I Did Not Accept That: Demonstrating Consent in Online Collection of Personal Data

Vitor Jesus*, Shweta Mustare

*Corresponding author for this work

Research output: Chapter in Book/Published conference output > Conference publication


Privacy in online collection of personal data is currently a much debated topic considering, amongst other reasons, the incidents with well-known digital organisations, such as social networks and, in Europe, the recent EU/GDPR regulation. Among other required practices, explicit and simply worded consent from individuals must be obtained before collecting and using personal information. Further, individuals must also be given detailed information about what data is collected, how, and for what purpose. Consent is typically obtained at the collection point and, at a single point in time (ignoring updates), associated with Privacy Policies or End-User Agreements. At any moment, both the user and the organisation should be able to produce evidence of this consent. This proof should not be disputable, which leads us to strong cryptographic properties.

The problem we discuss is how to robustly demonstrate such consent was given. We adapt fair-exchange protocols to this particular problem and, upon an exchange of personal data, we are able to produce a cryptographic receipt of acceptance that any party can use to prove consent and elicit non-repudiation. We discuss two broad strategies: a pure peer-to-peer scheme and the use of a Trusted Third Party.
Original language: English
Title of host publication: Trust, Privacy and Security in Digital Business
Subtitle of host publication: TrustBus 2019
Editors: S. Gritzalis, E. Weippl, S. Katsikas, G. Anderst-Kotsis, A. Tjoa, I. Khalil
ISBN (Electronic): 9783030278137
ISBN (Print): 9783030278120
Publication status: Published - 2 Aug 2019

