persuasive. The informative school of advertising emphasizes the positive effects of advertising on sales, competition, product quality, and consumers’ utility and satisfaction by matching buyers to sellers, informing the potential customers about available goods and enhancing their informed purchasing decisions. In contrast, the advocates of persuasive school view advertising as a generator of irrational brand loyalty that distorts consumers’ preferences, inflates product prices, and creates entry barriers. I pay special attention to the targeted advertising, which is typically assumed to have a positive impact on consumers’ welfare if it does not cause the decrease of product quality and does not involve the extraction of consumers’ surplus through the exploitation of reservation price for discriminating activities. Moreover, the utility of personalized advertising appears to be a function of its accuracy: the more relevant is a targeted offer, the more valuable it is for the customer. I then review the effects of online advertising on the main stakeholders and users and show that the low cost of online advertising leads to excessive advertising volumes causing information overload, psychological discomfort and reactance, privacy concerns, decreased exploration activities and opinion diversity, and market inefficiency. Finally, as ad-blocking technologies filter advertising content and limit advertising exposure, I analyze the consequences of ad-blocking deployment through the lens of the models on advertising restrictions. The control of advertising volume and its partial restriction would benefit both consumers and businesses more than a complete ban of advertising. For example, advertising exposure caps, which limit the number of times that the same ad is to be shown to a particular user, general reduction of the advertising slots, control of the advertising quality standards, and limitation of tracking would result in a better market equilibrium than can offer an arms race of ad-blockers and anti-ad-blockers. Finally, I review the solutions alternative to the blocking of advertising content, which include self regulation, non-intrusive ads programs, paywall, intention economy approach that promotes business models, in which user initiates the trade and not the marketer, and active social movements aimed at increasing social awareness and consumer education. The second essay describes a model of factors affecting Internet users’ perceptions of websites’ trustworthiness with respect to their privacy and the intentions to purchase from such websites. Using focus group method I calibrate a list of websites’ attributes that represent those factors. Then I run an online survey with 117 adult participants to validate the research model. I find that privacy (including awareness, information collection and control practices), security, and reputation (including background and feedback) have strong effect on trust and willingness to buy, while website quality plays a marginal role. Although generally trustworthiness perceptions and purchase intentions are positively correlated, in some cases participants are likely to purchase from the websites that they have judged as untrustworthy. I discuss how behavioral biases and decision-making heuristics may explain this discrepancy between perceptions and behavioral intentions. Finally, I analyze and suggest what factors, particular websites’ attributes, and individual characteristics have the strongest effect on hindering or advancing customers’ trust and willingness to buy. In the third essay I investigate the decision of experimental subjects to incur the risk of revealing personal information to other participants. I do so by using a novel method to generate personal information that reliably induces privacy concerns in the laboratory. I show that individual decisions to incur privacy risk are correlated with decisions to incur monetary risk. I find that partially depriving subjects of control over the revelation of their personal information does not lead them to lose interest in protecting it. I also find that making subjects think of privacy decisions after financial decisions reduces their aversion to privacy risk. Finally, surveyed attitude to privacy and explicit willingness to pay or to accept payments for personal information correlate with willingness to incur privacy risk. Having shown that privacy loss can be assimilated to a monetary loss, I compare decisions to incur risk in privacy lotteries with risk attitude in monetary lotteries to derive estimates of the implicit monetary value of privacy. The average implicit monetary value of privacy is about equal to the average willingness to pay to protect private information, but the two measures do not correlate at the individual level. I conclude by underlining the need to know individual attitudes to risk to properly evaluate individual attitudes to privacy as such.

Les identités numériques sont, de nos jours, utilisées à grande échelle (par exemple, dans les services publics, les réseaux sociaux, le travail, etc.). Cela n'est pas sans poser des défis d'utilisabilité car les utilisateurs sont contraints de gérer de multiples identités et attributs pour des objectifs de contrôle d'accès et de partage de données.En outre, se posent des défis en sécurité et respect de la vie privée du fait que les entités en interaction, celles qui délivrent, traitent et collectent ces identités peuvent du fait de leur comportement ou d'insuffisances de sécurité aboutir aux vols d'identité, à la collecte massive de données et au traçage des utilisateurs.Cette thèse vise à trouver le meilleur compromis entre sécurité, préservation de la vie privée et utilisabilité pour les systèmes de gestion des identités, en s'appuyant sur des primitives cryptographiques. Les deux premières contributions s'intéressent à la gestion des identités pour le contrôle d'accès et considèrent des identités et attributs réels qui contiennent des informations personnelles (ex : âge) et sensibles (ex : caractéristiques biométriques).La première contribution propose un système de gestion des identités centré sur l'utilisateur et respectueux de la vie privée dans lequel les utilisateurs gardent le contrôle sur leurs attributs. Un utilisateur, qui reçoit des attributs certifiés par un fournisseur d'identité, peut interagir de façon pseudonymisée avec un fournisseur de services et lui prouver l'authenticité des attributs présentés tout en minimisant le nombre de ces attributs. Cette solution s'appuie sur un nouveau schéma de signature malléable qui permet aux utilisateurs de transformer le certificat issu du fournisseur d'identités sur ses attributs de façon restreinte et contrôlée. Elle préserve aussi la vie privée en satisfaisant les propriétés de non-associabilité entre des fournisseurs de services curieux qui tenteraient d'associer différentes transactions à un même utilisateur.La deuxième contribution porte sur un nouveau schéma d'authentification biométrique qui offre des garanties de robustesse et de respect de la vie privée. Trois étapes sont nécessaires. Tout d'abord, l'utilisateur se rend physiquement chez le fournisseur d'identités qui pousse le modèle biométrique chiffré et certifié sur son smartphone. Puis il s'enregistre à distance auprès d'un fournisseur de services, de façon anonyme. Enfin, il s'authentifie hors ligne auprès du fournisseur de services qui capture la modalité biométrique, cette modalité étant vérifiée localement via le smartphone. En s'appuyant sur des signatures malléables, la solution proposée empêche l'utilisation de fausses identités biométriques et garantit la fiabilité de l'authentification. La non-associabilité et l'anonymat, sont aussi préservées.La troisième contribution apporte une solution au besoin de partager des données dans un système de gestion d'identités, et en particulier étudie la gestion des attributs éphémères des utilisateurs dans le contexte du traçage de proximité pour les systèmes d'e-santé. La solution proposée assure la cohérence et l'intégrité des données et préserve la vie privée des utilisateurs qui partagent leurs informations de contact avec les personnes à proximité. Des alertes sont émises vers les personnes ayant été en contact avec des personnes infectées. L'architecture hybride utilisée qui repose sur un serveur centralisé et des proxies décentralisés empêche les utilisateurs malveillants d'injecter de fausses alertes, et empêche de relier toute information de contact à un même utilisateur et de réidentifier les utilisateurs impliqués dans un contact avec une personne infectée
Digital identities are, nowadays, used at a large scale (i.e., in public services, social medias, at work, online shopping, etc.). This brings usability issues as users are constrained to deal with multiple identities and attributes for access control and data sharing objectives. In addition, security and privacy challenges have arisen as the interacting entities, those that issue, process and collect these identities can, due to their behavior or security deficiencies, lead to identity theft, massive data collection and tracking of users' behaviors on the Internet.This thesis aims at finding the best trade-off between security, privacy and usability for identity management systems, based on cryptographic primitives. The first two contributions focus on identity management for access control and consider real identities and attributes that contain personal (e.g., age) and sensitive (e.g., biometric traits) information.The first contribution proposes a user-centric and privacy-preserving identity management system in which users keep control over their attributes. A user, that receives attributes certified by an identity provider, is able to interact, in a pseudonymized manner, with a service provider and prove the authenticity of the provided attributes while ensuring that he discloses only the minimum number of attributes. This solution is based on a new malleable signature scheme that allows users to modify the certificate issued by the identity provider on his attributes in a restricted and controlled manner. It also preserves privacy by satisfying the unlinkability property between curious service providers that try to link different transactions to the same user.The second contribution presents a new biometric authentication scheme that offers robustness and privacy guarantees. Three steps are required. First, the user physically visits the identity provider that pushes an encrypted and certified biometric template onto his smartphone. Then he remotely enrolls at a service provider, in an anonymous manner. Finally, he authenticates offline to the service provider that captures a new biometric template in order to be locally verified via the smartphone. By relying on malleable signatures, the proposed solution prevents the use of fake biometric identities and guarantees the authentication soundness. Unlinkability and anonymity are also preserved.The third contribution provides a solution to meet the need of data sharing in an identity management system. In particular, it studies the management of users ephemeral attributes in the context of proximity tracing for e-healthcare systems. The proposed solution ensures data consistency and integrity and preserves the privacy of users who share their contact information with people in proximity. Alerts are issued to users who have been in contact with infected persons. The use of a hybrid architecture, which relies on a centralized server and decentralized proxies, allows to prevent malicious users from injecting false alerts, and to prevent the linkability of contact information to the same user and the re-identification of users involved in contact with an infected person

