
adequate level of security and to guarantee the properties of confidentiality and integrity of information, identity and access control, and the privacy of users.

The toolbox will be designed with security issues considered from the beginning, instead of following the common approach of adding security mechanisms to an already existing software architecture. In fact, experience and statistics show that the latter approach results in a weaker system, in which the added security mechanisms can often be bypassed easily.

It should be formally proven (verified) that the proposed system does have the above properties, notwithstanding malicious attacks (misuse). On top of this trusted toolbox, high-level applications will be designed and realized, using the primitives (to be identified in the research project) provided by the trustworthy layer. A first objective is to guarantee a home-banking level of security, focusing on new methods of authentication and access control, on the definition of strict policies, and on the verification of software to guarantee the overall security of the web application.

It is worth noticing that putting together secure components does not usually lead to building a secure system. Even though many security technologies exist, they usually address only one or a few elements of a system or, even worse, just one security property (e.g. only integrity or only confidentiality). A more general framework is necessary to deal with a complex architecture such as the one needed for participatory web platforms.

Formal verification. Since security is such an issue when dealing with e-government applications, it is important that the security protocols devised to cope with attacks and misuse are carefully verified to be sound.

We thus plan to use model checking techniques to mathematically certify that the security protocols we will use in this project indeed prevent attacks and misuse. To the best of our knowledge, this is the first time that model checking is applied to e-government issues.

Moreover, we plan to go a step further when dealing with the problem of defining an access control policy that avoids misuse and attacks. In fact, we aim to be able both to formally verify given access control policy rules, and to automatically synthesize access control policy rules starting from high-level specifications.
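To make the idea of verifying access control policy rules by model checking concrete, the following is an added example, not code from the proposal or from the EUGAGER project: a minimal explicit-state model checker (a breadth-first exploration of every reachable state, rather than a tool such as SPIN or NuSMV) applied to a constructed toy e-participation workflow with two users, an "editor" and a "reviewer" role, and a safety property stating that nobody may approve their own proposal. All user names, role names and rules below are assumptions made for the illustration. The same checker is run against a weak policy, for which it returns the shortest sequence of actions that violates the property, and against a corrected policy with a separation-of-duty rule, for which it reports that no reachable state violates it.

```python
from collections import deque

# Constructed toy workflow (assumed for illustration; not part of the proposal).
USERS = ("alice", "bob")

# A state is a frozenset of facts, so it is hashable and can be stored in a visited set:
#   ("role", user, role)                     user currently holds role
#   ("proposal", author, status, approver)   status is "pending" (approver None) or "approved"
INITIAL = frozenset({("role", "alice", "editor")})


def roles(state, user):
    """Roles held by user in the given state."""
    return {f[2] for f in state if f[0] == "role" and f[1] == user}


def rule_submit(state):
    """Any user may submit one proposal."""
    for u in USERS:
        if not any(f[0] == "proposal" and f[1] == u for f in state):
            yield f"{u} submits", state | {("proposal", u, "pending", None)}


def rule_appoint_reviewer(state):
    """An editor may make any user (themselves included) a reviewer."""
    for editor in USERS:
        if "editor" not in roles(state, editor):
            continue
        for target in USERS:
            if "reviewer" not in roles(state, target):
                yield f"{editor} appoints {target} as reviewer", state | {("role", target, "reviewer")}


def make_rule_approve(separation_of_duty):
    """A reviewer may approve a pending proposal; with separation_of_duty=True
    the reviewer is barred from approving a proposal they authored."""
    def rule_approve(state):
        for reviewer in USERS:
            if "reviewer" not in roles(state, reviewer):
                continue
            for fact in state:
                if fact[0] == "proposal" and fact[2] == "pending":
                    author = fact[1]
                    if separation_of_duty and reviewer == author:
                        continue
                    approved = (state - {fact}) | {("proposal", author, "approved", reviewer)}
                    yield f"{reviewer} approves {author}'s proposal", approved
    return rule_approve


def self_approval(state):
    """Safety violation: a proposal approved by its own author."""
    return any(f[0] == "proposal" and f[2] == "approved" and f[3] == f[1] for f in state)


def model_check(rules, bad, init=INITIAL):
    """Breadth-first exploration of every state reachable under the policy rules.
    Returns the shortest action sequence that reaches a state satisfying `bad`,
    or None if no reachable state does (i.e. the safety property holds)."""
    seen = {init}
    queue = deque([(init, ())])
    while queue:
        state, trace = queue.popleft()
        if bad(state):
            return list(trace)
        for rule in rules:
            for label, nxt in rule(state):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, trace + (label,)))
    return None


WEAK_POLICY = [rule_submit, rule_appoint_reviewer, make_rule_approve(separation_of_duty=False)]
FIXED_POLICY = [rule_submit, rule_appoint_reviewer, make_rule_approve(separation_of_duty=True)]


def any_approval(state):
    """Used to confirm the fixed policy still permits legitimate approvals."""
    return any(f[0] == "proposal" and f[2] == "approved" for f in state)


if __name__ == "__main__":
    print("weak policy counterexample:", model_check(WEAK_POLICY, self_approval))
    print("fixed policy counterexample:", model_check(FIXED_POLICY, self_approval))
    print("fixed policy still allows approval via:", model_check(FIXED_POLICY, any_approval))
```

The counterexample returned for the weak policy is a three-step trace in which an editor appoints herself as reviewer and then approves her own proposal; that trace is exactly the kind of evidence a model checker produces and that a policy author can act on. Checking the corrected policy against a second, positive reachability predicate guards against the opposite failure, a policy so restrictive that the workflow can no longer complete.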

Granular privacy management. Luxury cars today offer something called a "valet key". It is a special key you give the parking attendant and it prevents them from driving your car more than a few kilometres, opening the trunk, or accessing your onboard phone address book. The idea is pretty straightforward. You give someone limited access to your car with a special key, while using your regular key to unlock everything.

Every day, new social networking websites offer services which tie together functionality from other sites. But the implementations available today ask for your username and password for the other site in order to connect. When you agree to share your secret credentials, not only do you expose your password to someone else, but you also give them full access to do as they wish. They can do anything they want, even change your password and lock you out.

We will solve this problem by implementing the EUGAGER Authentication and Tool Manager, which will allow the User to grant access to his private information on EUGAGER, to available tools (Petition and Collaborative Proposals). With this approach, many existing e-participation sites, created by citizens or officially supported by governments, will be able to interact with the EUGAGER core components with a few code additions.
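The "valet key" idea above, as an added example that is not code from the proposal or from EUGAGER: instead of handing a third-party tool the user's password, the platform issues a signed grant that names the user, the tool it was issued to, the scopes the user agreed to, and an expiry. The tool presents that grant on each request, and the platform checks the signature, the audience, the expiry and the scope before serving it. Scope names, the signing key and the tool names are constructed for the illustration; the signature is a plain HMAC-SHA256 over the encoded payload.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Scopes an e-participation platform might expose to external tools (assumed names).
KNOWN_SCOPES = {"profile:read", "petition:sign", "proposal:comment", "account:admin"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, user: str, tool: str, scopes, ttl_seconds: int, now=None) -> str:
    """Mint a 'valet key': a signed grant for `tool` to act on behalf of `user`,
    limited to `scopes` and valid for `ttl_seconds`. The password is never shared."""
    now = time.time() if now is None else now
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    payload = {"sub": user, "aud": tool, "scp": sorted(set(scopes)), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def check_access(secret: bytes, token: str, tool: str, required_scope: str, now=None):
    """Decide whether `tool` may perform an action needing `required_scope`.
    Returns (allowed, reason). The signature is verified before the payload is
    trusted, so tampering with the scopes or the expiry is rejected outright."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed token"
    body, sig = parts
    try:
        given = _unb64(sig)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):
            return False, "bad signature"
        payload = json.loads(_unb64(body))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if payload.get("aud") != tool:
        return False, "token was issued to a different tool"
    if now >= payload.get("exp", 0):
        return False, "token expired"
    if required_scope not in payload.get("scp", []):
        return False, f"scope {required_scope} not granted"
    return True, "ok"


if __name__ == "__main__":
    key = b"platform-signing-key (constructed)"
    grant = issue_token(key, "alice", "petition-tool", ["profile:read", "petition:sign"], 3600)
    print(check_access(key, grant, "petition-tool", "petition:sign"))   # allowed
    print(check_access(key, grant, "petition-tool", "account:admin"))   # scope not granted
    print(check_access(key, grant, "other-tool", "petition:sign"))      # wrong audience
```

The point the example makes is that the tool holds only what the user chose to delegate: an "account:admin" action fails even with a valid grant, a grant presented by a different tool fails, and the grant stops working at its expiry, none of which is possible when the tool is simply given the password.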

1.1.2.3 Transparency

Once governments commit to strategies transforming their governance processes, significant challenges and opportunities will arise during their implementation process. Among design challenges, transparency is one of the most remarkable [M:e-gov].

In [M:e-gov] it is noted that citizens should be able to understand government decisions. A lack of transparency could prevent the public from actively participating in common decisions, and can easily conceal favouritism.

Moreover, distributed applications do not generally ensure the user of the correctness of the results. A tool could retrieve data and then post