Chapter 43
Privacy-Enhancing Technologies1
Simone Fischer-Hbner
Professor, Karlstad University, Karlstad/Sweden
Stefan Berthold
Karlstad University
Privacy is considered a core value and is recognized
either explicitly or implicitly as a fundamental human
right by most constitutions of democratic societies. In
Europe, the foundations for the right to privacy of indi-
viduals were embedded in the European Convention on
Human Rights and Fundamental Freedoms of 1950
(Art. 8) and the Charter of Fundamental Rights of the
European Union in 2009 (Art. 7 & 8). In 1980, the
OECD recognized the importance of privacy protection
with the publication of the OECD Privacy Guidelines [1],
which served as the foundation for many national
privacy laws.
1. THE CONCEPT OF PRIVACY
Privacy as a social and legal issue has long been a con-
cern of social scientists, philosophers, and lawyers. The
first definition of privacy by legal researchers was given
by the two American lawyers Samuel D. Warren and
Louis D. Brandeis in their famous Harvard Law Review
chapter “The Right to Privacy” [2], in which they defined
privacy as “the right to be let alone.” At that time, the
risks of modern technology in the form of photography
used by the yellow press to infringe privacy rights was
the motivation for Warren and Brandeis’s discussion of
the individual’s right to privacy.
In the age of modern computing, an early and often
referred to definition of privacy was given by Alan
Westin: “Privacy is the claim of individuals, groups and
institutions to determine for themselves, when, how and
to what extent information about them is communicated
to others” [3]. Even though, according to Westin’s defini-
tion, natural persons (humans) as well as legal persons
(groups and institutions) have a right to privacy, in most
1. Parts of this work were conducted within the scope of the PetWeb II
project funded by the Norwegian Research Council (NFR) and the
U-PrIM project funded by the Swedish Knowledge (KK) Foundation.
Computer and Information Security Handbook. DOI: http://dx.doi.org/10.1016/B978-0-12-394397-2.00043-X
© 2013 Elsevier Inc. All rights reserved.
legal systems, privacy is defined as a basic human right
that only applies to natural persons.
In general, the concept of personal privacy has several
dimensions. This chapter mainly addresses the dimension
of informational privacy, which can be defined, similarly
as by Westin and by the German Constitutional Court in
its Census decision,2 as the right to informational self-
determination (the right of individuals to determine for
themselves when, how, and to what extent information
about them is communicated to others). Furthermore,
so-called spatial privacy can be defined as another dimen-
sion of the concept of privacy, which also covers the
“right to be let alone,” where spatial privacy is defined as
the right of individuals to control what is presented to
their senses [4]. Further dimensions of privacy, which
will, however, not be the subject of this chapter, are terri-
torial privacy, which concerns the setting of limits on
intrusion into the domestic, workplace, and other environ-
ments (public spaces), and bodily privacy, which con-
cerns protecting a person against undue interference, such
as physical searches, drug testing, or information violat-
ing his or her moral sense (see [5,6]).
Data protection concerns protecting personal data in
order to guarantee privacy and is only part of the concept
of privacy. Privacy, however, is not an unlimited or abso-
lute right, because it can be in conflict with other rights
or legal values and because individuals cannot participate
fully in society without revealing personal data.
Nevertheless, even in cases where privacy needs to be
restricted, the very core of privacy still needs to be pro-
tected. For this reason, the objective of privacy and data
protection laws is to define fundamental privacy princi-
ples that need to be enforced if personal data is collected,
stored, or processed.
2. German Constitutional Court, Census decision, 1983 (BVerfGE 65,1).
755
756
An Agenda for Action for Privacy-Enhancing Technologies
The Privacy-Enhancing Technology (PET) Concept: (Check
All Tasks Completed)
_____1. Enforces making sparing use of data.
_____2. Makes privacy the default.
_____3. Transfers control to individuals.
_____4. Sends tags to a secure mode automatically.
_____5. Can prove that automatic activation of the secure
mode always works.
_____6. Prevents eavesdropping of tag-reader
communication.
_____7. Protects individuals from producer.
_____8. Protects individuals from retailer.
_____9. Protection includes in-store problem.
_____10. Protects tag in secure mode against presence-
spotting.
2. LEGAL PRIVACY PRINCIPLES
In this section, we present an overview to internationally
well-accepted, basic legal privacy principles, for which
PETs implementing these principles have been developed.
These principles are also part of the general EU Data
Protection Directive 95/46/EC [7], which is an important
legal instrument for protection of privacy in Europe, as it
codifies general privacy principles that have been imple-
mented in the national privacy laws of all EU member
states and of many other states. The principles also corre-
spond to principles of the OECD Privacy Guidelines to
which we will also refer.
Legitimacy
Personal data processing has to be legitimate, which
according to Art. 7 EU Directive 95/46/EC is usually the
case if the data subject3 has given his unambiguous (and
informed) consent, if there is a legal obligation, or if there
is contractual agreement (cf. the Collection Limitation
Principle of the OECD Guidelines). The requirement of
informed consent poses special challenges for the design
of user interfaces (UIs) for PETs.
Purpose Specification and Purpose Binding
(Also Called Purpose Limitation)
Personal data must be collected for specified, explicit, and
legitimate purposes and may not be further processed in a
way that is incompatible with these purposes (Art. 6 I (b)
EU Directive 95/46/EC). The purpose limitation principle
3. A data subject is a person about whom personal data is processed.
PART | V Privacy and Access Management
_____11. Does not require individuals to take active protec-
tion measures.
_____12. Does not interfere with active protection
measures.
_____13. Avoids creation and use of central database(s).
_____14. Avoids creation and use of databases at all.
_____15. Enables functionality after point-of-sale in a secure
way.
_____16. Can be achieved without changing Radio
Frequency Identification (RFID) physical
technology.
_____17. Does not make tags much more expensive.
_____18. Does not introduce additional threats to
privacy.
_____19. Introduces additional benefits for privacy.
_____20. Provides benefits for the retailer.
is of key importance for privacy protection, as the sensi-
tivity of personal data does not only depend on how
“intimate” the details are, which the personal data are
describing, but is also mainly influenced by the purposes
of data processing and context of use. For this reason, the
data processing purposes need to be specified in advance
by the lawmaker or by the data processor before obtaining
the individual’s consent, and personal data may later not
be (mis)used for any other purposes (cf. Purpose
Specification and Use Limitation Principles of the OECD
Guidelines). The objective of privacy policy languages
and tools is to enforce this principle.
Data Minimization
The processing of personal data must be limited to data
that are adequate, relevant, and not excessive (Art. 6 I (c)
EU Directive 95/46/EC). Besides, data should not be kept
in a personally identifiable form any longer than neces-
sary (Art. 6 I (e) EU Directive 95/46/EC—cf. Data
Quality Principle of the OECD Guidelines, which requires
that data should be relevant to the purposes for which
they are to be used). In other words, the collection of per-
sonal data and the extent to which personal data are used
should be minimized because obviously privacy is best
protected if no personal data at all (or at least as little
data as possible) are collected or processed. The data
minimization principle derived from the Directive also
serves as a legal foundation for PETs (see checklist: An
Agenda for Action for Privacy-Enhancing Technologies).
that aim at protecting “traditional” privacy goals, such as
anonymity, pseudonymity, or unlinkability for users and/
or other data subjects.
Chapter | 43 Privacy-Enhancing Technologies
Transparency and Rights of the Data
Subjects
Transparency of data processing means informing a data
subject about the purposes and circumstances of data
processing, identifying who is requesting personal
data, how the personal data flow, where and how long
the data are stored, and what type of rights and controls
the data subject has in regard to his personal data.
The Directive 95/46/EC provides data subjects with
respective information rights according to its Art. 10.
Transparency is a prerequisite for informational
self-determination, as “a society, in which citizens can
no longer know who does, when, and in which situations
know what about them, would be contradictory to the
right of informational self-determination.”4 Further
rights of the data subjects include the right of access to
data (Art. 12 (a) EU Directive 95/46/EC), the right to
object to the processing of personal data (Art. 14
EU Directive 95/46/EC), and the right to correction, era-
sure, or blocking of incorrect or illegally stored data
(Art. 12 (b) EU Directive 95/46/EC, cf. Openness and
Individual Participation Principle of the OECD
Guidelines).
Security
The data controller needs to install appropriate technical
and organizational security mechanisms to guarantee the
confidentiality, integrity, and availability of personal data
(Art. 17 EU Directive 95/46/EC) (cf. Security Safeguards
Principle of the OECD Guidelines). Classical security
mechanisms, such as authentication, cryptography, access
control, or security logging, which need to be implemen-
ted for technical data protection, will, however, not be
discussed in this chapter.
In January 2012, the EU Commission published a
proposal for a new EU Regulation [8], which defines a
single set of modernized privacy rules and which (once
the regulation is in force) will be directly valid across
the EU. In particular, it includes the principle of data
protection/privacy by design and by default (Art. 23),
requiring building PETs already into the initial system
design. Besides, the requirements of transparency for
data handling and easily accessible policies (Art. 11) are
explicitly included. Furthermore, the right to be forgot-
ten (Art. 17) and a right to data portability (Art. 18) are
newly included, which require technical support by
appropriate PETs.