Thesis (M.A. in Security Studies (Homeland Security and Defense))--Naval Postgraduate School, September 2009.
Thesis Advisor(s): Bergin, Richard D. ; Josefek, Robert A. "September 2009." Description based on title screen as viewed on November 9, 2009. Author(s) subject terms: Information Sharing Environment, privacy, collaboration, constitutionality, Transportation Security Administration, Program Manager Information Sharing Environment, information sharing. Includes bibliographical references (p. 89-96). Also available in print.

Data about individuals is being increasingly collected and disseminated for purposes such as business analysis and medical research. This has raised some privacy concerns. In response, a number of techniques have been proposed which attempt to transform data prior to its release so that sensitive information about the individuals contained within it is protected. A:-Anonymisation is one such technique that has attracted much recent attention from the database research community. A:-Anonymisation works by transforming data in such a way that each record is made identical to at least A: 1 other records with respect to those attributes that are likely to be used to identify individuals. This helps prevent sensitive information associated with individuals from being disclosed, as each individual is represented by at least A: records in the dataset. Ideally, a /c-anonymised dataset should maximise both data utility and privacy protection, i.e. it should allow intended data analytic tasks to be carried out without loss of accuracy while preventing sensitive information disclosure, but these two notions are conflicting and only a trade-off between them can be achieved in practice. The existing works, however, focus on how either utility or protection requirement may be satisfied, which often result in anonymised data with an unnecessarily and/or unacceptably low level of utility or protection. In this thesis, we study how to construct /-anonymous data that satisfies both data utility and privacy protection requirements. We propose new criteria to capture utility and protection requirements, and new algorithms that allow A:-anonymisations with required utility/protection trade-off or guarantees to be generated. Our extensive experiments using both benchmarking and synthetic datasets show that our methods are efficient, can produce A:-anonymised data with desired properties, and outperform the state of the art methods in retaining data utility and providing privacy protection.

De nos jours, avec la large propagation de différents appareils mobiles, de nombreux capteurs accompagnent des utilisateurs. Ces capteurs peuvent servir à collecter des données de mobilité qui sont utiles pour des urbanistes ou des chercheurs. Cependant, l'exploitation de ces données soulèvent de nombreuses menaces quant à la préservation de la vie privée des utilisateurs. En effet, des informations sensibles tel que le lieu domicile, le lieu de travail ou même les croyances religieuses peuvent être inférées de ces données. Durant la dernière décennie, des mécanismes de protections appelées "Location Privacy Protection Mechanisms (LPPM)" ont été proposé. Ils imposent des guarenties sur les données (e.g., k-anonymity ou differential privacy), obfusquent les informations sensibles (e.g., efface les points d'intéret) ou sont une contre-mesure à des attaques particulières. Nous portons notre attention à la ré-identification qui est un risque précis lié à la préservation de la vie privée dans les données de mobilité. Il consiste en a un attaquant qui des lors qu'il reçoit une trace de mobilité anonymisée, il cherche à retrouver l'identifiant de son propriétaire en la rattachant à un passif de traces non-anonymisées des utilisateurs du système. Dans ce cadre, nous proposons tout d'abords des attaques de ré-identification AP-Attack et ILL-Attack servant à mettre en exergue les vulnérabilités des mécanismes de protections de l'état de l'art et de quantifier leur efficacité. Nous proposons aussi un nouveau mécanisme de protection HMC qui utilise des heat maps afin de guider la transformation du comportement d'un individu pour qu'il ne ressemble plus au soi du passée mais à un autre utilisateur, le préservant ainsi de la ré-identification. Cet modification de la trace de mobilité est contrainte par des mesures d'utilité des données afin de minimiser la qualité de service ou les conclusions que l'on peut tirer à l'aide de ces données
With the wide propagation of handheld devices, more and more mobile sensors are being used by end users on a daily basis. Those sensors could be leveraged to gather useful mobility data for city planners, business analysts and researches. However, gathering and exploiting mobility data raises many privacy threats. Sensitive information such as one’s home or workplace, hobbies, religious beliefs, political or sexual preferences can be inferred from the gathered data. In the last decade, Location Privacy Protection Mechanisms (LPPMs) have been proposed to protect user data privacy. They alter data mobility to enforce formal guarantees (e.g., k-anonymity or differential privacy), hide sensitive information (e.g., erase points of interests) or act as countermeasures for particular attacks. In this thesis, we focus on the threat of re-identification which aims at re-linking an anonymous mobility trace to the know past mobility of its user. First, we propose re-identification attacks (AP-Attack and ILL-Attack) that find vulnerabilities and stress current state-of-the-art LPPMs to quantify their effectiveness. We also propose a new protection mechanism HMC that uses heat maps to guide the transformation of mobility data to change the behaviour of a user, in order to make her look similar to someone else rather than her past self which preserves her from re-identification attacks. This alteration of mobility trace is constrained with the control of the utility of the data to minimize the distortion in the quality of the analysis realized on this data

The United States Whistleblower Program’s inadequate protections have placed the privacy and confidentiality rights of United States taxpayers in a vulnerable state. By using the United States Whistleblower Program as an example, this paper seeks to illustrate the risk of eroding the confidentiality and privacy rights of the taxpayer, which is a risk that other national and international governments should likewise attempt to mitigate in their own whistleblower protection programs.

