Second COST EU Workshop on Privacy Issues in Distributed Social Knowledge Graphs PIDSKG23

Start: Mon Feb 13th 2023 at 9:30 (CET) / Mon Feb 13th 2023 at 3:30 (EST) / Mon Feb 13th 2023 at 16:30 (CST)

End: Wed Feb 15th 2023 at 18:00 (CET) / Wed Feb 15th 2023 at 12:00 (EST) / Thu Feb 16th 2023 at 1:00 (CST)

Location: Viale Antonio Genovesi, Fisciano SA, 84084, Ufficio Relazioni con il Pubblico, Italy

About

This workshop series brings together computer scientists and legal experts, with a focus on Solid as a concrete system for data sovereignty, in order to ground a debate around emergent problems from both a technical cybersecurity perspective and the legal perspective of data protection. The first edition was hosted by the University of Luxembourg on 13-15 June 2022, and explored problems concerning privacy in distributed knowledge graphs from an interdisciplinary perspective.

In this second edition of the workshop, we aim to consolidate progress on the problems identified in the first edition and produce a common deliverable. The program will focus on exchanging methodologies, drawing from areas such as cybersecurity and privacy law, that may be brought together to develop privacy solutions for distributed knowledge graphs. Towards this aim, the program will be a mix of talks, demos, and tutorials that present the current state of research and its trajectories.

The workshop comprises talks representing papers (published or in progress), demos, and tutorials in related areas not limited to the following:

1. HCI aspects for information provision and controls

2. Consenting

3. GDPR Compliance

4. Data Governance

5. Cybersecurity compliance (ISO standards)

6. Measures for enhancing security and privacy

7. Cyber-risk assessments and auditing

8. Automating compliance checking and accountability

9. Vulnerability assessment and management

10. Access and usage control policies

11. Emerging privacy legislation and their implications

12. Privacy-preserving data analysis technologies / privacy enhancing technologies

13. Risk and Impact assessments

14. Data spaces

15. Solutions for Data Sovereignty

16. Relation to emerging regulatory frameworks (DGA, DSA, DMA, ePrivacy, AI Act, Data Act, Health Data Spaces)

17. Identity management and authentication

This workshop will place an emphasis on discussing a potential policy layer enhancing existing authentication and authorisation mechanisms, where policies, in addition to constraining operations that agents may perform on data, express information on what is the context, norm, rules, principles, guidelines, or regulation for what/when/who/where/how data should be used, accessed, or otherwise processed. A policy layer is where the typical information for determining access (i.e. request notice) and its decision (e.g. consent or permission) are concerned. We expect an output of the workshop to include a report specifying the consensus of participants on the requirements of such a policy layer.



Travel Guide

We will hold our workshop on our university campus (building F2 - https://web.unisa.it/vivere-il-campus/unisa-experience/campus-map). The nearest hotel is https://www.hoteldeiprincipati.it/; on the booking website the room rate is 68€. There are also hotels in Salerno city, which is connected to the campus by a bus line (number 17). The timetable is available at https://www.fsbusitalia.it/content/fsbusitalia/it/campania/orari-e-linee.html. You can also consider booking a hotel in Napoli; from the central train station there is a direct bus to our campus (it takes an hour).

To reach Salerno, you have two flight options. The first is to arrive at the Rome airport, i.e., Fiumicino airport, from where there is a direct bus to our campus; the timetable is available from https://www.omio.com/.

Alternatively, you can take a train from the airport to Rome central station, and then a high-speed train to Salerno central station. There are two high-speed train operators, Italo and Trenitalia, and their websites (https://www.italotreno.it/it, https://www.trenitalia.com/it.html) list plenty of options from Rome to Salerno.

The other possibility is to fly directly to Napoli airport, and there are a lot of low-cost airlines serving this airport from all over Europe. From the Capodichino airport, there is a direct bus to the campus, and also to Salerno (which can be reached with direct trains from the Napoli central station).



Journal Issue

In the Luxembourg meeting we identified a journal publication opportunity for documenting your work and as a possible venue for publications based on COST collaborations. We have extended the deadline to 31 May 2023 so that outputs from the February and March COST meetings can be included.

