Challenges in Cybersecurity and Privacy - the European Research Landscape

Cybersecurity and Privacy issues are becoming an important barrier for a trusted and dependable global digital society development. Cyber-criminals are continuously shifting their cyber-attacks specially against cyber-physical systems and IoT, since they present additional vulnerabilities due to their constrained capabilities, their unattended nature and the usage of potential untrustworthiness components. Likewise, identity-theft, fraud, personal data leakages, and other related cyber-crimes are continuously evolving, causing important damages and privacy problems for European citizens in both virtual and physical scenarios. In this context, new holistic approaches, methodologies, techniques and tools are needed to cope with those issues, and mitigate cyberattacks, by employing novel cyber-situational awareness frameworks, risk analysis and modeling, threat intelligent systems, cyber-threat information sharing methods, advanced big-data analysis techniques as well as exploiting the benefits from latest technologies such as SDN/NFV and Cloud systems. In addition, novel privacy-preserving techniques, and crypto-privacy mechanisms, identity and eID management systems, trust services, and recommendations are needed to protect citizens’ privacy while keeping usability levels. The European Commission is addressing the challenge through different means, including the Horizon 2020 Research and Innovation program, thereby financing innovative projects that can cope with the increasing cyberthreat landscape. This book introduces several cybersecurity and privacy research challenges and how they are being addressed in the scope of 15 European research projects. Each chapter is dedicated to a different funded European Research project, which aims to cope with digital security and privacy aspects, risks, threats and cybersecurity issues from a different perspective. Each chapter includes the project’s overviews and objectives, the particular challenges they are covering, research achievements on security and privacy, as well as the techniques, outcomes, and evaluations accomplished in the scope of the EU project. The book is the result of a collaborative effort among relative ongoing European Research projects in the field of privacy and security as well as related cybersecurity fields, and it is intended to explain how these projects meet the main cybersecurity and privacy challenges faced in Europe. Namely, the EU projects analyzed in the book are: ANASTACIA, SAINT, YAKSHA, FORTIKA, CYBECO, SISSDEN, CIPSEC, CS-AWARE. RED-Alert, Truessec.eu. ARIES, LIGHTest, CREDENTIAL, FutureTrust, LEPS. Challenges in Cybersecurity and Privacy - the European Research Landscape is ideal for personnel in computer/communication industries as well as academic staff and master/research students in computer science and communications networks interested in learning about cyber-security and privacy aspects

Blockchain for Transparent Data Management Toward 6G

The wealth of user data acts as a fuel for network intelligence toward the sixth generation wireless networks (6G). Due to data heterogeneity and dynamics, decentralized data management (DM) is desirable for achieving transparent data operations across network domains, and blockchain can be a promising solution. However, the increasing data volume and stringent data privacy-preservation requirements in 6G bring significantly technical challenge to balance transparency, efficiency, and privacy requirements in decentralized blockchain-based DM. In this paper, we investigate blockchain solutions to address the challenge. First, we explore the consensus protocols and scalability mechanisms in blockchains and discuss the roles of DM stakeholders in blockchain architectures. Second, we investigate the authentication and authorization requirements for DM stakeholders. Third, we categorize DM privacy requirements and study blockchain-based mechanisms for collaborative data processing. Subsequently, we present research issues and potential solutions for blockchain-based DM toward 6G from these three perspectives. Finally, we conclude this paper and discuss future research directions.Huawei Technologies Canada || Natural Sciences and Engineering Research Council of Canad

