Secure and Privacy-Preserving Authentication for Data Subject Rights Enforcement

In light of the GDPR, data controllers (DC) need to allow data subjects (DS) to exercise certain data subject rights. A key requirement here is that DCs can reliably authenticate a DS. Due to a lack of clear technical specifications, this has been realized in different ways, such as by requesting co...

Full description

Saved in:
Bibliographic Details
Published inarXiv.org
Main Authors Hansen, Malte, Büttner, Andre
Format Paper Journal Article
LanguageEnglish
Published Ithaca Cornell University Library, arXiv.org 24.04.2024
Subjects
Authentication
Computer Science - Cryptography and Security
Privacy
Online AccessGet full text

Cover

More Information
Summary:In light of the GDPR, data controllers (DC) need to allow data subjects (DS) to exercise certain data subject rights. A key requirement here is that DCs can reliably authenticate a DS. Due to a lack of clear technical specifications, this has been realized in different ways, such as by requesting copies of ID documents or by email address verification. However, previous research has shown that this is associated with various security and privacy risks and that identifying DSs can be a non-trivial task. In this paper, we review different authentication schemes and propose an architecture that enables DCs to authenticate DSs with the help of independent Identity Providers in a secure and privacy-preserving manner by utilizing attribute-based credentials and eIDs. Our work contributes to a more standardized and privacy-preserving way of authenticating DSs, which will benefit both DCs and DSs.
Bibliography:SourceType-Working Papers-1
ObjectType-Working Paper/Pre-Print-1
content type line 50
ISSN:2331-8422
DOI:10.48550/arxiv.2404.15859