Secure Personal Data Networks: New Approaches with Linked Data


The Bern University of Applied Sciences is working with the Federal Chancellery to develop new ways of securely exchanging sensitive personal data. The project utilizes Linked Data technology and investigates additional protection mechanisms for decentrally stored data. This could enable more efficient collaboration between different authorities’ population registers in the future.

Introduction

In Switzerland, data about natural persons is managed in a decentralized manner and falls under various jurisdictions. Some personal data is stored in the population registers of cantons and municipalities, while other data (e.g., the AHV number) is managed in systems at the federal level. Therefore, using information from different registers is often cumbersome and time-consuming. Linked Data technology could offer a solution here; however, it cannot be used without careful consideration for protected data, such as personal information, and requires additional security mechanisms.

What is Linked (Open) Data?

Linked Data is a technology that connects and relates information – similar to a network. It is based on standards such as RDF (Resource Description Framework) and SPARQL (a query language for RDF), which were published by the W3C. [1] [2] The goal is to store datasets in a decentralized manner and make them interoperable.

The most well-known form is Linked Open Data (LOD), where data is made publicly accessible for free use. An example of LOD in Switzerland is the LINDAS service (Linked Data Service) of the Swiss Federal Archives, through which data, for example on forest fire danger or electricity prices, can be accessed. [3] [4] [5] However, this model is not suitable for sensitive information such as personal data, as it lacks inherent mechanisms for access control and thus data protection.

Advantages of Linked Data for Personal Data

The use of Linked Data has significant potential, for example in the management of personal data. Simplified data exchange between different authorities could replace complex, individually built interfaces and improve reliability.

One example is the collection of radio and television fees: this requires data from different registers to be combined. Since the fees are charged per household, queries are necessary both to the UPI register (Unique Person Identifier, specifically the AHV number) and to the individual municipal population registers, as only these know a person’s registration status.

Decentralized Personal Data with Linked Data

The namesake project of the Bern University of Applied Sciences and the Federal Chancellery has developed the necessary foundations to enable use cases like this through Linked Data. [6] The “O” is removed – the data is no longer open, instead the Linked Data technology is used for sensitive data.

After an initial requirements analysis and the development of various use cases, the market for triplestores (database systems for Linked Data) was examined. The focus was on access control and rights management capabilities, which are necessary for data protection. Both commercial solutions and open source software were compared. The spectrum ranged from non-existent to very comprehensive capabilities. However, no uniform standards were identified, requiring specific approaches depending on the triplestore used. This is suboptimal for a nationwide architecture.

Architecture Variants

Based on the insights gained so far, various architecture variants were developed:

  • Standardization of a triplestore: A uniform triplestore for all participants would standardize an approach to access control. However, this approach is not flexible enough.
  • Config Engine: In this variant, a dedicated language for access control would be defined. Access rules would then be described according to this and translated via software for specific triplestores. This solution would be conceivable but requires a high degree of standardization.
  • SPARQL Proxy: This variant was implemented as a prototype in the project. See next section.
  • Data modeling / Separation: Access can also be restricted through appropriate data modeling. However, this requires data adaptation and is error-prone.
  • Data encryption: As the last examined possibility, data could also be protected through encryption. This presents similar problems to data modeling, plus additional ones such as necessary key management.

Prototype: SPARQL Proxy

The SPARQL Proxy is a concept that provides an intermediary at the SPARQL query level. It acts as an “intelligent filter”: positioned between the requesting entity and the triplestore, it checks each incoming SPARQL query and restricts it according to the entity’s permissions. The modified query is then sent to the actual triplestore. The original query is then reapplied to the data returned by the triplestore, and the result is passed back to the requesting entity. This last step is necessary to preserve the basic structure of the queried data.

A key advantage of the proxy over other architecture variants lies in its flexibility: complex permission checks and fine-grained access controls can be implemented without having to make changes to the underlying triplestores. This makes the SPARQL Proxy an effective solution for protecting Linked Data.
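To make the proxy flow concrete, the following Python code is an added illustration and is not code from the BFH project: it models the radio and television fee use case from above (AHV number from the UPI register, registration status and household from a municipal register) and runs it through the three proxy steps just described. Everything in it is constructed: the in-memory TripleStore stands in for a real triplestore, queries are basic graph patterns (lists of named-graph/triple-pattern pairs) instead of SPARQL text, the permission model (readable graphs plus an allow-list of predicates per requester) is an assumption, and the person IDs, graph names and "AHV-DUMMY-n" values are placeholders.

```python
"""Added example of the SPARQL Proxy concept: restrict, fetch, re-apply.

All data, graph names, permissions and AHV values are constructed dummies.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]
Pattern = Tuple[str, str, str]        # terms starting with '?' are variables
Query = List[Tuple[str, Pattern]]     # (named graph, triple pattern) pairs


def is_var(term: str) -> bool:
    return term.startswith("?")


class TripleStore:
    """Stand-in for a real triplestore: named graphs of (s, p, o) triples."""

    def __init__(self) -> None:
        self.graphs: Dict[str, Set[Triple]] = {}

    def add(self, graph: str, *triples: Triple) -> None:
        self.graphs.setdefault(graph, set()).update(triples)

    def fetch(self, graph: str, pattern: Pattern) -> Set[Triple]:
        """All triples of `graph` matching one pattern (like a CONSTRUCT)."""
        return {t for t in self.graphs.get(graph, set())
                if all(is_var(p) or p == v for p, v in zip(pattern, t))}


def evaluate(query: Query, data: Dict[str, Set[Triple]]) -> List[Dict[str, str]]:
    """Join the patterns of a basic graph pattern over per-graph triple sets."""
    solutions: List[Dict[str, str]] = [{}]
    for graph, pattern in query:
        next_solutions = []
        for sol in solutions:
            for triple in data.get(graph, set()):
                binding, ok = dict(sol), True
                for term, value in zip(pattern, triple):
                    if is_var(term):
                        # a variable already bound elsewhere must agree
                        if binding.setdefault(term, value) != value:
                            ok = False
                            break
                    elif term != value:
                        ok = False
                        break
                if ok:
                    next_solutions.append(binding)
        solutions = next_solutions
    return solutions


@dataclass
class Permission:
    graphs: Set[str] = field(default_factory=set)      # readable named graphs
    predicates: Set[str] = field(default_factory=set)  # visible predicates


class SparqlProxy:
    """Intermediary between requester and store; assumed permission model."""

    def __init__(self, store: TripleStore, permissions: Dict[str, Permission]) -> None:
        self.store, self.permissions = store, permissions

    def restrict(self, requester: str, query: Query) -> Query:
        """Step 1: check the incoming query and rewrite it to the permissions."""
        perm = self.permissions.get(requester, Permission())  # unknown -> nothing
        restricted: Query = []
        for graph, (s, p, o) in query:
            if graph not in perm.graphs:
                raise PermissionError(f"{requester}: graph {graph!r} not readable")
            if is_var(p):
                # variable predicate: expand to the allow-list so the store can
                # never return a predicate outside it
                restricted.extend((graph, (s, a, o)) for a in sorted(perm.predicates))
            elif p in perm.predicates:
                restricted.append((graph, (s, p, o)))
            else:
                raise PermissionError(f"{requester}: predicate {p!r} not permitted")
        return restricted

    def run(self, requester: str, query: Query) -> List[Dict[str, str]]:
        restricted = self.restrict(requester, query)
        # Step 2: send only the restricted query to the store, collect the subgraph
        subgraph: Dict[str, Set[Triple]] = {}
        for graph, pattern in restricted:
            subgraph.setdefault(graph, set()).update(self.store.fetch(graph, pattern))
        # Step 3: re-apply the ORIGINAL query to the response, so the answer keeps
        # the shape the requester asked for but only contains permitted triples
        return evaluate(query, subgraph)


def build_demo() -> SparqlProxy:
    """Constructed registers and permissions for the fee-collection use case."""
    store = TripleStore()
    store.add("upi",                                   # federal UPI register (dummy)
              (":p1", "ahv", "AHV-DUMMY-1"), (":p2", "ahv", "AHV-DUMMY-2"),
              (":p3", "ahv", "AHV-DUMMY-3"),
              (":p1", "birthDate", "1990-01-01"))      # not needed for fees
    store.add("register:bern",                         # municipal register (dummy)
              (":p1", "status", "registered"), (":p1", "household", ":h1"),
              (":p2", "status", "moved-away"), (":p2", "household", ":h1"),
              (":p3", "status", "registered"), (":p3", "household", ":h2"),
              (":p3", "religion", "undisclosed"))      # protected attribute
    perms = {"fee-collector": Permission({"upi", "register:bern"},
                                         {"ahv", "status", "household"})}
    return SparqlProxy(store, perms)


# Original query of the fee collector: persons registered in Bern, with AHV and household.
FEE_QUERY: Query = [
    ("upi", ("?person", "ahv", "?ahv")),
    ("register:bern", ("?person", "status", "registered")),
    ("register:bern", ("?person", "household", "?household")),
]

if __name__ == "__main__":
    proxy = build_demo()
    for row in proxy.run("fee-collector", FEE_QUERY):
        print(row["?ahv"], row["?household"])
```

Running the block prints one row per registered person (the "moved-away" person is dropped by the join on status), and a probe with a variable predicate against the UPI graph returns only `ahv` triples: the `birthDate` triple is never fetched from the store because step 1 expands the variable predicate to the allow-list before the query leaves the proxy. A query that names a non-permitted predicate or graph is rejected outright rather than silently narrowed, which keeps the behaviour auditable.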

Conclusion

The project has demonstrated that the Linked Data approach is also suitable for decentralized personal data in Switzerland. This lays an important foundation for further exploration of the possibilities that the technology offers – particularly in view of digital transformation in public administrations. Besides some specific questions regarding proxy implementation, there are two main open points to be clarified next:

  • Integration with existing Identity and Access Management systems (IAM): For example, connection to IAM Bund.
  • Performance and scalability: How well does the system perform with large amounts of data and many queries?

The BFH could create the next prerequisites for a better-connected administration in Switzerland in a follow-up project.

Sources

[1] W3C RDF Standards incl. SPARQL

[2] https://www.w3.org/

[3] https://lindas.admin.ch/?lang=de

[4] https://environment.ld.admin.ch/foen/gefahren-waldbrand-warnung/1

[5] https://energy.ld.admin.ch/elcom/electricityprice-swiss

[6] https://www.bfh.ch/de/forschung/forschungsprojekte/2024-385-206-909/

Creative Commons Licence

AUTHOR: Pascal Mainini

Pascal Mainini is a tenure-track lecturer at the Institute for Cybersecurity and Engineering (ICE) at the Bern University of Applied Sciences. As an expert in applied cryptography, secure software and hardware, as well as data protection and privacy, he is committed to ensuring the integrity, confidentiality, and security of modern digital systems.
