Privacy in the Cyber-Era

(by Massimo Montanile)
09/05/17

Technological innovation continually delivers new tools for an increasingly connected planet1, but at the same time exposes personal data, and more generally valuable information assets, critical infrastructures included, to new cyber threats.

Think of the explosion of the Cloud model and of all the organizational implications for compliance and security that come with it, of the spread of biometric and graphometric devices, of profiling, often built into the software of websites, and of the tumultuous development of the IoT, which according to the most conservative estimates will interconnect over 50 billion devices by 2020. These models should be well understood, evaluating their adoption case by case and balancing the real benefits they may bring against the risks, to privacy and not only, connected with their use.

Of course, each of us will favour our own point of view, that of the attacker or of the defender, even if in the end it is difficult to play only one role.

Out of a world population of 7.5 billion people, 3.6 billion are internet users2.

Data is the raw material of the information age3: every human activity, at some stage of its life cycle, involves at least one data processing operation in order to take place. With the digitalisation of information, the use of data has become a structural part of all the economic and social processes of our lives4. Rapid technological evolution continuously makes new tools available and enables information processing that was previously impossible or only imagined. Considering data collection alone, 90% of the entire digital heritage of the world has been generated in the last two years5, and it is growing at a rate of 50% per year. Domo's statistics6 clearly convey the dimension of the Internet phenomenon: every minute of the day, 400 hours of new video are shared on YouTube, products and services worth over 222,000 dollars are bought on Amazon, and almost two and a half million photos receive a like on Instagram.

According to Gartner7, by 2020 the devices connected to the Internet of Things (IoT), other than PCs and mobile devices, will number 25 billion (more than half of them in the consumer market alone); Cisco expects that by 2020 the total number of interconnected IoT devices could reach the 50 billion threshold, while IDC puts this estimate at 212 billion.

Companies and organizations are all migrating, some unknowingly, towards a digital model, one that promises new opportunities but also exposes them to new risks.

The armed forces, starting with those of the USA, have for several years now been undergoing concrete processes of digital transformation. Consider the remarkable development of Forza NEC, the "multinational inter-force programme within NATO for the creation of an innovative military instrument through the shared digitalisation of information, equipment and common operational and logistic platforms"8.

Smart devices, not only common electronic devices but also more advanced and sophisticated ones, connected to the network according to the IoT model, or IoE (Internet of Everything), offer ever more innovative, creative and advantageous features, but they inherently carry considerable potential risks of being hacked9, by adversaries who are often not easily identified and who can sometimes mount attacks even without significant technical or financial resources.

Action by the institutions to support a culture of security and of defence of the rights of the person, which cannot be separated from their personal data, becomes urgent and necessary.

The EU Privacy Regulation10 offers us the opportunity to approach the security issue in a structured way, providing very useful guidance (especially in the recitals) which, if well understood, allows the implementation of measures, processes and organizational structures capable of meeting the great challenge of Data Protection.

Here we quickly retrace the points that, in our opinion, are most useful, recognizing in training a powerful "firewall" aimed at supporting and strengthening the awareness of those who process personal data, but also of those who develop Data Protection systems, by including human behaviour in the life cycle of a Security and Privacy tool's development project as a requirement to be taken into account, on the same level as functional and mandatory requirements. This is the basis for effective Security and Privacy by Design11.

The Privacy Guarantor, in a recent statement released to comment on the Wikileaks-CIA case12, in fact affirms that "it is essential above all to invest in privacy by design and by default, designed to reduce the risk of invasion of our private sphere starting from the very configuration of the devices. But above all, we must not resign ourselves to the apparently unstoppable process of global surveillance, to which we are increasingly exposed and which news like this unfortunately confirms".

In particular, the reference to data protection by design is explicit in recital 78 of the GDPR, while recital 83 introduces the risk-based approach needed to address compliance with the new privacy regulation, and recital 90 underlines the indispensable impact assessment that must always be considered in order to define the priorities and the areas of application of the security measures to be implemented.

It is interesting to retrace the work of P. Perri13 on the formalization of security criteria and standards, which offers a well-structured guide to understanding the relationships between the elements to be considered in order to correctly address the complex theory of risk analysis.

In my opinion, an approach aimed at establishing certification schemes should be strongly supported, especially at the service / product level, with a model based on the impartiality of the assessment / certification bodies, guaranteeing the "Privacy Security" level of the object under evaluation, along the lines of the Common Criteria14, and requiring the adoption of organizational models and development processes oriented towards Data Protection.

In order to better protect confidentiality in electronic communications and ensure a high level of privacy protection, the European Commission has recently proposed new rules for all electronic communications, the so-called ePrivacy Directive15.

