Workshop on the Relationship between Privacy and Security Marc Wilikens Joint Research Centre Instit - PowerPoint PPT Presentation

1
Workshop on the Relationship between Privacy and Security
Marc Wilikens
Joint Research Centre, Institute for the Protection and Security of the Citizen
Cybersecurity
Carnegie Mellon University, 29-30 May, 2002
2
Joint Research Centre
  • EU-funded multi-disciplinary R&D
  • Institute for the Protection and Security of the
    Citizen (One of the 8 Institutes of the JRC)
  • To provide research-based, systems-oriented
    support to EU policies for the protection of the
    citizen against economic and technological
    risk.
  • Cyber-security is a principal concern
  • Better understanding of vulnerabilities and
    technological challenges
  • Provide facilities for cross-border
    collaboration, specific testing and R&D projects.
  • Close collaboration with EU departments: DGs
    Infso, Jai, Markt, Sanco; European Parliament

3
JRC P3P Reference Implementation
4
A cybersecurity perspective
Redress, trust seals: EEJNET, FINNET
Data Protection Directives
EU cyber-crime forum
Network security, early warning, R&D, Test Beds and Demonstration platforms
Cyber-crime
Privacy
Protection against cyber-abuse
Identity theft
Fraud
Profiling


Attacks
Intrusions
Information Infrastructure Security
Systemic risks and interdependencies
5
Relationship between privacy and security
  • The right balance between privacy and security.
  • A balance of what?
  • Issues
  • Combating (cyber)-crime: formal and informal
    social control
  • Minimise privacy threats for law abiding citizens
  • Proportionality concept: tension between
    individual and public interest.
  • Accountability
  • Holistic approach

ICT as driver, threat and solution
6
Privacy/security attributes
Anonymity
Pseudonymity
Privacy
Unlinkability
Unobservability
Attributes
Accountability
Non-repudiation
Integrity
Confidentiality
Security
Availability
7
Cyber Crime
  • All forms of cyber crime are increasing rapidly
  • Old crimes: criminals changing the pattern of
    their operations by using ICT
  • New crimes using ICT: e-commerce fraud, forgery,
    etc.
  • Attacks against the information systems
    technical infrastructure
  • New policy issues (ref. CoE cybercrime
    convention, EC communication)
  • What constitutes a cybercrime? Hacking, etc.
  • Tools and powers to investigate: computer data
    preservation, real-time collection of traffic
    data, interception of content data, duties of
    third-parties
  • Cross-border co-operation
  • Safeguards: limitation of scope and duration

8
Cyber Crime Interactions
Support
Technical Tools
R&D
Cyber Crime operations
Prevention
Response/Evidence
Early Warning
Information Sharing
Detection
Life-cycle
9
Information privacy
  • Privacy (human right): informational
    self-determination
  • Data protection (EU legal framework): principles
    for information management (fairness, consent,
    transparency, purpose specification, data
    retention, security, access).
  • Enabler for trust and confidence in the
    Information Society
  • Law is not self-acting
  • Personal data is disclosed by default; online
    anonymity does not have the same status as physical;
    identification is considered critical for
    combating crime
  • Also technology is required to assist in
    compliance and enforcement.

10
Drivers: PITs and PETs
  • ICT plays a vital role in the information society
    but also creates threats. Online activities of an
    individual can be tracked (what people do),
    profiled (who people are), localised (where
    people are).
  • PIT: Privacy Invasive Technologies
  • Service provider: customised services to
    consumers need personal data
  • Mobile and downloadable code and data files
    (cookies), Interactive Digital Television viewing
    tracking, IPR protection based on credential
    checking of customers, intelligence in the
    network, location tracking in mobile systems.
  • Governments: combating cybercrime; evidence
    collection, data retention.
  • PET: Privacy Enhancing Technologies
  • Personalised services whilst keeping personal
    data collection to a minimum.
  • Soft version: guidelines, policies, privacy seals
  • Hard version: access control, encryption, smart
    cards, identity protectors, anonymisers, P3P, etc.

11
Holistic approach
Personal Data Platform
Business Process Interdependencies
Information Infrastructure
Credit card/ smart cards
Risk Analysis
Untrusted 3rd Parties
Banks
Mobile Phone /PDAs
Research
INTERNET/ Portals/ ASPs
Hospitals
Home PC/ Smart Home
Web Bugs
Insurance
Public Authorities
Intelligent Car
Data Marketing
Employers
Commerce
Wearable Devices/ Ambient IT
Caching
Law Enforcement
Click Streams
Utilities
Billing
Access control Biometrics
Logistics
Logging
Digital Health Record
Uncontrolled Distribution
Profiling
Tracking
Invasion
12
Privacy enhancing infrastructure
  • Drivers
  • IPv6, unique identifiers (e.g. MAC), mobility
    support, extensive deployment of devices,
    intelligence in the infrastructure (caching,
    roaming).
  • EU data protection commissioners: unique IP
    address considered as personal data (risk of
    profiling)
  • Minimum privacy invasive network infrastructure
  • Anonymity: e.g. IETF RFC 3041 (privacy
    extension), pseudo-random IP addresses. What
    should be the default?
  • Unobservability: two aspects
  • Do not disclose your privacy preference: privacy
    extension to be used by all nodes if it is to be
    effective
  • Location confidentiality: encryption of home
    address while roaming
  • A. Escudero: Location Privacy in IPv6
    internetworking. Pseudo-random interface
    identifiers
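
The contrast this slide draws between MAC-based unique identifiers and RFC 3041 pseudo-random addresses, as an added example that is not part of the original slides. The MAC, the two documentation prefixes and the all-zero history seed are constructed sample values, and regenerating once per network visited is an assumption made for the demonstration.

```python
import hashlib
import ipaddress

# Constructed sample values: MAC, documentation prefixes and history seed.
MAC = "00:11:22:33:44:55"
PREFIXES = [bytes.fromhex("20010db800010000"),   # 2001:db8:1::/64
            bytes.fromhex("20010db800020000")]   # 2001:db8:2::/64
SEED = bytes(8)  # a real node seeds the history value randomly

def eui64_iid(mac):
    """Interface identifier derived from the MAC (modified EUI-64)."""
    b = bytes.fromhex(mac.replace(":", ""))
    # Insert ff:fe in the middle and flip the universal/local bit.
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]

def rfc3041_next(history, iid):
    """One RFC 3041 iteration: (temporary identifier, next history)."""
    digest = hashlib.md5(history + iid).digest()
    # Leftmost 64 bits, with the universal/local bit cleared so the
    # identifier is marked as not globally unique.
    temp = bytes([digest[0] & 0xFD]) + digest[1:8]
    return temp, digest[8:]

def addresses(mac, prefixes, seed):
    """Return (MAC-derived addresses, temporary addresses), one per prefix."""
    iid, history = eui64_iid(mac), seed
    stable, temporary = [], []
    for prefix in prefixes:
        stable.append(ipaddress.IPv6Address(prefix + iid))
        temp, history = rfc3041_next(history, iid)
        temporary.append(ipaddress.IPv6Address(prefix + temp))
    return stable, temporary

def linkable(addrs):
    """True if every address carries the same low 64 bits (same node ID)."""
    return len({a.packed[8:] for a in addrs}) == 1

if __name__ == "__main__":
    stable, temporary = addresses(MAC, PREFIXES, SEED)
    print("MAC-derived:", *stable, "linkable:", linkable(stable))
    print("RFC 3041:   ", *temporary, "linkable:", linkable(temporary))
```

The MAC-derived addresses share their low 64 bits on every network, which is what makes a roaming node profilable; the temporary identifiers differ on each network.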

13
Privacy enhancing infrastructure (2)
  • Authorisation and accountability schemes
  • Trust units: authentication, certificates,
    credentials
  • Reveal identity in case of abuse: chaining of
    trust units, secret sharing schemes.
  • Dis-intermediation: no unit can accumulate
    personal info.
  • Right to security: confidentiality, integrity of
    payload
  • Excludes the headers in IPv6!

14
Business processes
  • Processes and Architectures
  • Enable interoperability of different
    stakeholders' PETs
  • Facilitate B2B and B2C activities across complex
    interdependent business processes and multi-party
    scenarios
  • Compliant with legal principles: data
    minimisation, depersonalisation, customer privacy
    services, disclosure control.
  • Security/Privacy policies
  • For complex intra- or inter-enterprise data
    transfers or access by refining and extending
    standard access control and authorisation methods
    (e.g. RBAC).
  • Transitivity properties for transferring data
    between enterprises.

15
Individual - Identity management
  • Pseudonym generator management
  • User chooses different pseudonyms or roles
  • Configuration of rules, profiles, context
  • Bilateral negotiation (e.g. P3P), non-repudiation
  • Powerful vocabulary to express user rights
  • Secure devices: off-line biometrics to protect
    against identity theft (local authentication).

16
Partial Identities: Marit Köhntopp, EU privacy workshop, October 2001
Identities Management
17
Criminal abuse
  • Example: Identity theft
  • Consumer Sentinel (US FTC): 100000 consumer
    complaints received in 2000, of which identity
    theft accounts for 23%
  • IDs linked to mobile devices, tokens, smart
    cards
  • High integrity, quality, powerful: attracts
    attackers
  • Problem of repudiation in case of theft: restore
    credibility
  • Preventive security measures are needed: example
    of common goals between privacy, security and
    combating cybercrime

18
RAPID
  • Roadmap for Advanced Research in Privacy and
    IDentity Management Technologies
  • Project sponsored by EU IST programme

19
RAPID Objectives
  • To identify the key actors and form a critical
    mass of industrial and academic research players
    required to lead and conduct future R&D.
  • To identify the technology challenges and RTD
    needs for PET and Identity Management
    technologies in the next 5 years.
  • To identify wider community of stakeholders
  • Also identify socio/economic research needs
    including legal issues, education/awareness
  • To set basis for R&D in FWP6 Network of
    Excellence
  • To foster international cooperation (W3C, )

20
Information sources
  • Privacy workshops in 2001/2002
  • Privacy and Identity in the IS: Emerging
    Technological challenges, 4-5 October 2001
  • Digital Identity, 10-11 December 2001: focus on
    wider socio-economic, legal issues
  • Privacy and Identity in the IS: Systemic Risks,
    5-6 February 2002
  • Privacy related projects in current RTD
    programmes
  • FP5 / IST (PISA, GUIDES, DRIVE, MAFTIA, PRIDEH,
    ..)
  • Other programmes in Europe (national
    international) P3P
  • RTD programmes in other countries world-wide (US,
    Canada, .)
  • Standard initiatives reports
  • Data Protection Commissioners technical reports

21
R&D challenges
  • Understanding privacy vulnerabilities of new
    computing paradigms: Ambient Intelligence,
    virtual identities, complex interactions of
    agents and systems, intelligence in
    infrastructure
  • Multiple and dependable identity management
  • PETs for Enterprise
  • PETs in infrastructure
  • Socio-economic-legal: economics of privacy, crime
    prevention (identity theft), new legal entities
    for identities.
  • Role of Open Source

22
The right balance between privacy and security?
  • The right question?
  • How can we have some privacy in a world where
    anonymity is impossible or unacceptable?
  • OR
  • How can we have accountability in a world where
    privacy is default?
  • How can accountability be configured
    organisationally and technically to ensure
    repeatable reconciliation of legal rules? Role of
    standards?
  • Duties and rights of key organisations in
    multi-party infrastructures and services
    (Telecom, ISP, ASP, etc) and adherence to
    business values and technology policy.
  • Stephan Engberg, EU privacy workshop,
    February 5-6, 2002

23
Contact
  • Marc.Wilikens_at_jrc.it
  • http://cybersecurity.jrc.it