Embed Size (px)
Citation preview
1
Scott CADZOW, C3L for i-Tour
ITS – Challenges for privacy-security-safety
2
Agenda and aim of seminar
• From the assertion that Intelligent Transport Systems will revolutionise society with aims to improve the safety of citizens when using any means of transport by leveraging the international communications network. – What is ITS intending to achieve? – How does ITS fit to the core human right of protection of
privacy? – What is the regulatory meaning of privacy?– How do you comply to privacy protection?– How can technology assist in privacy protection?
3
Your speaker?
• Scott CADZOW– Expert and rapporteur for:
• TETRA security specifications• The suite of guidance documents for effective security standards development
– covering Common Criteria, Risk analysis, and security requirements engineering
• Frequent member and leader of Specialist Task Forces
– He is chairman of the ETSI ITS Security group and also its counterpart in ISO TC204.16
– Has been vice-chairman of ETSI Project TETRA WG6 (Security) and the TETRA Security and Fraud Prevention Group (SFPG)
– Has bee vice-chairman of the ETSI Lawful Interception group. – Has contributed ENISA reports on network resilience, supply chain
integrity, and on measures to counter internet bullying.
4
Definition
• Privacy is defined as the right of the individual to have his identity and agency protected from any unwanted scrutiny and interference. – It reinforces the individual's right to decisional autonomy and
self-determination. • Privacy is a fundamental right protected by the Universal
Declaration of Human Rights and by various legislative orders including the EU Convention for the Protection of Human Rights and Fundamental Freedoms
5
Some statistics
• Deaths on EU27 roads:– Dropped from 56,247 in 2000 to 34,500 in 2009
• Downward trend is persistent and ITS should aim to accelerate the trend
• Vehicles on EU27 roads:– Increased from 334/1000 inhabitants in 1991 to 473/1000 in 2009
• Assertion: Manufacturers want to continue this increase
• Public transport use:– Flat at 7% for train use in EU27– Flat at 9% for bus use in EU27
• Assertion: Directive wants this to change from flat to increase
6
Some figures
• 1. Safety– Traffic carnage in the UK is estimated to cost 1% of GDP
(£18billion)• 2. Efficiency
– Congestion costs an estimated in 1% of EU total GDP or 100B€ p.a. (or £18billion in the UK alone)
• 3. Environmental sustainability– Transport accounts for 30% of total energy consumption in the
EU, with the vast majority being consumed by road transport.
7
ITS network: a network of sensors
8
What is the new thinking?
• Use vehicles as sensors• Use people as sensors• Use vehicles as computing nodes• Use people as data sources• Distribute knowledge
9
What are the new problems?
• Use vehicles as sensors– Who does it give its sensor data to? Does it trust the receiver will use it well?
• Use people as sensors– What are you sensing? Is this going to come back and adversely affect me?
• Use vehicles as computing nodes– Is this realistic? How much excess computing power is a car maker going to
install?• Use people as data sources
– Not just sensor data but opinions too? • Distribute knowledge
– To whom and who pays?
10
What can ITS do with data?
• Identify virtual communities– How people travel and for what may give travel
service providers better knowledge of how to ticket, how to schedule, how to better serve, different communities
• Provide data for recommender systems
11
Top level objectives for privacy
• ITS has to meet the expectations of privacy established by:– OECD Declaration of Human Rights– EU Data Protection laws– EU Convention on human rights
• Privacy is a right and expectation and not a technology
12
ITS aim: to improve safety
13
Co-operative awareness
• Vehicles signalling their presence by radio– Where and what I am reported continuously for all to
hear– Short range radio (5.9GHz, 100mW transmitter, about
200m range)– Not cellular, no infrastructure assumed
• Every vehicle aware of every other vehicle in the local area– Raw data for collision avoidance and other applications
14
Event notification messages
• Geo-routed indication of events– Crash, congestion, adverse weather …– Receiving vehicles forward the message within
and towards the affected geographic area• Broadcast over radio for all to hear
– 5.9GHz, low power, short range, no infrastructure• Intent is to warn other drivers and get them to
change their behaviour
15
CAM and DENM and PII
• PII = Personal Identifying Information• CAM and DENM identify behaviour:
– Where a vehicle is– How it is being driven– Long term analysis may derive personal data:
• Start and end points of journey• Correlation to objects at end points of journey:
– house (home?), shop (socio-economic group?), church (religion?), school (family status?)
