Research on Security and Identity Management (by Marco Casassa Mont) : Privacy

New HP Labs Technical Report - Extending XACML Access Control Architecture for Allowing Preference-Based Authorisation

marcocasassamont — Fri, 27 Nov 2009 18:18:00 GMT

A new HP Labs Technical Report has been recently released: "Extending XACML Access Control Architecture for Allowing Preference-Based Authorisation" (Authors: Kounga, Gina; Casassa Mont, Marco; Bramhall, Pete):

"Data protection regulations, such as the UK Data Protection Act, require organisations to process personal data according to the conditions consented by the data subjects. Such conditions can be expressed with data items or preferences collected from data subjects and stored in data repositories. Then, enforcing consent requires the policy decision point (PDP) to return authorization decisions based on access control policies and preferences. However, as security good practice requires using different entities for making authorisation decisions and accessing data, the PDP cannot return privacy-aware authorisation decisions if no solution is defined which allows the PDP to identify whether access requests fulfil the consented conditions without accessing the preferences. Existing standards do not solve this issue and previously proposed solutions transfer the decision making to the policy enforcement point. In this paper, we propose a solution that extends the eXtensible Access Control Markup Language standard and improves privacy-aware access control."

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Research on Security and Identity Management

marcocasassamont — Fri, 09 Oct 2009 17:22:00 GMT

The time has come to update the topic (and focus) of this blog.

In the last few years my R&D work and research at HP Labs has been involving a variety of aspects, including security, identity management and privacy.

Most of my posts have actually been reflecting this - hence my decision to update my blog. Hope this will further increase the community of people that are interested and follow my blog.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Workshop on Access Control (and Privacy) Application Scenarios

marcocasassamont — Mon, 28 Sep 2009 16:37:00 GMT

Please consider submitting a position paper at the W3C Workshop on Access Control (and Privacy) Application Scenarios, by October 23^rd:

http://www.w3.org/2009/policy-ws/cfp.html

"W3C invites people to participate in a Workshop on Access Control Application Scenarios on 17-18 November 2009 in Luxembourg. This Workshop is intended to explore evolving application scenarios for access control technologies, such as XACML. Results from a number of recent European research projects in the grid, cloud computing, and privacy areas show overlapping use cases for these technologies that extend beyond classical intra-enterprise applications. The Workshop, co-financed by the European Commission 7th framework program via the PrimeLife project, is free of charge and open to anyone, subject to review of their statement of interest and space availability.

The workshop is intended to discuss issues around access control in very wide sense, encompassing conditions and rules derived from the fact of accessing information. Topics that might serve as appropriate discussion points for position papers include, but are not limited to:

interaction between access control and privacy policies
language extensions to connect access control languages to novel types of credentials
large-scale cloud and grid computing use cases for access control technologies
policy management
mechanisms for controlling progressive disclosure of information by user agents and servers
the emerging role of trust delegation and supportive mechanisms in cloud computing, grid, and Web use cases
mechanisms for richer user control over downstream data controllers

The workshop will examine experiences and recent research results in these areas, their need for agreed semantics, the need for extensions to existing access control languages, and perhaps for radically new approaches.

Position papers are due 23 October. See the call for participation for more information."

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

A Fine Balance 2008: Privacy Technologies in Action

marcocasassamont — Mon, 01 Dec 2008 21:31:00 GMT

On November, 27^th I attended the UK "A Fine Balance 2008: Privacy Technologies in Action" event. It provided different and interesting perspectives (from the technological, social and legislative angles) on privacy. Presentations are soon going to be made available online:

"Following the success of the 2006 and 2007 Fine Balance events, four of the government's Knowledge Transfer Networks present the third in this series of independent forums that are already helping industry, government and academia achieve a balance between ensuring privacy and enjoying the benefits of new technology. "

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Top 5 Mistakes of Privacy Awareness Programs?

marcocasassamont — Tue, 28 Oct 2008 22:13:00 GMT

Jay Cline, in an interesting article called "Opinion: Top 5 Mistakes of Privacy Awareness Programs", lists the top five shortcuts that many large corporations take when dealing with privacy awareness programs:

Doing separate training for privacy, security, records management and code of ethics
Equating "campaign" with "program"
Equating "awareness" with "training"
Using one or two communications channels
No measurement

Have a look.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

PrivacyOS: Thematic Network for Privacy Protection

marcocasassamont — Wed, 22 Oct 2008 16:50:00 GMT

PrivacyOS (Privacy Open Space) is "a thematic network for privacy protection infrastructure within the current European Commission´s ICT Policy Support Programme. The Project has started at the beginning of June 2008 and brings together industry, SMEs, Government, Academia and Civil Society to foster development and deployment of privacy infrastructures for Europe."

