Machine-Readable Privacy Certificates for Services
Marco Anisetti, Claudio A. Ardagna, Michele Bezzi, Ernesto Damiani, Antonino Sabetta

TL;DR
This paper proposes a machine-readable privacy certification scheme that automates privacy assurance and service selection, reducing human effort and compliance risks in web services.
Contribution
It introduces a novel privacy certificate format and conceptual model for certifying privacy properties, demonstrated through a case study on unlinkability in banking services.
Findings
Privacy certificates can automatically verify privacy properties.
Certificates enable automated service matching based on privacy requirements.
The approach reduces manual effort in privacy assurance.
Abstract
Privacy-aware processing of personal data on the web of services requires managing a number of issues arising both from the technical and the legal domain. Several approaches have been proposed for matching privacy requirements (on the client's side) and privacy guarantees (on the service provider side). Still, the assurance of effective data protection (when possible) relies on substantial human effort and exposes organizations to significant (non-)compliance risks. In this paper we put forward the idea that a privacy certification scheme producing and managing machine-readable artifacts in the form of privacy certificates can play an important role towards the solution of this problem. Digital privacy certificates represent the reasons why a privacy property holds for a service and describe the privacy measures supporting it. Also, privacy certificates can be used to automatically…
