PRIVACY 12212012
JOHN BORKING
THE BEGINNING OF A BIG REVOLUTION?
• WHAT DO NEW YORK, DJERBA, BALI, MOMBASSA, ISTANBUL, DJAKARTA, MOSCOW, MADRID, BESLAN, LONDON HAVE IN COMMON?
• SERIOUS THREATS FROM CRIMINALS AND TERRORISTS
• THE THIRD COUNTRIES HAVE-NOTS CLAIMING THEIR SHARE
• WESTERN CITIZENS TROUBLED AND FEELING VULNERABLE
REACTION +
• CHANGING SECURITY AND PRIVACY ENVIRONMENT
– Zero sum game Privacy vs. Security
– Public accepts less privacy (I have nothing to hide)
– Public safety vs. privacy
– Citizens: I trust the government attitude
• ANTI-TERRORIST LEGISLATION
– US Patriot Act, Bill about Lawful Access, EU Retention of Traffic Data, PNR-data, Council of Europe Convention on Cyber-Crime etc. etc.
• MORE POLICIES MANDATING INDIVIDUALS’ PERSONAL INFORMATION
+ OUR SOCIETY NOW
• KEY DRIVER: CONNECTIVITY
• IN AN URBANIZED, CONSUMERIST AND WIRED WORLD
• LEADING TO: CONTINUOUS RECORD KEEPING OF INDIVIDUALS BY PUBLIC AND PRIVATE SECTOR
• EGALITARIAN AND DEMOCRATIC PRESSURES TO DISCLOSE
WILL ORWELL’S PROPHECY COME TRUE?
PRIVACY INVASIVE TECHNOLOGIES
Spielberg:
• IDENTIFICATION THROUGH BIOMETRIC CHARACTERISTICS
• SURVEILLANCE TOOLS
But already much more:
• DATA MINING, WEB TRACKING, VIDEO CAMERAS IN THE STREET, RFIDs
• THREATS: MANIPULATION AND MISUSE OF POWER
IS PRIVACY UNDER SIEGE?
BACKGROUND: PRIVACY & PERSONAL DATA
• THE CLAIM OF INDIVIDUALS TO DETERMINE WHAT INFORMATION ABOUT THEMSELVES IS KNOWN TO OTHERS, WHEN AND HOW USED (WESTIN 2005)
• A BLOCKING POWER
PERSONAL DATA
• PERSONAL DATA: ANY INFORMATION RELATING TO AN IDENTIFIED OR IDENTIFIABLE NATURAL PERSON
• AN IDENTIFIABLE PERSON IS ONE WHO CAN BE IDENTIFIED, DIRECTLY OR INDIRECTLY, IN PARTICULAR BY REFERENCE TO AN IDENTIFICATION NUMBER OR TO ONE OR MORE FACTORS SPECIFIC TO HIS PHYSICAL, PHYSIOLOGICAL, MENTAL, ECONOMIC, CULTURAL OR SOCIAL IDENTITY (95/46/EC Article 2 - Recital 26 Disproportionate time, effort and labour)
YES, PRIVACY IS AT RISK IN THE NAME OF SECURITY 1
• THE NEED TO IDENTIFY INDIVIDUALS FASTER, MORE ACCURATELY, AND MORE RELIABLY;
• THE NEED TO AUTHENTICATE THE IDENTITIES OF INDIVIDUALS, TO VERIFY THEIR CREDENTIALS AND AUTHORIZATIONS;
• THE NEED TO CHECK BACKGROUNDS AND HISTORIES, PATTERNS OF ASSOCIATION, TO CHECK NAMES AGAINST WATCH LISTS AND NO-FLY LISTS;
• THE NEED TO ACCESS DATA QUICKLY FROM MANY SOURCES, BOTH PUBLIC & PRIVATE, AND ACROSS NUMEROUS JURISDICTIONS
YES, PRIVACY IS AT RISK IN THE NAME OF SECURITY 2
• THE NEED TO INTERCEPT COMMUNICATIONS AND MONITOR TRAFFIC PATTERNS OF ACTIVITY;
