PRIVACY IN THE DIGITAL SOCIETY

Israel Barroso Pérez
Máster en Ciencia y Tecnología Informática

December 13, 2010


Outline

Introduction
◮ The Origins, The Debate
◮ Privacy Threats

Economics of privacy
◮ The Value of Privacy
◮ Privacy and Business

Privacy-Enhancing Technologies
◮ Languages for Access Control and Privacy Preferences
◮ Data Privacy Protection
◮ Privacy for Mobile Environments

RFID privacy
◮ Privacy Threats
◮ EU Recommendation

Conclusion

Introduction
Origins
◮ Debate:
  → Extremes
◮ Concept:
  → Aristotle
  → John Stuart Mill
  → Margaret Mead
◮ More pragmatically
  → 1898 "The right to be let alone"
◮ 1948
  → Universal Declaration of Human Rights

Introduction
[Figure: Peter Steiner. Privacy]

Introduction
About Digital Society
◮ Lessig in his book "Free Culture"
  → Privacy in terms of friction
  → Reconcile privacy with security
◮ Technology first
  → Now other requirements
  → Technology has matured
  → But no balance between old and new requirements

Introduction
Privacy Threats
◮ Deloitte 2009
◮ Incidents
  → 40% Unauthorized disclosure
  → 30% Theft (disks, laptops)
  → 20% Penetration/hacking
  → 10% Loss of data
◮ Type of Information Exposed
  → 40% PII
  → 30% Social Security Numbers
  → 10% Educational Information
  → 10% Financial Information
  → 5% Medical Information
  → 5% Login Accounts

PRIVACY
1. Introduction
2. The Economics of Privacy
   2.1 The Value of Privacy
   2.2 Privacy and Business
3. Privacy-Enhancing Technologies
4. Privacy and RFID
5. Conclusion

The Economics of Privacy
◮ Strong economic factors influence
◮ K.L. Hui "Economics of Privacy"
◮ Two issues gain most attention
  → The Value of Privacy
  → Coexistence of Business and Privacy

The Value of Privacy
◮ Syverson and Shostack
  → "What price privacy?"
  → Irrational behaviour, small rewards
  → People not able to assess

The Value of Privacy

Culnan and Armstrong
◮ Firms with ethical behaviour
◮ Privacy concerns because of unclear policies
◮ 2008, Tsai addresses the same issue

Grossklags and Acquisti
◮ "When 25 cents is too much"
◮ Willingness to sell

Conclusion
◮ People react negatively when privacy is incomplete...
◮ but, a modest monetary reward is sufficient.

Privacy and Business

Froomkin
◮ "The death of privacy?"
◮ Privacy-destroying technologies
◮ Combination is worst, need for legal responses

Odlyzko
◮ Several works, leading author
◮ Pessimistic view, pressures on the market

Empirical Studies
◮ Forbes 50 and Fortune 500, poor state of privacy policies
◮ Better management of privacy in public bodies

PRIVACY
1. Introduction
2. The Economics of Privacy
3. Privacy-Enhancing Technologies
   3.1 Languages for Access Control and Privacy Preferences
   3.2 Data Privacy Protection
   3.3 Privacy for Mobile Environments
4. Privacy and RFID
5. Conclusion

Privacy-Enhancing Technologies

PETs
◮ Privacy-Enhancing Technologies is a system of ICT measures protecting informational privacy by eliminating or minimising personal data, thereby preventing unnecessary or unwanted processing of personal data
◮ Fostered by Web and Location technologies
◮ Three different contexts
  → Languages for Access Control and Privacy Preferences
  → Data Privacy Protection
  → Privacy for Mobile Environments

PRIME
◮ Privacy and Identity Management for Europe

Languages for Access Control and Privacy Preferences

XACML (eXtensible Access Control Markup Language)
◮ XML-based for access control (OASIS)
◮ Interchange access control policies

P3P (Platform for Privacy Preferences Project)
◮ W3C project, XML-based language
◮ Assess privacy practices of a server provider

EPAL
◮ Enterprise Privacy Authorization Language
◮ For specifying enterprise-based privacy policies

Data Protection Privacy

Anonymity
◮ First in the context of relational databases
◮ Deidentification does not provide full anonymity
◮ Race + date of birth + Zip Code is enough, for instance

Overview European Data Protection Law
◮ European Data Protection Directive 95/47/CE
  → Automated processing of personal data
◮ Directive on Privacy and Electronic Communications 2002/58/CE
  → Data protection in publicly available electronic communications networks
  → Additional obligations concerning data security, communications secrecy, cookies, spam
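
The Anonymity point above (race + date of birth + Zip Code is enough) can be measured on a dataset before it is released. The following is an added example, not part of the original slides: it counts how many records that quasi-identifier combination singles out and shows the effect of generalizing the values. The records, field names and generalization rule are constructed assumptions.

```python
from collections import Counter

# Constructed, de-identified sample (names removed); not real data.
RECORDS = [
    {"race": "A", "dob": "1975-03-12", "zip": "28001", "diagnosis": "asthma"},
    {"race": "A", "dob": "1975-11-02", "zip": "28045", "diagnosis": "diabetes"},
    {"race": "A", "dob": "1975-07-21", "zip": "28009", "diagnosis": "flu"},
    {"race": "B", "dob": "1982-06-30", "zip": "28013", "diagnosis": "asthma"},
    {"race": "B", "dob": "1982-01-19", "zip": "28028", "diagnosis": "migraine"},
    {"race": "B", "dob": "1982-09-05", "zip": "28039", "diagnosis": "flu"},
    {"race": "C", "dob": "1990-04-04", "zip": "41001", "diagnosis": "diabetes"},
    {"race": "C", "dob": "1990-12-25", "zip": "41018", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("race", "dob", "zip")


def class_sizes(records, attrs=QUASI_IDENTIFIERS):
    """Count how many records share each combination of attribute values."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records, attrs=QUASI_IDENTIFIERS):
    """Smallest equivalence class: every record hides among at least k."""
    return min(class_sizes(records, attrs).values())


def unique_fraction(records, attrs=QUASI_IDENTIFIERS):
    """Share of records singled out by the attribute combination alone."""
    sizes = class_sizes(records, attrs)
    singled_out = sum(1 for r in records if sizes[tuple(r[a] for a in attrs)] == 1)
    return singled_out / len(records)


def generalize(record):
    """Coarsen quasi-identifiers: year of birth only, 3-digit ZIP prefix."""
    coarse = dict(record)
    coarse["dob"] = record["dob"][:4]
    coarse["zip"] = record["zip"][:3] + "**"
    return coarse


if __name__ == "__main__":
    released = [generalize(r) for r in RECORDS]
    print("race alone:         k =", k_anonymity(RECORDS, ("race",)))
    print("race + dob + zip:   k =", k_anonymity(RECORDS),
          "unique =", unique_fraction(RECORDS))
    print("after generalizing: k =", k_anonymity(released),
          "unique =", unique_fraction(released))
```

No single attribute here is identifying on its own terms (race alone gives k = 2), but the three together single out every record until the date and ZIP are coarsened.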

Data Protection Privacy

Ley 15/1999 on Data Protection
◮ Article 5: Right to information when data is collected
◮ Article 6: Consent of the data subject
◮ Article 7: Specially protected data
◮ Article 9: Data security
◮ Article 10: Duty of secrecy
◮ Article 11: Disclosure of data
◮ More...

Real Decreto 1720/2007 - Implementation of the LOPD
◮ Data at Low, Medium and High level
◮ Data security measures

Data Protection Privacy

Ley 32/2003 General de Telecomunicaciones (General Telecommunications Act) - Chapter III
◮ Article 33: Secrecy of communications
◮ Article 34: Data protection
◮ Article 38: Rights of consumers and end users

Spanish Constitution
◮ Article 18.1: The right to personal privacy is guaranteed [...]
◮ Article 18.3: The secrecy of communications is guaranteed [...] except by judicial order.
◮ Article 18.4: The law shall limit the use of information technology to guarantee the honour and the personal and family privacy of citizens [...]

Privacy for Mobile Environments

Location information
◮ Great amount of information
◮ Target of location-based attacks
◮ Pessimists have even predicted "Big Brother"

Location Privacy
◮ Right to decide how, when and for which purposes
◮ Duckham and Kulik "Location Privacy and Location-Aware Computing"
  → Unsolicited advertising
  → Physical attacks or harassment
  → User profiling
  → Denial of service

Privacy for Mobile Environments

Location Privacy
◮ Categories of location privacy
  → Identity privacy
  → Position privacy
  → Path privacy
◮ Protection techniques of location privacy
  → Anonymity-based techniques
  → Obfuscation-based techniques
  → Policy-based techniques
◮ Method of anonymity-based technique
  → Beresford and Stajano
  → Mix Zones

PRIVACY
1. Introduction
2. The Economics of Privacy
3. Privacy-Enhancing Technologies
4. RFID Privacy
   4.1 Privacy Threats
   4.2 Regulation and Standardization
   4.3 EU Recommendation
5. Conclusion

RFID Privacy
Privacy Threats
◮ Spoofing identity. Spoofing occurs when an attacker successfully poses as an authorized user of a system.
◮ Tampering with data. Data tampering occurs when an attacker modifies, adds, deletes, or reorders data.
◮ Repudiation. Repudiation occurs when a user denies an action and no proof exists to prove that the action was performed.
◮ Information disclosure. Information disclosure occurs when information is exposed to an unauthorized user.
◮ Denial of service. Denial-of-service denies service to valid users.

RFID Privacy

Regulation and Standardization
◮ ISO: 11784, 10536, 14443, 18000, etc.
◮ Article 29 Data Protection Working Party (Spain with AEPD)
◮ EU Recommendation on the implementation of privacy and data protection principles in applications supported by RFID

EU Recommendation
◮ Provides guidance to Member States on the design of applications
◮ Provides guidance to ensure implementing Directives 95/46/EC, 99/5/EC and 2002/58/EC

RFID Privacy - EU Recommendation

Privacy and data protection
◮ EU Recommendation on the implementation of privacy and data protection principles in applications supported by RFID
◮ Member States should ensure that industry, in collaboration with relevant civil society stakeholders, develops a framework for privacy and data protection impact assessments.
◮ This framework should be submitted for endorsement to the Article 29 Data Protection Working Party within 12 months
◮ Conduct an assessment of the implications of the application implementation for the protection of personal data and privacy
◮ Take appropriate technical and organisational measures to ensure the protection of personal data and privacy.

RFID Privacy - EU Recommendation

RFID Privacy Impact Assessment Framework (PIA)
◮ Carried out by the industry
◮ Levels
  → Level 0 - The RFID Application does not process personal data
  → Level 1 - The RFID Application does not process personal data
  → Level 2 - The RFID Application processes personal data
  → Level 3 - The RFID Application processes personal data and the RFID Tag Information contains personal data

RFID Privacy - PIA Framework

Process
◮ Does the RFID Application process personal data?
◮ Does the RFID Tag Information contain personal data?
◮ Does the RFID Application link RFID Tag Information to personal data?
◮ Are tagged items intended to be possessed by Individuals?

Reports
◮ If the answer to all the above questions is "No", the RFID Application is a "level 0" Application and does not require further analysis or a PIA Report.
◮ If the answer to at least one of the above questions is "Yes", RFID Applications Operators should proceed by drafting a PIA Report according to the next steps of this Framework.

RFID Privacy - PIA Framework

Current Situation
◮ PIA in March of 2010
◮ In July of 2010 study by Working Party
◮ The Working Party does not endorse the proposed document in its current form.
◮ The Working Party strongly encourages the industry to seize this opportunity.
◮ The Working Party is confident that the industry can propose an improved framework

PRIVACY
1. Introduction
2. The Economics of Privacy
3. Privacy-Enhancing Technologies
4. RFID Privacy
5. Conclusion
