This is our first blog of 2015 and we’d like to wish all the readers of SecurityWatch a very Happy New Year!
So what are the predictions for cybersecurity issues this year?! More open source software bugs, vulnerabilities in mobile payment systems, IoT attacks, and so on. Apart from these issues, there is one global concern which is ongoing and undoubtedly growing – PRIVACY.
Surveillance issues are at the forefront due to rising terrorist activities. Such activities, which could be potential threats to a nation or its people, compel governments (or so they claim) to keep a close eye on all activity over the wire within their remit.
Not long ago, such operations were conducted covertly. But the NSA and GCHQ revelations by Edward Snowden, starting June 2013, were an eye-opener for many. An international survey on Internet security and trust of 23,376 Internet users in 24 countries reported that 60% of Internet users have heard of Edward Snowden, and 39% of those ‘have taken steps to protect their online privacy and security as a result of his revelations’, which is a considerable number.
Recently the UK’s prime minister announced that, if elected again, he would block chat messengers that support end-to-end encryption (such as WhatsApp, iMessage, Telegram, Cyberdust, etc.), as part of his plans for new surveillance powers announced in the wake of the Charlie Hebdo shootings in Paris. It seems the onus is now on the citizens to assist the governments by sacrificing their privacy, as opposed to them putting in more resources to tackle terrorist threats.
And it isn’t just governments ready to put their hands on any kind of personal information available over the wire; there are other actors involved as well. Cyber theft is escalating and stolen information is being sold on the deep web or darknet for financial gain. Moreover, companies monitor user activity more than ever before to boost sales.
Such growing interest in personal information for malicious purposes compels us to think more and more about protecting our privacy online in the internet era. This Hindi proverb, in my view, explains it well –
“Shaadi laddoo motichoor ka, jo khaaye pachtaye, jo na khaaye pachtaye”
Which means – Marriage is like a delicious tempting sweet, the one who consumes it suffers as well as the one who doesn’t (unless you absolutely hate sweets)! Which is entirely true if we substitute Internet in place of Marriage in this case. Anyone using the internet needs to be cautious and must take proactive measures to protect their privacy if they want to have a good relationship with it!
There are already complaints being lodged and measures being taken to strengthen the privacy regulations in Europe. Among them is the “Right to be Forgotten” Ruling (C-131/12) that states a search engine will have to delete information, along with the links when it receives a specific request from a person affected.
Some users of the internet, especially the younger generation, might relate to privacy as only changing their twitter or Facebook settings to restrict feeds and pictures to contacts.
However, privacy is more than that.
“Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.” – Marlon Brando
Privacy is a fundamental human right. This is acknowledged by Article 8 of the European Convention on Human Rights, which provides a right to respect for one’s “private and family life, his home and his correspondence”. The Charter of Fundamental Rights of the European Union and Universal Declaration of Human Rights have similar sections on privacy protection.
However, not every fundamental right that a citizen possesses is set out in a country’s constitution. For example, in Ireland, the Constitution does not specifically state a right to privacy but the courts recognize that the personal rights in the constitution imply the right to privacy.
Privacy is an integral element of democratic societies and this applies to the digital world as well. Digital technologies may be designed to protect privacy. Since the 1980s, technologies with embedded privacy features have been proposed. During that time, deploying Privacy Enhancing Technologies (PETs) (e.g. encryption, protocols for anonymous communications, attribute based credentials and private search of databases) was seen as the solution, as opposed to embedding privacy into the design of technology. However, apart from a few exceptions such as encryption, PETs haven’t really become a standard or a widely used component in system design.
Most of us may have heard about the relatively newer concept of Privacy by Design (PbD), which has been around for a few years now. It was developed by the former Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, back in the 1990s. Dr. Cavoukian argued that “the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.”
Privacy by Design is believed to be accomplished by practicing its 7 Foundational Principles, which have been translated into over 30 languages.
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default Setting
- Privacy Embedded into Design
- Full Functionality – Positive-Sum, not Zero-Sum
- End-to-End Security – Full Lifecycle Protection
- Visibility and Transparency – Keep it Open
- Respect for User Privacy – Keep it User-Centric
Privacy is a challenging subject that covers a number of domains, including law, policy and technology. Some believe that the concept of Privacy by Design is too vague and, since it does not focus on the role of the actual data holder but on that of the system designer, that it is not applicable to privacy law.
Despite the criticism, Privacy by Design has been globally recognized and adopted. The U.S. Federal Trade Commission recognized Privacy by Design in 2012 as one of its three recommended practices for protecting online privacy. In addition, a variation of the concept, known as ‘Data protection by Design’ has been incorporated into the European Commission plans to unify data protection within the European Union with a single law – the General Data Protection Regulation. The variation apparently goes beyond mere technical solutions and addresses organisational procedures and business models as well. However, since the proposal does not explicitly define or give references for definitions of either data protection by design or privacy by design, the precise meaning of these concepts is nebulous.
In an effort to encourage adoption and implementation of privacy by design and to provide guidance on privacy engineering practices, several bodies have taken initiatives.
In January 2012 the European Commission proposed a regulation on data protection that will replace the existing Data Protection Directive. The proposal for the new regulation in general associates the requirements for data protection by design and data protection by default with data security and contains specific provisions relevant to Privacy by Design and by Default.
European Union Agency for Network and Information Security (ENISA)
In December 2014, the European Union Agency for Network and Information Security (ENISA) published a report to elaborate on how privacy by design can be implemented with the help of engineering methods. According to the ENISA report:
“The principle “Privacy/Data Protection by design” is based on the insight that building in privacy features from the beginning of the design process is preferable over the attempt to adapt a product or service at a later stage. The involvement in the design process supports the consideration of the full life-cycle of the data and its usage.”
The report is intended for data protection authorities, policy makers, regulators, engineers and researchers. It discusses the notion of a privacy design strategy, and how it differs from both a design pattern and a PET. Moreover, the report briefly summarizes the eight privacy design strategies as derived by Hoepman from the legal principles underlying data protection legislation for both data and processes. It also provides a list of privacy implementation techniques.
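The PbD principle “Privacy as the Default Setting” listed earlier and the ENISA privacy design strategies described above are easier to grasp when they are seen applied to a concrete piece of data handling. The following Python example is added here and is not taken from the ENISA report, from Hoepman’s work or from SecurityWatch; it is a hypothetical profile store that applies several of Hoepman’s strategies (minimise, hide, separate, aggregate, inform, control) to a constructed sign-up record: unneeded fields are dropped before storage, the e-mail address is replaced by a keyed HMAC pseudonym, attributes are kept only at coarse granularity, every optional processing is off by default, and the data subject can export or erase what is held. The key value, the field names and the group-size floor of 5 are assumptions for the demonstration.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, Optional

# Assumed: in a real deployment this key lives in an HSM or secret store.
# Hard-coded only so the example runs offline.
PSEUDONYM_KEY = b"example-key-replace-with-managed-secret"

# "Minimise": the only sign-up fields this profile store may process.
# Anything else on the sign-up form is dropped before it reaches storage.
REQUIRED_FIELDS = ("email", "birth_year", "postcode")

# "Privacy as the default setting": optional processing is off until the
# person opts in explicitly.
DEFAULT_SETTINGS = {"share_profile": False, "marketing_emails": False, "analytics": False}


def pseudonymise(identifier: str) -> str:
    """'Hide': map a direct identifier to a keyed hash.

    A keyed HMAC rather than a plain hash, so that someone who obtains the
    store but not the key cannot rebuild the mapping from a list of known
    e-mail addresses. Normalising case keeps the pseudonym stable per person.
    """
    data = identifier.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, data, hashlib.sha256).hexdigest()


def minimise(raw: dict) -> dict:
    """'Minimise': keep only the fields the service actually needs."""
    missing = [f for f in REQUIRED_FIELDS if f not in raw]
    if missing:
        raise ValueError(f"sign-up missing required fields: {missing}")
    return {f: raw[f] for f in REQUIRED_FIELDS}


def coarsen(record: dict) -> dict:
    """'Aggregate': store attributes at the coarsest useful granularity."""
    return {
        "birth_decade": (int(record["birth_year"]) // 10) * 10,
        # outward part of a UK-style postcode only, e.g. "SW1A 1AA" -> "SW1A"
        "postcode_area": str(record["postcode"]).split()[0].upper(),
    }


class ProfileStore:
    """Holds pseudonyms and coarse attributes only.

    'Separate': the e-mail address stays with a (hypothetical) identity
    service; this store never persists it, only the HMAC pseudonym.
    """

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def register(self, raw_signup: dict) -> str:
        needed = minimise(raw_signup)
        pid = pseudonymise(needed["email"])
        self._records[pid] = {
            "attributes": coarsen(needed),
            "settings": dict(DEFAULT_SETTINGS),
        }
        return pid

    def opt_in(self, pid: str, setting: str) -> None:
        """'Control': the person switches optional processing on, not the operator."""
        if setting not in DEFAULT_SETTINGS:
            raise KeyError(setting)
        self._records[pid]["settings"][setting] = True

    def export(self, pid: str) -> Optional[dict]:
        """'Inform': subject access; returns everything held under the pseudonym."""
        rec = self._records.get(pid)
        return None if rec is None else {"pseudonym": pid, **rec}

    def erase(self, pid: str) -> bool:
        """Erasure on request (the 'right to be forgotten')."""
        return self._records.pop(pid, None) is not None

    def decade_report(self, min_group: int = 5) -> Dict[int, int]:
        """'Aggregate' reporting: counts only, only for people who opted into
        analytics, with small groups suppressed so no individual stands out."""
        counts = Counter(
            rec["attributes"]["birth_decade"]
            for rec in self._records.values()
            if rec["settings"]["analytics"]
        )
        return {decade: n for decade, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    # Constructed sample sign-up; "phone" is not required and is dropped.
    store = ProfileStore()
    pid = store.register({"email": "Alice@Example.org", "birth_year": 1987,
                          "postcode": "SW1A 1AA", "phone": "555-0100"})
    print(store.export(pid))
```

The point of the layering is that each strategy limits what a later failure can expose: a leaked copy of this store yields no e-mail addresses or phone numbers, the pseudonyms are useless without the separately held key, and the analytics report never emits a group small enough to identify someone. The example also shows the fragility the ENISA report warns about: if the identity service and this store were ever combined under one operator holding both the key and the e-mail table, the “hide” and “separate” properties would collapse.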
The report identifies and highlights some limitations of privacy by design too. The predominant ones are: fragility of privacy properties if two systems are combined or one is embedded in the other; absence of a general and intuitive metric that allows comparing two systems with the same or similar functionality with respect to a set of privacy properties; increased complexity and reduced utility of the resulting system; and differing interpretations of privacy by design.
National Institute of Standards and Technology (NIST)
A similar initiative is underway by NIST as well, called the Privacy Engineering initiative, which focuses on providing standards-based tools and privacy engineering practices to help evaluate the privacy posture of existing systems, enable the creation of new systems that mitigate the risk of privacy harm, and address privacy risks in a measurable way within an organization’s overall risk management process. The organization published a draft last year in April – NIST Privacy Engineering Objectives and Risk Model Discussion – in which a definition for privacy engineering was proposed:
“..a collection of methods to support the mitigation of risks to individuals of loss of self-determination, loss of trust, discrimination and economic loss by providing predictability, manageability, and confidentiality of personal information within information systems.”
However, to our knowledge, this is not the final accepted definition, and a meeting to update the draft will be held in February 2015.
Although the requirement for such initiatives was long overdue, these standards, regulations and guidelines can only take us so far when it comes to protecting our privacy in times of these technological transformations and rising cyber security threats. Nevertheless, using the right means with the right technology and embedding privacy and data protection in the way we design/build solutions could certainly facilitate the protection of our user identities in this crazy world of the internet.