Log In Sign Up

VICEROY: GDPR-/CCPA-compliant Enforcement of Verifiable Accountless Consumer Requests

by   Scott Jordan, et al.

Recent data protection regulations (such as GDPR and CCPA) grant consumers various rights, including the right to access, modify or delete any personal information collected about them (and retained) by a service provider. To exercise these rights, one must submit a verifiable consumer request proving that collected data indeed pertains to them. This action is relatively straightforward for consumers with active accounts with a service provider at the time of data collection, since they can use standard (e.g., password-based) means of authentication to validate their requests. However, a major conundrum arises from the need to support consumers without accounts to exercise their rights. To this end, some service providers began requiring these accountless consumers to reveal and prove their identities (e.g., using government-issued documents, utility bills or credit card numbers) as part of issuing a verifiable consumer request. While understandable as a short-term cure, this approach is, at the same time, cumbersome and expensive for service providers as well as very privacy-invasive for consumers. Consequently, there is a strong need to provide better means of authenticating requests from accountless consumers. To achieve this, we propose VICEROY, a privacy-preserving and scalable framework for producing proofs of data ownership, which can be used as a basis for verifiable consumer requests. Building upon existing web techniques and features (e.g., cookies), VICEROY allows accountless consumers to interact with service providers, and later prove – in a privacy-preserving manner – that they are the same person, with minimal requirements for both parties. We design and implement VICEROY with the emphasis on security/privacy, deployability and usability. We also thoroughly assess its practicality via extensive experiments.


page 1

page 2

page 3

page 4


Citadel: Self-Sovereign Identities on Dusk Network

The amount of sensitive information that service providers handle about ...

None Shall Pass: A blockchain-based federated identity management system

Authentication and authorization of a user's identity are generally done...

Towards Querying in Decentralized Environments with Privacy-Preserving Aggregation

The Web is a ubiquitous economic, educational, and collaborative space. ...

Rethinking Quality of Experience for Metaverse Services: A Consumer-based Economics Perspective

The Metaverse is considered to be one prototype of the next-generation I...

On the Data Fight Between Cities and Mobility Providers

E-Scooters are changing transportation habits. In an attempt to oversee ...

FORT: Right-proving and Attribute-blinding Self-sovereign Authentication

Nowadays, there is a plethora of services that are provided and paid for...

GDPR: When the Right to Access Personal Data Becomes a Threat

After one year since the entry into force of the GDPR, all web sites and...