ABSTRACT
The digitalization of societies and the pace of innovation involve the fast introduction of new technologies in different sectors. However, the development of technology represents a challenge, as it involves technical, legal, economic and social aspects that have to be considered from its conception or design. The aim of this paper is to offer an adaptation of an existing legal methodology, the Data Protection Impact Assessment, as a legal obligation to evaluate technological proposals and assure compliance with privacy by design requirements. For that purpose, we refer to the specific case of Identity Management (IdM) technologies. We introduce the main challenges in the sector of Digital Identity Management, as well as the importance of covering the “architecture” and “user” sides in the development of safer technologies, citing concrete examples. Finally, in order to provide a more practical view of the methodology for adapting the Data Protection Impact Assessment, we refer to the work carried out in the research project OLYMPUS to evaluate its privacy implications. By introducing this example, the paper offers a specific methodology that is directly reusable for the study of technological proposals in IdM but that can also be adapted to any other sector.