This paper summarises the results of a workshop at the IFIP Summer School 2015 introducing the EU Horizon 2020 project PRISMACLOUD, that is, Privacy and Security Maintaining Services in the Cloud. The contributions of this summary are three-fold. Firstly, it provides an overview to the PRISMACLOUD cryptographic tools and use-case scenarios that were presented as part of this workshop. Secondly, it distills the discussion results of parallel focus groups. Thirdly, it summarises a ``Deep Dive on Crypto'' session that offered technical information on the new tools. Overall, the workshop aimed at outlining application scenarios and eliciting end-user requirements for PRISMACLOUD.

In this paper, we discuss end user requirements that we elicited for the use of malleable signatures in a Cloud-based eHealth scenario. The concept of a malleable signature, which is a privacy enhancing cryptographic scheme that enables the redaction of personal information from signed documents while preserving the validity of the signature, might be counter- intuitive to end users as its functionality does not correspond to the one of a traditional signature scheme. A qualitative study via a series of semi-structured interviews and focus groups has been conducted to understand stakeholders’ opinions and concerns in regards to the possible applications of malleable signatures in the eHealth area, where a medical record is first digitally signed by a doctor and later redacted by the patient in the cloud. Results from this study yielded user requirements such as the need for suitable metaphors and guidelines, usable templates, and clear redaction policies. 

Recent cryptographic research has devised several new algorithms and protocols with a potential of mitigating several of the most ardent security and privacy threats, existing in currently available public cloud services. Nevertheless, such cryptographic schemes often exhibit counterintuitive functionality to end users, or they work differently to other already established traditional schemes with which users are already familiar. A practical solution to address these problems involves a human centered design approach, deriving Human Computer Interaction (HCI) requirements from consultations and extensive testing with experts, prospective end users, and other stakeholders. The European Horizon 2020 project PRISMACLOUD “Privacy and Security Maintaining Services for the Cloud” uses such an approach and provides HCI patterns as part of its proper cloud service development methodology CryptSDLC to communicate HCI requirements to cloud service designers and user interface implementers. In this article, we present several new cryptographic cloud services, e.g. for redacting digitally signed data, and for redundant storage and sharing of confidential data in a public cloud scenario, together with three example HCI patterns for specific interactions of end users with these services. We show how these patterns were elaborated and validated in practice to prove the suitability for their intended purpose. To summarize, we give an account on our practical experience during the actual prototype development and implementation and show how they constitute an essential element of the CryptSDLC development methodology.

Background: Patients' privacy is regarded as essential for the patient-doctor relationship. One example of a privacy-enhancing technology for user-controlled data minimization on content level is a redactable signature. It enables users to redact personal information from signed documents while preserving the validity of the signature, and thus the authenticity of the document. In this study, we present end users' evaluations of a Cloud-based selective authentic electronic health record (EHR) exchange service (SAE-service) in an electronic health use case. In the use case scenario, patients were given control to redact specified information fields in their EHR, which were signed by their doctors with a redactable signature and transferred to them into a Cloud platform. They can then selectively disclose the remaining information in the EHR, which still bears the valid digital signature, to third parties of their choice. Objective: This study aimed to explore the perceptions, attitudes, and mental models concerning the SAE-service of 2 user roles: signers (medical professionals) and redactors (patients with different technical knowledge) in Germany and Sweden. Another objective was to elicit usability requirements for this service based on the analysis of our investigation. Methods: We chose empirical qualitative methods to address our research objective. Designs of mock-ups for the service were used as part of our user-centered design approach in our studies with test participants from Germany and Sweden. A total of 13 individual walk-throughs or interviews were conducted with medical staff to investigate the EHR signers' perspectives. Moreover, 5 group walk-throughs in focus groups sessions with (N=32) prospective patients with different technical knowledge to investigate redactor's perspective of EHR data redaction control were used. Results: We found that our study participants had correct mental models with regard to the redaction process. Users with some technical models lacked trust in the validity of the doctor's signature on the redacted documents. Main results to be considered are the requirements concerning the accountability of the patients' redactions and the design of redaction templates for guidance and control. Conclusions: For the SAE-service to be means for enhancing patient control and privacy, the diverse usability and trust factors of different user groups should be considered.

The importance and perception of privacy varies from one context to the other. However, everyone values his or her privacy to a certain extent. The subjectivity of that value, attitudes, and behaviors would depend on different entangling factors. It is important to understand the motivation that influences human behavior, whether to protect or share their information. In this paper, we aim at understanding the boundaries of privacy, factors influencing information sharing behavior including experiences (reciprocities of privacy), and efforts taken to protect one’s data. We collected data using quantitative (survey/quiz) and qualitative means (focus groups). In the survey/quiz, our results showed that intrusion experience and awareness have a significant correlation between sharing of data. Furthermore, our focus groups results yielded details on influencing factors for privacy reciprocities and tradeoffs. We discuss our results in terms of privacy incentives and factors influencing the sharing behavior of their information. Finally, we highlight the complexity of behavior where intrinsic and extrinsic motivations could clash and result in a dilemma such as the privacy paradox phenomenon. © 2019, Springer Nature Switzerland AG.

The purpose of this paper is to develop a usable configuration management for Archistar, whichutilizes secret sharing for redundantly storing data over multiple independent storage clouds in a secure andprivacy-friendly manner. Selecting the optimal secret sharing parameters, cloud storage servers and othersettings for securely storing the secret data shares, while meeting all of end user’s requirements and otherrestrictions, is a complex task. In particular, complex trade-offs between different protection goals and legalprivacy requirements need to be made.

Background:Third-party cloud-based data analysis applications are proliferating in electronic health (eHealth) because of the expertise offered and their monetary advantage. However, privacy and security are critical concerns when handling sensitive medical data in the cloud. Technical advances based on “crypto magic” in privacy-preserving machine learning (ML) enable data analysis in encrypted form for maintaining confidentiality. Such privacy-enhancing technologies (PETs) could be counterintuitive to relevant stakeholders in eHealth, which could in turn hinder adoption; thus, more attention is needed on human factors for establishing trust and transparency.

Objective:The aim of this study was to analyze eHealth expert stakeholders’ perspectives and the perceived tradeoffs in regard to data analysis on encrypted medical data in the cloud, and to derive user requirements for development of a privacy-preserving data analysis tool.

Methods:We used semistructured interviews and report on 14 interviews with individuals having medical, technical, or research expertise in eHealth. We used thematic analysis for analyzing interview data. In addition, we conducted a workshop for eliciting requirements.

Results:Our results show differences in the understanding of and in trusting the technology; caution is advised by technical experts, whereas patient safety assurances are required by medical experts. Themes were identified with general perspectives on data privacy and practices (eg, acceptance of using external services), as well as themes highlighting specific perspectives (eg, data protection drawbacks and concerns of the data analysis on encrypted data). The latter themes result in requiring assurances and conformance testing for trusting tools such as the proposed ML-based tool. Communicating privacy, and utility benefits and tradeoffs with stakeholders is essential for trust. Furthermore, stakeholders and their organizations share accountability of patient data. Finally, stakeholders stressed the importance of informing patients about the privacy of their data.

Conclusions:Understanding the benefits and risks of using eHealth PETs is crucial, and collaboration among diverse stakeholders is essential. Assurances of the tool’s privacy, accuracy, and patient safety should be in place for establishing trust of ML-based PETs, especially if used in the cloud.