KIT
Avoiding Unintended Flows of Personally Identifiable Information - Enterprise Identity Management and Online Social Networks
Author: S. Labitzke
Source: Dissertation, ISBN 978-3-7315-0094-0, KIT Scientific Publishing, 2013
Today's online IT services are provided more and more ubiquitously. However, many of these services can only be used if they are provided with personally identifiable information (PII), either by the users themselves or by another service that provides the information. IT service providers make use of this PII to perform access control decisions or to provide the service at all. Although users can often adjust certain settings to influence the accessibility or forwarding of PII, a significant number of users are not aware of the risks, e.g., privacy risks, associated with certain possible flows of PII. Hence, we can often identify a lack of understanding of the implications of flows of PII, an understanding that, in turn, would constitute an essential basis for adjusting the provided settings adequately. In particular, in the context of Online Social Networks (OSNs), such inappropriately adjusted settings induce unintended flows of PII to third parties. Since those third parties can make use of this PII to, for instance, create comprehensive digital images of a particular user (i.e., profiling), shared PII poses privacy risks and can induce damage. Therefore, in the following, we state the main research questions addressed in this dissertation: How can the unintended proliferation of PII be quantified? How can developers and administrators of an enterprise environment, as well as users within an OSN environment, be supported to control and monitor existing unintended data flows, and how can they avoid unintended flows of PII before their occurrence? Furthermore, the thesis addresses which pieces of personally identifiable information can be gathered, correlated, or even predicted (if not accessible) by third parties, and how often, to be used for their (possibly illegal) business.
In light of the aforementioned research questions, the goals of this dissertation are twofold: On the one hand, we investigate components provided within enterprise environments that constitute a basis to integrate IT services in order to provide uniform service access, i.e., enterprise identity management systems. On the other hand, we focus on OSNs and the users' behavior regarding the public sharing of information in order to quantify the mass of data available to the public and to identify corresponding privacy risks. For both areas of research, i.e., enterprise identity management and OSNs, we initially identify PII that can potentially be accessed by third parties in an unintended manner. Furthermore, we investigate the implications of publicly shared PII and, finally, we introduce implemented measures to avoid unintended flows of PII and to show users the potential receivers of their shared information, as well as the corresponding privacy risks.