Start: Mon Feb 13th 2023 at 9:30 (CET) / Mon Feb 13th 2023 at 3:30 (EST) / Mon Feb 13th 2023 at 16:30 (CST)
End: Wed Feb 15th 2023 at 18:00 (CET) / Wed Feb 15th 2023 at 12:00 (EST) / Thu Feb 16th 2023 at 1:00 (CST)
Location: Viale Antonio Genovesi, Fisciano SA, 84084, Ufficio Relazioni con il Pubblico, Italy
This workshop series brings together computer scientists and legal experts, with a focus on Solid as a concrete system for data sovereignty, in order to ground a debate around emergent problems from both a technical cybersecurity perspective, and from the legal perspective of data protection. The first edition was hosted by University of Luxembourg 13-15 June 2022, and explored problems concerning privacy in distributed knowledge graphs from an interdisciplinary perspective.
In this second edition of the workshop, we aim to consolidate progress on the problems identified in the first edition of the workshop and produce a common deliverable. The program will focus on exchanging methodologies, drawing from areas such as cybersecurity and privacy law, that may be brought together to develop privacy solutions for distributed knowledge graphs. Towards this aim the program will be a mix of talks, demos, and tutorials, that aim to present the current state of research, and trajectories.
The workshop comprises talks representing papers (published or in progress), demos, and tutorials in related areas not limited to the following:
1.HCI aspects for information provision and controls
2.Consenting
3.GDPR Compliance
4.Data Governance
5.Cybersecurity compliance (ISO standards)
6.Measures for enhancing security and privacy
7.Cyber-risk assessments and auditing
8.Automating compliance checking and accountability
9.Vulnerability assessment and management
10.Access and usage control policies
11.Emerging privacy legislation and their implications
12.Privacy-preserving data analysis technologies/ privacy enhancing technologies
13.Risk and Impact assessments
14.Data spaces
15.Solutions for Data Sovereignty
16.Relation to emerging regulatory frameworks (DGA, DSA, DMA, ePrivacy, AI Act, Data Act, Health Data Spaces
17.Identity management and authentication
This workshop will place an emphasis on discussing a potential policy layer enhancing existing authentication and authorisation mechanisms, where policies, in addition to constraining operations that agents may perform on data, express information on what is the context, norm, rules, principles, guidelines, or regulation for what/when/who/where/how data should be used, accessed, or otherwise processed. A policy layer is where the typical information for determining access (i.e. request notice) and its decision (e.g. consent or permission) are concerned. We expect an output of the workshop to include a report specifying the consensus of participants on the requirements of such a policy layer.
We will hold our workshop on our university campus (building F2 - https://web.unisa.it/vivere-il-campus/unisa-experience/campus-map). The nearest hotel is https://www.hoteldeiprincipati.it/, on booking website the room rate is 68€. There are hotels in Salerno city, which is connected to the campus with a bus line (number 17). Timetable available at https://www.fsbusitalia.it/content/fsbusitalia/it/campania/orari-e-linee.html. You can also think of booking a hotel in Napoli, and from the central train station, there is a direct bus to our campus (it takes an hour).
To reach Salerno, you have two flight options: to arrive at the Rome airport, i.e., Fiumicino airport, from where there is a direct bus to our campus, here's the timetable from https://www.omio.com/.
Alternatively, you can take a train to Rome central station from the airport, and a high-speed train to Salerno central station. We have two high-speed train operators: Italo and Trenitalia, and throughout their web sites (<https://www.italotreno.it/it, https://www.trenitalia.com/it.html>) there are plenty of options from Rome to Salerno.
The other possibility is to fly directly to Napoli airport, and there are a lot of low-cost airlines serving this airport from all over Europe. From the Capodichino airport, there is a direct bus to the campus, and also to Salerno (which can be reached with direct trains from the Napoli central station).
In the Luxembourg meeting we identified a journal publication opportunity for documenting your work and as a possible venue for publications based on COST collaborations. We have extended the deadline to 31 May 2023 so that outputs from the February and March COST meetings can be included.
The special issue is as follows: MDPI Information Journal Special Issue "Addressing Privacy and Data Protection in New Technological Trends" Edited by Dr. Harshvardhan J. Pandit, ADAPT, Dublin City University, Ireland Dr. Rob Brennan, ADAPT, University College Dublin, Ireland Dr. Victor Rodriguez, Ontology Engineering Group, Universidad Politécnica de Madrid, Spain
For full call see: https://www.mdpi.com/journal/information/special_issues/Addressing_Privacy_Data_Protection
Please note that as editors we have agreed with MDPI that fees will be waived for 6 submissions and so cost should not be a barrier to submission for high quality papers. All publications will be open access.