• THE NEED TO LINK, CORRELATE, AND SIFT THROUGH MASSIVE AMOUNTS OF PERSONAL DATA, LOOKING FOR PATTERNS UNKNOWN;
• THE NEED TO SHARE DATA AND INTELLIGENCE ACROSS DIFFERENT JURISDICTIONS AND DOMAINS – ALL IN REAL TIME;
• THE NEED TO MAKE ASSESSMENTS AND JUDGEMENTS ABOUT PEOPLE, THAT MAY BE QUESTIONABLE AT BEST, AGAIN IN REAL OR NEAR-REAL TIME. (COMMISSIONER CAVOUKIAN 2005)
SCENARIOS (1996 NLDPA)
• THE STATE AS BIG BROTHER
– STRONG GOVERNMENT
– ADVANCED ICT
– SEPARATION OF POWERS FADING AWAY
– NO PRIVACY BUT CONFORMITY
• THE STATE AS LITTLE SISTER
– WEAK GOVERNMENT
– COMMERCE AND INDUSTRY TAKING OVER TASKS OF GOVERNMENT
– NO PRIVACY: PSYCHOGRAPHIC PROFILES
EU PIM SCENARIOS (2001) WATCH THE SIGNS
[Figure: Privacy & Identity Management over Time, from Today: + scenario, = scenario, - scenario]
SCENARIOS
– “Positive”: Identity Management integrated with Privacy Protection adds value for users, business and government. PIM is becoming more and more important, policy makers address PIM in new regulations, users need new PIM products to meet their needs, etc.
– “Steady state”: Identity Management and Privacy Protection are two different worlds. Privacy Protection is for niche markets with a strong battle between Legal Enforcement and Privacy Protection. PIM will grow slowly in special markets and deliver only a baseline protection.
– “Negative”: Users are not interested in Identity Management and Privacy Protection, but more in active use of their profiles by business and government for added value and cheaper services. PIM is becoming less important, PIM regulation will be stripped, users lose interest, PET companies go bankrupt, etc.
ARE WE TOO PESSIMISTIC?
RAPID CHANGE FOMENTS UNCERTAINTY AND CONFUSION
• THERE ARE KNOWN KNOWNS. THERE ARE THINGS WE KNOW WE KNOW. WE ALSO KNOW.
• THERE ARE KNOWN UNKNOWNS. THAT IS TO SAY WE KNOW THERE ARE SOME THINGS, WE DO NOT KNOW
• BUT THERE ARE ALSO UNKNOWN UNKNOWNS, THE ONES WE DON’T KNOW, WE DON’T KNOW.
Donald Rumsfeld 12-02-2002
1994 WHERE WE THOUGHT WE WERE GOING
• THE WORLD WAS ON A ROAD TO PEACE
• GLOBALIZATION WAS RAMPING UP
• CORPORATE INNOVATION WAS CREATING VALUE AND WEALTH
• WE WERE CONNECTED BY WWW
• AND TEN YEARS LATER?
2004 DID WE EXPECT THIS DEVELOPMENT?
• BUSH DOCTRINE: US WAGING WAR ON IRAQ AND TERRORISM
• THE RISE OF CHINA AS ECONOMIC SUPER POWER
• EUROPEAN UNION 25 MEMBERS +
• STRONG EURO
• ERA OF OFFSHORING AND OUTSOURCING
PRIVACY: A WESTERN LUXURY?
GLOBALIZATION
– THE URGENT NEED FOR A WORLDWIDE PRIVACY PROTECTION BECAUSE OF ASYMMETRIES IN INFORMATION DISTRIBUTION
• BY INTERNATIONAL LAW?
