surveillance and e-government: real and potential threats to privacy in europe and beyond
DESCRIPTION
Surveillance and E-Government: Real and Potential Threats to Privacy in Europe and BeyondTRANSCRIPT
Surveillance and E-Government: Real and Potential Threats to Privacy in
Europe and BeyondFatemeh Ahmadi Zeleti
Tampere University of Technology
FP7 SMART ProjectSteering Committee Meeting in Malta
June 2012
Surveillance and e-government: Threats to Privacy
National level
International level
National Level
Iran
• Embezzlement in the government and the Central Bank
No appropriate surveillance system and technology (Ex: Application access control and Login control system)
Embezzlement and weak e-government system
• Iran's disputed election in the year 1388 (2009)• Lack of efficient e-voting system and system
security (Data updated illegally)• E-counting system and security fails• Unauthorized access to the system• Number of votes cast in 50 Iranian cities
exceeded the number of people entitled to vote • Additional votes are over 3 million
G2C: E-Voting
G2C: Police fine
• Bargaining over the value
• Manually entered to the system
• System lacks appropriate login access control and application access control
• Upon payment, officer falsify the data
G2C: Smart Driving License
• Government developed smart driving license
• Classification of violations in the system
• Issuing of driving license
• Police simply insert the license to issue the bill
G2C: Fuel Card
Cards have no efficient security
Card password can be easily visible by others (Stolen and used by other)
Card is not properly designed for one car (anyone can use it)
People sell their allowance to others for a higher price
http://www.epolice.ir
G2C: Household consumption
• Meter equipment is not well designed to meet the security requirements
• 2011: Police caught and arrested a man who cheated
• Design of digital meter • Man with a hand held device to register the
number
G2E: Employee work time registration and payroll system
• Poor employee work time registration system
• No proper surveillance tech
• Low security to employee’s data
• Authorized employee can access to the work load page and easily cheat and fool the system
• Direct effect on the payroll system
E-Administration
• Too many processes which causes data loss
• Unauthorized access to the system and customer’s data
• Employees uses data to establish knowledge about the customer
• Due to the unauthorized access, customer’s file number is changed
E-Payment say the point
• Card users share their card password
• Share upon payment
• Payment is not finalized, but customer account is affected
E-Health• Insurance booklet is in use
• Upon arrival to the clinic, patient's info is entered to the system
• But, no proper system security to identify the patient and if he is using his own booklet
• Solution to prevent violations and abuse of the current booklet and system: Smart insurance (Health) card
• Ready to use by end of 2012
Database and accessibility
• Unsecure databases and unuthorizes access
• Higher education usecure database and lack of efficientaccess control
• Low speed connection => distribution of whole database
• Regular employees accessibility to all databases
No efficient access control
Lack of education and undrestanding of possible threats
Ex: In March 2012, regular employee of the Central Bank handover the whole bank database
• Most of the government websites save the user’s password
• No hashing algorithm is used (MD5)
• One user may use 1 password for different purposes
Hashing the password
• Some government websites assign password to the users (Melli Code: Nesha System)
• By knowing someone’s Melli Code, another person can access to the account
• Melli card No-> Profile access-> Profile info
Government assigned password
• Government surveillance on government organizations• Tight requlation for employees and websites• For high security of user’s information• All employees of Banks and Insurance Companies• No use of international e-mail domain• No electronic communication with customers with international
e-mail domain• Hotmail, MSN, Yahoo and Gmail => one of the tools to exit user’s
information from the country • No website with the .org and .com domain• All website with the .ir domain
Website Regulation: May 2012: Iran
Simorgh: May 2012: Iran
• Anti-censorship software (VPN)
• Fake version of Green Simurgh in 4shared
• Founded by Munk School of Global Affairs
• Green Simurgh Co. (Since 2009) is denying
• Abused citizen’s needs
• Turned out to be Spying Version
• Access to user’s info (Identification and access keys)
• Monitor user’s activities (IPs, Event handelers (Keys and clicks))
• Collected Info and data are transfered to a servers located in Soudi Arabia and USA
simurghesabz.net
• Extensive Gov to Gov attack
• Low system security of major government organizations
• The most sophisticated threats ever
• Malfunction systems of the two most important gov orgs
• Name: ’Fiber’
• Starting date: Aug 2010 (Kaspersky Lab, Russia)
• Research Unit: International Telecommunications Union of United Nation (ITUUN)
• ITUUN Research on ’Wiper’ => ’Fiber’ discovery
• It collects all the sensative information and destruct data from the organization DB
• Record Network traffic, take picture of screen, conversation recording, keyboradrecording and etc.