4. German Constitutional Court, Census decision, 1983 (BVerfGE 65,1).
757
3. CLASSIFICATION OF PETS
Privacy-enhancing technologies (PETs) can be defined as
technologies that enforce legal privacy principles in order
to protect and enhance the privacy of users of information
technology (IT) and/or data subjects (see [9]). While
many fundamental PET concepts for achieving data mini-
mization were already introduced, mostly by David
Chaum, in the 1980s (see [10
12]), the term privacy-
enhancing technologies was first introduced in 1995 in a
report on “privacy-enhancing technologies, which was
jointly published by the Dutch Registratiekamer and the
Information and Privacy Commissioner in Ontario/
Canada [13]. PETs can basically be divided into three dif-
ferent classes.
The first class comprises PETs for enforcing the legal
privacy principle of data minimization by minimizing or
avoiding the collection and use of personal data of users
or data subjects. These types of PETs provide the
“traditional” privacy goals of anonymity, unlinkability,
unobservability, and pseudonymity, which will be elabo-
rated on in the next section. This class of PETs can be
further divided, dependent on whether data minimization
is achieved on the communication or application level.
Examples for some of the most prominent data minimiza-
tion technologies will be presented in Section 6.
While data minimization is the best strategy for pro-
tecting privacy, there are many occasions in daily life
when individuals simply have to reveal personal data, or
when users want to present themselves by disseminating
personal information (especially on social network sites).
In these cases, the privacy of the individuals concerned
still needs to be protected by adhering to other relevant
legal privacy requirements). The second class of PETs
therefore comprises technologies that enforce legal pri-
vacy requirements, such as informed consent, transpar-
ency, right to data subject access, purpose specification,
and purpose binding and security, in order to safeguard
the lawful processing of personal data. In this chapter, so-
called transparency-enhancing technologies will be dis-
cussed, which are PETs that enforce or promote informed
consent and transparency. Besides, we will refer to pri-
vacy models and privacy authorization languages for
enforcing the principle of purpose binding.
The third class of PETs comprises technologies that
combine PETs of the first and second class. An example
is provided by privacy-enhancing identity management
technologies such as the ones that have been developed
within the EU FP6 project PRIME (Privacy and Identity
Management for Europe) [14]. The PRIME architecture
supports strong privacy by default by anonymizing the
underlying communication and achieving data minimiza-
tion on the application level by the use of anonymous cre-
dential protocols. Besides privacy presentation and
758
negotiation tools, privacy authorization language for
enforcing negotiated policies and tools allowing users to
“track” and access their data that they released to remote
services sides ensure the technical enforcement of all pri-
vacy requirements mentioned in the section above.
4. TRADITIONAL PRIVACY GOALS OF PETS
In this section, privacy goals for achieving data minimiza-
tion are defined, which we call traditional privacy goals
because early PETs that were developed already in the
1980s followed these goals. Data minimization as an
abstract strategy describes the avoidance of unnecessary
or unwanted data disclosures. The most fundamental
information that can be disclosed about an individual is
who he is, that is, an identifier, or which observable
events he is related to. If this information can be kept
secret, the individual remains anonymous. Pfitzmann and
Hansen, who pioneered the technical privacy research ter-
minology, define anonymity as follows: Anonymity of a
subject means that the subject is not identifiable within a
set of subjects, the anonymity set [14].
By choosing the term subject, Pfitzmann and Hansen
aim to define the term anonymity as generally as possible.
The subject can be any entity defined by facts (names or
identifiers, or causing observable events, such as by send-
ing messages). If an adversary cannot narrow down the
sender of a specific message to less than two possible
senders, the actual sender of the message remains anony-
mous. The two or more possible senders in question form
the anonymity set. The anonymity set, and particularly its
size, will be the first privacy metrics discussed in
Section 5, Privacy Metrics.
An adversary that discovers the relation between a
fact or an event and a subject identifies the subject.
Relations cannot only exist between facts or events and
subjects, but may exist between facts, actions, and sub-
jects. An adversary may, for instance, discover that two
messages have been sent by the same subject, without
knowing this subject. The two messages would be part of
the equivalence relation [15] that is formed by all mes-
sages that have been sent by the same subject. Knowing
this equivalence relation (and maybe even others) helps
the adversary to identify the subject. Pfitzmann and
Hansen define the inability of the adversary to discover
these equivalence relations as unlinkability.
Unlinkability of two or more items of interest (IOIs (subjects,
messages, actions, . . . )) from an attacker’s perspective means
that within the system (comprising these and possibly other
items), the attacker cannot sufficiently distinguish whether these
IOIs are related or not [14].
A special type of unlinkability is the unlinkability of a
sender and recipient of a message (or so-called
PART | V Privacy and Access Management
relationship anonymity), which means that the relation of
who is communicating with whom is kept secret. Data
minimization can also be implemented through obfuscat-
ing the presence of facts and events. The idea is that
adversaries who are unable to detect the presence of facts
or events cannot link them to subjects. Pfitzmann and
Hansen define this privacy goal as undetectability.
Undetectability of an item of interest (IOI) from an attacker’s
perspective means that the attacker cannot sufficiently distin-
guish whether it exists or not [14].
The strongest privacy goal in data minimization is
unobservability, which combines undetectability and ano-
nymity: Unobservability of an item of interest (IOI) means:
G undetectability of the IOI against all subjects unin-
volved in it and
G anonymity of the subject(s) involved in the IOI even
against the other subject(s) involved in that IOI [14].
The third and last way to implement data minimization,
apart from obfuscating the facts, the events (undetectabil-
ity, unobservability), or the relation between them and the
subjects (unlinkability), is the use of pseudonyms in
the place of subjects. Pseudonyms may be random num-
bers, email addresses, or (cryptographic) certificates. In
order to minimize the disclosed information, pseudonyms
must not be linkable to the subject. The corresponding pri-
vacy goal is pseudonymity: Pseudonymity is the use of
pseudonyms as identifiers [14].
Pseudonymity is related to anonymity, as both con-
cepts aim at protecting the real identity of a subject. The
use of pseudonyms, however, allows maintaining a refer-
ence to the subject’s real identity (for accountability
purposes [16]). A trusted third party could, for instance,
reveal the real identities of misbehaving pseudonymous
users. Pseudonymity also enables a user to link certain
actions under one pseudonym. For example, a user could
reuse the same pseudonym in an online auction system
(such as eBay) for building up a reputation.
The degree of anonymity protection provided by pseu-
donyms depends on the amount of personal data of the
pseudonym holder that can be linked to the pseudonym,
and on how often the pseudonym is used in various con-
texts/for various transactions. The best privacy protection
can be achieved if for each transaction a new so-called
transaction pseudonym is used that is unlinkable to any
other transaction pseudonyms and at least initially unlink-
able to any other personal data items of its holder (see
also [14]).
5. PRIVACY METRICS
Privacy metrics aim to quantify the effectiveness of
schemes or technologies with regard to the privacy goals
Chapter | 43 Privacy-Enhancing Technologies
defined in the previous section. A simple metrics for mea-
suring anonymity is the anonymity set [14]. The anonym-
ity set comprises all subjects that may have caused an
event that is observed by the adversary. The subjects in
the set cover up for each other against the adversary. The
adversary can thus not hold a single subject responsible
for the observed event as long as the set size of the ano-
nymity set is greater than one. Greater set sizes are useful
for protecting against (stronger) adversaries that would
accept false positives up to a certain threshold among the
subjects that are held responsible. In this case, the set size
has to exceed such a threshold.
The anonymity set size is also related to the metrics in
k-anonymity [17]. K-anonymity is defined as a property
or a requirement for databases that must not leak sensitive
private information. This concept was also applied as an
anonymity metrics in location-based services [18] and in
VoIP [19,20]. The underlying assumption is that database
tables store two kinds of attributes. The first kind is iden-
tifying information, and the second is identifying sensi-
tive information. The claim is that the database table is
anonymous if every search for identifying information
results in a group of at least k candidate records. The k in
k-anonymity is thus the privacy parameter that determines
the minimum group size. Groups of candidate records
form anonymity sets of identifiers in the database table.
The k-anonymity as a privacy property and k as a
metrics are not undisputed. In particular, the fact that
k-anonymity only depends on the identifying informa-
tion in the database table—that is, it is independent of
the sensitive information—leads to remaining privacy
risks [21]. A simple attack building on the k-anonym-
ity’s blindness for sensitive information is described in
[22]. The trick is to search for candidate groups where
the sensitive attribute has a constant value for all candi-
dates. The sensitive attribute value is immediately dis-
closed for all records in the candidate group; thus, privacy
is breached. A solution to these risks is a new privacy
property, l-diversity, with the privacy parameter l.
The claim of l-diversity is that a database table is anon-
ymous if the diversity of sensitive attribute values is at
least l ( . 1) in every candidate group. In some cases,
l-diversification would not sufficiently protect from
attribute disclosure or would be too difficult to estab-
lish. A third property, t-closeness [23], is solving this
problem. T-closeness restricts the distribution of sensi-
tive information within a candidate group. The claim
is that a database table is anonymous if the distribution
of sensitive information within each candidate group
differs from the table’s distribution at most up to a
threshold t.
All these privacy metrics with the exception of the
anonymity set are tailored to static database tables.
