3,582 research outputs found

    On Technology Neutral Policies for E–identity: a Critical Reflection Based on UK Identity Policy

    This paper reviews the arguments for technology neutral e–identity policies. It uses the recent experience of identity policy in the UK, as well as a consideration of technological developments, to distinguish between two perspectives on technology neutral policies: legal and technological. Whilst the legal perspective on technology neutrality is intended to provide legal certainty, it fails to address discontinuous technological developments such as zero–knowledge systems and risk based assessments of identity and attribute claims. These are transforming the basis of identity policies and highlight the challenges of proposing technology neutral identity policies in law. The paper then applies the technological critique of technology neutrality to review a recent study on identity, authentication and signature policy in the EU

    Activity-Aware Electrocardiogram-based Passive Ongoing Biometric Verification

    Identity fraud due to lost, stolen or shared information or tokens that represent an individual's identity is becoming a growing security concern. Biometric recognition - the identification or verification of claimed identity, shows great potential in bridging some of the existing security gaps. It has been shown that the human Electrocardiogram (ECG) exhibits sufficiently unique patterns for use in biometric recognition. But it also exhibits significant variability due to stress or activity, and signal artifacts due to movement. In this thesis, we develop a novel activity-aware ECG-based biometric recognition scheme that can verify/identify under different activity conditions. From a pattern recognition standpoint, we develop algorithms for preprocessing, feature extraction and probabilistic classification. We pay particular attention to the applicability of the proposed scheme in ongoing biometric verification of claimed identity. Finally we propose a wearable prototype architecture of our scheme

    Defining Security Requirements with the Common Criteria: Applications, Adoptions, and Challenges

    Advances of emerging Information and Communications Technology (ICT) technologies push the boundaries of what is possible and open up new markets for innovative ICT products and services. The adoption of ICT products and systems with security properties depends on consumers' confidence and markets' trust in the security functionalities and whether the assurance measures applied to these products meet the inherent security requirements. Such confidence and trust are primarily gained through the rigorous development of security requirements, validation criteria, evaluation, and certification. Common Criteria for Information Technology Security Evaluation (often referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for cyber security certification. In this paper, we conduct a systematic review of the CC standards and its adoptions. Adoption barriers of the CC are also investigated based on the analysis of current trends in security evaluation. Specifically, we share the experiences and lessons gained through the recent Development of Australian Cyber Criteria Assessment (DACCA) project that promotes the CC among stakeholders in ICT security products related to specification, development, evaluation, certification and approval, procurement, and deployment. Best practices on developing Protection Profiles, recommendations, and future directions for trusted cybersecurity advancement are presented

    Assessing the Effectiveness of a Fingerprint Biometric and a Biometric Personal Identification Number (BIO-PIN™) when used as a Multi-Factor Authentication Mechanism

    The issue of traditional user authentication methods, such as username/passwords, when accessing information systems, the Internet, and Web-based applications still poses significant vulnerabilities. The problem of user authentication including physical and logical access appears to have limited, if any, coverage in research from the perspective of biometric as ‘something the user knows.’ Previous methods of establishing one’s identity by using a password, or presenting a token or identification (ID) card are vulnerable to circumvention by misplacement or unauthorized sharing. The need for reliable user authentication techniques has increased in the wake of heightened concerns about information security and rapid advancements in networking, communication, and mobility. The main goal of this research study was to examine the role of the authentication method (BIO-PIN™ or username/password) and time, on the effectiveness of authentication, as well as the users’ ability to remember the BIO-PIN™ versus username/password (UN/PW). Moreover, this study compared the BIO-PIN™ with a traditional multi-factor biometric authentication using multiple fingerprints (without sequence) and a numerical PIN sequence (noted as BIO+PIN). Additionally, this research study examined the authentication methods when controlled for age, gender, user’s computer experience, and number of accounts. This study used a quasi-experimental multiple baseline design method to evaluate the effectiveness of the BIO-PIN™ authentication method. The independent, dependent, and control variables were addressed using descriptive statistics and Multivariate Analysis of Variance (MANOVA) statistical analysis to compare the BIO-PIN™, the BIO+PIN, and UN/PW authentication methods for research questions (RQs) 1 and 2. Additionally, the Multivariate Analysis of Covariance (MANCOVA) was used to address RQ 3 and RQ4, which seek to test any differences when controlled by age, gender, user experience, and number of accounts. This research study was conducted over a 10-week period with participant engagement occurring over time including a registration week and in intervals of 2 weeks, 3 weeks, and 5 weeks. This study advances the current research in multi-factor biometric authentication and increases the body of knowledge regarding users’ ability to remember industry standard UN/PWs, the BIO-PIN™ sequence, and traditional BIO+PIN

