Harnessing Pseudonyms with Implicit Attributes for Privacy-Respecting Mission Log Analysis

Stefan G. Weber
Published in: 2009 International Conference on Intelligent Networking and Collaborative Systems
Publication date: 2009-11-04
DOI: 10.1109/INCOS.2009.40 (https://doi.org/10.1109/INCOS.2009.40)
Citations: 17

Abstract

Many applications in the area of collaborative work can be enhanced by tracking users regularly. Consider a future emergency management application, in which mobile first responders are continuously tracked in order to support a better coordination of the rescue missions and to create a mission log. However, continuous tracking of individuals and storing the data for later use is often in conflict with individual privacy preferences. Therefore, it is a challenge to deal with conflicting traceability and privacy protection requirements. A common way to implement some kind of privacy protection is to use pseudonyms instead of fixed IDs for each user. However, in order to build a multilaterally secure and acceptable solution, a more complex system design with respect to pseudonym linkability is required, one that also allows third parties to analyze the logs for organizational and legal reasons. In this paper, we present our approach to deal with this issue: we propose to encode additional information into pseudonyms that are used in location tracking systems and stored in data logs. Our concept comprises both access rights for the user herself and implicit attributes that may be verified by third parties in a privacy-respecting manner. We introduce the cryptographic constructions, which employ cryptographically secure pseudorandom number generators, threshold cryptography and techniques for securely evaluating encrypted data. Moreover, in this paper, we sketch a practical application example in the area of emergency mission log analysis and discuss the main security properties of our concepts.