TTA activity on Cyber Security and Protection of PI/PII/LI

14 July, 2008

Heung-youl Youm, Sun Kim

TTA, Korea

DOCUMENT #: GSC13-PLEN-23

FOR: Presentation

SOURCE: TTA, Korea

AGENDA ITEM: Plenary; 6.3

CONTACT(S): Heung-youl Youm (hyyoum@sch.ac.kr)

Sun Kim (skim@tta.or.kr)

Submission Date:July 1, 2008

2

Highlight of Current Activities(1/4)

• TC 5 is a Lead Technical Committee on information security that is responsible for developing various standards and guidelines and coordinating security activities across all Technical Committees.

• Project Group(PG) 501/5, Information Security Infrastructure• PG 502/5, Personal Information Protection & Identity management• PG 503/5, Cyber Security• PG 504/5, Application Security & IS Certification• PG 505/5, Telebiometrics• PG 506/5, Digital Right Management

• PG (Project Group) 502 in TTA is now developing standards or guidelines for protecting Personal Information (PI), PII (Personally Identifiable Information) and LI (Location Information) in Korea.

3

Highlight of Current Activities(2/4)

PG501/5 : Information SecurityInfrastructure

PG502/5: Private Information Protection & IdM

PG503/5: Cyber Security

PG504/5: Application Security & IS certification

PG505/5: Telebiometrics

• Protection of Privacy Information, Personal Identifier Information

• User/application/ network-level Identity Management

• Cryptographic algorithm/Key management

• Pubic Key Infrastructure

• Authentication/Access control

• Interoperable transmission of Biometric information• Biometric information protection system• Emigration/Immigration control system /Smart Card/IC

cards

• Application Service Security• Common Criteria/Information Security

Management System• Trusted Cryptographic Module• Domain-specific security (IPTV, RFID/USN)

• Internet/NGN security• Vulnerability Information Sharing/Incident

Handling• SPAM/Traceback/Digital Forensic

PG506/5: DRM • Unauthorized Copy Protection• DRM for ensuring IPR • Interoperable DRM

Users

Position & Role of each PG in TC5

4

Highlight of Current Activities(3/4)

Before January 2008 After January 2008

PG.101Information Security Infrastructure

PG.102 Internet Security

PG.103 Telebiometrics

PG.110 Digital Right Management

PG.501Information Security InfrastructurePG.502 Personal Information Protection & IdM

PG.503 Cybersecurity

PG.504 Application security& IS certification

PG.505 Telebiometrics

PG.506 Digital Right management

TC1: Common Infrastructure TC5: Information Security

New PG Continuation of existing PG

Organizational structure for the standardization

5

Highlight of Current Activities(4/4)

• Achievements and current activities for protection of PI/PII/LI– Upstream contribution to the ITU-T SG17

• ITU-T X.1171, Framework for Protection of Personally Identifiable Information in Applications and Services  Using Tag-Based Identification; Consented April 2008, under LC resolution process

• ITU-T X.rfpg, Guideline on protection for personally identifiable information in RFID application Under development

• ITU-T X.idif, User Control enhanced digital identity interchange framework, Under development

– Domestic achievements• TTAS.KO-12.0053, Privacy Management Model for based on Life Cycle of

Personal Information, Approved December 2007• TTAS.KO-12.0054, Framework for internet-Personal Identification Number

Service, Approved December 2007• TTAS.KO-12.0055, Massage Format for internet-Personal Identification Number

Service, Approved December 2007– Downstream adoption

• TTAS.KO-12.0051, The Platform for Privacy Preference, Approved December 2007 adopted from W3C

• TTAE.IF-RFC3693, Geopriv Requirements, Approved December 2007 adopted from IETF

• TTAE.IF-RFC3694, Threat Analysis of the Geopriv Protocol, Approved December 2007 adopted from IETF

6

Strategic Direction

• TTA’s standardization activities in the area will be carried out in coordination with global SDOs, especially ITU-T. Especially, TTA PG502 will focus on developing standards or guidelines in the following areas:– the ID management;

– protection of personal information and personally identifiable information;

– and protection of location information.

• TTA will focus on carrying out three types of activities: upstream activities, downstream adoption and domestic activities: – For the upstream contribution, TTA continues to submit to ITU-T the

contribution in this area;

– For the downstream adoption, TTA continues adopt the suitable international standards developed by global SDOs to complement domestic standards;

– For the local contribution, TTA continues to develop domestic standards which are closely related to Korea’s regulation.

7

Challenges(1/2)

• Nowadays, a series of hacking incidents result in a massive leakage of personal information stored in the web-based companies from a hacking incidents: – For instance, Auction, a subsidiary of the world’s largest on-line

auction company e-Bay, Korea’s number one of on-line company with 18 million registered users, leaked personal information of more than ten million registered users due to a hacking incident in early February 2008. More than 90 percent of the information outflow was of names, registered IDs and resident registration numbers on April 2008.

• A lot of applications such as Location-based services, navigation applications, emergency services and other location-dependent services need geographic location information about a target (such a user, resource or other entity). There is a need to securely gather and transfer location information for location services, while at the same time protect the privacy of the individuals involved.

8

Challenges(2/2)

• The widespread deployment of identification tags (including RFID tags) can give rise to concerns of privacy infringement because of the abilities of RFID technology to automatically collect (and process) data, with the possible disclosure of such data to the public (deliberately or accidentally).

