Abbie Barbir, Ph.D. Rapporteur, Q10/17 Identity Management Question [email protected]

International Telecommunication Union Abbie Barbir, Ph.D. Rapporteur, Q10/17 Identity Management Question [email protected] ITU-T Security and Privacy International Cloud Symposium Washington DC October 2012


Transcript of Abbie Barbir, Ph.D. Rapporteur, Q10/17 Identity Management Question [email protected]

Page 1: Abbie Barbir, Ph.D. Rapporteur, Q10/17  Identity Management Question  Abbie.barbir@ties.itut

International Telecommunication Union

Abbie Barbir, Ph.D. Rapporteur, Q10/17 Identity Management Question [email protected]

ITU-T

Security and Privacy

International Cloud Symposium

Washington DC October 2012

Page 2: ITU-T Objectives

Develop and publish standards for global ICT interoperability

Identify areas for future standardization

Provide an attractive and effective forum for the development of international standards

Promote the value of ITU standards

Disseminate information and know-how

Cooperate and collaborate

Provide support and assistance

Page 3: ITU-T Key Features

Truly global public/private partnership

95% of work is done by private sector

Continuously adapting to market needs

Pre-eminent global ICT standards body

Page 4: ITU-T Study Groups

TSAG

SG 2: Numbering

SG 3: Tariffs

SG 5: Climate Change & EMC

SG 9: Cable TV

SG 11: Protocols & Testing

SG 12: Quality

SG 13: Future Networks

SG 15: Access & Transport Networks

SG 16: Multimedia

SG 17: Security

Page 5: Personally Identifiable Information (PII)

Privacy and protection of PII data are a key concern to the ITU-T (SG 17)

Recommendations published have identified security threats and provide guidelines in that area.

Recommendation ITU-T X.1171 identifies threats and requirements for PII protection in applications using tag-based identification.

Recommendation ITU-T X.1275 standardizes a possible privacy impact assessment (PIA) process for the entire RFID system

Joint Coordination Activity on Internet of Things (JCA-IoT)

Focus Group on Machine-to-Machine Service Layer

Page 6: SG 17 Questions involved in “privacy” studies

Question 3/17 “Telecommunications information security management”

Question 4/17 “Cybersecurity”

Question 6/17 “Security aspects of ubiquitous telecommunication services”

Question 7/17 “Secure application services”

Question 9/17 “Telebiometrics”

Question 10/17 “Identity management architecture and mechanisms”

Further candidate Questions could be

Question 8/17 “Cloud computing security”

Question 11/17 “Directory services, Directory systems, and public-key/attribute certificates”

Page 7: Definitions of Privacy in ITU-T Recommendations

Privacy

ITU-T X.1252 (04/2010) “Baseline identity management terms and definitions”: The right of individuals to control or influence what personal information related to them may be collected, managed, retained, accessed, and used or distributed.

ITU-T Y.2720 (01/2009) “NGN identity management framework”: The protection of personally identifiable information.

Page 8: Recommendation X.1171

Threats and requirements for protection of PII in applications using tag-based identification

[Figure: Basic model of a B2C application]

Page 9: X.1171 Threats

PII infringement through information leakage

Page 10: ITU-T X.1275

Guidelines on protection of personally identifiable information in the application of RFID technology

Privacy principles (based on privacy principles of: Council of Europe, EC Directive 95/46, EC Directive 2002/58/EC, OECD, and UNHCR)

Threats and infringements of PII in RFID

Typical RFID applications and possible threats to PII

Supply-chain management

Transportation and logistics

Healthcare and medical application

e-government

Information service

Guidelines on protection for personally identifiable information

Page 11: X.1275 RFID applications and threats to PII

| Field | Typical applications | Information in RFID tag | Possible privacy threats |
|---|---|---|---|
| Supply chain | Inventory management | Product | Tracking, profiling of persons performing inventory |
| Supply chain | Retail (e.g., supermarket) | Product | Tracking, profiling (after purchasing goods) |
| Transportation and logistics | Public transportation ticket | User's ID, charging, etc. | Tracking, profiling |
| Transportation and logistics | Highway toll | User's ID, charging, etc. | Tracking, profiling |
| Transportation and logistics | Vehicle tracking | Product | Tracking, profiling |
| Transportation and logistics | Fleet/container management | Product | Tracking, profiling of persons handling containers |
| Healthcare | Tracking patients | Patient's ID, medical history, etc. | Tracking, profiling, invisibility |
| Healthcare | Preventing medication errors | Patient's ID, medical history, prescription, etc. | Tracking, profiling |
| Healthcare | Blood or medicines tracking for anti-counterfeiting | Product | × |
| e-government | e-passport | People's ID, nationality, biometric | Tracking, profiling, counterfeiting PII |
| Information services | Smart poster | Product | × |

Page 12: Other Work

X.gpim

Draft Recommendation, Guideline for management of personally identifiable information for telecommunication organizations

Big Data view

Scope: provides a guideline for the management of PII in the context of telecommunications

Possibly joint work: liaison cooperation with ISO/IEC JTC 1/SC 27/WG 1

Page 13: Summary

Internet-of-Things (IoT), ubiquitous sensor networks (USN), Machine-to-Machine (M2M) and network aspects of identification systems, including RFID (NID) play an important role in ITU-T’s standardization activities.

Various ITU-T Study Groups and ITU-T initiatives are addressing RFID/NID, IoT, USN and M2M including the security aspects thereof; an initial suite of ITU-T Recommendations has already been developed in that domain and serves as a tool set for standard developers and implementers; yet the comprehensive subject is still emerging and forthcoming drafts are in preparation by the ITU-T Global Standards Initiative (GSI-IoT) where those standards are being developed in cooperation among the experts.

Privacy and protection of PII (personally identifiable information) data are a key concern, and the first set of ITU-T Recommendations published has identified security threats and provides guidelines in that area.

Recommendation ITU-T X.1171 identifies threats and requirements for PII protection in applications using tag-based identification.

Recommendation ITU-T X.1275 standardizes a possible privacy impact assessment (PIA) process for the entire RFID system.

Page 14: THANK YOU

For further information

http://www.itu.int/ITU-T

http://www.itu.int/ITU-T/studygroups/com17
