Designing a GDPR compliant blockchain-based IoV distributed information tracking system
Introduction
Privacy issues and their regulation are a timely and pressing topic in the European Union regulatory debate. The introduction of the General Data Protection Regulation (GDPR), and of all national laws recognizing, implementing or developing it, has noticeably influenced both the provisioning of technological services and the common attitude towards one's own personal data. When sensitive data (“special categories of personal data”, as defined in Article 9 of GDPR) generated by a plurality of subjects, or connected to the interest of a plurality of subjects, have to be collected, maintained and kept unaltered but inaccessible until access is legally authorized, current solutions, as in the case of Italy, are based on registries owned and managed by public regulators, with insertion or updating procedures that are generally complex but in any case certified. The regulator can manage this registry as a whole, if the frequency of operations can actually be handled; as a system of partial registries, distributing operations on the basis of proper criteria (e.g., according to a well-defined geographic partitioning); or by acting as the top authority of a tree of delegated registries that are provided by third parties according to specific agreements and duties (e.g., the organization of the Italian Sistema Pubblico di Identità Digitale, or SPID, which allows online legal identification of persons by using tokens issued by third parties that can verify credentials, or Posta Elettronica Certificata, or PEC, a legally valid email system that ensures timestamping, delivery and identity of parties). However, these solutions represent a logical single point of failure, when not distributed; a cost (including technical, organizational and bureaucratic components), when maintained by public regulators; or a strong delegation choice, when involving commercial third parties that may also be providing other non-regulated services, potentially exposed to security breaches.
The application of blockchain technology in the Internet of Vehicles (IoV) domain offers a new solution to this kind of problem. The use of a blockchain, and of distributed ledgers, is changing the approach to registry maintenance by offering a number of advantages: first of all complete distribution and replication, fairness, reliability, openness, and the sharing of responsibilities. When registered data may be significant as proof in situations in which blockchain users are in conflict of interest, the advantage is that each party (or a proxy of it) already has a copy of all data, available, trustworthy and non-repudiable, that can be used to confirm the veracity of the contained information even if that information is not directly accessible. This opens the possibility of using blockchain-based solutions in privacy-related applications, by means of a digital signature mechanism based on asymmetric keys (e.g., the Italian firma digitale standard, as established by law with the Codice dell’Amministrazione Digitale and its modifications) that exploits the public signature of a regulator. A relevant application field is the tracking of all critical information in the automotive sector, including circulation. In this case, both kinds of information, privacy-related and commercially relevant, are to be tracked and protected, and visible only to a court (e.g., in case of accidents or other legal infringements) or to one of the subjects (e.g., the anonymized diagnostic data might be accessible to the manufacturer for statistical reasons, possibly to recall a batch of vehicles in case of problems).
The rise of the Internet of Vehicles, which enables a large number of services ranging from vehicle-to-vehicle communication to autonomous driving and platooning, to the interaction with smart roads (Karpiriski, Senart, & Cahill, 2006), makes it feasible to use a blockchain for traffic monitoring, security and safety support, and the resolution of legal issues, because of the native integration of sensing and computing on board and the possibility of capturing and cross-comparing the local state of the traffic. Moreover, production and maintenance information may soon be seamlessly integrated with the same technology, as the literature reports the appearance of blockchains to support the supply chain in manufacturing sectors like aerospace and automotive. The availability (with private, limited or shared visibility) of all relevant information may help stakeholders (insurers, manufacturers, garages, black box service providers, smart road concessionaires) in supporting their internal processes, in discharging or proving responsibilities in case of problems, in certifying operations and in disambiguating critical situations with a lower level of risk; reducing the need for unilateral preventive on-line data collection solutions makes sharing such a blockchain infrastructure viable and convenient (Campanile, Iacono, Levis, Marulli and Mastroianni, 2020). Moreover, a careful design of the data management and signature mechanism may also make it possible to implement different levels of privacy, so that non-personal but commercially significant data are certified and accessible by the authorized party to produce additional information-driven services in the interest of the final users.
In this paper we propose a framework for the integration, collection, storage and management of information about circulating vehicles, based on blockchain and the Internet of Vehicles, oriented to securing GDPR compliance and facilitating law enforcement and operations, to be applied on a national or international basis. In this paper we focus especially on privacy-related issues, as they have a central role in the current regulations when dealing with data that can affect personal information, rather than on performance: consequently, evaluations and analyses are performed from the perspective of Data Protection Impact Assessment (DPIA) risk analysis, following the procedures and using the tools that are compliant with the directives of the competent authorities. Our goal is to stimulate the interest of stakeholders and promote public initiatives around our concept, and to raise the interest of researchers and practitioners in these topics. To the best of our knowledge, no other proposal with the same characteristics has been discussed in the literature. After this introduction, Section 2 presents related work, Section 3 describes our proposal, Section 4 presents a conceptualization of the aspects of a possible blockchain for the architecture, and Section 5 discusses GDPR compliance for sensitive parts and the related DPIA risk analysis (detailed in the Appendix). Conclusions follow.