– DATA PROTECTION HAS REACHED THE STATUS OF A UNIVERSALLY ACCEPTED CONCEPT, EVEN IF IT STILL FALLS SHORT OF A UNIVERSALLY ENFORCEABLE RIGHT. (BURKERT 2005)
• OR BY PRIVACY ENHANCING TECHNOLOGIES AND PRIVACY STANDARDIZATION?
PROTECTION BY INTERNATIONAL LAW?
• UNITED NATIONS PRIVACY TREATY?
– United Nations Guidelines Concerning Computerized Personal Data Files which were adopted by the General Assembly on 14 December 1990
• FOUR DIFFERENT LEGAL SYSTEMS
– ROMAN/FRENCH/GERMAN CONTINENTAL SYSTEM
– ANGLO-SAXON COMMON LAW SYSTEM
– ISLAM RELIGIOUS (SHARIA) LAW SYSTEM
• TUNISIA AND PAKISTAN
– SOCIALIST LEGAL SYSTEM
• CHINA
CULTURAL DIVIDE EU & US
• FUNDAMENTAL HUMAN RIGHT VS COMMODITY
• PRIVACY ISN’T AN ABSOLUTE GOOD AS IT IMPOSES REAL COSTS ON SOCIETY (West vs. FCC 1999 - US Court of Appeal 10th Circuit)
• FASTER DECLINE OF ANONYMITY
• MANY CONSUMER PRIVACY BREACHES
• OPTING-OUT VS OPTING-IN
• SELF REGULATION OR CONTRACT VS STATE SUPERVISION
• NO PRIVACY COMMISSIONER
• US SAFE HARBOR SYSTEM
• BINDING CORPORATE RULES
• NO INFORMATION WALLS (Senator McGovern)
• SPAM LOBBY / NO CALL LISTS
10 YEARS OF EU PRIVACY DIRECTIVES
• GLOBAL SATISFACTION BUT A LACK OF HARMONIZATION (EU REPORT MAY 2003)
• NO AWARENESS OF CITIZENS ABOUT
• PRIVACY RIGHTS: 68%
• DPA/PRIVACY COMMISSIONER: 68%
• PETS: 72%
• COMPLAINTS: 67%
• VERY FEW COURT CASES
(SOURCE EUROBAROMETER)
• OUTDATED CONCEPTS? REVISION OF 95/46/EC: 2015
IN THE MEANTIME:
EU PRIME RESEARCH INCREASING PET TOOLS BOX
OBJECTIVE: EMPOWERING THE INDIVIDUAL, BUILDING-IN PRIVACY PROTECTION, KEEPING BIG BROTHER OUT
BORKING CONSULTANCY
WHAT IS PET?
Technologies & information architectures that ENHANCE, thus improve or increase the protection of the Privacy of the citizen.
RESEARCH TOPICS SOCIO-ECONOMIC (2005)
– BUSINESS CASE MODELS PET & IM COSTS, REVENUE-MODELS, ECONOMIC INCENTIVES, CITIZENS AS COUNTERVAILING POWER?
– PRIVACY EXPERIENCE OF THE CITIZENS. IS PRIVACY A LUXURY GOOD?
– ANALYSIS OF DIGITAL IDENTITY SERVICES, E.G. CONDITIONS FOR RELIABLE SYSTEMS
– WHAT ARE BEST APPROACHES/CONDITIONS TO STIMULATE PET & IM PRODUCERS/VENDORS?
ECONOMIC IMPACT OF THE CONSUMER/CITIZEN?
• ON CONSUMER ATTITUDES MANY MODELS MAPPING STIMULI & THE ATTITUDE OF THE INDIVIDUAL DURING THE BUYING PROCESS OF GOODS AND SERVICES. ALSO APPLICABLE TO PRIVACY NEEDS?
• DO CONSUMERS HAVE ECONOMIC POWER AND COULD THEY FORCE PROVIDERS TO COMPLY WITH THEIR PRIVACY NEEDS? OPERATING AS ONE GROUP?
