In .Com we trust

From the journal PS Public Service Review: European Science & Technology, Issue 9, 2010, published by PSCA International Ltd., pp. 128-129.

Authors James Clarke, Kieran Sullivan and Barry Mulcahy at Waterford Institute of Technology – TSSG encourage a global effort when it comes to building confidence in Internet Security.

The growth of the Information Society means there is a strong need to develop intelligent and user-friendly, Information and Communication Technology (ICT) security environments. These secure environments should take full account of the values of liberty, democracy and privacy in our societies, while fostering an open and competitive e-commerce environment.

The challenges are complex – with a growing number of systems, networks, services and applications carrying and storing personal and business content. As online services become increasingly accessible, users are getting involved in new forms of community building: chatting, gaming, blogging, and creating online lives. As a consequence, they divulge sensitive information relating to their activities, profiles, health and financial status, and various other personal matters.

Investment in ICT Security is increasing as assurance requirements from stakeholders acknowledge the inherent risk of unprotected systems, applications and data. The motivation is clear: society and technology are evolving in tandem, and at a significant pace. Technology is more accessible to the global population, with applications and services deployed quickly in order to keep up with growing user demand.

Users of technology have embraced the internet era and are demanding services that meet their lifestyles and multiple roles. A large proportion of the global population regularly uses online services such as Skype, Facebook, Bebo, Flickr, YouTube, etc. In some respects, usage patterns and trends differ across specific demographics, cultures and communities. However, as governments and industry increase their use of the internet for many services and applications that they provide (for example, e-health, e-government), a situation of blanket dependency on such services is created. The spread of this virtual personal space over various geopolitical and judiciary entities leads to problems that are not yet adequately addressed.

Internet and Web services are based on a global infrastructure of communication, data processing and service provisioning. Explicit steps need to be taken to reach an international understanding on Trust and Security to avoid breaking the Internet infrastructure into separately controlled pieces. To ignore this risk is to invite a lesser role for the Internet as a global information network, as well as lowering its potential for innovation and social impact. Conversely, a balance must be addressed so that innovation and social impact will not be lessened by overburdening regulatory frameworks while protecting individual consumer rights and dignity.

The burdensome task of supplying excessive personal information, ostensibly for authentication purposes, when accessing online services presents a hurdle to user trust of the Internet. This data is elicited through a registration process that often solicits information that is unnecessary for the correct functioning of the service in question. The handing over of their private data to a remote entity can make users uncomfortable, especially when the route to legal redress arising from any data misuse may not be fully established or understood when they are in this process.

It has become apparent that legislative frameworks are required to ensure both trust and privacy in the Future Internet (and equally in the current Internet). As in the real world, however, valid trust and privacy online cannot exist without accountability. In order to hold users and service providers responsible for any illegal actions, some form of local accountability should be enforced, since there are essentially few legislative boundaries in the current Internet. This makes redress difficult, if not impossible.

User-centric Privacy Enhancing Technologies (PET) can help address this imbalance. These PETs should include tools for enforcement and dynamic consent management. The right for individuals to access their personal data from data controllers is a cornerstone of the EU Data Protection legal framework; however, in reality, there has been little consideration given to how these rights can be effectively, safely, and conveniently exercised by data subjects.

Many people today do not know who has access to their personal information. Even if users can see their data, they may have no control over it; i.e. to remove/delete/amend what they deem inappropriate or false. PETs must incorporate dynamic consent management and be built into the architecture of any identity management system.

User-centric identity management—providing strong mutual authentication between data subject and data controller—is a pre-requisite. More research is needed to determine how personal data should be stored and structured to maximise the transparency available to individuals. Increasing the depth and scope of the personal data available to data subjects online may increase privacy risks unless accompanied by a holistic approach to system security design. There is, however, little literature directly addressing these topics apart from a number of ICT Trust and Security projects being funded by the European Commission’s Directorate General Information Society and Media (DGINFSO) Unit F5 on Trust and Security, and other initiatives, e.g. the Future Internet Assembly, where there is a dedicated cluster for trust, identity and security.

