Page 1: Balancing Safety and Privacy - ETSI

© Intellinium 2018. All rights reserved

Balancing Safety and Privacy: GDPR compliance in the industrial IoT

ETSI Security Week, June 12, 2018

François AMBROSINI, Mathieu DESTRIAN

Page 2: Balancing Safety and Privacy - ETSI

IBIT & Intellinium

Intellinium: the first smart and connected safety shoes to protect and save workers' lives anywhere, anytime.

IBIT: consultancy on security and privacy, Munich (Germany)

• Virtual radios, IoT, access control & attribute-based encryption…

• From prototyping to standardisation

Page 3: Balancing Safety and Privacy - ETSI

Introduction

A first presentation on Data Access Control at ETSI Security Week 2016

IIoT is not IoT (safety, performance, resilience…)

GDPR is about data protection to ensure the essential rights and freedoms of citizens

– Privacy gets the most focus, although it is only part of that

– No data ownership, but rights on the data processing

Gaining data processing rights is essential to conduct business

The "bad" news: the GDPR applies to smart Personal Protective Equipment & other wearables

– Article 88 (processing in the context of employment) extends it to the working environment

– Penalties can also apply to organisations (= the customer) that do not sell IoT or IIoT

– Workers' privacy concerns are higher than those of ordinary citizens (works councils, unions…)

– You have to get worker consent despite GDPR exemptions (human factor)

The good news:

– The GDPR is an enabler of trust and thus of massive worker adoption

– There exist adequate designs, processes and technical solutions

Page 4: Balancing Safety and Privacy - ETSI

The smart PPE and its use cases focused on worker safety

Virtualised safety features in a single PPE (the safety shoes):

• Man-down

• Panic button

• Fall detection

• Geofencing

• Mass emergency notification

• Danger notification

Page 5: Balancing Safety and Privacy - ETSI

Geolocation is an extremely sensitive set of data for workers: it is one of the red lines (and not only in France)

For most workers: privacy = geolocation

Safety does not require tracking

Only 4 cases for sending geolocation to employers:

– When a worker wilfully sends an emergency signal

– When an emergency signal is sent by the device because the worker does not move AND does not respond to the doubt-removal procedure (man-down)

– When a worker identifies a danger and wilfully notifies the application

– When the worker receives an emergency mass notification

Need to watch out for potential abuses (deviations from purpose)

How did we get to this result?
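The four-case rule above is a design constraint on the device, not just a policy statement. The following Python is an added example, not Intellinium's firmware: a small event-gated state machine in which a position can only leave the device through one purpose-checked, logged choke point, the man-down path only fires after immobility plus an unanswered doubt-removal prompt, and an out-of-band "where is the worker now" query is refused. The timer values, purpose names and function names are assumptions made for the illustration.

```python
"""Event-gated geolocation release for a man-down / panic-button PPE device.

Added example (not Intellinium's code). The device never reports its position
periodically: a position leaves the device only through one choke point,
tagged with one of the four purposes on the slide, and every release is logged.
Timer values and purpose names are assumed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

IMMOBILE_SECS = 60       # assumed: no motion for this long starts doubt removal
ACK_TIMEOUT_SECS = 30    # assumed: time the worker has to answer the prompt

# The only purposes under which a position may be transmitted (the slide's four cases).
ALLOWED_PURPOSES = {"panic", "man-down", "danger-report", "mass-alert"}


@dataclass
class Release:
    purpose: str
    at: float


@dataclass
class Device:
    last_motion: float = 0.0
    prompt_at: Optional[float] = None       # when doubt removal started, if running
    releases: List[Release] = field(default_factory=list)  # audit trail of positions sent

    def _release(self, purpose: str, now: float) -> Release:
        """Single choke point for outgoing positions: purpose-checked and logged, so a
        deviation from purpose (e.g. plain tracking) is refused rather than served."""
        if purpose not in ALLOWED_PURPOSES:
            raise PermissionError(f"purpose {purpose!r} may not release geolocation")
        rel = Release(purpose, now)
        self.releases.append(rel)
        return rel

    # Worker-initiated or inbound events: three cases that release a position at once.
    def on_panic(self, now: float) -> Release:
        return self._release("panic", now)

    def on_danger_report(self, now: float) -> Release:
        return self._release("danger-report", now)

    def on_mass_alert(self, now: float) -> Release:
        return self._release("mass-alert", now)

    # Sensor and UI events feeding the man-down logic.
    def on_motion(self, now: float) -> None:
        self.last_motion = now
        self.prompt_at = None           # any movement cancels a pending prompt

    def on_doubt_removal_ack(self, now: float) -> None:
        """Worker answered the prompt: no alarm and no position sent."""
        self.prompt_at = None
        self.last_motion = now

    def tick(self, now: float) -> Optional[str]:
        """Periodic call. Returns 'prompt' when doubt removal starts, 'man-down' when
        the alarm fires (the only tick that releases a position), else None."""
        if self.prompt_at is None:
            if now - self.last_motion >= IMMOBILE_SECS:
                self.prompt_at = now
                return "prompt"
            return None
        if now - self.prompt_at >= ACK_TIMEOUT_SECS:
            self._release("man-down", now)
            self.prompt_at = None
            self.last_motion = now
            return "man-down"
        return None


def employer_location_query(device: Device, now: float) -> bool:
    """An out-of-band 'where is the worker right now?' request. Returns whether a
    position was released; by construction the answer is always False."""
    try:
        device._release("tracking", now)
        return True
    except PermissionError:
        return False
```

The audit trail in `releases` is what makes "deviations from purpose" detectable afterwards: every position that ever left the device carries the purpose it was sent under, so a count of releases that is out of proportion with logged emergencies is itself the signal to investigate.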

Page 6: Balancing Safety and Privacy - ETSI

Matching GDPR & IIoT: the common sense axis

Preliminary: use common sense and be reasonable (= your mindset)

Step 1: Identify the minimum personal data needed to deliver added-value services to your customer (= your business)

Step 2: Talk to management and explain that the technology can (and must) address societal issues (for instance, tracking workers might really be a bad idea) (= your client)

Step 3: Talk early and diligently to workers & their councils to learn what is acceptable and what is not (= your end-user)

Step 4: Prevent your tool from becoming a "data open bar" for the employer or third parties (= your product)

Step 5: Once the field has been properly prepared with all stakeholders, run a formal GDPR analysis with a DPIA and, where the DPIA leaves a high residual risk (Article 36), prior consultation with the supervisory authority; be prepared to spend time and resources writing documents (and/or paying consultants) (= the law)

Step 6: Communicate, answer workers' questions, and write a simple & unambiguous commitment stating what you collect and for which purpose (= your moral liability towards stakeholders)

Page 7: Balancing Safety and Privacy - ETSI

Matching GDPR & IIoT: the methodological axis

Use case breakdown: each sub-case is the responsibility of one entity

(1) Business, the core (diagram): Use cases → pick one → Sub-case → Personal data set, Purpose, Flow (the original figure links each sub-case to its personal data set(s), purpose and flow(s), with cardinalities marked n and 1)

(2) Legal:

– Data protection objectives

– Other regulatory requirements

– Confidentiality policy

  – Consent form

– Data protection impact assessment

– Data subjects' rights implementation

– Accountability (data flow)

– Implement injunctions

Page 8: Balancing Safety and Privacy - ETSI

Data controller and data processor in the value chain: the key to understanding your liability

The product:

Activity                                   Primary role
Hosting data                               (instructed) processor
Hosting a service                          (instructed) processor
Deciding purpose and means of processing   controller
Buying a service                           ?

The controller is liable

Joint controllers determine their respective responsibilities

Workers see only one controller

Balance of responsibilities depends on the setup

– Who handles the risks and gets the benefits?

Example with the man-down use case breakdown (one possible configuration):

Entities: Client A (the workers' employer), Distributor B, Smart PPE supplier C, Emergency responders D. Joint controllers, with higher liability on C.

• Client A: buys man-down as COTS; solely stores time and type of accident for reporting purposes

• Smart PPE supplier C: fully manages man-down detection (why and how)

• Acting as an instructed processor: transfers time and type of accident according to instructions from C

Page 9: Balancing Safety and Privacy - ETSI

Introduction to Attribute Based Encryption: enforcing access control in the value chain

Versatile encryption scheme standardised by ETSI TC CYBER for data access control

Many-to-many encryption that scales, based on a secret sharing scheme mapped to attributes and policies

– Master Secret Key, Master Public Key, Secret Keys and ciphertexts

ABE can support the GDPR; it allows security by default and privacy by design to be implemented

Figure (roles and steps):

1. The cryptosystem controller sets up the system (Master Secret Key, Master Public Key)

2. The cryptosystem controller provisions secret keys (Ksec) to the data originator and the data recipients

3. The data originator encrypts under the Master Public Key (MPK)

4. Data recipients decrypt with their secret keys

5. Recipients transform the data (e.g. analytics)

6. Recipients can encrypt as well (under MPK)

Recipients can become contributing third parties (e.g. as data processors)

– Different entities or business processes

Access control still applies according to the rules set by the cryptosystem controller; for the GDPR, access control policies are mapped to purposes
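The mechanism on this slide, as an added example that is neither Intellinium's code nor the ETSI specification: a Python toy that keeps the access-structure part of ABE (a policy tree of threshold gates, the data key shared down the tree with one share per attribute leaf, reconstruction only for a satisfying attribute set) and drops the pairing-based blinding. Because the leaf shares sit in the clear inside the ciphertext, it is not secure; its point is to show how a purpose-bound policy such as the man-down breakdown on the previous slide maps onto attributes and policies. Attribute names, purposes, the policy helpers and the SHA-256 keystream are assumptions made for the illustration.

```python
"""Toy attribute-based encryption built on threshold secret sharing.

Added example (not Intellinium's code, not the ETSI scheme). Faithful only to
the access-structure logic: policy tree of k-of-n gates, data key shared down
the tree, one share per attribute leaf, reconstruction iff the attributes
satisfy the policy. Real ABE blinds the shares with pairing-based keys so the
ciphertext alone reveals nothing; here shares are in the clear, so this is NOT
secure. Attribute names and purposes are assumed for illustration."""
import hashlib
import secrets

P = (1 << 127) - 1  # prime field for Shamir sharing


def _share(secret, k, n):
    """Shamir split: random degree-(k-1) polynomial with constant term `secret`."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = {}
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation at x
            y = (y * x + c) % P
        shares[x] = y
    return shares


def _reconstruct(points):
    """Lagrange interpolation at x=0 over exactly k points {x: y}."""
    total = 0
    for i, yi in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


# Policy tree nodes: ("attr", name) or (k, [children]) meaning k-of-n (assumed helpers).
def attr(name):
    return ("attr", name)


def all_of(*children):
    return (len(children), list(children))


def any_of(*children):
    return (1, list(children))


def split_policy(node, secret):
    """Share `secret` down the tree; returns {attribute: share} for the leaves.
    Assumes each attribute name appears at most once in the policy."""
    if node[0] == "attr":
        return {node[1]: secret}
    k, children = node
    shares = _share(secret, k, len(children))
    out = {}
    for idx, child in enumerate(children, start=1):
        out.update(split_policy(child, shares[idx]))
    return out


def recover(node, attrs, leaf_shares):
    """Return the secret at `node` if `attrs` satisfy the subtree, else None."""
    if node[0] == "attr":
        return leaf_shares[node[1]] if node[1] in attrs else None
    k, children = node
    got = {}
    for idx, child in enumerate(children, start=1):
        val = recover(child, attrs, leaf_shares)
        if val is not None:
            got[idx] = val
            if len(got) == k:               # enough satisfied children: interpolate
                return _reconstruct(got)
    return None


def _xor_stream(key, data):
    """Toy SHA-256 counter-mode keystream, a stand-in for a real AEAD."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt(policy, plaintext):
    """Ciphertext = policy + per-attribute shares of a fresh data key + payload."""
    data_key = secrets.randbelow(P)
    key = hashlib.sha256(data_key.to_bytes(16, "big")).digest()
    return {"policy": policy, "shares": split_policy(policy, data_key),
            "ct": _xor_stream(key, plaintext)}


def decrypt(ciphertext, attrs):
    """A recipient holding `attrs` recovers the payload iff the policy is satisfied."""
    data_key = recover(ciphertext["policy"], set(attrs), ciphertext["shares"])
    if data_key is None:
        return None
    key = hashlib.sha256(data_key.to_bytes(16, "big")).digest()
    return _xor_stream(key, ciphertext["ct"])


# Purpose-bound policies for the man-down record (assumed attribute names):
# responders read it while handling the alarm, the employer only for reporting,
# and the position field is reserved to the responders.
ACCIDENT_POLICY = any_of(all_of(attr("role:emergency_responder"), attr("purpose:man_down")),
                         all_of(attr("org:client_A"), attr("purpose:reporting")))
LOCATION_POLICY = all_of(attr("role:emergency_responder"), attr("purpose:man_down"))
```

Encoding the purpose as an attribute, as in `ACCIDENT_POLICY`, is what the slide means by mapping access control policies to purposes: the same record is readable by the employer under "reporting" and by responders under "man-down", while the position is encrypted under a policy the employer cannot satisfy at all, so purpose limitation is enforced by the key material rather than by the server that hosts the data.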

Page 10: Balancing Safety and Privacy - ETSI

Attribute Based Encryption in the IIoT value chain: data lake, data streams and boundaries

Figure: a data lake whose data controller(s) share the cryptosystem; data streams from the PPE provider, the employer and an insurer (and possibly others, marked "+?"), with a GDPR boundary drawn between them.

ABE applicability to the GDPR

Data annotation and traceability are necessary for compliance

Crossing a GDPR boundary requires a joint-controller arrangement, anonymous data, or consent

Page 11: Balancing Safety and Privacy - ETSI

Conclusion

The "Data Far West" should be behind us

Compliance is possible: follow a positive, open and reasonable approach

You don't own end-user data, but you can use it through your products

Privacy concerns apply worldwide (North America, Asia…)

Data access control mechanisms such as ABE can also protect the assets of many stakeholders on the same device

Data annotation and traceability will be critical for complex systems

There is ongoing work to solve technical issues related to privacy and data protection in ETSI TC CYBER

Page 12: Balancing Safety and Privacy - ETSI

Thank you!