An authorisation system determines who is authorised to do what i.e. it assigns privileges to users and provides a decision on whether someone is allowed to perform a requested action on a resource. A traditional authorisation decision system, which is simply called authorisation system or system in the rest of the thesis, provides the decision based on a policy which is usually written by the system administrator. Such a traditional authorisation system is not sufficient to protect privacy of personal data, since users (the data subjects) are usually given a take it or leave it choice to accept the controlling organisation’s policy. Privacy is the ability of the owners or subjects of personal data to control the flow of data about themselves, according to their own preferences. This thesis describes the design of an authorisation system that will provide privacy for personal data by including sticky authorisation policies from the issuers and data subjects, to supplement the authorisation policy of the controlling organisation. As personal data moves from controlling system to controlling system, the sticky policies travel with the data. A number of data protection laws and regulations have been formulated to protect the privacy of individuals. The rights and prohibitions provided by the law need to be enforced by the authorisation system. Hence, the designed authorisation system also includes the authorisation rules from the legislation. This thesis describes the conversion of rules from the EU Data Protection Directive into machine executable rules. Due to the nature of the legislative rules, not all of them could be converted into deterministic machine executable rules, as in several cases human intervention or human judgement is required. This is catered for by allowing the machine rules to be configurable. Since the system includes independent policies from various authorities (law, issuer, data subject and controller) conflicts may arise among the decisions provided by them. Consequently, this thesis describes a dynamic, automated conflict resolution mechanism. Different conflict resolution algorithms are chosen based on the request contexts. As the EU Data Protection Directive allows processing of personal data based on contracts, we designed and implemented a component, Contract Validation Service (ConVS) that can validate an XML based digital contract to allow processing of personal data based on a contract. The authorisation system has been implemented as a web service and the performance of the system is measured, by first deploying it in a single computer and then in a cloud server. Finally the validity of the design and implementation are tested against a number of use cases based on scenarios involving accessing medical data in a health service provider’s system and accessing personal data such as CVs and degree certificates in an employment service provider’s system. The machine computed authorisation decisions are compared to the theoretical decisions to ensure that the system returns the correct decisions.

Biometrics is defined by the International Organization for Standardization (ISO) as “the automated recognition of individuals based on their behavioral and biological characteristics” Examples of distinctive features evaluated by biometrics, called biometric traits, are behavioral characteristics like the signature, gait, voice, and keystroke, and biological characteristics like the fingerprint, face, iris, retina, hand geometry, palmprint, ear, and DNA. The biometric recognition is the process that permits to establish the identity of a person, and can be performed in two modalities: verification, and identification. The verification modality evaluates if the identity declared by an individual corresponds to the acquired biometric data. Differently, in the identification modality, the recognition application has to determine a person's identity by comparing the acquired biometric data with the information related to a set of individuals. Compared with traditional techniques used to establish the identity of a person, biometrics offers a greater confidence level that the authenticated individual is not impersonated by someone else. Traditional techniques, in fact, are based on surrogate representations of the identity, like tokens, smart cards, and passwords, which can easily be stolen or copied with respect to biometric traits. This characteristic permitted a wide diffusion of biometrics in different scenarios, like physical access control, government applications, forensic applications, logical access control to data, networks, and services. Most of the biometric applications, also called biometric systems, require performing the acquisition process in a highly controlled and cooperative manner. In order to obtain good quality biometric samples, the acquisition procedures of these systems need that the users perform deliberate actions, assume determinate poses, and stay still for a time period. Limitations regarding the applicative scenarios can also be present, for example the necessity of specific light and environmental conditions. Examples of biometric technologies that traditionally require constrained acquisitions are based on the face, iris, fingerprint, and hand characteristics. Traditional face recognition systems need that the users take a neutral pose, and stay still for a time period. Moreover, the acquisitions are based on a frontal camera and performed in controlled light conditions. Iris acquisitions are usually performed at a distance of less than 30 cm from the camera, and require that the user assume a defined pose and stay still watching the camera. Moreover they use near infrared illumination techniques, which can be perceived as dangerous for the health. Fingerprint recognition systems and systems based on the hand characteristics require that the users touch the sensor surface applying a proper and uniform pressure. The contact with the sensor is often perceived as unhygienic and/or associated to a police procedure. This kind of constrained acquisition techniques can drastically reduce the usability and social acceptance of biometric technologies, therefore decreasing the number of possible applicative contexts in which biometric systems could be used. In traditional fingerprint recognition systems, the usability and user acceptance are not the only negative aspects of the used acquisition procedures since the contact of the finger with the sensor platen introduces a security lack due to the release of a latent fingerprint on the touched surface, the presence of dirt on the surface of the finger can reduce the accuracy of the recognition process, and different pressures applied to the sensor platen can introduce non-linear distortions and low-contrast regions in the captured samples. Other crucial aspects that influence the social acceptance of biometric systems are associated to the privacy and the risks related to misuses of biometric information acquired, stored and transmitted by the systems. One of the most important perceived risks is related to the fact that the persons consider the acquisition of biometric traits as an exact permanent filing of their activities and behaviors, and the idea that the biometric systems can guarantee recognition accuracy equal to 100\% is very common. Other perceived risks consist in the use of the collected biometric data for malicious purposes, for tracing all the activities of the individuals, or for operating proscription lists. In order to increase the usability and the social acceptance of biometric systems, researchers are studying less-constrained biometric recognition techniques based on different biometric traits, for example, face recognition systems in surveillance applications, iris recognition techniques based on images captured at a great distance and on the move, and contactless technologies based on the fingerprint and hand characteristics. Other recent studies aim to reduce the real and perceived privacy risks, and consequently increase the social acceptance of biometric technologies. In this context, many studies regard methods that perform the identity comparison in the encrypted domain in order to prevent possible thefts and misuses of biometric data. The objective of this thesis is to research approaches able to increase the usability and social acceptance of biometric systems by performing less-constrained and highly accurate biometric recognitions in a privacy compliant manner. In particular, approaches designed for high security contexts are studied in order improve the existing technologies adopted in border controls, investigative, and governmental applications. Approaches based on low cost hardware configurations are also researched with the aim of increasing the number of possible applicative scenarios of biometric systems. The privacy compliancy is considered as a crucial aspect in all the studied applications. Fingerprint is specifically considered in this thesis, since this biometric trait is characterized by high distinctivity and durability, is the most diffused trait in the literature, and is adopted in a wide range of applicative contexts. The studied contactless biometric systems are based on one or more CCD cameras, can use two-dimensional or three-dimensional samples, and include privacy protection methods. The main goal of these systems is to perform accurate and privacy compliant recognitions in less-constrained applicative contexts with respect to traditional fingerprint biometric systems. Other important goals are the use of a wider fingerprint area with respect to traditional techniques, compatibility with the existing databases, usability, social acceptance, and scalability. The main contribution of this thesis consists in the realization of novel biometric systems based on contactless fingerprint acquisitions. In particular, different techniques for every step of the recognition process based on two-dimensional and three-dimensional samples have been researched. Novel techniques for the privacy protection of fingerprint data have also been designed. The studied approaches are multidisciplinary since their design and realization involved optical acquisition systems, multiple view geometry, image processing, pattern recognition, computational intelligence, statistics, and cryptography. The implemented biometric systems and algorithms have been applied to different biometric datasets describing a heterogeneous set of applicative scenarios. Results proved the feasibility of the studied approaches. In particular, the realized contactless biometric systems have been compared with traditional fingerprint recognition systems, obtaining positive results in terms of accuracy, usability, user acceptability, scalability, and security. Moreover, the developed techniques for the privacy protection of fingerprint biometric systems showed satisfactory performances in terms of security, accuracy, speed, and memory usage.