Changes in the data set are possible, but the privacy
759
properties have to be reestablished afterward. T-closeness
as one of the latest developed properties in this category
is a close relative to information-theoretic privacy
metrics. Information-theoretic metrics measure the infor-
mation that an adversary learns by observing an event or
a system, for example, all observable events in a commu-
nication system. The information always depends on the
knowledge the adversary had before his observation, the
a-priori knowledge. Knowledge is expressed as a proba-
bility distribution over the events. For a discrete set of
events X 5 fx1 ; x2 ; . . .; xn g and the probability mass func-
tion Pr: X-½0; 1, Shannon [24] defines the self-
information of xi , 1 # i # n, as
Iðxi Þ 5 2 log2 Prðxi Þ
The self-information Iðxi Þ is what an adversary learns
when he observes the event xi with his a-priori knowledge
about all possible events encoded in the probability mass
function Pr. The self-information takes the minimal value
zero for Prðxi Þ 5 1; that is, the adversary will learn mini-
mal information from observing xi , if he is a-priori certain
that xi will be observed. The self-information approaches
infinity for Prðxi Þ-0; that is, the more information
the adversary learns, the less likely the observed events
are. The expected self-information of a system with the
events X is the entropy of the system. Shannon defines
the entropy as
X
HðXÞ 5 Prðxi ÞUIðxi Þ
xi AX
The entropy is maximal when the distribution of all
events is uniform; that is, Prðxi Þ 5 1n for all 1 # i # n. The
maximal entropy is thus
1
Hmax 5 2 log2 5 log2 n
n
The entropy is minimal when one event xi is perfectly
certain; that is, Prðxi Þ 5 1 and Prðxj Þ 5 0 for all xj AX and
xj 6¼ xi .
The “degree of anonymity” is the entropy of the com-
munication system in question [25,26]. This degree of
anonymity measures the anonymity of the message’s
sender within the communication system. When the
adversary learns the actual sender of the message, he will
learn the self-information Iðxi Þ where each xi AX encodes
the fact that one specific subject is the sender of the mes-
sage. The probability distribution Pr encodes the a-priori
knowledge of the adversary about the sender. A uniform
distribution (maximal entropy) indicates minimal a-priori
knowledge (maximal sender anonymity). Absolute cer-
tainty, on the other hand (minimal entropy), indicates per-
fect a-priori knowledge (minimal sender anonymity). The
degree of anonymity can be used to compare communica-
tion systems with different features (numbers of subjects)
760 PART | V Privacy and Access Management

when normalized [25] with max entropy Hmax and other-
wise without normalization [26].
The same entropy-based metrics can be applied to
measure the anonymity provided by facts about a subject
[27]. The adversary’s a-priori knowledge, encoded in the
probability mass function Pr, comprises how well a fea-
ture vector with facts about a subject fits to each subject
xi AX. The adversary learns the self-information Iðxi Þ
when learning that the feature vector applies to the sub-
ject xi . The entropy HðXÞ can be seen as the confusion of
the adversary before he learns the subject that the feature
vector is applying to.
The entropy can be used to calculate the expected
anonymity set size, which is 2HðXÞ . The expected anonym-
ity set size is equal to the anonymity set size, if Pr corre-
sponds to the uniform distribution (if the message [25,26]
or feature vector [27] is not more or less linkable to one
subject than to any other subject in X). The anonymity set
size can be seen as an overestimation of the expected ano-
nymity set size, if Pr does not correspond to the uniform
distribution; that is, some subjects are more linkable than
others in the anonymity set. In this case, the expected
anonymity set size or the degree of anonymity is the
more accurate metrics.
Metrics that are based on entropy have the disadvan-
tage that the a-priori knowledge Pr of the adversary has
to be known when evaluating the metrics. When this a-
priori knowledge can be derived from publicly available
observations (message routing data in a network [25,26]),
the metrics are easy to apply. If the Pr depends on per-
sonal information which is not available to nonadversaries
[27], the metrics are hard to evaluate without additional
tools being effective (legal transparency tools).
6. DATA MINIMIZATION TECHNOLOGIES
technologies that we think are most relevant from a prac-
tical and scientific point of view.
DC Network
David Chaum’s DC (Dining Cryptographer) network pro-
tocol [28] is an anonymous communication protocol,
which, even though it cannot be easily used in practice, is
still very interesting from a scientific perspective. It pro-
vides unconditional sender anonymity, recipient anonym-
ity, and unobservability, even if we assume a global
adversary who can observe all communication in the net-
work. Hence, it can guarantee the strongest anonymity
properties of all known anonymous communication proto-
cols. DC nets are based on binary superposed sending.
Before any message can be sent, each participant in the
network (user station) has to exchange via a secure chan-
nel a random bit stream with at least one other user sta-
tion. These random bit streams serve as secret keys and
are at least as long as the messages to be sent. For each
single sending step (round), every user station adds mod-
ulo 2 (superposes), all the key bits it shares and its mes-
sage bit, if there is one. Stations that do not wish to
transmit messages send zeros by outputting the sums of
their key bits (without any inversions). The sums are sent
over the net and added up modulo 2. The result, which is
broadcast to all user stations, is the sum of all sent mes-
sage bits because every key bit was added twice (see
Figure 43.1). If exactly one participant transmits a
sender a
message 01001000
keywith b + 10101010
keywith c + 11100011
transmission 00000001

broadcast
In this section, we will present the most relevant PETs for
minimizing data on both communication and application
sender b
levels. It is important to note that applications (such as
message 00000000
eCommerce applications) can only be designed and used
keywith a + 10101010
anonymously if their users cannot be identified on a com-
keywith c + 00111010
munication level (via their IP addresses). Hence anony-
transmission 10010000 + 01001000
mous communication is a prerequisite for achieving
anonymity, more generally or data minimization, on the
application level. sender c
message 00000000
keywith a + 11100011
Anonymous Communication
keywith b + 00111010
Already in 1981, David Chaum presented the Mix net transmission 11011001
protocol for anonymous communication, which has
become the fundamental concept for many practical anon-
FIGURE 43.1 A DC network with three users. Sender a sends a mes-
ymous communication technologies that have been sage, but from observing the communication in the network alone, the
broadly used for many years. In this section, we will pro- adversary cannot tell whether it was sent by a, b, or c (and not even if a
vide an overview to anonymous communication meaningful message was sent at all).
Chapter | 43 Privacy-Enhancing Technologies
message, the message is successfully broadcast as the
result of the global sum to each participant. Collisions
are easily detected (as the message sent by a user and the
one that is broadcast back to him will be different) and
have to be resolved, for example, by retransmitting the
message after a random number of rounds.
In theory, superposed sending provides, in the
information-theoretic sense, perfect (unconditional)
sender anonymity and unobservability, as the fact that
someone is sending a meaningful message (and not only
zeros) is hidden by a one-time pad encryption. From a
metrics perspective, all senders in the DC network form
the anonymity set. No user is more likely to be the
sender of the message than any other user for an outside
adversary. Perfect recipient anonymity can be achieved
by reliable broadcasting. However, the DC network and
the one-time pad share the same practical shortcomings
which have prevented them from being broadly used:
the security of DC networks depends on the perfect ran-
domness of keys and the secure distribution of keys.
Moreover, each key is to be used only once, and the
keys need to be perfectly unavailable to the adversary
(the adversary may not get hold of the keys before or
after the message has been sent).
Mix Nets
Mix nets [12] are more practical than DC networks, but
do not provide security against adversaries with unlimited
resources. Nevertheless, most anonymity networks
(Mixmaster, Tor, Onion Routing, and AN.ON) build on
the mix net concept. A mix is a relay or proxy server that
performs four steps to hide the relation between incoming
and outgoing messages (see Figure 43.2):
1. Duplicates (replayed messages) are discarded. Without
this functionality, an adversary could launch a replay
attack by sending two identical messages to be for-
warded as two identical output messages by the mix.
The adversary could thus link these messages and
therefore “bridge over” the mix.
2. All messages are (randomly) delayed (by temporarily
storing them in a buffer). Without this functionality (if
messages were immediately forwarded), the anonym-
ity set for one message would be reduced to one
sender (no anonymity at all).
mix
1 filterduplicates
1 2 3 4
2 delaymessages
3 recodemessages
f (x) x<y
4 reordermessages
FIGURE 43.2 Processing steps within a mix.
761
3. All messages are recoded. This is usually done by
cryptography. Without this functionality, the adversary
could link the input with the output messages by com-
paring the contents of the messages.
4. The sending sequence of delayed messages is deter-
mined independently of the receiving sequence.
Without the delay and reordering of messages, an
adversary could link the input to the output messages
by a time correlation attack (he could be sure that the
first message is the first message out).
5. Mixes can be used to achieve unlinkability of sender
and recipient, sender anonymity as well as recipient
anonymity. For achieving the latter two properties, dif-
ferent recoding functions are used. For providing
sender anonymity, asymmetric cryptography is used.
The mix user (or more precisely his machine) encrypts
the message m with the public key eR of the recipient
and achieves enceR ðmÞ. He then encrypts enceR ðmÞ
together with the address of the recipient and a nonce
with public key e1 of the mix and sends the resulting
message ence1 ðr1 ; AR ; enceR ðmÞÞ to the mix. Adding the
nonce is necessary to achieve nondeterministic encryp-
tion, which prevents an adversary from monitoring the
output message enceR ðmÞ and address AR of the recipi-
ent, and then simply encrypt both values with the
public key of the mix and compare it with the mes-
sages sent to the mix. Moreover, it prevents the mix
from discarding one of two messages when identical
contents are intended to be sent. The mix decrypts the
message with its private key, discards the nonce, and
sends enceR ðmÞ to the address AR of the recipient.
