Transcript of: Cybersecurity: Privacy, Data Protection and Identity (2016-11-23)
Cybersecurity: Privacy, Data Protection and Identity
Marit Hansen, Data Protection Commissioner, Schleswig-Holstein, Germany
Workshop on Cybersecurity Vilnius, 26 October 2016
www.datenschutzzentrum.de
Setting of ULD (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein)
• Data Protection Authority (DPA) for both the public and private sector
• Also responsible for freedom of information
Overview
• Privacy and data protection
• Requirements
  – High level protection goals
  – Legal basis from May 2018
• Solutions
• Conclusion
Data Protection is mainly about human beings with their rights, not about data.
Questions to consider in system design:
• Effects on individuals?
• Effects on society?
Imbalance in power ⇒ data protection necessary
Important: the perspective of the individual
Perspective: Alice & Bob
Information security: the adversary is Eve (or Mallory).
Data protection: the adversary is Bob! (Well, at least he is one of them.)
Data processing ⇒ interference with fundamental rights
Data flow model: enriching information
Possible consequences:
• Personalised ads
• Better/worse credit conditions
• Lower/higher prices
• Getting an insurance (or not)
• Being under suspicion (or not)
• …
At each step, different parties (with different responsibilities) can be involved.
Reference: Marit Hansen: Linkage Control – Integrating the Essence of Privacy Protection into IMS, Proc. eChallenges 2008, pp. 1585-1592
Protection goals: more than IT security
• Confidentiality, Integrity, Availability: the classical IT security protection goals*)
• Unlinkability, Transparency, Intervenability: the additional data protection goals
*) From the data subject’s perspective
Requirements for data protection: consulting the law
The new “General Data Protection Regulation” (GDPR)
• Effective from 25 May 2018
• Single set of rules for all EU Member States
• Scope (“market location principle”):
  – Data controller/processor or the data subject in the EU
  – Also organisations based outside the European Union if they process personal data of EU residents
• Principles like lawfulness, purpose binding, necessity, data minimisation, transparency, intervenability …
• Sanctions
• Data Protection by Design and by Default
Data Protection by Design & by Default
• Art. 25 GDPR
• Targeted at controllers + data processors
• Producers of IT systems “should be encouraged” (Rec. 78)
• Objective: to design systems + services from early on, for the full lifecycle …
  a) … in a data-minimising way
  b) … with the most data protection-friendly pre-settings
Art. 25 Data Protection by Design and by Default
1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, […]
Related: Security by Design
Built-in security, e.g. manufacturers preventing default passwords (or none at all)
Related: Security by Design
http://www.theverge.com/2013/10/21/4863872/dick-cheney-pacemaker-wireless-disabled-2007
http://resources.infosecinstitute.com/hcking-implantable-medical-devices/
Built-in security by removing functionality
WWW with or w/o security?
http://www.theregister.co.uk/2014/10/08/sir_tim_bernerslee_defends_decision_not_to_bake_security_into_www/
“timing and priorities” – security secondary objective …
Solutions: Identity Management
• Different contexts or purposes ⇒ different digital identities
• Proof of attributes instead of identification
Best Practice Data Minimisation: Authentication without identification
Full data set → minimal data set: which data are really necessary for the purpose?
Often not all data are necessary:
• attribute selection
• attribute aggregation
• unlinkability of multiple presentations
Examples: Privacy-ABCs (attribute-based credentials)
Example: Privacy-ABCs in a school communication network
https://abc4trust.eu/soederhamn
Example Privacy-ABCs: a process for exceptionally revealing identity information that requires the involvement of multiple parties
ISO standardisation on identity management
Further (de-facto) standards w.r.t. identities
• IP addresses
• MAC addresses
• Cookies
• Combined data for browser or device fingerprinting
• Location data
• Creditworthiness checks
• Social Media identifiers
• …
Anonymity is difficult to achieve … and highly context-sensitive
• Attempts at anonymity metrics:
  – k-anonymity (1998)
  – l-diversity (2007)
  – t-closeness (2007)
  – t-plausibility (2009)
  – …
• Anonymisation of existing personal data:
  – requires data transformation
  – often: reduction of data quality and utility
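As an added illustration, not part of the slides, the following Python computes k-anonymity and l-diversity for a constructed six-record table before and after one generalisation step; the records, column names and generalisation rules are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample records (not from the slides). zip and age are
# quasi-identifiers that could be linked to outside data; diagnosis is
# the sensitive attribute that should not become attributable.
RECORDS = [
    {"zip": "24103", "age": 29, "diagnosis": "flu"},
    {"zip": "24105", "age": 24, "diagnosis": "asthma"},
    {"zip": "24106", "age": 27, "diagnosis": "flu"},
    {"zip": "24118", "age": 45, "diagnosis": "cancer"},
    {"zip": "24119", "age": 48, "diagnosis": "cancer"},
    {"zip": "24113", "age": 42, "diagnosis": "cancer"},
]
QUASI_IDENTIFIERS = ("zip", "age")
SENSITIVE = "diagnosis"

def generalise(record):
    """One generalisation step: keep only the first two zip digits and
    replace the exact age by a decade bucket. This is the data
    transformation the slide mentions, and it costs precision (utility)."""
    decade = record["age"] // 10 * 10
    return {"zip": record["zip"][:2] + "***",
            "age": f"{decade}-{decade + 9}",
            SENSITIVE: record[SENSITIVE]}

def equivalence_classes(records):
    """Group records that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in QUASI_IDENTIFIERS)].append(r)
    return classes

def k_anonymity(records):
    """k = size of the smallest equivalence class."""
    return min(len(c) for c in equivalence_classes(records).values())

def l_diversity(records):
    """l = fewest distinct sensitive values in any equivalence class;
    a class with l = 1 reveals the sensitive value despite k-anonymity."""
    return min(len({r[SENSITIVE] for r in c})
               for c in equivalence_classes(records).values())

if __name__ == "__main__":
    anon = [generalise(r) for r in RECORDS]
    for name, data in (("raw", RECORDS), ("generalised", anon)):
        print(f"{name}: k={k_anonymity(data)} l={l_diversity(data)} "
              f"distinct quasi-identifier tuples={len(equivalence_classes(data))}")
```

The generalised table reaches k = 3 but only l = 1, because everyone in the 40-49 bucket shares one diagnosis; this gap is what the later metrics in the list (l-diversity, t-closeness) were introduced to close.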
Conclusion
• Requirements analysis necessary – not one size fits all
• Built-in privacy and data protection in products, services, and infrastructures
• The more unlinkability by infrastructure, the more options
• To address:
  – (De-facto) standards
  – Usability issues
  – Incentives (easy + available solutions, advancing the state of the art, enforcement where necessary, business models …)
Funding Notice
• Forum Privatheit und selbstbestimmtes Leben in der Digitalen Welt (Privacy-Forum), partly funded by the German Federal Ministry of Education and Research, www.forum-privatheit.de
• Privacy & Us, partly funded by MSCA-ITN-2015-ETN – Marie Skłodowska-Curie Innovative Training Networks, Project Number 675730, www.privacyus.eu