This thesis investigates whether English law ought to be further developed to provide fuller protection for the privacy of the corporation. As an essential preliminary step, the thesis first explores the concept of privacy in general – privacy interests, definitions of privacy, rationales of privacy; and then proceeds to formulate a concept of privacy for the corporation. The thesis advances to consider the level of protection of the privacy of the corporation in English law, and finds that only a limited level of protection is provided – in broadcasting matters – by the Broadcasting Act 1996. The thesis then proceeds to critically examine whether the extended action for breach of confidence which protects an individual's privacy can and ought to be further developed to provide protection for the corporation’s privacy, and argues that the corporation’s privacy can and ought to be so developed. The thesis also investigates whether, in the alternative, the corporation’s privacy would be more suitably protected if it were developed as a property right under Article 1 of Protocol 1 ECHR, and finds that Article 1 of Protocol 1 would not suitably protect the corporation’s privacy. Instead, the thesis upholds the extended action for breach of confidence as a more natural and suitable home for the protection of the privacy of the corporation in English law. The thesis concludes with recommendations on the structural framework for the proposed protection of the corporation’s privacy under the extended action for breach of confidence. This research is undertaken primarily through doctrinal analysis; it analyses English Courts’ jurisprudence, the European Court of Human Rights jurisprudence, as well as the jurisprudence of the Court of Justice of the European Union where it concerns the administration of Article 8 ECHR. Theoretical arguments are also engaged in when it comes to defining and justifying the protection of the corporation’s privacy.

In recent times we are witnessing the emergence of a wide variety of information systems that tailor the information-exchange functionality to meet the specific interests of their users. Most of these personalized information systems capitalize on, or lend themselves to, the construction of profiles, either directly declared by a user, or inferred from past activity. The ability of these systems to profile users is therefore what enables such intelligent functionality, but at the same time, it is the source of serious privacy concerns. Although there exists a broad range of privacy-enhancing technologies aimed to mitigate many of those concerns, the fact is that their use is far from being widespread. The main reason is that there is a certain ambiguity about these technologies and their effectiveness in terms of privacy protection. Besides, since these technologies normally come at the expense of system functionality and utility, it is challenging to assess whether the gain in privacy compensates for the costs in utility. Assessing the privacy provided by a privacy-enhancing technology is thus crucial to determine its overall benefit, to compare its effectiveness with other technologies, and ultimately to optimize it in terms of the privacy-utility trade-off posed. Considerable effort has consequently been devoted to investigating both privacy and utility metrics. However, most of these metrics are specific to concrete systems and adversary models, and hence are difficult to generalize or translate to other contexts. Moreover, in applications involving user profiles, there are a few proposals for the evaluation of privacy, and those existing are not appropriately justified or fail to justify the choice. The first part of this thesis approaches the fundamental problem of quantifying user privacy. Firstly, we present a theoretical framework for privacy-preserving systems, endowed with a unifying view of privacy in terms of the estimation error incurred by an attacker who aims to disclose the private information that the system is designed to conceal. Our theoretical analysis shows that numerous privacy metrics emerging from a broad spectrum of applications are bijectively related to this estimation error, which permits interpreting and comparing these metrics under a common perspective. Secondly, we tackle the issue of measuring privacy in the enthralling application of personalized information systems. Specifically, we propose two information-theoretic quantities as measures of the privacy of user profiles, and justify these metrics by building on Jaynes' rationale behind entropy-maximization methods and fundamental results from the method of types and hypothesis testing. Equipped with quantifiable measures of privacy and utility, the second part of this thesis investigates privacy-enhancing, data-perturbative mechanisms and architectures for two important classes of personalized information systems. In particular, we study the elimination of tags in semantic-Web applications, and the combination of the forgery and the suppression of ratings in personalized recommendation systems. We design such mechanisms to achieve the optimal privacy-utility trade-off, in the sense of maximizing privacy for a desired utility, or vice versa. We proceed in a systematic fashion by drawing upon the methodology of multiobjective optimization. Our theoretical analysis finds a closed-form solution to the problem of optimal tag suppression, and to the problem of optimal forgery and suppression of ratings. In addition, we provide an extensive theoretical characterization of the trade-off between the contrasting aspects of privacy and utility. Experimental results in real-world applications show the effectiveness of our mechanisms in terms of privacy protection, system functionality and data utility.