9:30-11:00: Ross Horne welcome 15mins, Christian Esposito 20mins on Solid Verif: Verifiable Credentials and Solid, Dragan Ivanovic, University of Novi Sad 45mins Chair: Ross Horne
Speaker: Dragan Ivanovic, University of Novi Sad Title: Implementation of authorization aspects into the VIVO dynamic API Abstract: At the moment VIVO platform supports SPARQL API endpoint which can be used for getting/ingesting data by using SPARQL select and construct queries. We have started working on Dynamic API which should enable making endpoints for fetching and ingesting data from/to knowledge based graphs by using the Dynamic API ontology. One part of the ontology will be used for authorization. Besides covering security aspects for ingesting new data, it should also enable the definition of which part of data from the graph can be fetched by whom in accordance with GDPR and other privacy legislations. Moreover, the ontology for definition of the endpoint will enable VIVO customers to develop endpoints in accordance with needs and privacy regulations at their institutions. An interest group within the VIVO community has been formed to work on this issue - https://wiki.lyrasis.org/display/VIVO/Dynamic+API+Task+Force.
11:00-11:30: buffet second breakfast
11:30-13:00: Christoph Braun 45mins, Anastasia Dimou 45mins Chair: Beatriz Esteves
Speaker: Anastasia Dimou, KU Leuven Title: Interpreting access control policies in raw data as access control policies for the RDF graph Abstract: To support real-world applications with knowledge graphs based on Solid or Semantic Web technologies in general, suitable access control needs to be in place. Different access control models, policies and enforcement frameworks were proposed in the past. Different models which were originally proposed for raw data, were also applied to RDF graphs, such as the Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role- Based Access Control (RBAC), Attribute-Based Access Control (ABAC) or View-Based Access Control (VBAC). Different languages were proposed as well to describe policies, e.g., the Open Digital Rights Language (ODRL), the eXtensible Access Control Markup Language (XACML) and the DAML+OIL, accompanied by corresponding enforcement frameworks, such as the XACML engine to enforce the policies described with XACML and DQL queries for DAML+OIL query patterns. In particular in the case of Solid, the Access Control List (ACL) model was considered, enforced with Web Access Control, and the Access Control Policy (ACP).
In all cases, the access control policy is defined over the knowledge graph, ignoring any access control policy that holds for the original raw data where the RDF graphs come from. RDF graphs are often constructed from (semi-)structured heterogeneous data such as tabular-structured data, e.g., data in DB's tables or in CSV format, or hierarchical-structured data, e.g., data in XML or JSON format. These data are originally stored in e.g., relational or NoSQL databases, files, Web APIs etc. and are subject to access control policies. When the RDF graph is constructed from e.g., a relational database, the access control policies which are already established, are not transferred to the RDF graph. So far, it was not thoroughly investigated how the access control polices for the raw data can be aligned with access control policies for the RDF graph which were constructed based on this raw data. Only Kiranne in her PhD dissertation discussed a Proof of Concept for a use case where the access control of the database is considered but the solution is not generalizable.
In our ongoing work, we are looking into how the access control policies of the raw data can be interpreted to access control policies for the RDF graph. We investigate how the different access control models and policies that apply to the raw data can be translated to the same or other access control models and policies for the RDF graph and how they can be enforced both in the case of materialized and virtual RDF graphs both for the construction of a knowledge graph as well as for the update of a knowledge graph as they come with different challenges. Applying this solution to the Solid ecosystem would facilitate the access control administration and maintenance as the RDF graph will be constructed with some preliminary access control policy in place. The access control policies only need to be refined then and kept in synchronisation with the original data.
Speaker: Christoph Braun, Karlsruhe Insitute of Technology (KIT), Germany, Ross Horne, University of Luxembourg, Luxembourg, Tobias Käfer, Karlsruhe Insitute of Technology (KIT), Germany Title: Authentication Protocols based on Verifiable Credentials Abstract: We examine authentication protocols in the various use cases of the recently emerging Web standards of the W3C Verifiable Credential (VC) data model and W3C Decentralised Identifiers (DIDs). We analyse the trust models underlying these use cases and the desired security properties. We verify that these protocols are robust against man-in-the-middle attacks. This approach yields us precisely evaluated guidelines for implementing authentication protocols employing the latest standards of VC, DIDs and related proposals. Applying and combining the VC recommendation and related specifications in authentication protocols may seem trivial at first, but preliminary investigations show that existing guidelines are not sufficiently tight to guard against man-in-the-middle attacks.
