
Post on 22-Dec-2015


Mitrou/Katsikas, Rights beyond the security challenges

“Security and privacy: convergence or contradiction?”

………. “Constitutional rights: beyond the security challenges”

Lilian Mitrou/S. Katsikas University of the Aegean


Security

Information security: preservation of confidentiality, integrity and availability of information

Information Systems security refers to the protection of all elements constituting an IS (i.e. hardware, software, information, people, processes)

Security is not a purely technical issue!


Risks and …culture of security

The nature, volume and sensitivity of information have expanded substantially

Growing number and wider variety of threats and vulnerabilities

Respond to a changing risk/security environment by promoting the “culture of security”, i.e. focus on security in the development of systems and networks and adoption of new ways of thinking and behaving


Privacy and Data Protection

Informational self-determination

Precondition of (deliberative) autonomy and freedom, of participation in communal life, as a member of a free, democratic society

Object of the data protection legislation is to establish obligations and responsibilities, to provide the terms and conditions, under which the processing of personal data is to be carried out so as to protect the fundamental rights and liberties of natural persons and in particular their right to privacy


Security as regulatory obligation

Security as a component of effective data protection?

Convention 108 (81) Council of Europe: Appropriate security measures for the protection… against accidental or unauthorised destruction, accidental loss, unauthorised access, alteration, dissemination (Art. 7)

OECD – Privacy Guidelines: security principle


The Data Protection Directive

The protection…requires…appropriate technical and organisational measures, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorised processing. These measures must ensure the appropriate level of security taking into account the state of the art, the cost in relation to the risk and the nature of the data to be protected.


The Electronic Privacy Directive

Security and Information about security risks

Appropriate technical and organisational measures to safeguard security of services

Information of subscribers in case of a particular risk of a breach of the security of the network

The requirement to inform does not discharge from the obligation to face and remedy security risks and restore “normal security level” of the service


Privacy Enhancing Technologies

PETs as a system of technological measures that minimize or eliminate the collection of data, without damaging the system itself

The term PETs should be reserved for technological systems that are intentionally developed to promote privacy.

We should distinguish PETs from security enhancing technologies (i.e. mechanisms aimed primarily at ensuring the confidentiality, integrity and/or availability of data/information, though not necessarily in order to promote personal privacy) and from patterns of mere behaviour, though there are considerable overlaps.


PETs, Security and User Empowerment

Individuals should be placed in a position in which they are able to determine the use of technical and organizational protection tools themselves

User empowerment as an alternative to protective regulation?

The main objection to relying on user empowerment is simply that PETs, as tools for users to fend for themselves, are often difficult to use.

Therefore it is crucial that the default settings offer a high level of privacy protection.

Engineering specifications should embody policies for data protection


PETs as PITs?

PETs can be Privacy Invasive Technologies?

– Level of privacy (pseudonymity where anonymity is arguably viable)

– Character of technological standard setting process (transparency, legitimacy etc.)

– Context in which PETs are applied and effect of application

PETs as palliative for the introduction of a PIT and for the disempowerment of rules and authorities


Security and Privacy

An attack may not necessarily breach confidentiality or privacy of the data. Adequate security protects more than just privacy; it also protects the integrity and availability of information resources. Ensuring data privacy requires implementing adequate security measures and introducing security mechanisms including authentication, secure access control, encryption and security management practices.


Privacy Invasive Security?

Inherent tension between privacy and security.

Security measures are not identified with privacy protective and enhancing measures

Anonymity and pseudonymity are not included in any security definition!

All the current authentication technologies needed for authorisation and accountability of users involve the use of personal information or attributes that can be linked to personally identifiable information.

Risk analysis tools focus on authentication and identification but make no provision to minimise the collection of personal data during these procedures.


Authentication procedures

Some situations require strong identification to combat crime and fraud, attacks and threats.

Excessive personal data may be collected during the authentication procedure within a system.

Cryptographic methods to ensure the integrity of data in electronic transactions raise privacy implications, which include the collection of personal data and the creation of systems of personal identification.


Security in the context of e-voting

Security is a multidimensional notion in the context of e-voting. Security primarily refers to the (technically guaranteed) respect of secrecy and freedom but it covers the entire range of functions and election components such as registration, eligibility and authentication. Security is a “technical” criterion, which aims at protecting integrity, generality, equality, freedom, secrecy and fairness of elections. Not only a technical issue, but a political issue as well, as its lack undermines legitimacy and trust of the public in the election process


Security contra voting rights?

Security against external threats and attacks.

It is generally not feasible to remove fraudulent ballots from an election tally because it may be impossible to determine which ballots should not have been counted.

Security must of course not jeopardize the voting principles that it has to guarantee: secrecy, transparency and verifiability!

– Authentication/Identification that threatens secrecy?

Security and confidence are not only means of making elections secure, but also means of convincing citizens that the system is secure.


Workplace Surveillance

Protecting a system from insider threat or misuse involves deterrence, prevention and containment of misuse.

ISO/IEC 17799 proposes personnel screening as a sub-category of personnel security, aiming at information security management.

Monitoring and surveillance of electronic communications is an intrusion into workers’ privacy

Balance of interests: transparency and proportionality of risks and monitoring.


Democracy as a security-frontier?

“The security of information systems and networks should be compatible with essential values of a democratic society. Security should be implemented in a manner consistent with the values recognised by democratic societies including the freedom to exchange thoughts and ideas, the free flow of information, the confidentiality of information and communication, the appropriate protection of personal information, openness and transparency” (OECD Guidelines for the Security of Information Systems and Networks – 2002)


Conclusion

Technology could and should be used to enhance democracy.

A first condition for successful protection of freedoms and rights is the transposition of the legal demands into technical standards integrated into technology.

Risk assessment and rights impact assessment: measures should be evaluated against the question “does this meet democratic standards”?

A democratic society should accept even security risks!

