Introduction
◮ The Origins, The Debate
◮ Privacy Threats
Economics of privacy
◮ The Value of Privacy
◮ Privacy and Business
Privacy-Enhancing Technologies
◮ Languages for Access Control and Privacy Preferences
◮ Data Privacy Protection
◮ Privacy for Mobile Environments
RFID privacy
◮ Privacy Threats
◮ EU Recommendation
Conclusion
Origins
◮ Debate:
→ Extremes
◮ Concept:
→ Aristotle.
→ John Stuart Mill.
→ Margaret Mead.
◮ More pragmatically
→ 1898 "The right to be let alone".
◮ 1948 → Universal Declaration of Human Rights
Privacy Threats
◮ Deloitte 2009
◮ Incidents
→ 40% Unauthorized disclosure
→ 30% Theft (disks, laptops)
→ 20% Penetration/hacking
→ 10% Loss of data
◮ Type of Information Exposed
→ 40% PII
→ 30% Social Security Numbers
→ 10% Educational Information
→ 10% Financial Information
→ 5% Medical Information
→ 5% Login Accounts
1. Introduction
2. The Economics of Privacy
2.1 The Value of Privacy
2.2 Privacy and Business
3. Privacy-Enhancing Technologies
4. Privacy and RFID
5. Conclusion
Conclusion
◮ People react negatively when privacy is incomplete, but...
◮ ... a modest monetary reward is sufficient.
Froomkin
◮ "The death of privacy?"
◮ Privacy-destroying technologies
◮ The combination is worst; legal responses are needed
Odlyzko
◮ Several works, leading author
◮ Pessimistic view, pressures on the market
Empirical Studies
◮ Forbes 50 and Fortune 500, poor state of privacy policies
◮ Better management of privacy in public bodies
1. Introduction
2. The Economics of Privacy
3. Privacy-Enhancing Technologies
3.1 Languages for Access Control and Privacy Preferences
3.2 Data Privacy Protection
3.3 Privacy for Mobile Environments
4. Privacy and RFID
5. Conclusion
PETs
◮ Privacy-Enhancing Technologies is a system of ICT measures
protecting informational privacy by eliminating or minimising
personal data thereby preventing unnecessary or unwanted
processing of personal data
◮ Fostered by Web and Location technologies
◮ Three different contexts
→ Languages for Access Control and Privacy
Preferences
→ Data Privacy Protection
→ Privacy for Mobile Environments
PRIME
◮ Privacy and Identity Management for Europe
Israel Barroso Pérez
Languages for Access Control and Privacy Preferences
EPAL
◮ Enterprise Privacy Authorization Language
◮ For specifying enterprise-based privacy policies
Spanish Constitution
◮ Article 18.1: The right to personal privacy is
guaranteed[...]
◮ Article 18.3: Secrecy of communications is
guaranteed[...]except by judicial order.
◮ Article 18.4: The law shall limit the use of information technology to
guarantee the honour and the personal and family privacy of
citizens[...]
Location information
◮ Great amount of information
◮ Target of location-based attacks
◮ Pessimists have even predicted "Big Brother"
Location Privacy
◮ Right to decide how, when and for which purposes
◮ Duckham and Kulik, "Location Privacy and Location-Aware
Computing"
→ Unsolicited advertising
→ Physical attacks or harassment
→ User profiling
→ Denial of service
Location Privacy
◮ Categories of Location privacy
→ Identity privacy
→ Position privacy
→ Path privacy
◮ Protection techniques of Location Privacy
→ Anonymity-based techniques
→ Obfuscation-based techniques
→ Policy-based techniques
◮ Method of Anonymity-based technique
→ Beresford and Stajano
→ Mix Zones
1. Introduction
2. The Economics of Privacy
3. Privacy-Enhancing Technologies
4. RFID Privacy
4.1 Privacy Threats
4.2 Regulation and Standardization
4.3 EU Recommendation
5. Conclusion
Privacy Threats
◮ Spoofing identity. Spoofing occurs when an attacker
successfully poses as an authorized user of a system.
◮ Tampering with data. Data tampering occurs when an
attacker modifies, adds, deletes, or reorders data.
◮ Repudiation. Repudiation occurs when a user denies an action
and no proof exists to prove that the action was performed.
◮ Information disclosure. Information disclosure occurs when
information is exposed to an unauthorized user.
◮ Denial of service. Denial-of-service denies service to valid
users.
EU Recommendation
◮ Provides guidance to Member States on the design of
applications
◮ Provides guidance to ensure the implementation of Directives
95/46/EC, 99/5/EC and 2002/58/EC
Reports
◮ If the answer to all the above questions is "No", the RFID
Application is a "level 0" Application and does not require
further analysis or a PIA Report.
◮ If the answer to at least one of the above questions is "Yes",
RFID Applications Operators should proceed by drafting a
PIA Report according to the next steps of this Framework.
RFID Privacy - PIA Framework
Current Situation
◮ PIA in March of 2010
◮ In July of 2010 study by Working Party
◮ The Working Party strongly encourages the industry to seize
this opportunity.
◮ The Working Party does not endorse the proposed document
in its current form.
◮ The Working Party is confident that the industry can propose
an improved framework
1. Introduction
2. The Economics of Privacy
3. Privacy-Enhancing Technologies
4. RFID Privacy
5. Conclusion