
VICEROY: GDPR-/CCPA-compliant Enforcement of Verifiable Accountless Consumer Requests

05/14/2021
by Scott Jordan, et al.

Recent data protection regulations (such as GDPR and CCPA) grant consumers various rights, including the right to access, modify or delete any personal information collected about them (and retained) by a service provider. To exercise these rights, one must submit a verifiable consumer request proving that collected data indeed pertains to them. This action is relatively straightforward for consumers with active accounts with a service provider at the time of data collection, since they can use standard (e.g., password-based) means of authentication to validate their requests. However, a major conundrum arises from the need to support consumers without accounts to exercise their rights. To this end, some service providers began requiring these accountless consumers to reveal and prove their identities (e.g., using government-issued documents, utility bills or credit card numbers) as part of issuing a verifiable consumer request. While understandable as a short-term cure, this approach is, at the same time, cumbersome and expensive for service providers as well as very privacy-invasive for consumers. Consequently, there is a strong need to provide better means of authenticating requests from accountless consumers. To achieve this, we propose VICEROY, a privacy-preserving and scalable framework for producing proofs of data ownership, which can be used as a basis for verifiable consumer requests. Building upon existing web techniques and features (e.g., cookies), VICEROY allows accountless consumers to interact with service providers, and later prove – in a privacy-preserving manner – that they are the same person, with minimal requirements for both parties. We design and implement VICEROY with the emphasis on security/privacy, deployability and usability. We also thoroughly assess its practicality via extensive experiments.
