
Secure and Privacy-Preserving Authentication for Data Subject Rights Enforcement

Malte Hansen, Andre Büttner

TL;DR

The paper tackles the challenge of securely authenticating data subjects who exercise GDPR data subject rights. It reviews current practices and proposes a standardized, privacy-preserving architecture that leverages EU eIDs and attribute-based credentials. It introduces two deployment models, SSI and FIM, within a role-based architecture comprising User Devices, Service Providers, Identity Providers, and Identity Issuers, and discusses the potential involvement of Data Intermediaries. The approach aims to minimize data disclosure through selective attribute claims and verifiable credentials, while enabling reliable authentication by requiring a threshold of credentials mapped to the data sets a controller holds. It analyzes the trade-offs between decentralization and centralized control, data minimization, and cross-border applicability, and outlines open issues such as authentication thresholds, credential negotiation, semantic normalization of attributes, and the handling of non-European data subjects. The work contributes a concrete framework intended to standardize privacy-preserving DS authentication in the EU data landscape and to support data controllers that lack robust authentication mechanisms.
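To make the threshold idea concrete, the following is an added illustration of how a data controller could evaluate selectively disclosed attribute claims against one of its data sets. It is example code written for this page, not the paper's own implementation: the attribute names, the normalization rules, the threshold value, the `DataSet`/`authenticate` helpers and the sample record are all assumptions. It also assumes the issuer signatures on the claims were already verified (by the DC or its Identity Provider), so only the matching step is shown. It covers three of the points the summary raises: the DC requests only attributes it already holds (data minimization), a minimum number of matching attributes is required (threshold), and values are normalized before comparison so that `ERIKA` and `12.08.1964` match a record storing `Erika` and `1964-08-12` (semantic normalization).

```python
from dataclasses import dataclass
from datetime import datetime
import unicodedata


@dataclass(frozen=True)
class DataSet:
    """Personal data a DC holds about one DS (constructed example record)."""
    dataset_id: str
    attributes: dict   # attribute name -> value as stored by the DC
    threshold: int     # number of matching attribute claims required


def normalize(name, value):
    """Map semantically equivalent encodings of an attribute to one canonical form.

    The rules here are assumptions for this example: NFKC + casefold + whitespace
    collapsing for names and e-mail, a few common date formats for birth_date.
    """
    v = unicodedata.normalize("NFKC", str(value)).strip()
    if name == "birth_date":
        for fmt in ("%Y-%m-%d", "%d.%m.%Y", "%d/%m/%Y"):
            try:
                return datetime.strptime(v, fmt).date().isoformat()
            except ValueError:
                continue
        return v  # unknown format: compared as-is, which will most likely not match
    return " ".join(v.casefold().split())


def requested_attributes(ds):
    """Data minimization: the DC asks the IdP only for attributes it already holds."""
    return sorted(ds.attributes)


def authenticate(ds, claims):
    """Check a set of (already signature-verified) attribute claims against a data set.

    Returns (accepted, matched_attribute_names). Any presented attribute that
    contradicts the stored value rejects the whole presentation, because the
    claims then cannot belong to the DS described by this record.
    """
    matched = []
    for name, claimed in claims.items():
        if name not in ds.attributes:
            # Unsolicited attribute: ignore it and never store it.
            continue
        if normalize(name, claimed) != normalize(name, ds.attributes[name]):
            return False, []
        matched.append(name)
    return len(matched) >= ds.threshold, sorted(matched)


# Constructed sample record and presentations (not real data).
RECORD = DataSet(
    dataset_id="customer-4711",
    attributes={
        "given_name": "Erika",
        "family_name": "Mustermann",
        "birth_date": "1964-08-12",
        "email": "erika@example.org",
    },
    threshold=3,
)

GOOD_CLAIMS = {"given_name": "ERIKA ", "family_name": "Mustermann",
               "birth_date": "12.08.1964"}
TOO_FEW_CLAIMS = {"given_name": "Erika", "family_name": "Mustermann"}
CONTRADICTING_CLAIMS = {"given_name": "Erika", "family_name": "Mustermann",
                        "birth_date": "1970-01-01", "email": "erika@example.org"}

if __name__ == "__main__":
    print("DC would request:", requested_attributes(RECORD))
    for label, claims in [("good", GOOD_CLAIMS), ("too few", TOO_FEW_CLAIMS),
                          ("contradicting", CONTRADICTING_CLAIMS)]:
        print(label, authenticate(RECORD, claims))
```

Two design choices worth noting: a single contradicting attribute rejects the presentation outright rather than merely not counting, since partial matches against a record are exactly what an attacker with a few leaked attributes would produce; and the threshold is stored per data set, because how many attributes suffice depends on how many the controller holds, which is one of the open issues the paper lists.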

Abstract

In light of the GDPR, data controllers (DC) need to allow data subjects (DS) to exercise certain data subject rights. A key requirement here is that DCs can reliably authenticate a DS. Due to a lack of clear technical specifications, this has been realized in different ways, such as by requesting copies of ID documents or by email address verification. However, previous research has shown that this is associated with various security and privacy risks and that identifying DSs can be a non-trivial task. In this paper, we review different authentication schemes and propose an architecture that enables DCs to authenticate DSs with the help of independent Identity Providers in a secure and privacy-preserving manner by utilizing attribute-based credentials and eIDs. Our work contributes to a more standardized and privacy-preserving way of authenticating DSs, which will benefit both DCs and DSs.

Paper Structure (17 sections, 6 figures, 1 table)

Figures (6)

  • Figure 1: Centralized identity model
  • Figure 2: Federated identity model
  • Figure 3: Decentralized identity model based on ABCs
  • Figure 4: Overview of Components in the Architecture
  • Figure 5: Simplified flow of an SSI authentication process
  • ...and 1 more figure