A recommender system is an automatic system that, given a customer model and a set of available documents, is able to select and offer those documents that are more interesting to the customer. From the point of view of security, there are two main issues that recommender systems must face: protection of the users' privacy and protection of other participants of the recommendation process. Recommenders issue personalized recommendations taking into account not only the profile of the documents, but also the private information that customers send to the recommender. Hence, the users' profiles include personal and highly sensitive information, such as their likes and dislikes. In order to have a really useful recommender system and improve its efficiency, we believe that users shouldn't be afraid of stating their preferences. The second challenge from the point of view of security involves the protection against a new kind of attack. Copyright holders have shifted their targets to attack the document providers and any other participant that aids in the process of distributing documents, even unknowingly. In addition, new legislation trends such as ACTA or the ¿Sinde-Wert law¿ in Spain show the interest of states all over the world to control and prosecute these intermediate nodes. we proposed the next contributions: 1.A social model that captures user's interests into the users' profiles, and a metric function that calculates the similarity between users, queries and documents. This model represents profiles as vectors of a social space. Document profiles are created by means of the inspection of the contents of the document. Then, user profiles are calculated as an aggregation of the profiles of the documents that the user owns. Finally, queries are a constrained view of a user profile. This way, all profiles are contained in the same social space, and the similarity metric can be used on any pair of them. 2.Two mechanisms to protect the personal information that the user profiles contain. The first mechanism takes advantage of the Johnson-Lindestrauss and Undecomposability of random matrices theorems to project profiles into social spaces of less dimensions. Even if the information about the user is reduced in the projected social space, under certain circumstances the distances between the original profiles are maintained. The second approach uses a zero-knowledge protocol to answer the question of whether or not two profiles are affine without leaking any information in case of that they are not. 3.A distributed system on a cloud that protects merchants, customers and indexers against legal attacks, by means of providing plausible deniability and oblivious routing to all the participants of the system. We use the term DocCloud to refer to this system. DocCloud organizes databases in a tree-shape structure over a cloud system and provide a Private Information Retrieval protocol to avoid that any participant or observer of the process can identify the recommender. This way, customers, intermediate nodes and even databases are not aware of the specific database that answered the query. 4.A social, P2P network where users link together according to their similarity, and provide recommendations to other users in their neighborhood. We defined an epidemic protocol were links are established based on the neighbors similarity, clustering and randomness. Additionally, we proposed some mechanisms such as the use SoftDHT to aid in the identification of affine users, and speed up the process of creation of clusters of similar users. 5.A document distribution system that provides the recommended documents at the end of the process. In our view of a recommender system, the recommendation is a complete process that ends when the customer receives the recommended document. We proposed SCFS, a distributed and secure filesystem where merchants, documents and users are protected
Este documento explora c omo localizar documentos interesantes para el usuario en grandes redes distribuidas mediante el uso de sistemas de recomendaci on. Se de fine un sistema de recomendaci on como un sistema autom atico que, dado un modelo de cliente y un conjunto de documentos disponibles, es capaz de seleccionar y ofrecer los documentos que son m as interesantes para el cliente. Las caracter sticas deseables de un sistema de recomendaci on son: (i) ser r apido, (ii) distribuido y (iii) seguro. Un sistema de recomendaci on r apido mejora la experiencia de compra del cliente, ya que una recomendaci on no es util si es que llega demasiado tarde. Un sistema de recomendaci on distribuido evita la creaci on de bases de datos centralizadas con informaci on sensible y mejora la disponibilidad de los documentos. Por ultimo, un sistema de recomendaci on seguro protege a todos los participantes del sistema: usuarios, proveedores de contenido, recomendadores y nodos intermedios. Desde el punto de vista de la seguridad, existen dos problemas principales a los que se deben enfrentar los sistemas de recomendaci on: (i) la protecci on de la intimidad de los usuarios y (ii) la protecci on de los dem as participantes del proceso de recomendaci on. Los recomendadores son capaces de emitir recomendaciones personalizadas teniendo en cuenta no s olo el per l de los documentos, sino tambi en a la informaci on privada que los clientes env an al recomendador. Por tanto, los per les de usuario incluyen informaci on personal y altamente sensible, como sus gustos y fobias. Con el n de desarrollar un sistema de recomendaci on util y mejorar su e cacia, creemos que los usuarios no deben tener miedo a la hora de expresar sus preferencias. Para ello, la informaci on personal que est a incluida en los per les de usuario debe ser protegida y la privacidad del usuario garantizada. El segundo desafi o desde el punto de vista de la seguridad implica un nuevo tipo de ataque. Dado que la prevenci on de la distribuci on ilegal de documentos con derechos de autor por medio de soluciones t ecnicas no ha sido efi caz, los titulares de derechos de autor cambiaron sus objetivos para atacar a los proveedores de documentos y cualquier otro participante que ayude en el proceso de distribuci on de documentos. Adem as, tratados y leyes como ACTA, la ley SOPA de EEUU o la ley "Sinde-Wert" en España ponen de manfi esto el inter es de los estados de todo el mundo para controlar y procesar a estos nodos intermedios. Los juicios recientes como MegaUpload, PirateBay o el caso contra el Sr. Pablo Soto en España muestran que estas amenazas son una realidad.

The prevalent use of the Internet not only brings with it numerous advantages, but also some drawbacks. The biggest of these problems is the threat to the individual’s personal privacy. This privacy issue is playing a growing role with respect to technological advancements. While new service-based technologies are considerably increasing the scope of information flow, the cost is a loss of control over personal information and therefore privacy. Existing privacy protection measures might fail to provide effective privacy protection in these new environments. This dissertation focuses on the use of new technologies to improve the levels of personal privacy. In this regard the WSP3 (Web Service Model for Personal Privacy Protection) model is formulated. This model proposes a privacy protection scheme using Web Services. Having received tremendous industry backing, Web Services is a very topical technology, promising much in the evolution of the Internet. In our society privacy is highly valued and a very important issue. Protecting personal privacy in environments using new technologies is crucial for their future success. These facts, combined with the detail that the WSP3 model focusses on Web Service environments, lead to the following realizations for the model: The WSP3 model provides users with control over their personal information and allows them to express their desired level of privacy. Parties requiring access to a user’s information are explicitly defined by the user, as well as the information available to them. The WSP3 model utilizes a Web Services architecture to provide privacy protection. In addition, it integrates security techniques, such as cryptography, into the architecture as required. The WSP3 model integrates with current standards to maintain their benefits. This allows the implementation of the model in any environment supporting these base technologies. In addition, the research involves the development of a prototype according to the model. This prototype serves to present a proof-of-concept by illustrating the WSP3 model and all the technologies involved. The WSP3 model gives users control over their privacy and allows everyone to decide their own level of protection. By incorporating Web Services, the model also shows how new technologies can be used to offer solutions to existing problem areas.

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2001.
Includes bibliographical references (leaves 213-216) and index.
Today's globally networked society places great demand on the dissemination and sharing of person specific data for many new and exciting uses. When these data are linked together, they provide an electronic shadow of a person or organization that is as identifying and personal as a fingerprint even when the information contains no explicit identifiers, such as name and phone number. Other distinctive data, such as birth date and ZIP code, often combine uniquely and can be linked to publicly available information to re-identify individuals. Producing anonymous data that remains specific enough to be useful is often a very difficult task and practice today tends to either incorrectly believe confidentiality is maintained when it is not or produces data that are practically useless. The goal of the work presented in this book is to explore computational techniques for releasing useful information in such a way that the identity of any individual or entity contained in data cannot be recognized while the data remain practically useful. I begin by demonstrating ways to learn information about entities from publicly available information. I then provide a formal framework for reasoning about disclosure control and the ability to infer the identities of entities contained within the data. I formally define and present null-map, k-map and wrong-map as models of protection. Each model provides protection by ensuring that released information maps to no, k or incorrect entities, respectively. The book ends by examining four computational systems that attempt to maintain privacy while releasing electronic information. These systems are: (1) my Scrub System, which locates personally-identifying information in letters between doctors and notes written by clinicians; (2) my Datafly II System, which generalizes and suppresses values in field-structured data sets; (3) Statistics Netherlands' pt-Argus System, which is becoming a European standard for producing public-use data; and, (4) my k-Similar algorithm, which finds optimal solutions such that data are minimally distorted while still providing adequate protection. By introducing anonymity and quality metrics, I show that Datafly II can overprotect data, Scrub and p-Argus can fail to provide adequate protection, but k-similar finds optimal results.
by Latanya Sweeney.
Ph.D.