Challenges in Cybersecurity and Privacy - the European Research Landscape

Cybersecurity and Privacy issues are becoming an important barrier for a trusted and dependable global digital society development. Cyber-criminals are continuously shifting their cyber-attacks specially against cyber-physical systems and IoT, since they present additional vulnerabilities due to their constrained capabilities, their unattended nature and the usage of potential untrustworthiness components. Likewise, identity-theft, fraud, personal data leakages, and other related cyber-crimes are continuously evolving, causing important damages and privacy problems for European citizens in both virtual and physical scenarios. In this context, new holistic approaches, methodologies, techniques and tools are needed to cope with those issues, and mitigate cyberattacks, by employing novel cyber-situational awareness frameworks, risk analysis and modeling, threat intelligent systems, cyber-threat information sharing methods, advanced big-data analysis techniques as well as exploiting the benefits from latest technologies such as SDN/NFV and Cloud systems. In addition, novel privacy-preserving techniques, and crypto-privacy mechanisms, identity and eID management systems, trust services, and recommendations are needed to protect citizens’ privacy while keeping usability levels. The European Commission is addressing the challenge through different means, including the Horizon 2020 Research and Innovation program, thereby financing innovative projects that can cope with the increasing cyberthreat landscape. This book introduces several cybersecurity and privacy research challenges and how they are being addressed in the scope of 15 European research projects. Each chapter is dedicated to a different funded European Research project, which aims to cope with digital security and privacy aspects, risks, threats and cybersecurity issues from a different perspective. Each chapter includes the project’s overviews and objectives, the particular challenges they are covering, research achievements on security and privacy, as well as the techniques, outcomes, and evaluations accomplished in the scope of the EU project. The book is the result of a collaborative effort among relative ongoing European Research projects in the field of privacy and security as well as related cybersecurity fields, and it is intended to explain how these projects meet the main cybersecurity and privacy challenges faced in Europe. Namely, the EU projects analyzed in the book are: ANASTACIA, SAINT, YAKSHA, FORTIKA, CYBECO, SISSDEN, CIPSEC, CS-AWARE. RED-Alert, Truessec.eu. ARIES, LIGHTest, CREDENTIAL, FutureTrust, LEPS. Challenges in Cybersecurity and Privacy - the European Research Landscape is ideal for personnel in computer/communication industries as well as academic staff and master/research students in computer science and communications networks interested in learning about cyber-security and privacy aspects

EU Privacy seals project: Challenges and Possible Scope of an EU Privacy Seal Scheme. Final Report Study Deliverable 3.4

The objective of this report is focus on the challenges of implementing an effective EU privacy seal and its possible scope. It returns the focus to privacy and data protection, and presents further groundwork to feed into Task 4 of the Study (Proposals and evaluation of options for an EU-wide privacy seals scheme). Where relevant, research results and analyses of Tasks 1 and 2 are used. First, the report assesses the gaps in current privacy seal sector. Next, it highlights the advantages of, priorities for and possible scope of an EU privacy seal scheme. Eventually, four case studies (CCTV systems, cloud services, smart metering systems and biometric systems) illustrate the possible scope of an EU privacy seal scheme and demonstrate whether an EU privacy seals scheme would bring any added value to privacy and data protection.JRC.G.6-Digital Citizen Securit

Hajusraamatutehnoloogia kasutuselevõtu õiguslikud takistused: tehnoloogia neutraalsuse ja funktsionaalse samaväärsuse põhimõtetele tuginev analüüs

