The Doctoral School in Science and Engineering is happy to invite you to Iván ABELLÁN ÁLVAREZ’s defence entitled
Accountable and privacy-oriented decentralised information systems
Supervisor: Prof Gilbert FRIDGEN
The rise and adoption of information systems has indisputably changed the way we interact in today’s world, yet it comes at the expense of technological and infrastructure over-reliance. The reach of digital transformation, such as digitalisation of daily tasks and services, has led to large amounts of meta and personal data being collected, processed and stored. However, current policy-driven and market-driven information systems security frameworks may not warrant the necessary privacy guarantees in the digital sphere. Wicked problems arise from socio-technical system interdependence and the friction between design requirements, security guarantees and the institutionalisation of privacy practices that, if neglected, pose threats to individuals’ privacy.
This thesis exposes the multifaceted view of privacy, highlighting its diverse understandings, and the institutional and organisational commitment to them. We identify and examine tensions between technically desirable properties, organisational and market-driven demands, as well as institutional and policy-driven boundaries. Moreover, it introduces accountability as a compliance and technical property to uphold system reliability either by governance structures, control measures, or legal responsibility.
The research employs methods ranging from design science research and privacy threat modeling to privacy risk assessments to identify the shortcomings in existing IT design knowledge for addressing recognised privacy principles. This thesis also contributes to data minimisation by design as a guiding development and evaluative approach, providing prescriptive design knowledge and deriving design principles to balance privacy and compliance requirements, such as data minimisation, and accountability.
Specifically, this thesis examines three domains of study, namely (de)-centralised infrastructure, policy-driven information systems, and market-driven information systems.
Within the infrastructure domain, information security management systems and permissionless networks, such as blockchain-like systems, are studied as two distinct perspectives for reliable system design.
Policy-driven use cases, such as the EU digital identity wallet and card-not-present payments, are analysed to examine tensions between security requirements, privacy demands, and compliance obligations.
Finally, market-driven contexts, including digital platforms and data-sharing electronic markets, are used to study data privacy trade-offs.