6. Using a single mix can only provide anonymity if it is
fully trustworthy and cannot be compromised. For
improving security, several mixes can be used in a
chain or a “cascade.” Let us assume that the sender
(or more precisely his machine) chooses a chain of n
mixes with addresses Ai and public keys ei , i 5 1. . .n.
The sender will first add layers of encryptions using
the public keys of the mixes in the path in reverse
order. Each layer includes the message to be forwarded
by the mix, the address to which the message should be
sent (next mix in the chain or the final recipient), plus a
nonce to be discarded. The resulting message
ence1 ðr1 ; A2 ; ence2 ð. . .encen ðrn ; AR ; enceR ðmÞÞ. . .ÞÞ is
sent to the first mix (with the address A1 ). Each mix
on the path decrypts the message with its privacy key
and thereby gets a nonce that is discarded as well as
an encrypted message and address to which it sends
this message. The last mix in the path finally sends
enceR ðmÞ to the recipient. Unlinkability of sender and
recipient can in principle also be provided in the pres-
ence of an adversary who monitors all communication
lines, as long as the crypto operations cannot be bro-
ken and one mix in the path is trustworthy, that is, one
762
ence1 (r1,A2,ence2 (r2,R,enceR (m)))
m S Mix A1
ence2 (r2,R,enceR (m))
m R Mix A2
enceR (m)
FIGURE 43.3 Sender anonymity with two mixes.
mix that is not controlled by the adversary.
Figure 43.3 illustrates how sender anonymity can be
achieved with a path consisting of two mixes.
For achieving recipient anonymity, symmetric cryp-
tography is used as arecoding function.5 The recipient
first chooses a sequence of n mixes with addresses Ai
and public keys ei , i 5 1. . .n, a sequence of m symmet-
ric encryption keys j 5 0. . .n, and a label LR and creates
an anonymous return address RS 5 ðk0 ; A1 ; R1 Þ, which
contains a symmetric key k0 , the address of the first
mix A1 in the chain, and another anonymous return
address R1 , which is calculated according to the follow-
ing scheme:
Rj 5 encei ðkj ; Aj11 ; Rj11 Þ forj 5 1. . .n, where An11 is
the address of the recipient and Rn11 5 LR .
The recipient makes the anonymous return address
available to the sender, who uses key k0 to encrypt his
message m. The encrypted message ENCk0 fmg is then
sent along with the return address R1 to the first mix A1 .
The first mix decrypts R1 5 ence1 ðk1 ; A2 ; R2 Þ, encrypts
ENCk0 fmg with the symmetric key k1 , and sends the
encrypted message ENCk1 fENCk0 fmgg along with R2 to
the next mix with the address A2 . This is repeated for all
mixes along the path. The last mix in the path finally for-
wards ENCkn f. . .ENCk1 fENCk0 fmgg. . .g and LR to the
recipient. The label LR of the return address indicates to
the recipient which sequence of symmetric keys he has to
use to decrypt the message.
The two schemes above provide either sender or recip-
ient anonymity. By combining both schemes, it is possi-
ble for two communication partners to communicate
anonymously in both directions. Suppose that Alice anon-
ymously sends a message including an anonymous return
address to a discussion forum. Bob can then anonymously
send his reply via a self-chosen sequence of mixes to the
first mix used in the anonymous return address. If Bob’s
message also contains an anonymous return address,
5. In the following, we will use capital letters and curly brackets for the
symmetric encryption function ENC.
PART | V Privacy and Access Management
Alice can reply as well in the same manner. Thus, Alice
and Bob can communicate without knowing each other’s
identities.
The mix net protocol was invented by Chaum in 1981
for high-latency communication, such as email communi-
cation. In the mid-1990s, when interactive Internet ser-
vices became broadly used, low-latency anonymous
communication protocols were developed. The most
broadly used low-latency protocols AN.ON and Onion
Routing/Tor, which are based on the mix net concept,
will be briefly presented in the next sections.
AN.ON
AN.ON [29] is an anonymity service that was developed
and operated since the late 1990s at the Technical
University of Dresden. Because it aims at providing a net-
work of mixes for low-latency traffic routing, symmetric
cryptography is replacing asymmetric cryptography where
possible (asymmetric cryptography is only used to
exchange symmetric session keys between mixes and
users). Moreover, low latency requires that message
delays are reduced, and in fact, AN.ON mixes implement
practically no message delay. The downside of reducing
delays is that the size of the message buffer in the mixes
and thus the anonymity set decrease. In order to increase
the size of anonymity sets, AN.ON provides standard
routes through the mix network, the so-called mix cas-
cades. A mix cascade typically contains a sequence of
two or three mixes, and every message sent to the cascade
runs through the mixes in the same order as any other
message sent to the same cascade. Predefined and
stable mix cascades have a number of advantages over
dynamic routing:
1. Mixes can be audited and certified with regard to their
performance, their geographical position, the legisla-
tion in which they operate, and the operator (the com-
pany or the governmental institution operating the mix
infrastructure).
2. Cascades can be designed to cross different nations,
different legislations, and different operators in order
to enjoy the protection of the most liberal regulation;
they can also be designed to provide a certain
performance.
3. Security measures focus on a small number of mixes
while the costs can be distributed to a large number of
users.
Disadvantages of implementing mix cascades include:
1. Each mix is a possible bottleneck and thus needs to
provide a stable and high-bandwidth installation, as
one mix going offline stops all cascades in which it
was involved.
Chapter | 43 Privacy-Enhancing Technologies 763

sender (linkisTLS-encrypted) OR (linkisTLS-encrypted) OR2 (unencrypted) website

Create c , enc x
1 OR (g 1)
1

y1 )
Created c1, g , H (k1 Legend
enc(·) – public-keyencryption
Relay c1, ENC {Ex ENC{·} – symmetric encryption
k1 tend, enc (gx2)} H(·) – one-way hash
OR2
Create c , enc x
c – channel (“circuit”) id
2 OR (g 2)
2 g,x,y – Diffie-Hellman: generator,
y2 ) exponents
Created c2, g , H (k2
y
tend, g 2, H (k2)}
Relay c1, ENCk1 {Ex

Relay c1, ENC {EN

k1 Ck {Begin 〈website〉
2 :80}}
Relay c2, ENC {Be
k 2
gin 〈website〉:80 }
(TCPhandshake)
Relay c2, ENCk2 {Connected}
nected}}
Relay c1, ENCk1{ENCk2{Con

Relay c1, ENC {ENC {Dat

k1 k 2
a, ”HTTP GET . . . ”}}
Relay c2, ENC {Data, ”HTT
k 2
P GET . . . ”}
”HTTPGET...”
(response)
onse)}
Relay c2, ENCk2 {Data, (resp
a, (response)}}
Relay c1, ENCk1 {ENCk2{Dat

FIGURE 43.4 The Tor key negotiation and a simple Web site request [31].

2. Setting up and operating mixes is expensive due to the
considerable organizational overhead for establishing
mix cascades and due to the high performance
requirements.
Onion Routing/Tor
Onion Routing [30] is a low-latency, mix-based routing
protocol developed in the 1990s at the Naval Research
Laboratory. It provides anonymous socket connections by
means of proxy servers. Onion Routing uses the mix net
concept of layers of public key encryption (the so-called
onion) to build up an anonymous bidirectional virtual cir-
cuit between communication partners. The initiator’s
proxy (for the service being requested) constructs a “for-
ward onion,” which encapsulates a series of routing nodes
(“mixes”) forming a path to the responder, and sends it
with a create command to the first node. Each layer of
the onion is encrypted with the public key of each node
on the path and contains symmetric crypto function/key
pairs as a payload. After sending the onion, the anony-
mous path is established and the initiator’s proxy sends
data through this anonymous connection. The symmetric
function/key pairs are applied by each node on the path to
crypt data that will be sent along the virtual circuit. All
information (onions, data, and network control) are sent
through the Onion Routing network in uniform-sized
cells. All cells arriving at an onion router within a fixed
time interval are mixed together to reduce correlation by
network insiders. Reply onions, which correspond to
untraceable return addresses, allow for a responder to
send back anonymously a reply after its original circuit is
broken.
Since individual routing nodes in each circuit only
know the identities of adjacent nodes, and since the nodes
further encrypt multiplexed virtual circuits, traffic analy-
sis is made difficult. However, if the first node behind the
initiator’s proxy and the last node of the circuit cooperate,
they will be able to determine the source and recipient of
communication through the number of cells sent over this
circuit or through the duration for which the virtual circuit
was used.