13:00-14:30: Buffet lunch
14:30-15:30: Jan Lindquist, Swedish institute of Standards (SIS) and Beatriz Esteves, Universidad Politécnica de Madrid, Spain, 1:30h presentation & discussion
Speakers: Jan Lindquist, Swedish institute of Standards (SIS) Beatriz Esteves, Universidad Politécnica de Madrid, Spain Title: Privacy Receipts in Solid Pods Abstract: There are areas in Solid that need to be further developed both at specification and open source levels. This article will explore some of these limitations and propose a way forward with potentially some prototypes for demonstration. The main goal is to tie it to standard developments like the ISO/IEC 27560 Consent Record Information Structure and the Kantara Consent Receipt Specification. In addition, the ODRL profile for Access Control (OAC) policies will be explored and extended to deal with the requirements brought by the previously mentioned standards and to provide standardised privacy receipts as a form of data sharing agreements for the provision of data stored in Solid Pods while recording metadata regarding entities, data sources, and other provenance information. The questions to be answered by the article are:
15:30-16:00: Coffee and refreshment
16:00-18:00: Marcu Florea 40min, Efstratios Koulierakis 40mins, Livio Robaldo 40mins. Chair: Arianna Rossi
Speaker: Livio Robaldo, Swansea University, UK Title: Deontic statements in RDF Abstract: Representing deontic statements (obligations, prohibitions, etc.) from legislation, while connecting them with context-specific roles, data categories, etc. is not very useful unless automated inferential rules to check their compliance on input states of affairs are provided. Checking compliance of deontic statements has been addressed in decades of past literature in deontic logic and normative reasoning. However, most of this literature focuses on the propositional level; thus, the proposed approaches are inadequate to handle data in RDF, which is a first-order format. The evolution of these approaches in that sense is the object of current research. In fact, it appears crucial to research and implement compliance checkers able to directly process data in RDF format, under the hypothesis that more and more (big) data in this format are becoming available nowadays worldwide, in a multitude of different domains. The workshop will present two possible formalizations in SHACL and ASP-Core-2 and a comparison between the two, also in terms of simulations with respect to shared synthetic datasets. This will complement ongoing research initiatives in Solid-based compliance checking of Data Protection requirements, within the present COST Action and beyond.
Speaker: Marcu Florea, University of Groningen, Netherlands Title: Pre-configured privacy preferences and consent under GDPR Abstract: The SOLID model promises to give individuals more power by allowing them to control the access to and the modification of their data. The data is decoupled from the services that use it and hosted in a personal repository called a data pod. Whilst this structure is promoting autonomy and self-determination, its feasibility might be undermined by the time and effort that exercising such control requires. If the access to the data is possible only with the permission of the user, the data subjects will be faced with a myriad of choices. Considering their limited time and cognitive capacity, the promised control might lose its meaning and be transformed into a formal and repetitive approval. This contribution analyzes a potential solution to avoid this information and choice overload: matching predefined choices made by users to application requests to process the personal data stored in a SOLID data pod.
Speaker: Efstratios Koulierakis, Faculty of Law, University of Groningen Title: The Importance of Expressing GDPR Certificates and Codes of Conduct in Machine Readable Format Abstract: The present submission is a contribution to the topic of automation of compliance checking and accountability. Specifically, there are policy languages, vocabularies as well as transparency and compliance techniques that make use of Resource Description Frameworks, Extensible Markup Language and linked data principles with the aim of achieving compliance with the obligations of the General Data Protection Regulation (GDPR). Such examples are the SPECIAL Policy Language, the SPECIAL Log Vocabulary and the Data Privacy Vocabulary (DPV). Meanwhile, there is ongoing scientific work for the usage of such tools within the context of SOLID. With the use of these technical solutions one can transpose compliance and accountability policies into machine readable format.
Thus, there are tools that aim at expressing data protection policies. However, the question that arises from a legal perspective is what kind of policies should be implemented. In that regard, the GDPR uses abstract expressions which make it difficult for developers of digital applications to understand what it takes to bring their products in compliance with EU data protection law.
In relation to that challenge, the present submission proposes that documents, which have been officially approved in accordance with the GDPR can offer guidance as to what policies one should express in machine readable format. In particular, the focus is on officially approved codes of conduct (article 41 GDPR) and data protection certificates (articles 42-43 GDPR). In that regard, the contribution analyses the importance of officially approved data protection certificates and codes of conduct in comparison to documents that have been developed outside of the GDPR framework. Furthermore, it gives illustrative examples, where these officially approved documents lay down specific personal data processing policies.
In conclusion, this submission proposes the use of the existing policy languages and vocabularies with the aim of expressing the policies in certificates and codes of conduct that have been developed within the GDPR framework.