Väitekirja elektrooniline versioon ei sisalda publikatsiooneKäesolev väitekiri käsitleb hajusraamatutehnoloogia (HT) kohtlemist Eesti ja EL õiguse alusel konkreetsete kasutusjuhtude näitel. HT on “mitmeotstarbeline tehnoloogia”, millel on rida erinevaid kasutusvõimalusi, sh. selle kõige tuntumad näited nagu plokiahelatehnoloogia ning bitimünt. Kuivõrd olemasolev õigusraamistik on loodud tsentraliseeritud infrastruktuuride ning mitte hajutatud andmestruktuuride jaoks nagu seda on HT, siis tihtipeale takistab olemasolev õigusraamistik HT kasutamist selles sisalduvate nii otseste kui ka kaudsete kallutatud nõuete tõttu. Nimetatud dissonants on sarnane analoogmaailma jaoks loodud õigusnormide takistava mõjuga digitaalsete lahenduste kasutuselevõtmisel. Seega ei ole väitekirjas käsitletavad takistused vaid HT-le omased vaid seotud iga uue tehnoloogia kasutuselevõtuga. Toodud probleemi uuritakseväitekirjas kolme konkreetse HT kasutusjuhu pinnal: (i) bitimündi vahetusteenuse osutamine; (ii) HT-põhise osanike nimekirja pidamine ; (iii) HT-põhise hübriid-targa lepingu ning elektroonilise allkirja kasutamine. Uurimise mõõdupuuna kasutatakse tehnoloogia neutraalsuse põhimõtet ning funktsionaalse samaväärsuse alampõhimõtet, et tuvastada kallutatud nõudeid ning piirata riigivõimu voli eelistada konkreetseid tehnoloogiaid samas teisi tehnoloogiaid diskrimineerides. HT kasutusjuhtude pinnal saab järeldada, et olemasolev õigsraamistik ei ole tehnoloogia-neutraalne ning eelistab tsentraliseeritud lahendusi ning ei taga HT-põhistele funktsionaalselt samaväärsetele lahendustele samaväärset kohtlemist. Arvestades toodud järeldusi uuritakse väitekirjas ka kallutatud nõuete põhjuseid ning strateegiaid kuidas jätkusuutlikult lahendada kallutatusest tekkinud takistused HT kasutusele. Väitekirja teema on oluline arvestades ka 2020. aasta lõpus avaldatud EL-i digitaalse finantspaketi määruste eesmärki, milleks on toetada HT kasutuselevõttu EL-is.This dissertation focuses on the treatment of distributed ledger technology (DLT) applications under the existing regulation in Estonia and the EU based on the analysis of specific use cases. The existing regulatory frameworks in most jurisdictions were built for centralized infrastructures and not for distributed ones, such as built on DLT. Consequently, current legal frameworks may inhibit the use of DLT due to either apparent or non-apparent biases written into the regulation. DLT on the other hand represents a “general-purpose technology” that, therefore, has abundance of applications including its most well known examples of blockchain and Bitcoin. The discrepancy between old rules and new tools is nothing new as the development of the digital world in comparison to the physical world led to the same problem. Therefore, the research problem addressed in the dissertation is not specific to DLT, but linked to the uptake of any new technology. With the aim to explore the potentially inhibiting effect of existing regulation, specific DLT use cases are investigated: (i) bitcoin exchange-service provision; (ii) DLT-based shareholder ledger maintenance and (iii) use of DLT-based electronic signature and hybrid smart contract agreements. In this exploration, the principle of technology neutrality and its sub-principle of functional equivalence are utilized as benchmarks for the identification of biases. The aim of these principles is to prohibit regulators from favouring some technologies and discriminating against others. The use case analyses show that some of the existing regulation is not technology-neutral due to inbound bias for centralized solutions. Furthermore, effects equivalence is not granted by existing regulation to functionally equivalent DLT-based solutions. Against this background, the dissertation discusses the reasons for these biases and regulative strategies to resolve these in a sustainable manner. The dissertation is especially relevant considering the goal of the proposed EU regulations of the Digital Finance Package introduced in late 2020 to promote the use of DLT in the EU.https://www.ester.ee/record=b542731

Self-sovereign identity decentralized identifiers, claims and credentials using non decentralized ledger technology