16
Privacy concerns
• Transmitter has no knowledge of who receives the data
• Transmitter has no knowledge if the receiver is good (restricts processing to only ITS application) or bad (makes additional use of data)– Any potential for bad actors is bad and needs to be
designed out of the system
17
Pseudonymity is not an answer
• pseudonymity: act of ensuring that a user may use a resource or service without disclosing its user identity, but can still be accountable for that use
• Many aspects of behaviour are carried in immutable data – i.e. data that cannot be made pseudonymous– CAM and DENM content– Network addresses– GeoLocations
18
ITS aim: to improve environment
19
• Give feedback to users about environmental consequences of their travel behaviour with a view to encourage change
CO2 – climate change
PM – air quality
European standard
Key pollutants
COPERT IV - model and databases of emission factors
20
Emission calculation
Engine Fuel
Speed Outside temperature
- Gasoline- Diesel- LPG
- Passenger cars- Motorcycles- Mopeds- Vans / small trucks- Urban buses- Coaches
- Cold start- Hot start
Engine capacity
Fuel
Vehicle
Engine state
Emission standard
21
Illustration Passenger carGasolineEngine technology year 2002Engine capacity of 1.5 litre
Travel distance 18.1 kmTravel speed 80 km/h
Cold startTemperature 20 oC
Fuel use 128 gPM emission 0.022 gCO2 emission 3592 g
22
ITS aim: to reduce congestion
23
Congestion problem
• People in location “A” want to get to location “B” at the same time as lots of other people– Transport network capacity insufficient to meet
demand• The “Dawkins” solution:
– Move/copy what everyone wants at “B” to “A”– Stagger the journey start times for all travellers
24
ITS aim: encourage use of public transport
25
• Objective: to develop a routing system capable to:– support multi-modal routing– handle real-time information– consider multi-criteria
evaluation functions– increase environmental
awareness of travellers– generate personalized advice– learn preferences of users
26
Multimodal trips
27
User specifies which modes are available
Uni-modal networks are inter-connected by transfer links
Supernetwork approach
Multiple unimodal networks supernetwork
28
Time expanded method toaccount for time tablesof public transport
Time dependent method to account for congested travel times
Compiling the supernetwork
29
Link costs function(to weight different factors)
C = β0+ T * β1+ T * α1 * β2+ T * α2 * β3+ T * α3 * β4
30
Example of parametersMode Link type β0
Constant(min)
β1
Time weight
β2
Bad weather β3
Child β4
Time pressure
Foot Travel link 0 1 0.4 0.1 0
Bike Travel link 0 1 0.3 0.2 0
Bike Inter transfer link (in) 0 1 0.4 0.2 0
Bike Inter transfer link (out)
0 1 0.4 0.2 0
Car Travel link 0 1 0.1 0 0
Car Inter transfer link (in) 5 1 0.2 0 0
Car Inter transfer link (out)
0 1 0.2 0 0
Bus Travel link 0 1 0.2 0.1 0
Bus Intra transfer link (in) 3 1.1 0.3 0.1 0.2
Bus Intra transfer link (out)
3 1 0.3 0.1 0.1
Bus Inter transfer link (in) 3 1.2 0.2 0.1 0.2
Bus Inter transfer link (out)
3 1 0.2 0.1 0.1
Train Travel link 0 1 0 0 0
Train Intra transfer link (in) 0 1.1 0.3 0 0.2
Train Intra transfer link (out)
0 1 0.3 0 0.1
Train Inter transfer link (in) 0 1.2 0.2 0 0.2
Train Inter transfer link (out)
0 1 0.2 0 0.1
31
Which Real-time data?
32
Fast
Safety
No delays
Convenience
Low costEmission
Preferences
33
Privacy and the protection of people
34
What the regulation covers• data controller:
– natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data
• data processor: – natural or legal person, public authority, agency or any other body which processes personal data
on behalf of the controller• processing of personal data:
– any operation or set of operations which is performed upon personal data, whether or not by automatic means
• Examples of processing are collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
• data subject: – person who can be identified, directly or indirectly, in particular by reference to an identification
number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
• data subject's consent: – any freely given specific and informed indication of his wishes by which the data subject signifies
his agreement to personal data relating to him being processed
35
Requirements• Identify type of information/data users can upload and
access:– determine if private (identity revealing) or public data
• Trust-based access control mechanism allowing users to upload content– Can trust be private?
• Virtual user communities’ characteristics– Does this reveal data that would otherwise be private?
• Recommender system– How personal does it need to be to be effective?
36
Protecting User Privacy• Privacy protection protects a
person. • A person is described by what they
do, where they do, when they do it, what they do it with, and with whom they do it
• ITS users share their activity with each other and with the system– Need to protect exploit of that data
by other parties
37
Combination of technology & process
• Design for Assurance : Ensure that security provisions can be measured and evaluated
• Root is "Common Criteria for Security Assurance Evaluation" published as ISO 15408 and interpretation for standards development in ETSI EG 202 387
• Privacy by Design: adopt practices throughout the design, implementation and operation that maximise privacy
• identify data leakage• address the human element in system deployment• address the policies of the system users, maintainers & managers• consider end of life data disposal
43
Protecting User Privacy - risk reduction
44
Privacy, data protection and security
• Privacy is a fundamental right– Article 12 UDHR:
• No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks
– Article 8 EU Convention for the Protection of Human Rights and Fundamental Freedoms: Right to respect for private and family life
• Everyone has the right to respect for his private and family life, his home and his correspondence.
