1 Scott CADZOW, C3L for i-Tour ITS – Challenges for privacy-security-safety

2 Agenda and aim of seminar From the assertion that Intelligent Transport Systems will revolutionise society with aims to improve the safety of citizens when using any means of transport by leveraging the international communications network. – What is ITS intending to achieve? – How does ITS fit to the core human right of protection of privacy? – What is the regulatory meaning of privacy? – How do you comply to privacy protection? – How can technology assist in privacy protection?

3 Your speaker? Scott CADZOW – Expert and rapporteur for: TETRA security specifications; the suite of guidance documents for effective security standards development, covering Common Criteria, risk analysis and security requirements engineering – Frequent member and leader of Specialist Task Forces – Chairman of the ETSI ITS Security group and also of its counterpart in ISO TC – Has been vice-chairman of ETSI Project TETRA WG6 (Security) and of the TETRA Security and Fraud Prevention Group (SFPG) – Has been vice-chairman of the ETSI Lawful Interception group – Has contributed to ENISA reports on network resilience, supply chain integrity, and measures to counter internet bullying.

4 Definition Privacy is defined as the right of the individual to have his identity and agency protected from any unwanted scrutiny and interference. – It reinforces the individual's right to decisional autonomy and self-determination. Privacy is a fundamental right protected by the Universal Declaration of Human Rights and by various legislative instruments, including the European Convention for the Protection of Human Rights and Fundamental Freedoms (Council of Europe).

5 Some statistics Deaths on EU27 roads: – Dropped from 56,247 in 2000 to 34,500 in 2009. The downward trend is persistent and ITS should aim to accelerate it. Vehicles on EU27 roads: – Increased from 334 per 1000 inhabitants in 1991 to 473 per 1000 in 2009. Assertion: manufacturers want this increase to continue. Public transport use: – Flat at 7% for train use in the EU27 – Flat at 9% for bus use in the EU27. Assertion: the Directive wants this to change from flat to increasing.

6 Some figures 1. Safety – Road deaths and injuries in the UK are estimated to cost 1% of GDP (£18 billion) 2. Efficiency – Congestion costs an estimated 1% of total EU GDP, about €100 billion p.a. (£18 billion in the UK alone) 3. Environmental sustainability – Transport accounts for 30% of total energy consumption in the EU, with the vast majority consumed by road transport.

7 ITS network: a network of sensors

8 What is the new thinking? Use vehicles as sensors Use people as sensors Use vehicles as computing nodes Use people as data sources Distribute knowledge

9 What are the new problems? Use vehicles as sensors – Who does it give its sensor data to? Does it trust the receiver will use it well? Use people as sensors – What are you sensing? Is this going to come back and adversely affect me? Use vehicles as computing nodes – Is this realistic? How much excess computing power is a car maker going to install? Use people as data sources – Not just sensor data but opinions too? Distribute knowledge – To whom and who pays?

10 What can ITS do with data? Identify virtual communities – How people travel and for what may give travel service providers better knowledge of how to ticket, how to schedule, how to better serve, different communities Provide data for recommender systems

11 Top level objectives for privacy ITS has to meet the expectations of privacy established by: – the Universal Declaration of Human Rights – EU data protection laws – the European Convention on Human Rights. Privacy is a right and an expectation, not a technology.

12 ITS aim: to improve safety

13 Co-operative awareness Vehicles signal their presence by radio – Where I am and what I am, reported continuously for all to hear – Short range radio (5.9 GHz, 100 mW transmitter, about 200 m range) – Not cellular, no infrastructure assumed. Every vehicle is aware of every other vehicle in the local area – Raw data for collision avoidance and other applications.

14 Event notification messages Geo-routed indication of events – Crash, congestion, adverse weather … – Receiving vehicles forward the message within and towards the affected geographic area Broadcast over radio for all to hear – 5.9GHz, low power, short range, no infrastructure Intent is to warn other drivers and get them to change their behaviour

15 CAM and DENM and PII PII = Personally Identifiable Information. CAM and DENM identify behaviour: – Where a vehicle is – How it is being driven – Long-term analysis may derive personal data: start and end points of a journey; correlation to objects at the end points of the journey: house (home?), shop (socio-economic group?), church (religion?), school (family status?)

16 Privacy concerns The transmitter has no knowledge of who receives the data. The transmitter has no knowledge of whether the receiver is good (restricts processing to the ITS application only) or bad (makes additional use of the data) – Any opportunity for bad actors is bad and needs to be designed out of the system.

17 Pseudonymity is not an answer Pseudonymity: the act of ensuring that a user may use a resource or service without disclosing the user's identity, while still being accountable for that use. Many aspects of behaviour are carried in immutable data, i.e. data that cannot be made pseudonymous: – CAM and DENM content – Network addresses – Geo-locations

18 ITS aim: to improve environment

19 Give feedback to users about the environmental consequences of their travel behaviour, with a view to encouraging change – CO2: climate change – PM: air quality – European standard: COPERT IV, model and databases of emission factors – Key pollutants

20 Emission calculation (inputs to the emission factor model) – Vehicle: passenger cars, motorcycles, mopeds, vans / small trucks, urban buses, coaches – Fuel: gasoline, diesel, LPG – Engine: engine capacity; engine state (cold start, hot start) – Emission standard – Speed – Outside temperature

21 Illustration

22 ITS aim: to reduce congestion

23 Congestion problem People in location "A" want to get to location "B" at the same time as lots of other people – Transport network capacity is insufficient to meet demand. The "Dawkins" solution: – Move/copy what everyone wants at "B" to "A" – Stagger the journey start times for all travellers

24 ITS aim: encourage use of public transport

25 Objective: to develop a routing system capable of: – supporting multi-modal routing – handling real-time information – considering multi-criteria evaluation functions – increasing the environmental awareness of travellers – generating personalised advice – learning the preferences of users

26 Multimodal trips

27 Supernetwork approach The user specifies which modes are available; uni-modal networks are inter-connected by transfer links (figure: multiple unimodal networks combined into one supernetwork)

28 Compiling the supernetwork – Time-expanded method to account for the timetables of public transport – Time-dependent method to account for congested travel times

29 Link cost function (to weight different factors): C = β0 + T·β1 + T·α1·β2 + T·α2·β3 + T·α3·β4, i.e. C = β0 + T·(β1 + α1·β2 + α2·β3 + α3·β4), where T is the time spent on the link, β0 is a constant penalty (minutes), β1 is the time weight, and α1, α2, α3 are the trip-context flags (bad weather, travelling with a child, time pressure) that switch on the extra weights β2, β3, β4 listed per mode and link type on the next slide.

30 Example of parameters (β0 constant in minutes, β1 time weight, β2 bad weather, β3 child, β4 time pressure; only the train travel-link row survives on the slide)

Mode  | Link type                 | β0 | β1 | β2 | β3 | β4
Foot  | Travel link               |    |    |    |    |
Bike  | Travel link               |    |    |    |    |
Bike  | Inter transfer link (in)  |    |    |    |    |
Bike  | Inter transfer link (out) |    |    |    |    |
Car   | Travel link               |    |    |    |    |
Car   | Inter transfer link (in)  |    |    |    |    |
Car   | Inter transfer link (out) |    |    |    |    |
Bus   | Travel link               |    |    |    |    |
Bus   | Intra transfer link (in)  |    |    |    |    |
Bus   | Intra transfer link (out) |    |    |    |    |
Bus   | Inter transfer link (in)  |    |    |    |    |
Bus   | Inter transfer link (out) |    |    |    |    |
Train | Travel link               | 0  | 1  | 0  | 0  | 0
Train | Intra transfer link (in)  |    |    |    |    |
Train | Intra transfer link (out) |    |    |    |    |
Train | Inter transfer link (in)  |    |    |    |    |
Train | Inter transfer link (out) |    |    |    |    |
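The supernetwork and link-cost function of slides 27 to 30, worked through in code. This is an added example and not i-Tour code: the places, the unimodal networks, the transfer links and every β value except the train travel-link row (0, 1, 0, 0, 0) are assumptions chosen for the illustration, and timetables (the time-expanded method of slide 28) are not modelled. Nodes are named "mode:place"; a transfer link belongs to the non-foot mode it joins to the walking network, as in the slide 30 table.

```python
import heapq
from dataclasses import dataclass

# (mode, link type) -> (beta0 constant [min], beta1 time weight, beta2 bad weather,
#                       beta3 child, beta4 time pressure)
# Only ("train", "travel") = (0, 1, 0, 0, 0) comes from slide 30; the rest are
# assumed illustrative values.
BETA = {
    ("foot",  "travel"):    (0, 1.2, 0.5, 0.0, 0.0),
    ("bike",  "travel"):    (0, 1.0, 1.5, 1.0, 0.0),
    ("bike",  "inter_in"):  (2, 1.0, 0.0, 0.0, 0.0),
    ("bike",  "inter_out"): (1, 1.0, 0.0, 0.0, 0.0),
    ("bus",   "travel"):    (0, 1.0, 0.1, 0.0, 0.2),
    ("bus",   "inter_in"):  (2, 1.0, 0.0, 0.0, 0.5),   # waiting hurts under time pressure
    ("bus",   "inter_out"): (1, 1.0, 0.0, 0.0, 0.0),
    ("train", "travel"):    (0, 1.0, 0.0, 0.0, 0.0),
    ("train", "inter_in"):  (2, 1.0, 0.0, 0.0, 0.5),
    ("train", "inter_out"): (1, 1.0, 0.0, 0.0, 0.0),
}


@dataclass(frozen=True)
class Link:
    src: str        # node "mode:place"
    dst: str
    mode: str       # unimodal network the link belongs to
    kind: str       # "travel", "inter_in" (foot -> mode) or "inter_out" (mode -> foot)
    minutes: float  # T: travel time, or waiting/transfer time on a transfer link


def link_cost(link: Link, alpha) -> float:
    """Slide 29: C = b0 + T*b1 + T*a1*b2 + T*a2*b3 + T*a3*b4.
    alpha = (bad_weather, child, time_pressure), each 0 or 1."""
    b0, b1, b2, b3, b4 = BETA[(link.mode, link.kind)]
    a1, a2, a3 = alpha
    T = link.minutes
    return b0 + T * b1 + T * a1 * b2 + T * a2 * b3 + T * a3 * b4


# Constructed supernetwork: four unimodal networks over the same places, joined
# by transfer links where a change of mode is possible (one direction only).
NETWORK = [
    Link("foot:Home", "foot:Stop", "foot", "travel", 10),
    Link("foot:Stop", "foot:Station", "foot", "travel", 15),
    Link("foot:Station", "foot:Work", "foot", "travel", 10),
    Link("foot:Home", "bike:Home", "bike", "inter_in", 2),
    Link("bike:Home", "bike:Station", "bike", "travel", 12),
    Link("bike:Station", "bike:Work", "bike", "travel", 8),
    Link("bike:Station", "foot:Station", "bike", "inter_out", 1),
    Link("bike:Work", "foot:Work", "bike", "inter_out", 1),
    Link("foot:Stop", "bus:Stop", "bus", "inter_in", 5),
    Link("bus:Stop", "bus:Work", "bus", "travel", 20),
    Link("bus:Work", "foot:Work", "bus", "inter_out", 1),
    Link("foot:Station", "train:Station", "train", "inter_in", 5),
    Link("train:Station", "train:Work", "train", "travel", 5),
    Link("train:Work", "foot:Work", "train", "inter_out", 1),
]


def build_supernetwork(links, available_modes):
    """Slide 27: keep only the networks the user has available; a transfer
    link is usable only if both foot and its own mode are available."""
    graph = {}
    for link in links:
        needed = {link.mode} if link.kind == "travel" else {link.mode, "foot"}
        if needed <= available_modes:
            graph.setdefault(link.src, []).append(link)
    return graph


def cheapest_route(links, available_modes, alpha, origin, dest):
    """Dijkstra over the supernetwork using slide 29's link costs.
    Returns (path, cost), or (None, inf) when dest is unreachable."""
    graph = build_supernetwork(links, set(available_modes))
    best = {origin: 0.0}
    prev = {}
    frontier = [(0.0, origin)]
    while frontier:
        cost, node = heapq.heappop(frontier)
        if cost > best[node]:
            continue                     # stale queue entry
        if node == dest:
            break
        for link in graph.get(node, []):
            new_cost = cost + link_cost(link, alpha)
            if new_cost < best.get(link.dst, float("inf")):
                best[link.dst] = new_cost
                prev[link.dst] = node
                heapq.heappush(frontier, (new_cost, link.dst))
    if dest not in best:
        return None, float("inf")
    path = [dest]
    while path[-1] != origin:
        path.append(prev[path[-1]])
    return path[::-1], best[dest]


if __name__ == "__main__":
    everything = {"foot", "bike", "bus", "train"}
    for label, modes, alpha in [("dry day", everything, (0, 0, 0)),
                                ("bad weather", everything, (1, 0, 0)),
                                ("no bike, dry", {"foot", "bus", "train"}, (0, 0, 0))]:
        path, cost = cheapest_route(NETWORK, modes, alpha, "foot:Home", "foot:Work")
        print(f"{label:12s} cost={cost:5.1f}  " + " -> ".join(path))
```

With these assumed weights the bike wins on a dry day (cost 26), the α1 flag alone moves the optimum to the bus (cost 48), and removing the bike from the available modes makes the bus beat walking (41 against 42). The point for the privacy discussion that follows is that the α flags and the available-mode set are themselves personal preferences the routing service has to hold.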

31 Which Real-time data?

32 Preferences (figure): fast, safety, no delays, convenience, low cost, emissions

33 Privacy and the protection of people

34 What the regulation covers
– data controller: natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data
– data processor: natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller
– processing of personal data: any operation or set of operations which is performed upon personal data, whether or not by automatic means. Examples of processing are collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
– data subject: person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
– data subject's consent: any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

35 Requirements Identify type of information/data users can upload and access: – determine if private (identity revealing) or public data Trust-based access control mechanism allowing users to upload content – Can trust be private? Virtual user communities’ characteristics – Does this reveal data that would otherwise be private? Recommender system – How personal does it need to be to be effective?

36 Protecting User Privacy Privacy protection protects a person. A person is described by what they do, where they do it, when they do it, what they do it with, and with whom they do it. ITS users share their activity with each other and with the system – Need to protect against exploitation of that data by other parties

37 Combination of technology & process Design for Assurance: ensure that security provisions can be measured and evaluated – Root is the "Common Criteria for Security Assurance Evaluation", published as ISO, with an interpretation for standards development in ETSI EG. Privacy by Design: adopt practices throughout the design, implementation and operation that maximise privacy – identify data leakage – address the human element in system deployment – address the policies of the system users, maintainers and managers – consider end-of-life data disposal

38 WP5 – Goal and Objectives Trust based Access Control Mechanism

39 Scenario i-Tour Approach: “[…] Fluid access control based mechanism based on trust, with users dynamically gaining (or losing) the right to upload different categories of content, as their trustworthiness is dynamically reassessed […]” i-Tour registered users

40 Scenario i-Tour Approach: “[…] Trust-based recommender engine that suggests to users content they are most likely to enjoy, based on a combination of how much they trust the creator of the content, and how much people similar to them enjoyed such content […]” “Where can I buy some food for lunch?”

41 WP5 – Goal and Objectives Analysis and division into Virtual Communities

42 Virtual Community Analysis Community detection based on travel patterns on the London Underground. N. Lathia, J. Froehlich, L. Capra. Mining Public Transport Usage for Personalised Intelligent Transport Systems. In IEEE International Conference on Data Mining, Sydney, Australia, December 2010.

43 Protecting User Privacy - risk reduction

44 Privacy, data protection and security Privacy is a fundamental right
– Article 12 UDHR: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks
– Article 8 European Convention for the Protection of Human Rights and Fundamental Freedoms (Right to respect for private and family life): Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

45 Privacy, data protection and security Assigns rights to citizens on how data related to them is protected – Enshrined in law in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data – Supplemented by Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

46 Privacy, data protection and security
– Personal data shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
– Processing of personal data shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
– "Data subject's" consent shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

47 Privacy, data protection and security Security is the means to give assurance of the confidentiality, integrity and availability of data and services – Offers technical and procedural means to support regulation. Security supports … – Privacy (Privacy Enhancing Technologies): COM(2007) 228 final, "COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on Promoting Data Protection by Privacy Enhancing Technologies (PETs)" – Data protection

48 Content privacy – user generated

49 Content privacy – provided

50 Content privacy – interactive sessions

51 One person – multiple persona

52 Consequences for ITS ITS carries personal data both directly and indirectly in all its variants: – Advanced Traveller Information Systems (ATIS): location and route are personal information – Advanced Traffic Management Systems (ATMS) – ITS-Enabled Transportation Pricing Systems: concessionary fares require exchange of personal data – Advanced Public Transportation Systems (APTS) – Vehicle-to-Infrastructure Integration (VII): ETSI CAM and DENM – Vehicle-to-Vehicle Integration (V2V): ETSI CAM and DENM

53 Wider concept

54 User Privacy versus User security Security is not a synonym for privacy – But security techniques will give some protection of privacy – Security techniques counter risk of Interception, Masquerade, Manipulation, Repudiation

55 Protecting User Privacy Separation of identification and authorisation entities – Anonymous at point of service delivery – Identity and behaviour made non-linkable without collusion and difficult even with collusion

56 Use case interactions for "authorisation" (figure: prosumer relationship; multiple authorisations)

57 Security technology protecting privacy Privacy shall be addressed from the perspective of security used as Privacy Enhancing Technologies (PETs). Security technologies are usually classified according to the CIA model. The implementation will ensure control of: – Security associations (specific links between objects) – Confidentiality – Integrity – Authenticity

58 Privacy protection measures Anonymity – Ensures that a user may use a resource or service without disclosing the user's identity Pseudonymity – Ensures that a user may use a resource or service without disclosing its user identity, but can still be accountable for that use Unlinkability – Ensures that a user may make multiple uses of resources or services without others being able to link these uses together Unobservability – ensures that a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used

59 Unlinkability Maximising the entropy between messages from the same source – Derived from Shannon's work – Cryptographic hashing achieves much of the effect, but it cannot be realised in a broadcast network in which real-world data (where the vehicle is and how it is moving) is itself being transmitted
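Why slide 17 says pseudonymity is not an answer, and slide 59 says hashing cannot deliver unlinkability for broadcast real-world data, shown on constructed data. This is an added example and not i-Tour or ETSI code: the message fields, the two straight-line trajectories, the 1 Hz rate, the pseudonym change every 20 messages and the linking tolerances are all assumptions for the illustration. An eavesdropper sees only (pseudonym, time, position, speed); because the physical trajectory is continuous, a pseudonym change looks like one track ending and another starting exactly where the first one would have been, and the journey, with its start and end points (slide 15), is recovered.

```python
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Cam:
    """The fields of a CAM that matter for tracking: who sent it (a pseudonym),
    when, where and how fast.  Constructed, not the ETSI message format."""
    pseudonym: str
    t: float        # seconds
    x: float        # metres east
    y: float        # metres north
    speed: float    # m/s


def simulate_vehicle(x0, y0, heading_deg, speed=13.9, n_msgs=60, rotate_every=20):
    """Straight-line drive at 1 Hz with a fresh random pseudonym every rotate_every CAMs."""
    dx, dy = math.cos(math.radians(heading_deg)), math.sin(math.radians(heading_deg))
    cams, pseudonym = [], None
    for i in range(n_msgs):
        if i % rotate_every == 0:
            pseudonym = secrets.token_hex(4)
        cams.append(Cam(pseudonym, float(i), x0 + speed * i * dx, y0 + speed * i * dy, speed))
    return cams


def simulate_fleet():
    """Two constructed vehicles: one leaving (1000, 2000) north-east, one heading west from (5000, 2000)."""
    return simulate_vehicle(1000.0, 2000.0, 45.0) + simulate_vehicle(5000.0, 2000.0, 180.0)


def segments(cams):
    """What the eavesdropper sees first: one track per pseudonym, oldest first."""
    by_id = {}
    for c in cams:
        by_id.setdefault(c.pseudonym, []).append(c)
    return sorted((sorted(v, key=lambda c: c.t) for v in by_id.values()), key=lambda s: s[0].t)


def _heading(seg):
    if len(seg) < 2:
        return None
    a, b = seg[-2], seg[-1]
    return math.atan2(b.y - a.y, b.x - a.x)


def link_segments(segs, max_gap_s=3.0, tol_m=10.0):
    """Kinematic linking: if a track starts where another track's last message
    would be dt seconds later at its last speed and heading, treat it as the
    same vehicle.  Greedy nearest-prediction matching; returns chains of tracks."""
    next_of, used = {}, set()
    for i, a in enumerate(segs):
        h = _heading(a)
        if h is None:
            continue
        last, best = a[-1], None
        for j, b in enumerate(segs):
            if j == i or j in used:
                continue
            dt = b[0].t - last.t
            if not 0 < dt <= max_gap_s:
                continue
            err = math.hypot(b[0].x - (last.x + last.speed * dt * math.cos(h)),
                             b[0].y - (last.y + last.speed * dt * math.sin(h)))
            if err <= tol_m and (best is None or err < best[0]):
                best = (err, j)
        if best is not None:
            next_of[i] = best[1]
            used.add(best[1])
    journeys = []
    for start in (i for i in range(len(segs)) if i not in used):
        chain, i = [segs[start]], start
        while i in next_of:
            i = next_of[i]
            chain.append(segs[i])
        journeys.append(chain)
    return journeys


def recover_journeys(cams):
    """Slide 15's long-term analysis: start point, end point and the pseudonyms
    that were stitched together, per vehicle."""
    out = []
    for chain in link_segments(segments(cams)):
        first, last = chain[0][0], chain[-1][-1]
        out.append({
            "pseudonyms": [seg[0].pseudonym for seg in chain],
            "start": (round(first.x, 1), round(first.y, 1)),
            "end": (round(last.x, 1), round(last.y, 1)),
            "seconds": last.t - first.t,
        })
    return sorted(out, key=lambda j: j["start"])


if __name__ == "__main__":
    cams = simulate_fleet()
    print(f"{len(segments(cams))} pseudonymous tracks seen on air")
    for j in recover_journeys(cams):
        print(f"{len(j['pseudonyms'])} pseudonyms -> one journey from {j['start']} to {j['end']} in {j['seconds']:.0f} s")
```

Six pseudonyms on air collapse to two journeys. The only parameter that breaks the linker here is the time gap: a vehicle that stops transmitting for longer than `max_gap_s` around a pseudonym change is not linked, which is the reason a pseudonym change has to be combined with a change in the observable data (a silent period, or changing pseudonym together with other vehicles) rather than being a rename of the same continuous track.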

60 Personal privacy – the i-Tour user New concerns in i-Tour – Group membership implied through virtual community analysis may become personal data – Recommendations from the recommender engine may become personal data – Personalised travel services need knowledge of personal preferences. Exploitation of such data sets without properly traceable consent has to be minimised.

61 Trust How does the service trust the network? How does the content provider trust the service platform? Proposals being considered: – Keyed authorisation framework: a variant of X.509-based Privilege Management Infrastructure (PMI) using lightweight IEEE certificates (the underlying cryptography is elliptic curve), with elements of a Kerberos ticket-granting service too – May allow greater trust from users of the core network – May act as a deterrent to SPAM, DDoS and other attacks

62 i-Tour ontology for privacy (figure: strong assertion; aim is to weaken this assertion; technology for protection)

63 Objectives (figure: from directives; from regulation; from analysis)

64 Protecting User Privacy Need to demonstrate the separation of identity and authorisation and unlinkability measures give privacy assurance Single and double blinding with strong assertions of community membership without revealing real identity (thus minimising privacy exploits)
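One concrete way to get the separation of identification and authorisation asked for on slides 55 and 64 (anonymous at the point of service, a strong assertion of community membership without revealing the real identity, identity and behaviour non-linkable even when the two entities compare logs). This is an added example and not i-Tour's design: the slides name the goal, not this construction. It uses a Chaum RSA blind signature as the single-blinding step (the slides' double blinding is not shown), with a pure-Python textbook keygen, a SHA-256 hash-then-sign and a "community=...;nonce=..." token format that are all assumptions for the illustration and not a production-grade scheme.

```python
import hashlib
import secrets
from math import gcd


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; fine for an illustration, not a production key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _digest(msg: bytes, n: int) -> int:
    # hash-then-sign; a real deployment would use a full-domain hash
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


class CommunityIssuer:
    """Identification entity: knows who belongs to which community, but only
    ever signs a blinded value, so it never sees the token the service sees."""

    def __init__(self, bits=512):
        self.key = rsa_keygen(bits)
        self.members = {}   # real identity -> communities (constructed registry)
        self.log = []       # (identity, blinded value): what an honest-but-curious issuer keeps

    def public_key(self):
        return self.key["n"], self.key["e"]

    def enrol(self, identity, community):
        self.members.setdefault(identity, set()).add(community)

    def sign_blinded(self, identity, community, blinded):
        if community not in self.members.get(identity, set()):
            raise PermissionError(f"{identity} is not a member of {community}")
        self.log.append((identity, blinded))
        return pow(blinded, self.key["d"], self.key["n"])


def request_token(issuer, identity, community):
    """User side: blind, have it signed, unblind.  The nonce makes every token
    distinct, so two presentations by the same user cannot be linked."""
    n, e = issuer.public_key()
    msg = f"community={community};nonce={secrets.token_hex(16)}".encode()
    m = _digest(msg, n)
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    blinded = (m * pow(r, e, n)) % n
    blind_sig = issuer.sign_blinded(identity, community, blinded)   # = m^d * r mod n
    sig = (blind_sig * pow(r, -1, n)) % n                          # = m^d mod n
    return msg, sig


class Service:
    """Authorisation entity at the point of service: checks the issuer's
    signature, learns the community, never learns the identity."""

    def __init__(self, issuer_public_key):
        self.n, self.e = issuer_public_key
        self.spent = set()

    def authorise(self, msg, sig):
        if pow(sig, self.e, self.n) != _digest(msg, self.n):
            return None                      # forged or tampered token
        if msg in self.spent:
            return None                      # single use: replay refused
        self.spent.add(msg)
        fields = dict(kv.split("=", 1) for kv in msg.decode().split(";"))
        return fields["community"]


def issuer_can_link(issuer, msg, sig):
    """Collusion check: with both logs side by side, nothing the issuer recorded
    equals the token hash or the signature the service saw (r is gone)."""
    n, _ = issuer.public_key()
    m = _digest(msg, n)
    return any(b in (m, sig) for _, b in issuer.log)


if __name__ == "__main__":
    issuer = CommunityIssuer()
    issuer.enrol("alice", "north-commuters")
    service = Service(issuer.public_key())
    msg, sig = request_token(issuer, "alice", "north-commuters")
    print("service sees:", msg, "->", service.authorise(msg, sig))
    print("issuer+service can link it to alice:", issuer_can_link(issuer, msg, sig))
```

The issuer enforces membership at signing time, so the assertion the service relies on is as strong as the issuer's registry, yet the service only ever handles (msg, sig) and the issuer only ever handles the blinded value. Linking a presentation back to a person would need the blinding factor r, which only the user's device held. What this does not give is unlinkability between the enrolment and the issuance event itself (the issuer knows that alice asked for a token at some time), which is where a second blinding layer or batched issuance would come in.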

65 Closing acknowledgements Partners in the i-Tour project Colleagues in the ETSI ITS standards groups Funding from FP7

66 Questions