Privacy in Identity and Access Management Systems

Andreas Pashalidis (Katholieke Universiteit Leuven, Belgium) and Chris J. Mitchell (Royal Holloway, University of London, UK)
DOI: 10.4018/978-1-61350-498-7.ch016

This chapter surveys the approaches for addressing privacy in open identity and access management systems that have been taken by a number of current systems. The chapter begins by listing important privacy requirements and discusses how three systems that are being incrementally deployed in the Internet, namely SAML 2.0, CardSpace, and eID, address these requirements. Subsequently, the findings of recent European research projects in the area of privacy for I&AM systems are discussed. Finally, the approach taken to address the identified privacy requirements by ongoing projects is described at a high level. The overall goal of this chapter is to provide the reader with an overview of the diversity of privacy issues and techniques in the context of I&AM.
Chapter Preview

Privacy Requirements for I&AM Systems

The need for user privacy in open I&AM systems arises from the need to reduce the risks of unnecessary or otherwise unwanted disclosure of personal information. In recent years, legislation in Europe, both at EU and at national levels, has become an important driver for the introduction of privacy and transparency enhancing techniques within I&AM systems. This is because many of these laws require businesses to follow the principles of data minimization, data protection, and, in some cases, data retention. The data minimization principle requires that personal data is not disclosed to a transacting partner unless that information is strictly needed in order to carry out the transaction. In order to establish such strict necessity, the purpose of disclosure must be specified for each data item to be disclosed. Data protection and retention require that users have access to, and can update, their personal information when it is stored at an organization, but also that organizations have to keep records in a way that facilitates effective investigation of past transactions. In this context, ‘personal data’ is any data that could potentially lead to the identification of an individual, even if this is only possible in combination with additional information.

The following more concrete requirements arise from the requirement to minimize the personal data that is transferred between parties. We say that a privacy-preserving I&AM system should enable its users to:

  • selectively disclose personal data to organizations and other users;

  • create multiple identities or pseudonyms;

  • attach different pieces of personal information to different identities;

  • review data disclosed in the past;

  • maintain different identities towards different organizations;

  • formulate ‘sticky’ policies that follow personal data and that govern under which conditions the data may be disclosed and used;

  • minimize the amount of trust users are required to place in third parties and infrastructural components in general; and

  • provide explicit consent for sharing personal information, and enable users to revoke previously given consent.
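
The requirements listed above can be made concrete with a small user-side agent; the following is an added example, not code from the chapter or from any of the systems it surveys. The `Wallet` class, its method names, the token layout, and all sample values are hypothetical, and enforcement of the attached policy by the receiving organization is assumed rather than shown.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Wallet:
    """Hypothetical user-side agent enforcing the requirements listed above."""
    master_key: bytes                              # secret held only by the user
    attributes: dict                               # all personal data the user holds
    consents: dict = field(default_factory=dict)   # (org, attribute) -> permitted purpose
    history: list = field(default_factory=list)    # past disclosures, kept for review

    def pseudonym(self, org: str) -> str:
        # One stable identifier per organization. Without master_key, two
        # organizations cannot correlate a user by comparing identifiers.
        return hmac.new(self.master_key, org.encode(), hashlib.sha256).hexdigest()[:16]

    def grant(self, org: str, attr: str, purpose: str) -> None:
        self.consents[(org, attr)] = purpose       # explicit, purpose-bound consent

    def revoke(self, org: str, attr: str) -> None:
        self.consents.pop((org, attr), None)

    def disclose(self, org: str, requested: list, purpose: str) -> dict:
        # Data minimization: release only attributes that were requested and
        # are covered by consent for this exact organization and purpose.
        released = {a: self.attributes[a] for a in requested
                    if a in self.attributes and self.consents.get((org, a)) == purpose}
        token = {"subject": self.pseudonym(org), "claims": released,
                 # 'sticky' policy: conditions that travel with the data
                 "policy": {"purpose": purpose, "onward_transfer": False}}
        self.history.append((org, purpose, sorted(released)))
        return token


def demo():
    # Constructed sample data; the organization names are placeholders.
    w = Wallet(b"constructed-demo-key",
               {"name": "Alice Example", "birth_year": 1990, "email": "alice@example.org"})
    w.grant("shop.example", "email", "order-confirmation")
    w.grant("bar.example", "birth_year", "age-check")
    t1 = w.disclose("shop.example", ["email", "name", "birth_year"], "order-confirmation")
    t2 = w.disclose("bar.example", ["birth_year", "email"], "age-check")
    w.revoke("shop.example", "email")              # consent withdrawn afterwards
    t3 = w.disclose("shop.example", ["email"], "order-confirmation")
    return t1, t2, t3, w.history
```

Pseudonyms of this kind only prevent correlation by identifier; if the same distinctive attribute value is released to two organizations, they can still link the user through it.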