Dissertação de mestrado integrado em Engenharia InformáticaCurrent identity management systems rely on centralized databases to store user’s personal data, which poses a great risks for data security, as these infrastructure create a critical point of failure for the whole system. Beside that service providers have to bear huge maintenance costs and comply with strict data protection regulations. Self-sovereign identity (SSI) is a new identity management paradigm that tries to answer some of these problems by providing a decentralized user-centric identity management system that gives users full control of their personal data. Some of its underlying concepts include Decentralized Identifiers (DIDs), Verifiable Claims and Credentials. This approach does not rely on any central authority to enforce trust as it often uses Blockchain or other Decentralized Ledger Technologies (DLT) as the trust anchor of the system, although other decentralized network or databases could also be used for the same purpose. This thesis focuses on finding alternative solutions to DLT, in the context of SSI. Despite being the most used solution some DLTs are known to lack scalability and performance, and since a global identity management system heavily relies on these two requirements it might not be the best solution to the problem. This document provides an overview of the state of the art and main standards of SSI, and then focuses on a non-DLT approach to SSI, referencing non-DLT implementations and alternative decentralized infrastructures that can be used to replace DLTs in SSI. It highlights some of the limitations associated with using DLTs for identity management and presents a SSI framework based on decentralized names systems and networks. This framework couples all the main functionalities needed to create different SSI agents, which were showcased in a proof of concept application.Actualmente os sistemas de gestão de identidade digital estão dependentes de bases de dados centralizadas para o armazenamento de dados pessoais dos seus utilizadores. Isto representa um elevado risco de segurança, uma vez que estas infra-estruturas representam um ponto crítico de falha para todo o sistema. Para além disso os service providers têm que suportam elevados custos de manutenção para armazenar toda esta informaçao e ainda são obrigados a cumprir as normas de protecção de dados existentes. Self-sovereign identity (SSI) é um novo paradigma de identidade digital que tenta dar resposta a alguns destes problemas, criando um sistema focado no utilizador e totalmente descentralizado que oferece aos utilizadores total controlo sobre os seus dados pessoais. Alguns dos conceitos subjacentes incluem Decentalized Identifiers (DIDs), Verifiable Credentials e Presentations. Esta abordagem não depende de qualquer autoridade central para estabelecer confiança, dado que utiliza Blockchains ou outras Decentralized Ledger Technilogies (DLT) como âncora de confiança do sistema. No entanto outras redes ou bases de dados descentralizadas podem também ser utilizadas para alcançar o mesmo objectivo. Esta tese concentra-se em encontrar soluções alternativas para a DLT no âmbito da SSI. Apesar de esta ser a solução mais utilizada, sabe-se que algumas DLTs carecem de escalabilidade e desempenho. Sendo que um sistema de identidade digital com abrangência global dependerá bastante destes dois requisitos, esta pode não ser a melhor solução. Este documento fornece uma visão geral do estado da arte e principais standards da SSI, focando-se de seguida numa abordagem não DLT, que inclui uma breve referência a implementações não-DLT e tecnologias alternativas que poderão ser utilizadas para substituir as DLTs na SSI. Alem disso aborda algumas das principais limitações associadas ao uso de DLTs na gestão de identidades digitais e apresenta uma framework baseada em name systems e redes descentralizadas. Esta framework inclui as principais funcionalidades necessárias para implementar os diferentes agentes SSI, que foram demonstradas através de algumas aplicações proof of concept

Data Privacy and Trust in Cloud Computing

This open access book brings together perspectives from multiple disciplines including psychology, law, IS, and computer science on data privacy and trust in the cloud. Cloud technology has fueled rapid, dramatic technological change, enabling a level of connectivity that has never been seen before in human history. However, this brave new world comes with problems. Several high-profile cases over the last few years have demonstrated cloud computing's uneasy relationship with data security and trust. This volume explores the numerous technological, process and regulatory solutions presented in academic literature as mechanisms for building trust in the cloud, including GDPR in Europe. The massive acceleration of digital adoption resulting from the COVID-19 pandemic is introducing new and significant security and privacy threats and concerns. Against this backdrop, this book provides a timely reference and organising framework for considering how we will assure privacy and build trust in such a hyper-connected digitally dependent world. This book presents a framework for assurance and accountability in the cloud and reviews the literature on trust, data privacy and protection, and ethics in cloud computing

Blockchain in Education

This report introduces the fundamental principles of the Blockchain focusing on its potential for the education sector. It explains how this technology may both disrupt institutional norms and empower learners. It proposes eight scenarios for the application of the Blockchain in an education context, based on the current state of technology development and deployment.JRC.B.4-Human Capital and Employmen

Data Spaces

This open access book aims to educate data space designers to understand what is required to create a successful data space. It explores cutting-edge theory, technologies, methodologies, and best practices for data spaces for both industrial and personal data and provides the reader with a basis for understanding the design, deployment, and future directions of data spaces. The book captures the early lessons and experience in creating data spaces. It arranges these contributions into three parts covering design, deployment, and future directions respectively. The first part explores the design space of data spaces. The single chapters detail the organisational design for data spaces, data platforms, data governance federated learning, personal data sharing, data marketplaces, and hybrid artificial intelligence for data spaces. The second part describes the use of data spaces within real-world deployments. Its chapters are co-authored with industry experts and include case studies of data spaces in sectors including industry 4.0, food safety, FinTech, health care, and energy. The third and final part details future directions for data spaces, including challenges and opportunities for common European data spaces and privacy-preserving techniques for trustworthy data sharing. The book is of interest to two primary audiences: first, researchers interested in data management and data sharing, and second, practitioners and industry experts engaged in data-driven systems where the sharing and exchange of data within an ecosystem are critical

“And all the pieces matter...” Hybrid Testing Methods for Android App's Privacy Analysis

