Reinstating Trust in the Digital Age

Prof. Jean-Henry Morin, University of Geneva – CUI, Institute of Information Service Science, Faculté des Sciences de la Société
[email protected] @jhmorin
PwC 5th Digital Trust Conference, Geneva, March 17, 2015

Transcript of Reinstating Trust in the Digital Age


Who has NEVER « worked around » security policies to legitimately complete work that systems prevented them from doing?

Security is bypassed, not attacked

Inspired by Adi Shamir, Turing Award lecture, 2002

Foreword: Human Factor

Outline

•  A bit of context and technology

•  3 eras of Trust

•  Revisiting technology

•  Co-Compliance Principle and Digital Responsibility

•  Conclusions & Take Away

•  Q & A

Context (I)

Organizations & Corporate sector

53% !!!

Organizations & Corporate Sector : Corporate Security Policies

53% admit circumventing corporate security policies to get the work done (EMC RSA Security, 2008)

Among the most cited reasons justifying circumventing corporate security policies (Cisco, 2008):

a)  Doesn’t correspond to the operational reality nor to what is required to get the work done

b)  Need to access applications not belonging to or authorized by corporate IT policies to work

Consequences: increase in risks and costs

•  Requires « creativity » to get the job done!

•  Increased stress due to unauthorized actions

•  Inefficiencies

•  Untraceable transgressions / violations

Information Protection & Control Today

Perimeter based and Access Control Lists (ACL). Beyond? Not much…

[Diagram: Mobile Worker, VPN, Corporate Network]

Context (II)

Entertainment & Media sector

© & the RIAA Scum Bird

http://bit.ly/akxivr

Technology

DRM

How did we get here… a dystopian scenario?

http://www.flickr.com/search/?q=DRM

3 eras of trust

•  Before – Suspicion

•  Today – Breach of Trust

•  Tomorrow – The rise of « informed Trust »

http://eloquentscience.com/wp-content/uploads/2012/05/past-present-future-sign1.jpg

< Before >

Suspicion & Distrust: 18th century, Jeremy Bentham’s Panopticon

A Paradox

We talked about Trust and Trusted Computing in the digital age… but everything relied on a distrust assumption

http://zatoichi.homeip.net/~brain/TrustedComputing.jpg

< Today >

Massive Breach of Trust

2013 = PRISM & Co.

< Tomorrow >

The rise of « Informed Trust »

Can IT be fixed?

•  Acknowledging that:

  •  Security is necessary (managed content)

  •  Total Security is neither realistic nor desirable

  •  Given the right User Experience and Business Models, most users smoothly comply (e.g., iTunes)

  •  Most users aren’t criminals

•  We need to take a step back to:

  •  Critically re-think Security, DRM, Trust

  •  Reconsider the debate outside the either/or extremes of total vs. no security

  •  Factor in, by design, these issues for the development of systems and services WE all use.

Rethinking & Redesigning

•  Acknowledge the central role of the User and User Experience

•  Reinstate Users in their roles, rights and responsibilities

•  Presumption of innocence & the burden of proof

•  Fundamental guiding principle to Rethink and Redesign DRM: Felten’s “Copyright Balance” principle (Felten, 2005)

“Since lawful use, including fair use, of copyrighted works is in the public interest, a user wishing to make lawful use of copyrighted material should not be prevented from doing so by any DRM system.”

•  Claim and Proposition:

  •  Put the trust back into the hands of the users

  •  Reverse the distrust assumption

Requires a major paradigm shift

From Utopia to Reality…

The Exception Management Model

Rethinking & Redesigning DRM

•  Exception Management in DRM environments, mixing water with fire? Not necessarily!

•  Reversing the distrust assumption puts the user “in charge”, facing his responsibilities

•  Allow users to make Exception Claims, granting them Short Lived Licenses based on some form of logging and monitoring

•  Use Credentials as tokens for logging to detect and monitor abuses

•  Credentials are revocable in order to deal with abuse and misuse situations

•  Mutually acknowledged need for managed content while allowing all actors a smooth usability experience

(Morin and Pawlak, 2007, 2008); (Morin 2008, 2009)

Exception Management in « managed content » environments

•  Auditable model covering incident and abuse detection as well as revocation

•  Burden of proof on the party having a justifiable “claim” regarding abuse or incidents & presumption of innocence

•  Monitoring in (near) real time of security policies
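The exception-management cycle described on the two slides above (exception claim, short-lived license, logged use, abuse detection, revocation), as an added Python sketch that is not part of the talk or of any product it mentions; the class names, the one-hour default TTL and the per-credential access threshold are assumptions.

```python
import time
from dataclasses import dataclass, field


@dataclass
class License:
    credential: str      # token identifying the user who made the claim
    resource: str
    justification: str   # kept for audit: the claimant carries the burden of proof
    expires_at: float    # short-lived: the exception does not outlive its reason


@dataclass
class ExceptionManager:
    ttl_seconds: float = 3600.0   # assumed default lifetime of an exception license
    abuse_threshold: int = 5      # assumed: accesses per credential tolerated before flagging
    licenses: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    revoked: set = field(default_factory=set)

    def claim_exception(self, credential, resource, justification, now=None):
        """Grant a short-lived license for a stated reason; refused if revoked or unjustified."""
        now = time.time() if now is None else now
        if credential in self.revoked or not justification.strip():
            self.audit_log.append(("claim_denied", credential, resource, now))
            return None
        lic = License(credential, resource, justification, now + self.ttl_seconds)
        self.licenses[(credential, resource)] = lic
        self.audit_log.append(("claim", credential, resource, now))
        return lic

    def access(self, credential, resource, now=None):
        """Every use under an exception is logged; expired or revoked ones are refused."""
        now = time.time() if now is None else now
        lic = self.licenses.get((credential, resource))
        ok = lic is not None and now <= lic.expires_at and credential not in self.revoked
        self.audit_log.append(("access" if ok else "access_denied", credential, resource, now))
        return ok

    def detect_abuse(self):
        """Monitoring over the audit log: credentials whose exception use exceeds the threshold."""
        counts = {}
        for event, credential, _resource, _now in self.audit_log:
            if event == "access":
                counts[credential] = counts.get(credential, 0) + 1
        return sorted(c for c, n in counts.items() if n > self.abuse_threshold)

    def revoke(self, credential, now=None):
        """Revocation: further claims and accesses by this credential are refused and logged."""
        self.revoked.add(credential)
        self.audit_log.append(("revoked", credential, "*", time.time() if now is None else now))
```

Abuse is flagged by monitoring rather than blocked up front, so the legitimate user is not prevented from working, while the log preserves the evidence needed if a claim is later disputed.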

Fasoo.com

Technology Transfer: Academic partnership with Fasoo.com

•  June 2011, Integration of the Exception Management model as « Provisional Licensing »

January 2015: 85% of companies using Fasoo Enterprise DRM provide Exception Management

Ongoing Work…

•  DRM, Security, Trust & Block Chain

•  Security Policy Design framework

Perspective…

•  Take into account the Human Factor by Design (People Centric Security, PCS [T. Scholtz, 2012])

•  Data Protection in a digital economy:

  – Awareness raising and training

  – The EU Data Protection reform: re-appropriation of data and personal information by the people

•  Public Policies and Digital Governance: Key success factors, Emergency!

To Trust or not to be …

http://world.edu/wp-content/uploads/2013/02/climate-change-skeptics.jpg

Digital Responsibility: Informed Trust & Transparency

Co-Compliance

•  Emerging principle relying on « Informed Trust » and « Transparency »

•  Co-Compliance (short for collaborative compliance): collaborative, shared responsibility enabled by digital technologies allowing both joint elaboration of a decision or action and the shared evaluation of its result.

Cost: Major paradigm shift!

(Morin, 2014)

Digital Responsibility

Some Key characteristics (evolving):

•  User Centered Design

•  Account for all stakeholders

•  Proportionality of the means to engage

•  Integrating the Human Factor

•  Openness and Transparency

•  Sharing and Collaboration

•  Limited and Humble use of the legal instrument

•  Leveraging sustainable public policies

(Morin, 2014)

Conclusion

•  Trust assumes leaving to humans the capacity to make free moral decisions (Exception by Design)

•  Trust isn’t blind (managed, informed)

•  We are facing a MAJOR challenge of our participative digital society

Is a socially responsible and sustainable approach to trust in the digital era possible ?

References

J.-H. Morin, “Rethinking DRM Using Exception Management”, chapter III in Handbook of Research on Secure Multimedia Distribution, S. Lian and Y. Zhang (Eds), Information Science Reference (ISR), ISBN: 978-1-60566-262-6, IGI Global, March 2009, pp 39-54.

http://www.igi-global.com/reference/details.asp?id=33143

J.-H. Morin, “Exception Based Enterprise Rights Management: Towards a Paradigm Shift in Information Security and Policy Management”, International Journal On Advances in Systems and Measurements, ISSN 1942-261X, vol. 1, no. 1, 2008, pp. 40-49.

http://www.iariajournals.org/systems_and_measurements/

J.-H. Morin, “La responsabilité numérique : Restaurer la confiance à l'ère du numérique”, FYP éditions, April 2014.

http://www.fypeditions.com/responsabilite-numerique/

Think(do)Tank on Service Science and Innovation http://thinkservices.info/ http://thinkdata.ch/

Swiss Digital Agenda National debate http://NumeriCH.ch/

Let’s be Digitally Responsible! Q & A

Contacts: Prof. Jean-Henry Morin

University of Geneva – CUI Institute of Information Service Science

Faculté des Sciences de la Société http://iss.unige.ch/

Jean-[email protected]

@jhmorin

http://ch.linkedin.com/in/jhmorin

http://www.slideshare.net/jhmorin

http://jean-henry.com/
