privacy identity and trust challenges for the future internet citizen fabio massacci (unitn)
TRANSCRIPT
9/27/2010 Fabio Massacci - ICT 2010 1
Privacy, Identity and Trust
Challenges for the Future
Internet Citizen
Fabio Massacci
University of Trento
Università degli Studi di
Trento
9/27/2010 Fabio Massacci - ICT 2010 2
Whose Future Internet?
• When we think of the Future Internet we
always think it is for “us”
– Sophie, Fabio, Reihnard, Ksheerabdhi,
Mireille etc.
• It is not for “us”. That’s wrong picture
• Three generations tell three stories
– Nonno Paolo – Born 1939
– Papà Fabio – Born 1967
– Paolo – Born 2000
Privacy
9/27/2010 Fabio Massacci - ICT 2010 3
9/27/2010 Fabio Massacci - ICT 2010 4
Nonno Paolo – Jun. 1996
• First Picture on the internet – Age 58
• Business Related
9/27/2010 Fabio Massacci - ICT 2010 5
Papà Fabio – Feb. 1999
• First Picture on the Internet – Age 31
• Again only professional pictures
9/27/2010 Fabio Massacci - ICT 2010 6
Paolo – Feb. 2007
• First picture on the internet – Age 7
If you don’t put, you don’t get
pictures, do you?• Come on, a father should not post stuff
on the internet and then complain that
his boss, insurance company, wife, eu
project partner, saw it…
• Er… not really
9/27/2010 Fabio Massacci - ICT 2010 7
9/27/2010 Fabio Massacci - ICT 2010 8
Where is the problem of Privacy?
• Nobody in the family posted that picture!– Somebody from Sportivi Ghiaccio Trento put it
– I didn’t even know the picture was on the net before Feb. 2010
• Paolo’s life will be entirely on the Future Internet – Can he separate his lives (note the plural) in different zones?
• In physical life we are pretty good at zoning– Separate relations (eg friends, work, neighbors) by “distance”.
– (legal or curious) searches difficult by people outside the zone
– Law enforcement can break zones but have hurdles
– Individual and government can build zones
• Technical solution alone ain’t enough– He can’t put a sticky policy as the photo will be about him, not his
– Regulatory action also needed
Identity
9/27/2010 Fabio Massacci - ICT 2010 9
9/27/2010 Fabio Massacci - ICT 2010 10
How to tell Identity?
• Nonno Paolo – 1° use C.C. on Internet:Age 59
• Papà Fabio – 1° use C.C. on Internet: Age 29
• Paolo – 1° attempt: Age 9– Papi, can you give me your credit card?
– Er… What do you need it for?
– There is this Star Wars LEGO robot that you can buy on the LEGO web site you find with Google
– Er… Let me see a second… Paolo, this is not LEGO web site!!! It is just a … site … selling stuff…
– [Follow long -- and for a child boring -- explanation on how to find the identity of providers]
9/27/2010 Fabio Massacci - ICT 2010 11
Commercial Identity?
• Identity tech so far conceived for “client/servers”– What about “identity” of “partners” ?
– You want to know who is the other!
• In the physical realm– Identity of partners is regulated (you cannot just open a
supermarket, a dentist’s practice or a bank)
– Commercial identity is distinct but always linked to identity of human individuals (legal responsible)
– strictly linked to specific attributes and taxable
• How to link the identity of end point to the accountable identity for humans behind it?– Of course scams always possible (eg Maddoff) but you’ won’t
get away so easily with it
Trust
9/27/2010 Fabio Massacci - ICT 2010 12
Download and Run Internet
Connected Software• Nonno Paolo: always stuff from a box
• Papà Fabio: Age 28 – SSH Client/Server
• Paolo: Age 10 – REVOLT
• What’s that?
– Running cars. Can connect over IP to a peer
– Got from a friend on a usb stick
– I found months later when he wanted to play
multiplayer and Windows Firewall complained
9/27/2010 Fabio Massacci - ICT 2010 13
How do you trust REVOLT?
• Russian Roulette
– For 24 other fathers
(actually the children)
9/27/2010 Fabio Massacci - ICT 2010 14
• PhD in Security
– 3hours for father of
only child without
admin password
After REVOLT, GERICO…
• Come on, that’s obvious, after all that’s
children downloading shady software
• Er… not really
– Gerico is not for the faint hearted…
– Really for grown-up, corporate users…
9/27/2010 Fabio Massacci - ICT 2010 15
So, what’s GERICO?
9/27/2010 Fabio Massacci - ICT 2010 16
• What’s the problem of running software
connecting automatically to your Tax
Agency?
– You just don’t know what exactly it does…
Corporate Environment is
alike…• Put everything on a very secure cloud is new trend
– Good step but not enough
• The problem is that “everything”
– in-house developed LDAP system hiding roles from the ERP sys
as you pay O#### by the role
– open source PDF report generator so you won’t have to pay
licensing fees to A####
– The wrapper of old legacy application controlled remotely by a
university spin-off of ex-CTO turned prof.
– The new S## GRC application monitoring the whole virtual
network controlled by your auditors to lower your audit bill
• No machine readable/checkable claim what they do
9/27/2010 Fabio Massacci - ICT 2010 17
The Wild West Ecosystem
• Citizens’ Laptops and Corporate Clouds are quickly
evolving (worsening?) alike
– Lots of frequently changing interconnected software
– With [some] natural language description
– With [some] digital identity
• But we don’t know what this software is doing
– Compare with entering an EU Consortium Agreement…
– For uploading a software you just check a signature…
• Where’s the contractual, machine readable, version
of security claims, rights and obligations?
– Security-by-Contract?
– Software should declare its claims and we should check them..
9/27/2010 Fabio Massacci - ICT 2010 18
Challenges Ahead
9/27/2010 Fabio Massacci - ICT 2010 19
Sum-Up of Challenges
• Frame of mind:
– Privacy, Identity and Trust solutions must be solutions
for people whose lives/data/actions have been on the
Future Internet since they can read or write (age 6)
• Questions
– Do (regulatory & technical) solutions allow individuals
to zone identities?
– How to link the identity of a partner service to the
accountable identity of humans behind it?
– Can we provide/check a “contractual” description of
the security behavior of our parners’ code?
9/27/2010 Fabio Massacci - ICT 2010 20