Smartphones have become inherent to the every day life of billions of people worldwide, and they are used to perform activities such as gaming, interacting with our peers or working. While extremely useful, smartphone apps also have drawbacks, as they can affect the security and privacy of users. Android devices hold a lot of personal data from users, including their social circles (e.g., contacts), usage patterns (e.g., app usage and visited websites) and their physical location. Like in most software products, Android apps often include third-party code (Software Development Kits or SDKs) to include functionality in the app without the need to develop it in-house. Android apps and third-party components embedded in them are often interested in accessing such data, as the online ecosystem is dominated by data-driven business models and revenue streams like advertising. The research community has developed many methods and techniques for analyzing the privacy and security risks of mobile apps, mostly relying on two techniques: static code analysis and dynamic runtime analysis. Static analysis analyzes the code and other resources of an app to detect potential app behaviors. While this makes static analysis easier to scale, it has other drawbacks such as missing app behaviors when developers obfuscate the app’s code to avoid scrutiny. Furthermore, since static analysis only shows potential app behavior, this needs to be confirmed as it can also report false positives due to dead or legacy code. Dynamic analysis analyzes the apps at runtime to provide actual evidence of their behavior. However, these techniques are harder to scale as they need to be run on an instrumented device to collect runtime data. Similarly, there is a need to stimulate the app, simulating real inputs to examine as many code-paths as possible. While there are some automatic techniques to generate synthetic inputs, they have been shown to be insufficient. In this thesis, we explore the benefits of combining static and dynamic analysis techniques to complement each other and reduce their limitations. While most previous work has often relied on using these techniques in isolation, we combine their strengths in different and novel ways that allow us to further study different privacy issues on the Android ecosystem. Namely, we demonstrate the potential of combining these complementary methods to study three inter-related issues: • A regulatory analysis of parental control apps. We use a novel methodology that relies on easy-to-scale static analysis techniques to pin-point potential privacy issues and violations of current legislation by Android apps and their embedded SDKs. We rely on the results from our static analysis to inform the way in which we manually exercise the apps, maximizing our ability to obtain real evidence of these misbehaviors. We study 46 publicly available apps and find instances of data collection and sharing without consent and insecure network transmissions containing personal data. We also see that these apps fail to properly disclose these practices in their privacy policy. • A security analysis of the unauthorized access to permission-protected data without user consent. We use a novel technique that combines the strengths of static and dynamic analysis, by first comparing the data sent by applications at runtime with the permissions granted to each app in order to find instances of potential unauthorized access to permission protected data. Once we have discovered the apps that are accessing personal data without permission, we statically analyze their code in order to discover covert- and side-channels used by apps and SDKs to circumvent the permission system. This methodology allows us to discover apps using the MAC address as a surrogate for location data, two SDKs using the external storage as a covert-channel to share unique identifiers and an app using picture metadata to gain unauthorized access to location data. • A novel SDK detection methodology that relies on obtaining signals observed both in the app’s code and static resources and during its runtime behavior. Then, we rely on a tree structure together with a confidence based system to accurately detect SDK presence without the need of any a priory knowledge and with the ability to discern whether a given SDK is part of legacy or dead code. We prove that this novel methodology can discover third-party SDKs with more accuracy than state-of-the-art tools both on a set of purpose-built ground-truth apps and on a dataset of 5k publicly available apps. With these three case studies, we are able to highlight the benefits of combining static and dynamic analysis techniques for the study of the privacy and security guarantees and risks of Android apps and third-party SDKs. The use of these techniques in isolation would not have allowed us to deeply investigate these privacy issues, as we would lack the ability to provide real evidence of potential breaches of legislation, to pin-point the specific way in which apps are leveraging cover and side channels to break Android’s permission system or we would be unable to adapt to an ever-changing ecosystem of Android third-party companies.The works presented in this thesis were partially funded within the framework of the following projects and grants: • European Union’s Horizon 2020 Innovation Action program (Grant Agreement No. 786741, SMOOTH Project and Grant Agreement No. 101021377, TRUST AWARE Project). • Spanish Government ODIO NºPID2019-111429RB-C21/PID2019-111429RBC22. • The Spanish Data Protection Agency (AEPD) • AppCensus Inc.This work has been supported by IMDEA Networks InstitutePrograma de Doctorado en Ingeniería Telemática por la Universidad Carlos III de MadridPresidente: Srdjan Matic.- Secretario: Guillermo Suárez-Tangil.- Vocal: Ben Stoc