Sunday, 18 April 2010

Flight security - ENISA report on RFID, Internet of Things

On 13 April 2010 the EU cybersecurity agency ENISA issued its risk assessment report on a future air travel scenario enabled by "Internet of Things" (IoT) / RFID technology: Flying 2.0 - Enabling automated air travel by identifying and addressing the challenges of IoT & RFID technology, with Annex I - "Scenario Building & Analysis", and Annex II - "Risk Assessment Spreadsheet", covering assets, impact areas, threats, vulnerabilities etc.

It identifies major security risks, as well as privacy, social and legal implications, and also makes concrete policy, research and legal recommendations. Risks include "failure of the air travel procedures, passenger frustration and low social acceptance, loss/violation of citizen/passenger privacy and social exclusion". It doesn't just deal with RFID technology; it also considers the EU-US PNR agreement.

From the press release:

"Three policy recommendations: 1. Rethink existing business structures and introduce new business models. Air transportation actors (e.g. airlines, airports, logistics, aviation security agencies, etc) should proactively stay alert for new business models. 2. User-friendliness and inclusiveness of devices, processes and procedures - we need to be inclusive. 3. Develop and adopt policies for data management and protection.

Five research recommendations: 1. Data protection and privacy, 2. Usability, 3. Multi-modal person authentication, e.g. biometric procedures, 4. Proposing standards of light cryptography protocols, and, 5. Managing trust as a central consideration: an enterprise should understand its own trust framework.

Three legal recommendations: 1. Support for users, e.g. for data subjects to better exercise their rights. 2. Placing a high value on information and data. 3. Harmonisation of data collection by airport shops and efforts to raise awareness among travellers of the collection and processing of data."

Their recommendations for the EU (emphasis added, and some comments in italics) -

"We recommend that the European Commission prepare guidelines on the better enforcement and application of the European regulatory framework, especially in view of the challenges posed by technological developments. More specifically, we recommend that:
- amendments of data protection legislation be introduced to give Data Protection Authorities (DPAs) stronger powers to audit companies or government departments with regard to their compliance with the relevant data protection legislation and that DPAs should be given the resources needed in order to achieve this task;
[Absolutely - I've been saying that in the PETs context, and the Article 29 Working Party certainly feel DPA powers and resources should be beefed up]
- the European Commission negotiate amendments to the EU-US PNR agreement so that there is transparency what the US does with PNR data, whether such data is shared, and so that European citizens have access to their data in a timely, low or no-cost way.
[See the EU's recent report of the 2010 review of the EU-US PNR agreement]
- the European Commission gives a priority to the regulation of profiling and behavioural marketing in order to ensure the protection of the data subject from their consequences.
We further recommend that the European Commission:
- adopt an ‘end-to-end’ approach for securing IoT/RFID applications: appropriately mitigating IoT/RFID risks lies beyond securing the RFID tags, it actually extends from smart devices to readers and back-end databases
[An end to end approach should be taken to all personal data throughout its life cycle - see my post Data Dozen - Identity Management for Privacy]
- in order to improve the usability of future research results, and align research with industrial and societal needs, promote the participation of industry, and in particular SMEs in research activities as FP7. More specifically, we recommend that the Commission reinforce pilot activities in the line of the present CIP ICT-PSP programme with more ambitious targets and measures for participation of SMEs, and also initiate support actions, to better disseminate the results of such research to them;
- encourage more (and better) research at EU level on the ethical limits of private data capture and circulation, and on the societal implications of developments in this regard, e.g. under the Science and Society programme of FP7.
- endorse and promote awareness raising and educational activities for the citizens, as well as other specialised audience (professionals, personnel etc.)"

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.