IoT and Privacy by Design

Transcription

1 IoT and Privacy by Design A recap on previous presentation More recent work on GDPR, NIS Cyber Security, and the Human Right to Privacy The design process for consumer goods and services 2 current examples children s smart watches, and Government Identification Pete Eisenegger p.eisenegger@btinternet.com BSI Consumer Coordinator Digital Standards ANEC IoT and Privacy expert ISO Consumer Policy Committee Key Person Privacy NCF Executive Committee Member British Computer Society ad hoc IoT Workshop 25 th October 2017

2 Recap from June 2017 Practical design for real people ( not regulatory theory ) Privacy is Security plus Privacy Controls Detailed control 8 years of consumer privacy standards background work by UK (BSI-CPIN), Europe (ANEC) and Internationally (ISO- COPOLCO) Consumer goods and services privacy by design process overview - Consumer Centered ( e.g. consent doesn t work ) - Security requirements - Real time privacy controls over processing - Interworking with other stuff 24x7 Privacy is highly contextual

3 PbD and the GDPR COPOLCO PbD process analysed against the Bird and Bird 69 page guide Human Right to Privacy Bird and Bird guide to the GDPR GDPR does not address domestic processing 65 key GDPR factors were identified from the Bird and Bird guide 61 of the requirements were applicable to PbD All 61 requirements were addressed by the PbD process and more.. The COPOLCO PbD process addresses the privacy controls for domestic processing and domestic security design. GDPR requirement on security Does the security requirement even apply to consumer equipment?

4 PbD, Cyber and cars Cars are International UK 29 Principles None refer to consumers ( cyber breach notification, consumer rights etc ) UK Government Cyber Security Connected and Automated Vehicles 25 of the Principles are directly addressed in the COPOLCO PbD draft standard at the product level 3 of the Principles are impractical in the consumer world e.g. are our smartphones going to be Cyber Certified and all apps on them and IoT devices attached to them? 1 of the Principles is added value we need to add the impact of cyber attacks on product safety into privacy impact assessment

5 European Policy Centre and U.S. Mission to the EU Cyber Security lessons from the US experience 3 key recommendations from the US expert: Insulate key infrastructure controls from the Internet Simplify software code ( complexity is the enemy of security ) Introduce liability regulation Many other aspects: Quantify risk, Internet core at risk, SME lack of skills, Social media risks, do not suppress innovation, international cooperation ( vulnerabilities and exploits ) The developing consumer perspective - Analysing CISCO s Cyber Security Report 2017 for ANEC Consumers must be included in setting the Cyber standards All 6 key sectors provide consumer internet connected things and services - healthcare, telecoms, transport, utilities/energy, financial services, retail 9 out of 19 key cyber concerns involve consumers, All malware factors in the report apply to consumers 7 out of 10 key security technologies apply to consumer products too

6 3 Consumer Product Design Standards ISO 10377:2013 provides practical safety design guidance ISO 10393:2013 provides product recalls and other corrective actions guidance Tumble drier fire risk EN Design for All - Accessibility - Extending the range of users Public comments phase just finished Body, senses, mental abilities ISO COPOLCO Proposed Privacy by Design for Consumer Goods and Services Undergoing voting within ISO to be accepted as a new work item All applicable to IoT Data Protection, Domestic Security and Privacy Alexa

7 General Consumer Product Design Process Applicable to: Consumer goods and services from the public and private sectors Understand consumers Develop use cases industry knowledge foreseeable use and misuse Product governance Supply chains and retail channels Product requirements Product development good practices Product testing and design validation Design implementation in production Production testing / system commissioning Incident monitoring and response preparation Product documentation consumer, regulatory, sales and support Release to market distribution, sales and support trained and ready Monitor market and respond to product incidents End of product life withdrawal and consumer issues Product design

8 The Norwegian Consumer Council The Norwegian Consumer Council together with the security firm Mnemonic, tested several smartwatches for children. Need for a Privacy by Design Standard with requirements that are 3 rd party assessed for compliance Serious security flaws Through a few simple steps, a stranger can take control of the watch and track, eavesdrop on and communicate with the child. False sense of security The SOS function in the Gator watch, and the whitelisted phone numbers function in the Viksfjord, are particularly poorly implemented. The alerts that are transmitted when the child leaves a permitted area are also unreliable. Security requirements setting sections Design quality tools and product testing sections 21 & 23 Illegal or non-existent terms and conditions Some of the apps associated with the watches lack terms and conditions. It is also not possible to delete your data or user account. These are clear breaches of both the Norwegian Marketing Control Act and the Personal Data Act. Regulatory requirements setting section Draft PbD standard

9 IoT and its online services Identity management becomes part of the IoT challenge for traditional product areas The government's Verify identity platform is not meeting user needs. The Verify platform only caters for individual citizens, failing to meet many other well-known user needs. It offers no support for example for those with Power of Attorney accountants carers and nothing for business users either a failure at the discovery stage to understand what had previously been tried (and failed), what was already in use (both good and bad), and what user needs Verify would have to meet if it were ever to become a viable Section 13.2 Foreseeable use includes use of a product based on the institutional knowledge of the provider Draft PbD standard

10 Thank you Consumers need IoT Privacy by Design Consumers need liability regulation too Pete Eisenegger British Computer Society ad hoc IoT Workshop 25 th October 2017