Tor [31], the second generation of Onion Routing, has
added several improvements. In particular, it provides for-
ward secrecy. Once the session keys are deleted they can-
not be obtained any longer. Even if all communication
has been wiretapped, the long-term secret keys of the
onion routers ("mixes") become compromised. Therefore,
instead of using hybrid encryption for distributing sym-
metric session keys, the Diffie-Hellman key negotiation
protocol is used, which provides forward secrecy. The
key negotiation and a simple communication via two
onion routers are outlined in Figure 43.4. The symmetric
session key shared by the user with the first onion router
764
OR1 is negotiated by means of a Diffie-Hellman hand-
shake. The first half of the handshake gx1 is encrypted
with the public key of OR1 (to prevent man-in-the-middle
attacks), and encOR1 ðgx1 Þ is then sent to OR1 . The onion
router replies with the second half of the handshake; that
is, gy1 and a hash over the negotiated session key
k1 5 gx1 y1 . Any further communication between the sender
and OR1 will be crypted with this negotiated symmetric
session key. In order to extend the path from the sender
over OR1 to a second onion router OR2 , the sender trans-
mits ENCk1 fOR2 ; encOR2 ðgx2 Þg to OR1 . The first onion
router decrypts the symmetric encryption and forwards
the encrypted first half of a new Diffie-Hellman hand-
shake encOR2 ðgx2 Þ to OR2 . The second onion router replies
with the second half of the handshake gy2 and the hash
over the session key k2 5 gx2 y2 . The reply
ENCk1 fgy2 ; hashðk2 Þg is forwarded by OR1 back to the
sender. Only the sender and OR1 are now in possession of
k1 and only the sender and OR2 are now in possession of
k2 . The communication between sender and OR2 can now
be crypted with k2 . Once a circuit has been established,
the symmetric encryption with the negotiated session
keys is applied by each node on the path to crypt data
that will be sent along the circuit. Advantages of Tor over
AN.ON are as follows:
1. Tor provides forward secrecy.
2. It is easy to set up new onion routers (“mixes”), which
are run by many volunteers all over the world.
3. There are lower performance requirements for each
“mix.”
4. Each mix is a possible bottleneck, however, in Tor,
“mixes” that do not perform can be excluded from the
dynamic routing.
Disadvantages include:
1. Anyone can set up “mixes” independent of their per-
formance, that is, bandwidth, latency, security.
2. There is no audit or certification, thus a lack of reli-
able data about legislation and operator.
3. Bridging the “mixes” and thus breaching anonymity
by controlling the entry node and the exit node is eas-
ier for adversaries, since they can easily set up their
own new nodes. In particular, an adversary can easily
try to attract user traffic by establishing a few well-
performing exit nodes and a lot of stable intermediate
mix nodes that eventually become entry nodes [32].
Data Minimization at Application Level
Even if the communication channel is anonymized, users
can still reveal personal and identifying data on the appli-
cation level; often users have to reveal more personal
data than needed. Hence, data minimization techniques
PART | V Privacy and Access Management
are also needed on the application level. Many such data
minimization techniques are based on cryptographic pro-
tocols (see also [33] for an overview). The classical types
of privacy-protecting cryptography that have already been
applied for decades are of course encryption schemes
themselves. However, there are a number of more recent
crypto schemes for protecting data and authenticating
information, which are variations or extensions of basic
crypto schemes they have “surprising properties” that in
many cases can offer better data minimization properties
[33]. In this chapter, some of the most relevant examples
of mainly cryptographic mechanisms for protecting pri-
vacy at application level will be given.
Blind Signatures and Anonymous eCash
Blind signatures are an extension of digital signatures and
provide privacy by allowing someone to obtain a signa-
ture from a signer on a document without the signer see-
ing the actual content of the “blinded” document he is
signing. Hence, if the signer is later presented with the
signed “unblinded” document, he cannot relate it with the
signing session and with the person on behalf of whom he
has signed the document. Blind signatures were invented
by David Chaum as a basic building block for anonymous
eCash (see below). They can also be used to achieve ano-
nymity of other applications, such as eVoting, and also
serve as a basic building block for other privacy crypto
protocols, such as anonymous credentials (see below).
David Chaum et al. have invented protocols based on
blind signatures [10,34,35], which allow electronic money
to flow perfectly tracelessly from the bank through con-
sumer and merchant before returning to the bank.
Chaum’s cryptographic “online” payment protocol based
on blind signatures can be summarized as follows (see
also Figure 43.5).
Let ðe; nÞ be the bank’s private key indicating a certain
value of a signature under this key (in this example: one
dollar) and ðd; nÞ the bank’s public key.6 f is a
suitable one-way function. Electronic money has the form
ðx; f ðxÞd ðmod nÞÞ, where the one-way function is needed
to prevent forgery of electronic money (see also [36] for
more explanations).
1. The customer Alice (his computer) first generates a bank
note number x (of at least 100 digits) at random and (in
essence) multiplies it with a blinding factor r, which he
has also chosen at random: B 5 r e Uf ðxÞ ðmod nÞ. He
then signs the blinded bank note number with his private
key and sends it to the bank.
2. The bank verifies and removes Alice’s signature.
Then, it signs the blinded note (and thereby creates
6. Using the RSA encryption scheme.
Chapter | 43 Privacy-Enhancing Technologies
the blinded signature) with its “worth one dollar” sig-
nature:
Bd ðmod nÞ 5 ðr e Uf ðxÞÞa ðmod nÞ 5 rUf ðxÞd ðmod nÞ.
The bank then withdraws one dollar from his account
and returns the note with the blind signature.
3. Alice divides out the blinding factor and thereby
d
extracts: C 5 Br ðmod nÞ 5 f ðxÞd ðmod nÞ from B. For
paying the online merchant Bob one dollar, Alice
sends him the pair ðx; f ðxÞd ðmodnÞÞ.
4. Bob verifies the bank’s signature and immediately
contacts the bank to verify that the note has not
already been spent.
5. The bank verifies its signature, checks the note against
a list of those notes already spent, and credits Bob’s
account by one dollar.
The blind signature scheme provides (unconditional)
anonymity of the electronic money: Even if the bank and
the merchant cooperate, they cannot determine who spent
the notes. Since the bank does not know the blinding factors,
it cannot correlate the note it was signing blindly for Alice
with the note that was spent. (However, Alice’s identity is
only protected if he also uses an anonymized communica-
tion channel and if he does not personally reveal identifying
information, such as a personal delivery address).
In addition to the online eCash protocol version,
where the bank needs to be constantly online for checking
whether notes have already been spent, in [28] a protocol
for offline electronic money is presented by Chaum et al.
With the offline protocol, a user remains unconditionally
anonymous as long as he spends each bank note only
765
FIGURE 43.5 The flow of eCash’s untraceable
electronic money [35].
once. If, however, a note is spent twice, the bank will get
enough information to identify the spender’s account.
Disappointingly, there has been a lack of adoption of
anonymous eCash (attempts of commercial deployment
of Chaum’s schemes failed in the late 1990s), and today,
there are still no widely deployed anonymous electronic
payment services.
Zero-Knowledge Proofs
A zero-knowledge proof is defined as an interactive proof
in which a prover can prove to a verifier that a statement
is true without revealing anything else than the veracity
of the statement. Zero-knowledge proofs were first pre-
sented in 1985 by Goldwasser et al. [37]. A zero-
knowledge proof must fulfill the following three
properties:
G Completeness: If the statement is true, the honest veri-
fier will be convinced of this fact by an honest prover.
G Soundness: If the statement is false, no cheating
prover can convince the honest verifier that it is true,
except with some very small probability.
G Zero-knowledge: If the statement is true, no cheating
verifier learns anything other than this fact.
Zero-knowledge proofs are building blocks for data-
minimizing technologies, such as anonymous credential
systems. The anonymous credential protocol IdeMix is,
for example, based on proofs of knowledge, in which a
prover proves that he knows a secret value or that he is
766
able to solve some number theoretic problem, which
would contradict the assumption that the problem cannot
be solved by a polynomially bounded Turing machine.
Anonymous Credentials
A traditional credential (often also called certificate or attri-
bute certificate) is a set of personal attributes, such as birth
date, name or personal number, signed (and thereby certi-
fied) by the certifying party (the so-called issuer), and bound
to its owner by cryptographic means (by requiring the user’s
secret key to use the credential). In terms of privacy, the use
of (traditional or anonymous) credentials is better than the
direct request to the certifying party, as this prevents the cer-
tifying party from profiling the user. Traditional credentials
require, however, that all attributes are disclosed together if
the user wants to prove certain properties, so that the verifier
can check the issuer’s signature. This makes different uses
of the same credential linkable to each other. Moreover, the
verifier and issuer can link the different uses of the user’s
credential to the issuing of the credential.
Anonymous credentials (also called private certifi-
cates) were first introduced by Chaum [10] and later
enhanced by Brands [38] and by Camenisch and
Lysyanskaya [39] and have stronger privacy properties
than traditional credentials. Microsoft’s U-Prove technol-
ogy based on Brands’s protocols and IBM’s IdeMix tech-
nology based on the credential protocols by Camenisch
et al. are currently the practically most relevant anony-
mous credential technologies.
Anonymous credentials allow the user to essentially
“transform” the certificate into a new one that contains
only a subset of attributes of the original certificate (it
allows proving only a subset of its attributes to a verifier
(selective disclosure property)). Instead of revealing the
exact value of an attribute, anonymous credential systems
User Alice
2. Service request
3. Data request
4. (unlinkable) selective
disclosure
Age > 18
1. Issues
credentials
Advantages:
• Selective Disclosure
• Unlinkability of Transactions (Idemix)
• No Profiling by IdPs or Relying Parties
Issuer (Identity Provider - IdP)
PART | V Privacy and Access Management
also enable the user in the transformation to apply any
mathematical function to the (original) attribute value,
allowing him to prove only attribute properties without
revealing the attribute itself. Besides, with the IdeMix
protocol by Camenisch et al., the issuer’s signature is also
transformed in such a way that the signature in the new
certificate cannot be linked to the original signature of the
issuer [33]. Hence, different credential uses cannot be
linked by the verifier and/or issuer (unlinkability prop-
erty). Cryptographically speaking, with IdeMix, the user
is basically using a zero-knowledge proof to convince the
verifier of possessing a signature generated by the issuer
on a statement containing the subset of attributes.