    Prospect patents, data markets, and the commons in data-driven medicine : openness and the political economy of intellectual property rights

    Scholars who point to political influences and the regulatory function of patent courts in the USA have long questioned the courts’ subjective interpretation of what ‘things’ can be claimed as inventions. The present article sheds light on a different but related facet: the role of the courts in regulating knowledge production. I argue that the recent cases decided by the US Supreme Court and the Federal Circuit, which made diagnostics and software very difficult to patent and which attracted criticism for a wealth of different reasons, are fine case studies of the current debate over the proper role of the state in regulating the marketplace and knowledge production in the emerging information economy. The article explains that these patents are prospect patents that may be used by a monopolist to collect data that everybody else needs in order to compete effectively. As such, they raise familiar concerns about failure of coordination emerging as a result of a monopolist controlling a resource such as datasets that others need and cannot replicate. In effect, the courts regulated the market, primarily focusing on ensuring the free flow of data in the emerging marketplace very much in the spirit of the ‘free the data’ language in various policy initiatives, yet at the same time with an eye to boost downstream innovation. In doing so, these decisions essentially endorse practices of personal information processing which constitute a new type of public domain: a source of raw materials which are there for the taking and which have become most important inputs to commercial activity. From this vantage point of view, the legal interpretation of the private and the shared legitimizes a model of data extraction from individuals, the raw material of information capitalism, that will fuel the next generation of data-intensive therapeutics in the field of data-driven medicine

    Perceiving is Believing. Authentication with Behavioural and Cognitive Factors

    Most computer users have experienced login problems such as forgetting passwords, losing token cards and authentication dongles, failing that complicated screen pattern once again, as well as interaction difficulties in usability. Facing the difficulties of non-flexible strong authentication solutions, users tend to react with poor acceptance or to relax the assumed correct use of authentication procedures and devices, rendering the intended security useless. Biometrics can, sort of, solve some of those problems. However, despite the vast research, there is no perfect solution into designing a secure strong authentication procedure, falling into a trade off between intrusiveness, effectiveness, contextual adequacy and security guarantees. Taking advantage of new technology, recent research on multi-modal, behavioural and cognitive oriented authentication proposals has sought to optimize trade off towards precision and convenience, reducing intrusiveness for the same amount of security. But these solutions also fall short with respect to different scenarios. Users currently perform multiple authentications every day, through multiple devices, in a panoply of different situations, involving different resources and diverse usage contexts, with no "better authentication solution" for all possible purposes. The proposed framework enhances the recent research in user authentication services with a broader view on the problems involving each solution, towards a usable secure authentication methodology combining and exploring the strengths of each method. It will then be used to prototype instances of new dynamic multifactor models (including novel models of behavioural and cognitive biometrics), materializing the PiB (perceiving is believing) authentication. Ultimately we show how the proposed framework can be smoothly integrated in applications and other authentication services and protocols, namely in the context of SSO Authentication Services and OAuth

    Algorithmic Jim Crow

    This Article contends that current immigration- and security-related vetting protocols risk promulgating an algorithmically driven form of Jim Crow. Under the “separate but equal” discrimination of a historic Jim Crow regime, state laws required mandatory separation and discrimination on the front end, while purportedly establishing equality on the back end. In contrast, an Algorithmic Jim Crow regime allows for “equal but separate” discrimination. Under Algorithmic Jim Crow, equal vetting and database screening of all citizens and noncitizens will make it appear that fairness and equality principles are preserved on the front end. Algorithmic Jim Crow, however, will enable discrimination on the back end in the form of designing, interpreting, and acting upon vetting and screening systems in ways that result in a disparate impact