| Introduction | p. 1 |
| Privacy in the Global Information Society | p. 5 |
| Definition of Privacy and Data Protection | p. 5 |
| Historical Perspective on Data Protection Legislation | p. 6 |
| Privacy Principles of the German Census Decision | p. 8 |
| Basic Privacy Principles | p. 10 |
| The EU Directive on Data Protection | p. 11 |
| German Data Protection Legislation | p. 14 |
| The German Federal Data Protection Act (Bundesdatenschutzgesetz) | p. 14 |
| Data Protection Regulations for Information and Telecommunication Services | p. 17 |
| Threats to Privacy in the Global Networked Society | p. 18 |
| Privacy Threats at Application Level | p. 18 |
| Privacy Threats at Communication Level | p. 20 |
| Insecure Technologies | p. 23 |
| Problems of an International Harmonisation of Privacy Legislation | p. 24 |
| The Need for Privacy Enhancing Technologies | p. 30 |
| The Importance of Privacy Education | p. 31 |
| Conclusions | p. 32 |
| IT-Security | p. 35 |
| Definition | p. 35 |
| Security Models | p. 38 |
| Harrison-Ruzzo-Ullman Model | p. 40 |
| Bell LaPadula Model | p. 41 |
| Unix System V/MLS Security Policy | p. 46 |
| Biba Model | p. 47 |
| Lattice Model of Information Flow | p. 49 |
| Noninterference Security Model | p. 51 |
| Clark-Wilson Model | p. 52 |
| Chinese Wall Model | p. 56 |
| Role-Based Access Control Models | p. 58 |
| Task-Based Authorisation Models for Workflow | p. 65 |
| Workflow Authorisation Model (WAM) | p. 66 |
| Task-Based Authorisation Controls (TBAC) | p. 68 |
| Security Models for Object-Oriented Information Systems | p. 68 |
| The Authorisation Model by Fernandez et al. | p. 69 |
| The Orion Authorisation Model | p. 69 |
| The DORIS Personal Model of Data | p. 70 |
| Further Relevant Research | p. 71 |
| Resource Allocation Model for Denial of Service Protection | p. 72 |
| Multiple Security Policies Modelling Approaches | p. 75 |
| The Generalised Framework for Access Control (GFAC) | p. 75 |
| The Multipolicy Paradigm and Multipolicy Systems | p. 78 |
| Basic Security Functions and Security Mechanisms | p. 78 |
| Identification and User Authentication | p. 78 |
| Access Control | p. 79 |
| Auditing | p. 80 |
| Intrusion Detection Systems | p. 81 |
| Object Reuse Protection | p. 83 |
| Trusted Path | p. 83 |
| Cryptography | p. 83 |
| Foundations | p. 83 |
| Symmetric Algorithms | p. 85 |
| Asymmetric Algorithms | p. 87 |
| Hash Functions | p. 88 |
| Certificates | p. 88 |
| Security Evaluation Criteria | p. 90 |
| The Rainbow Series (Orange Book et al.) | p. 91 |
| European Initiatives | p. 93 |
| Overview | p. 93 |
| The German Green Book | p. 94 |
| The Information Technology Security Evaluation Criteria (ITSEC) | p. 94 |
| North American Initiatives | p. 96 |
| CTCPEC | p. 96 |
| MSFR | p. 96 |
| Federal Criteria | p. 97 |
| International Harmonisation | p. 97 |
| ISO Initiatives (ISO/IEC-ECITS) | p. 97 |
| The Common Criteria | p. 97 |
| Shortcomings of IT Security Evaluation Criteria | p. 101 |
| Conflict between IT Security and Privacy | p. 102 |
| Privacy Implications of IT Security Mechanisms | p. 102 |
| A Holistic Approach to a Privacy-Friendly Design and Use of Security Mechanisms | p. 104 |
| Privacy-Enhancing Technologies | p. 107 |
| Privacy-Enhancing Security Aspects | p. 107 |
| Privacy-Enhancing Security Aspects for Protecting the User Identities | p. 107 |
| Anonymity | p. 108 |
