www.centrenational-rfid.com
Evaluation d’Impact sur la Vie Privée des Applications RFID (Privacy Impact Assessment of RFID Applications)
Les journées thématiques du CNRFID (CNRFID thematic days), Paris, 18 March 2015


Agenda
Introduction: RFID and privacy; the RFID operator
Legal environment: Charter of Fundamental Rights of the European Union; Directive 95/46/EC and the French “Loi Informatique et Libertés”; Recommendation 2009/387/EC, Mandate M/436 and EN 16571; the future European Regulation
Privacy Impact Assessment (PIA/EIVP): PIA levels; the PIA process in 9 steps
Risk analysis: data, threats, vulnerabilities, countermeasures, residual risk; EN 16571 / ISO 27005 vs. EBIOS
EN 16571 Registration Authority; CSL/CNRFID software

Introduction: privacy concept
Privacy is a fuzzy concept, but it can be summarized as “the claim of individuals to determine for themselves when, how and to what extent information about them is communicated to others”.
Information: personal data.
Data protection: the collection, accuracy, protection and use of data collected by an organization.
Data security: the protection of the collected data.
Notion of personal consent: opt-in or opt-out.
Personal data and privacy classification:
Physical (body integrity)
Personal behaviour (political, religious, sexual, …)
Personal communications (phone, emails, social networks, …)
Personal information (gender, age, …)
Spatial privacy (locations, travels, …)

Introduction: RFID everywhere?
Citizens use more and more RFID technologies: ticketing (transportation and events), payment (small amounts without PIN code), identity (passport, driving licence), NFC applications…
Citizens are surrounded by RFID tags: everyday products (textile, library books, …), luxury goods (authentication, certificates, …); the technology was first developed for logistics, inventory, article surveillance, …
Data can identify people directly (name, address, etc.; these first use cases generally rely on secured HF protocols), or indirectly: unique identifiers (TID, EPC, …) which, combined with other data, can impact privacy.

Privacy, Security, data protection


Introduction: RFID operator
The definition is given in Recommendation 2009/387/EC: “‘RFID application operator’ or ‘operator’ means the natural or legal person, public authority, agency, or any other body, which, alone or jointly with others, determines the purposes and means of operating an application, including controllers of personal data using a RFID application”.
This covers organizations that read RFID tags as well as organizations that write (encode) tags.
The RFID operator is responsible for implementing a PIA.

Privacy: European regulations
Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, transposed into French national law as the “Loi Informatique et Libertés”.
Charter of Fundamental Rights of the EU (2000/C 364/01), Art. 8, right to the protection of personal data:
“Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.”
In France, that authority is the CNIL.

Privacy: European regulations
Recommendation 2009/387/EC. Anticipating massive RFID deployment, the European Commission issued a Recommendation in May 2009 “on the implementation of privacy and data protection principles in applications supported by RFID”.
Title: data protection, not only personal data.
Definition and scope: all RFID technologies (NFC and contactless smart cards included); all kinds of application, including governmental applications, exceptions being rare. For the retail sector (direct link to the consumer) there are rules on when deactivation of the tag is required.

Privacy (European Recommendation): focus on tag deactivation at the point of sale
Once the tag leaves the “controlled domain”:
Logical deactivation:
Secured deactivation (kill command protected by per-tag passwords)
Unsecured deactivation (kill with a single password shared by the entire application: whoever learns it can kill every tag)
Reduced read range (questionable as a deactivation)
Hardware deactivation:
Tag destruction (strong electromagnetic field, …)
Tag removal
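The difference between the two logical-deactivation options above, as an added Python model that is not part of the slides or of any CNRFID material. EPC Gen2 tags carry a 32-bit kill password and refuse the Kill command when that password is zero; the Tag class, the master key, the TIDs and the ten-tag fleet are constructed for the illustration, and deriving each tag's password as an HMAC of a master key and the chip's TID is one common diversification approach, not something EN 16571 or the Recommendation prescribes.

```python
import hashlib
import hmac

# Added illustration: the EPC Gen2 kill password is a 32-bit value; a
# tag whose kill password is zero will not execute Kill at all.
KILL_PW_BITS = 32
KILL_PW_MASK = (1 << KILL_PW_BITS) - 1


def derive_kill_password(master_key: bytes, tid: bytes) -> int:
    """Per-tag kill password: HMAC-SHA256(master_key, "kill" || TID) truncated to 32 bits.

    Diversifying on the chip's unique TID means a password recovered from one
    tag (eavesdropped Kill, readable reserved bank, ...) is useless against every
    other tag. A zero result is nudged to 1 so the tag still accepts Kill.
    """
    if len(master_key) < 16:
        raise ValueError("master key must be at least 128 bits")
    mac = hmac.new(master_key, b"kill" + tid, hashlib.sha256).digest()
    pw = int.from_bytes(mac[:4], "big") & KILL_PW_MASK
    return pw or 1


class Tag:
    """Minimal model of a Gen2 tag's kill behaviour (constructed for the example)."""

    def __init__(self, tid: bytes, kill_password: int):
        self.tid = tid
        self._kill_password = kill_password & KILL_PW_MASK
        self.killed = False

    def kill(self, password: int) -> bool:
        # Gen2: a tag with a zero kill password shall not execute Kill;
        # otherwise the 32-bit password must match exactly.
        if self._kill_password == 0 or password != self._kill_password:
            return False
        self.killed = True
        return True


def build_fleet(master_key: bytes, tids, diversified: bool):
    """Same TIDs, two policies: one application-wide password vs. per-tag derivation."""
    app_wide = derive_kill_password(master_key, b"application-wide")  # the "one password" case
    return [
        Tag(tid, derive_kill_password(master_key, tid) if diversified else app_wide)
        for tid in tids
    ]


def blast_radius(tags, leaked_password: int) -> int:
    """How many tags an attacker can kill with a single leaked password."""
    return sum(1 for t in tags if t.kill(leaked_password))


def leaked_password_blast_radius(diversified: bool) -> int:
    # Constructed fleet: a 256-bit master key (in practice held in an HSM/KMS,
    # never on the reader) and ten TIDs sharing a vendor prefix.
    master_key = bytes(range(32))
    tids = [bytes.fromhex("E2801105200000") + bytes([serial]) for serial in range(10)]
    tags = build_fleet(master_key, tids, diversified)
    leaked = tags[3]._kill_password          # attacker recovers one tag's password
    return blast_radius(tags, leaked)


if __name__ == "__main__":
    print("shared password, tags killed:", leaked_password_blast_radius(False))
    print("diversified password, tags killed:", leaked_password_blast_radius(True))
```

With the shared password the leak takes down the whole fleet; with per-tag derivation it takes down exactly the tag it came from. The reader still needs the master key (or a derivation service) to compute a tag's password at the point of sale, which is what makes the secured variant an operational commitment rather than a configuration flag.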

Privacy (Recommendation)
The Recommendation does not oblige the operator to deactivate tags at the PoS if the RFID operator undertakes a Privacy Impact Assessment (PIA) and shows that the risk is limited:
High level of risk: systematic deactivation; tags stay operational only if the consumer opts in.
Medium level of risk: provide a simple, immediate and free way to disable the tag at the PoS (opt-out).
Privacy Impact Assessment (PIA): identify the impact of the implementation of the application with respect to personal data and privacy.
The PIA has to be undertaken by the RFID operator.
The level of detail is consistent with the level of risk.

Privacy: PIA Framework
To help RFID operators with the PIA process, the European Commission gathered stakeholders to draft a Framework. This Framework was accepted by the Article 29 Working Party and endorsed by the European Commission in January 2011.
The Framework tries to standardize the PIA process, but leaves open how the PIA level is to be determined.

Privacy: one word on M/436
December 2008: the European Commission issued Mandate M/436 to CEN, ETSI and CENELEC (only CEN and ETSI participated). Phase 1: a gap analysis of existing standards related to RFID, data protection and privacy protection; the joint technical committee was chaired by CNRFID.
May 2011: the phase 1 report underlined that no existing standard covered the PIA process or signage (public awareness).
January 2012: kick-off meeting of phase 2, with the goal of publishing standards within two years (only CEN involved).
July 2014: publication of two major standards: EN 16570, signage and public awareness; EN 16571, PIA process for RFID applications.
July 2014: CNRFID became the Registration Authority for EN 16571.

Future European Regulation
The future Regulation on Data Protection supersedes Directive 95/46/EC. As a Regulation, it needs no transposition into national law. Art. 33 makes the Privacy Impact Assessment mandatory. (The article numbers below are those of the draft text available at the time; the adopted Regulation (EU) 2016/679, the GDPR, places the Data Protection Impact Assessment in Art. 35.)
Art. 32a, respect for risk: “The controller, or where applicable the processor, shall carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects, assessing whether its processing operations are likely to present specific risks”.
Art. 33, Data Protection Impact Assessment: “The controller shall carry out an assessment of the impact of the envisaged processing operations on the rights and freedoms of the data subjects, especially their right to protection of personal data”. Art. 33 also describes the minimal requirements: the DPIA shall contain
a systematic description of the envisaged processing operations and the purposes of the processing;
an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
an assessment of the risks to the rights and freedoms of data subjects;
a description of the measures envisaged to address the risks and minimize the volume of personal data which is processed;
a list of safeguards, security measures and mechanisms to ensure the protection of personal data;
a general indication of the time limits for erasure of the different categories of data;
a list of the recipients or categories of recipients of the personal data.

Agenda: Privacy Impact Assessment (PIA/EIVP), PIA levels, the PIA process

PIA levels: privacy assets and data types
Assets are classified in two categories:
Assets that directly identify individuals: passport, medical bracelet, loyalty card, venue-based trackable bracelets, …
Assets that, when held, can identify individuals: airline baggage tag, tagged employee uniform, public transport card, retail product, library book, …
Privacy assets are closely related to personal data, wherever it is stored: EN 16571 assesses the “value” of the data on the tag and in the application.
Associated personal data are classified into 6 categories:
PI Personal Identifier (name, email, DNA, …)
PB Personal Behaviour (age, religion, political affiliation, …)
TH Tag and Hardware (RFID chip ID, IPv4/IPv6 address, …)
RV Residual Value (remaining value on a loyalty card, travel card, …)
TL Time and Location (start location, route, …)
IT Identity of Things (unique item code)

PIA levels: privacy in depth model
This model identifies all the layers that need to be considered to assess the privacy risks associated with the RFID technology used in the application. The top four layers are directly concerned with RFID technology, whereas the bottom four layers are concerned with the host computer and application.

PIA levels: assessing the PIA level
To assess the PIA level, you need to answer 3 basic questions (the PIA Framework’s decision tree asks whether the application processes personal data or links RFID data to personal data, whether the tags themselves contain personal data, and whether the tags are likely to be carried by an individual).
What to consider depending on the PIA level:
Level 0: no PIA required.
Level 1: risk assessment for data types other than PI and PB; only consider threats on the RFID air interface.
Level 2: for PI and PB, only consider threats on the application layer; for the other data types, consider all kinds of threats.
Level 3: for PI and PB, consider all kinds of threats.
Whatever the level, don’t forget to consider both the controlled and the uncontrolled domains.

EN 16571: PIA flowchart

Agenda: Risk analysis (data, threats, vulnerabilities, countermeasures, residual risk); EN 16571 / ISO 27005 vs. EBIOS

Risk analysis: asset identification and valuation
Two categories of asset:
directly identifiable assets, where the encoded data includes an individual’s name, a unique chip ID, or any identifier that has a one-to-one relationship with the individual;
indirectly identifiable assets, through factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity, as included in the definition of personal data in Directive 95/46/EC.
The value of the asset is the highest value of its associated data types.
The value of an asset is between 0 and 4 (based on ISO 27005).
EN 16571 gives a fairly exhaustive list of data types and proposes values for them.

Risk analysis: asset, example of asset valuation
Membership card with information encoded in the RFID chip and stored in the application.

RFID threats
RFID threats are mainly based on two different attacks: eavesdropping and tag activation.
Eavesdropping: listening to the communication between a tag and an interrogator. Eavesdropping distances are greater than reading distances. The information can be decoded if it is not cover-coded or encrypted.
Tag activation: RFID tags are operational as soon as they are energized (there is no ON/OFF switch), so a fake reader can ask a real tag to backscatter information. Activation distances are greater than reading distances because the attacker does not care about regulatory limits (e.g. 2 W ERP in Europe). More and more commercial readers are available: at least 250 million HF readers in smartphones, and many small UHF readers with USB connections or that plug into smartphones, e.g. the Arete Pop (one-off price about €200) with a read range of 1 metre.
Actual threats are a mix of eavesdropping and tag activation.

Examples of RFID threats
Physical data modification: unauthorized changing of the data encoded on the tag by deleting, modifying or adding data. Example: changing a product code to gain a financial advantage.
Tracking: a continual sequence of unauthorized tag readings. The threat can be deployed with mobile or fixed interrogators. Example: tracking of employees in known zones, tracking of customers, …
Relay attack, also known as “man-in-the-middle” attack: allows a real tag to communicate with a real reader over a long distance. Example: accessing a building without authorization.

Risk analysis: threats
Threats are classified along two vectors:
the layer that is attacked (data on the tag, RFID air interface, RFID reader, application);
the security requirement (confidentiality, availability, integrity).
The value of the threat is low, medium or high (ISO 27005); it is linked to the complexity of the attack and the skill required to implement it.
Threats associated with the data encoded on the RFID tag and with the RFID tag itself:
Side channel attack (confidentiality)
Physical data modification (integrity)
Cloning (integrity)
Tag reprogramming (integrity)
Tag destruction (availability)

Threats associated with the air interface or the device interface communication:
Unauthorized tag reading (confidentiality)
Eavesdropping or traffic analysis (confidentiality)
Crypto attacks (confidentiality)
Relay, or man-in-the-middle attack (integrity)
Replay attack (integrity)
Noise (availability)
Jamming (availability)
Malicious blocker tags (availability)

Threats associated with the interrogator:
Side channel attack (confidentiality)
Exhaustion of protocol resources (availability)
De-synchronization attack (availability)
No interrogator threat on data integrity has been identified.
Threats associated with the host application:
Privacy and data protection violations (confidentiality)
Injecting malicious code (integrity)
Partial or complete denial of service (availability)

Risk analysis: vulnerability
The vulnerability can be:
Low: it is unlikely or impossible to implement the threat;
Medium: it is possible to implement the threat (identified in research publications);
High: the threat has been exploited in the real world.
The “exposure” time is taken into account: an asset that is held on a transient basis (less than 50 consecutive days) is considered less vulnerable, and the vulnerability can be reduced by one level. Example: detachable label on a retail product.

Risk value (EN 16571 / ISO 27005)
The initial risk value is easy to compute with the ISO 27005 matrix: asset value (0 to 4) plus threat level (low/medium/high = 0/1/2) plus vulnerability level (0/1/2), giving a score out of 8.
Example: library book.
Asset: unique identifier linked to the book category (data on the tag): 2
Threat: tag activation: medium
Vulnerability: UHF protocol, no encryption: high
Risk value: 5/8
But the exposure is less than 50 consecutive days, so the risk is reduced by one: risk value 4/8.

Risk analysis: countermeasures
Countermeasures are applied in order to mitigate the risk. They are classified as:
embedded in the tags and devices (crypto);
available in the technology but requiring an action by the RFID operator (kill);
independent of the hardware and implementable by the RFID operator (systematic removal of the tag at the point of sale);
advice given by the RFID operator to the individual about protecting their privacy (“please remove the tag yourself”).

Once countermeasures have been implemented, the risk shall be re-evaluated. The basic rule described in EN 16571 is that:
implementing a countermeasure reduces the risk by 1;
if the RFID operator decides to remove, destroy, or render untraceable the tag before it moves from the controlled to the uncontrolled domain, the risk level goes to zero.
The CSL/CNRFID software is more sophisticated:
a countermeasure’s value can be more or less than 1;
implementing multiple countermeasures against a threat reduces the risk even more (cumulative effect with a non-linear equation);
the overall risk reduction can be more or less than 1.
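The basic EN 16571 / ISO 27005 arithmetic from the library-book case and the countermeasure rule above, as an added Python example that is not part of the slides or of the CSL/CNRFID software. The level-to-number mapping (low/medium/high = 0/1/2, asset value 0 to 4, sum out of 8) is the ISO 27005 matrix the slides refer to; the data-type value, threat and vulnerability levels come from the slide example, while the 21-day loan period, the countermeasure name and the ranking helper are constructed here. The software’s weighted, non-linear countermeasure model is not reproduced.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# ISO 27005 Annex E style levels: threat likelihood and vulnerability each
# contribute 0/1/2, the asset value 0..4, so the initial risk is out of 8.
LEVEL = {"low": 0, "medium": 1, "high": 2}
MAX_RISK = 8
TRANSIENT_DAYS = 50          # EN 16571 exposure threshold quoted on the slides


@dataclass
class Asset:
    name: str
    data_types: Dict[str, int]            # data type code -> value 0..4 (e.g. {"IT": 2})
    exposure_days: Optional[int] = None   # None: held permanently

    @property
    def value(self) -> int:
        """Asset value = highest value among its associated data types."""
        if not self.data_types:
            return 0
        v = max(self.data_types.values())
        if not 0 <= v <= 4:
            raise ValueError("data type values must lie within 0..4")
        return v

    @property
    def transient(self) -> bool:
        return self.exposure_days is not None and self.exposure_days < TRANSIENT_DAYS


@dataclass
class Threat:
    name: str
    layer: str              # "tag", "air", "interrogator" or "application"
    likelihood: str         # low / medium / high: complexity and skill needed
    vulnerability: str      # low / medium / high: theoretical, published, or exploited


def effective_vulnerability(asset: Asset, threat: Threat) -> int:
    """Transient holding (< 50 consecutive days) lowers the vulnerability one level."""
    v = LEVEL[threat.vulnerability]
    return max(0, v - 1) if asset.transient else v


def initial_risk(asset: Asset, threat: Threat) -> int:
    risk = asset.value + LEVEL[threat.likelihood] + effective_vulnerability(asset, threat)
    assert 0 <= risk <= MAX_RISK
    return risk


def residual_risk(asset: Asset, threat: Threat, countermeasures: Iterable[str] = (),
                  deactivated_before_uncontrolled: bool = False) -> int:
    """Basic EN 16571 rule: each countermeasure takes one off the risk; a tag removed,
    destroyed or rendered untraceable before leaving the controlled domain zeroes it."""
    if deactivated_before_uncontrolled:
        return 0
    return max(0, initial_risk(asset, threat) - len(list(countermeasures)))


def rank_threats(asset: Asset, threats: Iterable[Threat],
                 countermeasures_by_threat: Dict[str, Tuple[str, ...]]) -> List[Tuple[int, str]]:
    """Highest residual risk first, so mitigation effort goes to the top of the list."""
    scored = [(residual_risk(asset, t, countermeasures_by_threat.get(t.name, ())), t.name)
              for t in threats]
    return sorted(scored, key=lambda s: (-s[0], s[1]))


def library_book_example() -> Dict[str, int]:
    """The slides' library-book case: data type IT valued 2 on the tag; tag activation
    (unauthorized reading over the air interface) medium; UHF without encryption high."""
    reading = Threat("unauthorized tag reading", "air", "medium", "high")
    on_shelf = Asset("library book", {"IT": 2})                      # permanent holding
    on_loan = Asset("library book", {"IT": 2}, exposure_days=21)     # constructed loan period
    return {
        "initial": initial_risk(on_shelf, reading),
        "transient": initial_risk(on_loan, reading),
        "one_countermeasure": residual_risk(on_loan, reading, ("advice to the borrower",)),
        "tag_removed": residual_risk(on_loan, reading, deactivated_before_uncontrolled=True),
    }


if __name__ == "__main__":
    for step, score in library_book_example().items():
        print(f"{step:>18}: {score}/{MAX_RISK}")
```

The exposure rule is applied to the vulnerability level rather than subtracted from the total, so a threat whose vulnerability is already “low” is not pushed below zero; the two formulations agree on the slide example (5/8 on the shelf, 4/8 on loan). The ranking helper is the point the EBIOS comparison later makes: a numeric score per threat is what lets the operator decide which one to mitigate first.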

Risk analysis: residual risk
The risk that has not been cancelled (zeroed) is called the residual risk. It has to be compared with the benefits brought by the application, and it has to be accepted by the stakeholders.
The risk has to be reassessed in case of:
significant changes in the RFID application;
changes in the type of information processed;
reports of breaches in similar RFID applications;
and every year.

Risk analysis: the EBIOS approach
EBIOS: Expression des Besoins et Identification des Objectifs de Sécurité (expression of needs and identification of security objectives), a five-step methodology:
Context study: determining the context
Expression of security requirements
Risk study
Identification of security objectives
Determination of security requirements
EBIOS is primarily intended for governmental and commercial organizations working with the Defence Ministry that handle confidential or secret defence classified information: nothing to do with RFID and privacy.

The CNIL proposes a methodology for privacy risk management based on EBIOS. The 5 steps become:
Background study: what is the context?
Feared events study: what does one fear happening?
Threats study: how can it happen? (optional)
Risk study: what is the risk level? (optional)
Measures study: what can be done to treat the risks?
STEP 1 is equivalent to the description of the application.

STEP 2: feared events are:
unavailability of legal processes;
change in processing (diversion of the purpose, excessive or unfair collection, …);
illegitimate access to personal data;
unwanted change in personal data;
disappearance of personal data.
Feared events are ranked (severity) by adding:
the level of identification (negligible, limited, significant, maximum);
the prejudicial effect (negligible, limited, significant, maximum).

STEP 3: threats study, how can it happen? A threat is a possible action by risk sources on supporting assets. Threats are ranked (likelihood) by adding:
the vulnerabilities of the supporting assets (negligible, limited, significant, maximum);
the capabilities of the risk sources (negligible, limited, significant, maximum).

STEP 4: level of risk, severity vs. likelihood. You only get a map of the risks, not a score.

STEP 5: measures. The RFID operator describes how he will reduce the risk (severity and/or likelihood). It is up to the RFID operator to evaluate the risk reduction.

EBIOS is more devoted to security issues and not suited to RFID and privacy:
EBIOS concentrates on feared events, not on privacy assets and data types; for one feared event, many data types can be involved, so which data type should be chosen?
EBIOS doesn’t take into account where the data is stored; a feared event can occur whether the data is stored in the tag or in the host application, but the threat will be different.
When using the EBIOS methodology, you have to imagine scenarios, so you can overlook risks.
EBIOS doesn’t give an overall risk score, so it is difficult to rank the risks and choose to mitigate the highest ones.
EBIOS doesn’t explain how a measure reduces the risk score.
EBIOS doesn’t take into account the uncontrolled domain.
EBIOS doesn’t take into account the exposure time.

Agenda: EN 16571 Registration Authority; CSL/CNRFID software

European Registration Authority
Role defined in the standard EN 16571 (PIA process): the Privacy Capability Statement (PCS), a reference document giving clear and standardized information on product features related to privacy for RFID chips, tags and readers. It avoids misinterpretations of technical standards (many optional features) and of manufacturers’ commercial information (incomplete datasheets), and allows easy comparison of different products.
The Registration Authority gathers information from the manufacturers, provides this information to RFID operators, and is the unique entry point in Europe. Impinj and NXP already declare their UHF products; more to come. Privacy Capability Statements can be downloaded from the website.
Example of PCS: Impinj M4QT (UHF passive RFID chip).

PIA made easy: a dedicated software
Enter the organization’s details.
Describe your application.
Select your assets.
Choose the tags you are using in the application; if the product is not referenced, an email is automatically sent to support.
Select the data types; you can change the data type value.
Only threats that are relevant to the specific RFID protocol and layer are presented (for example, the threats for ISO/IEC 15693 and tag data). The operator can accept or change the values suggested by EN 16571.
The relevant countermeasures are displayed. Countermeasures are linked to threats and their impact on the risk values varies (threat/countermeasure spreadsheet).
The software displays the PIA summary, with the operator details, the application description (overview), the data on the tag, the countermeasures applied by the operator, the countermeasures the individual should apply, and the risk score. It can be exported in various formats, e.g. PDF, HTML.
More at: http://rfid-pia-en16571.eu

Conclusion
RFID operators now have all the reference texts to undertake a PIA.
A PIA is good practice; under the European Recommendation it is not mandatory. Next step: a European Regulation? All ICT technologies would then be covered.
A PIA is a good way to establish trust between operators and citizens.
The PIA approach could be extended to other communication and internet technologies.
Governments could be forerunners with ID applications…

Signage (EN 16570)
One common emblem (EN 16570), based on the ISO/IEC 29160 RFID emblem, plus additional information to be provided by RFID operators.

Example of signage: “NFC tags may be read in this area for the purpose of easy NFC smartphone based professional data exchanges. The vCard application is available on demand and can be embedded in your visitor badge. The vCard application is operated and controlled by the French RFID National Center (CNRFID). A Privacy Impact Assessment has been undertaken and validated by the French Data Protection Authority (CNIL). The PIA summary can be downloaded at www.centrenational-rfid.com. For more information, please contact us by phone or email: +33 494 370 937, [email protected]”