Figure 43.6 provides a scenario illustrating how data
minimization can be achieved in an identity management
online transaction: First, user Alice obtains an anonymous
driving license credential issued by the Swedish Road
authority (the so-called identity provider), with personal
attributes typically stored in the license, including her
birth date. Later, she would like to purchase a video from
an online shop (the so-called relying party, which is also
the verifier in this scenario), which is only permitted for
adults. After sending a service request, the online shop
will answer her with a data request for a proof that she is
older than 18. Alice can now take advantage of the selec-
tive disclosure feature of the anonymous credential proto-
col to prove with her credential just the fact that she is
older than 18 without revealing her birth date or any other
attributes of her credential. If Alice later wants to pur-
chase another video that is only permitted for adults at
the same video online shop, she can use the same anony-
mous credential for a proof that she is over 18. If the
IdeMix protocol is used, the video shop is unable to rec-
ognize that the two proofs are based on the same creden-
tial. Hence, the two rental transactions cannot be linked
to the same person.
Verifier (Relying Party) FIGURE 43.6 Example for
achieving data minimization for
an online transaction by the use of
anonymous credentials.
Chapter | 43 Privacy-Enhancing Technologies
Private Information Retrieval
Private Information Retrieval (PIR) allows a user to
retrieve an item (record) from a database server without
revealing which item he is interested in; that is, the pri-
vacy of the item of interest is provided. A typical appli-
cation example is a patent database from which
inventors would like to retrieve information without
revealing their interests. A trivial approach would be to
simply download the entire database and to make a local
selection, which would, however, be too costly
bandwidth-wise. In [40], one of the first PIR solutions
was introduced, which requires the existence of t 1 1
noncooperating identical database servers (with n
records each). To each server, one n-bit query vector
(out of a set of t 1 1 query vectors) is sent via an
encrypted channel, where each bit represents one record
of the queried database: If the bit is one, then the record
is selected; otherwise not. The user creates t of the
query vectors randomly. The remaining t 1 1st vector is
calculated by XOR-ing (superposing) all random vectors
and flipping the bit representing the record of interest.
One of the query vectors is sent to each database. All
selected records are superposed (XOR-ed). The result is
exactly the requested database item. If each of the bits
in the t random query vectors is set to 1 with a probabil-
ity of 0.5, then an adversary who has access to at most t
of the requests or responses associated with the query
vectors will gain no information about the database item
that the user is retrieving.
A disadvantage of a multi-database solution is, how-
ever, that several identical databases must be obtained.
Especially updates are complex, as changes should
take place simultaneously. Besides information-theoretic
PIR schemes with database replication, several single-
database (computational) PIR schemes have been
subsequently developed and advanced (see, for instance,
[41,42] for surveys and references). Oblivious transfer
[42] is private information retrieval, where additionally
the user may not learn any item other than the one that he
requested.
7. TRANSPARENCY-ENHANCING TOOLS
As we elaborated above, transparency is a basic legal
principle. It is also an important social trust factor, as
trust in an application can be enhanced if procedures are
clear, transparen,t and reversible, so that users feel they
are in control [43]. Transparency-enhancing technologies
provide tools to the end users or their proxies acting on
behalf of the user’s interests (such as data protection com-
missioners), for making personal data processing more
transparent to them.
767
Classification
Transparency-enhancing tools (TETs) for privacy pur-
poses can be classified into the following categories (see
also [44]):
1. TETs that provide information about the intended data
collection and processing to the data subject, in order
to enhance the data subject’s privacy;
2. TETs that provide the data subject with an overview
of what personal data have been disclosed to which
data controller under which policies;
3. TETs that provide the data subject, or his proxy,
online access to his personal data, to information on
how his data have been processed and whether this
was in line with privacy laws and/or negotiated poli-
cies, and/or to the logic of data processing in order to
enhance the data subject’s privacy;
4. TETs that provide “counter-profiling” capabilities to
the data subject, helping him to “guess” how his data
match relevant group profiles, which may affect his
future opportunities or risks;
TETs of the first and last categories are also called
ex-ante TETs, as they provide transparency of any
intended data processing to the data subjects before they
are releasing any personal data. TETs of the second and
third categories provide transparency in regard to the
processing of personal data, which the user has already
disclosed, and are therefore called ex-post TETs.
Ex-ante Transparency-Enhancing Tools
Examples of ex-ante TETs are privacy policy languages
tools and Human Computer Interaction (HCI) components
that make privacy policies of services sides more trans-
parent, such as the Platform for Privacy Preferences
(P3P) language [45] and P3P user agents, such as the pri-
vacy bird.7 P3P enables Web sites to express their privacy
policy (basically stating what data are requested by
whom, for what purposes, and how long the data will be
retained) in a standard (machine-readable XML) format
that can be retrieved automatically and interpreted easily
by user agents and matched with the user’s privacy pre-
ferences. Thus, P3P user agents enable users to be better
informed of a Web site’s data-handling practices (in both
machine- and human-readable formats).
Recently developed visualization techniques for dis-
playing P3P-based privacy policies are based on the meta-
phor of a “Nutrition Label,” assuming that people already
understand other nutrition, warning, and energy labeling,
which consequently can also allow users to find and
digest policy-related information with a proposed privacy
7. http://www.privacybird.org.
768
FIGURE 43.7 “Send Data?” PPL user interface [48].
label design more accurately and quickly (see [46]). A
more advanced policy language, the PrimeLife Policy
Language (PPL), was developed in the EU FP7 project
PrimeLife [47]. PPL is a language used to specify not only
the privacy policies of data controllers but also those of
third parties (so-called downstream controllers) to whom
data are further forwarded as well as privacy preferences
of users. It is based on two widespread industry standards,
XACML (eXtensible Access Control Markup Language)
and SAML (Security Assertion Markup Language). The
data controller and downstream data controller have poli-
cies basically specifying which data are requested from the
user and for which purposes and obligations (e.g., under
the obligation that the data will be deleted after a certain
time period). PPL allows specifying both uncertified data
requests and certified data requests based on proofs of the
possession of (anonymous IdeMix or traditional X.509)
credentials that fulfill certain properties. The user’s prefer-
ences allow expressing for each data item to which data
controllers and downstream data controllers the data can
be released and how the user expects his data to be treated.
The PPL engine conducts an automated matching of the
data controller’s policy and the user’s preferences. The
result can be a mutual agreement concerning the usage of
data in the form of a so-called sticky policy, which should
be enforced by the access control systems at the backend
PART | V Privacy and Access Management
sides and which will “travel” with the data transferred to
downstream controllers.
As PPL has many features that P3P does not provide
(downstream data controllers, credential selection for cer-
tified data, and obligations), the design of usable PPL
user interfaces provides many challenges. The “Send
Data?” user interfaces for letting the PPL engine interact
with the user for displaying the result of policy matches,
identity/credential selection and for obtaining informed
consent to disclose selected certified and uncertified data
items were developed and presented [48]. Figure 43.7
depicts an example PPL “Send Data?” dialogue.
The PPL user interfaces follow the Art. 29 Data
Protection Working Party recommendation of providing
policy information in a multilayered format [49] for mak-
ing policies more understandable and usable. According
to this recommendation, a short privacy notice on the top
layer offers individuals the core information required
under Art. 10 EU Directive 95/46/EC, including at least
the identity of the service provider and the purpose of
data processing. In addition, a clear indication (in the
form of URLs—in our example the “privacy policy”
URLs of the two data controllers) must be given as to
how the individuals can access the other layers presenting
the additional information required by Art. 10 and
national privacy laws.
Chapter | 43 Privacy-Enhancing Technologies
Ex-Post Transparency-Enhancing Tools8
An important transparency-enhancing tool that falls into
categories 2 and 3 of our classification is the data track
that has been developed in the PRIME9 and PrimeLife10
projects [51]. The data track is a user side transparency
tool, which includes both a history function and online
access functions. The history function keeps for each
transaction, in which a user discloses personal data to a
communication partner, a record for the user on which
personal data are disclosed to whom (the identity of the
controller), for which purposes, which credentials and/or
pseudonyms have been used in this context, as well as the
details of the negotiated or given privacy policy. These
transaction records are either stored at the user side or
centrally (in the Cloud—see [52]) in a secure and
privacy-friendly manner. User-friendly search functionali-
ties, which allow the user to easily get an overview about
who has received what data about him or her, are also
included. The Online access functions allow end users to
exercise their rights to access their data at the remote ser-
vices sides online. In this way, they can compare what
data they have disclosed to a services side with what data
are still stored by the services side. This allows them to
check whether data have been changed, processed, or
deleted (in accordance with data retention periods of the
negotiated or given privacy policy). Online access is
granted to a user if he can provide a unique transaction
ID (currently implemented as a 16-byte random number),
which is shared between the user (stored in his data track)
and the services side for each transaction of personal data
disclosure. This in principle also allows anonymous or
pseudonymous users to access their data.
