Slide 1

© Fraunhofer IESE. Dominik Rost (Fraunhofer IESE), Matthias Naab (Fraunhofer IESE), Joshua Vécsei (Caruso): Lawful Data Processing as an Architectural Challenge for Data Platforms. OOP 2019, Munich.

Slide 2

Industrie 4.0, Smart Farming, Smart Energy, Smart Mobility, Smart Health, Smart Rural Areas, Smart Teams, Smart X: Digital Ecosystems

Slide 3

https://www.computerwoche.de/a/mit-data-hubs-zu-neuen-business-modellen,3546259

Slide 4

DATA HUBS / MARKETPLACE PLATFORMS (diagram): a Data Hub in the middle, brokering between several Data Providers on one side and several Data Consumers on the other.

Slide 5

THE DATA PLATFORM CARUSO

Slide 6

DEVELOPMENT OF CONNECTED VEHICLES IN EUROPE (chart)
Number of European cars and light commercial vehicles in millions for 2015 / 2020 / 2025 (totals 314 / 325 / 344).
Segments: Not Connected; Retrofit (OBD-2, Smartphone, etc.); OEM (Extended Vehicle, Open Telematics, etc.).
Not Connected: 91% (285) in 2015, 51% (165) in 2020, 31% (105) in 2025. The two connected segments (Retrofit and OEM) account for 13 and 16 in 2015, 28% (91) and 21% (69) in 2020, 30% (102) and 40% (137) in 2025.
Source: IHS, LMD, Roland Berger
→ Retrofit suppliers (short-term) & OEM (long-term) become potential data suppliers

Slide 7

ECOSYSTEM WITH B2B MARKETPLACE PLATFORM (diagram): Data Provider and Data Consumer connected through the platform; relationship types B2B, B2C, B2B2C; dimensions Technical, Legal, Business.

Slide 8

ECOSYSTEM WITH B2B MARKETPLACE PLATFORM (diagram, B2C example): OEM (BVW) as data provider, Workshop (1-2-3-Workshops) as data consumer, Car Driver as the end customer; dimensions Technical, Legal, Business.

Slide 9

OUR INITIAL CONNECTED PARTNERS (partner logos, grouped into Data Provider and Data Consumer)

Slide 10

HIGH-LEVEL PLATFORM ARCHITECTURE (diagram): CARUSO DATAPLACE, consisting of a Brokering Engine and a Marketplace, sits between the Partner Systems.
• Data / Service brokered via Caruso, e.g. “mileage of car with VIN XYZ is 10.382”
• Data needed for brokering, e.g. “provider X offers mileage for car with VIN XYZ”

Slide 11

CARUSO DATA CATALOGUE: HARMONIZED IN-VEHICLE DATA
• Vehicle Position, Movement & Surroundings (65): Movement & Distances (12), Time, Position & Orientation (13), Trip Details (16), Driving Assist Data (10), Vehicle Surroundings Data (10), Vehicle Identification (4)
• Vehicle Health & Maintenance (43): Maintenance (19), Malfunctions – DTC (11), Malfunctions – MIL (4), Malfunctions – Occurrence (9)
• Vehicle Non-Powertrain Hardware (76): ABS, ESP & Traction Control (5), Airbags (4), Brakes (13), Doors, Windows & Locks (21), External Hardware (3), Heater & AC (9), Lights (5), Seatbelts (3), Tyres, Steering & Suspension (10), Wipers (3)
• Vehicle Powertrain Resources (57): Air (8), Coolant (8), Fuel – Consumption (10), Fuel – General (19), Oil (12)
• Vehicle Powertrain Hardware (223): Combustion (30), Drive Battery (11), ECUs (31), Electric Vehicle Battery (30), Engine Status (16), Exhaust (39), Ignition (30), Particulate Filter (17), Transmission (19)

Slide 12

DELIVERY OF PERSONAL DATA (diagram): Personal Data flows from the Data Provider through the platform to the Data Consumer (B2B, B2C, B2B2C).

Slide 13

LAWFULNESS OF DATA PROCESSING: CARUSO’S REQUIREMENTS AND SOLUTION APPROACH

Slide 14

GDPR. But no legal advice, and no hard questions please ;)

Slide 15

PERSONAL DATA: “Any information relating to an identified or identifiable natural person” (GDPR Art. 4 No. 1)

Slide 16

PERSONAL DATA: Vehicle Identification Number (VIN)?

Slide 17

PERSONAL DATA CAN HARDLY BE PREVENTED (diagram): Data Provider → platform → Data Consumer (B2B, B2C, B2B2C), with example data items VIN, Battery Level; VIN, Mileage; VIN, Name, Address.

Slide 18

ENSURING LAWFULNESS OF DATA PROCESSING

Slide 19

LAWFULNESS OF PROCESSING (GDPR Art. 6)
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Highlighted options: Contract, Consent, Legitimate Interest

Slide 20

LEGAL OPTIONS: COMPARING OVERVIEW

Legitimate Interest
• Low technical effort
• Further from ExVeh standard
• OEM & Neutral Server give responsibility to service provider
• Feels “looser”
• More difficult to understand
• Legally sound, all involved parties covered
• Higher risk of abuse and damage of image
→ Less technical effort but possibly less convincing and higher risk for partners

Consent
• Higher technical effort
• Closer to ExVeh standard
• OEM and Neutral Server can verify consent from user
• Feels “stronger”
• Easier to understand
• Legally sound, all involved parties covered
• Lower risk of abuse and damage of image
→ More technical effort but possibly more convincing and lower risk for partners

Slide 21

SPECIAL CATEGORIES OF DATA: ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, etc.

Slide 22

LOCATION DATA IS EVIL

Slide 23

CONSENT HANDLING

Slide 24

SETTINGS (diagram)
Roles: Data Provider, Data Consumer / Service Provider, Neutral Server, Registered Keeper / Customer.
Systems: «Neutral Server» Caruso; «Data Provider System» BVW; «Data Consumer System» 1-2-3-Workshops; «Data Consumer System» CloudDriverLog; «Data Consumer System» Fleetr (Fleet System).
Registered keepers / customers: Caroline (private); Plumber Kratz with his employees (commercial, working contract); Carl Fift Car Rental (commercial).
Vehicles: BVW C Series private car, BVW Minivan, BVW rental cars, each registered to one of these keepers. Apps in use: MyCarData App, CloudDriverLog App, Fleetr WebApp.
Contracts shown: Working Contract, Commercial Usage Contract, Work Contract, Rental Contract, Data Processor Contract.

Slide 25

REQUIREMENTS FOR CONSENT HANDLING
• The solution approach must fulfill the regulations of the GDPR
• The data consumer must not be required to interact with all data providers individually
• Involved parties must know and be able to store the message that users have been shown and to which they gave consent
• The data provider should not be able to identify the data consumer
• The data provider should not be able to identify the user / registered keeper
• The data provider should not be required to trust a third party unconditionally
• The solution approach should be compliant with current ExVe standard ideas
• The solution approach should be easily implementable for the data consumer
• The solution approach should impede unlawful processing of personal data
• The solution should utilize a standard security technology
• The Neutral Server could be designed so that it does not need to store personal data of the user
• The user could be able to manage given consent at a central place
• The user could give consent to a whole chain of organizations in a given use case

Slide 26

USE EXISTING SECURITY SOLUTION: OAUTH2 (diagram)
Data Provider: «Resource Server» BVW Data Server, «Authorization Server» BVW Authorization Server. Data Consumer: «Client» 1-2-3-Workshops System Service Backend. «Resource Owner» Registered Keeper Caroline, «User Agent» MyCarData App.
1. provide auth link in app
2. call auth link via app
3. request authorization for Client
4. authorize
5. provide access token & refresh token
6. get data (access token)
7. check token and return data
Neutral Server?

Slide 27

SOLUTION ALTERNATIVES

Slide 28

SOLUTION ALTERNATIVE 1 (diagram): Authorization Server: Data Provider; Client: Data Consumer.
Data Provider: «Resource Server» BVW Data Server, «Authorization Server» BVW Authorization Server. Data Consumer: «Client» 1-2-3-Workshops Service Backend. Neutral Server: Neutral Server Brokering Server.

Slide 29

SOLUTION ALTERNATIVE 1 (diagram): Data Provider («Resource Server» BVW Data Server, «Authorization Server» BVW Authorization Server), Data Consumer («Client» 1-2-3-Workshops Service Backend), Neutral Server (Neutral Server Brokering Server), «Resource Owner» Registered Keeper Caroline, «User Agent» MyCarData App.
1. authorize
2. provide access token & refresh token
3. request data (access tokens)
4. request data (forwarded access token)
5. return data
6. return data

Slide 30

SOLUTION ALTERNATIVE 1 (diagram, many providers): several «Resource Server» Data Provider Data Servers, each with its own Registered Keeper; «Client» 1-2-3-Workshops Service Backend; Neutral Server Brokering Server.
1. refresh access tokens (refresh tokens)
2. request data (VINs, access tokens)
4. get corresponding providers for VINs
4. request data (VINs, forwarded access token)

Slide 31

SOLUTION ALTERNATIVE 2 (diagram): Authorization Server: Neutral Server; Client: Data Consumer.
Data Provider: BVW Data Server. Data Consumer: «Client» 1-2-3-Workshops Service Backend. Neutral Server: «Authorization Server» Neutral Server Authorization Server, «Resource Server» Neutral Server Brokering Server.

Slide 32

SOLUTION ALTERNATIVE 2 (diagram): Data Provider (BVW Data Server), Data Consumer («Client» 1-2-3-Workshops Service Backend), Neutral Server («Authorization Server» Neutral Server Authorization Server, «Resource Server» Neutral Server Brokering Server), «Resource Owner» Registered Keeper Caroline, «User Agent» MyCarData App.
1. authorize
2. provide access & refresh token
3. request data (access token)
4. request data
5. return data
6. return data
Trust :(

Slide 33

SOLUTION ALTERNATIVE 3 (diagram): Authorization Server: Data Provider; Client: Neutral Server.
Data Provider: «Resource Server» BVW Data Server, «Authorization Server» BVW Authorization Server. Data Consumer: 1-2-3-Workshops Service Backend. Neutral Server: «Client» Neutral Server Brokering Server.

Slide 34

SOLUTION ALTERNATIVE 3: CONSENT PROVISIONING (diagram): Data Provider («Resource Server» BVW Data Server, «Authorization Server» BVW Authorization Server), Data Consumer (1-2-3-Workshops Service Backend), Neutral Server («Client» Neutral Server), «Resource Owner» Registered Keeper Caroline, «User Agent» MyCarData App.
1. start consent process (first time use, new car registered)
2. request auth link (VIN, purpose, data items)
3. store mapping state id -> VIN, purpose, data items
4. return VIN-specific auth link (id in state, data items, purpose in scope)
5. provide auth link in app (NS callback, NS clientID, id in state, data items, purpose in scope)
6. call auth link via app
7. request authorization for Neutral Server
8. authorize
9. check credentials & store consent
10. provide access token & refresh token (state)
11. store mapping VIN, purpose -> tokens
11. notify successful authorization
No trust required :) Single point of interaction :) Platform handles consent :) Data consumer remains anonymous :)
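As an added example (not Caruso's or Fraunhofer IESE's code), a minimal Python model of the Neutral Server side of Solution Alternative 3: steps 2-4 (opaque state id mapped to VIN, purpose and data items; VIN-specific auth link with data items and purpose in scope) and steps 10-11 (callback with code and state, VIN, purpose -> tokens mapping, notification to the data consumer). The client id, callback URL, provider endpoint and the token exchange callable are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

NS_CLIENT_ID = "caruso-neutral-server"                 # assumed NS client id at the provider
NS_CALLBACK = "https://ns.example/oauth/callback"      # assumed NS callback URL
PROVIDER_AUTH = "https://bvw.example/oauth/authorize"  # assumed provider auth endpoint

_pending = {}   # step 3: state id -> (VIN, purpose, data items)
_consents = {}  # step 11: (VIN, purpose) -> tokens + data items

def request_auth_link(vin, purpose, data_items):
    """Steps 2-4: the data consumer asks for a VIN-specific auth link.
    The state carries only an opaque id, so the provider learns neither
    the consumer's identity nor anything beyond scope (data items + purpose)."""
    state = secrets.token_urlsafe(16)
    _pending[state] = (vin, purpose, tuple(data_items))
    query = {
        "response_type": "code",
        "client_id": NS_CLIENT_ID,
        "redirect_uri": NS_CALLBACK,
        "state": state,
        "scope": " ".join(list(data_items) + [f"purpose:{purpose}"]),
    }
    return f"{PROVIDER_AUTH}?{urlencode(query)}"

def parse_auth_link(link):
    """Inspection helper: the query parameters of a generated auth link."""
    return {k: v[0] for k, v in parse_qs(urlparse(link).query).items()}

def handle_callback(state, code, exchange_code):
    """Steps 10-11: the provider redirects back with code and state. The NS
    exchanges the code for tokens (exchange_code stands in for the token
    endpoint), stores the (VIN, purpose) -> tokens mapping and returns the
    notification for the data consumer, which carries no tokens."""
    entry = _pending.pop(state, None)  # unknown or replayed state is rejected
    if entry is None:
        raise ValueError("unknown or already used state")
    vin, purpose, items = entry
    tokens = exchange_code(code)
    _consents[(vin, purpose)] = {"items": items, **tokens}
    return {"vin": vin, "purpose": purpose, "items": items, "status": "authorized"}

def tokens_for(vin, purpose):
    """Lookup used later when brokering a data request for this VIN and purpose."""
    return _consents.get((vin, purpose))
```

The data consumer only ever sees the auth link and the final notification; the provider only sees the Neutral Server's client id, the state id and the scope.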

Slide 35

OTHER SOLUTION APPROACHES
• Caruso as central consent management hub with custom-built consent mechanism
  • Trust from all parties towards Caruso required
  • Implementation of security technology necessary
• Utilization of Blockchain technology
  • Either identities and provided consent information accessible
  • Or trust toward Caruso required

Slide 36

LAWFULNESS OF DATA PROCESSING: TECHNICAL REALIZATION

Slide 37

CONSENT: POC – WHAT HAPPENS BEHIND THE SCENES (sequence diagram with 45 numbered steps; step labels not recoverable)
Participants: (Neutral Server) Caruso Platform (OAuth Client); (Data Provider) BVW Resource Server (OAuth Resource Server), BVW Authorization Server (OAuth Authorization Server), BVW Authorization Page; (Service Provider / Data Consumer) 1-2-3-Workshops Backend, 1-2-3-MyCar App; Caroline; User Smartphone / Browser.

Slide 38

POC – SETTING
• BVW (OEM, Data Provider)
  • Has a contract with the registered keeper
  • Has a contract with Caruso
  • Acts as a data provider for “mileage” and “DTC”
• Insurancia (Data Provider)
  • Has a contract with the registered keeper
  • Has a contract with Caruso
  • Acts as a data provider for “address”
• 1-2-3-Workshops (Data Consumer / Service Provider)
  • Has a contract with the registered keeper that was made via the “MyCarData” app
  • Has a contract with BVW and Insurancia that was made via the Caruso Marketplace
  • 1-2-3-Workshops decides to remain anonymous towards BVW
  • Has a contract with Caruso
  • Acts as a data consumer for “mileage”, “DTC”, “address”
• Caruso (Neutral Server)

Slide 39

POC – TECHNOLOGIES IN USE
• Caruso (Neutral Server): Simulation of Neutral Server: Spring Boot Server
• OEM BVW: Simulation of Backend with ExVe Systems & Technologies: Authorization Server Auth0 (Cloud Service), Spring Boot Server
• 1-2-3-Workshops: Simulation of Backend: Spring Boot Server; Simulation of App “MyCar”: Angular Web App
• Insurancia: Simulation of Backend with ExVe: Authorization Server Auth0 (Cloud Service), Spring Boot Server

Slide 40

POC – SCREENCAST

Slide 41

POC – WHO KNOWS WHAT ABOUT CONSENT?

1-2-3-Workshops requests consent:
• Needs the consent to retrieve the data items “mileage, DTC”
• From the data provider “BVW”
• Needs the consent to retrieve the data item “address”
• From the data provider “Insurancia”
• For the car with VIN “3VWD67AJ2GM278385”
• For the purpose of “maintenance”

Caruso (Neutral Server) stores consent request:
• Client “Caruso”
• Has the consent to retrieve the data items “mileage, DTC”
• From the data provider “BVW”
• Has the consent to retrieve the data item “address”
• From the data provider “Insurancia”
• For the car with VIN “3VWD67AJ2GM278385”
• For the purpose of “maintenance”
Caruso stores state -> VIN, purpose mapping.

Owner sees consent:
• Client “Caruso” wants to retrieve data to pass it to 1-2-3-Workshops
• Has the consent to retrieve the data items “mileage, DTC”
• From the data provider “BVW”
• Has the consent to retrieve the data item “address”
• From the data provider “Insurancia”
• For the car with VIN “3VWD67AJ2GM278385”
• For the purpose of “maintenance”

OEM BVW stores given consent:
• Client “Caruso”
• Has the consent to retrieve the data items “mileage, DTC”
• From the owner of the car with VIN “3VWD67AJ2GM278385”
• For the purpose of “maintenance”
• Given by “Owner”
• Given at “24.01.2019”

Insurancia stores given consent:
• Client “Caruso”
• Has the consent to retrieve the data item “address”
• For the car with VIN “3VWD67AJ2GM278385”
• For the purpose of “maintenance”
• Given by “Owner”
• Given at “24.01.2019”

Caruso receives and stores OAuth tokens:
• Consent given at “24.01.2019”
• VIN, purpose -> OAuth token mapping

1-2-3-Workshops gets notified about successful consent:
• Consent given at “24.01.2019”

Slide 42

INTEGRATION INTO THE PLATFORM

Slide 43

CHALLENGES TO BE SOLVED
• Granularity and naming must match for all parties
  • Mileage as a subcategory of “in-vehicle data”
  • What happens if the data provider cannot offer this data point individually?
  • Odometer → Mileage
  • Is the user confused by different terminologies on the data provider and data consumer side?
• Processing purpose
• GDPR compliance without risking the neutrality of the service

Slide 44

Lawful Data Processing as an Architectural Challenge for Data Platforms
https://www.caruso-dataplace.com/
http://architecture.iese.fraunhofer.de/
https://blog.iese.fraunhofer.de/category/architecture/