close

Вход

Забыли?

вход по аккаунту

?

“Security and data protection: convergence or contradiction?”

код для вставкиСкачать
Lilian Mitrou/S. Katsikas
University of the Aegean
“Security and privacy:
convergence or contradiction?”
………. “Constitutional rights: beyond
the security challenges”
Mitrou/Katsikas, Rights beyond the security challenges
1
Security
Information security: preservation of
confidentiality, integrity and availability of
information
Information Systems security refers to the
protection of all elements constituting an IS (i.e.
hardware, software, information, people,
processes)
Security is not a pure technical issue!
Mitrou/Katsikas, Rights beyond the
security challenges
2
Risks and …culture of security
The nature, volume and sensitivity of information has
expanded substantially
Growing number and wider variety of threats and
vulnerabilities
Respond to a changing risk/security environment by
promoting the “culture of security”, i.e. focus on security
in the development of systems and networks and
adoption of new ways of thinking and behaving
Mitrou/Katsikas, Rights beyond the
security challenges
3
Privacy and Data Protection
Informational self-determination
Precondition of (deliberative) autonomy and freedom, of
participation in communal life, as a member of a free,
democratic society
Object of the data protection legislation is to establish
obligations and responsibilities, to provide the terms
and conditions, under which the processing of personal
data is to be carried out so as to protect the
fundamental rights and liberties of natural persons and
in particular their right to privacy
Mitrou/Katsikas, Rights beyond the
security challenges
4
Security as regulatory obligation
Security as a component of effective data
protection?
Convention 108 (81) Council of Europe:
Appropriate security measures for the
protection…against accidental or unauthorised
destruction, accidental loss, unauthorised
access, alteration, dissemination (Art. 7)
OECD –Privacy Guidelines: security principle
Mitrou/Katsikas, Rights beyond the
security challenges
5
The Data Protection Directive
The protection…requires…appropriate technical and
organisational measures, both at the time of the design
of the processing system and at the time of the
processing itself, particularly in order to maintain
security and thereby to prevent any unauthorised
processing.
These measures must ensure the appropriate level of
security taking into account the state of the art, the cost
in relation to the risk and the nature of the data to be
protected.
Mitrou/Katsikas, Rights beyond the
security challenges
6
The Electronic Privacy Directive
Security and Information about security risks
Appropriate technical and organisational measures to
safeguard security of services
Information of subscribers in case of a particular risk of
a breach of the security of the network
The requirement to inform does not discharge from the
obligation to face and remedy security risks and restore
“normal security level” of the service
Mitrou/Katsikas, Rights beyond the
security challenges
7
Privacy Enhancing Technologies
PETs as a system of technological measures that minimize
or eliminate the collection of data, without damaging the
system itself
The term PETS should be reserved for technological
systems that are intentionally developed to promote privacy.
We should distinguish PETs from respectively security
enhancing technologies (i.e.mechanisms aimed primarily at
ensuring the confidentiality, integrity and/or availability of
data/information ( though not necessarily in order to
promote personal privacy) and from patterns of mere
behaviour , though there are considerable overlaps.
Mitrou/Katsikas, Rights beyond the
security challenges
8
PETs, Security and User Empowerment
Individuals should be placed in a position in which they are able
to determine the use of technical and organizational protection
tools themselves
User empowerment as an alternative to protective regulation?
The main objection to relying on user empowerment is simply,
that PET’s as a tool to fend for himself/herself are often and
simply difficult to use.
Therefore it is crucial that the default settings offer a high level of
privacy protection. Engineering specifications should embody
policies for data protection
Mitrou/Katsikas, Rights beyond the
security challenges
9
PETs as PITs?
PETs can be Privacy Invasive Technologies?
– Level of Privacy (pseudonymity where anonymity is arguably
viable)
– Character of technological standard setting process
(transparency, legitimacy etc.)
– Context in which PETs are applied and effect of application
PETs as palliative for the introduction of a PIT and for
the disempowerment of rules and authorities
Mitrou/Katsikas, Rights beyond the
security challenges
10
Security and Privacy
An attack may not necessarily breach confidentiality or
privacy of the data.
Adequate security protects more than just privacy; it
also protects the integrity and availability of information
resources.
Ensuring data privacy requires implementing adequate
security measures and introducing security mechanisms
including authentication, secure access control,
encryption and security management practices.
Mitrou/Katsikas, Rights beyond the
security challenges
11
Privacy Invasive Security?
