Trust in the Digital World Conference 2015

Ronny Bjones, Alliances director Trust in Digital Life association.

I wanted to share my observations of the TDW event in Madrid on 25-26 February 2015.

At TDW you see three communities coming together. We heard policy makers on the different trust-related programs they are working on such as eIDAS, data protection, NIS, big data, etc.

On the other side you see academia and industry explaining the progress of their projects, which are frequently connected to these policy programs.

This gives a fantastic synergy and a lot of networking.

The demonstrations

Overall I loved the demonstrations people are bringing forward. I saw some great new 2FA approaches from KUL/COSIC & qKey.

The Trustseed digital signature demonstration, in which I was involved, was also a highlight. It showed new advances in how specialized cloud-based trust services can make it easy for relying parties to incorporate complex signature scenarios. Trustseed was the winner of last year’s TDL sprint award.

Great points Policy Makers brought forward

The EC policy makers informed us very well on their trust-related programs. We had Jakub Boratynski on the cybersecurity programs, backed by Afonso Ferreira on the strategic research agenda in cyberspace. Afonso had a clear call to be involved in the NIS platforms.

Marta Nagy-Rothengass showed the business opportunity on big data and how the EC is enabling these opportunities. I was impressed by one slide which showed how their investment into the “one digital economy” can bring the greatest benefits for the European economy. Way bigger than any of the other programs.

She made an interesting point on what she called the “Snowden effect”. The “Snowden effect” might slow businesses down in benefiting from big data because of all the regulations around it. Companies are afraid to step into this field. I thought this was interesting because I always believed there would be a great opportunity for European companies in this space.

Great points Industry Speakers brought forward

From the industry I saw a great session from Paul Wang of NEC on Smart Cities. He had this picture of sixteen cameras all in line monitoring one street. These cameras belonged to different organizations and did different operations. Some of them might recognize individuals and map these individuals to the most wanted list, a service operated by the police. Others will see pictures with mosaics to anonymize individuals. These were operated by other services which could not invade the privacy of individuals. He made a very valid point that we need non-repudiation to protect the authenticity of these pictures. He showed an example of a clearly manipulated picture. Imagine the impact on individuals when this happens.

Dr. Richard Benjamin from Telefonica gave some great examples of big data, showing how we can get new insights by overlapping earthquake strengths in a certain area with SMS and telephone usage. This could show where people are in trouble and it would be possible to send ambulances to these areas. Another example was to map people, correlated to demographic statistics, to shopping areas to learn who is actually shopping there.

He scared me a bit with a quite innocent example. He showed statistics of running football players (speed, location on the field, etc.). He said that Telefonica bought the data and did some analysis on it which showed that Messi was actually not such a big runner. Anyway this reminds me about some behaviors I spot with relatives. We all have relatives who store old stuff such as old VCRs because who knows, maybe in the future, it might be worth a few bucks. Probably not though, but this is exactly the same behavior which is triggering big data. These services are storing this data because maybe somebody will spend some bucks on it. A lot of data is very useful but many services will collect data because maybe in the future it can be monetized. But are they taking the right measures to protect that data and is it really worth it to store the data in the first place?

The whole big data industry is fragile. It can be at risk from big incidents, in the same way that the nuclear industry was wiped out in the USA by the “Three Mile Island” incident.

There is no way that these viewpoints are exhaustive. I probably missed some great sessions but I hope by sharing these, more people will have some food for thought.

Read more blogs from Ronny Bjones on the subject of Identity at: http://blog.beejones.net/

New EU Regulation to boost electronic signatures and trust services

Amardeo Sarma, Chairman of Trust in Digital Life association’s Board of Directors
&
Jörg Hladjk, Chairman of Trust in Digital Life association’s Advisory Board

On July 23, 2014, the Council of the European Union adopted a regulation on electronic identification and trust services for electronic transactions (the “Regulation”). The Regulation is an element of the European Commission’s Digital Agenda for Europe, which aims to reboot Europe’s economy and help Europe’s citizens and businesses to get the most out of digital technologies. According to the Council, the Regulation seeks to increase the effectiveness of public and private online services, electronic business and electronic commerce in the EU and to enhance trust in electronic transactions in the internal market. Mutual recognition of electronic identification and authentication is considered to be vital for a number of cross-border scenarios.

