USE OF WIKI SYSTEMS IN ARCHAEOLOGY

Privacy, Security and Data Protection as Key Problems

Katharina Holzinger, Andreas Holzinger, Christian Safran

Institute for Information Systems and Computer Media, Graz University of Technology, Graz, Austria

Gabriele Koiner-Erath

Institute of Archaeology, Graz University, Graz, Austria

Edgar Weippl

Secure Business Research, Vienna University of Technology, Vienna, Austria

Keywords: Wikis, Archaeology, Education, Security, Privacy, Data Protection.

Abstract: Wikis are powerful, collaborative tools and can be used for educational purposes in many ways. The

original idea of a Wiki is to make information accessible to all. However, it is very interesting that

experiences in the use of Wikis in educational settings showed that security and data protection of wiki

contents is definitely an issue. In this paper, we discuss problems and solutions on the basis of use cases

from archaeological education. Interestingly, archaeologists are extremely worried about online accessible

information due to the serious danger of archaeological looting. “Tomb raiders”, i.e. people who excavate

artefacts of cultural heritage on the basis of information stored in Geowikis, so called archaeological looters,

are not aware of the value of cultural heritage, are interested only in the artefacts and destroying the cultural

context, which is of enormous interest for archaeological research. Consequently, the protection of

archaeological information is one of the most urgent tasks in the preservation of cultural heritage.

1 INTRODUCTION

Wikis are a Web technology for mass collaborative

authoring, offering the asset of free and easy access

for end users: everybody can contribute, comment

and edit (Gorman, 2005), (Ebner, Kickmeier-Rust &

Holzinger, 2008). However, during the discussion

after a talk at the conference Archaeology &

Computers in Vienna 2009 (Holzinger et al., 2009),

it was very interesting that security and data

protection of wiki contents is definitely an issue,

from the perspective of archaeologists – though

neglected by computer scientists. A look into the

field of Archaeology makes this obviously evident:

The archaeological heritage is under serious

threat from illegal and destructive excavations

(archaeological looting) aiming at recovering

antiquities for sale on the international market

(Brodie & Renfrew, 2005).

2 BACKGROUND

Year by year, thousands of archaeological

monuments are destroyed by building projects but

also by archaeological looters. In fact, looting is one

of the most serious problems in the protection of

archaeological heritage. Metal detecting, digging

without permission, non reporting of finds and

selling illegally excavated objects are forbidden in

many countries and – which people are often

unaware – are punished severely. A famous example

is the looting of several bronze weapons and a 30 cm

diameter bronze disk with gold inlays, later known

as the sky disk of Nebra with metal detectors on the

Mittelberg near Leipzig in Saxony-Anhalt

(Germany) in 1999. The disk, a unique object of the

16th century B.C. which is adorned with astral

symbols, turned up at the market in 2001,

subsequently confiscated by police in 2002, and is

120

Holzinger K., Holzinger A., Safran C., Koiner-Erath G. and Weippl E. (2010).

USE OF WIKI SYSTEMS IN ARCHAEOLOGY - Privacy, Security and Data Protection as Key Problems.

In Proceedings of the International Conference on e-Business, pages 120-123

DOI: 10.5220/0002982701200123

 SciTePress

now exhibited in the Prehistoric Museum of

Halle/Saale (Meller, 2004).

Looters are fanatical collectors driven by

financial motivation or just the ecstasy of finding

objects. Looters are mostly interested in metal

objects, which can be easily located by metal

detectors (Connor & Scott, 1998). By digging up

and pulling out the objects, they destroy the

archaeological context and thus the possibility to

date and interpret the find. Even when these objects

are located on the market or in private collections,

the damage is irreparable.

Basically, looters do not rely (only) on online

information; however, looters are often supported by

official find reports that are nowadays widely

published in electronic media. These reports offer

descriptions and maps of find places and thus make

the localization of the monuments very easy.

3 MATERIALS & METHODS

At Graz University of Technology several studies

were carried out on how Wiki-systems could be used

for different purposes (Ebner, Zechner & Holzinger,

2006), (Ebner & Walder, 2007). In subjects

including Civil Engineering, Architecture, Geology,

Archaeology, etc. the use of GeoWikis can be of

great benefit (Priedhorsky & Terveen, 2008).