19:00 dinner: La Bottega Dei Mangiari, Via Roma, 35, 84084 Fisciano SA
9:30-11:00: Arianna Rossi, University of Luxembourg, Iris Xu & Aurelia Tamo-Larrieux, Maastricht University Part I: HCI and privacy
11:00-11:30: second breakfast
11:30-13:00: Arianna Rossi, University of Luxembourg, Iris Xu & Aurelia Tamo-Larrieux, Maastricht University Part II: HCI and privacy
Abstract: We have different styles of elaborating data-related information (eg experts vs laypeople) as well as varying data sharing preferences. Asking users to continuously interact with data permission requests does not necessarily enhance their autonomy and their agency over their data - quite the contrary. The personalisation of transparency and data permissions may constitute an answer to such challenges: it can be achieved through manual configuration, based on the user social networks, personalized assistance (e.g. chatbots), data-driven personalization based on past preferences and behaviors, and many more. This 3 hours workshop will explore this topic in an interdisciplinary manner through foresight techniques like backcasting. Guiding questions:
13:00-14:30 Buffet lunch
14:30-16:00: parallel collaboration sessions TBC.
16:00-16:30: coffee and refreshments
16:30-18:00: Gertjan De Mulder 45min, Ines Akaichi 45mins Chair: Livio Robaldo
Speaker: Gertjan De Mulder, SolidLab, Ghent University – imec Ruben Verborgh, SolidLab, Ghent University – imec Title: End-user identity in Solid: the interoperability problem space
Abstract: The Solid ecosystem uses a decentralized mechanism of WebIDs to identify agents and to manage their access control. As the number of participants in the ecosystem increases, the question of how to manage a multitude and variety of WebIDs becomes increasingly pressing. To this end, we performed an assessment of the current state of end-user identity and the demands going forward. This document examines the interoperability angle for personal identity within Solid, providing strict technical as well as looser interpretations of the WebID concept, building upon these to outline the problem space as well as directions for solutions. We discuss the necessity of a shared understanding, and describe challenges including anonymity and pseudonymity, extending the identifier space, and disambiguating different WebIDs and identity providers pertaining to the same end-users. We thereby provide a blueprint for the work needed to mature the Solid ecosystem with regard to identity.
Speaker: Ines Akaichi, Giorgos Flouris, Irini Fundulaki, Sabrina Kirrane Institute for Information Systems and New Media, WU, Vienna, Austria Foundation for Research and Technology, Crete, Greece Title: A Semantic Policy Language for Usage Control
Abstract: Growing dynamic and distributed environments, such as the web or IoT-based data sharing systems, pose new challenges in terms of unpredictability and dynamicity, which require tools that offer fine-grained and continuous protection of digital assets. Usage control is a powerful approach to ensure compliance with data protection, copyright and institutional policies. Despite considerable progress in specifying and enforcing access control policies, most current solutions to enforcing usage control lack support for automated compliance checking. This is usually attributed to the fact that their policy languages lack underlying formal semantics. Usage control policies cover who can access what data (permissions and prohibitions), but also how data may or may not be used after access has been granted (obligations and dispensations), under which conditions. At present, there exists a limited number of logic-based usage control policy languages that aim to provide support for either conditional permissions or obligations with support for limited types of conditions. Given that formal semantics are needed to account for the unpredictability and dynamics of distributed environments by ensuring policy consistency and continuous compliance, our work focuses on developing a flexible and general logic-based policy language for usage control. Our language is based on deontic conditional rules, which allows various usage control requirements to be described in terms of permissions, prohibitions, obligations, dispensations, and various related usage conditions that are encountered in usage control scenarios.
19:00 dinner: Madegra, Piazza della Concordia, 35, 84123 Salerno SA
9:30-11:00: Parallel session for paper and proposal collaborations, chairs TBC
11:00-10:30: second breakfast
11:30-13:00: Broadcast of workshop outcomes, chair Ross Horne
12:30-14:00: lunch
14:30-18:00: Pompeii
Inès Akaichi, Vienna university of Economics and Business, Austria
Rob Brennan, University College Dublin, Ireland
Beatriz Esteves, Universidad Politécnica de Madrid, Spain
Christian Esposito, University of Salerno, Italy
Olaf Hartig, Linkoping University, Sweden
Ross Horne, University of Luxembourg, Luxembourg
Harshvardhan Pandit, Dublin City University, Ireland
Chang Sun, Maastricht University, Netherlands
Livio Robaldo, Legal Innovation Lab Wales, Swansea University, UK
Arianna Rossi, University of Luxembourg, Luxembourg