Privacy has become a major concern for citizens and consumers in the emerging Information Society. From a scientific viewpoint, privacy protection can be seen as a facet of data security, since it is meant to protect the confidentiality of personal data (and meta-data). But as a matter of fact, other security techniques recommended, or even made mandatory by recent or future regulations are endangering the privacy of honest citizens: data exchange traceability, strong authentication, distributed collection and crossing of characterizing information, data mining, etc.

It is thus necessary to develop authorization schemes that would be efficient to protect personal information, including on remote sites that are not under direct user control, and means and mechanisms that would be able to give users confidence that they can enforce their sovereignty on how their personal information is used. In summary, to develop privacy-enhancing technologies that do not impede security, and security technologies that do not jeopardize personal liberty.

Concerning privacy-preserving authorization schemes, we propose to apply an approach that we developed previously for securing applications distributed on the Internet, i.e., the separation between access control decision and access control enforcement. For optimal efficiency, access control decision has to be made at a coarse-granularity level (e.g., the level of a global transaction) to take a decision on the semantics of the request, while enforcement must be done at a fine-grain level (e.g., at each data access) to prevent any malicious bypass.

We have also developed a new technique to anonymize personal data, in such a way that the person controls 1) the collection of the data and 2) the disanonymizing process, when necessary. This is an important problem, in particular for medical data, since such data are very sensitive, but also very useful for epidemiology and therapeutics researches, and even for a better monitoring of healtcare costs. The technique we developed uses a patient smartcard (similar to the French Vitale card) to generate an anonymous identifier that enables to link all data relative to a particular patient for a particular research project, even if they come form several independent sources (doctors, hospitals, …), while preventing any crossing with data collected for other projects. The patient consent is guaranteed by the use of his personal card, and this card is also necessary to re-identifiy the patient, e.g., when a new therapy can cure his specific case [Abou El Kalam et Deswarte 2005].

We have also addressed the problem of anonymous communications, which are necessary to guarantee user privacy in networks where metadata such as IP addresses can identify all the communications of a given user. The classical solution to this problem is to use anonymity relays (called MIXes), so that an observer cannot identify which user is communicating with whom, but only user-to-MIX and MIX-to-MIX communications. Such a solution induces transmission delays which are incompatible with new applications such as VoIP. By using various cryptographic techniques (DC-nets, ciphered padding, Private Information Retrieval), we have shown that it was possible to create a single relay that would be as trustworthy than as set of relays in the sense that it cannot obtain any information on the communications going through it. With such a relay, it is possible to reduce the communication latency to cope with VoIP requirements [Aguilar-Melchor et al. 2007, Aguilar-Melchor et Deswarte 2009].

A promising way to protect privacy is to enable individuals to manage different virtual identities for their relations with other parties, e.g., for different merchants, different services, etc. For each identity, the person can select the best characteristics, in particular life span (including single use identities) and authentication strength. This is preferable to “single-sign-on” solutions and to remote identity management services (e.g., Liberty Alliance), for which the user has no direct control.

Another important research axis is to separate identification and authorization: a person should be able to prove his rights and privileges by means of anonymous credentials, i.e., without having to declare his identity. Cryptographic solutions exist, but they need to be applied to real world problems. As an extreme example, we propose a “blank” national identity card, which would disclose no personal information on its owner, except by replying yes or no to a specific question (e.g., is the owner older than 18 years, is he a French citizen, etc.). Such an identity would be a contact-smartcard, with no personal information written on it (a blank plastic card, see Figure 1). The ownership would be proven by biometric authentication by the chip on the card [Deswarte et Gambs 2009].

Figure 1: A blank national identity card

Publications

[Deswarte et Gambs 2009] Yves Deswarte, Sébastien Gambs, “Towards a privacy-preserving national identity card”, Proceedings of the 4th International Workshop on Data Privacy Management (DPM’09), co-organisé avec ESORICS’09, Saint Malo (France), 24 septembre 2009, Springer, LNCS, pp.32-46. Une version étendue de cet article est disponible à http://hal.archives-ouvertes.fr/hal-00411838/fr/

[Aguilar-Melchor et Deswarte 2009] Carlos Aguilar-Melchor, Yves Deswarte, “Trustable Relays for Anonymous Communication”, Transactions on Data Privacy, Vol. 2, n°2, 2009, pp.101-130.
http://www.tdp.cat/issues/tdp.a016a09.pdf

[Aguilar-Melchor et al. 2007] Carlos Aguilar-Melchor, Yves Deswarte, Julien Igutchi-Cartigny, “Closed-Circuit Unobservable Voice Over IP”, 23^rd Annual Computer Security Applications Conference (ACSAC 2007), 10-14 décembre 2007, Miami Beach (FL, USA), IEEE CS Press, pp. 119-128.

[Abou El Kalam et Deswarte 2005] Anas Abou El Kalam, Yves Deswarte, “Privacy Requirements Implemented with a JavaCard”, Proc. 21st Annual Computer Security Applications Conference (ACSAC 2005), Tucson, (AZ, USA), 5-9 décembre 2005, IEEE CS Press, pp. 527-536.