The special issue is as follows: MDPI Information Journal Special Issue "Addressing Privacy and Data Protection in New Technological Trends", edited by:

  • Dr. Harshvardhan J. Pandit, ADAPT, Dublin City University, Ireland
  • Dr. Rob Brennan, ADAPT, University College Dublin, Ireland
  • Dr. Victor Rodriguez, Ontology Engineering Group, Universidad Politécnica de Madrid, Spain

For full call see: https://www.mdpi.com/journal/information/special_issues/Addressing_Privacy_Data_Protection

Please note that as editors we have agreed with MDPI that fees will be waived for 6 submissions and so cost should not be a barrier to submission for high quality papers. All publications will be open access.



Schedule

Monday 13 February 2023 (short papers):

9:30-11:00: Ross Horne welcome 15mins, Christian Esposito 20mins on Solid Verif: Verifiable Credentials and Solid, Dragan Ivanovic, University of Novi Sad 45mins Chair: Ross Horne

Speaker: Dragan Ivanovic, University of Novi Sad

Title: Implementation of authorization aspects into the VIVO dynamic API

Abstract: At the moment, the VIVO platform supports a SPARQL API endpoint which can be used for getting/ingesting data by using SPARQL select and construct queries. We have started working on a Dynamic API which should enable making endpoints for fetching and ingesting data from/to knowledge-based graphs by using the Dynamic API ontology. One part of the ontology will be used for authorization. Besides covering security aspects for ingesting new data, it should also enable the definition of which part of data from the graph can be fetched by whom in accordance with GDPR and other privacy legislation. Moreover, the ontology for definition of the endpoint will enable VIVO customers to develop endpoints in accordance with needs and privacy regulations at their institutions. An interest group within the VIVO community has been formed to work on this issue - https://wiki.lyrasis.org/display/VIVO/Dynamic+API+Task+Force.

11:00-11:30: buffet second breakfast

11:30-13:00: Christoph Braun 45mins, Anastasia Dimou 45mins Chair: Beatriz Esteves

Speaker: Anastasia Dimou, KU Leuven

Title: Interpreting access control policies in raw data as access control policies for the RDF graph

Abstract: To support real-world applications with knowledge graphs based on Solid or Semantic Web technologies in general, suitable access control needs to be in place. Different access control models, policies and enforcement frameworks were proposed in the past. Different models which were originally proposed for raw data were also applied to RDF graphs, such as the Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC) or View-Based Access Control (VBAC). Different languages were proposed as well to describe policies, e.g., the Open Digital Rights Language (ODRL), the eXtensible Access Control Markup Language (XACML) and DAML+OIL, accompanied by corresponding enforcement frameworks, such as the XACML engine to enforce the policies described with XACML and DQL queries for DAML+OIL query patterns. In particular in the case of Solid, the Access Control List (ACL) model was considered, enforced with Web Access Control, and the Access Control Policy (ACP).

In all cases, the access control policy is defined over the knowledge graph, ignoring any access control policy that holds for the original raw data where the RDF graphs come from. RDF graphs are often constructed from (semi-)structured heterogeneous data such as tabular-structured data, e.g., data in DB tables or in CSV format, or hierarchical-structured data, e.g., data in XML or JSON format. These data are originally stored in e.g., relational or NoSQL databases, files, Web APIs etc. and are subject to access control policies. When the RDF graph is constructed from e.g., a relational database, the access control policies which are already established are not transferred to the RDF graph. So far, it was not thoroughly investigated how the access control policies for the raw data can be aligned with access control policies for the RDF graph which were constructed based on this raw data. Only Kirrane in her PhD dissertation discussed a Proof of Concept for a use case where the access control of the database is considered but the solution is not generalizable.

In our ongoing work, we are looking into how the access control policies of the raw data can be interpreted to access control policies for the RDF graph. We investigate how the different access control models and policies that apply to the raw data can be translated to the same or other access control models and policies for the RDF graph and how they can be enforced both in the case of materialized and virtual RDF graphs both for the construction of a knowledge graph as well as for the update of a knowledge graph as they come with different challenges. Applying this solution to the Solid ecosystem would facilitate the access control administration and maintenance as the RDF graph will be constructed with some preliminary access control policy in place. The access control policies only need to be refined then and kept in synchronisation with the original data.

