Intra-Application Partitioning of Personal Data

Katrin Borcea, Hilko Donker, Elke Franz, Katja Liesebach, Andreas Pfitzmann, and Hagen Wahrig
Dresden University of Technology, Dresden, Germany
{borcea|donker|ef1|liesebach|pfitza|wahrig}@inf.tu-dresden.de

Abstract. Personalization provides users a comfortable working environment. But the necessary collection of personal data can imply privacy problems. Usual approaches to minimize privacy problems aim at separating data disclosed in different applications. However, this inter-application partitioning is not sufficient in the case of large applications. Here we introduce the concept of intra-application partitioning of personal data by means of application-internal contexts. The description of such task-related contexts enables users to assess the linkability of their actions within the application. This approach helps users to control the linkability of their personal data themselves.

1 Introduction

Currently, most applications aim at providing users a comfortable working environment adapted to personal needs. This goal requires collecting and evaluating personal data describing, e.g., users' preferences and goals. Any collection of personal data, however, puts privacy at risk. Since computing systems are not perfectly secure, we cannot exclude unintended access to the data. Hence, as little data as possible should be collected and, if possible, no personal data at all should be disclosed. Privacy-enhancing Identity Management (PIM) realizes decentralized data management and transparent data processing for users [1]. Users are enabled to partition their personal data and to control disclosure of data subsets [2, 3]. Each subset of information is called a partial identity [5], which must be unlinkable by anyone except its owner. Therefore, uncorrelated pseudonyms are used as identifiers for the partial identities.
Usually, PIM is used to keep data in different applications separate from each other (inter-application partitioning), or to separate the actions of a user within different roles. In particular, for applications comprising different services and/or interactions with other users, the possibility to partition personal data is needed, even for repeated actions. In this paper, we introduce possible solutions for this intra-application partitioning depending on application contexts. In contrast to inter-application partitioning, for intra-application partitioning the application must be aware of the partitioning and must support it. Therefore, the application needs to be modified. Additionally, we have to consider interactions between users, i.e. the user's former actions under a pseudonym, and interactions with other users who (possibly) act under different pseudonyms.
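As an added illustration (not the paper's own code or model), the following Python models the two kinds of partitioning described above: one pseudonym per application versus one pseudonym per application-internal context, and the linkability of actions that an observer of the application can derive from the pseudonyms alone. The application name, the context labels, the sample actions and the HMAC-based pseudonym derivation are assumptions.

```python
import hmac
import hashlib
from collections import defaultdict

# Hypothetical model (not from the paper): the application is split into named,
# task-related contexts, and each context gets its own pseudonym derived from a
# secret only the user holds. Without that secret the pseudonyms look
# uncorrelated, so an observer cannot link actions across contexts.

def context_pseudonym(user_secret: bytes, app: str, context: str) -> str:
    """Stable, context-specific pseudonym: HMAC-SHA256 over app and context."""
    label = f"{app}\x00{context}".encode()
    return hmac.new(user_secret, label, hashlib.sha256).hexdigest()[:16]

def disclose(user_secret: bytes, app: str, actions):
    """What the application sees: (pseudonym, action) for each (context, action)."""
    return [(context_pseudonym(user_secret, app, ctx), act) for ctx, act in actions]

def linkable_groups(observed):
    """Observer's view: actions that carry the same pseudonym are linkable."""
    groups = defaultdict(list)
    for pseudonym, action in observed:
        groups[pseudonym].append(action)
    return list(groups.values())

def are_linkable(observed, action_a: str, action_b: str) -> bool:
    """True if a single pseudonym carries both actions."""
    return any(action_a in g and action_b in g for g in linkable_groups(observed))

# Constructed sample: one user, one application, three task-related contexts.
SECRET = b"constructed-user-secret"
APP = "example-app"
ACTIONS = [
    ("discussion", "post question"),
    ("discussion", "reply to thread"),   # repeated action in the same context
    ("exercise", "submit solution"),
    ("profile", "set interests"),
]

def inter_app_view():
    """Inter-application partitioning only: one pseudonym for the whole app."""
    return disclose(SECRET, APP, [("whole-app", act) for _, act in ACTIONS])

def intra_app_view():
    """Intra-application partitioning: a separate pseudonym per context."""
    return disclose(SECRET, APP, ACTIONS)
```

Actions within the same context (the two discussion actions) remain linkable to each other; partitioning repeated actions more finely would require a per-action context label.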