IT-security and privacy. Design and use of privacy-enhancing security mechanisms. Foreword by Klaus Brunnstein (Q5941710)

Today it is already acknowledged that the development of new information infrastructures will increase our dependability and, if not properly dealt with, might lead us to a vulnerable information society based on insecure technologies. Moreover, as many new applications are being developed, often crossing national borders, there is a growing amount of personal data that is collected and processed. Hence proper protection of these data has to be guaranteed in the sense that users can only access personal data if it is necessary for their authorized tasks and if the purpose of data processing is compatible with the purposes for which the data is obtained. Privacy requirements also dictate that people still know who has access to their personal data and for what purposes. Privacy as a fundamental human right has to be protected, but the task cannot be fulfilled solely by legislation. Various privacy enhancing technologies have to be designed and used to enforce privacy as well. However, there are some problems, as some security mechanisms can also affect the user's privacy thus yielding in a conflict between security and privacy. Moreover, so called security models known today usually were not designed with basic privacy requirements in mind, therefore are not appropriate to enforce privacy. It follows that a new formal model has to be developed which can be used to express and technically enforce legal privacy requirements. The design of such a formal privacy model together with analysis and discussion of related areas of privacy and IT security form the central theme of the book (author's habilitation thesis). The book consists of six chapters and two appendices. In the first chapter -- Introduction -- the author gives motivation and a brief overview of the privacy problems and conflict between security and privacy. The second chapter -- Privacy in the Global Information Society -- discusses privacy as a social and legal issue. In the first section the definition of privacy is given and three aspects of the concept of privacy, namely territorial privacy, privacy of the person, and informational privacy, are briefly explained. It is stressed that the emphasis of the book is on the discussion of informational privacy (controlling whether and how personal data can be gathered, stored, processed or selectively disseminated). The next two sections are devoted to the historical perspective on data protection legislation and privacy principles of the German Census Decision. A special section is reserved for the summarization of the most essential privacy requirements. Then, the EU Directive on Data Protection is reviewed followed by the section on the German data protection legislation. The rest of the chapter is focused more on privacy aspects in the global information society. First, in a separate section threats to privacy in the global networked society are reviewed. Three major privacy risks are identified here, namely threats at application level, threats at communication level, and threats resulting from insecure technologies. As privacy is becoming more and more an international problem, a section on problems of an international harmonisation of privacy legislation is also included in the chapter. The chapter ends with short sections on the need for privacy enhancing technologies and privacy education. The author then concludes that privacy cannot be sufficiently protected solely by means of legislation or codes of conduct, and that the privacy should also be enforced by technologies and should be included into a system design criteria. Chapter 3 -- IT Security -- gives an introduction to basic security functions and security evaluation criteria. Known security models are discussed there as well, especially with respect to possible use in privacy protection. In the introductory section, IT security is defined by different layers: by the perspective or view on it, by the different aspects that shall be guaranteed, by models that shall enforce those aspects, by basic security functions used by the models, and by security mechanisms that implement these security functions. Also an overview on how the meaning of the term IT security has evolved in the past is given there. Section 2 is devoted to the (formal) security models as means to express precisely the system's security requirements. Besides discussion on the role of security models in the formal system development process, a number of known security models is presented and discussed; namely: Harrison-Ruzzo-Ullman model, Bell LaPadula model, Biba model, lattice model of information flow, noninterference security model, Clark-Wilson model, Chinese wall model, role-based access control (RBAC) model, task-based authorization models for workflow, security models for object-oriented information systems, and resource allocation model for denial of service protection. Also, known approaches to modelling multiple security policies are described; namely the generalized framework for access control (GFAC) and the multipolicy paradigm. Section 3 gives a brief overview of basic security functions and mechanisms, which can be used to implement a security policy. Here in separate subsections, identification and user authentication, access control, auditing, intrusion detection systems, object reuse, trusted path, and cryptography are reviewed. The fourth section deals with the security evaluation criteria. Here all major national and international initiatives in the field are described and their shortcomings discussed. In the last section of the chapter, the conflict between IT security and privacy is discussed and possible privacy implications of security mechanisms are illustrated with a number of examples. It is concluded that a holistic approach to a privacy-friendly design and use of security mechanisms is needed. In chapter 4 -- Privacy-enhancing Technologies -- security aspects specifically aimed at protecting privacy are discussed. Firstly, privacy enhancing security aspects are introduced, in particular aspects for protecting the user identities (anonymity, pseudonymity, unlinkability, and unobservability of users), aspects protecting the usee identities (anonymity and pseudonymity of data subjects), and aspects protecting personal data (especially with respect to requirements of purpose binding and necessity of data processing). Then separate sections discussing system concepts for these aspects follow. Techniques for protection of user identities at the communication level, system level, and application level, as well as protecting user identities in audit data and from other users and services, inference controls for statistical databases, steganographic systems and access control models for personal data protection are discussed there. At the end of the chapter, known IT security evaluation criteria are briefly analyzed from the point of view of privacy requirements. Chapter 5 -- A Task-based Privacy Model -- is devoted to the presentation of a formal security model capable of enforcing basic legal privacy requirements, such as purpose binding or necessity of data processing. Here the privacy policy which is to be enforced by the model is informally described, followed by the model description. After a description of the model elements, invariants, constraints and model rules, sections on information flow control and approaches to deal with the problem of revocation of authorizations are given. Then a brief example application of the privacy model in a hospital environment is given. At the end of the chapter, the proposed model is briefly analyzed and it is stressed that it should be implemented in combination with other security policies (addressing additional security goals). The sixth chapter demonstrates how the privacy policy can be enforced according to the generalized framework for access control (GFAC) approach in Unix System V type system, namely Linux operating system. After a brief introduction to the GFAC concept, a quite detailed specification of the privacy policy rules component is given. Then, it is briefly outlined how this specification was used for the implementation of the privacy policy for the Linux operating system. The last (seventh) chapter gives some concluding remarks on privacy, IT security and its relationship to privacy, and on privacy-enhancing technologies. The book contains two appendices. In the first one (Appendix A) the formal mathematical privacy model is presented. Appendix B is a demonstration example of the proposed approach in the (simplified) imaginary hospital scenario. There are no doubts that with the development of new information infrastructures individual privacy is seriously endangered and is becoming an international problem. The book offers a comprehensive view to the relation between IT security and privacy and to the privacy enhancing technologies. It represents useful reading for all IT professionals.