Speaker: Christoph Braun, Karlsruhe Institute of Technology (KIT), Germany; Ross Horne, University of Luxembourg, Luxembourg; Tobias Käfer, Karlsruhe Institute of Technology (KIT), Germany

Title: Authentication Protocols based on Verifiable Credentials

Abstract: We examine authentication protocols in the various use cases of the recently emerging Web standards of the W3C Verifiable Credential (VC) data model and W3C Decentralised Identifiers (DIDs). We analyse the trust models underlying these use cases and the desired security properties. We verify that these protocols are robust against man-in-the-middle attacks. This approach yields us precisely evaluated guidelines for implementing authentication protocols employing the latest standards of VC, DIDs and related proposals. Applying and combining the VC recommendation and related specifications in authentication protocols may seem trivial at first, but preliminary investigations show that existing guidelines are not sufficiently tight to guard against man-in-the-middle attacks.

13:00-14:30: Buffet lunch

14:30-15:30: Jan Lindquist, Swedish Institute of Standards (SIS) and Beatriz Esteves, Universidad Politécnica de Madrid, Spain, 1:30h presentation & discussion

Speakers: Jan Lindquist, Swedish Institute of Standards (SIS); Beatriz Esteves, Universidad Politécnica de Madrid, Spain

Title: Privacy Receipts in Solid Pods

Abstract: There are areas in Solid that need to be further developed both at specification and open source levels. This article will explore some of these limitations and propose a way forward with potentially some prototypes for demonstration. The main goal is to tie it to standard developments like the ISO/IEC 27560 Consent Record Information Structure and the Kantara Consent Receipt Specification. In addition, the ODRL profile for Access Control (OAC) policies will be explored and extended to deal with the requirements brought by the previously mentioned standards and to provide standardised privacy receipts as a form of data sharing agreements for the provision of data stored in Solid Pods while recording metadata regarding entities, data sources, and other provenance information. The questions to be answered by the article are:

  1. “The Solid specifications currently do not support or specify any form of agreements regarding provisioning of Pods or resources, or for Apps.” (Clause 3.5 Contracts and Agreements).
  2. “Solid’s specifications support specifying who can write or edit data, but do not record its provenance in a direct manner.” (Clause 4.7, Actor Layer)
  3. “Solid currently supports an extremely limited form of logging, where decisions related to authorisations are recorded in a registry, and an Access Receipt is provided as a success response after authorisation.” (Clause 4.8 Logging layer)

15:30-16:00: Coffee and refreshment

16:00-18:00: Marcu Florea 40min, Efstratios Koulierakis 40mins, Livio Robaldo 40mins. Chair: Arianna Rossi

Speaker: Livio Robaldo, Swansea University, UK

Title: Deontic statements in RDF

Abstract: Representing deontic statements (obligations, prohibitions, etc.) from legislation, while connecting them with context-specific roles, data categories, etc. is not very useful unless automated inferential rules to check their compliance on input states of affairs are provided. Checking compliance of deontic statements has been addressed in decades of past literature in deontic logic and normative reasoning. However, most of this literature focuses on the propositional level; thus, the proposed approaches are inadequate to handle data in RDF, which is a first-order format. The evolution of these approaches in that sense is the object of current research. In fact, it appears crucial to research and implement compliance checkers able to directly process data in RDF format, under the hypothesis that more and more (big) data in this format are becoming available nowadays worldwide, in a multitude of different domains. The workshop will present two possible formalizations in SHACL and ASP-Core-2 and a comparison between the two, also in terms of simulations with respect to shared synthetic datasets. This will complement ongoing research initiatives in Solid-based compliance checking of Data Protection requirements, within the present COST Action and beyond.

