U-PrIM - Usable Privacy-enhancing Identity Management for smart applications
U-PrIM (Usable Privacy-enhancing Identity Management for smart applications) is a research project involving the departments of Computer Science, Information Systems and Psychology at Karlstad University (KaU), in collaboration with industry partners Nordea Bank in Denmark and Gemalto in Sweden.
The purpose of the project is to find ways of using future mobile technologies that are secure, privacy-friendly and easy to use. Using e-shopping scenarios and focusing on e-banking solutions, this research project will explore the different challenges surrounding:
- Users' mobile banking behaviours, expectations and goals
- Secure authentication to sensitive platforms (e.g. banks) while "on the move"
- Secure and privacy-friendly architectures for Identity Management and authentication
- User-friendly Identity Management on mobile devices
- Users' understanding of privacy related issues when using mobile technology
In the non-electronic world, individuals usually had better control over the release of their personal information and partial identities to other parties; in the information age, users have more or less lost effective control over their personal spheres. When communicating via the Internet, users leave many personal data traces at various sites, which can easily be compiled into extensive personal profiles. It is, however, critical to our society and to democracy to retain and maintain the individual's autonomy and thus to protect privacy, particularly the individual's right to informational self-determination. Findings of Eurobarometer in 2008 and other surveys have shown that the majority of European Internet users have little trust in personal data management on the Internet and that EU citizens are concerned about privacy issues, which can also have an impact on their usage of eCommerce services.
Powerful tools for technically enforcing user control and informational self-determination, as well as the privacy principle of data minimization, can be provided by privacy-enhancing Identity Management (IDM) systems. Identity management means managing the various partial identities (i.e. sets of attributes, usually denoted by pseudonyms) of a person. Privacy-enhancing IDM also enforces data minimization, a basic legal privacy principle meaning that only the minimal amount of data needed for an application or in a specific context is revealed. Moreover, such systems should sufficiently preserve unlinkability (as seen by an attacker) between the partial identities of an individual that the different applications require.
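As an added illustration of these three notions (partial identities under pseudonyms, data minimization, and unlinkability against an observer that pools releases), the following toy model is example code written for this page, not U-PrIM project code; the attribute names, the set of "identifying" attributes and the shop/bank requirements are constructed assumptions.

```python
# Added example (not U-PrIM project code): a toy model of privacy-enhancing IDM.
# A person holds a full identity (attribute set). Each application context gets a
# partial identity: only the attributes it needs (data minimization), under a
# context-specific pseudonym. An observer that pools two releases (the
# unlinkability attacker model) tries to tie them to one person. Values are constructed.
import secrets
from dataclasses import dataclass

# Attributes whose value alone identifies a person (assumption made for this model).
IDENTIFYING = {"name", "email", "account"}

@dataclass
class PartialIdentity:
    pseudonym: str
    attributes: dict

def minimise(full_identity: dict, required: set) -> dict:
    """Release only the attributes the context requires; refuse if any are missing."""
    missing = required - full_identity.keys()
    if missing:
        raise KeyError(f"identity lacks required attributes: {sorted(missing)}")
    return {k: full_identity[k] for k in sorted(required)}

def release(full_identity: dict, required: set, pseudonym: str = "") -> PartialIdentity:
    """Fresh random pseudonym per context unless the caller reuses one (the naive case)."""
    return PartialIdentity(pseudonym or secrets.token_hex(8),
                           minimise(full_identity, required))

def linkable(a: PartialIdentity, b: PartialIdentity) -> bool:
    """Can an observer holding both releases attribute them to the same person?"""
    if a.pseudonym == b.pseudonym:
        return True
    shared = set(a.attributes.items()) & set(b.attributes.items())
    return any(key in IDENTIFYING for key, _ in shared)

FULL = {"name": "Alice Example", "email": "alice@example.test",  # constructed person
        "account": "SE00-TEST-0001", "age": 34, "country": "SE"}
SHOP_NEEDS = {"age", "country"}   # assumed: the e-shop only needs these for its rules
BANK_NEEDS = {"name", "account"}  # assumed: the bank needs the account holder's identity

def compare() -> dict:
    """Naive reuse of one full profile everywhere vs. minimised pseudonymous releases."""
    shared_id = "customer-0001"  # constructed: one identifier reused at every site
    naive_shop = release(FULL, set(FULL), shared_id)
    naive_bank = release(FULL, set(FULL), shared_id)
    pe_shop = release(FULL, SHOP_NEEDS)
    pe_bank = release(FULL, BANK_NEEDS)
    return {"naive_linkable": linkable(naive_shop, naive_bank),
            "privacy_enhancing_linkable": linkable(pe_shop, pe_bank),
            "shop_sees": sorted(pe_shop.attributes)}
```

Calling `compare()` shows the naive profile is trivially linkable across the shop and the bank, while the minimised, pseudonymous releases share nothing an observer could join on.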
Mobile research studies foresee a massive increase in smart phone applications and growth of the mobile internet. Mobile payment and mobile money transfer have been identified as belonging to the top 10 Consumer Mobile Applications for 2012. With the growing number of mobile eCommerce and eGovernment applications, there will be an increasing need for usable tools for secure and privacy-friendly management of identities on smart devices. Such IDM tools can not only help to technically enforce legal privacy principles, but can also enhance the user's trust in mobile eCommerce and eGovernment applications.
Privacy-enhancing identity management, however, implies that users can make informed choices about the release of personal data, the selection of credentials for proving personal properties, and their privacy and trust policy settings. To enable users to make well-informed decisions, user interfaces (UIs) are needed that inform them about the trustworthiness and the privacy policies of their communication partners as well as the implications of personal data releases, and which help them to manage their partial identities. These user interfaces should be informative while being perceived as non-intrusive; they should be intuitive, legally compliant and trustworthy. These requirements pose several challenges, especially if mobile devices such as smart phones with limited capabilities and screen sizes are used.