Inherent tension between privacy and security. Security measures
are not identified with privacy protective and enhancing measures
Anonymity and pseudonymity are not included in any security
definition!
All the current authentication technologies needed for authorisation
and accountability of users involve the use of personal information
or attributes that can be linked to personally identifiable information.
Risk analysis tools focus on authentication and identification but
make no provision to minimise the collection of personal data during
these procedures.
Mitrou/Katsikas, Rights beyond the
security challenges
12
Authentication procedures
Some situations require strong identification to combat
crime and fraud, attacks and threats.
Excessive personal data may be collected during
authentication procedure within a system.
Cryptographic methods to ensure the integrity of data
in electronic transactions raise privacy implications,
which include the collection of personal data and the
creation of systems of personal identification.
Mitrou/Katsikas, Rights beyond the
security challenges
13
Security in the context of e-voting
Security is a multidimensional notion in the context of evoting. Security primarily refers to the (technically
guaranteed) respect of secrecy and freedom but it covers
the entire range of functions and election components such
as registration, eligibility and authentication.
Security is a “technical” criterion, which aims at
protecting integrity, generality, equality, freedom,
secrecy and fairness of elections.
Not only a technical issue, but a political issue as well, as its
lack undermines legitimacy and trust of the public in the
election process
Mitrou/Katsikas, Rights beyond the
security challenges
14
Security contra voting rights?
Security against external threats and attacks. It is generally not
feasible to remove fraudulent ballots from an election tally
because it may be impossible to determine which ballots should
not have been counted.
Security must of course not jeopardize the voting principles that
it has to guarantee: secrecy, transparency and verifiability!
– Authentication/Identification that threats secrecy?
Security and confidence are not only means of making elections
secure, but also means of convincing citizens that the system is
secure.
Mitrou/Katsikas, Rights beyond the
security challenges
15
Workplace Surveillance
Protecting a system from insider threat or misuse
involves deterrence, prevention and containment of
misuse.
ISO/IEC 17799 proposes personnel screening as a subcategory of personnel security, aiming at information
security management.
Monitoring and surveillance of electronic
communications is an intrusion in worker’s privacy
Balance of interests: transparency and proportionality of
risks and monitoring.
Mitrou/Katsikas, Rights beyond the
security challenges
16
Democracy as a security-frontier?
“The security of information systems and networks should
be compatible with essential values of a democratic society.
Security should be implemented in a manner consistent with
the values recognised by democratic societies including the
freedom to exchange thoughts and ideas, the free flow of
information, the confidentiality of information and
communication, the appropriate protection of personal
information, openness and transparency” (OECD Guidelines
for the Security of Information Systems and Networks –
2002)
Mitrou/Katsikas, Rights beyond the
security challenges
17
Conclusion
Technology could and should be used to enhance
democracy.A first condition for successful protection of
freedoms and rights is the transposition of the legal
demands into technical standards integrated into
technology.
Risk assessment and rights impact assessment:
measures should be evaluated against the question
“does this meet democratic standards”?
A democratic society should accept even security risks!
Mitrou/Katsikas, Rights beyond the
security challenges
18
References
Institute for Prospective Technological Studies (IPTS), Security and Privacy for
the Citizen in the Post-September 11 Digital Age (2003)
OECD - Group of Experts on Information Security and Privacy, Privacy
Protection in a global networked society. (Paris 1998)
Ana I. Vicente, La convergence de la sГ©curitГ© informatique et la protection des
données à caractère personnel –Vers une nouvelle approche juridique (2003)
L. Mitrou/D.Gritzalis/S. Katsikas, Electronic voting: Constitutional and legal
requirements and their technical implications (Kluwer, 2003)
L. Mitrou/K. Moulinos, Privacy and Data Protection in Electronic
Communications (Springer, 2003)
Lee Bygrave, PETs, Caught between a Rock and a Hard Place, European
Commission -Data Protection Conference (Brussels 2002)
M. О�ОµОїП‡О±ПЃОЇОґОїП…, О— В«ОµОє П„П‰ОЅ О­ПѓП‰ О±ПЂОµО№О»О®В» ПѓП„О± О О»О·ПЃОїП†ОїПЃО№О±ОєО¬ ОЈП…ПѓП„О®ОјО±П„О±,
О”О№ПЂО»П‰ОјО±П„О№ОєО® О•ПЃОіО±ПѓОЇО±, ОџО О‘ 2004
Mitrou/Katsikas, Rights beyond the
security challenges
19
Lilian Mitrou/S. Katsikas
University of the Aegean
“Security and privacy:
convergence or contradiction?”