Leakage of personal information in online conversations raises serious privacy concerns. For example, malicious users might collect sensitive personal information from vulnerable users via deliberately designed conversations. This thesis tackles the problem of privacy leakage in textual conversations and proposes to mitigate the risks of privacy disclosure by detecting and rewriting the risky utterances. Previous research on privacy protection in text has a focus on manipulating the implicit semantic representations in a continuous high dimensional space, which are mostly used for eliminating trails of personal information to machine learning models. Our research has a focus on the explicit expressions of conversations, namely sequences of words or tokens, which are generally used between human interlocutors or human-computer interactions. The new setting for privacy protection in text could be applied to the conversations by individual human users, such as vulnerable people, and artificial conversational bots, such as digital personal assistants. This thesis consists of two parts, answering two research questions: How to detect the utterances with the risk of privacy leakage? and How to modify or rewrite the utterances into the ones with less private information? In the first part of this thesis, we aim to detect the utterances with privacy leakage risk and report the sensitive utterances to authorized users for approval. One of the essential challenge of the detection task is that we cannot acquire a large-scale aligned corpus for supervised training of natural language inference for private information. A compact dataset is collect to merely validate the privacy leakage detection models. We investigate weakly supervised methods to learn utterance-level inference from coarse set-level alignment signals. Then, we propose novel alignment models for utterance inference. Our approaches manage to outperform competitive baseline alignment methods. Additionally, we develop a privacy-leakage detection system integrated in Facebook Messenger to demonstrate the utility of our proposed task in real-world usage scenarios. In the second part of this thesis, we investigate two pieces of work to rewrite the privacy-leakage sentences automatically into less sensitive ones. The first work discusses obscuring personal information in form of classifiable attributes. We propose to reduce the bias of sensitive attributes, such as gender, political slant and race, using an obscured text rewriting models. The rewriting models are guided by corresponding classifiers for the personal attributes to obscure. Adversarial training and fairness risk measurement are proposed to enhance the fairness of the generators, alleviating privacy leakage of the target attributes. The second work protects personal information in the form of open-domain textual descriptions. We further explore three feasible rewriting strategies, deleting, obscuring, and steering, for privacy-aware text rewriting. We investigate the possibility of fine-tuning a pre-trained language model for privacy-aware text rewriting. Based on our dataset, we further observe the relation of rewriting strategies to their semantic spaces in a knowledge graph. Then, a simple but effective decoding method is developed to incorporate these semantic spaces into the rewriting models. As a whole, this thesis presents a comprehensive study and the first solutions in varying settings for protecting privacy in conversations. We demonstrate that both privacy leakage detection and privacy-aware text rewriting are plausible using machine learning methods. Our contributions also include novel ideas for text alignment for natural language inference, training technologies for attribute obfuscating, and open-domain knowledge guidance to text rewriting. This thesis opens up inquiries into protecting sensitive user information in conversations from the perspective of explicit text representation.

碩士
國立臺灣大學
科際整合法律學研究所
102
Abstract Since the enactment of the Personal information Protection Act, enterprises have been facing potential risks of civil claims for damages. In addition to the authentication approach to examine conformity to the requirements by the Act, enterprises are also taking insurance measures to transfer the risks. As a result, demands on liability insurance of privacy protection come into being. This paper attempts to analyze the issues brought about by this new type of insurance, and tries to use the substantive law, procedural law, and pro forma contract approach to find solutions and build proposals. Firstly, this is a liability insurance, and therefore its insurance coverage is with the nature of recurrence, continuity, and potentiality. To insurer, this type of insurance incidences is prone to long-tail responsibilities. This problem should be handled with the insurance coverage design. Furthermore, the indemnification liability needs to go through litigation proceedings for verdict, and due to the domestic Insurance Law, Article 65, Item 3,this requirement can easily get the insured trapped in the statute of time limitations. Therefore, this problem needs to be solved by way of the procedural law and contract approach as well as law amendment. Secondly, what damages should be covered by the liability insurance of privacy protection responsibility? This paper divides the coverage into two parts: indemnification coverage amount and other relevant legal fees. Chapter 4 deals with the insured’s internal management staff, employees, and outsource contractors for their deliberate or negligent behaviors that cause data leakage incidences, and discusses whether these affiliates need to pay for the insurance and whether they are entitled for subrogation. Chapter 5 discusses the Double Insurance between the coexistent liability insurance of privacy protection and other insurances, and how they should be handled. Hopefully, the discourse presented in this paper can offer the public institutions and private enterprises some references in underwriting or insuring the liability insurance of privacy protection. Moreover, the author hopes that this paper can be a useful reference for the domestic insurance companies in their insurance design.

In our highly computerized and networked society, privacy of individuals is precious and becomes increasingly important. Problems particularly arise in the context of authentication protocols where, as a general rule, entities actively reveal their respective identities to each other. To encounter this issue, different privacy-preserving authentication methods have been developed in the last decades. The list of these techniques comprises, apart from identity escrow, ring authentication, hidden and anonymous credentials, and several others, the concept of affiliation-hiding authentication (AHA). Such protocols offer the appealing and seemingly contradictory service to enable users to authenticate each other as members of a certain group without revealing their affiliation to group outsiders. In AHA protocols (also known as Secret Handshakes), users become group members by registering with group authorities (GAs) and obtaining individual membership credentials. Group members then use their credentials to privately authenticate each other, optionally also establishing a secure session key. The pivotal privacy property that contrasts AHA with classical authentication or authenticated key establishment is that parties learn each other's affiliations to groups and compute common session keys if and only if their groups match. Prior work has succeeded in constructing AHA protocols that offer different degrees of security, privacy, and efficiency. However, a set of essential problems have been left open. These include a close study of the level of trust that intrinsically has to be placed into participants of such systems (including into GAs), the extension of the single-group setting with only one GA to a setting where users are affiliated to multiple groups and, through AHA, want to discover matching ones, and certainly the question of efficient implementability. We argue that all these topics are highly relevant for practical deployment of privacy-preserving authentication in general, and AHA in particular. In this thesis, the author concretizes and cryptographically models these challenges, and offers provably secure solutions. Furthermore, this thesis treats privacy-related challenges that are posed in the context of network-based social interactions. Without doubt, online social networks, that help participants to build and reflect their social relations to other participants, have taken an essential role in people's daily life. A key step in the constitution of new links between participants consists of the reconciliation of shared contacts or friends. The author develops techniques to discover common contacts in social networks in a privacy-aware manner, i.e., without disclosing non-matching contacts. Besides formalizing this task and offering appropriate solutions, the thesis analyzes an interesting connection between AHA protocols and the challenge of private discovery of common contacts. By identifying and solving a variety of relevant open problems in the context of privacy-aware authentication, this thesis contributes to wide-scale deployment of methods that respect and regain user privacy in p2p systems, mobile ad hoc networks, and social networking applications.