Such GeoWiki implementations are focussed on

the geographical aspect and are basically

implemented as editable maps. Due to specific

requirements of the subjects mentioned above, a

special GeoWiki, the so called TUGeoWiki has been

developed (Safran et al., 2009a), which focuses on

the description of the individual locations and the

connections between them. The design of the

TUGeoWiki server-side and client-side application

was based on four central requirements: Geotagging

Interface, Mobile and Desktop Interface,

Collaborative Environment and Map Mashup

(Auinger et al., 2009). The final requirement was to

provide the integration of external location-based

material, based on the coordinates available for

location articles in the TUGeoWiki. This enables the

integration of highly detailed material from external

sources without the need to provide such material

within the TUGeoWiki itself (the mashup concept).

The most obvious use for a mashup in the

TUGeoWiki’s case is the integration of mapping

material using an API, such as the Google Maps

API. Numerous other map APIs are available and

the integration of further material, such as geological

data, could also be considered. The final application

consists of two independent systems that fulfil the

requirements detailed above. Most of the interaction

is performed using a ediawiki, with specially

developed extensions within a mobile and/or

desktop browser. In order to make this extended

functionality available on a mobile device in the

field, additional mobile clients for the most common

platforms were implemented. On the client side, all

of the interaction is done with a browser, which

connects to a Mediawiki on the TUGeoWiki server.

The original Mediawiki is extended by two special

pages. The first offers a list of all geotagged articles

in the Wiki. More specifically, this page implements

the functionality for the creation of new locations

based on geographical coordinates. The second

special page supports the upload of images including

geographical coordinates. Within JPEG images,

additional information can be stored in a so-called

EXIF header. Besides metadata regarding a broad

range of standard information such as date, time, or

camera model, the EXIF header may also contain the

geographical coordinates of the image. This

information can either be added by a camera, when a

photo is taken, or added manually at a later date. The

server-side Mediawiki is further extended by a

template, which is applied to all newly created

location articles. The template contains a Google

map of the area around its coordinates and it links to

the corresponding location on Google Maps and

Microsoft Live Maps. Moreover, the template links

to another Mediawiki extension called GeoHack,

which constructs links to various geographical

services for the coordinates (Safran, Garcia-Barrios

& Ebner, 2009b). Finally, all location articles are

added to a common category.

4 USE CASES

A recent use case was the Zeğreg Tepe in the

territory of ancient Tavium in Asia Minor, a hill

where a famous Hellenistic and Roman sanctuary of

Zeus Tavianos is supposed to have been located

(Strobel & Gerber, 2000), (Koiner, Lohner-Urban &

Scherrer, 2010). There was a colossal bronze statue

of Zeus, and the sanctuary was known for its

asylum, i.e. the protection of people who were

persecuted. This sanctuary probably was built on a

Hittite temple of Teššub, the Hurritian and Hittite,

the weather god who was one of the predecessors of

the Greek Zeus. The Zeğreg Tepe is a hill with steep

flanks in the south, west and east and a more gentle

slope in the north, where the main entrance is to be

supposed to be located. The top of the hill is flat

USE OF WIKI SYSTEMS IN ARCHAEOLOGY - Privacy, Security and Data Protection as Key Problems

121

with some pronounced terraces to the south and east.

Surveying and air photographs located remains of

walls but also rocky structures. Restricting access to

these data is mandatory.

5 SOLUTIONS

Restricting access to any information and controlling

the use of it are basic security requirements usually

implanted in a process referred to as AAA:

Authentication, Authorization and Auditing

(Weippl, 2005).

Authentication. While there are three basic forms

of authentication (“What you are”, “What you

have”, “What you know”), it is mostly passwords,

passphrases or similar concepts that are used in Web

based applications. The major drawback is that end

users tend to select very weak passwords. If

combined with a token or certificate (“what you

have”) authorization becomes more powerful. For

Wikis in our specific context, client-side

authentication with tokens is feasible. Users have to

be given a certificate file that they install on their

computer. This certificate is then used to

authenticate the client to the Web server.