• There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
44
45
Privacy, data protection and security
• Assigns rights to citizens on how data related to them is protected– Enshrined in law in Directive 95/46/EC of the European Parliament and
of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
– Supplemented by Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
45
46
Privacy, data protection and security
• Personal data– shall mean any information relating to an identified or identifiable natural person
('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
• Processing of personal data– shall mean any operation or set of operations which is performed upon personal
data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
• “data subject’s” consent– shall mean any freely given specific and informed indication of his wishes by which
the data subject signifies his agreement to personal data relating to him being processed 46
47
Privacy, data protection and security
• The means to give assurance of the confidentiality, integrity and availability of data and services– Offers technical and procedural means to support regulation
• Security supports … – Privacy (Privacy Enhancing Technologies)
• COM(2007) 228 final: “COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on Promoting Data Protection by Privacy Enhancing Technologies (PETs)”
– Data protection
47
48
Content privacy – user generated
48
49
Content privacy – provided
49
50
Content privacy – interactive sessions
50
51
One person – multiple persona
51
52
Consequences for ITS
• ITS carries personal data both directly and indirectly in all its variants:– Advanced Traveller Information Systems (ATIS)
• Location and route is personal information
– Advanced Traffic Management Systems (ATMS)– ITS-Enabled Transportation Pricing Systems
• Concessionary fares require exchange of personal data
– Advanced Public Transportation Systems (APTS) – Vehicle-to-Infrastructure Integration (VII) – ETSI
• CAM and DENM
– Vehicle-to-Vehicle Integration (V2V) – ETSI• CAM and DENM 52
53
Wider concept
53
class IdentityBehav iour
Behav iourPerson
Location
Action
Time
happens at
consists of
takes place at
Determines
Exhibits
54
User Privacy versus User security• Security is not a synonym for privacy
– But security techniques will give some protection of privacy
– Security techniques counter risk of
• Interception, Masquerade, Manipulation, Repudiation
55
Protecting User Privacy
• Separation of identification and authorisation entities
– Anonymous at point of service delivery
– Identity and behaviour made non-linkable without collusion and difficult even with collusion
56
Use case interactions for “authorisation” uc Actors
iTour-user iTour-Data-Prov ider
iTour-Portal-Operator
iTour-App-Dev eloper
InstallJVM
Jav aAppTester
Request use of Application
Validate authority to install
Validate authority to run
Define application
Prov ide proof of author and integrity of
application
Test and v erify application
Prov ide proof of authority to deploy
application
Install authority schema
Define Authority Schema
User-machine-prov ider
«precedes»
«invokes»
«invokes»
«precedes»
«precedes»
«precedes»
«include»
«precedes»
«precedes»
Prosumer relationship
Multiple authorisations
57
Security technology protecting privacy
• Privacy shall be addressed from the perspective of security used as Privacy Enhancing Technologies (PETs).
• Security technologies are usually classified to the CIA model• The implementation will ensure control of:
– Security associations (specific links between objects)
– Confidentiality– Integrity – Authenticity
58
Privacy protection measures
• Anonymity– Ensures that a user may use a resource or service without disclosing the
user's identity• Pseudonymity
– Ensures that a user may use a resource or service without disclosing its user identity, but can still be accountable for that use
• Unlinkability– Ensures that a user may make multiple uses of resources or services
without others being able to link these uses together• Unobservability
– ensures that a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used
59
Unlinkability
• The maximising of entropy between messages from the same source– Derived from Shannon’s work– Cryptographic hashing achieves much of the effect
but cannot be realised in broadcast network with real world data being transmitted
60
Personal privacy – the i-Tour user
• New concerns in i-Tour– Group membership implied through
virtual community analysis may become personal data
– Recommendations through the recommender engine may become personal data
– Personalised travel services need knowledge of personal preferences
• Exploit of such data sets has to be minimised without properly traceable consent
61
Trust• How does the service trust the network?• How does the content provider trust the service
platform?• Proposals being considered
– Keyed authorisation framework• Variant of X.509 based Privilege Management Infrastructure
(PMI) using lightweight IEEE 1609.2 certificates (underlying cryptography is elliptical curve)
• Elements of Kerberos ticket granting service too
– May allow greater trust from users of the core network– May act as a deterrent to SPAM, DDoS and other attacks
61
62
i-Tour ontology for privacy class IdentityBehav iour
Behav iourPerson
Location
Action
Time
Priv ate data
Externally v erified data
Self asserted data
Preferences
PET
Identifier
RFID Tag
Tagged Item
Is protected by
Determines
takes place at
consists of
happens at
Controls release of
Exhibits
May imply
May be protected by
has an
May hold
Is identifiable with
May contain
May involve use of
Strong assertion
Aim is to weaken this assertion
Technology for protection
63
Objectives from directives
From regulation
From analysis
64
Protecting User Privacy• Need to demonstrate the
separation of identity and authorisation and unlinkability measures give privacy assurance
• Single and double blinding with strong assertions of community membership without revealing real identity (thus minimising privacy exploits)
65
Closing acknowledgements
• Partners in the i-Tour project• Colleagues in the ETSI ITS standards groups• Funding from FP7
66
Questions