• The web site request the user to submit the resident registration number when a user signs up for the web site. Indeed, the resident registration number contains many privacy relevant information such as birth year, birth date and month, sexuality, and birth place. Therefore, leakage of this information always results in the privacy infringement. Therefore, a new ID management system should be developed for web site not to request a user to submit the resident registration number.

9

Next Steps/Actions

• TTA will continue to contribute to global SDO activities by submit contributions to the ITU-T SG17 activities in this area, especially in the protection of private information.

• TTA will support to develop the domestic standards for the protection of PI, PII and location information which have regulation implications in this area.

• Recently, Korea government requests a web site with more than certain number of registered users to use an i-PIN (Internet - Personal identification number) when a user signs up for a web site, which is a Korean-type ID management system. Its aim is to replace resident registration number with new i-PIN, which is real pseudorandom and has no private information about a user. Therefore, TTA will develop the domestic standards for next model of i-PIN system to overcome the current drawbacks.

10

Proposed Resolution - Summary

• There is still much room for developing global standards to protect privacy infringements of users or targets, especially PI (Personal Information), PII (Personally Identifiable Identifier) and location information.

• Therefore, it is necessary for global SDOs to strength the activities to develop a set of standards or guideline in order to protect private information, PII, and location information from various cyber attacks. In addition, it is required to consider the privacy infringement effects when new IT protocols or services are introduced, designed or standardized.

11

Supplemental Slides

12

ITU-T SG17, SG13 and others

TTA TC 5

Relationship between the PG and Global SDOs

PG 501Information Security InfrastructurePG502 Private Information Protection &IdM

PG503 Cybersecurity

PG504 Application security and CC

PG505 Telebiometrics

PG506 Digital Right management

Q.D/17 Directory Services, Directory Systems, and Public-key/Attribute Certificates

Q.I/17 Telecommunications Systems Security Project

Q.J/17 Security Architecture and Framework

Q.K/17 Cybersecurity

Q. L/17 Identity Management Architecture and Mechanisms

Q. M/17 Telecommunications Information Security Management

Q. N/17 Telebiometrics

Q. O/17 Security Aspects of Ubiquitous Telecommunication Servicess

Q. P/17 Secure Application services

Q. Q/17 Countering Spam by Technical Means

Q. T/17 Service Oriented Architecture Security

Q.15/13 NGN security and Network IdM

ISO/IEC JTC1/SC17, SC27, SC31, SC37

IETF Security Area

13

Summary of Achievements in area of Protection of PI/PII/LI since GSC12(1/3) • Upstream contribution to the ITU-T SG17

– ITU-T X.1171, Framework for Protection of Personally Identifiable Information in Applications and Services  Using Tag-Based Identification; Consented April 2008, under LC resolution process

• This Recommendation describes a number of Personally Identifiable Information (PII) infringements for applications and services using tag-based identification, and requirements for PII protection. In addition, this Recommendation provides a framework for PII protection service based on PII policy profile.

– ITU-T X.rfpg, Guideline on protection for personally identifiable information in RFID application Under development,

• This Recommendation recognizes that as RFID greatly facilitates the access and dispersion of information pertaining specifically to the merchandise that individuals wear and/or carry, it also creates an opportunity for the same information to be abused for tracking an individual's location or invading their privacy in a malfeasant manner. For this reason the Recommendation provides guidelines and best practices regarding RFID procedures that can be used by service providers to gain the benefits of RFID while attempting to protect personal identifiable information.

– ITU-T X.idif, User Control enhanced digital identity interchange framework, Under development,

• This Recommendation defines a framework that covers how global interoperable digital identity interchange can be achieved and how an entity’s privacy is enhanced by providing an entity more control over the process of identity interchange. In addition, the Recommendation defines the general and functional requirements of the framework that should be satisfied. Based on the requirements, a framework is defined with basic functional building blocks for identity interchange and enhancing entity control.

14

Summary of Achievements in area of Protection of PI/PII/LI since GSC12(2/3)• Domestic contribution

– TTAS.KO-12.0053, Privacy Management Model for based on Life Cycle of Personal Information, Approved December 2007

• This standard describes basic definitions related with personal information and classifies personal information by importance. And this standard suggests security requirements that help IT service provider to manage personal information securely, when they collect, store, use and destroy personal information. Moreover, this standard describes various privacy infringement causes and measures.

– TTAS.KO-12.0054, Framework for internet-Personal Identification Number Service, Approved December 2007

• This standard informs definition and function of components of -PIN service framework that Authentication Agency offers to ISP. In addition to that, this shows the whole process of -PIN service.

– TTAS.KO-12.0055, Massage Format for internet-Personal Identification Number Service, Approved December 2007

• This standard defines the message format for inbound and outbound personal information which is proposed by Authentication Agency to ISP, among i-PIN Service stake holders , which are user, ISP and Authentication Agency.

15

Summary of Achievements in area of Protection of PI/PII/LI since GSC12(3/3)• Downstream adoption

– TTAS.KO-12.0051, The Platform for Privacy Preference, Approved December 2007 adopted from W3C

• This standard based on W3C P3Pv1.1. It defines the Policy syntax and semantics, Compact policy and Data schema in P3P.

– TTAE.IF-RFC3693, Geopriv Requirements, Approved December 2007 adopted from IETF

• The standard defines the security requirements for providing privacy of location object which gathered and transferred by location-based and location-dependent services.

– TTAE.IF-RFC3694, Threat Analysis of the Geopriv Protocol, Approved December 2007 adopted from IETF

• This document analyzes threats against geopriv protocol and architecture for geopriv protocol for location-based and location-dependent services. Some security properties about theses threats are enumerated as a reference for Geopriv requirements.