Authorization. Access Control mechanisms are

used to enforce restrictions of authorization. Various

security models for access control have been

proposed in the last few decades; one can distinguish

between discretionary access control (DAC) and

mandatory access control (MAC) and role-based

access control (RBAC).

DAC controls access to an object on the basis of

an individual user’s permissions and/or prohibitions.

This means that it is at the discretion of an object’s

owner to decide who has which kind of access. In

MAC, the system decides for the user how

information should be classified. Changing this

categorization to lower the level is commonly

prohibited in the Bell LaPadula model (Bell &

LaPadula, 1976); the no-write-down property

guarantees confidentiality. A role is a collection of

operations (on specific objects) needed for an

application. Assigning access rights to subjects

based on their role is called RBAC. RBAC is

commonly used in database systems as it offers two

main advantages. First and foremost, RBAC clearly

separates “what has to be done” from “who has to do

it” in that it assigns users to roles and defines

permissions on roles, which in turn takes effect

when users activate the corresponding role. Second,

RBAC clearly distinguishes an application’s object

model from the subject and authorization model

(Essmayr, Probst & Weippl, 2004). The object

model provides a view on objects to protect (e.g.,

tables, columns, entities), the subject model

highlights which entities are active within a system

(e.g., users, processes), and the authorization model

describes rules regulating access between subjects

and objects and the administration thereof (Weippl,

Ibrahim & Winiwarter, 2001). In Wikis with a

relatively small user group, role-based access control

can be effectively used on two layers. The users and

roles can be defined at application level (the Wiki)

and, in addition, in the database management

system. The Wiki uses, for each user, their database

account to connect to the database. While this

certainly impacts performance as connection pooling

is no longer possible, it clearly increases security.

Weaknesses in the Wiki application itself cannot be

used to access the database.

Auditing. Analyzing log files to determine who

accessed which data is useful to establish whether

the Wiki was compromised. Auditing clearly

requires reliable authentication and logging

mechanisms should be difficult to disable. A good

approach is to have two or three levels of logging:

(1) Web server logs show the requests made to the

Web server. (2) Logs on the application level

contain more details on which actions a user

performed. However, each application action must

have corresponding entry in the Web server log. (3)

Logs entries can also be generated inside the

database. These entries must again match log entries

on the other two levels. If inconsistencies between

the log files are detected then an attacker might, for

instance, have gained direct access to the database.

This can be detected because the database logs

would show activities not recorded on the

application level. Contemporary Wiki systems only

support these concepts rudimentarily, making further

development highly necessary.

6 CONCLUSIONS

During the last few years, Wiki systems have

become a well-used tool to enable online

collaborative work in education. Research has

shown the positive effect they can have on the

learning process. However, the issues of privacy and

security have up to now been neglected in this

context, though they are an important factor. A good

example is the application of Wiki-based systems in

the context of archaeological education. Though

especially location-based applications, such as

ICE-B 2010 - International Conference on e-Business

122

TUGeoWiki, can enhance the learning process and

working in this context, the sensitive nature of

archaeological data makes privacy and security a

key issue. Authentication, authorization and auditing

processes have been shown to be necessary

inclusions in the future development of Wiki

systems in this context. In this paper, we proposed

the implementation of a dual authentication for

Wikis to protect information stored in archaeological

Wikis. Improving authentication and authorization

will enable researchers to share more information

without the fear that looters will gain unauthorized

access to data and abuse the data. Moreover,

precautions can be taken to avoid unintentional

publication of hidden data such as location

information in images. Unprotected archaeological

monuments are highly susceptible to destruction by

looters, consequently data protection in this field is

highly important.

REFERENCES

Auinger, A., Ebner, M., Nedbal, D. & Holzinger, A.

(2009) Mixing Content and Endless Collaboration –

MashUps: Towards Future Personal Learning

Environments. In: Lecture Notes in Computer Science

(LNCS 5616). Berlin, Springer, 14-23.

Bell, D. & LaPadula, L. (1976) Secure Computer System:

Unified exposition and multics interpretation.

