THEMATIC AREAS OF NIS'09
"Privacy and Security in the Internet of Things"
The emergence of RFID technology has given rise to a broader topic, the Internet of Things (IOT). According to the IOT vision, all objects will carry a unique identity and have the ability to communicate via wireless communication links. In this setup, numerous communication links are established every second between objects that exchange information and make decisions on behalf of their users without requiring the user's intervention. Large-scale adoption of this vision is expected to have a crucial impact on the organisation of industrial processes and on the competitiveness of enterprises. This implies an increased dependency of business and citizens on the underlying ICT infrastructures and the services they support, with increased concerns for security, privacy, and possible threats to civil liberties.
"Privacy and Security in e-Citizen Services"
eCitizen services span different application areas such as eGovernment and eHealth, mainly aiming at enhancing the quality of life of citizens by facilitating their interaction with public services and modernising public administration procedures. The importance of these services, and the information security and privacy challenges and concerns posed by the introduction of new technologies in their provision, make this an important area for the NIS Summer School.
The aim of this session is thus to provide an overview of these main challenges from different viewpoints and to discuss recommended solutions to address them. The four planned lectures, which will be given by speakers from different backgrounds (social, legal & data protection, IT security etc.), will cover various aspects of the discussion on eCitizen services and the information security and privacy considerations they currently raise, so that participants may gain a better understanding of these services and the challenges they pose.
Notably, new technologies such as Web 2.0 technologies, RFID applications and mobile communications are being used, or are expected to be introduced, with a view to improving the quality of the services offered. Therefore, an overview of these new services will be given, presenting what they really provide and the developments currently taking place, so that participants can have a clearer idea of what eCitizen services are all about.
These services have many key requirements: sound identity management, interoperable authentication mechanisms and data protection measures are just some of the many challenges that governments face. Addressing these concerns and meeting these requirements is a priority in our society, since it is imperative to ensure and foster the trust of citizens in these new "enhanced" services. This session will focus on these challenges and risks, providing participants with substantial insight into this debate. The speakers will talk about significant information security and privacy risks and considerations that are raised at the moment and some that may also arise in the near future. To do so more effectively and to provide a better understanding of these issues, real-world examples and use cases from EU member states will also be brought in.
Possible measures currently proposed or envisaged will also be presented and discussed at length, such as the concept of privacy and security by design; privacy impact assessments (PIA) will be presented in more detail, and their benefits and challenges will be further outlined. The topic of identity management, which as mentioned above is very critical and plays a significant and definitive role in this issue, will also be presented in more detail, specifically in relation to existing EU initiatives (e.g. the STORK project: http://www.eid-stork.eu/). The legal aspect of privacy and data protection is equally important to consider, and thus one lecturer will focus on the legal implications and requirements.
For further reading you may refer to the following:
- Regarding possible privacy and security risks of eHealth applications, ENISA has recently conducted a study of possible risks posed by an emerging eHealth monitoring and treatment application. To download the full report, please visit: http://enisa.europa.eu/pages/02_01_press_2009_03_20_being_diabetic_2011.html
- Regarding PIA methodologies, the UK has developed a PIA handbook, which can be found at: http://www.ico.gov.uk/for_organisations/topic_specific_guides/pia_handbook.aspx
- A recent EC Recommendation on RFID applications highlights the importance of performing PIAs: http://ec.europa.eu/information_society/policy/rfid/documents/recommendationonrfid2009.pdf
"Privacy and Security in Social Networks and 3D Social Worlds"
The largest number of personal data profiles on the planet is held not in a government identity registry or one of the much heralded Federated Identity Providers but in the data warehouses of Social Networking providers. Online Social Networking Sites are now among the most visited websites globally. They collect and organise huge amounts of personal data - e.g. over 30 billion images on Facebook - and provide tools for managing that data. Although there has been strong pressure to offer stronger privacy, such providers' economic models rely on exploitation of their personal data stores.
Social networking is becoming the preferred (by end-users) way to manage personal data. It is an area where people take an active interest in how their personal information is managed and displayed rather than being passive account-holders as in most identity management systems. Social engagement provides a much-needed incentive for end-users to engage in processes such as setting privacy rules and providing feedback on spammers.