Speaker: Marcu Florea, University of Groningen, Netherlands

Title: Pre-configured privacy preferences and consent under GDPR

Abstract: The SOLID model promises to give individuals more power by allowing them to control the access to and the modification of their data. The data is decoupled from the services that use it and hosted in a personal repository called a data pod. Whilst this structure is promoting autonomy and self-determination, its feasibility might be undermined by the time and effort that exercising such control requires. If the access to the data is possible only with the permission of the user, the data subjects will be faced with a myriad of choices. Considering their limited time and cognitive capacity, the promised control might lose its meaning and be transformed into a formal and repetitive approval. This contribution analyzes a potential solution to avoid this information and choice overload: matching predefined choices made by users to application requests to process the personal data stored in a SOLID data pod.

Speaker: Efstratios Koulierakis, Faculty of Law, University of Groningen

Title: The Importance of Expressing GDPR Certificates and Codes of Conduct in Machine Readable Format

Abstract: The present submission is a contribution to the topic of automation of compliance checking and accountability. Specifically, there are policy languages, vocabularies as well as transparency and compliance techniques that make use of Resource Description Frameworks, Extensible Markup Language and linked data principles with the aim of achieving compliance with the obligations of the General Data Protection Regulation (GDPR). Such examples are the SPECIAL Policy Language, the SPECIAL Log Vocabulary and the Data Privacy Vocabulary (DPV). Meanwhile, there is ongoing scientific work for the usage of such tools within the context of SOLID. With the use of these technical solutions one can transpose compliance and accountability policies into machine readable format.

Thus, there are tools that aim at expressing data protection policies. However, the question that arises from a legal perspective is what kind of policies should be implemented. In that regard, the GDPR uses abstract expressions which make it difficult for developers of digital applications to understand what it takes to bring their products in compliance with EU data protection law.

In relation to that challenge, the present submission proposes that documents, which have been officially approved in accordance with the GDPR can offer guidance as to what policies one should express in machine readable format. In particular, the focus is on officially approved codes of conduct (article 41 GDPR) and data protection certificates (articles 42-43 GDPR). In that regard, the contribution analyses the importance of officially approved data protection certificates and codes of conduct in comparison to documents that have been developed outside of the GDPR framework. Furthermore, it gives illustrative examples, where these officially approved documents lay down specific personal data processing policies.

In conclusion, this submission proposes the use of the existing policy languages and vocabularies with the aim of expressing the policies in certificates and codes of conduct that have been developed within the GDPR framework.

19:00 dinner: La Bottega Dei Mangiari, Via Roma, 35, 84084 Fisciano SA

https://www.google.com/maps/dir/40.7747822,14.7892919/La+Bottega+Dei+Mangiari,+Via+Roma,+35,+84084+Fisciano+SA/@40.7719074,14.791323,17z/data=!3m1!4b1!4m10!4m9!1m1!4e1!1m5!1m1!1s0x133bc5a9e995c38b:0xa3f282ee497847b2!2m2!1d14.7977439!2d40.7690316!3e2

Tuesday 14 February (workshops & short papers):

9:30-11:00: Arianna Rossi, University of Luxembourg, Iris Xu & Aurelia Tamo-Larrieux, Maastricht University Part I: HCI and privacy

11:00-11:30: second breakfast

11:30-13:00: Arianna Rossi, University of Luxembourg, Iris Xu & Aurelia Tamo-Larrieux, Maastricht University Part II: HCI and privacy

Abstract: We have different styles of elaborating data-related information (e.g. experts vs laypeople) as well as varying data sharing preferences. Asking users to continuously interact with data permission requests does not necessarily enhance their autonomy and their agency over their data - quite the contrary. The personalisation of transparency and data permissions may constitute an answer to such challenges: it can be achieved through manual configuration, based on the user's social networks, personalized assistance (e.g. chatbots), data-driven personalization based on past preferences and behaviors, and many more. This 3-hour workshop will explore this topic in an interdisciplinary manner through foresight techniques like backcasting. Guiding questions:

  • To what extent does Solid enable the personalization of disclosures and the tailoring of data permission requests?
  • Which solutions seem the most promising? What requirements?
  • What are the benefits and risks?
  • What is feasible from a technical, usable and legal perspective?