In recent years, there has been a structured international consultation process at programme management and researcher levels in ICT Trust, Security and Privacy. Through the EU-led INCO-TRUST project, significant progress has been made in developing a shared understanding of global issues and scenarios related to ICT Trust and Security research directions, which is fostering a strong and competitive ICT trust and security industry in Europe. These efforts have steadily expanded between EU researchers and have also grown outwards to the global community to include partners from the United States, Japan, Australia, South Korea and Canada. The resultant collaboration process provides significant benefits for top-level European researchers, helping to forge global partnerships among international peers in key areas of security research and development.

The growing international community of policy-makers and stakeholders is essential to gaining consensus on key Trust and Security issues. This engagement allows tools and mechanisms to be developed that provide protection, assurance and integrity for networked digital environments. In addition to developing secure technological infrastructures, this international forum provides a platform to reinforce the necessary legal frameworks, underpinning a “technologically embodied law of a digitised constitutional democracy”; for example, including technical and legal support for privacy-friendly accountability. Further work to formalise ICT Trust and Security activities will be necessary in order to fully integrate cross-issue themes with ongoing and future research projects. This will provide effective coordination and a strategic direction that has both the necessary breadth and depth to address the challenges of liberty, democracy and privacy in our online societies.

During the ICT 2010 event held recently in Brussels, it was repeated time and again that while developing solutions to the wide range of R&D challenges concerning Trustworthy ICT, it is important to adopt a holistic approach, which does not hamper the innovation levels and commercial incentives that have in the past financially supported the development of the Internet. A number of European Union Framework Programme (FP) projects are being carried out in research centres like the Waterford Institute of Technology’s TSSG to seek solutions for strategically important Trust and Security issues, using a combination of partners from academia, regulatory bodies and commercial partners (e.g. online service providers). Indeed, it is in the best interest of the latter to foster a high level of trust and privacy amongst their customers. This will encourage the adoption of future e-commerce initiatives and the roll-out of next generation networks (NGN) that support them. It is only through a variety of measures—legislative, technical and educational—that we can hope to improve on the present situation where citizens’ information is treated as a commodity to be traded amongst vested interests.

It is unlikely that we will attain a panacea of privacy and identity management on the Internet in the very near future. However, through the ongoing initiatives described here briefly, a growing awareness and sense of urgency regarding Trust and Security issues is helping to propagate and bring to the forefront the existing work being carried out in Europe and in discussions and partnership with other countries. Such awareness and urgency will also help to ensure its adoption in the future.

 

t: +353 71 9166628
m: +353 87 2323931
f: +353 51 341100
skype: jclarke923
email: jclarke@tssg.org
www.tssg.org/research/jclarke

Since January 2011, Mr. Clarke has been Project Coordinator of a European Framework Programme 7 Co-ordination action entitled BIC, which stands for Building International Cooperation for Trustworthy ICT: Security, Privacy and Trust in Global Networks & Services. BIC will engage the European Union trust and program management (funding organizations) and research communities with their peers in Brazil, India and South Africa, and enable collaboration with the research communities in trust and security already established in the US, Australia, Japan, Korea and Canada through the recently concluded INCO-Trust project, which Mr. Clarke also coordinated from 2008 to 2010. In addition, Mr. Clarke is actively involved in the research community, having served on various international conference committees as a program committee member.

Mr. Clarke was twice voted onto two-year terms as a Steering Board member of the European eMobility Technology Platform (now Net!Works), and is also involved in the Future Internet Assembly (FIA) as one of the Trust and Security organisers and Program Committee members. For the upcoming FIA Budapest conference in May 2011, he is involved with colleagues in organising a session on the challenges associated with the Internet of Things (IoT) and impacts on trust, security and privacy.

Previously at WIT, Mr. Clarke worked on the Framework Programme 6 (FP6) projects IST ESFORS and SecurIST.