………. “Constitutional rights: beyond
the security challenges”
Mitrou/Katsikas, Rights beyond the security challenges
20
Security
Information security: preservation of
confidentiality, integrity and availability of
information
Information Systems security refers to the
protection of all elements constituting an IS (i.e.
hardware, software, information, people,
processes)
Security is not a pure technical issue!
Mitrou/Katsikas, Rights beyond the
security challenges
21
Risks and …culture of security
The nature, volume and sensitivity of information has
expanded substantially
Growing number and wider variety of threats and
vulnerabilities
Respond to a changing risk/security environment by
promoting the “culture of security”, i.e. focus on security
in the development of systems and networks and
adoption of new ways of thinking and behaving
Mitrou/Katsikas, Rights beyond the
security challenges
22
Privacy and Data Protection
Informational self-determination
Precondition of (deliberative) autonomy and freedom, of
participation in communal life, as a member of a free,
democratic society
Object of the data protection legislation is to establish
obligations and responsibilities, to provide the terms
and conditions, under which the processing of personal
data is to be carried out so as to protect the
fundamental rights and liberties of natural persons and
in particular their right to privacy
Mitrou/Katsikas, Rights beyond the
security challenges
23
Security as regulatory obligation
Security as a component of effective data
protection?
Convention 108 (81) Council of Europe:
Appropriate security measures for the
protection…against accidental or unauthorised
destruction, accidental loss, unauthorised
access, alteration, dissemination (Art. 7)
OECD –Privacy Guidelines: security principle
Mitrou/Katsikas, Rights beyond the
security challenges
24
The Data Protection Directive
The protection…requires…appropriate technical and
organisational measures, both at the time of the design
of the processing system and at the time of the
processing itself, particularly in order to maintain
security and thereby to prevent any unauthorised
processing.
These measures must ensure the appropriate level of
security taking into account the state of the art, the cost
in relation to the risk and the nature of the data to be
protected.
Mitrou/Katsikas, Rights beyond the
security challenges
25
The Electronic Privacy Directive
Security and Information about security risks
Appropriate technical and organisational measures to
safeguard security of services
Information of subscribers in case of a particular risk of
a breach of the security of the network
The requirement to inform does not discharge from the
obligation to face and remedy security risks and restore
“normal security level” of the service
Mitrou/Katsikas, Rights beyond the
security challenges
26
Privacy Enhancing Technologies
PETs as a system of technological measures that minimize
or eliminate the collection of data, without damaging the
system itself
The term PETS should be reserved for technological
systems that are intentionally developed to promote privacy.
We should distinguish PETs from respectively security
enhancing technologies (i.e.mechanisms aimed primarily at
ensuring the confidentiality, integrity and/or availability of
data/information ( though not necessarily in order to
promote personal privacy) and from patterns of mere
behaviour , though there are considerable overlaps.
Mitrou/Katsikas, Rights beyond the
security challenges
27
PETs, Security and User Empowerment
Individuals should be placed in a position in which they are able
to determine the use of technical and organizational protection
tools themselves
User empowerment as an alternative to protective regulation?
The main objection to relying on user empowerment is simply,
that PET’s as a tool to fend for himself/herself are often and
simply difficult to use.
Therefore it is crucial that the default settings offer a high level of
privacy protection. Engineering specifications should embody
policies for data protection
Mitrou/Katsikas, Rights beyond the
security challenges
28
PETs as PITs?
PETs can be Privacy Invasive Technologies?
– Level of Privacy (pseudonymity where anonymity is arguably
viable)
– Character of technological standard setting process
(transparency, legitimacy etc.)
– Context in which PETs are applied and effect of application
PETs as palliative for the introduction of a PIT and for
the disempowerment of rules and authorities
Mitrou/Katsikas, Rights beyond the
security challenges
29
Security and Privacy
An attack may not necessarily breach confidentiality or
privacy of the data.
Adequate security protects more than just privacy; it
also protects the integrity and availability of information
resources.
Ensuring data privacy requires implementing adequate
security measures and introducing security mechanisms
including authentication, secure access control,
encryption and security management practices.
Mitrou/Katsikas, Rights beyond the
security challenges
30
Privacy Invasive Security?
Inherent tension between privacy and security. Security measures
are not identified with privacy protective and enhancing measures
Anonymity and pseudonymity are not included in any security
definition!