While the data track is still in the research prototype
stage, the Google Dashboard is already available in prac-
tice and grants its users access to a summary of the data
stored with a Google account, including account data and
the users’ search query history, which are, however, only
a part of the personal data that Google processes. It does
not provide any insight into how these data provided by
the users (the users’ search queries) have subsequently
been processed by Google. Besides, access is provided
only to authenticated Google users.
Further examples of transparency tools that allow
users to view and control how their personal data have
been processed and to check whether this is in compli-
ance with a negotiated or given privacy policy are based
8. This section corresponds to most parts of Section 2.4.2 that the lead-
ing author has contributed to ENISA’s study on “Privacy, Accountability
and Trust—Challenges and Opportunities,” published in 2011 [50].
9. EU FP6 project PRIME (Privacy and Identity Management for
Europe), www.prime-project.eu.
10. EU FP7 project PrimeLife (Privacy and Identity Management for
Life), www.primelife.eu.
769
on secure logging systems that usually extend the Kelsey-
Schneier log [53] and protect the integrity and the confi-
dentiality of the log data. Such a secure logging system
and an automated privacy audit facility are key compo-
nents of a privacy evidence approach proposed by [54].
This privacy evidence system allows a user to inspect all
log entries that are recording actions of that user with a
special view tool and permits sending the log view cre-
ated by that tool to the automated privacy audit compo-
nent, which compares the log view with the privacy
policy and to construct privacy evidence. This privacy
evidence indicates to the user whether the privacy policy
has been violated.
The unlinkability of log entries, which means that
they should not be stored in the sequence of their crea-
tion, is needed to prevent an adversary from correlating
the log with other information sources, such as other
external logs, which could allow him to identify data sub-
jects to whom the entries refer (cf. [55]). Also, anony-
mous access is needed to prevent an adversary from
observing who views which log entries and in this way
conclude to whom the log entries refer. Wouters et al.
[56] have presented such a secure and privacy-friendly
Logging for eGovernment Services. However, it
addresses the unlinkability of logs between logging sys-
tems in eGovernment rather than the unlinkability of log
entries within a log. Moreover, it does not address insider
attacks, nor does it allow anonymous access to log
entries.
Within the PrimeLife project, a secure logging system
has been developed, which addresses these aspects of the
unlinkability of log entries and anonymous user access. In
particular, it fulfills the following requirements (see [55]):
G Only the data subject can decrypt log entries after
they have been committed to the log.
G A user can check the integrity of his log entries. A ser-
vice provider can check the integrity of the whole log
file.
G It is not possible for an attacker to secretly modify log
entries, which have been committed to the log before
the attacker took over the system (forward integrity).
G It is practically impossible to link log entries, which
refer to the same user.
G For efficiency reasons, it should be possible for a data
subject to read his log entries without the need to
download and/or fully traverse the whole log database.
The need and requirements of tools that can anticipate
profiles (category 4 of our definition above) have been
analyzed within studies of the FIDIS project (see, for
instance, [57]). To the best of our knowledge, no practical
transparency-enhancing tools fulfill the requirements. In
academia, promising approaches [58,59] have been for-
mulated and are the subject of research.
770 PART | V Privacy and Access Management

8. SUMMARY and not excessive (Art. 6 I (c) EU Directive 95/

46/EC).
This chapter has provided an introduction to the area of 5. True or False? Transparency of data processing means
privacy-enhancing technologies. We presented the legal informing a data subject about the purposes and cir-
foundation of PETs and provided a classification of cumstances of data processing, identifying who is
PETs, as well as a selection of some of the most rele- requesting personal data, how the personal data flow,
vant PETs. Following the Privacy by Design paradigm where and how long the data are stored, and what type
for effectively protecting privacy, privacy protection of rights and controls the data subject has in regard to
should be incorporated into the overall system design (it his personal data.
should be embedded throughout the entire system life
cycle).
While technical PET solutions to many practical pri-
vacy issues have existed for many years, these solutions Multiple Choice
have not been widely adopted by either industry or users. 1. What needs to install appropriate technical and organi-
The main factors contributing to this problem are low zational security mechanisms to guarantee the confi-
demand by industry, which, rather, is under competitive dentiality, integrity, and availability of personal data
business pressure to exploit and monetize user data, and (Art. 17 EU Directive 95/46/EC)?
low user awareness in combination with a lack of easily A. Privacy-enhancing technology
usable, efficient PET implementations (see also [60]). B. Location technology
While this chapter is part of a technical computer security C. Web-based
handbook and has therefore focused on the technical (and D. Technical improvement
partly legal) aspects of PETs, clearly the economic, E. Data controller
social, and usability aspects of PETs also need further 2. What can be defined as technologies that are enforcing
attention in the future. legal privacy principles in order to protect and
Finally, let’s move on to the real interactive part of enhance the privacy of users of information technol-
this chapter: review questions/exercises, hands-on pro- ogy (IT) and/or data subjects?
jects, case projects, and optional team case project. The A. Information technology
answers and/or solutions by chapter can be found in the B. Location technology
Online Instructor’s Solutions Manual. C. Web-based
D. Privacy-enhancing technologies
E. Web technology
CHAPTER REVIEW QUESTIONS/EXERCISES 3. What as an abstract strategy describes the avoidance
of unnecessary or unwanted data disclosures?
True/False A. Data minimization
1. True or False? Data protection concerns the protection B. XACML
of personal data in order to guarantee privacy and is C. XML-based language
only a part of the concept of privacy. D. Certification authority
2. True or False? Personal data processing has to be E. Security
legitimate, which according to Art. 7 EU Directive 95/ 4. What aim quantifies the effectiveness of schemes or
46/EC is usually the case if the data subject11 has technologies with regard to the privacy goals defined
given his ambiguous (and informed) consent, if there in the previous section?
is a legal obligation, or if there is contractual agree- A. Privacy metrics
ment (cf. the Collection Limitation Principle of the B. Languages
OECD Guidelines). C. Privacy-Aware Access Control
3. True or False? Personal data must be collected for D. Privacy preferences
specified, explicit, and legitimate purposes and E. Taps
may be further processed in a way incompatible 5. What is a prerequisite for achieving anonymity, more
with these purposes (Art. 6 I b EU Directive 95/ generally, or data minimization, on an application
46/EC). level?
4. True or False? The processing of personal data must A. Release policies
not be limited to data that are adequate, relevant B. Anonymous communication
C. Data-handling policies
D. Intellectual property
11. A data subject is a person about whom personal data is processed. E. Social engineering
Chapter | 43 Privacy-Enhancing Technologies
EXERCISE
Problem
Why now? Why is the National Strategy for Trusted IDs
in Cyberspace needed?
Hands-On Projects
Project
Won’t having a single password and credential be less
secure and private than having many usernames and
passwords?
Case Projects
Problem
Who will make sure that companies follow the rules?
Optional Team Case Project
Problem
Will new laws be needed to create the Identity
Ecosystem?
REFERENCES
[1] OECD, Guidelines on the Protection of Privacy and Transborder
Flows of Personal Data, September 1980.
[2] S.D. Brandeis, L.D. Warren, The right to privacy, Harv. Law Rev.
5 (1890) 193
220.
[3] A. Westin, Privacy and Freedom, Atheneum, New York, 1967.
[4] G. Hogben, Annex A, i PRIME project deliverable D14.0a

PRIME Framework V0, June 2004.
[5] Global Internet Liberty Campaign, PRIVACY AND HUMAN
RIGHTS—An International Survey of Privacy Laws and Practice,
[Online]. Available: ,http://gilc.org/privacy/survey..
[6] R. Rosenberg, The Social Impact of Computers, Academic Press,
1992.
[7] European union, directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995 on the protection of indivi-
duals with regard to the processing of personal data and on the
free movement of such data, Off. J. L 281 (1995).
[8] Proposal for a REGULATION OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL on the protection of
individuals with regard to the processing of personal data and on
the free movement of such data (General Data Protection
Regulation), COM(2012) 11 final, 2012/00, January 25, 2012.
[Online]. Available: ,http://ec.europa.eu/justice/data-protection/
document/review2012/com_2012_11_en.pdf..
[9] S. Fischer-Hübner, Anonymity, Encyclopedia of Database
Systems, Springer, Heidelberg, 2009, pp. 90
91.
[10] D. Chaum, Security without identification: card computers to
make big brother obsolete, Informatik Spektrum 10 (1987)
262
277.
771
[11] D. Chaum, The dining cryptographers problem: unconditional
sender and recipient untraceability, J. Cryptol. 1 (1) (January
1988) 65
75.
[12] D. Chaum, Untraceable electronic mail, return addresses, and dig-
ital pseudonyms, Commun. ACM 24 (2) (February 1981) 84
88.
[13] Registratiekamer & Information and Privacy Commissioner of
Ontairo, Privacy-Enhancing Technologies: The Path to
Anonymity, Achtergrondstudies en Verkenningen 5B, vol. I & II,
Rijswijk, August 1995.
[14] A. Pfitzmann och M. Hansen, Anonymity, Unlinkability,
Undetectability, Unobservability, Pseudonymity, and Identity
Management—A Consolidated Proposal for Terminology
(2010). [Online]. Available: ,http://dud.inf.tu-dresden.de/Anon_
Terminology.shtml..