• WOULD CONSUMERS DISCOVERING AN UNSATISFYING LEVEL OF PRIVACY PROTECTION DIVERT TO A COMPETITOR THAT WOULD DO BETTER? ASYMMETRY OF INFORMATION BETWEEN THE CONSUMERS AND SUPPLIERS?
RESEARCH TOPICS
– END TO END IDENTITY MANAGEMENT SYSTEMS
– PRIVACY SAFE RFIDS
– IDENTITY MANAGEMENT POLICIES AND ONTOLOGY
– IDENTITIES LIFE CYCLE MANAGEMENT
– PRIVACY MANAGEMENT SYSTEMS
– AUTOMATIC ENFORCEMENT
– CONTROLLED DISSEMINATION OF AUTHENTICATED INFORMATION
WORLDWIDE PROTECTION BY PRIVACY STANDARDIZATION
DEVELOPMENTS
• THE WROCLAW RESOLUTION 2004
• THE EXISTING INTERNATIONAL STANDARD ISO/IEC IS 15408-1, -2, AND -3 COMMON CRITERIA (CC)
• A GROWING NEED FOR EVALUATING CLAIMS FOR PRODUCTS THAT THESE PROVIDE OR ENHANCE “PRIVACY”
THE CONSEQUENCES OF THE WROCLAW RESOLUTION: THE NECESSITY TO:
1. DEVELOP A MODEL PRIVACY TECHNOLOGY STANDARD THAT ENFORCES PRIVACY LEGISLATION AS “CHECKLIST” FOR EVERY STANDARD
&
2. ENABLE PRIVACY AND DATA PROTECTION COMMISSIONERS TO HAVE A MEANINGFUL AND SUBSTANTIAL ROLE IN THE WRITING AND APPROVAL OF PRIVACY STANDARDS TO PREVENT PRIVACY INVASIVE STANDARDS
*As a first step and as catalyst: The Wroclaw Foundation*
LINE OF DEVELOPMENT FROM PRIVACY LAW TO PRIVACY STANDARDS
• 2006
– Harmonized set of Fair Information Practices
– Working draft of a Global Privacy Standard Framework (Pre-PAS submission)
• Develop working relationships with ISO, other partners
• 2007/8
– A streamlined cost effective PET evaluation methodology to be used by public and private sector for designing & deploying personal data processing systems
• 2008/9/10
– ISO Comprehensive set of privacy standards
– Comprehensive, global accreditation authority, model and process based on the set of privacy standards
CONCLUSION 1
• DAILY PRIVACY CONSCIOUSNESS IS LOW
• INFORMATION PRIVACY IS AT RISK
• STAMINA IS NECESSARY IF WE WANT TO KEEP PRIVACY AS A HUMAN RIGHT
• THE SOLUTION IS THERE TOO. TECHNOLOGY DEVELOPERS HAVE THE POWER TO IMPLEMENT PRIVACY PROTECTING TECHNOLOGIES. THE IMPLEMENTATION OF PRIVACY LEGISLATION IN TECHNOLOGY IS ACHIEVABLE, HOWEVER WE NEED PRIVACY STANDARDS
CONCLUSION 2
• IF POSITIVE SCENARIO, THEN
– NEW TECHNO-LEGAL GLOBAL DATA PROTECTION
– BUILT-IN PREVENTIVE PERSONAL DATA PROTECTION
– INTEGRATION: USER-INFRASTRUCTURE-ENTERPRISE
– PRIVACY PRODUCTS AND SERVICES THAT WORK
– USER CENTRIC APPROACH (HCI AND DEPLOYMENT OF PRIVACY ICONS)
– ENFORCEMENT ARCHITECTURE (PRIVACY MANAGEMENT SYSTEMS)
– A MODEL PRIVACY STANDARD AND A PET EVALUATION STANDARD
FOR MORE INFORMATION:
http://istresults.cordis.lu/index.cfm/section/news/tpl/article/BrowsingType/Features/ID/70244
Thank you
ON PRIME: