A matter of trust: privacy and security issues in the Information Age
IST-funded research into issues related to Privacy and Identity Management (PIM) is crucial for the uptake of the Information Society, as it can contribute to more trust in online services for consumers, business and governments. Surveys have shown that some Europeans feel their privacy is at risk from identity theft. Others are concerned about the erosion of individual rights. One thing is sure - people want to be able to interact securely and safely in cyberspace while maintaining control of their personal data. Such trust is fundamental if citizens are to embrace new services.
Privacy by design
While the European Commission has been promoting PETs for several years, the four-year PRIME (Privacy and Identity Management for Europe) FP6 IST project will focus on developing solutions for privacy-enhancing identity management for end users. Launched in March 2004, PRIME will help empower citizens in managing their privacy and support enterprises' privacy-compliant data processing. The multidisciplinary PRIME consortium brings together a diverse range of 20 players from industry, research centres and academia from EU Member States, Switzerland and the United States. The consortium is taking on the challenge to improve PET usability and functionality.
PRIME's fundamental principles of data minimisation and privacy by design aim to make Europe's information society safer and more secure, while sharpening its competitive edge. Experts have acknowledged that a key feature of the technology is data minimisation: limiting the collection of personal data to only what is needed. In addition, they agree PETs should be built right into information systems by design, rather than after the fact. The latter involves fundamental technologies such as human-computer interface, ontologies, authorisation and cryptology. The project will respond to end users' needs to minimise disclosure of personal data while accessing services and enforcing personal privacy preferences.
It is critical to develop models to make identity management easy for users and service providers to understand. To bring PETs closer to the market, innovative solutions for managing identities will be demonstrated in challenging real-life situations, such as travel, location-based services, e-learning and e-health. PRIME's results will be monitored by a Reference Group comprised of experts from industry, public administrations, consumer protection and citizen rights organisations, R&D, standardisation bodies, data protection authorities, and law enforcement agencies.
"Current solutions often lack privacy and security functionality," explains project coordinator Gérard Lacoste, IBM France. More importantly, they do not allow users to keep sovereignty over their private sphere by managing their own identity and privacy.
In addition, European Member States manage identities in different ways. In Germany, for instance, every adult must carry an ID card, while in the UK, state-issued ID cards do not presently exist. In the current environment of tighter global security, the smooth and consensual harmonisation of identification systems is critical.
Research into this important area has been largely uncoordinated. "Fragmentation is in fact a problem," explains Kai Rannenberg, Goethe University, Germany, project coordinator of the FP6 IST project FIDIS (The Future of Identity in the Information Society), which is working towards developing a deeper understanding of how appropriate identification and ID management can help to create a fairer European information society. It is impractical to have an uncoordinated response to the same issue.
A harmonised system is needed for numerous reasons. Consider mobility. Europeans are on the move, with many working cross-border. "Not only must existing applications and workflows be taken into account when designing new systems, but new services and business models will also have to be developed," adds Lacoste.
Shaping identity to satisfy Europe's needs
Virtual identities are being created for security, profit, convenience and fun. ID cards are becoming more high-tech, biometrics are being incorporated and chips are adding services. People in cyberspace are represented by numbers or ID keys. New IDs and ID management systems are being used. For example, mobile communication (GSM) has introduced a globally interoperable ID token: the Subscriber Identity Module, or SIM card.
"The European Commission has decided that research on identity is an important issue that must be integrated and coordinated across Europe," explains Rannenberg. FIDIS, launched in April 2004, brings together leading institutions in this area. They will jointly research activities such as exploring the identity of identity, profiling, the interoperability of IDs and ID management systems, forensic applications, de-identification and the high-tech ID, as well as mobility issues.
These topics are dealt with in interdisciplinary perspectives, integrating technological, legal, social and fundamental philosophical research. The relationship between identification technologies and identity in a democratic constitutional community such as the EU is one of the central topics. "Bringing together different approaches and cultures creates a synergy that will prove useful in finding a European solution," Rannenberg adds. A coordinated European solution could also become an export good, much like GSM, a highly successful standard that is now used globally.
E-government takes the lead
This view is shared by IST project GUIDE (Government User IDentity for Europe), which sets out to create an open architecture for secure, interoperable e-government electronic identity services and transactions for Europe.
"A multidisciplinary and multicultural structure such as ours is ideal to achieve the aim of developing a citizen-centric, user-driven and technology-enabled open architecture that best suits the needs of administrations, businesses and citizens," says project director Lia Borthwick. Our members are now hard at work to produce mass-scale product demonstrations with governments and citizens.
As in FIDIS, GUIDE goes beyond purely technical research and looks closely at a number of factors such as legislation, socio-economic issues and policy that will help to define the technology. Examining the challenges that technology poses to both policy makers and regulators, the project hopes to create an architecture that is practical and workable.
"GUIDE is multidisciplinary and we are looking at the wider social and political issues and analysing the opponents of certain types of identity tokens," explains Borthwick. For example, in Hungary, the constitution forbids a single identity card. But Spain already has national and regional biometric ID cards.
To validate the architecture, the project will run cross-border demonstrations between administrations. GUIDE, which includes 23 organisations from 13 countries, has already engaged with several countries and is rapidly compiling an inventory of where some key issues, and hopefully key answers, lie in creating such a pan-European architecture.
Privacy and identity management critical in key areas
Helping shape the FP6 research agenda was the IST programme's RAPID project (Roadmap for Advanced Research in Privacy and Identity Management), which ended in June 2003. It identified two main areas. The technical research category covered multiple and dependable identity management, infrastructure and enterprise. The non-technical category covered the socio-economic and legal issues.
The consortium selected five themes to be studied by a group of leading experts and recommended future research focus on:
- providing multiple and dependable identities life-cycle management capabilities to end users;
- enterprise service systems that account for data minimisation and data protection, ontologies and authorisation policies, have audit functions and can detect violations;
- user-friendly privacy-enhancing technologies (PET) infrastructure functions governing IP addresses, location, authorisation and service-level access;
- ways to raise awareness of PIM, stimulate PIM producers, analyse the relationship between PIM, digital identity and e-government;
- the complex relationship between law and technological development such as the legal implications of concepts of online identities, the use of online anonymity and pseudonymity, and privacy requirements vs. the need for state security and law enforcement.
Convincing businesses and consumers
To date, compliance with privacy regulation has been the strongest driver for enterprises to develop and implement privacy features into information systems. RAPID identified other positive drivers for enterprises, including:
- The need to improve consumer trust and confidence in the use of personal data. Customer loyalty increases if they trust the way enterprises process their personal data. At the same time, there is a high risk of a damaged reputation when it becomes publicly known that consumer data has in some way been compromised.
- Eliminating the collection and management of unnecessary data and the risks associated with inaccurate or out-of-date information can reduce costs.
- Replacing systems for client, supplier, partner and employee identification with a single automated system for authorisation and authentication can also reduce costs. Time-consuming tasks are automated, staffing requirements are reduced and risks of errors are diminished.
- Privacy compliance can be built into the system, which will automatically increase the consumers' trust in the organisation.
- Improved security in that a single system is more manageable. Only appropriate users have access to information and real-time audits can detect and prevent security exposures.
- The possibilities for new services delivery, such as Single Sign On portals, will benefit consumers.
Citizens have varying perceptions of what privacy and identity management is all about. The RAPID consortium recommended that convincing and realistic e-government and e-health applications could further citizens' understanding of the issues. Clearly, much more work needs to be done to gain a better understanding of both privacy perception by individuals and of sustainable business models for promoting the uptake of PETs in society.
"Looking back one year later, it is easy to see the urgent need for more research," says project coordinator Otto Vermeulen, Security Practice Leader, PricewaterhouseCoopers, The Netherlands. "You just have to open a newspaper to conclude that PIM research challenges need faster resolution than we anticipated in the project. I am happy these are being addressed under the Sixth Framework Programme [FP6]."
Contact:
Otto Vermeulen, RAPID coordinator, PriceWaterhouseCoopers N.V., Prins Bernhardplein 200, Postbus 94200, 1097 JB Amsterdam, The Netherlands, Tel: +31-6-53361787, Email: Otto.vermeulen@nl.pwc.com
Gérard Lacoste, PRIME coordinator, Centre d'Etudes et Recherches IBM, Le Plan du Bois, F-06610 La Gaude, France, Tel: +33-492-114807, Email: lacoste@fr.ibm.com
Kai Rannenberg, Denis Royer, FIDIS coordinator, Johann Wolfgang Goethe-Universität Frankfurt, Graefstr. 78, D-60486 Frankfurt am Main, Germany, Tel: +49-69-79825301, Email: fidis-info@fidis.net
Lia Borthwick, GUIDE, British Telecom, 81 Newgate Street, EC1A 7AJ London, United Kingdom, Tel: +44-208-5878227, Email: lia.borthwick@bt.com
Source: Based on information from RAPID, PRIME, FIDIS and GUIDE
Published by the IST Results service, which gives you online ICT news and analysis on the emerging results from the European Commission's Information Society Technologies research initiative. The service reports on prototype products and services ready for commercialisation as well as work in progress and interim results with significant potential for exploitation.
Countries
Germany, France, Netherlands, United Kingdom