© Intellinium 2018. All rights reserved
Balancing Safety and Privacy
GDPR compliance in the industrial IoT
ETSI Security Week, June 12, 2018
François AMBROSINI, Mathieu DESTRIAN
IBIT & Intellinium
The first smart and connected safety shoes to protect and save workers’ lives anywhere, anytime.
& Consultancy on security and privacy, Munich (Germany)
• Virtual radios, IoT, access control & attribute-based encryption…
• From prototyping to standardisation
Introduction
• A first presentation on Data Access Control at ETSI Security Week 2016
• IIoT is not IoT (safety, performance, resilience…)
• GDPR is about data protection to ensure the essential rights and freedoms of citizens
– Privacy gets the most focus although it is only part of that
– No data ownership, but rights on the data processing
• Gaining data processing rights is essential to conduct business
• The “bad” news: the GDPR applies to smart Personal Protective Equipment & other wearables
– Article 88 extends to the working environment
– Penalties can also apply to organisations (= customers) that do not sell IoT or IIoT
– Workers’ privacy concerns are higher than those of normal citizens (workers’ counsel, unions…)
– You have to get worker consent despite GDPR exemptions (human factor)
• The good news:
– The GDPR is an enabler of trust and thus of massive worker adoption
– There exist adequate design, processes and technical solutions
The smart PPE and its use cases focused on worker safety
Virtualised safety features into a single unique PPE (the safety shoes):
• Man-down
• Panic button
• Fall detection
• Geofencing
• Mass emergency notification
• Danger notification
• …
For most workers: privacy = geolocation
Geolocation is an extremely sensitive set of data for workers. It’s one of the red lines (and not only in France).
• Safety does not require tracking
• Only 4 cases for sending geolocation to employers:
– When a worker wilfully sends an emergency signal
– When an emergency signal is sent by the device because the worker does not move AND does not answer the doubt removal procedure (man-down)
– When a worker identifies a danger and wilfully notifies the application
– When the worker receives an emergency mass notification
• Need to watch out for potential abuses (deviations from purpose)
• How did we get to this result?
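The four release cases above, written as a device-side gate that only attaches the worker's position when one of them applies and tags the record with its purpose, plus an audit that flags positions released outside those purposes. This is an added illustration, not Intellinium's firmware; event names, fields and coordinates are constructed.

```python
from dataclasses import dataclass

# Added illustration (not Intellinium's firmware): a device-side gate that releases
# the worker's position to the employer only for the four triggers on the slide,
# tags each released record with its purpose, and an audit that flags records
# carrying a position outside those purposes (a deviation from purpose).
RELEASE_PURPOSES = {
    "panic_button": "worker wilfully sent an emergency signal",
    "man_down": "no movement and no answer to the doubt removal procedure",
    "danger_report": "worker wilfully notified a danger",
    "mass_notification": "worker received an emergency mass notification",
}


@dataclass
class RawEvent:
    kind: str
    position: tuple                      # (lat, lon) sensed on the PPE, constructed
    moved: bool = True                   # man-down only: did the worker move?
    answered_doubt_removal: bool = True  # man-down only: did the worker answer?


def gate(ev):
    """Record sent to the employer: position and purpose only when a trigger applies."""
    if ev.kind == "man_down":
        # the device alarm counts only when the worker neither moved nor answered
        triggered = not ev.moved and not ev.answered_doubt_removal
    else:
        triggered = ev.kind in RELEASE_PURPOSES
    return {
        "kind": ev.kind,
        "purpose": RELEASE_PURPOSES[ev.kind] if triggered else None,
        "position": ev.position if triggered else None,
    }


def audit(records):
    """Flag stored records that carry a position without one of the allowed purposes."""
    return [r for r in records
            if r.get("position") is not None
            and r.get("purpose") not in RELEASE_PURPOSES.values()]


def demo():
    pos = (43.60, 1.44)  # constructed sample coordinates
    sent = [gate(RawEvent("heartbeat", pos)),
            gate(RawEvent("man_down", pos, moved=False, answered_doubt_removal=True)),
            gate(RawEvent("man_down", pos, moved=False, answered_doubt_removal=False)),
            gate(RawEvent("panic_button", pos))]
    stored = sent + [{"kind": "heartbeat", "purpose": None, "position": pos}]  # deviation
    return [r["position"] is not None for r in sent], len(audit(stored))
```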
Matching GDPR & IIoT: the common sense axis
Preliminary: Use common sense and be reasonable (= your mindset)
Step 1: Identify the minimum personal data that is needed to deliver added-value services to your customer (= your business)
Step 2: Talk to management and explain that the technology can (and must) address societal issues (for instance, tracking workers might really be a bad idea) (= your client)
Step 3: Talk early and diligently to workers & their counsels to know what is acceptable and what is not (= your end-user)
Step 4: Prevent your tool from becoming a « data open bar » for the employer or third parties (= your product)
Step 5: Once the field has been properly prepared with all stakeholders, use a formal GDPR analysis with a DPIA & consultation with the supervisory authority, and be prepared to spend time and resources writing documents (and/or to pay consultants) (= the law)
Step 6: Communicate, answer workers’ questions, write simple & unambiguous engagements about what you take and for which purpose (= your moral liability towards stakeholders)
Matching GDPR & IIoT: the methodological axis
[Diagram: the use cases are picked one at a time and broken down into sub-cases; each sub-case is described by its personal data set, its purpose and its data flow, with the cardinalities of these relations marked on the diagram.]
Use case breakdown: each sub-case is the responsibility of one entity.
Around the core, on the (1) Business and (2) Legal axes, the diagram lists:
• Data protection objectives
• Other regulatory requirements
• Confidentiality policy
– Consent form
• Data protection impact assessment
• Data subjects’ rights implementation
• Accountability (data flow)
• Implement injunctions
Data controller and data processor in the value chain: the key to understanding your liability
The product:
Activity                                    Primary role
Hosting data                                (instructed) processor
Hosting a service                           (instructed) processor
Deciding purpose and means of processing    controller
Buying a service                            ?
• The controller is liable
• Joint controllers determine their respective responsibilities
• Workers see only one controller
• Balance of responsibilities depends on setup
– Who handles the risks and gets the benefits?
Example with the man-down use case breakdown (one possible configuration):
[Diagram: Client A, Distributor B, Smart PPE Supplier C, Emergency Responders D, and A’s workers; joint controllers with higher liability on C. Roles noted on the diagram:]
• Transfers time and type of accident according to instructions from C
• Buys man-down as COTS
• Solely stores time and type of accident for reporting purposes
• Fully manages man-down detection (why and how)
Introduction to Attribute Based Encryption: enforcing access control in the value chain
• Versatile encryption scheme standardised by ETSI TC CYBER for data access control
• Many-to-many encryption that scales, based on a secret sharing scheme mapped to attributes and policies
– Master Secret Key, Master Public Key, Secret Keys and ciphertexts
• ABE can support the GDPR and allows one to implement security by default and privacy by design
[Diagram: the cryptosystem controller (1) sets up the cryptosystem and (2) provisions keys (Ksec) to the data originator and the data recipients, alongside the master public key (MPK); (3) the data originator encrypts; (4) recipients decrypt; (5) recipients may transform the data (e.g. analytics); (6) recipients can encrypt as well.]
• Recipients can become contributing third parties (e.g. as data processors)
– Different entities or business processes
• Access control still applies according to the rules set by the cryptosystem controller; for the GDPR, access control policies are mapped to purposes
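The "secret sharing scheme mapped to attributes and policies" above, as an added illustration that is not ETSI's scheme: a purpose-mapped policy becomes a threshold gate over attributes, the data key is split into one share per attribute, and only a recipient holding enough attribute shares can rebuild it. Real ABE binds these shares to attribute keys with pairings; the attribute names and field size here are constructed.

```python
import secrets

# Added illustration (not ETSI's scheme): the secret-sharing layer that ABE builds
# on. A policy such as "employer safety reporting AND emergency responder" becomes
# a threshold gate; the data key is split into one share per attribute, and only a
# recipient holding enough attribute shares can rebuild it. Real ABE binds the
# shares to attribute keys with pairings; this toy only shows the policy mapping.
P = 2**127 - 1  # prime field for the toy Shamir sharing


def split_under_policy(data_key, attributes, threshold):
    """Split data_key into one share per attribute; any `threshold` shares recover it."""
    assert 1 <= threshold <= len(attributes) and 0 <= data_key < P
    coeffs = [data_key] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    index = {attr: i for i, attr in enumerate(attributes, start=1)}  # attr -> x
    shares = {attr: sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
              for attr, x in index.items()}
    return shares, index


def recover(held, index, threshold):
    """Lagrange interpolation at x=0 from the shares a recipient holds; None if too few."""
    if len(held) < threshold:
        return None
    pts = [(index[a], y) for a, y in list(held.items())[:threshold]]
    total = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def demo():
    """Purpose-mapped attributes: any 2 of 3 may decrypt, a lone insurer share may not."""
    data_key = secrets.randbelow(P)
    attrs = ["employer:safety_reporting", "responder:emergency", "insurer:claims"]
    shares, index = split_under_policy(data_key, attrs, threshold=2)
    pair = {a: shares[a] for a in attrs[:2]}
    alone = {attrs[2]: shares[attrs[2]]}
    return recover(pair, index, 2) == data_key, recover(alone, index, 2)
```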
Attribute Based Encryption in the IIoT value chain: data lake, data streams and boundaries
[Diagram: the data controller(s) (PPE provider, employer, insurance, possibly others) share the cryptosystem; data streams feed a data lake; a GDPR boundary separates the parties.]
• ABE applicability to the GDPR
• Data annotation and traceability are necessary for compliance
• Crossing a GDPR boundary requires joint controllers, anonymous data, or consent
Conclusion
• The “Data Far West” should be behind us
• Compliance is possible: follow a positive, open and reasonable approach
• You don’t own, but can use, end-user data through your products
• Privacy concerns apply worldwide (North America, Asia…)
• Data access control mechanisms such as ABE can also protect the assets of many stakeholders on the same device
• Data annotation and traceability will be critical for complex systems
• There is ongoing work in ETSI TC CYBER to solve technical issues related to privacy and data protection
Thank you !