Departamento de Ciências e Tecnologias da Informação

MESTRADO EM ENGENHARIA DE TELECOMUNICAÇÕES E INFORMÁTICA

PROPOSTA DE DISSERTAÇÃO
Número da Proposta​ ​(a preencher pelos serviços)​:
Título: An Decentralized Architecture for dealing with sensitive data by applying privacy-by-design

Nome do orientador: XXXXX

Nome do co-orientador:
Acompanhante de empresa
Nome: Penguin Formula Unipessoal
Email: info@penguinformula.com Telefone: (+351) 213471301
Nome e morada da empresa: Avenida da Liberdade, 230, 1st & 5th floor 1250-148 Lisbon
Enquadramento (​ tema, área científica, projecto, etc.; limitar a descrição a 1000 caracteres)
In the last decade, there has been more and more focus on the topic of information privacy, especially
considering the ever increasing digital transformations that both businesses and the society are
experiencing. As a right of individuals to “control when, how and to what extent information about them
is communicated to others”, privacy has become an important expectation of users. A recent study in the
EU showed that more than 70% of the citizens are not willing to sacrifice their privacy in exchange for a
service. The paradigm of Privacy-by-Design (PbD) has become more important nowadays, which has also
become a regulatory requirement by the EU General Data Protection Regulation (GDPR), which came into
force in May 2018. PbD as a paradigm defines principles promoting the integration of privacy goals
already during the design of an ICT system. However, translating those principles into engineering
requirements is seen as a challenge.

Fig. 1: A simplified structure that is GDPR compliant.

Blockchain technology is a revolutionary way of executing business processes in a decentralised
architecture. In centralised applications, the basic operations of persistent storage are often described as
CRUD, which stands for ​Create-Read-Update-Delete.​ Operations on Blockchain can be described as CRAB,
which stands for ​Create-Retrieve-Append-Burn.​ [1] The focus of this study is to analyze the difference
between sensitive and personal data security responsibilities practices when to build centralized and
decentralized applications. Understand how privacy technologies can be used to reduce privacy risks
when sensitive and personal data are used in distributed systems[2,3]

In this context, this project aims to apply PbD principles in the design of the architecture for a privacy-
enhanced cloud-based platform. This work consists on the investigation comparatively of existing
approaches for a real use case as like Igloo Project by Penguin Formula and SocialCoin. [4, 5] Therefore,
it aims to identify further improvement points and goes one step further by providing concrete
enhancements to the evaluated methods in terms of: i) productivity; ii) case of use; and iii) reliability. In
an effort to perform this systematically, we aim to evaluate the LINDDUN, STRIDE and PRIPARE methods
as privacy threat modelling frameworks to mitigate such threats[6, 7, 8]

References:
[1] Buocz, T., Ehrke-Rabel, T., Hödl, E., & Eisenberger, I. (2019). Bitcoin and the GDPR: Allocating
responsibility in distributed networks. Computer Law & Security Review, 35(2), 182-198.
[2] Fabiano, N. (2017, June). Internet of Things and blockchain: legal issues and privacy. The challenge for
a privacy standard. In 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green
Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom)
and IEEE Smart Data (SmartData) (pp. 727-734). IEEE.
[3] Russo, B., Valle, L., Bonzagni, G., Locatello, D., Pancaldi, M., & Tosi, D. (2018). Cloud Computing and
the New EU General Data Protection Regulation. IEEE Cloud Computing, 5(6), 58-68.
​ an Dijk, N., Tanas, A., Rommetveit, K., & Raab, C. (2018). Right engineering? The redesign of privacy
[4] V
and personal data protection. International Review of Law, Computers & Technology, 32(2-3), 230-256.
[5] Mina Deng, Kim Wuyts, Riccardo Scandariato, Bart Preneel, and Wouter Joosen. 2011. A privacy
threat analysis framework: supporting the elicitation and fulfillment of privacy requirements.
Requirements Engineering 16, 1 (2011), 3–32.
[6] Khan, R., McLaughlin, K., Laverty, D., & Sezer, S. (2017, September). STRIDE-based threat modeling for
cyber-physical systems. In 2017 IEEE PES Innovative Smart Grid Technologies Conference Europe
(ISGT-Europe) (pp. 1-6). IEEE.
[7] Notario, N., Crespo, A., Martín, Y. S., Del Alamo, J. M., Le Métayer, D., Antignac, T., ... & Wright, D.
(2015, May). PRIPARE: integrating privacy best practices into a privacy engineering methodology. In 2015
IEEE Security and Privacy Workshops (pp. 151-158). IEEE.
[8] Kung, A., Kargl, F., Suppan, S., Cuellar, J., Pöhls, H. C., Kapovits, A., ... & Martin, Y. S. (2017). A privacy
engineering framework for the internet of things. In Data Protection and Privacy:(In) visibilities and
Infrastructures (pp. 163-202). Springer, Cham.

Objectivos ​(limitar a descrição a 800 caracteres)

The main contributions of this project are to 1) apply PbD principles in the design of a privacy-enhanced
cloud-based HR and SocialCoin platform and 2) present a personal data management system that
combines blockchain (considered as an access control moderator) and off-blockchain storage solution.
Proper analysis allows you to assess risks and prevent misuse of personal data in ​different ​technological
contexts, central and distributed systems.
The most specific objectives consists on the research of existing approaches to identify security branches
and threats in a real scenario (Igloo and SocialCoin). Besides being involved in the design of the
architecture, it is intended to perform an assessment of the privacy risks and data protection of the
architecture before its implementation, identifying privacy threats and defining mechanisms to mitigate
those very same threats.

Descrição das actividades a desenvolver ​(limitar a descrição a 1000 caracteres):​

The activities to be developed are in line with the objectives mentioned above,
● Compliance of credits related to the disciplines of the Master course;
● Survey of bibliographic material related to the privacy methods;
● To evaluate comparatively the different privacy methodologies for the systems under study.
● Verify some issues with potential consequences for data security and liability in both contexts.
● To establish a systematic and comparative study of privacy methods in the main topics on Big
Data and the blockchain.
● Implemented systems to report analysis for use cases;
● Perform the writing of the dissertation;
● Measurement, validation and evaluation of results;
● Analysis of results and comparison of models / algorithms;
● Elaboration of at least one scientific text;
● Preparation of the thesis;
● Presentation;

Requisitos ​(e.g. média, disciplinas concluídas):​ ​It is intended that the student has good knowledge of
programming, log audits, inspection of source codes, information security. It is also appreciated that the
student has some GDPR concepts, as well as the desire to learn and compose .

Resultado esperado ​(protótipo, algoritmo, software, demonstração, …):​ ​As a final result of this work, it is
expected that the student can develop a software algorithm for detection, vulnerability assessment and
the accomplishment of a set of tests that allows to evaluate the same.

URL da descrição detalhada da dissertação ​(opcional):​

Local da realização da dissertação: ​ISCTE-IUL/ISTAR
Observações: