
Privacy Technologies

Privacy and security are sometimes perceived as opposing concepts, with the argument that ensuring user privacy can undermine security. However, privacy is a cornerstone of cybersecurity. Without it, users and systems are more vulnerable to sophisticated threats, as attackers can leverage precise information about users’ behavior, preferences, and habits.

In recent years, privacy has gained attention thanks to regulatory and legal frameworks such as the General Data Protection Regulation (GDPR). At NICS Lab, however, we have been working on privacy protection since the early 2000s, starting with the PRIVILEGE project. Research at that time focused on anonymous attribute certificates [1], which extend X.509 attribute certificates so that the holder is anonymous by default but can be identified under predefined conditions. We also designed a blind-signature-based protocol for obtaining these certificates, so that the issuer cannot link the certificate it signs to the user who later presents it. Building on this foundation, we defined a formal framework for measuring the degree of anonymity of transactions in credential-based systems [2]. We also explored advanced cryptographic primitives such as Fair Traceable Multi-Group Signatures [3], which include mechanisms for fair anonymity revocation in collaboration with designated fairness authorities, supporting scenarios where accountability is required without compromising the privacy of uninvolved users. More recently, in the context of the ARES project, NICS Lab developed a solution for anonymous age verification [4] based on the Spanish electronic national identity card (DNIe).

Another key area of our research, pursued in several projects including SPRINT and ARES, is privacy protection for resource-constrained devices. This includes extensive work on location privacy in both sensor networks and mobile location-based services. After showing that anonymous communication systems designed to resist traffic analysis on the Internet are unsuitable for sensor networks [5], we tackled the problem of protecting the location of critical nodes [6], namely the source nodes that report events [7] and the base station that collects them [8]. The same challenges carry over to the Internet of Things (IoT) [9]. NICS Lab has also proposed solutions for safeguarding privacy in location-based services. Within the NESSoS EU project, for instance, we designed a deterministic function that maps a geographic position to a region of the map, constructed so that reporting the region leaks no additional information when the user is near a region boundary or moves between regions [10]. Within the SAVE project, we quantified the advantage of an attacker who can issue proximity queries against a mobile target [11].

Privacy can also be safeguarded through controlled data release. NICS Lab has contributed solutions tailored to different contexts. In the CyberSec4Europe EU project, for example, we developed a privacy assistant that manages access to the data collected by personal IoT devices [12] and runs on edge resources close to those devices; this use of the edge is the primary focus of the SMOG and SecurEDGE projects. As part of the PERSIST project we designed a scheme to protect the queries that users submit through sensing-as-a-service platforms [13]; it combines proxy re-encryption with k-anonymity so that both the content of a query and the devices involved in serving it are protected. Also within PERSIST, we proposed a privacy-by-design approach that lets software developers integrate privacy controls into the software development lifecycle and thereby limit data exposure [14]. Finally, as part of the IoTest project we introduced a methodology that incorporates privacy principles and mechanisms into digital forensic frameworks [15], so that the parties in a digital investigation can collaborate while respecting the privacy of the people involved.

Moreover, NICS Lab has addressed privacy in the context of Big Data and artificial intelligence (AI) in several projects, including Big(Priv)Data and CiberIA. For Big Data, we developed a proxy re-encryption based scheme for delegated access to Hadoop clusters [16], enabling privacy-enhanced outsourcing of computation. In AI, our efforts to date have focused on generating synthetic tabular data with strong privacy guarantees [17]. Future work will aim to protect trained AI models so that they can be shared without exposing sensitive information, and to train and run models on obfuscated or encrypted data without compromising their utility. This research is being conducted under the CiberIA project and the Catedra INCIBE-UMA 2023.
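
Proxy re-encryption appears twice on this page (the query-privacy scheme [13] and the Hadoop delegation work [16]) without saying what the proxy actually computes. The following is an added toy example, not code from NICS Lab or from either paper, of the classic Blaze-Bleumer-Strauss (BBS98) ElGamal-based scheme: a delegator (Alice) hands a re-encryption key to an untrusted proxy, which turns ciphertexts encrypted for her into ciphertexts for a delegatee (Bob) without ever seeing the plaintext. The group parameters P, Q, G, the plaintext encoding and all function names are constructed for this illustration and are far too small to be secure; which PRE scheme [13] and [16] actually rely on is not stated on this page.

```python
"""Toy proxy re-encryption (PRE) in the style of the BBS98 ElGamal scheme.

Added illustration, not NICS Lab code. The group parameters are constructed
toy values (a 10-bit safe prime); nothing here is secure or constant-time.
"""
import secrets

# Constructed toy parameters: P = 2*Q + 1 is a safe prime and G = 4 generates
# the order-Q subgroup of quadratic residues mod P.
P = 1019
Q = 509
G = 4


def keygen(sk=None):
    """Return (private key a, public key g^a). A fixed sk is allowed for tests."""
    a = sk if sk is not None else secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def encode(x):
    """Map an integer in 1..Q-1 into the subgroup so it is a valid plaintext."""
    if not 1 <= x < Q:
        raise ValueError("plaintext out of range")
    return pow(G, x, P)


def encrypt(pk, m):
    """BBS98 ciphertext for key g^a: (m * g^k, (g^a)^k) = (m*g^k, g^{ak})."""
    k = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, k, P)) % P, pow(pk, k, P)


def decrypt(sk, ct):
    """Recover m: compute (g^{ak})^{1/a} = g^k, then strip it from c1."""
    c1, c2 = ct
    gk = pow(c2, pow(sk, -1, Q), P)
    return (c1 * pow(gk, -1, P)) % P


def rekey(sk_from, sk_to):
    """Re-encryption key rk = b * a^{-1} mod Q. In BBS98 it is derived from
    both secrets (here simply by a party knowing both, for the toy)."""
    return (sk_to * pow(sk_from, -1, Q)) % Q


def reencrypt(rk, ct):
    """Proxy step: (g^{ak})^{b/a} = g^{bk}. The proxy learns neither m nor g^k."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)


def reverse_rekey(rk):
    """BBS98 is bidirectional: rk^{-1} converts Bob's ciphertexts to Alice's."""
    return pow(rk, -1, Q)


def collude(rk, sk_from):
    """If the proxy and the delegator pool rk and a, they recover b = rk * a."""
    return (rk * sk_from) % Q


def demo():
    """Alice stores data encrypted under her key and delegates access to Bob
    through an untrusted proxy. Returns True if Bob recovers the message."""
    a, pk_a = keygen()
    b, _pk_b = keygen()
    m = encode(123)
    ct_a = encrypt(pk_a, m)        # ciphertext at rest, under Alice's key
    rk = rekey(a, b)               # handed to the proxy once
    ct_b = reencrypt(rk, ct_a)     # proxy transforms it without decrypting
    return decrypt(b, ct_b) == m


if __name__ == "__main__":
    print("delegation works:", demo())
```

Two caveats the toy makes visible: `reverse_rekey` shows that BBS98 is bidirectional, so the same key also converts Bob's ciphertexts back to Alice, and `collude` shows that the proxy together with Alice can recover Bob's private key. Unidirectional, collusion-resistant PRE schemes were developed later precisely to remove these properties, and any deployment that outsources data to a Hadoop cluster or a sensing platform must check which properties the chosen scheme provides.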

References

  1. Vicente Benjumea, Javier Lopez, Jose A. Montenegro and Jose M. Troya (2004): A First Approach to Provide Anonymity in Attribute Certificates. In: 2004 International Workshop on Practice and Theory in Public Key Cryptography (PKC'04), pp. 402-415, Springer, 2004.
  2. Vicente Benjumea, Javier Lopez and Jose M. Troya (2008): Anonymity Analysis in Credentials-based Systems: A Formal Framework. In: Computer Standards & Interfaces, vol. 30, no. 4, pp. 253-261, 2008, ISSN: 0920-5489.
  3. Vicente Benjumea, Seung G. Choi, Javier Lopez and Moti Yung (2008): Fair Traceable Multi-Group Signatures. In: Financial Cryptography and Data Security (FC'08), pp. 265-281, Springer, Cozumel, Mexico, 2008.
  4. Jose A. Onieva, Isaac Agudo, Javier Lopez, Gerard Draper-Gil and M. Francisca Hinarejos (2012): Como proteger la privacidad de los usuarios en Internet. Verificación anónima de la mayoría de edad [How to protect users' privacy on the Internet: anonymous age-of-majority verification]. In: XII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2012), pp. 297-302, Mondragon, San Sebastian (Spain), 2012, ISBN: 978-84-615-9933-2.
  5. Ruben Rios and Javier Lopez (2013): (Un)Suitability of Anonymous Communication Systems to WSN. In: IEEE Systems Journal, vol. 7, no. 2, pp. 298-310, 2013, ISSN: 1932-8184.
  6. Ruben Rios, Javier Lopez and Jorge Cuellar (2016): Location Privacy in Wireless Sensor Networks. Taylor & Francis, 2016, ISBN: 9781498776332.
  7. Ruben Rios and Javier Lopez (2011): Exploiting Context-Awareness to Enhance Source-Location Privacy in Wireless Sensor Networks. In: The Computer Journal, vol. 54, pp. 1603-1615, 2011, ISSN: 0010-4620.
  8. Ruben Rios, Jorge Cuellar and Javier Lopez (2015): Probabilistic Receiver-Location Privacy Protection in Wireless Sensor Networks. In: Information Sciences, vol. 321, pp. 205-223, 2015, ISSN: 0020-0255.
  9. Javier Lopez, Ruben Rios, Feng Bao and Guilin Wang (2017): Evolving Privacy: From Sensors to the Internet of Things. In: Future Generation Computer Systems, vol. 75, pp. 46-57, 2017, ISSN: 0167-739X.
  10. Jorge Cuellar, Martin Ochoa and Ruben Rios (2012): Indistinguishable Regions in Geographic Privacy. In: Ossowski, Sascha; Lecca, Paola (Ed.): Proceedings of the 27th Annual ACM Symposium on Applied Computing (SAC 2012), pp. 1463-1469, ACM, Riva del Garda (Trento), Italy, 2012, ISBN: 978-1-4503-0857-1.
  11. Xueou Wang, Xiaolu Hou, Ruben Rios, Nils Ole Tippenhauer and Martin Ochoa (2022): Constrained Proximity Attacks on Mobile Targets. In: ACM Transactions on Privacy and Security (TOPS), vol. 25, no. 10, pp. 1-29, 2022, ISSN: 2471-2566.
  12. Ruben Rios, Jose A. Onieva, Rodrigo Roman and Javier Lopez (2022): Personal IoT Privacy Control at the Edge. In: IEEE Security & Privacy, vol. 20, pp. 23-32, 2022, ISSN: 1540-7993.
  13. Ruben Rios, David Nuñez and Javier Lopez (2017): Query Privacy in Sensing-as-a-Service Platforms. In: De Capitani di Vimercati, Sabrina; Martinelli, Fabio (Ed.): 32nd International Conference on ICT Systems Security and Privacy Protection (IFIP SEC 2017), pp. 141-154, Springer, Roma, Italy, 2017.
  14. Ruben Rios, Carmen Fernandez-Gago and Javier Lopez (2018): Modelling Privacy-Aware Trust Negotiations. In: Computers & Security, vol. 77, pp. 773-789, 2018, ISSN: 0167-4048.
  15. Ana Nieto, Ruben Rios and Javier Lopez (2017): A Methodology for Privacy-Aware IoT-Forensics. In: 16th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom 2017), pp. 626-633, IEEE, Sydney (Australia), 2017, ISSN: 2324-9013.
  16. David Nuñez, Isaac Agudo and Javier Lopez (2014): Delegated Access for Hadoop Clusters in the Cloud. In: IEEE International Conference on Cloud Computing Technology and Science (CloudCom 2014), pp. 374-379, IEEE, Singapore, 2014, ISBN: 978-1-4799-4093-6.
  17. Pablo Sánchez-Serrano, Ruben Rios and Isaac Agudo (2024): Privacy-preserving Tabular Data Generation: Systematic Literature Review. In: 19th DPM International Workshop on Data Privacy Management (DPM 2024), Springer, Bydgoszcz, Poland, forthcoming.