However, citizens are also called upon to play an active role in defending their privacy, with behaviour that is increasingly aware of the potential risks deriving from the use of new technologies and of the services / products they make available, as well as of the benefits to be derived from them.

Massimo Montanile, DPO - Data Protection Officer of Elettronica SpA. Fellow of the Italian Institute for Privacy. Member of Federprivacy and of the CDTI - Club of Information Technology Managers of Rome. Graduated with honours in Information Sciences from the University of Salerno in 1983. For over thirty years he has worked in Information Technology and Information Security, gaining significant experience in various multinational companies. His career began, in continuity with his university studies, at the Sintel startup in Salerno, a Siemens partner. A researcher from 1984 at the Olivetti R&D Laboratories in Ivrea, he designed and developed ISO / OSI Level 2 communication protocols, designing and implementing a finite state automaton for the exhaustive testing of communication protocols. In particular, he developed "secure" software for worldwide organizations (in particular in Israel and the USA) on UNIX platforms. He subsequently held various management roles in projects for the Central Public Administration at Olivetti Rome. After a period of consultancy in the military field at Agusta (on the A129 "Mangusta" attack helicopter), he moved to the Telecom Italia Group in 1997, holding various positions within the Corporate function, in Rome and, from 2003, in Milan, in the Purchasing area. At Elettronica SpA since 2007, he currently holds the position of Data Protection Officer of the Group. He has published articles and papers on Privacy in prestigious magazines, including Il Corriere della Privacy and Labor Law & Practice (IPSOA), and has spoken at various thematic conferences (Privacy Day 2015 and 2016; ICT Festival 2016; the "Vivi internet, al sicuro" project; etc.). Formerly a Cepas UNI EN ISO 9001 Lead Auditor, he is TÜV certified as a "Privacy Officer and Privacy Consultant" and is registered in the TÜV Video Surveillance Register. Cepas Provisional ISMS Auditor. ISO / IEC 27001 Lead Auditor qualified by Cepas / DNV-GL.

Notes:

1 A. SORO, Free and connected, Codice Edizioni, Turin, 2016

2 Data as of 4 May 2017. Sources: World Development Indicators (WDI) - World Bank; Measuring the Information Society - International Telecommunication Union (ITU)

3 A. ROSS, former Advisor for Innovation at the State Department under Hillary Clinton and a professor at Columbia University and Johns Hopkins University, explains how data is the engine of our era, particularly in his book "Our future - How to face the world of the next twenty years", Feltrinelli, Milan, 2016, pp. 191-229.

4 A. SORO, Free and connected, Codice Edizioni, Turin, 2016

5 P. BAE BRANDTZÆG (SINTEF ICT), in Science Daily, "Big Data, for better or worse: 90% of the world's data generated over the last two years"

6 J. JAMES, Data Never Sleeps 4.0, Domo, https://www.domo.com/blog/data-never-sleeps-4-0/ [Last accessed: 4.11.2016]

7 Gartner, Gartner Says 4.9 Billion Connected "Things" Will Be Used in 2015, press release, Gartner Symposium / ITxpo 2014, November 9-13, Barcelona, Spain.

9 Wikileaks has recently released thousands of confidential documents, attributed to the CIA, on a hacking programme based on malware and cyber weapons. This alleged hacking system would allow the CIA to control the phones of American and European companies, such as Apple's iPhone, Google's Android and Microsoft, and even Samsung TVs, using them as covert microphones.

10 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

11 A. CAVOUKIAN, "Operationalizing Privacy by Design: A Guide to Implementing Strong Privacy Practices", online, 2012, https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf [Last accessed: 31 October 2016]

12 Wikileaks: Privacy Authority, shed light on CIA hacking as soon as possible - Statement by Antonello Soro, President of the Italian Data Protection Authority (Garante per la protezione dei dati personali) (Adnkronos, 8 March 2017)

13 P. PERRI, Privacy, law and computer security, Giuffrè Editore, Milan, 2007

14 The Common Criteria for Information Technology Security Evaluation (also known as Common Criteria or CC) is an international standard (ISO/IEC 15408) for the certification of computer security. For a detailed discussion, see http://www.difesa.it/SMD_/Staff/Reparti/II/CeVa/Pagine/standard_valutazione.aspx

15 European Commission, Proposal for a Regulation on Privacy and Electronic Communications (revising Directive 2002/58/EC), Brussels, 10.1.2017, COM(2017) 10 final - 2017/0003 (COD)

(photo: US Coast Guard / US Army National Guard / US Army Reserve)