ENISA's position paper on social networks looked at security and privacy risks in using social networks, including image-based search and the growing use of automated tagging of images with profiles without the consent of the profile owner. ENISA's submission to W3C's workshop on the future of Social Networking also looked at how social networks fulfil all the main criteria to qualify as mainstream identity management applications, how they are starting to be used as a central point in managing identity, and ways of managing the risks associated with this use.
A new trend in social networks is convergence with immersive 3D worlds such as Habbo, Second Life, Kaneva and There. This new breed of social environment gives users a false sense of security with respect to their privacy because their online persona is represented by an avatar, but in fact the privacy risks are every bit as important in such 3D social environments. An ENISA report identifies 12 recommendations to tackle these and other security problems in this area, including key points for awareness-raising campaigns for users, e.g. on child safety and privacy risks.
The ENISA survey of 1,500 respondents in the UK, Sweden and Germany shows that most users of virtual worlds think their avatar cannot reveal anything about their real identity. But an avatar is no different from any other online persona, particularly in so-called "social worlds", i.e. hybrids between online games and social networks. People should take just as much care of their personal data in these environments as in any other online context. Bots can be sprinkled within virtual worlds to spread spam or advertise products, for example.
This session will provide the background necessary to understand the underlying issues and will discuss the current state of the art.
"Privacy and Security in Smart Environments"
The pervasiveness of wireless communications technologies in our daily lives is now commonplace. Wireless networks are starting to be used extensively at home for both work and leisure purposes. Moreover, traditional methods of communication at home, such as telephones, are starting to migrate to wireless IP technologies. This trend results in private information of individuals, such as pictures, videos and conversations, being transmitted over more vulnerable wireless media and protocols. This session will discuss emerging threats and solutions as well as projections on applications of related technologies.
"Enhancing Citizens Confidence in Infrastructures"
Reliable communications networks and services are now critical to public welfare and economic stability. Attacks on the Internet, disruptions due to physical phenomena, software and hardware failures, and human mistakes all affect the proper functioning of public eCommunications networks. Such disruptions reveal the increased dependency of our society on these networks and their services.
Experience has shown that any country, acting independently, may face difficulties in effectively preventing and responding to these types of attacks, which often originate from beyond national and European borders.
The European Commission's Communications highlight the importance of network and information security and resilience. They stress the importance of dialogue, partnership and empowerment of all stakeholders to properly address these threats and, especially, citizens' confidence in infrastructures.
ENISA, fully recognising this need, devised a Multi-annual Thematic Programme (MTP) with the ultimate objective of collectively evaluating and improving the resilience of public eCommunications in Europe and thereby enhancing citizens' confidence in infrastructures.
The EU Commission's recent Communication on CIIP recognises the importance of the area and confirms ENISA's role and expertise in the field.
This session will provide policy makers with useful insights about existing good practices deployed in Member States and the private sector, ideas about possible future national and/or European actions and policies, and perspectives on co-operation among Member States and/or institutional stakeholders. It will offer participants a holistic view of the problem, with emphasis on policy makers. The main questions to be answered are:
- Why is the resilience of public eCommunications networks important?
- Which measures (at the policy, organisational or technical level) were successfully deployed in the last 3-5 years and had significant impact?
- Which measures (at the policy, organisational or technical level) could further enhance the resilience of public eCommunications networks?
- How could Member States and relevant stakeholders co-operate to address problems at national, cross-border, pan-European and even international level? What might be the role of an institution like ENISA?
For further reading you may refer to the following:
- ENISA's Resilience video that presents our work and results achieved
- ENISA stock-taking on 25 national policy and regulatory environments
- ENISA's analysis of Member States' (MS) policy and regulatory environments, including a number of important recommendations
- Development of three good practice guides in the areas of information sharing, exercises and incident reporting
- ENISA work on provider measures: http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_network_provider_measures_on_resilience.pdf
- ENISA work on IPv6, MPLS & DNSSEC: http://www.enisa.europa.eu/sta/files/resilience_features.pdf and http://www.enisa.europa.eu/doc/pdf/resilience_tech_report.pdf
- European Commission's CIIP Communication: http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/index_en.htm
- ENISA's response to the EU Commission's CIIP Communication: http://www.enisa.europa.eu/doc/pdf/CIIP_response.pdf