
A technical approach to privacy based on mobile agents protected by tamper-resistant hardware


Abstract

We address the problem of protecting the privacy of individuals in the information society. Our goal is to devise technical means that allow users to actively participate in the management and use of information related to them. The advent of the information society creates serious challenges for the privacy of individuals. Due to the drastically improving communication infrastructure, ever larger amounts of ever more precise information become available. The problem with the free availability of this information is not only the risk that the information can be abused by powerful institutions, but also that this can lead to an unconfined mutual surveillance of individuals, which can have adverse effects on society as a whole. We argue that individuals should be empowered to define for themselves the level of privacy they are comfortable with. This can be achieved by notifying them whenever information on them is created, accessed, or modified and by giving them some control over the use of this information. The notification informs individuals who is using what information on them and allows them to detect possible problems with this use. The control allows individuals to resolve most (or at least some) of these problems. Obviously this requires that the individuals can trust the users of information to properly implement these notifications and to offer an effective control. We analyze the concept of trust more closely and distinguish between the optimistic and the pessimistic approach to trust, which can both provide the foundation for the protection of privacy. The former is based on the classical concepts of control and sanctions, while the latter tries to prevent malicious behaviour. We choose to pursue the pessimistic approach and investigate technical means that can be used for this purpose. A promising technology is the mobile agent paradigm, which is a new approach to structuring distributed applications. Its main idea is to move both the code and the state of an object to another principal for remote execution. This indicates that the mobile agent paradigm also embraces the object-oriented programming paradigm, which allows us to encapsulate a data item and to specify an access control policy on it. Since the mobile agent is physically moved to a remote location that is under the control of a different principal, it needs to be protected from this principal, who is responsible for its execution. This problem constitutes the major difficulty in using the mobile agent paradigm for privacy protection and is explored in great detail. Based on the discussion in the relevant literature, we decide on an approach that relies on a trusted and tamper-resistant hardware device, which is developed on a conceptual level. The approach is further explored in the context of the mobile agent paradigm, where it allows us to realize more elaborate protection goals that may be desirable for the owner of the mobile agent. These are developed in the form of conducts, which group together the goal, the requirements, and a specification of the collaboration necessary to achieve this goal. Finally, we return to the original problem and describe how the presented technology can be used to improve the protection of privacy. This results in a rather complex framework, in which information on individuals cannot be used freely, but where this use is constrained by the level of privacy desired by the subject of the information. The major problem of this framework is the increased complexity that individuals have to deal with. This problem is addressed with an additional level of indirection that attempts to confine the complexity and to delegate it to trusted experts. We believe that this approach, despite its complexity, is a viable means to address the urgent problems of privacy protection, which do not lend themselves to simple solutions.

Bibliographic record

  • Author: Wilhelm Uwe Georg
  • Year: 1999
  • Original format: PDF
  • Language: eng
  • Added to database: 2022-08-31 15:50:45
