Project ID: 653704
Funded under: H2020-EU.3.7.

Periodic Reporting for period 1 - OPERANDO (Online Privacy Enforcement, Rights Assurance and Optimization)

Reporting period: 2015-05-01 to 2016-04-30

Summary of the context and overall objectives of the project

The goal of the OPERANDO project is to specify, implement, field-test, validate and exploit an innovative privacy enforcement framework that will enable the Privacy as a Service (PaS) business paradigm and create a broad market for online privacy services.
Online privacy is a pervasive European market need. Europe's citizen privacy laws are world-leading. However, the evolving data protection and privacy frameworks are yet to be implemented in a transparent and user-friendly way that enables users to understand and control how their personal data are used and to partake in the monetization of their economic value. Currently, users have no control over the personal data they have disclosed to service providers, and cannot verify that the data are not passed on to third parties. The lack of visible privacy protection limits users' willingness to use online services. Moreover, the economic value of personal data is neither adequately understood nor taken advantage of by users, while providers of online services monetize it and enjoy its full benefits.
The OPERANDO project will develop a platform that will be used by independent Privacy Service Providers (PSPs) to provide comprehensive user privacy enforcement in the form of a dedicated online service, called “Privacy Authority”. The OPERANDO platform will support flexible and viable business models, including targeting of individual market segments such as public administrations, social networks and Internet of Things.
OPERANDO aims to contribute to the entire ecosystem of online privacy stakeholders: Users, PSPs, Online Service Providers (OSP) and their technology suppliers, and Regulators. Federation of specialized Privacy Authorities will be supported to increase the range of the services and their uptake. The OPERANDO platform will be positioned for endorsement by European governments and standardization bodies. To increase the transparency of the privacy services and dissemination of results, OPERANDO outcomes will be implemented as Open Source, and will be made available to the community for further evolution and value-adding beyond the scope of the project.
The objectives of the project can be summarised as follows:
O1 - Enable user-friendly privacy enforcement
Provide users with easy-to-use tools and interfaces for granular control over access and use of their personal data, as well as the ability to trade the value of the personal data for economic benefits.
O2 - Implement Privacy-by-Design
Enable existing and new online services to comply with Privacy-by-Design legislation and principles. Create the technology for semantic input and enforcement of existing and future European privacy laws, along with best practices and user privacy preferences, including privacy protection in cross-border services.
O3 - Create viable business and trust models
Provide built-in support for a range of Privacy Service Provider business models and profitability strategies, along with strong value for Online Service Providers, while keeping the service free for users. Create strong trust models easily understood and accepted by users.
O4 - Demonstrate and validate the solution
Implement, test and validate the solution through use by multiple real Online Service Providers representing different market segments.
O5 - Ensure that OPERANDO framework is sustainable
Identify, document and initiate a joint exploitation strategy between OPERANDO partners, building on project demonstrations and endorsements and their dissemination, and other mechanisms such as Open Source release where appropriate. Gain endorsement of the solution by data protection authorities and consumer organizations, and position it for endorsement by governments.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

The first year of OPERANDO has seen the project progress through the communication, definition and first-prototype milestones. The methodology of the project is iterative, producing working software every six months to test with users. The progress in the first year therefore builds the foundation for the remaining work on the project, where subsequent releases of the software will be developed and tested, leading to the creation of a valuable product.
The communication package milestone saw the consortium work on producing processes and guidelines, including a communication and dissemination plan and effective project management processes. Following this, the definition milestone of the project was completed where many vital activities for the first year took place. This included the creation of the product requirements and marketing requirements documents for the project. These resulted from user requirements gathering with members of the User Advisory Board, and inclusion of legal and ethical aspects. Based upon this knowledge, the product architecture was specified, as well as the specifications for the individual components of this whole.
The final months of year one focused on the development and delivery of the first prototype of the software. This was delivered in M12 (month 12), when stub implementations of the functionality and of the interfaces between components were developed. This prototype provides the groundwork for the minimum viable product in M18, where the basic functionality of the software will be delivered, allowing initial user testing to begin across three sites in the UK and Italy.
In addition to releasing the first prototype of the platform, research into privacy methods has resulted in six scientific publications in prestigious venues which extend the current state of the art in security and privacy, an Android application for improving the privacy of mobile users, and a framework for the privacy of mobile users. Wireframes of the user interface have also been developed to show the user journeys and interactions with the platform for B2C (Business to Consumer) and G2C (Government to Consumer) Online Service Providers (OSPs) and end users. These wireframes will be used to gather feedback, and also to generate interest in the project and its main concepts. The main audience for this work is the existing customer bases and networks.
During these first phases, planning for the testing and validation sites has been started and refined, including research protocols, ethical approvals, approval to collect personal data and testing requirements. In addition, the ethics management board has been set up to oversee ethical issues and give advice from experts who are internal and external to the project.
The consortium has been active in disseminating the project results: in the first year two journal papers and five conference papers were published and four events attended, for example participation in the DPSP (Data Protection, Security and Privacy in the cloud) cluster at NetFutures 2016. This cluster of projects is analysing the challenges of data protection, security and privacy in the cloud in order to define the next work programme, 2018-2020. Furthermore, the white paper resulting from this cluster will be used by the European Commission when defining several regulations from the technological point of view.
In addition to these activities, the Marketing Advisory Board and User Advisory Board workshops were held to engage end users, consumer organisations and OSPs. The project also has an active website, with over two and a half thousand visits in the first year. The project Twitter account is also active, providing a daily diary for the consortium as well as articles and news for those interested in data privacy and security.
The exploitation of the project results is another area which has been a focus for the consortium in the first year of the project. Successful implementation of the Advisory board marketing workshop included meaningful feedback from the advisory board members that led to sharpening of the focus in the B2C market and changes in solution features. Direct discussions with G2C customers determined viable business models and definition of G2C features that will increase the customers’ control over their data, increasing their trust level. In addition, the exploitation plan for the project was defined and delivered. The focus on exploitation will increase in the next two years of the project, especially following the release of the minimum viable product.
Regarding the privacy-by-design concept, the approach has been defined and guidelines delivered for legal compliance. Moreover, we have stated the relevant ethical values and legal data protection principles for the OPERANDO market segments. The OPERANDO business models will build on the privacy aspects of user control as well as the other legal principles in order to be able to claim "privacy by design". The plan for the next two years is to prepare the validation of Privacy-by-Design for OPERANDO by documenting policymaking and regulation recommendations as well as a technical standardisation proposal, and to investigate the legal aspects of marketing online privacy services.

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

OPERANDO will advance beyond the state of the art in these main areas: legal compliance, automated policy analysis and management, enabling privacy of cloud-stored data and data anonymisation methods.
OPERANDO advances the state of the art by translating privacy and data protection into technical concepts, which the Commission considers "extremely difficult" (COM(2012) 417 p. 11), ensuring that PSPs can demonstrate the actual application of the Privacy-by-Design (PbD) method to Data Protection Authorities, as follows: PSPs follow a normative methodology taking account of ethical values, legal principles and privacy goals; consumers and PSPs have the flexibility to set design options appropriate for their individual case (full functionality); and PSPs can consider other cross-cutting criteria such as IT security and usability to better integrate the PbD method into the overall product lifecycle.
In the first year of the project, the Privacy-by-Design method has been described in terms of legal principles and design goals, including pseudo-identifiers, anonymisation, decentralised systems and raw data deletion. These goals define a comprehensive approach for online privacy services in response to the general EU legal requirement of privacy by design. All design goals are based on the work on legal guidelines for the project. In order to implement the privacy goal of pseudo-identifiers, we have identified and researched the methods and algorithms for OPERANDO, which will be applied within the Anonymisation Engine, Big Data Analytics and Privacy for Benefit modules of the platform.
Future work of OPERANDO will focus on specifying the privacy design goals in a set of properties of the OPERANDO architecture and modules to finalise the translation of the ethical and legal concepts into the overall OPERANDO implementation.
The concepts defined and described in project deliverables so far, and their implementation, enable two significant benefits for project impact. First, on the basis of what we have outlined, OPERANDO will make a proposal to the standards bodies working on the standardisation of "Privacy by Design", such as the activities in the framework of the European Commission Standardisation Request M/530 on privacy by design for the security industry. Second, the pseudo-identifier system will allow flexibility in support of OSPs and PSPs whilst respecting and optimising the legal safeguards and ethical values of end users. In this way, we aim to support the marketing of OPERANDO as one of the first products that will meet the future standard. Thus, the implementation of these features will achieve the expected impact of implementing Privacy-by-Design architectures.
In addition to the work on legal compliance, OPERANDO will advance beyond the state of the art in automated policy analysis and management. OPERANDO will combine different sources, namely privacy policies, user preferences, OSP incentives and privacy laws, in order to reach an authorization decision on whether an OSP should be granted access to the user's data. OPERANDO will address this by integrating SAM (SERSCIS Access Modeller) functionality as a service, allowing run-time computation of policy implications, e.g. when an OSP composes services dynamically from more primitive elements (e.g. for data storage and access, data transcription or analytics). This will be used to decide at run-time whether it is safe (for a given user) to delegate or allow access rights to a particular service.
The first prototype of the platform allows certain authorised users access to specific fields of an individual's data. This follows the release plan for the Policy Computation (PC) module, whose first release in M12 contains the stub implementation of the basic interfaces with other components. The MVP (Minimum Viable Product) release will implement the ability to compute a user privacy policy: the PC module takes as input a user's privacy preferences, privacy regulations, and OSP privacy guarantees and settings, and from these automatically computes the policies specific to that user (for example, an access policy allowing a particular OSP access to personal data). This module will also add the ability to maintain a user privacy policy (UPP) and to evaluate whether the OSP's service behaviour complies with its privacy guarantees.
As current tools are off-line, design-time analysis tools, this technology extends the state of the art by integrating the decision-making functionality as a service, making access-control and privacy-policy outcome prediction available for run-time policy management. A key expected impact is OPERANDO serving as a ready-to-use, modular platform for testing and validating new privacy-enabling techniques and architectures. Therefore, the work on policy computation contributes to the expected impact of facilitating and spurring innovation, given that interest in privacy-aware cloud computing is very high and that current state-of-the-art privacy solutions are inadequate.
Another main area of research is enabling the privacy of cloud-stored data. To further extend the features a user can have without compromising their privacy, OPERANDO will deploy a set of novel methodologies for enabling search over encrypted data, performing private aggregation, and allowing OSPs to perform operations without accessing the sensitive data. Additionally, to hide users' traces, OPERANDO will develop anonymous authentication mechanisms and exploit homomorphic encryption to develop methods that decrease users' exposure without compromising the needed functionality. For example, OPERANDO will propose new techniques in Private Equality Testing and Private Proximity Testing in order to provide libraries that developers can easily port into their applications, so that they can enable the functionality, e.g. proximity testing, without exposing users' whereabouts. Moreover, OPERANDO will work on extensions such as Private Similarity Testing, where the aim is to test whether two sets, not values, are similar to each other.
Alongside this, OPERANDO will develop a set of data anonymisation methodologies. As users store much information in documents, OPERANDO will explore the use of document sanitisation or redaction techniques to identify and obfuscate sensitive pieces of information. The partial obfuscation of a document will allow seamless operations over the non-hidden parts, such as sorting, summarising or aggregating data. To publish datasets, OPERANDO will try to decrease the data loss of anonymised data by performing a range of transformations that provide, for example, l-diversity or differential privacy. OPERANDO will also enable PPCF (Privacy Preserving Collaborative Filtering) functionality to allow users to receive personalised recommendations without compromising their privacy.
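As an added example of the dataset-publishing side of this paragraph (not code from the project), the script below measures k-anonymity and l-diversity of a constructed six-record table, applies a generalisation transformation to the quasi-identifiers, and searches a small set of generalisation levels for the least lossy one that satisfies a target k and l. The records, the loss score and the set of generalisation levels are assumptions made for illustration; the k-anonymity and distinct l-diversity definitions are the standard ones.

```python
"""Added example: measuring k-anonymity and l-diversity of a small release and
choosing the least lossy generalisation that meets a target. Records, loss
score and generalisation levels are constructed for illustration."""
from collections import defaultdict

# Constructed sample table: two quasi-identifiers and one sensitive attribute.
RECORDS = [
    {"age": 29, "zip": "10115", "diagnosis": "flu"},
    {"age": 31, "zip": "10117", "diagnosis": "asthma"},
    {"age": 34, "zip": "10119", "diagnosis": "flu"},
    {"age": 45, "zip": "20095", "diagnosis": "diabetes"},
    {"age": 47, "zip": "20097", "diagnosis": "diabetes"},
    {"age": 49, "zip": "20099", "diagnosis": "flu"},
]
QUASI = ("age", "zip")
SENSITIVE = "diagnosis"


def equivalence_classes(records):
    """Group records that share the same quasi-identifier values."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[q] for q in QUASI)].append(r)
    return list(groups.values())


def k_anonymity(records):
    """k = size of the smallest equivalence class: each record is
    indistinguishable from at least k-1 others on the quasi-identifiers."""
    return min(len(g) for g in equivalence_classes(records))


def l_diversity(records):
    """l = fewest distinct sensitive values in any equivalence class
    (distinct l-diversity); l == 1 means a class leaks its attribute outright."""
    return min(len({r[SENSITIVE] for r in g}) for g in equivalence_classes(records))


def generalise(records, age_bucket, zip_digits):
    """Coarsen the quasi-identifiers: age to a bucket, zip to a prefix."""
    out = []
    for r in records:
        lo = (r["age"] // age_bucket) * age_bucket
        masked = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        out.append({"age": f"{lo}-{lo + age_bucket - 1}", "zip": masked,
                    SENSITIVE: r[SENSITIVE]})
    return out


def loss(age_bucket, zip_digits):
    """Constructed information-loss score: wider age buckets and shorter
    zip prefixes cost more (a real system would use a utility metric)."""
    return age_bucket / 100 + (5 - zip_digits) / 5


AGE_BUCKETS = (5, 10, 20, 50, 100)   # assumed generalisation levels
ZIP_DIGITS = (5, 4, 3, 2, 1, 0)


def find_minimal_generalisation(records, k_target, l_target):
    """Return the (age_bucket, zip_digits) with the lowest loss whose output
    satisfies k-anonymity >= k_target and l-diversity >= l_target, or None."""
    candidates = sorted(((a, z) for a in AGE_BUCKETS for z in ZIP_DIGITS),
                        key=lambda c: loss(*c))
    for a, z in candidates:
        g = generalise(records, a, z)
        if k_anonymity(g) >= k_target and l_diversity(g) >= l_target:
            return a, z
    return None


if __name__ == "__main__":
    print("raw: k =", k_anonymity(RECORDS), "l =", l_diversity(RECORDS))
    choice = find_minimal_generalisation(RECORDS, 3, 2)
    print("least lossy generalisation for k=3, l=2:", choice)
    for row in generalise(RECORDS, *choice):
        print(row)
```

On the raw table every record is unique (k = 1, l = 1). Coarsening ages to 20-year buckets and zips to a four-digit prefix yields two classes of three records with two distinct diagnoses each (k = 3, l = 2), and the search confirms that no cheaper level in the assumed lattice achieves that target; asking for k = 6 forces the whole table into one class.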
For these areas, in the first year, methods for secure cloud storage and cloud authentication have been studied and are gradually being integrated into the platform, e.g. order-preserving encryption algorithms. We have studied the current state of the art and practice in private data transmission and processing, which led to the publication of three conference papers and two journal papers. In addition to this research, a comprehensive study of the current literature on anonymisation algorithms has been completed, and a novel algorithm based on lattice-based encryption for privacy-preserving recommender systems has been developed and is being tested. The architecture of the private data repository has been delivered, and privacy-preserving methods for authentication have been studied.
Following the creation of a more complete software solution in the second and third years of the project, the methods and algorithms designed during the project will be incorporated into the software modules to advance the state of the art in the privacy of cloud-stored data and in data anonymisation. After the first year these methods are still under research and testing; however, a comprehensive study of these techniques has been presented, which will underpin future work in these areas. Therefore, so far in the project, the impact of the work in these more technical areas centres largely on advancing knowledge and disseminating the project concepts in the scientific community, through the publication of scientific papers and research into new methods for privacy preservation. This work will, however, contribute to the expected impact of providing a practical and user-friendly implementation of the legal obligations related to personal data processing and prior consent.