• Over 600 Government organizations are influenced
Fiber: April 2012: Iran and …
• Consequences
Ministry of Science: The attack was failed and the situation is under control. No extra info is forecasted.
Ministry of Oil: Main server disconnection. Computer motherboards are burned out and some data are lost, butcould be recovered. To minimize the loss, number of Internet and network connections were intentionally disconnected.
Service malfunction: Iran
• National Information and Communication Technology Agenda
• Information Society and a knowledge-based Economy in which ICT is an Enabler Technology
• TAKFA comes in seven strategic axesGovernmentEducationHigher EducationServicesCommerce and EconomyCulture and Persian LanguageICT industry through SME empowerment
TAKFA (Late 1999- April 2002): Iran’s road to knowledge-based development
TAKFA put down
• Lack of inexpensive and easy access to Internet
• Lack of advanced technologies and security software
• Lack of surveillance technologies and equipment
• Lack of encompassing information infrastructure
• Inadequate national bandwidth
International Level
• High security (Official Finnish ID require)
• Login access control
• Application access control
• Money transfer over the NetBank require further telephonic confirmation
• Required questions are asked to process the payment
• 1 password/1 netbank access
E-Payment (NetBank) in Finland
E-Health in Finland
• Kela Card
• 1 card for 1 user
• Biometric Kela Card (patient’s record is kept safe and private)
• Kela card is consider as the patient's ID in e-health system
• Owned by 1 person only
• CCTV takes picture of the car violating the driving regulation
• System takes care of issuing the fine
• No opportunity to falsify the data
• IP cameras: Once capture a footage, image is sent to the control center and fine will be issued and sent to the driver address
Police fine in Finland
• New e-service is implemented on March 2012
• No resident permit is attached to the passport
• Biometric identifiers stored on the residence permit card chip include a facial image and two fingerprints
• User’s data is kept safe in the card
• No one can fake it
• It is not an official ID
• In UK too
Foreigner resident permit card in Finland
• Stamp the resident permit in the passport• RP info is entered by hand• Info can be easily change by the passport holder
• Solution: ACR I-Card Resident permit (electronic chip embedded into the card containing all your relevant information)
• Quick verification of information• Eliminates fixers and illegal personnel issuing falsified
documents.
Resident permit in the Philippines
E-Health in Australia
• NEHTA (National E-Health Transition Authority)• Personally controlled electronic health records
(PCEHR) for all Australians• Starting July 2012, all Australians can choose to
register for an electronic health record• PCEHR System is used • A privacy management framework has been
developed to ensure that privacy of the user’s data
• Still early to define the threats to privacy
E-Health in China and USA: Jan 2012
• China and the United States, two different political cultures, have both introduced major health reform programs to promote health-care improvement for their respective citizens
• The piloted use of biometrics in the SD card with fingerprint encryption for patients to access personal health records
• Without the SD card, no one can access
• The United States is experiencing an increasing use of biometric applications for authentication and identification
• Government of many countries abuse citizen’s data and information
• Government surveillance is done through monitoring users activity, communication and accessing user’s data (data are accessed from the e-services portals)
• Government authorities are not enough expert to design expert systems with high security
• Technology play a vital role if implemented appropriately
• It is expected that privacy protections to be increased
Conclusion
Thank you for your kind attention
I welcome your questions,
Suggestions and Comments!
Fatemeh Ahmadi Zeleti