More details can be found here.

Last week I attended the first PrivacyOS Conference (Strasbourg, 13-15 October 2008). It has been very interesting and stimulating, considering the heterogeneous background of the audience, their presentations and subsequent discussions. I would encourage the members of this community to attend in the future (the next conference is going to happen in April 2009).

In this context, I gave a presentation on "Enabling Privacy-aware Information Lifecycle Management in Enterprises", describing work done at HP Labs and in the EU PRIME project (Framework VI), in the space of "Management of Parametric Privacy Obligation Policies".

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Online Dialog on Health Information Technology and Privacy

marcocasassamont — Tue, 21 Oct 2008 20:01:00 GMT

As highlighted by this article, called "OMB sponsors online discussion of privacy issues":

"The Office of Management and Budget has asked the National Academy of Public Administration to hold a public discussion this month of health care privacy issues through an interactive Web site."

This online dialog will take place the week of October, 27, at: http://www.thenationaldialogue.org/.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Announcing EnCoRe (Ensuring Consent and Revocation): a new UK IT Collaborative Project

marcocasassamont — Fri, 19 Sep 2008 16:23:00 GMT

A new UK IT collaborative project has been officially announced: EnCoRe - Ensuring Consent and Revocation (some initial press releases: here and here):

"As more and more personal information flows from individuals to organisations when they interact online, people are becoming more and more concerned that they can not effectively control what this information is used for, with which other organisations it is shared, and where it is stored. They may have given their consent, often in vague terms and implicitly, for its use, sharing and storage, but they have no real control over the specifics of these, nor the ability to revoke their consent and be sure that their wish is respected. In summary, they are not able to control where their personal information flows to, and this makes them uneasy about interacting online.

The overall vision of this project is to make giving consent as reliable and easy as turning on a tap, and revoking that consent as reliable and easy as turning it off again."

This £3.6m project consortium is multi-disciplinary, spanning across a number of IT and social science specialisms. The project partners are Hewlett-Packard Laboratories, HW Communications, QinetiQ, the London School of Economics, the Ethox Centre of the University of Oxford and the University of Warwick.

The EnCoRe project runs from June 2008 to November 2011. It receives funding from the UK Government's Technology Strategy Board, Economic & Social Research Council and Engineering & Physical Sciences Research Council.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Firefox and 50 add-ons for Private and Secure Web Surfing

marcocasassamont — Sat, 02 Aug 2008 17:17:00 GMT

A recent article by Laura Milligan, called "50 Firefox add-ons to achieve private and secure web surfing" provides a comprehensive list of add-ons for Firefox to achieve degreees of security and privacy whilst surfing the web:

"Firefox is generally considered a secure web browser, but if you're interested in keeping your activity on certain websites private or giving yourself extra protection against phishing, hackers and viruses, you may want to consider beefing up your Firefox's security in general. Thankfully, there are lots of options available that make achieving privacy and security online as easy as downloading a simple add-on or application that was designed just for Firefox users."

This article classifies these 50 add-ons (and provides links for each of them) in the following categories: Secrecy and Encryption; add-ons that beef-up security; cookies; testing your system; passwords; protect your privacy online.

Have you had any direct experience using these add-ons? Are they up to their promises?

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

DoD and Funding Research into Information Sharing

marcocasassamont — Fri, 20 Jun 2008 19:51:00 GMT

As reported by this article, the US Defence Department (DoD) is going to fund research on information sharing:

“The Defense Department has awarded $7.5 million to six universities for a five-year research program to help solve the problem of sharing sensitive information while ensuring privacy and security.

The failure of intelligence and law enforcement organizations to share information was one of the problems that contributed to the terrorist attacks of Sept. 11, 2001, according to the commission that studied the attacks. But connecting the dots has proved to be a knotty problem for organizations built on secrecy and control. …”

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Article: “50 Ways to Take Back Control of Your Personal Data”

marcocasassamont — Wed, 11 Jun 2008 15:56:00 GMT

Have a look at this very interesting article, called “50 Ways to Take Back Control of Your Personal Data”, by InsideCRM providing a useful list of tips and “common sense” (but quite often forgotten …) ways to protect your personal data, maintaining degrees of control on it and reduce your risk exposure to identity thefts, financial losses and other crimes. These tips are organised by categories, in terms of:

Web Privacy
Credit and Finance
General Privacy
Cell Phones and Online Phone Services
Rules to follow to Protect Your Privacy
Tools and tips

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

My HP blog is Back in the new HP Communities Hosting Site …

marcocasassamont — Mon, 02 Jun 2008 21:26:00 GMT

My HP Blog on “Research on Identity Management” is now back, in the in the new HP Communities Hosting Site.

Enjoy …

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---