The document discusses three pillars for building a smart data ecosystem: trust, security, and privacy. It summarizes an event on these topics from the i3-MARKET project. Trust can be achieved through blockchain technologies like consensus-based governance, tamper-proof ledgers, and verifiable credentials. Security involves hardware wallets, encryption, and multi-factor authentication. Privacy addresses GDPR requirements like data minimization, user consent, and accountability through self-sovereign identity, selective disclosure of information, and auditable accounting of data exchanges.
Three pillars for building a Smart Data Ecosystem: Trust, Security and Privacy
1. Three pillars for building a Smart Data Ecosystem: Trust, Security and Privacy
27/10/2020
Marketplaces
Semantics
Security, Privacy and Trust
i3-MARKET Webinar
https://www.i3-market.eu/
2. Agenda
The i3-Market Project: A brief introduction
TRUST: Everything under control
SECURITY: Unlock data with a key
PRIVACY: Meet and overcome GDPR
Q&A
4. i3-Market Project
i3-market leverages blockchain technologies to build a trusted, secure, interoperable and decentralised Backplane, paying special attention to regulatory aspects around sensitive data assets.
i3-market aims to connect Data Marketplaces from different countries and businesses as the initial step towards a smart data economy.
8. What should we trust?
Consensus-based Governance
Tamper-proof Ledger
Non-repudiation protocol
Verifiable Credentials
Transactions
Identity
Accounting
Governance
9. Blockchain technologies
Consensus-based Governance
Changes to the system must be approved by all the nodes.
Tamper-proof Ledger
Transactions are recorded in a chain of related blocks, and a malicious attack would break the chain's integrity.
Cryptographic keys
All transactions are signed with cryptographic keys, which provide security and reliability.
Verifiable credentials
All stakeholders are identified by tamper-evident credentials whose authorship can be cryptographically verified.
Non-repudiation protocol
Data exchanges and payments are made through a P2P communication protocol with cryptographically signed proofs.
10. Verifiable Credentials
Issuer: did:eth:0xk7bhac37c498d8e2386....
Role: Data Consumer
Country: Italy
Business: Automotive
Verifiable Data Registry
id: did:eth:0xk7bhac37c498d8e2386....
Public Key: H3C2AVvLMv6gmMNa...
Role: Data Marketplace
Country: Spain
Business: Automotive
id: did:eth:0xt3noiz45c744....
Public Key: did:eth:0xt3noi....
Role: Data Marketplace
Country: Germany
Business: Health
ISSUE ISSUE
PRESENT
VERIFY VERIFY
Issuer: did:eth:0xt3noiz45c744....
Role: Data Provider
Country: Italy
Business: Health
13. Blockchain Basics
Nodes
Check the validity of transactions against their version of the ledger.
Form new blocks.
“users”: transactions events
“ledger”
Produce transactions.
Send them to the network.
Ownership of assets is proven by a cryptographic signature.
Blocks are validated as honest or rejected.
Miners agree on the ledger through a consensus mechanism.
network
22. GDPR Technology Requirements
• Data minimization
• User consent
• Accountability
• Privacy by design
• Secure Data Transfers
i3-market Privacy Pillars
• Self-Sovereign Identities: Decentralized Identifiers, Verifiable Credentials, Selective Disclosure
• Explicit User Consent
• Auditable Accounting
GDPR blockchain
23. How many identities do we have? Who has control over them?
People have many online personas at many organizations
Federated auth. (OAuth2, OIDC) partially solves the problem
IdPs manage user identities
censorship, surveillance → bad for privacy!
I have to update my email account everywhere
Lots of sites to hack!
Users must have a stable identifier created by themselves
They must manage (verified) claims about their identity
They must manage what information to share at every interaction
Give control back to users
24. Self sovereign identity
Issuer: did:eth:0xk7bhac37c498d8e2386....
Subject: did:eth:0xf3beacff02a498d93f79a....
Role: Car Owner
Name: Mario
Surname: Rossi
Country: Italy
Age: 58
id: did:eth:0xf3beacff02a498d93f79a....
Public Key: 0xf3beacff02a498d93f79a...
Claim Holder
Credential Issuer
Local Storage
id: did:eth:0xk7bhac37c498d8e2386....
Public Key: H3C2AVvLMv6gmMNa...
Role: Data Marketplace
Country: Spain
Business: Automotive
Verifiable credentials
25. Selective disclosure
Issuer: did:eth:0xk7bhac37c498d8e2386....
Subject: did:eth:0xf3beacff02a498d93f79a....
Role: Data Owner
Name: Mario
Surname: Rossi
Country: Italy
Age: 58
id: did:eth:0xf3beacff02a498d93f79a....
Public Key: 0xf3beacff02a498d93f79a...
Data Owner
Data Marketplace
Data Provider
Issuer: did:eth:0xk7bh....
Role: Data Owner
Country: Italy
Age: >18
Issuer: did:eth:0xk7bh....
Role: Data Owner
role?
role, age, country?
id: did:eth:0xt3noiz45c744....
Public Key: did:eth:0xt3noi....
Role: Data Marketplace
Country: Germany
Business: Health
Issuer: did:eth:0xt3noiz45c744....
Role: Data Provider
Country: Italy
Business: Health
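The selective disclosure flow on this slide, sketched as an added example (not i3-MARKET code): the issuer signs salted hash commitments to each claim, and the holder reveals only the openings a verifier asks for. Salted hashing is one common construction and is an assumption here, as are the `did:example:` identifiers, the `age_over_18` claim name, and the HMAC that stands in for the issuer's digital signature.

```python
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # assumption: stand-in for the issuer's signing key

def _digest(salt, name, value):
    # Salted commitment: without the salt, a digest cannot be guessed back to "Italy".
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _proof(issuer, subject, digests):
    # HMAC stands in for the issuer's digital signature (a real VC uses the DID's key pair).
    body = json.dumps([issuer, subject, sorted(digests)]).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def issue(issuer, subject, claims):
    """Issuer: commit to each claim separately and sign only the commitments."""
    claims = dict(claims, age_over_18=claims["age"] > 18)  # predicate, so age can stay hidden
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    cred = {"issuer": issuer, "subject": subject, "digests": digests,
            "proof": _proof(issuer, subject, digests)}
    return cred, disclosures  # disclosures stay in the holder's local storage

def present(cred, disclosures, reveal):
    """Holder: hand over the signed commitments plus only the chosen openings."""
    return {"credential": cred, "revealed": {n: disclosures[n] for n in reveal}}

def verify(presentation):
    """Verifier: return the disclosed claims, or None if anything fails to check."""
    cred = presentation["credential"]
    expected = _proof(cred["issuer"], cred["subject"], cred["digests"])
    if not hmac.compare_digest(cred["proof"], expected):
        return None
    claims = {}
    for name, (salt, value) in presentation["revealed"].items():
        if _digest(salt, name, value) not in cred["digests"]:
            return None  # opening does not match any signed commitment
        claims[name] = value
    return claims

# Constructed sample: claim values from the slide, DIDs are placeholders.
CRED, DISCLOSURES = issue("did:example:marketplace", "did:example:mario",
    {"role": "Data Owner", "name": "Mario", "surname": "Rossi", "country": "Italy", "age": 58})

if __name__ == "__main__":
    print(verify(present(CRED, DISCLOSURES, ["role"])))  # answers "role?"
    print(verify(present(CRED, DISCLOSURES, ["role", "age_over_18", "country"])))
```

The verifier learns how many claims the credential holds, but nothing about the values that were not opened.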
26. GDPR: Data Minimization
• Personal data must be “collected for specified, explicit and legitimate purposes” and it must be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed”.
Art. 6.1 Dir. 95/46/EC and Art. 4.1 Reg. EC 45/2001
Data minimization
• Less sensitive information stored
• Reduced impact of data leaks
• Less interest for attackers
• Reduced security-level compliance required
• Less cost
27. Explicit user consent
i3-market solution:
Explicit user consent is issued by the data subject in the form of a verifiable credential (W3C VC).
The consent can be easily verified but cannot be faked or mangled.
i3-market operation will prevent the data exchange without the proper consents.
The data subject can withdraw his or her consent at any time.
• The controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
• The data subject shall have the right to withdraw his or her consent at any time.
GDPR Article 7
28. Auditable Accounting
Accounting of selected operations:
• Access, modification, deletion of sensitive data
• Payment data
• Contractual agreements
Reliable, privacy-guaranteed proofs of data exchange will support any future claim regarding a data trade.
Proofs cannot be repudiated by the involved stakeholders.
Backed up by a public blockchain, the accounting cannot be faked or tampered with.
Diagram labels: Data Owner, Data Consumer, Data Provider, signed actions, blockchain
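An added example (not i3-MARKET code) of the tamper evidence behind the ledger and the accounting described above: each record is chained to the previous one by hash, and the head hash is the value that would be anchored on the public blockchain. The record fields, the asset name and the function names are assumptions, and the per-action signatures are left out.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry

def entry_hash(prev, record):
    payload = json.dumps({"prev": prev, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append(ledger, actor, operation, asset):
    """Add an accounting record linked to the hash of the previous entry."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    record = {"actor": actor, "operation": operation, "asset": asset}
    ledger.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})
    return ledger[-1]["hash"]  # head hash: the value to anchor publicly

def first_invalid(ledger, anchored_head):
    """Index of the first entry that fails to verify; len(ledger) if the chain is
    self-consistent but does not end at the anchored head; None if intact."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["hash"] != entry_hash(entry["prev"], entry["record"]):
            return i
        prev = entry["hash"]
    return None if prev == anchored_head else len(ledger)

def sample_ledger():
    # Constructed sample: operations from the slide, asset name is made up.
    ledger = []
    append(ledger, "Data Provider", "modification", "dataset-42")
    append(ledger, "Data Consumer", "access", "dataset-42")
    head = append(ledger, "Data Owner", "deletion", "dataset-42")
    return ledger, head

if __name__ == "__main__":
    ledger, head = sample_ledger()
    print("intact:", first_invalid(ledger, head))
    ledger[1]["record"]["operation"] = "deletion"  # edit a stored record in place
    print("after edit, first bad entry:", first_invalid(ledger, head))
    print("truncated log:", first_invalid(sample_ledger()[0][:2], head))
```

An attacker who rewrites a record and recomputes every later hash produces a self-consistent chain, so only the comparison with the publicly anchored head exposes the rewrite or a dropped tail.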
People have hundreds of online personas at hundreds of organizations.
People maintain (or should maintain) many passwords to interact with many systems.
These ‘silos’ become gold mines for hackers and toxic liabilities for anyone obligated to store the data.
If you need to change your address or update a credit card, you need to deal with each of these hundreds of systems.
Federated authentication/authorization partially solves the problem.
Sites delegate authentication of users to third-party identity providers (OAuth2, OIDC).
However, our identity is controlled by others.
The IdP can control how, where and for what purpose an identity is used:
censorship
surveillance
Only suitable for low-impact use cases, e.g. not healthcare.