With a view to ensuring the proper functioning of the internal market while aiming at an adequate level of security of electronic identification means and trust services, the Regulation

  • lays down conditions for mutual recognition of electronic identification;
  • sets out rules for trust services, in particular for electronic transactions; and
  • creates a legal framework for electronic signatures, electronic seals and time stamps, electronic documents as well as electronic registered delivery services and certificate services for website authentication.

The Regulation only applies to electronic identification schemes that have been notified by one of the 28 EU Member States and to trust service providers established in the European Union. It includes comprehensive definitions for electronic signatures and trust services, which are important to understand for any provider offering such services. Any products or services that comply with the Regulation can circulate freely in the internal market. All processing of personal data must be carried out in accordance with the General EU Data Protection Directive.

Electronic identification, security breaches and liability

The new rules set out by the Regulation require EU Member states to recognize, under certain conditions, means of electronic identification of natural and legal persons falling under another EU Member State’s electronic identification scheme which has been notified to the European Commission. It is up to the EU Member States to choose whether they want to notify all, some or none of the electronic identification schemes used at national level to access a service provided by a public sector body online. However, these rules only cover cross-border aspects of electronic identification. Issuing means of electronic identification remains a national prerogative. Those member states wishing to do so may join the scheme for recognizing each other’s notified e-identification means as soon as the necessary implementing acts are in place. Although this is expected to take place in the second half of 2015, it may take longer to have these implementing acts in place.

In case of a security breach, where either the electronic identification scheme notified or the authentication is breached or partly compromised in a manner that affects the reliability of the cross-border authentication of that scheme, the notifying EU Member State must, without delay, suspend or revoke that cross-border authentication or the compromised parts concerned, and must inform other EU Member States and the European Commission.

Further, the Regulation introduces rules on liability. According to these rules, the party issuing the electronic identification is liable for damage caused intentionally or negligently to any natural or legal person due to a failure to comply with certain obligations of the Regulation in a cross-border transaction. In addition, the party operating the authentication procedure is liable for damage caused intentionally or negligently to any natural or legal person due to a failure to ensure the correct operation of the authentication in a cross-border transaction.

Trust services, security requirements, incident notification and audits

In addition to a comprehensive legal framework for electronic signatures, the Regulation also introduces, for the first time, EU-wide rules concerning trust services, such as

  • the legal effects of electronic seals,
  • the legal effects of and requirements for electronic time stamps and electronic registered delivery services,
  • the requirements for website authentication and the legal effects for electronic documents.

The Regulation includes strict rules on security requirements. Trust service providers will be required to implement organizational and security measures that are appropriate for the level of risk presented by their activities, in particular for the purpose of preventing and minimizing the impact of security incidents. They must also inform stakeholders about the adverse effects of such incidents. In case of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein, trust service providers are obliged to notify the relevant supervisory authority without undue delay, but in any event within 24 hours after becoming aware of the incident. In case of adverse effects on a natural or legal person to whom the trusted service has been provided, these parties must also be informed about the breach.

Further, trust service providers must be audited at their own expense at least every 24 months by a conformity assessment body for compliance with the Regulation. Trust service providers may also be able to use an EU trust mark, the specifications of which will be further defined by implementing acts to be adopted by July 1, 2015.

The Regulation will come into full force in July 2016.

A TDL sprint success story: Trustseed’s E-Identification

Sahra Benoudiba, Jurist at Trustseed

The use of online signatures, or e-Signatures, can really make life easier for businesses and citizens if this new technique is able to ensure valid consent of end-users. Trustseed’s aim is to improve social e-ID, which currently exists only with low value, to make it more reliable using the Microsoft claim system. Supporting documents are checked to prove that the identity of a legal or natural person is valid.

Trustseed’s sprint is a use-case of new trust services and e-ID regulation, using an automated legal component: the online signature. Furthermore, e-ID authorizes by certificate, which is compliant with the privacy regulation. This innovative architecture can ultimately simplify the life of citizens, companies and public administrations. Finally, this ICT-solution is cheap, easy to use and deploy, and offers high results in matters of security, interoperability, and probative value.

The use-case of e-ID has been made possible by TDL’s sprint competition. The TDL sprint framework allows confidence and permits SMEs to initiate partnerships with large entities in Europe, which would otherwise be very difficult. The TDL Sprint award is a good way to showcase the expertise and know-how of small and medium-sized companies. Moreover, it incites the full execution of the project, thanks to the financial award; an important stimulator for SMEs and knowledge institutes. After having participated in this sprint award competition, Trustseed is now fully aware of the potential of the TDL community as an incubator. Due to winning the competition, Trustseed received multiple proposals for partnership, which demonstrates the great benefits of the sprint competition, especially if one is to win it.

