The present invention, in some embodiments thereof, relates to authentication of software application purpose and, more specifically, but not exclusively, to verifying usage of data for specific purposes using a digital certificate.
Digital certificates are used today by a trusted authority to verify the authenticity of applications and their publishers, and the authenticity of servers, clients and/or other online entities.
In the process of code signing, i.e. authentication of a software publisher, a publisher's public key is sent to a trusted certificate authority (CA) which encrypts it with its own private key to create a publisher authentication certificate. This certificate is bundled by the publisher with the application code together with a hash created from the code and encrypted using the publisher's private key. When a user's client opens the bundle, it verifies its authenticity. By using the CA's public key, the certificate is decrypted and the publisher's public key is extracted. The publisher's public key is then used to decrypt the hash. The hash may then be compared to a current hash created by the user's client, to verify that they are the same.
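The code-signing flow described above, as a runnable sketch; this is an added example, not code from the original document. It uses textbook RSA without padding and constructed toy keys built from Mersenne primes, so that "encrypt with the private key, decrypt with the public key" is literal; the function names, the bundle layout and the packing of the public key into one integer are assumptions.

```python
import hashlib

E = 65537  # public exponent used by both constructed toy keys

def make_key(p, q):
    """Build (public, private) textbook-RSA keys from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def apply_key(key, value):
    """Raw RSA operation value^exp mod n; no padding, illustration only."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under the modulus")
    return pow(value, exp, n)

def code_hash(code):
    return int.from_bytes(hashlib.sha256(code).digest(), "big")

def issue_certificate(ca_private, publisher_public):
    """CA encrypts the publisher's public key with the CA private key."""
    n, e = publisher_public
    return apply_key(ca_private, (n << 32) | e)  # pack (n, e) into one integer

def build_bundle(code, publisher_private, certificate):
    """Publisher bundles code, certificate and the encrypted code hash."""
    return {"code": code, "certificate": certificate,
            "encrypted_hash": apply_key(publisher_private, code_hash(code))}

def verify_bundle(bundle, ca_public):
    """Client side: recover the publisher key, then compare the two hashes."""
    try:
        packed = apply_key(ca_public, bundle["certificate"])
        publisher_public = (packed >> 32, packed & 0xFFFFFFFF)
        shipped = apply_key(publisher_public, bundle["encrypted_hash"])
    except ValueError:  # malformed certificate or hash
        return False
    return shipped == code_hash(bundle["code"])

# Constructed toy keys from Mersenne primes: trivially factorable, demo only.
CA_PUBLIC, CA_PRIVATE = make_key(2**607 - 1, 2**1279 - 1)
PUB_PUBLIC, PUB_PRIVATE = make_key(2**127 - 1, 2**521 - 1)

if __name__ == "__main__":
    cert = issue_certificate(CA_PRIVATE, PUB_PUBLIC)
    bundle = build_bundle(b"print('hello')", PUB_PRIVATE, cert)
    print(verify_bundle(bundle, CA_PUBLIC))                         # True
    print(verify_bundle(dict(bundle, code=b"changed"), CA_PUBLIC))  # False
```

The check fails both when the code is altered after bundling and when the encrypted hash was produced with a key other than the one inside the certificate.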
Different privacy regulations mandate that users' personal data may be processed by applications/services only for the declared purpose for which the data was collected and to which the user consented. Data collected by an application/service is often shared with third parties for outsourcing, data sharing or even profit. The data collectors are, in many cases, responsible for assuring that the data is only used for the consented purposes, both internally and even after being transferred to third parties.