Trustworthy infrastructure for personal data management


Published on

© European Union Agency for Network and Information Security (ENISA), 2013

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Trustworthy infrastructure for personal data management

  1. 1. Please replace background with image Trustworthy Infrastructure for Personal Data Management Udo Helmbrecht Executive Director, ENISA Digital Enlightenment Forum Brussels, 19th September 2013
  2. 2. Virtual world and privacy • Divergent approaches – Personal data protection vs. data retention • Difference of perception across countries/regions – Privacy – human right in EU or consumer right in US • A new currency: personal data • Contradictory expectations and practice – Privacy - fundamental human right in the EU – Users concerned about privacy • 93% of participants in ENISA study1 – Users wiling to disclose more personal data for discounts • up to 87% of participants, in some cases, for 0.5 € discount in the study 1
  3. 3. Data protection • Fundamental human right in the EU2 • Legislation reform • Current context very complex Data retention1 • Legislation not transposed in all 27 MS • Different interpretation • Current context very complex • Questionable practice / deployment Technology • Scalability • Advances in ICT • Different technologies, lack of level playing field • Cost of deployment for secure solutions • Pan-European approach for information security needed • Different technologies • Cost of deployment for secure solutions • Scalability of the solutions • PETs still under development • Deployment costs • Scalability of the solutions • ‘Blanket’ interception • Deep packet inspection Complex interactions 1 105:0054:0063:EN:PDF 2
  4. 4. ‘The right to be forgotten’ 1 between expectations and practice • Included in the proposed regulation on “the processing of personal data and on the free movement of such data” published by the EC in Jan 2012. • ENISA addressed the technical means of assisting the enforcement of the right to be forgotten. • A purely technical and comprehensive solution to enforce the right in the open Internet is generally not possible • Technologies do exist that minimize the amount of personal data collected and stored online • Personal data is the new currency in the cyberspace! 1
  5. 5. Notification about security breaches in the EU legislation Article 13a of the Framework Directive for electronic communication Article 4 of the e-Privacy Directive Article 15 of the Draft Regulation on e-identities Articles 30, 31 and 32 of the Draft General Data Protection Regulation Framework Directive, E-Privacy Directive, e-ID Regulation, Data Protection Regulation Commonalities and diifferences between notification articlesRelevant notification articles Source: EU Cyber Incident Reporting, ENISA 2012 reporting/cyber-incident-reporting-in-the-eu
  6. 6. Trust in the infrastructure Gaps in supply chain • Technical level – For software – Trusted Computing – No efficient methods to control HW components • HW trojans, counterfeit elements, reverse engineering, side channel attacks • Physical analysis is complex, time consuming, costly • Labelling/marking is subject to counterfeiting • Risk analysis framework – Product driven – Based on financial risk – No methods for dynamic real time systems • Standardisation scheme – Existing certification schemes not addressed for complex supply chains – Lack of efficient technical solutions does not allow for implementation of controls
  7. 7. Towards secure infrastructure for data processing • The challenges extend beyond MS borders, hence… – MSs and the EU need close collaboration with industry and research • A gap is observed between – what is possible at technological level – what is available at market place and proposed by policy makers • Users are primarily interested in – Convenience, ease of use – Price (preferably free) • Technical issues in implementation of data protection mechanisms – Right to be forgotten – Minimal disclosure – Portability of profiles • The role of standardisation is still not clear
  8. 8. European Union Agency for Network and Information Security Science and Technology Park of Crete P.O. Box 1309 71001 Heraklion Crete Greece Follow ENISA