VICEROY: GDPR-/CCPA-compliant Enforcement of Verifiable Accountless Consumer Requests

by   Scott Jordan, et al.

Recent data protection regulations (such as GDPR and CCPA) grant consumers various rights, including the right to access, modify or delete any personal information collected about them (and retained) by a service provider. To exercise these rights, one must submit a verifiable consumer request proving that collected data indeed pertains to them. This action is relatively straightforward for consumers with active accounts with a service provider at the time of data collection, since they can use standard (e.g., password-based) means of authentication to validate their requests. However, a major conundrum arises from the need to support consumers without accounts to exercise their rights. To this end, some service providers began requiring these accountless consumers to reveal and prove their identities (e.g., using government-issued documents, utility bills or credit card numbers) as part of issuing a verifiable consumer request. While understandable as a short-term cure, this approach is, at the same time, cumbersome and expensive for service providers as well as very privacy-invasive for consumers. Consequently, there is a strong need to provide better means of authenticating requests from accountless consumers. To achieve this, we propose VICEROY, a privacy-preserving and scalable framework for producing proofs of data ownership, which can be used as a basis for verifiable consumer requests. Building upon existing web techniques and features (e.g., cookies), VICEROY allows accountless consumers to interact with service providers, and later prove – in a privacy-preserving manner – that they are the same person, with minimal requirements for both parties. We design and implement VICEROY with the emphasis on security/privacy, deployability and usability. We also thoroughly assess its practicality via extensive experiments.


page 1

page 2

page 3

page 4


Citadel: Self-Sovereign Identities on Dusk Network

The amount of sensitive information that service providers handle about ...

Streamlining personal data access requests: From obstructive procedures to automated web workflows

Transparency and data portability are two core principles of modern priv...

Towards Querying in Decentralized Environments with Privacy-Preserving Aggregation

The Web is a ubiquitous economic, educational, and collaborative space. ...

An Architecture to Support the Invocation of Personal Services in Web Interactions

This paper proposes an architecture to enable Web service providers to i...

On the Data Fight Between Cities and Mobility Providers

E-Scooters are changing transportation habits. In an attempt to oversee ...

Rethinking Quality of Experience for Metaverse Services: A Consumer-based Economics Perspective

The Metaverse is considered to be one prototype of the next-generation I...

FORT: Right-proving and Attribute-blinding Self-sovereign Authentication

Nowadays, there is a plethora of services that are provided and paid for...

Please sign up or login with your details

Forgot password? Click here to reset