Sunday, 18 April 2010

Mobile identity management - ENISA report on risks, legal issues, recommendations

An ENISA position paper of 13 April 2010 on Mobile Identity Management, written by a team of authors:

  • reports on information security risks and best practices in the area of Mobile Identity Management (Mobile IDM), including identity theft, eavesdropping, spyware, surveillance, phishing, collection and storage of private information beyond the stated purpose, failure to recognise context, inadequate device resources (to process stronger authentication algorithms), intrusive authentication and lack of user awareness;
  • analyses key legal issues relating to mobile ID management, including a summary of applicable legislation; analysis of EU provisions on location data (the Directive on privacy and electronic communications 2002/58/EC of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector, the Data Protection Directive 95/46/EC, and Article 29 Working Party views); transparency requirements for mobile IDM (the information which must be given to the data subject); consent requirements for mobile IDM and their application to geo-localisation services; the right to withdraw consent and its application in the mobile IDM context; data retention considerations; and security measures applicable to service providers and to transmission to third parties; and
  • recommends systems, protocols and/or approaches to address these challenges: interoperability, user awareness, and a set of design objectives (here comes privacy by design again) relating to user experience, access & authorisation, scalability, resilient connectivity, malware defences, control over privacy settings, delegation, accountability, and identity selection and composition. Good to see lots of overlap with my suggested data dozen principles for privacy-preserving identity management systems.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.