碩士
明新科技大學
資訊管理研究所
95
Interests continue to grow in recent years for the adoption of Radio Frequency Identification (RFID) in many different areas including transportation and supply chain management. Those RFID-included objects can be targeted more efficiently by real-time tracking and instant management. However, because of the contact-less type of RFID remote retrieval, the transmission of data in the air is very vulnerable to eavesdropping or appropriation. A primary security concern surrounding RFID technology is the illicit tracking of consumer location and analyzing of their shopping habits or behavior. Recently, there are many solutions are proposed for RFID security, but each solution has pros and cons. This research will propose two protocols to lower the cost and enhance the security. Besides, most of the existing solutions assume the channel between RFID reader and the back-end database is secure, for it is structured in the wired environment of enterprise’s interior. However, nowadays the wireless portable RFID readers are widely used to connect back-end databases. Therefore, this research will also propose a lightweight secure protocol without the assumption.

Radio Frequency IDentification (RFID) is a technology of automatic object identification. Retailers and manufacturers have created compelling business cases for deploying RFID in their supply chains. Yet, the uniquely identifiable objects pose a privacy threat to individuals. In this paper, we study the privacy threats caused by publishing RFID data. Even if the explicit identifying information, such as name and social security number, has been removed from the published RFID data, an adversary may identify a target victim's record or infer her sensitive value by matching a priori known visited locations and time. RFID data by its nature is high-dimensional and sparse, so applying traditional k -anonymity to RFID data suffers from the curse of high-dimensionality, and results in poor information usefulness. We define a new privacy model and develop an anonymization algorithm to accommodate special challenges on RFID data. Then, we evaluate its effectiveness on synthetic data sets.

碩士
中原大學
資訊工程研究所
103
Mobile apps is moving power behind the prevalence of intelligent mobile devices, which, in turn, bring in the exponentially growing number of mobile apps being developed. The personalized and ubiquitous characteristics of intelligent mobile devices, with the added variety of record taking and data sensing capabilities become a serious threat to user privacy when linked with the communication ability of the mobile devices. How to allow us to enjoy all the conveniences and services without privacy risk is an important issue to all users of mobile devices. The available privacy protection schemes or methods either require change made at the mobile device system framework and core, or require complicate technology process and skill. In this thesis, we proposed a proxy server based approach to develop a solution practical to ordinary users. A prototype has been implemented to demonstrate the practicality and usability of the privacy protection mechanism.

碩士
明新科技大學
資訊管理研究所
96
Bluetooth, a short range wireless communication standard, has made possible a number of digital devices totally free from being bonded to wires and cables. It’s application which used to serve mostly cell phones and headsets has widely extended to PCs and PDAs. Given the data transferred has come to a greater degree of sensitivity, security issues involving Bluetooth transmission have raised many concerns. However, during the authentication and key exchange process of Bluetooth communication, a lot of information is transferred in plaintext, which allows a malicious third party to spoof the legal Bluetooth device to make it through the authentication, or to deduce the encryption key to eavesdrop the transferring data. The revised version of standard, Bluetooth V2.1, came forth in 2007 with a new security mechanism, Secure Simple Pairing, which seemly eradicated the problems legacy pairing had missed out such as spoofing attacks and eavesdropping attacks. However, as authentication is done by visual confirming on displayed 6-digit numbers to avoid man-in-the-middle attacks, there are quite a few instances of user error that will result in security and privacy breaches. This paper will introduce and analyze the security mechanism of Bluetooth first, then discuss the security drawbacks on this mechanism, and finally an improved scheme is proposed that could be applied in high security demanding applications.

碩士
明新科技大學
資訊管理研究所
97
As the Radio Frequency Identification technology progresses and cost decreases, the enterprises induct RFID to enhance the operational efficiency of enterprises. RFID has thus been widely used in many domains, such as supply chain, access control, transportation tickets, automatic toll collection, livestock management and contactless credit cards etc. As its cost declines and function extends, RFID is anticipated to be widely used in our daily life. However, the transmission of data in the air is vulnerable to eavesdrop-ping, interruption, or modification. Adversaries may use the illegal reader to violate the privacy or trace the position of users. On top of this, its prevalence has brought the stress on its security and privacy issues. Therefore, privacy protection will become a major topic of RFID in the near future. Many RFID security mechanisms for privacy protection have been proposed in re-cent years. Those mechanisms can be categorized into two types: pseudonyms, and shared secret update. However, most of those mechanisms assume the channel between the reader to the server is secure. And a large number of complex computations are needed. Moreover, some of those mechanisms can not prevent replay and denial of ser-vice attacks. This study aims to discuss the privacy protection of RFID, analyze the existing se-curity mechanisms and propose an improved protocol to effectively promote RFID se-curity, allowing consumers to enjoy the technological convenience brought by RFID.

碩士
東吳大學
法律學系
97
As the Internet is becoming widely used and the number of users is growing everyday, the Internet has already become a part of human life. However, as the uncertainty of the electronic commerce is higher than that of the physical store, also the qualities of goods vary from stores to stores on the Internet, and due to attacks by hackers, fraud, faked cards, personal information leakage and other adverse news report about the Internet, secure transaction has thus become a very important issue. It is necessary that the government establishes a complete operation regulation of the Internet security, transaction mechanism and etc , so as to increase online transactions as well as the business opportunities of the electronic commerce. Only by providing a reliable and mutually unobstructed electronic commerce environment can we enhance our overall global competitiveness of the domestic industries. Hence, it is expected that this research proposes an effective solution for secure transactions, thus achieving gaining the consumers’ trust on internet and increasing the economic growth. This paper discusses the importance of the Internet security by investigating the types of information privacy violation. Recommendations on our current regulations are proposed based on the privacy regulation of Organization for Economic Cooperation and Development, APEC Electronic Commerce Steering Group, European Union, the United States, Japan and other countries, and the privacy protection mechanisms are discussed from the aspects of website disciplinary regulation, Sign-in seal, Trustmark and etc. In addition, with regard to the legislation of privacy protection of the B2C transaction by the government not being able to respond to the fast development of electronic commerce, this paper also proposes ways for individual consumers and the online shop owners to enhance the online transaction security, thus creating a double-win situation and increasing the overall competitiveness of Taiwan.

