Information Sharing: The Paradox Andrew Cormack Chief Regulatory - - PowerPoint PPT Presentation

SLIDE 1

Information Sharing: The Paradox

Andrew Cormack Chief Regulatory Adviser, Janet

SLIDE 2

Privacy needs help

SLIDE 3

The information sharing paradox

  • Sharing information protects privacy
      – Prevents/mitigates privacy invasion by phishers, crackers, bot-herders...
      – Also supports NRENs’ ethics of helping clean the ‘net
  • Sharing information may also harm privacy
      – Increasing availability of information about systems/people

SLIDE 4

How to balance these?

SLIDE 5

And explain it to our automated systems?

SLIDE 6

Need to plan our information sharing

SLIDE 7

Where to Start?

SLIDE 8

Possible information sharing principles

  • Necessity – only share when it helps
  • Minimisation – only share what is likely to help
  • Accuracy – not all information is alike
  • Security – protect what you share (and receive)

SLIDE 9

Thinking about necessity

  • How might our involvement make things better?
      – Until this is clear, probably best not to
      – Magnitude of threat may justify more involvement
  • NRENs can act as trusted intermediary
      – Facilitate contact between info. source and victim
      – E.g. SURFnet botnet Code of Practice (TNC2014)
  • Direction of sharing?
      – Us: send problem to(wards) person
      – Courts: bring person to problem
      – Fix your own problems!

SLIDE 10

Thinking about minimisation

  • Only share the information a recipient needs
      – Discuss/pilot this manually before automating it
      – Recipient probably doesn’t need local identity
  • Keep linking information (if you have it) separate
  • Only disclose on court order?
  • IP addresses represent different levels of privacy risk
      – Sharing server IP probably less risky than endpoints
      – Sharing external IP probably less risky than internal
      – And truncate/aggregate/remove unnecessary identifiers
  • Minimise scope of sharing to reduce risk
      – Affected service < trusted party < trusted community < world
  • Plan minimisation into information collection (e.g. pDNS)
      – Still need minimisation process for unplanned donations
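
One way to express the minimisation rules from this slide to an automated system, as an added example that is not part of the original presentation. The prefix lengths, field names, scope cut-offs and sample report are illustrative assumptions, not values from the slides.

```python
import hashlib
import hmac
import ipaddress
from enum import IntEnum

class Scope(IntEnum):
    """Audience ordering from the slide, narrowest first."""
    AFFECTED_SERVICE = 0
    TRUSTED_PARTY = 1
    TRUSTED_COMMUNITY = 2
    WORLD = 3

# Assumed policy values: (IPv4, IPv6) prefix bits kept for endpoint addresses.
PREFIX = {Scope.AFFECTED_SERVICE: (32, 128), Scope.TRUSTED_PARTY: (28, 64),
          Scope.TRUSTED_COMMUNITY: (24, 48), Scope.WORLD: (16, 32)}
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
ALLOWED_FIELDS = ("type", "seen")  # allow-list: any other field is dropped

def minimise_ip(addr, role, scope):
    """Return the address as it may be shared at this scope, or None to omit it."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in INTERNAL):        # internal: riskier than external
        return str(ip) if scope == Scope.AFFECTED_SERVICE else None
    if role == "server" and scope < Scope.WORLD:  # servers: less risky than endpoints
        return str(ip)
    bits = PREFIX[scope][0 if ip.version == 4 else 1]
    if bits == ip.max_prefixlen:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def minimise_report(report, scope, key, link_table):
    """Build the shareable copy; link_table (pseudonym -> identity) stays local."""
    shared = {f: report[f] for f in ALLOWED_FIELDS if f in report}
    ips = (minimise_ip(a, role, scope) for a, role in report.get("ips", []))
    shared["ips"] = sorted({i for i in ips if i})  # truncated duplicates aggregate
    user = report.get("local_user")
    if user and scope <= Scope.TRUSTED_PARTY:
        pseud = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:12]
        link_table[pseud] = user                   # linking info kept separate
        shared["subject"] = pseud
    return shared

# Constructed sample report (documentation-range addresses, invented names).
SAMPLE = {"type": "botnet-c2-contact", "seen": "2014-05-20T10:15:00Z",
          "local_user": "jsmith", "hostname": "lab-pc-17.example.ac.uk",
          "ips": [("192.0.2.55", "endpoint"), ("192.0.2.77", "endpoint"),
                  ("10.1.2.3", "endpoint"), ("198.51.100.9", "server")]}
```

Calling `minimise_report(SAMPLE, Scope.TRUSTED_COMMUNITY, key, {})` collapses both endpoints into one /24, omits the internal address, the hostname and the user, and keeps the server address in full.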

SLIDE 11

Thinking about accuracy

  • When sharing, explain clearly
      – How reliable the information is
      – What it is suitable for
      – What it’s allowed to be used for
      – How long it’s worth keeping
  • Shouldn’t need to disclose source to do this

SLIDE 12

Thinking about security

  • Use the technology...
      – Encrypted transfer
      – Secure storage
      – Authentication
  • May also reduce free-rider problem that can reduce trust
  • E.g. Need to donate if you want to receive more
  • Common rules facilitate sharing
      – Membership agreements, ethics codes, ...
      – E.g. ISACs

SLIDE 13

Is it Lawful?

SLIDE 14

Data Protection law

  • “Upstream” sharing supports user notification
      – As required by Directive if you get personal data indirectly!
  • Positive support in draft Data Protection Regulation
      – Incident prevention/response is a legitimate interest
      – Art.29 WP discuss balancing those with fundamental rights
  • Law requires us to keep information secure
      – ISO27002 says Incident Response is a key control
  • Areas to watch/influence
      – Incentives for pseudonyms could help sharing
      – Detailed list of legitimate interests could prevent us protecting privacy
      – Unrealistic limits on metadata retention (e.g. delete at end of call)
      – Export rules – incidents don’t recognise EEA border (see next slide)

SLIDE 15

International issues

  • Need to share outside EEA
      – Incidents cross borders deliberately
  • Often sending information back where it came from
      – UK ICO suggests meeting their national expectations
      – So definitely shouldn’t be harder than sharing within EEA

SLIDE 16

Conclusion

SLIDE 17

Getting sharing right

  • Sharing is essential
      – Can’t protect privacy without it
      – But does create some privacy risks
  • Plan collection/sharing to achieve proportionate risk
      – Don’t be paralysed because you can’t eliminate it
      – Treat breaches of rules/ethics as serious
  • Explain benefits/risks
      – Openness builds trust & confidence
      – Set standards the law should encourage

SLIDE 18

Now it’s your turn...

Janet, Lumen House
Library Avenue, Harwell Oxford
Didcot, Oxfordshire
t: +44 (0) 1235 822200
e: Andrew.Cormack@ja.net
b: https://community.ja.net/blogs/regulatory-developments
t: @JanetLegReg