TRUSTWORTHY ICT - Dansk Privacy Netværk

Incentives of Privacy Enhancing Technologies
Copenhagen, Denmark – 10 September 2010
2010 PRIVAT TEK
Oluf Nielsen
Scientific Officer
Trust & Security Unit
Information Society and Media Directorate-General
European Commission
The views expressed in this presentation are purely those of the speaker
and may not in any circumstances be regarded as stating an official
position of the European Commission.
“TRUSTWORTHY ICT”
Security (press headlines)
• Phishing attacks
• Internet security soar in the UK
• Cyberwar and real war collide in Georgia
• Lessons from SocGen: Internal threats need to become a security priority
• Code red
• Revealed: 8 million victims in the world's biggest cyber heist
• Major web flaw, and a fix on the way
• The Evolution of Cyber Espionage
Privacy (press headlines)
• Cloud computing lets Feds read your email
• YouTube case opens can of worms on online privacy
• Phorm to use BT customers to test precision advertising system on net
• Web giants spark privacy concerns
• Big Brother tightens his grip on the web
• Associations' anger mounts against Edvige, the police file of personal data
Trust (press headlines)
• Defenseless on the Net
• Identity theft, pornography, corporate blackmail: in the web's underworld, business is booming
• Big Brother spying on Americans' Internet data?
• Internet wiretapping
• Bugging the cloud
• UK's Revenue and Customs loses 25 million customer records
• Six more data discs 'are missing'
“TRUSTWORTHY ICT”
Technology
• Cyber-threats, cyber-crime
• The Future of the Internet
• Complex ICT systems and services underpinning critical infrastructures
Users
• Trust, accountability, transparency
• Identity, privacy and empowerment
• Creativity, usability
• Economics of security
• Human values and acceptance
TRUSTWORTHY ICT: Security Economy
Open Research Questions? – COST/BENEFITS
• What do the rising trend in identity theft and the potential cost of a data breach imply for companies' security strategy for their networks, computers and access?
• What security economics research is needed to better understand the economic impact of data breaches on the stock market valuation of companies whose security vulnerabilities are exposed?
• How can security economics be used to analyse how effective cost sharing of liability is possible, in order to achieve more societally optimal investments in ICT trust and security applications?
• What market conditions and economic incentives have to be in place for firms to invest in ICT security, so that they minimise their long-term costs and respond better to market forces by integrating ICT security into their products and services?
TRUSTWORTHY ICT: Security Economy
Open Research Questions?
• Could vulnerability markets help buyers and sellers establish the actual cost of finding ICT system and software flaws?
• Would market-based approaches increase the number of identified vulnerabilities by motivating more people to search for flaws?
• Why are cyber insurance markets not taken up more widely?
• Would reputation systems deter free-riding and cheating in peer-to-peer networks?
TRUSTWORTHY ICT: Security Economy
Open Research Questions? – Personalised Services
How to create:
• Better knowledge of when it pays off for companies to invest in more ICT security applications, by linking the investment closely to the corporate value of their assets?
• More incentives for better company reporting, e.g. on how they manage their assets and security breaches, for both internal and external stakeholders?
• More trustworthy financial reporting that includes: controls of information; security policy; security standards; access; authentication; network security?
TRUSTWORTHY ICT: Security Economic ICT Applications? – How to Value your Core Assets?
• How to identify and manage vulnerabilities in cyber space?
• What does it take for a competitor to reproduce your company assets?
• How to focus your IT security investment on the core assets?
• How to apply the appropriate control measures?
TRUSTWORTHY ICT: Security Economic ICT Applications? – How to Value your Core Assets?
• Is there a need to develop user-friendly and cost-effective ICT tools which enable organisations to better assess and value their high-value assets?
• Tools to be used for collecting information on incidents, losses and spending
• ICT applications which integrate economic incentive and trust mechanisms
• ICT systems which ensure informed and automated management decisions, creating transparency and accountability for key stakeholders
There is a need for user-friendly automated tools which can perform those controls on an organisation's most critical assets, to cope with rapidly evolving ICT security challenges.
TRUSTWORTHY ICT: Security Economic ICT Applications? – How to Value Your Core Assets?
[Figure: Cyber Vulnerabilities Matrix. Axes: Total Value of Assets (tangible plus intangibles) against Total IT Security Expenditure. The layers Data, Application, Host and Network are each mapped against the organisation's Core Assets.]
Embedding Privacy by Design in Technology
• Technological data protection should be taken into account already at the planning stage.
• Privacy by design should be technologically neutral.
• It applies from the creation of standards and the design of architectures through to their implementation by the data controller.
• The European Digital Agenda endorses the principles of privacy by design to ensure citizens' trust in ICT and in online services.
• Privacy and trust go hand in hand, and privacy by design should be the guiding principle for the development of new trustworthy ICT.
Source: Opinion of the European Data Protection Supervisor on Promoting Trust in the Information Society by Fostering Data Protection and Privacy, Brussels, 18 March 2010
Embedding Privacy by Design in Technology
• The Lisbon Treaty has reinforced protection by recognising respect for private life and the protection of personal data as separate fundamental rights, in Articles 7 and 8 of the EU Charter of Fundamental Rights.
• Whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires appropriate technical and organisational measures to be taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorised processing.
ICT FP7 WORK PROGRAMME 2011-2012
Objective ICT-2011.1.4 Trustworthy ICT
a) Heterogeneous networked, services and computing environments
b) Trust, eIdentity and privacy management infrastructures
c) Data policy, governance and socio-economic ecosystems
d) Networking and coordinating activities
ICT FP7 WORK PROGRAMME 2011-2012
Objective ICT-2011.1.4 Trustworthy ICT
b) Trust, eIdentity and privacy management infrastructures
• Development of trusted architectures, protocols and models for trust assurance
• Protocols for privacy infrastructures
• Interoperability or federated management of identity claims
  – Flexible use of centric privacy
  – Accountability
  – Non-repudiation
  – Traceability
  – Right to oblivion at the design level
ICT FP7 WORK PROGRAMME 2011-2012
Objective ICT-2011.1.4 Trustworthy ICT
c) Data policy, governance and socio-economic ecosystems
• Management and governance frameworks
• Technology-supported socio-economic frameworks for risk analysis, liability assignment, assurance and certification
• Tools for trust management based on cost-benefit analysis
ICT FP7 WORK PROGRAMME 2011-2012
Objective ICT-2011.1.4 Trustworthy ICT
Expected Impact
• Improved European industrial competitiveness in markets of trustworthy ICT
• Adequate support to users to make informed decisions on the trustworthiness of ICT
• Demonstrable usability and societal acceptance of the proposed handling of information and privacy
Further information
• On ICT-FP7 Security: http://cordis.europa.eu/fp7/ict/security/home_en.html
• ICT-FP7 Project Synopsis: http://cordis.europa.eu/fp7/ict/security/projects_en.html
• Objective 1.4 Call Details:
  – Opening expected 26 July 2011 – Ending 17 January 2012
• More information: oluf.nielsen@ec.europa.eu, Research Programme Officer, Trust and Security