Trust in Digital Life: A pragmatic approach to stimulate economic growth and trustworthiness of ICT

EU Cyber-security Strategy – High Level Conference, 28-02-2014

Arthur Leijtens, Program Director Trust in Digital Life association.

At the conference, which took stock of the progress of the EU Cyber-security strategy, I had a short meeting with Commissioner Neelie Kroes and highlighted the work and results of the TDL community. I was pleased to note that Mrs. Kroes was well informed about TDL and she was keen to hear more about TDL’s pragmatic approach and its focus on business development to stimulate economic growth.

She found the concept of the TDL project sprints particularly interesting. In these sprints, TDL members collaborate in small projects lasting months to plan, execute and disseminate the results. Because of the low barriers, the sprints make it easy for small and medium enterprises and knowledge institutes to collaborate with large enterprises.

In 2010, the European Commission asked me if TDL could show tangible concepts that could foster cyber security. I think Mrs. Kroes was positively surprised about the COSTAR incubator project that TDL initiated 1.5 years ago to develop affordable managed services to protect medium and small business against cybercrime involving all relevant stakeholders.

When a representative of a large international company later told me that we seemed to be quite good at promoting and lobbying for TDL, pointing to our positioning of TDL in the Cyber Security Strategy of the European Commission, my response was that it is not lobbying to the European Commission, but rather our good work and results that make the difference. Providing concrete results and following a pragmatic approach is what differentiates the Trust in Digital Life Association and draws attention to us.


Making Trust work

Amardeo Sarma, Chairman of Trust in Digital Life, Oct 2013

A fair deal and trust require a fair exchange of assets. In the digital world, this means that there must be sufficient mutual exposure and information to ensure this exchange in both directions: payment vs. services or products. To make any transaction or purchase work, we need some amount of information or data to trust the other party to meet its obligations, such as to pay or deliver services. Some third parties may also need data to support a transaction. But trust needs confidentiality beyond that. Compromising data beyond what is needed or explicitly agreed via informed consent is a breach of trust.

This trust has been regularly breached, as recent events have highlighted. More than individuals, companies have reacted seeing their data possibly compromised. Cloud providers in the USA are feeling the pain more than others, to the extent that even potential contracts are being cancelled. This is accompanied by calls to move to Europe’s Clouds.

Commissioner Viviane Reding has made a point here: “Restore trust and boost growth” towards “the Digital Single Market” in Europe. We have the opportunity to create a foundation for a future trusted digital world. We need a reliable, sustainable and Europe-wide ecosystem and legal baseline. All players need to get together and resolve their differences to ensure that the data protection regulation being discussed becomes a reality. The highest standards of data protection in Europe must apply all over Europe.

Within Trust in Digital Life, we work with industry and knowledge institutions to ensure that trusted solutions and services can be quickly deployed in a multi-stakeholder environment. Supporting migration towards higher data protection standards and promoting the development and use of privacy technologies are central in this context. TDL “sprints” will bring together companies and institutions to validate their technologies in small projects in a common ecosystem.

The technology and solutions are here to be used. We now need policy makers and all stakeholders in Europe to get their act together and make sure that we soon have the level playing field that we all talk about so often.

Trust in Digital Life introduction

Dear readers! Welcome to the official blog of the Trust in Digital Life Association.
In this blog all topics related to ‘trust in digital life’ will be discussed and critically reviewed. Via this blog we hope to add trust in digital life by raising awareness about the insecurities of our expanding digital life. Here, our members and guests will give their opinions about the latest developments in digital security, developments in policy making in digital life, and many more. This blog is intended for everyone with an interest in trust in digital life. We will kick off with a short introduction.

The Trust in Digital Life (TDL) community, formed by leading industry partners and institutes, considers trust as a priority prerequisite. Trustworthy ICT solutions must become a commodity enforced by citizens and law. The Trust in Digital Life community has capabilities to resolve the issues and will research, pilot and promote innovative trustworthy ICT environments and technologies.

The TDL community encourages the industry to develop innovative information and communication technologies, enabling consumers and enterprises to judge for themselves if their devices, applications and services are trustworthy enough to protect them from internet threats. Industry has the ambition to provide these technologies to the market at an affordable price.

I hope you will enjoy reading our blog.