CIO perspective on (the future of) privacy

2013/05/15

As part of the CIO Days 2012 we did scenario planning sessions with a group of CIOs from the Netherlands. Scenario planning is a methodology for considering what might happen in the future, and what the impact will be. Instead of trying to predict a single future, we determined two dominant uncertainties about the future, and combined these into four possible futures. My Novay colleague Timber Haaker is our scenario planning guru, and also authored this blog post and this article in CIO Magazine nr.2013-1 with more background on scenario planning and the scenario planning sessions we did at the CIO Days. This is a pdf with only the relevant pages. All in Dutch. I facilitated the scenario planning session on privacy, the results of which I share below:

After listing uncertainties about what the future of privacy could be, we selected the two main uncertainties (through consensus). These were:

  • how the privacy regulations evolve: high (strict privacy regulations which are enforced and with high penalties) or low (relaxed regulations, little enforcement and low penalties),
  • privacy awareness: low (no-one cares) or high (a major concern and therefore potential differentiator).

Combining the two main uncertainties resulted in the four scenarios below.

(Figure: privacy scenario planning matrix)

The scenarios are:

  • In the Tick Box scenario regulations are very strict, but people generally don’t care. An organisation thus has to fulfill privacy requirements to satisfy lawyers rather than customers. One could consider this money wasted…
  • In the Fear scenario privacy is a hot issue. Both regulators and people in general care a lot about privacy, and privacy requirements are a major issue. A CIO should ‘fear’ not being able to fulfill privacy requirements. A company should invest in privacy-by-design, privacy-enhancing technologies and privacy expertise in general.
  • In the Choice scenario the regulations are relaxed, but people do care about privacy. There is thus a choice from the perspective of the business, and privacy is a differentiator.
  • In the Ignore scenario neither regulators nor people care, and privacy is not an issue for the CIO.

It was interesting and fun to facilitate this session. By doing it in a session (starting in subgroups) we got everyone involved (wisdom-of-the-crowd). Since we, of course, had little time we did not go into details on the different scenarios, but I think all of the participants (including myself) learned something on how privacy may evolve, and how to use scenario planning to be prepared for an unknown future.


Step-up authentication as-a-Service

2013/01/07

IDentity-as-a-Service (IDaaS) was a hot topic in 2012 (e.g., this blog post of Dave Kearns), and probably will continue to be so in 2013. In a project for and with SURFnet (Dutch NREN) Novay designed an IDaaS-like service to make existing identities more trustworthy: Step-up authentication as-a-Service. (No idea how to abbreviate this: SuaaaS?) The Step-up authentication as-a-Service we designed addresses this need by making it possible to increase the trustworthiness (put differently: increase the level of assurance) of identities in an existing identity federation. The service addresses both the technology and the process/registration side: a second-factor authentication and an additional face-to-face check of who this digital identity (and second factor) actually belongs to.

From a user perspective, the service has a self-service interface to register a second factor (see mock-up below), an interface for the identity providers for user management (see second mock-up below) and of course every time a step-up authentication is needed the user is redirected to the Step-up authentication as-a-Service to authenticate with this second factor.
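As an added illustration (not SURFnet's or Novay's code), the following toy model shows the decision the step-up service has to make: an identity arriving from the federation with a low level of assurance (LoA) is raised to a higher LoA only when a second factor was registered, the registration was vetted face-to-face, and the second factor verifies. The second factor is assumed to be a TOTP code (RFC 6238); the user names, seeds and LoA numbers are constructed for the example.

```python
# Added example (not SURFnet's or Novay's code): toy model of step-up
# authentication as a service. The federation's base LoA is never lowered;
# it is raised only when (1) a second factor is registered, (2) the
# registration was vetted face-to-face, and (3) the TOTP code verifies.
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass


@dataclass
class Registration:
    secret: bytes   # TOTP seed registered via the self-service interface
    vetted: bool    # face-to-face check of identity + second factor done?


# Constructed sample registry: one fully vetted user, one who only self-registered.
REGISTRY = {
    "alice@example.org": Registration(b"alice-seed-0000000001", vetted=True),
    "bob@example.org": Registration(b"bob-seed-000000000002", vetted=False),
}


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    msg = struct.pack(">Q", t // step)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def step_up(user: str, base_loa: int, code: str, now=None) -> int:
    """Return the LoA the step-up service asserts for this session.

    base_loa is what the federation already vouches for (e.g. 1 = password only).
    The current and previous 30-second window are accepted to tolerate clock skew.
    """
    reg = REGISTRY.get(user)
    if reg is None or not reg.vetted:          # unregistered or not vetted: no uplift
        return base_loa
    now = int(time.time()) if now is None else now
    for t in (now, now - 30):
        if hmac.compare_digest(totp(reg.secret, t), code):
            return max(base_loa, 2)
    return base_loa                             # wrong code: keep base LoA


def access_granted(user: str, base_loa: int, code: str, required_loa: int, now=None) -> bool:
    """Service provider decision after the redirect back from the step-up service."""
    return step_up(user, base_loa, code, now) >= required_loa
```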



eRecognition won Novay Digital Identity Award

2012/12/04

eRecognition (in Dutch: eHerkenning) has won, congratulations to Logius, ICTU, the Ministry of Economic Affairs, all the participating companies in eHerkenning and of course especially to the people that have contributed to eHerkenning! Below the official press release. What I’d like to personally add to this is that I think it is great that eHerkenning simply started facilitating business-to-government identification, with the parties that saw opportunities to provide identity services and only a limited set of government service providers. It now has a growing usage, and is also targeting business-to-business.

Physically the award is a small ceramic statue by the artist Alexandra Veneman. A (slightly shortened) explanation of her idea when she made it:



Nominees Novay Digital Identity Award 2012: Evolok, eRecognition and IDchecker

2012/11/07

For the third year in a row I’m responsible for the Novay Digital Identity Award, which Novay in collaboration with IDentity.Next will give to an innovation in the area of digital identity. The first winner (2010) was Ziggur (digital death service), last year’s winner was Edentiti (online identity verification).

We have an independent jury (which I’m not in), which picked three nominees for this year:

  • Evolok – which combines identity & access management with a paywall system for online content. Ease-of-use for consumers, flexibility w.r.t. business model for online content providers.
  • eRecognition – an identity trust framework from the Netherlands, for business-to-government (and also aiming for business-to-business). Ahead of similar initiatives in the US (NSTIC) and UK, and usage is increasing.
  • IDchecker – a company that is very big in a niche market: a SaaS service for verifying physical ID documents based on an optical scan, or, IMHO much ‘cooler’, using a mobile app.

I copied the official announcement/press release below (the Dutch version is here). The winner will be announced on 20 November, during IDentity.Next in The Hague.



7′ speech: students in control over their own data

2012/10/04


SURFnet, the Dutch National Research and Education Networking organisation, had their two-yearly networking event for their customers and partners (3-4 October 2012). A new item was a series of 7′ TEDx-like speeches, one of which was given by me. I talked about putting the student central in discussions about privacy in higher education, e.g., when introducing promising innovations like learning analytics. Although preparing for 7′ takes way more time per minute than preparing for 45′ or 90′ presentations (the length of the presentations I gave the day and the week before), it was fun doing it. I basically argued that the user acceptance of privacy-sensitive innovations in higher education is more important than whether lawyers think that these innovations are allowed. This means that you should 1) explain the benefits of the innovation for the student and why the data is needed, 2) be transparent on exactly what data is collected and 3) whenever possible let the student control the collection/sharing/retention of this data.

For more information (all in Dutch ..): here is a blog post from SURFnet on my presentation. Here are the slides, but since they have a lot of pictures and little text, you are probably better off watching the video. It is only 7′ :) My presentation starts at 1:11′. You can also watch the other presentations, including cool visualisations of open data by the VPRO (first talk) and interesting thoughts on next-generation trust infrastructures by Roland van Rijswijk (SURFnet, second talk).


Internetbanking fraud in Netherlands increases again

2012/09/27

For a couple of years now the Dutch Banking Association (NVB) has made internet banking fraud numbers for NL public, with updates every half year. The damage for the first half of 2012 was €27.3M, compared to €35M for the whole of 2011 (see graph below, with the amount for 2012 estimated by simply doubling the first half of 2012). The relative increase, again calculated by simply doubling the €27.3M to get a number to compare to the €35M, is roughly 1.5 times. This means the growth is less than it was in the previous years (see the graph below). Also, if you compare the first half of 2012 to the second half of 2011, the growth has decreased to 14%. This does not mean that I’m optimistic: the fraud still increases, and the absolute numbers are also becoming worrisome. With ~11M internet banking users, this is ~€5 per user, which is IMHO significant.

As one would expect, the NVB mentions that attacks are becoming more malware-based and less ‘old-fashioned phishing’-based. I’d be very interested to see statistics on internet banking fraud with the increasingly popular mobile banking apps, but the NVB unfortunately does not provide these numbers.


Tooling and methodologies for privacy & security in the cloud

2012/08/12

We recently finished a project on privacy & security in the cloud for SURFnet (Dutch NREN, responsible for the Dutch research network and middleware services on top of this). Basically, we supplemented work of others that focussed on the contractual and legal perspective with a more technological perspective. We listed what an organisation can do itself to improve privacy & security when taking applications to the cloud, focussing on authentication, authorisation, provisioning/account management and encryption. Below a more elaborate blog post, originally in Dutch.

Taking care of security and privacy in the cloud yourself

When the risks of cloud computing are discussed, the security risks are often mentioned: after all, once data leaves your own infrastructure, a great deal of trust in the cloud provider is required. Contracts with the cloud provider therefore contain agreements on the security of data centres, who is responsible for the data, where the data is stored, how quickly outages are resolved, etc. This is of course important, but at least as important is paying attention to the technical measures taken by the cloud providers and to the measures an organisation can take itself to support the security of data and the protection of privacy in the cloud. This was the approach taken in a recent assignment for SURFnet, for which we produced an overview of these measures for their constituency of research and higher education institutions.