Section snippets
Related work
A blockchain (Crosby, Pattanayak, Verma, Kalyanaraman, et al., 2016) is essentially a public ledger or a distributed database of all digital events and transactions that have been executed and shared among participating entities. Blockchains are well known for their feature of data immutability (Zheng, Zhu, & Si, 2019): they consist of an open and distributed ledger running over a peer-to-peer (P2P) network that can manage transactions for multiple entities efficiently and in a verifiable and
A proposal of system organization
The main idea behind the concept that inspires our solution is the fact that there are a number of stakeholders who are interested in both managing the information about the behavior of the vehicles and defending themselves from possible liabilities deriving from data detention. Of course such a vast control of data tracking a wide number of events related to personal or commercial information is not acceptable, while the availability of a noncontestable registration and partial access to
Towards an implementation: issues and perspectives
As the focus of this paper is not on implementing the architecture but on showing its ability to support privacy-by-design and responsibility sharing, the modeling and analysis process concerned the basic parts of the system. Due to the complexity of the involved technological stack, detailed design, a fully functional prototype and the analysis of performance issues have mostly been left for future work, and functional specifications plus privacy-related issues have been considered first.
In
Compliance analysis
Ensuring data protection and privacy has become mandatory for Government agencies and enterprises that require personal data of their customers to perform their IT services. Article 35 of the GDPR prescribes that “Where a type of processing in particular using new technologies... is likely to result in a high risk to the rights and freedoms of natural persons” the controller shall carry out a Data Protection Impact Assessment (DPIA), which aims to conduct a systematic risk assessment in order
Conclusions and future work
In this paper we presented a framework to exploit blockchain technologies and IoV technologies to support privacy-oriented, certified and shared information management in the field of transportation and road vehicle circulation. Our proposal fosters collaboration between private stakeholders, public authorities and concessionaires of public services and supports law enforcement, litigation resolution and vehicle safety policies. Our goal was to show that blockchain can support higher privacy
Acknowledgment
This work has been partially founded on research activities that are part of the project “Attrazione e Mobilità dei Ricercatori” Italian PON Programme (PON_AIM 2018 num. AIM1878214-2).
References (47)
- et al., Pf-bts: A privacy-aware fog-enhanced blockchain-assisted task scheduling, Information Processing & Management (2021)
- et al., A survey on Blockchain for information systems management and security, Information Processing & Management (2021)
- et al., An incentive-aware blockchain-based solution for internet of fake media things, Information Processing & Management (2020)
- et al., Blockchain-empowered decentralised trust management for the internet of vehicles security, Computers and Electrical Engineering (2020)
- et al., Robust decentralised trust management for the internet of things by using game theory, Information Processing & Management (2020)
- et al., A blockchain-based secure healthcare scheme with the assistance of unmanned aerial vehicle in internet of things, Computers and Electrical Engineering (2020)
- et al., IoT security: Review, blockchain solutions, and open challenges, Future Generation Computer Systems (2018)
- Blockchain’s roles in strengthening cybersecurity and protecting privacy, Telecommunications Policy (2017)
- et al., Blockchain-based public auditing for big data in cloud storage, Information Processing & Management (2020)
- et al., Data-driven clustering for multimedia communication in internet of vehicles, Future Generation Computer Systems (2019)
- Blockchain for smart homes: Review of current trends and research challenges, Computers and Electrical Engineering
- Towards decentralized IoT security enhancement: A blockchain approach, Computers and Electrical Engineering
- On blockchain and its integration with IoT. Challenges and opportunities, Future Generation Computer Systems
- Taxonomy of information security risk assessment (ISRA), Computers & Security
- Survey on blockchain for internet of things, Computer Communications
- Blockchain-based privacy-preserving remote data integrity checking scheme for IoT information systems, Information Processing & Management
- Redactable blockchain – or – rewriting history in bitcoin and friends
- Automatic classification of road traffic with fiber based sensors in smart cities applications
- Privacy management in Social Internet of Vehicles: Review, challenges and blockchain based solutions, IEEE Access
- Privacy regulations, smart roads, blockchain, and liability insurance: Putting technologies to work, IEEE Security & Privacy
- Privacy regulations challenges on data-centric and IoT systems. a case study for smart vehicles
- Blockchains and Smart Contracts for the Internet of Things, IEEE Access
All authors contributed equally to each phase and contribution in the work related to this paper.