Understanding computer security

Few things in society and everyday life have changed in the last 10 years as much as the concept of security. From bank robberies to wars, what used to imply a great deal of violence is now silently happening on the Internet. Perhaps more strikingly, the very idea of privacy – a concept closely related to that of individual freedom – is undergoing such a profound revolution that people are suddenly unable to make rational and informed decisions: we protested for the introduction of RFID tags (Kelly and Erickson, 2005; Lee and Kim, 2006) and now we throw away en-masse most of our private information by subscribing to services (social media, free apps, cloud services), which have their reason of existence in the commerce of intimate personal data. The ICT revolution has changed the game, and the security paradigms that were suitable for people and systems just up to 10 years ago are now obsolete. It looks like we do not know what to replace them with. As of today, we keep patching systems but we do not understand how to make them reasonably secure (Rice, 2007); perhaps more importantly, we do not understand what reasonable privacy guarantees are for human beings, let alone how to enforce them. We do not understand how to combine accountability and freedom in this new world, in which firewalls and digital perimeters cannot guarantee security and privacy any longer. We believe that the root of the challenge that we face is understanding security and how information technology can enable and support such an understanding. And just like security is a broad, multidisciplinary topic covering technical as well as non-technical issues, the challenge of understanding security is a multifaceted one, spanning across a myriad of noteworthy topics. Here, we mention just three that we consider particularly important

Putting the "Account" into Cloud Accountability

Security concerns are often cited as the most prominent reason for not using cloud computing, but customers of cloud users, especially end-users, frequently do not understand the need to control access to personal information. On the other hand, some users might understand the risk, and yet have inadequate means to address it. In order to make the Cloud a viable alternative for all, accountability of the service providers is key, and with the advent of the EU General Data Protection Regulation (GDPR), ignoring accountability is something providers in the EU market will do at their peril. To be able to hold cloud service providers accountable for how they manage personal, sensitive and confidential information, there is a need for mechanisms that can mitigate risk, identify emerging risks, monitor policy violations, manage any incidents, and provide redress. We believe that being able to offer accountability as part of the service provision will represent a competitive edge for service providers catering to discerning cloud customers, also outside the GDPR sphere of influence. This paper will outline the fundamentals of accountability, and provide more details on what the actual "account'' is all about.publishedVersio

Watching Them Watching Us

Steve Wright argues that the process of watching official and unofficial surveillance activities, is guided by an “uneasy ethics.” It can never be a neutral behaviour since someone is benefitting or being dis-benefitted, from both being watched, or being the watcher. The role of the military, security, police, university, media entertainment, industrial complex is now core. Surveillance capacities are being rapidly expanded, whilst existing checks and balances prove both inadequate or in a state of erosion. What can be done in the face of such change and who will create the requisite reinforcement, the checks and balances to prevent surveillance remorselessly moving even further beyond the limits of the law? Wright argues that this is a core issue of applied ethics: it cannot and should not be a sterile exercise in social and political astronomy; not if constitutional democratic systems as we know them are to survive. He calls for a much wider debate on the notion of meaningful human control…and the crucial roles of both whistleblowing and research activis

Singapore’s Quarantine Rhetoric and Human Rights in Emergency Health Risks

When Severe Acute Respiratory Syndrome (SARS) began spreading in Asia in March 2003, many affected countries and areas scrambled to mobilize public health resources and rushed to find effective ways to contain the virus within their territories. In late March and April of the same year, the World Health Organization (WHO) added numerous East and Southeast Asian countries and regions to its list of areas affected by SARS: mainland China, Hong Kong, Vietnam, Singapore, and Taiwan. Singapore was among the first countries to eradicate SARS and was taken off the WHO list on May 30, 2003

Legal Identity between Artificial Intelligence and the Rule of Law

The present research will address the complex purpose of providing legal identity, included in the Sustainable Development Goal 16 which concerns "peace, justice and strong institutions" in connection with the wide issue of Artificial Intelligence. Furthermore, in a wider perspective the relevance of the principle of the rule of law also in this field must be underlined as the rule of law guarantees fundamental rights and values, allows the application of law, and supports an investment-friendly business environment. In this framework the principle of accountability plays a key role in the General Data Protection Regulation (GDPR) (art 25, para. 1): the data controller must account for the implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the data processing. In the same way a decisive role to prevent and limit violations of human rights is played by the informed consent as the GDPR requires data controllers to justify the collection and processing of personal data on some lawful bases. Controllers can obtain the consent of data subjects to justify this collection of data, but a number of criteria must be fulfilled before the consent can be valid