13:00-14:30 Buffet lunch

14:30-16:00: parallel collaboration sessions TBC.

16:00-16:30: coffee and refreshments

16:30-18:00: Gertjan De Mulder 45min, Ines Akaichi 45mins Chair: Livio Robaldo

Speaker: Gertjan De Mulder, SolidLab, Ghent University – imec; Ruben Verborgh, SolidLab, Ghent University – imec

Title: End-user identity in Solid: the interoperability problem space

Abstract: The Solid ecosystem uses a decentralized mechanism of WebIDs to identify agents and to manage their access control. As the number of participants in the ecosystem increases, the question of how to manage a multitude and variety of WebIDs becomes increasingly pressing. To this end, we performed an assessment of the current state of end-user identity and the demands going forward. This document examines the interoperability angle for personal identity within Solid, providing strict technical as well as looser interpretations of the WebID concept, building upon these to outline the problem space as well as directions for solutions. We discuss the necessity of a shared understanding, and describe challenges including anonymity and pseudonymity, extending the identifier space, and disambiguating different WebIDs and identity providers pertaining to the same end-users. We thereby provide a blueprint for the work needed to mature the Solid ecosystem with regard to identity.

Speaker: Ines Akaichi, Giorgos Flouris, Irini Fundulaki, Sabrina Kirrane (Institute for Information Systems and New Media, WU, Vienna, Austria; Foundation for Research and Technology, Crete, Greece)

Title: A Semantic Policy Language for Usage Control

Abstract: Growing dynamic and distributed environments, such as the web or IoT-based data sharing systems, pose new challenges in terms of unpredictability and dynamicity, which require tools that offer fine-grained and continuous protection of digital assets. Usage control is a powerful approach to ensure compliance with data protection, copyright and institutional policies. Despite considerable progress in specifying and enforcing access control policies, most current solutions to enforcing usage control lack support for automated compliance checking. This is usually attributed to the fact that their policy languages lack underlying formal semantics. Usage control policies cover who can access what data (permissions and prohibitions), but also how data may or may not be used after access has been granted (obligations and dispensations), under which conditions. At present, there exists a limited number of logic-based usage control policy languages that aim to provide support for either conditional permissions or obligations with support for limited types of conditions. Given that formal semantics are needed to account for the unpredictability and dynamics of distributed environments by ensuring policy consistency and continuous compliance, our work focuses on developing a flexible and general logic-based policy language for usage control. Our language is based on deontic conditional rules, which allows various usage control requirements to be described in terms of permissions, prohibitions, obligations, dispensations, and various related usage conditions that are encountered in usage control scenarios.

19:00 dinner: Madegra, Piazza della Concordia, 35, 84123 Salerno SA

https://www.google.com/maps/dir/40.7747822,14.7892919/Madegra,+Piazza+della+Concordia,+35,+84123+Salerno+SA/@40.7245336,14.7453843,13z/data=!3m1!4b1!4m10!4m9!1m1!4e1!1m5!1m1!1s0x133bc2396e7f1d33:0x379dab45f0f710c7!2m2!1d14.7706441!2d40.6738638!3e3

Wednesday 15 February (collaboration & broadcast):

9:30-11:00: Parallel session for paper and proposal collaborations, chairs TBC

11:00-11:30: second breakfast

11:30-13:00: Broadcast of workshop outcomes, chair Ross Horne

12:30-14:00: lunch

14:30-18:00: Pompeii



Committee Members

Inès Akaichi, Vienna University of Economics and Business, Austria

Rob Brennan, University College Dublin, Ireland

Beatriz Esteves, Universidad Politécnica de Madrid, Spain

Christian Esposito, University of Salerno, Italy

Olaf Hartig, Linköping University, Sweden

Ross Horne, University of Luxembourg, Luxembourg

Harshvardhan Pandit, Dublin City University, Ireland

Chang Sun, Maastricht University, Netherlands

Livio Robaldo, Legal Innovation Lab Wales, Swansea University, UK

Arianna Rossi, University of Luxembourg, Luxembourg