| Unobservability | p. 109 |
| Unlinkability | p. 110 |
| Pseudonymity | p. 110 |
| Privacy-Enhancing Security Criteria for Protecting the Usee Identities | p. 112 |
| Depersonalisation | p. 112 |
| The Risk of Re-identification | p. 113 |
| Privacy-Enhancing Security Aspects for Protecting Personal Data | p. 119 |
| System Concepts for Protecting User Identities | p. 120 |
| The Identity Protector | p. 120 |
| Protecting User Identities at Communication Level | p. 121 |
| Recipient Anonymity through Message Broadcast and Implicit Addresses | p. 122 |
| Dummy Traffic | p. 122 |
| DC-Nets | p. 123 |
| Mix-Nets | p. 127 |
| Crowds | p. 134 |
| Protecting User Identities at System Level | p. 135 |
| Pseudonymous System Accounts | p. 135 |
| Anonymous System Access and Use through Authorisation Certificates | p. 135 |
| Protecting User Identities at Application Level | p. 137 |
| Prepaid Cards | p. 137 |
| Untraceable Electronic Money through Blind Signatures | p. 137 |
| Protecting User Identities in Audit Data through Pseudonymous Auditing | p. 141 |
| Functionality of Pseudonymous Auditing | p. 142 |
| Pseudonymisation of User Identifying Data in Audit Records | p. 143 |
| Pseudonymisation Techniques | p. 145 |
| Protecting User Identities from other Users and Services | p. 145 |
| The Need for Anonymity and the Problem of Its Potential Misuse | p. 146 |
| System Concepts for Protecting Usee Identities - Inference Controls for Statistical Database Systems | p. 147 |
| System Concepts and Mechanisms for Protecting Personal Data | p. 152 |
| Steganographic Systems | p. 153 |
| Access Control Models for Personal Data Protection | p. 156 |
| Privacy Criteria for Security Models | p. 156 |
| Privacy Evaluation of Security Models | p. 157 |
| Privacy Evaluation of IT Security Evaluation Criteria | p. 163 |
| Conclusions | p. 164 |
| A Task-Based Privacy Model | p. 167 |
| Introduction | p. 167 |
| Model Description | p. 167 |
| Model Elements (State Variables) | p. 167 |
| Model Invariants and Constraints (Privacy Properties) | p. 174 |
| Privacy Invariants | p. 174 |
| Privacy Constraints | p. 175 |
| Model Rules (State Transition Functions) | p. 175 |
| General Transition Functions | p. 176 |
| Privileged Transition Functions | p. 178 |
| Information Flow Control | p. 186 |
| Revocation of Authorisations | p. 194 |
| Example: Application of the Privacy Model in a Hospital Information System | p. 198 |
| Analysis of the Privacy Model | p. 199 |
| Specification and Implementation of the Privacy Policy Following the Generalised Framework for Access Control-Approach | p. 201 |
| Introduction | p. 201 |
| The Specification of the Privacy Policy Rules Component | p. 203 |
| Access Control Information (ACI) | p. 204 |
| Access Control Enforcement Facility (AEF) and Its Interface to ADF | p. 210 |
| Access Control Decision Facility (ADF) | p. 227 |
| Implementation | p. 253 |
| RSBAC Implementation | p. 253 |
| Integration of Heuristic Policy Rules | p. 254 |
| Outlook | p. 256 |
| Concluding Remarks | p. 259 |
| Formal Mathematical Privacy Model | p. 261 |
| Model Components | p. 261 |
| Privacy-Oriented System | p. 264 |
| Theorems | p. 268 |
| Formal Definition of the Model Rules | p. 289 |
| Proofs | p. 304 |
| Implementation of a Hospital Scenario as a Demonstration Example | p. 325 |
| References | p. 331 |
| Table of Contents provided by Publisher. All Rights Reserved. |