1.
The Internet of Things: Privacy and
Security Issues
Stefan Schiffner
NIS expert, ENISA
European Union Agency for Network and Information Security www.enisa.europa.eu

2.
ENISA’’s Mission
European Union Agency for Network and Information Security www.enisa.europa.eu

3.
Securing Europe’s Information Society
Operational Office in Athens
Seat in Heraklion
European Union Agency for Network and Information Security www.enisa.europa.eu

4.
ENISA activities
Policy
Recommendations Implementation
Mobilising
Communities
Hands on
European Union Agency for Network and Information Security www.enisa.europa.eu

5.
Privacy in the internet of
things
European Union Agency for Network and Information Security www.enisa.europa.eu

6.
What is the internet of things?
• Network of interconnected objects
for data processing
– Cyber physical
– Self configuration
• Specialized & Embedded
– Seamless integration
– Reduced HCI
• Multiple stake holders
– For common or individual goals
• Integrated in legacy systems
O i i d d t i f t t
• Or in independent infrastructure
European Union Agency for Network and Information Security www.enisa.europa.eu 6

7.
Privacy concerns
• An object can reveal information about the individual
• IoT introduces new ways of collecting and processing
such information from objects:
– collection of data from different sources
– correlation and association
– > abuse potential
S i i d h
• Storing is easy and cheap
European Union Agency for Network and Information Security www.enisa.europa.eu 7

8.
Security concerns
• Objects are small and everywhere
– Prone to environmental influences
– Unprotected places (unnoticed manipulation)
– Weak calculation power (limited crypto)
• Autonomous
– Acting without user awareness
European Union Agency for Network and Information Security www.enisa.europa.eu 8

9.
The data protection challenge
and requirements
European Union Agency for Network and Information Security www.enisa.europa.eu

10.
Trust assumption for crypto
trusted
environment
trusted
environment
protected communication
adversairial
environment
European Union Agency for Network and Information Security www.enisa.europa.eu 10

11.
Security silos
• The world is divided in In and Out group
• They might be nested and intersecting
• complex structures
• Rather static
•• Administrative overhead
• Fragile
European Union Agency for Network and Information Security www.enisa.europa.eu 11

12.
To avoid new silos we need:
• Reduction of management burden wrt security and
privacy policies
• Dynamic Automatic negotiation of policies
•• Resilience
• Leads to new (priority) of requirements
European Union Agency for Network and Information Security www.enisa.europa.eu 12

13.
Control
• How to obtain informed consent?
– How can information be presented?
– How can individuals have overall control over their
data?
European Union Agency for Network and Information Security www.enisa.europa.eu 13

14.
Liability and enforcement
• Who is responsible
• How can rights be exercised
– access, deletion
• How can data be safeguarded
– Detection of attacks and damages
European Union Agency for Network and Information Security www.enisa.europa.eu 14

15.
Data Protection requirements
• Privacy & security by design
• Purpose limitation
– no use beyond predefined purposes
• Data minimization:
– collect & process only necessary data
– anonymize or delete data after use
• Distributed protection models
– move away from walled gardens
– multi layer security
– Resilience
• Automated decisions
European Union Agency for Network and Information Security www.enisa.europa.eu 15

16.
The role and needs for standards
• Privacy
– as part of the IoT ontologies and semantics
• New protection protocols
• As an integral control mechanism for the development
and implementation of M2M architectures
European Union Agency for Network and Information Security www.enisa.europa.eu 16

17.
ENISA’s work on IoT & data
protection
European Union Agency for Network and Information Security www.enisa.europa.eu

18.
ENISA activities
Policy
Recommendations Implementation
Mobilising
Communities
Hands on
European Union Agency for Network and Information Security www.enisa.europa.eu

19.
Current activities
• Support all involved stakeholders in the translation of legal
requirements to technical solutions:
• Privacy by design and by default
– Technical tools and mechanisms for information and
control
– Privacy Principles
– Anonymisation and pseudonymisation techniques
• Technical protection measures
– Cryptographic algorithms, parameters, key sizes
European Union Agency for Network and Information Security www.enisa.europa.eu 19

20.
Published Reports
– Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments (2011)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/survey‐pat
– Privacy, Accountability and Trust – Challenges and Opportunities (2011)
http://www.enisa.europa.eu/activities/identity‐and‐trust/privacy‐and‐trust/pat/activities‐initiated‐in‐2010
– Bittersweet cookies. Some security and privacy considerations (2011)
http://www enisa europa www.enisa.europa.eu/activities/identity‐and‐trust/library/pp/cookies
– Study on the use of cryptographic techniques in Europe (2011)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/the‐use‐of‐cryptographic‐techniques‐in‐europe
– Report on trust and reputation models (2011)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/trust‐and‐reputation‐models
– Study on monetising privacy. An economic model for pricing personal information (2012)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/monetising‐privacy
– Study on data collection and storage in the EU (2012)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/data‐collection
– Privacy considerations of online behavioural tracking (2012)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/privacy‐considerations‐of‐online‐behavioural‐tracking
– The right to be forgotten – between expectations and practice (2012)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/the‐right‐to‐be‐forgotten
– Security certification practice in the EU ‐ Information Security Management Systems ‐ A case study (November,2013)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/security‐certification‐practice‐in‐the‐eu‐information‐security‐management‐systems‐a‐case‐study
– Algorithms, Key Sizes and Parameters Report. 2013 Recommendations (October 2013)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/algorithms‐key‐sizes‐and‐parameters‐report
– Recommended cryptographic measures ‐ Securing personal data (November 2013)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/recommended‐cryptographic‐measures‐securing‐personal‐data
– Securing personal data in the context of data retention. Analysis and recommendations (December 2013)
http://www.enisa.europa.eu/activities/identity‐and‐trust/library/deliverables/securing‐personal‐data‐in‐the‐context‐of‐data‐retention
– On the security, privacy and usability of online seals. An overview . (December 2013)
http://www www.enisa enisa.europa europa.eu/activities/identity identity‐and and‐trust/library/deliverables/on on‐the the‐security security‐privacy privacy‐and and‐usability usability‐of of‐online online‐seals
European Union Agency for Network and Information Security www.enisa.europa.eu 20

21.
Thank you very much for your attention
Follow ENISA:
European Union Agency for Network and Information Security www.enisa.europa.eu