This document discusses privacy-friendly and secure access control via mobile devices. It proposes a framework that minimizes personal data disclosure through anonymous credentials, local profiles controlled by the user, and micro-incentives. This allows for customization and prevents abuse while rewarding loyalty. The framework separates concerns for software developers, service providers, technology providers and users to facilitate integration in a privacy-friendly manner. Two example applications (inShopnito and avisPoll) are evaluated using this framework.

1. Privacy-friendlybut secureaccess control via mobile devices
Bart De Decker
KU Leuven, iMinds-DistriNetCelestijnenlaan 200A, 3001 Heverlee
e-mail:Bart (DOT) DeDecker (AT) cs (DOT) kuleuven (DOT) be
URL:mobcom.org

2. Overview
•Context: MobCom project
•Data minimization
•Objections
•Framework
•Evaluation
•Conclusion

3. Context

4. Context: Project goals
Privacy
Data minimization
Unlinkability
Assurance
Trustworthiness of data
Customization
Less personal data
Crime/abuse
Prevention / detection / punishment

5. Data minimization
•Minimize disclosure of personal data
•Avoid “traces”
–Difficult to erase
OfflineDigital/Online

6. Data minimization
•Authorized users Identified users
•Anonymous credentials
–“Prove” ownership
–Selective disclosure
–Unlinkable
•Examples:
–Idemix (IBM)
–U-Prove (MS)
Name
=
Birth date
= 1973/01/26
Subscription= 31/12/2014

7. Data minimization
Signed by XYZ
Birthdate before 27/11/1996
Subscription after 1/12/2014
User to mobileauthentication

8. Objections
•Customization?
•Abuse?
•Loyalty?

9. Objection I: Customization
•We need to know our customers
–Large profiles
•Protection
•Liabilities
–Data mining
–Monetizationof customer data

10. Solution I: Customization
•Local profiles
–Cover more
–User in control
–Avoid cold start
–If needed: Pseudonym

11. Objection II: Abuse
•Anonymity provokes abuse
–Abuse the infrastucture
–Money laundring
–...

12. Solution II: Anti-Abuse
•Prevention
•Pseudonymity
•Deanonymization

13. Objection III: Loyalty
•Reward recurrent behaviour ?

14. Solution III: uCentives
•= Micro-incentive
–Anonymous
–Bound to the user’s identity
–Redeem: Prove “ownership”
Value
Exp. date

15. Framework
•SW developers security/privacy experts
•Security/privacy often “afterthought”
•Framework
–Technology-agnostic
–Policy-driven
–[Context-aware]
–Separation of Concerns
•SW developer, Service provider, Technology provider, User

16. Framework

17. Evaluation
inShopnito
•Shopping assistant
avisPoll
•Anonymous but Verifiable, Internet Service POLL System

18. Invitation
•Hands-on session (PriMan Framework)
–When: Tue Dec 16, 13:30 –17:00
–Where: KU Leuven, Dept. Computer Science
–URL: mobcom.org/announcements/priman-workshop
•Closing workshop MobCom & SecureApps
–When: Wed Dec 17, 9:45 –17:30
–Where: Faculty Club, Leuven
–URL: mobcom.org/announcements/closing-workshop

19. Conclusion
•Mobile privacy-friendly AC is feasible
–Local profiles customization
–Combat Abuse
–Loyalty rewarded “anonymously”
•Framework allows for easy integration
–Separation of concerns
•Efficient

20. Q&A