Humanizing security technology and terminology Scott CADZOW C3L
Your speaker Scott CADZOW Director, Consultant, Security Expert, Standards developer, Pen-tester, Cryptanalyst (for fun), Writer/Blogger (not often), Husband, Father, Privacy advocate, Triathlete (barely competitive but enjoys it) Rapporteur of about 20 ETSI standards (TETRA, NGN, HF-UCI, MTS, AT-D, ITS, ehealth) Chairman or vice chairman at various times of ETSI and ISO standards groups (TETRA, LI, ITS)
Setting the tone "Real knowledge is to know the extent of one's ignorance." Confucius "... as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don't know we don't know." Donald Rumsfeld (February 2002) "He that would perfect his work must first sharpen his tools." Confucius
The proposal to HF and Users Sorting terminology to identify requirements Background: The terminology of security does not align with the human expectation of security. This misalignment does a disservice to security experts, to privacy experts, to legislation and to the affected users. Example, the word "integrity": Integrity (everyday usage): the quality of being honest and having strong moral principles (a gentleman of complete integrity). Integrity (information-security usage): safeguarding the accuracy and completeness of information and processing methods.
Real concerns and resulting requirements The concerns of users of systems are not with the technology of confidentiality or with proofs of integrity or authentication. Users tend to be concerned with less tangible or intangible things like trust, integrity and ethical behaviour. The approach to be considered is to take the user debate from CIA to ESP: Technology often means the CIA of Confidentiality, Integrity and Availability. As technologists we are able to say with confidence that the algorithms underpinning cryptographic confidentiality (e.g. AES), digital signatures (e.g. RSA) and cryptographic hashes (e.g. SHA-2) give assurance of security in a precise but narrow sense: no known capability breaks a properly parameterised, correctly implemented instance. That assurance is about the mechanism, not about what the recipient does with the data once the mechanism has delivered it. Users look more at behavioural expectations, the ESP of Ethics, Privacy and Security. As technologists we cannot say "this person is acting ethically" or "this recipient of your data is acting in your interest".
What we need to foster ICT systems treating users with dignity ICT systems acting ethically Much more than merely respecting and protecting privacy (private data, user behavior, user relationships)
Ethics: a societal and technical issue Applying the Hippocratic oath to machine systems (classical Greek text, given here in English translation): I swear by Apollo the physician, by Asclepius, by Hygieia and Panacea, and by all the gods and goddesses, making them my witnesses, that I will carry out, according to my ability and judgement, this oath and this covenant: to hold the one who taught me this art as equal to my own parents; to share my livelihood with him and, should he need money, to give him a share of mine; to regard his offspring as equal to my own brothers and to teach them this art, if they wish to learn it, without fee or covenant; to pass on precepts, oral instruction and all other learning to my own sons, to the sons of the one who taught me, and to pupils bound by covenant and oath according to the law of medicine, but to no one else. I will use dietary regimens for the benefit of the sick according to my ability and judgement, and I will keep them from harm and injustice. I will give no deadly drug to anyone, even if asked for it, nor will I suggest such a course; likewise I will not give a woman a pessary to cause abortion. In purity and holiness I will guard my life and my art. I will not use the knife, not even on those suffering from the stone, but will leave that to those who practise that work. Into whatever houses I enter, I will go for the benefit of the sick, keeping myself free from all intentional wrongdoing and harm, and in particular from sexual relations with women or men, free or slave. Whatever I see or hear in the course of treatment, or even outside treatment in the lives of people, which ought never to be spoken of abroad, I will keep to myself, holding such things to be unspeakable. If I keep this oath and do not break it, may I enjoy my life and my art, honoured among all people for all time; but if I transgress it and forswear myself, may the opposite befall me.
Modern text World Medical Association Declaration of Geneva (the physician's pledge, 2006 revision) AT THE TIME OF BEING ADMITTED AS A MEMBER OF THE MEDICAL PROFESSION: I SOLEMNLY PLEDGE to consecrate my life to the service of humanity; I WILL GIVE to my teachers the respect and gratitude that is their due; I WILL PRACTISE my profession with conscience and dignity; THE HEALTH OF MY PATIENT will be my first consideration; I WILL RESPECT the secrets that are confided in me, even after the patient has died; I WILL MAINTAIN by all the means in my power, the honour and the noble traditions of the medical profession; MY COLLEAGUES will be my sisters and brothers; I WILL NOT PERMIT considerations of age, disease or disability, creed, ethnic origin, gender, nationality, political affiliation, race, sexual orientation, social standing or any other factor to intervene between my duty and my patient; I WILL MAINTAIN the utmost respect for human life; I WILL NOT USE my medical knowledge to violate human rights and civil liberties, even under threat; I MAKE THESE PROMISES solemnly, freely and upon my honour.
Alternatively: "Do no harm". Not just for telemedicine: it applies to all ICT systems.
Home of ethics? Ethics is usually considered to be owned by an organisation: the medical profession, a bank, a retail store or group. Where is the ethical home for a concept, or for a global ICT network of systems? Users are often modelled, for simplicity, as being outside the system boundary. Are they?
Ethics versus security and privacy For telemedicine: the audit trail of actions involving machines must be as good as, if not better than, that for actions involving humans; non-repudiation of clinical action; proper authorisation of all clinical and non-clinical actions, both clinical intervention and clinical monitoring. An ehealth system should be seen to perform ethically in the sense of a Turing test: to exhibit behaviours that make its actions indistinguishable from those of purely human actors.
Two threads intertwined. The first thread, security, gives assurance of the following characteristics:
- Confidentiality: ensuring that data meant only for Alice and Bob can be seen only by Alice and Bob.
- Integrity: ensuring that the system's behaviour, content and appearance are not changed without that change being authorised (and reversible, repeatable and, essentially, correct).
- Availability: ensuring that the system is available to its legitimate users when they are entitled to use it, and that performance is maintained. Identification and authorisation of all actors are what make "legitimate" decidable, and so underpin all three properties.
The other thread, privacy: ensuring that the system acts on private data (generally, any data that may by itself, or in combination with other data, services or analysis, be used to single one person out of a crowd) legitimately with respect to the law and to the explicit understanding of the affected parties.
Threats to ehealth?
- Unauthorised access to data: requires identification, authorisation, non-repudiation and confidentiality (when stored and when in transit).
- Inappropriate access to data: requires context processing; sometimes data has to be released, but only when the circumstances are right, and an authorised actor can still make an inappropriate access.
- Incorrect clinical intervention: by hijack of telemedicine actors (the insulin pump attack).
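The distinction the two slides above draw is easy to lose in an implementation: a role check answers "is this actor allowed to do this at all?" (unauthorised access), while only a context check answers "is this particular access right, now?" (inappropriate access), and the audit requirement for machine actors means every decision, including emergency overrides, must be recorded in a way that cannot be quietly edited afterwards. The following is an added example, not code from the presentation or any project it cites; the roles, actors, purposes and records are all constructed, and the HMAC key is a placeholder for one that would live in an HSM or key-management service.

```python
"""Layered access decision for an ehealth record with a tamper-evident audit trail.

Added illustration; roles, actors, purposes and the key are constructed (assumed).
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed role model (assumed): what each role may do at all.
ROLE_PERMISSIONS = {"clinician": {"read", "write"}, "pharmacist": {"read"}, "billing": set()}


@dataclass(frozen=True)
class Request:
    actor: str
    role: str
    action: str          # "read" or "write"
    patient: str
    purpose: str         # e.g. "treatment", "billing", "curiosity", "emergency"
    in_care_team: bool   # does this actor currently treat this patient?
    break_glass: bool = False   # emergency override: permitted, but always audited


@dataclass(frozen=True)
class Decision:
    allowed: bool
    layer: str           # which layer produced the decision: "authorisation" or "context"
    reason: str


def authorise(req: Request) -> Decision:
    """Unauthorised access: is the actor's role permitted to perform the action at all?"""
    if req.action in ROLE_PERMISSIONS.get(req.role, set()):
        return Decision(True, "authorisation", f"role {req.role} may {req.action}")
    return Decision(False, "authorisation", f"role {req.role} may not {req.action}")


def appropriate(req: Request) -> Decision:
    """Inappropriate access: the actor is authorised, but is this access right in context?"""
    if req.break_glass:
        return Decision(True, "context", "break-glass emergency access, flagged for review")
    if req.purpose == "treatment" and req.in_care_team:
        return Decision(True, "context", "treatment by a member of the care team")
    return Decision(False, "context", f"purpose '{req.purpose}' outside a care relationship")


class AuditLog:
    """Append-only log in which each entry's HMAC tag also covers the previous tag,
    so editing or deleting any earlier entry breaks every tag that follows it."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, req: Request, decision: Decision) -> None:
        prev = self.entries[-1]["tag"] if self.entries else "0" * 64
        body = {"request": asdict(req), "decision": asdict(decision), "prev": prev}
        self.entries.append({**body, "tag": self._tag(body)})

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body["prev"] != prev or not hmac.compare_digest(self._tag(body), entry["tag"]):
                return False
            prev = entry["tag"]
        return True


def decide(req: Request, log: AuditLog) -> Decision:
    """Run the authorisation layer, then the context layer; record whatever was decided."""
    decision = authorise(req)
    if decision.allowed:
        decision = appropriate(req)
    log.append(req, decision)
    return decision


# Constructed sample requests (assumed): one per case the slides describe.
SAMPLE_REQUESTS = [
    Request("dr_ahmed", "clinician", "read", "patient-001", "treatment", True),      # appropriate
    Request("clerk_jones", "billing", "read", "patient-001", "billing", False),     # unauthorised
    Request("dr_lee", "clinician", "read", "patient-001", "curiosity", False),      # inappropriate
    Request("dr_lee", "clinician", "write", "patient-001", "emergency", False, break_glass=True),
]


def run_demo(key: bytes = b"constructed-demo-key"):
    log = AuditLog(key)
    decisions = [decide(r, log) for r in SAMPLE_REQUESTS]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_demo()
    for req, d in zip(SAMPLE_REQUESTS, decisions):
        print(f"{req.actor:12} {req.action:5} -> {'ALLOW' if d.allowed else 'DENY ':5} [{d.layer}] {d.reason}")
    print("audit chain intact:", log.verify())
```

The HMAC chain gives tamper evidence against anyone who does not hold the key; it does not by itself give non-repudiation towards a third party, because whoever holds the key could rewrite the whole chain. For the non-repudiation the telemedicine slide asks for, replace the HMAC with a digital signature per entry under a key the logging service cannot use to forge actors' actions, or periodically anchor the chain head somewhere the operator cannot alter.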
Characterisation of data?
- Assumptions: data is open; data is layered.
- Potentialities: data is loosely structured; data is mutable; data associations are highly dynamic.
- Data protection and privacy (DP&P): the same root data may be both private (subject to DP&P) and public (not subject to DP&P).
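The privacy slide's "by itself or in combination with other data" and the point here that the same root data may be both public and private are the same observation seen from two sides, and it can be measured. The following is an added example, not from the presentation: it takes a constructed set of records, computes k-anonymity (the size of the smallest group of records sharing the same values of a chosen set of attributes) for every combination of candidate quasi-identifiers, and shows which combinations single someone out even though no single attribute does.

```python
"""Which attribute combinations single a record out of a crowd?

Added illustration; the records are constructed (assumed), not real patient data.
"""
from collections import Counter
from itertools import combinations

# Constructed sample records (assumed). No single attribute identifies anyone.
RECORDS = [
    {"postcode": "CM6", "birth_year": 1975, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "CM6", "birth_year": 1975, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "CM6", "birth_year": 1982, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "CM7", "birth_year": 1975, "sex": "M", "diagnosis": "migraine"},
    {"postcode": "CM7", "birth_year": 1982, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "CM7", "birth_year": 1982, "sex": "F", "diagnosis": "diabetes"},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def k_anonymity(records, attributes):
    """Size of the smallest equivalence class over the given attributes (k == 1 means
    some record is unique on those attributes, i.e. can be singled out)."""
    classes = Counter(tuple(r[a] for a in attributes) for r in records)
    return min(classes.values())


def singling_out_combinations(records, attributes):
    """All attribute combinations, of any size, for which k-anonymity is 1."""
    return [
        combo
        for n in range(1, len(attributes) + 1)
        for combo in combinations(attributes, n)
        if k_anonymity(records, combo) == 1
    ]


def generalise(records, attribute, fn):
    """Return a copy of the records with one attribute coarsened by fn (e.g. postcode area)."""
    return [{**r, attribute: fn(r[attribute])} for r in records]


if __name__ == "__main__":
    for a in QUASI_IDENTIFIERS:
        print(f"{a:10} alone: k = {k_anonymity(RECORDS, (a,))}")
    print("combinations that single someone out:", singling_out_combinations(RECORDS, QUASI_IDENTIFIERS))
    coarse = generalise(RECORDS, "postcode", lambda p: p[:2])   # CM6/CM7 -> CM
    print("after generalising postcode:", singling_out_combinations(coarse, QUASI_IDENTIFIERS))
```

On the constructed records each attribute alone has k of 2 or 3, so releasing any one of them is "public" data in the slide's terms, while postcode together with either of the others has k of 1 and is private. Generalising the postcode to its area removes every singling-out combination here. k-anonymity only bounds identity disclosure; if everyone in an equivalence class shares the same diagnosis, the sensitive value still leaks, which is what the later l-diversity measure addresses.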
The result we want to achieve
- Proof that all data and services acting on behalf of users do so in such a way that all data, and all processing, is necessary and stays within the privacy and security constraints set for the system.
- Let systems be open to ethical and dignity audit.
- Ensure that no action by the system, or by its users whilst connected to the system, gives rise to any increased risk to the user that would not exist if the system did not exist.
Thank you for your attention
Acknowledgement The author acknowledges support for the presentation material from the following sources: i-scope: The project has received funding from the European Community, and it has been co-funded by the CIP ICT Policy Support Programme as part of the Competitiveness and Innovation Framework Programme by the European Community (http://ec.europa.eu/ict_psp), contract number 297284. The author is solely responsible for this material; it does not represent the opinion of the Community, and the Community is not responsible for any use that might be made of the information contained therein. SUNSHINE: This project is partially funded under the ICT Policy Support Programme (ICT PSP) as part of the Competitiveness and Innovation Framework Programme by the European Community (http://ec.europa.eu/ict_psp). i-locate: The project has received funding from the European Community under contract number 621040.