Web and privacy Privacy and protection of personal data specific - - PDF document


Web and privacy. Industrial perspectives on Cryptography. A. Esterle, ENISA. Antwerp, 29 May 2008. www.enisa.europa.eu



www.enisa.europa.eu

Web and privacy

Industrial perspectives on Cryptography

  • A. Esterle - ENISA

Antwerp – 29 May 2008


Web and privacy

  • Privacy and protection of personal data

– specific purpose (to collect and process it)
– subject consent
– right to access and rectify

  • Web applications (commerce, health, administration…)

– management of e-Identity


Privacy Challenges

  • 2 drivers

– Business (ID theft, behavioural marketing…)
– Collective security (anti-terrorism…)

  • 1 track

– new technologies
– new (web) applications


Right to access

  • Proliferation of electronic data which “help discriminate in a unique way”
  • Very easy to collect/process data
  • Very heavy (paper) procedure for the subject to access his personal data
  • How to give the subject online access

Privacy minimisation

  • Reduce the identity of a person to the strict amount of information needed for each given application
  • Need for protocols:

– able to manage various credentials
– able to maintain interoperability


Reputation (1)

  • Minimum identity (email address) completed with an appreciation of your online behaviour
  • Difficulties:

– no clear metrics
– open to organised attacks
– compatible with multiple identities
– attached to a given identity (theft)


Reputation (2)

  • Useful tools to develop (ENISA PP):

– authentication mechanisms against reputation theft
– management of global reputation
– portability of reputation (integrated in authentication transport standards)
– use of reputation in e-Government?


Social Networks (1)

  • Deliberate release of personal data
  • Facilitates:

– personal data harvesting and aggregation
– privacy breaches, identity theft
– stalking, bullying, reputation slandering


Social Networks (2)

  • Useful tools to develop (ENISA PP):

– portability of social networks
– impose subject consent to tags inclusion
– image-anonymisation techniques


Botnets

  • Involvement in collective/offensive actions out of your knowing (ENISA PP)
  • Strengthening the capacity of ISPs to detect and block botnet communication

– traffic inspection
– content analysis and comparison without reading the messages (idem spam)


ENISA Material

  • Position Papers 2007

– Reputation-based systems

http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_reputation_based_system.pdf

– Online social networks

http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf

– Botnets – The silent threat

http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_botnets.pdf

  • Privacy Working Group Report (summer 2008)
  • Position Papers 2008: Web 2.0 and Virtual world
  • Report on interoperable eIDs in Europe (end 2008)


QUESTIONS ?


ENISA’s Role

[Diagram; labels only: European Commission; R & D; Legal Framework; eApplications; Member States; NRA; DPA; Government; NSA; NBA; European Council; European Parliament; National security policies; eAdministration; Incentives; Stakeholder (academia, associations, providers, vendors, end users); lack of coherence; lack of dialogue; lack of cooperation; ENISA; Standards; Certificates]