Research on Security and Identity Management (by Marco Casassa Mont) : EnCoRe

Update about TSB UK EnCoRe Project – Ensuring Consent and Revocation

marcocasassamont — Mon, 02 Nov 2009 17:54:00 GMT

The 5^th Quarter Summary of EnCoRe (http://www.encore-project.info) R&D activities in the space of Consent and Revocation management is now available online at: http://www.encore-project.info/press_archive/Q5%20summary.pdf

In addition, a new "service" has been launched, about "Latest EnCoRe Tidbits" aiming at providing links to snippets of news related to consent and revocation: http://www.encore-project.info/news.html#story1

More to come. Enjoy.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Good progress in the TSB EnCoRe Project – Ensuring Consent and Revocation

marcocasassamont — Tue, 25 Aug 2009 12:01:00 GMT

The TSB EnCoRe project (Ensuring Consent and Revocation) is making good progress towards his various objectives, involving the provision and management of consent and revocation.

This topic has been tackled from various perspectives including: legal and social aspects, user requirements, architectural and technological aspects, risk assessment and compliance.

More information is available on the EnCoRe web site, including a brief summary of the project's fourth quarter activities.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Do Enterprises know where they store personal data?

marcocasassamont — Wed, 18 Mar 2009 10:03:00 GMT

Apparently most of enterprises don't, at least based on this survey, called "Safeguarding the Currency of Business", where they found that "71 percent of organizations queried said they did not have an accurate inventory of where personal data for employees and customers is stored".

This has strong implications (among other things ...) from a privacy perspective, in particular from a consent and revocation management angle - as also currently highlighted in a recent HP Labs report of ours ("On the Management of Consent and Revocation in Enterprises: Setting the Context").

Hopefully we will explore how to tackle some of the related issues in the UK TSB EnCoRe project.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Twitter and its Privacy and Identity Management Implications

marcocasassamont — Thu, 12 Mar 2009 09:33:00 GMT

I recently started using Twitter (my link: http://twitter.com/MCasassaMont).

Twitter it getting more and more popular within (and across) organisations in particular for geographically distributed teams, to share their activities and whereabouts.

I am interested to better understand this tool, in particular in terms of its identity and privacy implications and long term repercussions for individuals and organisations.

I see some interesting research to be potentially carried out in the context of the Identity Analytics R&D project at HP Labs and UK TSB EnCoRe project.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Built-in Data Loss Prevention and Analogy with Privacy Management

marcocasassamont — Fri, 05 Dec 2008 13:51:00 GMT

I have just read this interesting article, called "Microsoft, RSA Partner to Develop Next-Gen data Loss Prevention", by Lawrence Walsh:

"The alliance between Microsoft and RSA will move data loss prevention technology into the fabric of the IT infrastructure and improve protection by associating data with identities and classifications. Analysts are already calling the idea a "game changer.""

The main message I got is that we need to move away from bolt-on solutions, towards "built-in DLP approaches". I tend to agree with this approach, despite being much harder to achieve.

This has some interesting analogies with privacy and the way privacy management is currently carried out, at least with most of current privacy-enhancing technology (PET) approaches. I believe that we need to move toward built-in approaches too, that require deep understanding of the interconnections with the relevant "IT infrastructure fabric", related business processes (and needs), along with involved risks and their potential impact.

So, I believe this is something to consider very carefully, for example, in the context of the "Consent and Revocation Management" R&D area, within the TSB EnCoRe project.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Part II: TSB EnCoRe Project – Ensuring Consent and Revocation

marcocasassamont — Mon, 27 Oct 2008 21:59:00 GMT

In a previous post of mine, I announced the UK TSB EnCoRe project, focusing on research on Consent and Revocation.

A new version of the EnCoRe web site is now available online.

I would be interested in getting your views and input on two aspects:

Prior art and work in the space of consent and revocation. In a first analysis, very little work is available in terms of automation of revocation of consent, in a wide sense. Any known work/solution in this space?
Your (user) requirements in the space of consent and revocation

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Announcing EnCoRe (Ensuring Consent and Revocation): a new UK IT Collaborative Project

marcocasassamont — Fri, 19 Sep 2008 16:23:00 GMT

A new UK IT collaborative project has been officially announced: EnCoRe - Ensuring Consent and Revocation (some initial press releases: here and here):

"As more and more personal information flows from individuals to organisations when they interact online, people are becoming more and more concerned that they can not effectively control what this information is used for, with which other organisations it is shared, and where it is stored. They may have given their consent, often in vague terms and implicitly, for its use, sharing and storage, but they have no real control over the specifics of these, nor the ability to revoke their consent and be sure that their wish is respected. In summary, they are not able to control where their personal information flows to, and this makes them uneasy about interacting online.

The overall vision of this project is to make giving consent as reliable and easy as turning on a tap, and revoking that consent as reliable and easy as turning it off again."

This £3.6m project consortium is multi-disciplinary, spanning across a number of IT and social science specialisms. The project partners are Hewlett-Packard Laboratories, HW Communications, QinetiQ, the London School of Economics, the Ethox Centre of the University of Oxford and the University of Warwick.

The EnCoRe project runs from June 2008 to November 2011. It receives funding from the UK Government's Technology Strategy Board, Economic & Social Research Council and Engineering & Physical Sciences Research Council.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---