All the current authentication technologies needed for authorisation
and accountability of users involve the use of personal information
or attributes that can be linked to personally identifiable information.
Risk analysis tools focus on authentication and identification but
make no provision to minimise the collection of personal data during
these procedures.
Mitrou/Katsikas, Rights beyond the
security challenges
31
Authentication procedures
Some situations require strong identification to combat
crime and fraud, attacks and threats.
Excessive personal data may be collected during
authentication procedure within a system.
Cryptographic methods to ensure the integrity of data
in electronic transactions raise privacy implications,
which include the collection of personal data and the
creation of systems of personal identification.
Mitrou/Katsikas, Rights beyond the
security challenges
32
Security in the context of e-voting
Security is a multidimensional notion in the context of evoting. Security primarily refers to the (technically
guaranteed) respect of secrecy and freedom but it covers
the entire range of functions and election components such
as registration, eligibility and authentication.
Security is a “technical” criterion, which aims at
protecting integrity, generality, equality, freedom,
secrecy and fairness of elections.
Not only a technical issue, but a political issue as well, as its
lack undermines legitimacy and trust of the public in the
election process
Mitrou/Katsikas, Rights beyond the
security challenges
33
Security contra voting rights?
Security against external threats and attacks. It is generally not
feasible to remove fraudulent ballots from an election tally
because it may be impossible to determine which ballots should
not have been counted.
Security must of course not jeopardize the voting principles that
it has to guarantee: secrecy, transparency and verifiability!
– Authentication/Identification that threats secrecy?
Security and confidence are not only means of making elections
secure, but also means of convincing citizens that the system is
secure.
Mitrou/Katsikas, Rights beyond the
security challenges
34
Workplace Surveillance
Protecting a system from insider threat or misuse
involves deterrence, prevention and containment of
misuse.
ISO/IEC 17799 proposes personnel screening as a subcategory of personnel security, aiming at information
security management.
Monitoring and surveillance of electronic
communications is an intrusion in worker’s privacy
Balance of interests: transparency and proportionality of
risks and monitoring.
Mitrou/Katsikas, Rights beyond the
security challenges
35
Democracy as a security-frontier?
“The security of information systems and networks should
be compatible with essential values of a democratic society.
Security should be implemented in a manner consistent with
the values recognised by democratic societies including the
freedom to exchange thoughts and ideas, the free flow of
information, the confidentiality of information and
communication, the appropriate protection of personal
information, openness and transparency” (OECD Guidelines
for the Security of Information Systems and Networks –
2002)
Mitrou/Katsikas, Rights beyond the
security challenges
36
Conclusion
Technology could and should be used to enhance
democracy.A first condition for successful protection of
freedoms and rights is the transposition of the legal
demands into technical standards integrated into
technology.
Risk assessment and rights impact assessment:
measures should be evaluated against the question
“does this meet democratic standards”?
A democratic society should accept even security risks!
Mitrou/Katsikas, Rights beyond the
security challenges
37
References
Institute for Prospective Technological Studies (IPTS), Security and Privacy for
the Citizen in the Post-September 11 Digital Age (2003)
OECD - Group of Experts on Information Security and Privacy, Privacy
Protection in a global networked society. (Paris 1998)
Ana I. Vicente, La convergence de la sГ©curitГ© informatique et la protection des
données à caractère personnel –Vers une nouvelle approche juridique (2003)
L. Mitrou/D.Gritzalis/S. Katsikas, Electronic voting: Constitutional and legal
requirements and their technical implications (Kluwer, 2003)
L. Mitrou/K. Moulinos, Privacy and Data Protection in Electronic
Communications (Springer, 2003)
Lee Bygrave, PETs, Caught between a Rock and a Hard Place, European
Commission -Data Protection Conference (Brussels 2002)
M. О�ОµОїП‡О±ПЃОЇОґОїП…, О— В«ОµОє П„П‰ОЅ О­ПѓП‰ О±ПЂОµО№О»О®В» ПѓП„О± О О»О·ПЃОїП†ОїПЃО№О±ОєО¬ ОЈП…ПѓП„О®ОјО±П„О±,
О”О№ПЂО»П‰ОјО±П„О№ОєО® О•ПЃОіО±ПѓОЇО±, ОџО О‘ 2004
Mitrou/Katsikas, Rights beyond the
security challenges
38
Документ
Категория
Презентации
Просмотров
5
Размер файла
190 Кб
Теги
1/--страниц
Пожаловаться на содержимое документа