[15] S. Steinbrecher, S. Köpsell, Modelling unlinkability, in:
Workshop on Privacy Enhancing Technologies, 2003.
[16] Common Criteria for Information Technology Security Evaluation,
Version 3.1, Part 2: Security Functional Requirements, Common
Criteria Project (September 2006). [Online]. Available: ,www.
commoncriteriaportal.org..
[17] L. Sweeney, k-Anonymity: a model for protecting privacy, Int. J.
Uncertain. Fuzz. Knowl. Based Syst. 10 (5) (2002) 571
588.
[18] M. Gruteser, D. Grunwald, Anonymous usage of location-based
services through spatial and temporal cloaking, Proceedings of the
1st International Conference on Mobile Systems, Applications and
Services (MobiSys), 2003.
[19] W. Wang, M. Motani, V. Srinivasan, Dependent link padding
algorithms for low latency anonymity systems, Proceedings of the
15th ACM Conference on Computer and Communications
Security (CCS), 2008.
[20] M. Srivatsa, A. Iyengar, L. Liu, Privacy in VoIP networks: a
k-anonymity approach, Proceedings of the IEEE INFOCOM
2009, 2009.
[21] A. Narayanan, V. Shmatikov, Robust de-anonymization of large
sparse datasets, Proceedings of the IEEE 29th Symposium on
Security and Privacy, Oakland, CA, USA, 2008.
[22] A. Machanavajjhala, D. Kifer, J. Gehrke, M. Ventikasubramaniam,
l-Diversity: privacy beyond k-anonymity, ACM Trans. Knowl.
Discov. Data 1 (2007).
[23] N. Li, T. Li, S. Venkatasubramanian, t-Closeness: privacy beyond
k-Anonymity and l-Diversity, Proceedings of the IEEE 23rd
International Conference on Data Engineering, 2007.
[24] C.E. Shannon, A mathematical theory of communications, Bell
Syst. Tech. J. 27 (1948) 379
423623
656
[25] C. Diaz, S. Seys, J. Claessens, B. Preneel, Towards measuring
anonymity, Workshop on Privacy Enhancing Technologies, 2002.
[26] A. Serjantov, G. Danezis, Towards an information theoretic metric
for anonymity, Workshop on Privacy Enhancing Technologies,
2002.
[27] S. Clauss, A framework for quantification of linkability within a
privacy-enhancing identity management system, Emerg. Trends
Inf. Commun. Secur. (ETRICS) (2006).
[28] D. Chaum, The dining cryptographers problem: unconditional
sender and recipient untraceabilit, J. Cryptol. 1 (1) (January 1988)
65
75.
[29] [Online]. ,http://anon.inf.tu-dresden.de., [Använd August 29,
2012].
[30] D.M. Goldschlag, M.G. Reed, P.F. Syverson, Hiding routing
information, Inf. Hiding (1996).
772
[31] R. Dingledine, N. Mathewson, P. Syverson, Tor: The Second-
Generation Onion Router, Naval Research Lab, Washington, DC,
2004.
[32] R. Böhme, G. Danezis, C. Dı́az, S. Köpsell, A. Pfitzmann, On the
PET Workshop Panel “Mix Cascades Versus Peer-to-Peer: Is One
Concept Superior?”, Workshop on Privacy-Enhancing
Technologies (PET) 2004, 2005.
[33] Jan Camenish, Maria Dubovitskaya, Markulf Kohlweiss, Jorn
Lapon, Gregory Neven, Cryptographic mechanisms for privacy,
Privacy and Identity Management for Life, Springer,
Heidelberg, 2011, pp. 117
134.
[34] D. Chaum, A. Fiat, M. Naor, Untraceable Electronic Cash, Adv.
Cryptol. Crypto’88 (1988).
[35] D. Chaum, Achieving electronic privacy, Sci. Am. (1992)
76
81.
[36] S. Fischer-Hübner, LNCS IT-Security and Privacy—Design and
Use of Privacy-Enhancing Security Mechanisms, Springer,
Heidelberg, 2001.
[37] S. Goldwasser, S. Micali, C. Rackoff, The knowledge complexity
of interactive proof systems, Proceedings of the 17th ACM
Symposium on Theory of Computing, 1985, pp. 291
304.
[38] S. Brands, Rethinking Public Key Infrastructure and Digital
Certificates—Building in Privacy, PhD thesis. Eindhoven.
Institute of Technology, 1999.
[39] J. Camenisch, A. Lysyanskaya, Efficient non-transferable anony-
mous multi-show credential system with optional anonymity revo-
cation, Adv. Cryptol. Eurocrypt 2045 (2001) 93
118.
[40] D. Cooper, K. Birman, Preserving privacy in a network of mobile
computers, Proceedings of the 1995 IEEE Symposium on Security
and Privacy, Oakland, May 1995.
[41] R. Ostrovsky, W. Skeith, A Survey of Single-Database Private
Information Retrieval: Techniques and Applications, Public Key
Cryptography
PKC 2007, Springer, 2007.
[42] H. Lipmaa, Oblivious Transfer or Private Information Retrieval,
[Online]. Available: ,http://www.cs.ut.ee/Blipmaa/crypto/link/
protocols/oblivious.php..
[43] R. Leenes, M. Lips, R. Poels, M. Hoogwout, User aspects of
Privacy and Identity Management in Online Environments:
Towards a theoretical model of social factors, PRIME Framework
V1 (Chapter 9) project Deliverable, 2005.
[44] H. Hedbom, A survey on transparency tools for privacy purposes,
Proceedings of the 4th FIDIS/IFIP Summer School, published by
Springer, 2009, Brno, September 2008.
[45] W3C, P3P—The Platform for Privacy Preferences 1.1 (P3P1.1)
Specification, 2006. [Online]. Available: ,http://www.w3.org/
P3P/..
[46] P. Kelley, L. Cesca, J. Bresee, L. Cranor, Standardizing privacy
notices: an online study of the nutrition label approach,
Proceedings of the 28th International Conference on Human
Factors in Computing Systems ACM, 2010, p. 1573.
PART | V Privacy and Access Management
[47] PrimeLife, Privacy and Identity Management in Europe for Life-
Policy Languages, [Online]. Available: ,http://primelife.ercim.
eu/results/primer/133-policy-languages..
[48] J. Angulo, S. Fischer-Hübner, E. Wästlund, T. Pulls, Towards
usable privacy policy display & management for primelife, Inf.
Manag. Comput. Secur. (Emerald) 20 (1) (2012) 4
17.
[49] Opinion on More Harmonised Information provisions. 11987/04/
EN WP 100, Chapter 29 Data Protection Working Party,
November 25, 2004. [Online]. Available: ,http://ec.europa.eu/
justice_home/fsj/privacy/docs/wpdocs/2004/wp100_en.pdf..
[50] ENISA, Privacy, Accountability and Trust—Challenges and
Opportunities, 2011. [Online]. Available: ,http://www.enisa.
europa.eu/activities/identity-and-trust/privacy-and-trust/library/
deliverables/pat-study..
[51] E. Wästlund, S. Fischer-Hübner, End User Transparency Tools:
UI Prototypes, PrimeLife Deliverable D4.2.2. ,www.primelife.
eu., June 2010.
[52] T. Pulls, Privacy-Friendly Cloud Storage for the Data Track: An
Educational Transparency Tool, NordSec—17th Nordic
Conference on Secure IT Systems will be held at Blekinge
Institute of Technology, Karlskrona, October 2012.
[53] B. Schneier, J. Kelsey, Cryptographic Support for Secure Logs on
Untrusted Machines, The Seventh USENIX Security Symposium
Proceedings, USENIX Press, 1998, pp. 53
62.
[54] S. Sackmann, J.A.R. Strüker, Personalization in privacy-aware
highly dynamic systems, Commun. ACM 49 (9) (September 2006).
[55] H. Hedbom, T. Pulls, P. Hjärtquist, A. Lavén, Adding Secure
Transparency Logging to the PRIME Core, i 5th IFIP WG 9.2,9.6/
11.7,11.4,11.6 / PrimeLife International Summer School, revised
selected papers, published by Springer in 2010, Nice, France, 2009.
[56] K. Wouters, K. Simoens, D. Lathouwers, B. Preneel, Secure and
Privacy-Friendly Logging for eGovernment Services, 3rd
International Conference on Availability, Reliability and Security
(ARES 2008), IEEE, 2008, pp. 1091
1096.
[57] M. Hildebrandt, Biometric Behavioral Profiling and Transparency
Enhancing Tools, FIDIS Deliverable D 7.12, ,www.fidis.net.,
2009.
[58] S. Berthold, R. Böhme, Valuating privacy with option pricing the-
ory, in: T. Moore, D.J. Pym, C. Ioannidis (Eds.), Economics of
Information Security and Privacy, Red. Springer, 2010,
pp. 187
209.
[59] S. Berthold, Towards a Formal Language for Privacy Options,
Privacy and Identity Management for Life, 6th IFIP WG 9.2,9.6/
11.7, 11.4, 11.6/PrimeLife International Summer School 2010,
Revised Selected Papers, 2011.
[60] S. Fischer-Hübner, C.J. Hoofnagle, I. Krontiris, K. Rannenberg,
M. Waidner, Online privacy: towards informational self-
determination on the internet (Dagstuhl Perspectives Workshop
11061), Dagstuhl Manifestos 1 (1) (2011) 1
20.