Security issues in provenance use cases
From XG Provenance Wiki
Security and identity issues arise in many of the Provenance XG use cases. Below is a summary that highlights the issue each use case raises and quotes relevant passages from it.
- Anonymous Information - Hiding attribution
- "A user feels important information should be shared, but is reluctant to share if the information is attributed to them."
- Simple Trustworthiness Assessment - Manipulation by providers
- "Since Eve does not want to check and verify all information she decides to consider those information objects trustworthy that originate from trusted providers."
- "While Alice is the source from which the information has been retrieved she is not the original provider of all the information. Nonetheless, the information that Alice controls the providing service may be relevant for trustworthiness assessments too, because it may give her the chance for manipulation."
- Ignoring Unreliable Data - Insecure channels
- "Bob accesses these sources using various channels, some of which are insecure. Alice, a friend of Bob, realizes Bob's dataset is a valuable source for her studies. However, she considers only those statistical records as reliable that are based on source data that are guaranteed to be unmodified."
- "This information must include the source data items used to create each data item as well as information about how Bob retrieved these source data items. The latter should include information about the corresponding transmission channel and the result of Bob's attempts to verify digital signatures in case the retrieved data was signed."
- Provenance Tracking in the Blogosphere - Attribution while preserving privacy
- "In the context of this blogosphere use case, a blog aggregator service or a user wants to identify the author of a blog without violating privacy laws. In some scenarios, the aggregator service or user may have only incomplete attribution information. In case the author of a blog is listed by name (first name, last name), disambiguation of an author is difficult with multiple blog authors sharing the same name and this may require use of additional user information (for example, email address) without violation of user privacy or privacy laws."
- Provenance of a Tweet - Identity
- "Determine the original author and content of a microblog message (e.g. tweet). Determine any changes and the attribution of those changes as the microblog message is reposted (e.g. retweeted)."
- "How to track the alterations to Web content outside of a web browser."
- "Identifying users that create and modify content. Do you need signatures or OpenIds or just a URL?"
- Provenance and Private Data Use - Identity and provenance integrity
- "To effectively make entities accountable for misuse of information, we need to guarantee that the provenance information created by the involved entities implements some form of entity identification and provenance integrity. Then, if a problem is found in the processing of personal information, the right entity can be made accountable by checking its identity. At the same time, if provenance integrity is guaranteed, entities can be sure that the actions that they asserted are represented in the provenance information and any other entity was able to change it. This problem can be addressed by the use of cryptographic techniques, such as signatures to verify the entities’ identity and cryptographic hashes to check the integrity of provenance chains."
- Provenance of Decision Making in Emergency Response - Accessibility
- "Not all provenance information may be available to everyone involved in responding to the disaster. For example, information produced by the Police may not be accessible to the Ambulance Services or to the voluntary sector."
- Evidence for public policy - Confidential information
- "maintaining links between (confidential) data stored on paper and (usually public) intermediate data and final reports, that may not be solvable solely by provenance technology in computer systems."
- Evidence for engineering design - Notarization
- "Obtaining completeness guarantees may require developing cryptographic standards and protocols for "notarization" by trusted observers or hardware enforcement mechanisms."
- Fulfilling Contractual Obligations - Signatures and notarization
- "Each account of processing is signed and dated as close to the source as possible and with minimal delay. (Foo Corp. primarily uses instruments that produce cryptographically signed provenance statements directly using an internal certificate, others send unsigned statements directly to a central server for signing, all records are given a signed timestamp by a third-party clock (a notary service) as early as possible)."
- "The system is capable of providing 'derived' signed records that include provenance for any of the 'related' sets of samples required (see above) and further to do so while anonymizing some samples."
- "The system is capable of providing raw provenance records to a trusted third party to generate derived anonymized and summarized records and documenting that it is the third party who is responsible/liable for asserting that the derived records are valid (correctly reflect the content of the original records)."
- "Records-related information (direct signatures, signatures notarizing and timestamping other signatures, mechanisms that provide evidence of completeness (e.g. numbering pages in a bound notebook)) will need to be maintained for provenance and propagated to derived records to create chains of evidence."
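
The "Provenance and Private Data Use" and "Fulfilling Contractual Obligations" passages both call for entity identification plus integrity over a chain of provenance records. The sketch below is an added example, not taken from the wiki or the use cases: each record is hashed together with its predecessor's hash and authenticated by the asserting entity. HMAC with constructed per-entity keys stands in for the digital signatures the use cases mention, and the entity names and record fields are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC is a stand-in for per-entity digital signatures;
# a real deployment would use asymmetric keys so verifiers cannot forge records.
KEYS = {"clinic": b"clinic-demo-key", "lab": b"lab-demo-key"}
GENESIS = "0" * 64
FIELDS = ("entity", "action", "prev")

def digest(body):
    """SHA-256 over a canonical JSON encoding of the record body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(chain, entity, action):
    """Add a record that commits to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"entity": entity, "action": action, "prev": prev}
    h = digest(body)
    sig = hmac.new(KEYS[entity], h.encode(), hashlib.sha256).hexdigest()
    chain.append({**body, "hash": h, "sig": sig})
    return chain

def verify(chain):
    """Return (ok, index of first bad record, reason)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, i, "broken link"        # record removed or reordered
        if digest({k: rec[k] for k in FIELDS}) != rec["hash"]:
            return False, i, "content modified"   # body edited after hashing
        key = KEYS.get(rec["entity"])
        if key is None:
            return False, i, "unknown entity"
        expected = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):
            return False, i, "bad signature"      # not asserted by that entity
        prev = rec["hash"]
    return True, None, "ok"

def demo():
    chain = []
    append(chain, "clinic", "collected record r1")
    append(chain, "lab", "derived statistic s1 from r1")
    append(chain, "clinic", "shared s1 with insurer")
    tampered = [dict(r) for r in chain]
    tampered[1]["action"] = "derived statistic s1 from r2"
    return verify(chain), verify(tampered)
```

The chain detects removal of interior records but not truncation of the newest ones; that gap is what the externally notarized timestamps and completeness evidence in the contractual-obligations use case are meant to close.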