Transcript Privacy in Mobile Internet

Future ICT Landscapes –
Security and Privacy Challenges
& Requirements
Simone Fischer-Hübner
IVA Workshop, Stockholm
24th May 2012
Part I: Security & Privacy
Challenges
Part II: Requirements for
Protecting Identity, Privacy &
Security
ICT Trends & Challenges






Open Communication
Infrastructures (e.g., VoIP)
Outsourcing, Cloud
Computing
Web 2.0, ”free” services
Smart Devices
Ambient Intelligence
…
Open Communication Infrastructure Threats:
Example: PSTN vs. VoIP

PSTN: Public switched
telephone network
 Circuit switching:



Circuit
Switching
Bandwidth reserved
Fixed route
VoIP: Voice over IP

Packet Switching:


Dynamic bandwidth
Unfixed route
Packet
Switching
Pros and Cons of VoIP
-
+

Low cost



Software based
equipment
Reused infrastructure
Services integration


Quality




More features: video,
data, presence, game…
Security



Latency
Dynamic bandwidth
Packets order
Open environment
Shared infrastructures
Emergence calls

Not bound with physical
location, no guarantee
VoIP: Security Vulnerabilities
and Threats

Availability threats:


Confidentiality threats:



Eavesdropping
Timing attacks
Integrity threats:




Denial of Service
Signaling messages modification
Media injection
Replay attacks
Privacy threats:


Call Spam (SPITs)
Traffic Analysis
Cloud Computing – Security
Challenges

Security risks: Malicious insiders,
data loss / leackages, shared
technology vulnerabilities,
downtime,…

Cloud service users lack



Understanding of risks
Control over what happens with
data
Means for redress
http://www.ethannonsequitur.com/
Web 2.0



User Profiling
”Face rape”
Lifelong privacy
issues
Part I: Security & Privacy
Challenges
Part II: Requirements for
Protecting Identity, Privacy &
Security
Newly proposed EU Data
Protection Rules
(Data Protection Regulation proposed 25 January 2012)





”Right to be forgotten”
Explicitly given consent, more
transparency of data handling, easy-tounderstand policies
Easier exercising of data subject rights
(electronically, in relation to all recipients)
Increased accountability, privacy breach
notification, higher penalites
Privacy by Design (PbD), Privacy by
Default
Privacy-enhancing Identity
Management
Health Care
Government
Work
Blood
Group
Tax
Status
GoodConduct
Certificate
Health
Status
Income
Birthday
Shopping
Insurance
Name
Address
Birthplace
Age
Credit
Rating
Foreign
Languages
Diary
Alice
Phone
Number
MasterCard
Cellphone
Number
Interests
Payment
Diners Club
Driving
Licence
Likes &
Dislikes
Telecommunication
Travel
Boyfriend
Bob
Clauss/Köhntopp 2001
Leisure




User control - Audience segegration
Data minimisation
Pseudonymity, Unlinkability
ID theft protection, reliability
Enabler PETs: Anonymous
Credentials (PrimeLife, ABC4Trust)
www.abc4trust.eu
Transparency & Accountability
Tools:
Cloud service
users
Chain of
Accountability
Cloud service supply chain/network
service
service
Cloud
service
service
Preventive
Detective
Corrective
Regulators, auditors,
business governance
Trusted services
supporting
accountability
Cloud service users: control and transparency over how their data is used, and
support in obtaining redress
Service providers: techniques to make services more trustworthy,
satisfy business policies and allow differentiation
Regulators/auditors: assurance about compliance with policies and regulations
Questions ?
http://www.cs.kau.se/~simone/