Technical Report ESD-TR-75-306, 2997 The MITRE

Corporation, Bedford (MA).

Brodie, N. & Renfrew, C. (2005) Looting and the world's

archaeological heritage: The inadequate response.

Annual Review of Anthropology, 34, 343-361.

Connor, M. & Scott, D. D. (1998) Metal detector use in

archaeology: An introduction. Historical Archaeology,

32, 4, 76-85.

Ebner, M., Kickmeier-Rust, M. & Holzinger, A. (2008)

Utilizing Wiki-Systems in higher education classes: a

chance for universal access? Springer Universal

Access in the Information Society, 7, 4, 199-207.

Ebner, M. & Walder, U. (2007) e-Learning in Civil

Engineering - Six Years of Experience at Graz

University of Technology. In: Rebolj, D. (Ed.) 24th

W78 Conference. Maribor, Slovenia.

Ebner, M., Zechner, J. & Holzinger, A. (2006) Why is

Wikipedia so Successful? Experiences in Establishing

the Principles in Higher Education. 6th International

Conference on Knowledge Management (I-Know'06).

Graz, Austria.

Essmayr, W., Probst, S. & Weippl, E. R. (2004) Role-

based access controls: Status, dissemination, and

prospects for generic security mechanisms.

International Journal of Electronic Commerce

Research, 4, 1, 127-156.

Gorman, G. E. (2005) Is the wiki concept really so

wonderful? Online Information Review, 29, 3, 225-

226.

Holzinger, K., Safran, C., Ebner, M., Kappe, F., Koiner,

G. & Holzinger, A. (2009). Geo-Tagging in

Archaeology: Practical Experiences with the

TUGeoWiki International Congress Cultural Heritage

and New Technologies: Computers and Archaeology,

Vienna, 13.

Koiner, G., Lohner-Urban, U. & Scherrer, P. (2010) Die

Arbeiten des Grazer Teams in Tavium/Tawinija

2009,Tavium (Büyüknefes, Provinz Yozgat) und seine

Region, Bericht über die Kampagnen 2006-2009

(forthcoming). Istanbuler Mitteilungen, 60.

Meller, H. (Ed.) (2004) Der geschmiedete Himmel: die

weite Welt im Herzen Europas vor 3600 Jahren.

Begleitband zur Ausstellung: Landesmuseum für

Vorgeschichte, Halle/Saale (in German), Stuttgart,

Theiss.

Priedhorsky, R. & Terveen, L. (2008) The computational

geowiki: what, why, and how. Proceedings of the

ACM 2008 conference on Computer supported

cooperative work. San Diego, CA, USA, ACM.

Safran, C., Ebner, M., Kappe, F. & Holzinger, A. (2009a)

m-Learning in the Field: A Mobile Geospatial Wiki as

an example for Geo-Tagging in Civil Engineering

Education. In: Ebner, M. & Schiefner, M. (Eds.)

Looking Toward the Future of Technology-Enhanced

Education: Ubiquitous Learning and the Digital

Native. New York, IGI , 444-454.

Safran, C., Garcia-Barrios, V. M. & Ebner, M. (2009b)

The benefits of Geo-Tagging and microblogging in m-

Learning: a use case. Proceedings of the 13th

International MindTrek Conference: Everyday Life in

the Ubiquitous Era. Tampere, Finland, ACM.

Strobel, K. & Gerber, C. (2000) TAVIUM (Büyüknefes,

Provinz Yozgat) – Ein regionales Zentrum Anatoliens.

Bericht über den Stand der Forschungen nach den

ersten drei Kampagnen (1997-1999) (in German)

Istanbuler Mitteilungen, 50, 215-265.

Weippl, E., Ibrahim, I. K. & Winiwarter, W. (2001).

Content-based Management of Document Access

Control. 14th International Conference on

Applications of Prolog, 78-86.

Weippl, E. R. (2005) Security in E-Learning (Advances in

Information Security). New York, Springer.

USE OF WIKI SYSTEMS IN ARCHAEOLOGY - Privacy, Security and Data Protection as Key Problems

123