Web and privacy
Industrial perspectives on Cryptography
A. Esterle - ENISA
Antwerp – 29 May 2008
www.enisa.europa.eu

Web and privacy
• Privacy and protection of personal data
  – specific purpose (to collect and process it)
  – subject consent
  – right to access and rectify
• Web applications (commerce, health, administration…)
  – management of e-Identity
Privacy Challenges
• 2 drivers
  – Business (ID theft, behavioural marketing…)
  – Collective security (anti-terrorism…)
• 1 track
  – new technologies
  – new (web) applications

Right to access
• Proliferation of electronic data which “help discriminate in a unique way”
• Very easy to collect/process data
• Very heavy (paper) procedure for the subject to access his personal data
• How to give the subject online access
Privacy minimisation
• Reduce the identity of a person to the strict amount of information needed for each given application
• Need for protocols:
  – able to manage various credentials
  – able to maintain interoperability

Reputation (1)
• Minimum identity (email address) completed with an appreciation of your online behaviour
• Difficulties:
  – no clear metrics
  – open to organised attacks
  – compatible with multiple identities
  – attached to a given identity (theft)
Reputation (2)
• Useful tools to develop (ENISA PP):
  – authentication mechanisms against reputation theft
  – management of global reputation
  – portability of reputation (integrated in authentication transport standards)
  – use of reputation in e-Government?

Social Networks (1)
• Deliberate release of personal data
• Facilitates:
  – personal data harvesting and aggregation
  – privacy breaches, identity theft
  – stalking, bullying, reputation slandering
Social Networks (2)
• Useful tools to develop (ENISA PP):
  – portability of social networks
  – require the subject's consent before inclusion in tags
  – image-anonymisation techniques

Botnets
• Involvement in collective/offensive actions without your knowledge (ENISA PP)
• Strengthening the capacity of ISPs to detect and block botnet communication
  – traffic inspection
  – content analysis and comparison without reading the messages (as for spam)
ENISA Material
• Position Papers 2007
  – Reputation-based systems: http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_reputation_based_system.pdf
  – Online social networks: http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf
  – Botnets – The silent threat: http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_botnets.pdf
• Privacy Working Group Report (summer 2008)
• Position Papers 2008: Web 2.0 and Virtual world
• Report on interoperable eIDs in Europe (end 2008)

QUESTIONS?
ENISA’s Role
[Diagram; recoverable elements only: European Council, European Parliament, European Commission; ENISA; Member States (Government, NRA, NSA, NBA, DPA); R&D, Applications, Standards, Legal Framework, Certificates, Incentives, National security policies, eAdministration; Stakeholders: academia, associations, providers, vendors, end users; problems noted: lack of coherence, lack of dialogue, lack of cooperation.]