Dissertação de Mestrado em Engenharia Informática apresentada à Faculdade de Ciências e Tecnologia da Universidade de Coimbra.
Privacy is for a long time a concern when data is being discussed. Nowadays, with an increasing amount of personal and confidential data being transmitted and stored online, data curators have to assure certain guarantees of data protection and privacy. This Master Dissertation presents a background of anonymization and concealing techniques. Their characteristics and capabilities are described, as well as tools to implement and evaluate anonymization and concealing. The evaluation of the applicability of the DNA-inspired concealing algorithm is the main objective of this work. Usually, various metrics are used to measure aspects like risk or utility of the anonymized data. This work presents a new approach of evaluating how well concealed is the data. By using the Cosine Similarity as a measure of similarity between the private and concealed data, this metric proves its worthiness not only in information retrieval or text mining applications but also in the analysis of concealed or anonymized files. Nowadays there is a continuously growing demand for Cloud services and storage. The evaluation in the Master Dissertation is directed to find how suitable is the application of the DNA-inspired concealing algorithm over the data being stored or transmitted in the Cloud. The evaluation is made by analyzing the concealing results as well as the performance of the algorithm itself. The application of the algorithm is made over various texts and audio files with different characteristics, like size or contents. However, both file types are unstructured data. Which is an advantage for being accepted as an input by the algorithm. Unlike many anonymization algorithms which demand structured data. With the final results and analysis, it will be possible to determine the applicability and performance of the referred algorithm for a possible integration with the Cloud.

碩士
中國文化大學
法律學研究所
98
Chinese community in the long period of martial law martial pains, its development has become increasingly democratic, Right Protection of the public about their growing importance, the Government has also provided services to aspiration, to achieve this goal, government information is not public avoid the trend. Implementation of a public policy of any government, who must monitor citizen participation and rational, so the policy can meet the people expect. Freedom of information for the protection of the Constitution stipulates that freedom, negative freedom as a right, not only the protection of personal privacy violations, on the positive side, the right to freedom of information as a constitutional right to public freedom of information how to apply the right to promote the public welfare, use of information, create a fair, just and justice of the modern welfare state, the government can not evade responsibility. This paper tries to self-constitution, rule by law the principle of the viewpoint, of the Government Information Disclosure in administrative acts to the people the right to be protected, and analysis of Chinese government information public legal system, the development process and structure, and try on the current situation to be improved between recommendations and the letter On the Regulations on Open Government in China to receive his mountain effect. The thesis is divided into five chapters; the first chapter is an introduction, an overview of this research motivation, research methods, expected results of the study limitations and paper structure; second chapter of the Constitution to protect the basic rights of freedom of information, an overview of the Constitution Evolution and change, after the principles expounded the basic concepts of the rule of law country, gradually cut into the free flow of information to be explored; the third chapter of the conflict, information disclosure and privacy, the information outlined in our open system of germination, establishment of rule of law, the current situation, and with neighboring Japan open system of government information protection and privacy of a comparison; the fourth is an overview of the open system of cross-strait information and privacy protection compared with an overview of open government information in China the status of the legal system, and discusses its Open Government Information Ordinance Legislative History and local information in its public discourse whom the rule of law; fifth chapter is the conclusion and recommendations; this chapter as a summary of this thesis, the Chinese government information disclosure law a number of proposals to serve as a reference for future amendments.

碩士
國立清華大學
科技法律研究所
99
With the rapid development of information technology, on one hand, the daily life becomes more convenient; but on the other hand, it also brings about more complicated issues on the privacy and security than ever. Cloud computing service is not a brand new technology, but a new business service model. With the diversification of the cloud computing service applications, its impact on protection of personal privacy is more influential than any other technologies. The essay, through the interaction between privacy, security, information technology, will not only analyze the exclusivity, variability, right of self-determination, right of resistance, and property rights of information privacy, but also will explore the possible legal issues and risks which the cloud computing service may incur in terms of protection on information privacy. Meanwhile, based upon Safe Harbor framework, the essay will also study the gaps between the intentions of the service providers on privacy protection and legal mechanism. The output of the study will serve as a valuable reference for domestic service providers when elaborating and implementing privacy policies. Through the introduction of proper legal and auditing system, the dynamic balance between possible risks and technological development can be achieved. The privacy protection cannot run smoothly without following the frameworks of objective environment, laws and regulations, and reasonable privacy expectation. The essay also intends to propose feasible suggestions for the protection of information privacy in cloud computing service, which may be applied or related to the undergoing detailed regulations of Personal Data Protection Act.

The individual of today incessantly insists on more protection of his/her personal privacy than a few years ago. During the last few years, rapid technological advances, especially in the field of information technology, directed most attention and energy to the privacy protection of the Internet user. Research was done and is still being done covering a vast area to protect the privacy of transactions performed on the Internet. However, it was established that almost no research has been done on the protection of the privacy of personal data that are stored in tables of a relational database. Until now the individual had no say in the way his/her personal data might have been used, indicating who may access the data or who may not. The individual also had no way to indicate the level of sensitivity with regard to the use of his/her personal data or exactly what he/she consented to. Therefore, the primary aim of this study was to develop a model to protect the personal privacy of the individual in relational databases in such a way that the individual will be able to specify how sensitive he/she regards the privacy of his/her data. This aim culminated in the development of the Hierarchical Privacy-Sensitive Filtering (HPSF) model. A secondary aim was to test the model by implementing the model into query languages and as such to determine the potential of query languages to support the implementation of the HPSF model. Oracle SQL served as an example for text or command-based query languages, while Oracle SQL*Forms served as an example of a graphical user interface. Eventually, the study showed that SQL could support implementation of the model only partially, but that SQL*Forms was able to support implementation of the model completely. An overview of the research approach employed to realise the objectives of the study: At first, the concepts of privacy were studied to narrow down the field of study to personal privacy and the definition thereof. Problems that relate to the violation or abuse of the individual’s personal privacy were researched. Secondly, the right to privacy was researched on a national and international level. Based on the guidelines set by organisations like the Organisation for Economic Co-operation and Development (OECD) and the Council of Europe (COE), requirements were determined to protect the personal privacy of the individual. Thirdly, existing privacy protection mechanisms like privacy administration, self-regulation, and automated regulation were studied to see what mechanisms are currently available and how they function in the protection of privacy. Probably the most sensitive data about an individual is his/her medical data. Therefore, to conclude the literature study, the privacy of electronic medical records and the mechanisms proposed to protect the personal privacy of patients were investigated. The protection of the personal privacy of patients seemed to serve as the best example to use in the development of a privacy model. Eventually, the Hierarchical Privacy-Sensitive Filtering model was developed and introduced, and the potential of Oracle SQL and Oracle SQL*Forms to implement the model was investigated. The conclusion at the end of the dissertation summarises the study and suggests further research topics.
Prof. M.S. Olivier