Biblio

With the advent of ease of access to the internet and an increase in digital literacy among citizens, digitization of the banking sector has throttled. Countries are now aiming for a cashless society. The introduction of a Unified Payment Interface (UPI) by the National Payments Corporation of India (NPCI) in April 2016 is a game-changer for cashless models. UPI payment model is currently considered the world’s most advanced payment system, and we see many countries adopting this cashless payment mode. With the increase in its popularity, there arises the increased need to strengthen the security posture of the payment solution. In this work, we explore the privacy challenges in the existing data flow of UPI models and propose approaches to preserve the privacy of customers using the Unified Payments Interface.

At the same time as Big Data technologies are being constantly refined, the legislation relating to data privacy is changing. The invalidation by the Court of Justice of the European Union on October 6, 2015, of the agreement known as “Safe Harbor”, negotiated by the European Commission on behalf of the European Union with the United States has two consequences. The first is to announce its replacement by a new, still fragile, program, the “Privacy Shield”, which isn't yet definitive and which could also later be repealed by the Court of Justice of the European Union. For example, we are expecting to hear the opinion in mid-April 2016 of the group of data protection authorities for the various states of the European Union, known as G29. The second is to mobilize the Big Data community to take control of the question of data privacy management and to put in place an adequate internal program.

The growth of ICTs and the resulting data explosion could pave the way for the surveillance of our lives and diminish our democratic freedoms, at an unimaginable scale. Consumer mistrust of an organization's ability to safeguard their data is at an all time high and this has negative implications for Big Data. The timing is right to be proactive about designing privacy into technologies, business processes and networked infrastructures. Inclusiveness of all objectives can be achieved through consultation, co-operation, and collaboration (3 C's). If privacy is the default, without diminishing functionality or other legitimate interests, then trust will be preserved and innovation will flourish.

Security and privacy threat modeling is commonly applied to systematically identify and address design-level security and privacy concerns in the early stages of architecture and design. Identifying and resolving these threats should remain a continuous concern during the development lifecycle. Especially with contemporary agile development practices, a single-shot upfront analysis becomes quickly outdated. Despite it being explicitly recommended by experts, existing threat modeling approaches focus largely on early development phases and provide limited support during later implementation phases.In this paper, we present an integrated threat analysis toolchain to support automated, continuous threat elicitation, assessment, and mitigation as part of a continuous integration pipeline in the GitLab DevOps platform. This type of automation allows for continuous attention to security and privacy threats during development at the level of individual commits, supports monitoring and managing the progress in addressing security and privacy threats over time, and enables more advanced and fine-grained analyses such as assessing the impact of proposed changes in different code branches or merge/pull requests by analyzing the changes to the threat model.

Telecommunications and data are pervasive in almost each aspect of our every-day life and new concerns progressively arise as a result of stakes related to privacy and data protection [1]. Indeed, systems development becomes data-centric leading to an ecosystem where a variety of players intervene (citizens, industry, regulators) and where the policies regarding data usage and utilization are far from consensual. The new General Data Protection Regulation (GDPR) enacted by the European Commission in 2018 has introduced new provisions including principles for lawfulness, fairness, transparency, etc. thus endorsing data subjects with new rights in regards to their personal data. In this context, a growing need for approaches that conceptualize and help engineers to integrate GDPR and privacy provisions at design time becomes paramount. This paper presents a comprehensive approach to support different phases of the design process with special attention to the integration of privacy and data protection principles. Among others, it is a generic model-based approach that can be specialized according to the specifics of different application domains.

Through the widespread use of information technologies, institutions have started to offer most of their services electronically. The best example of this is e-government. Since institutions provide their services to the electronic environment, the quality of the services they provide increases and their access to services becomes easier. Since personal information can be verified with inter-agency information sharing systems, wrong or unfair transactions can be prevented. Since information sharing between institutions is generally done through web services, protection of personal data transmitted via web services is of great importance. There are comprehensive national and international regulations on the protection of personal data. According to these regulations, protection of personal data shared between institutions is a legal obligation; protection of personal data is an issue that needs to be handled comprehensively. This study, protection of personal data shared between institutions through web services against software developers is discussed. With a proposed application, it is aimed to take a new security measure for the protection of personal data. The proposed application consists of a web interface prepared using React and Java programming languages and rest services that provide anonymization of personal data.

Regulatory efforts such as the General Data Protection Regulation (GDPR) embody a notion of privacy risk that is centered around the fundamental rights of data subjects. This is, however, a fundamentally different notion of privacy risk than the one commonly used in threat modeling which is largely agnostic of involved data subjects. This mismatch hampers the applicability of privacy threat modeling approaches such as LINDDUN in a Data Protection by Design (DPbD) context. In this paper, we present a data subject-aware privacy risk assessment model in specific support of privacy threat modeling activities. This model allows the threat modeler to draw upon a more holistic understanding of privacy risk while assessing the relevance of specific privacy threats to the system under design. Additionally, we propose a number of improvements to privacy threat modeling, such as enriching Data Flow Diagram (DFD) system models with appropriate risk inputs (e.g., information on data types and involved data subjects). Incorporation of these risk inputs in DFDs, in combination with a risk estimation approach using Monte Carlo simulations, leads to a more comprehensive assessment of privacy risk. The proposed risk model has been integrated in threat modeling tool prototype and validated in the context of a realistic eHealth application.

Future that IoT has to enhance the productivity on healthcare applications.

The General Data Protection Regulation mandates data protection in the European Union. This includes data protection by design and having privacy-preserving defaults. This legislation has been in force since May 2018, promising severe consequences for violation. Fulfilling its mandate for data protection is not trivial, though. One approach for realizing this is the use of privacy design patterns. We have recently started consolidating such patterns into useful collections. In this paper we improve a subset of these, constructing a pattern system. This helps to identify contextually appropriate patterns. It better illustrates their application and relation to each other. The pattern system guides software developers, so that they can help users understand how their information system uses personal data. To achieve this, we rewrite our patterns to meet specific requirements. In particular, we add implementability and interconnection, while improving consistency and organization. This results in a system of patterns for informing users.

Application development for the cloud is already challenging because of the complexity caused by the ubiquitous, interconnected, and scalable nature of the cloud paradigm. But when modern secure and privacy aware cloud applications require the integration of cryptographic algorithms, developers even need to face additional challenges: An incorrect application may not only lead to a loss of the intended strong security properties but may also open up additional loopholes for potential breaches some time in the near or far future. To avoid these pitfalls and to achieve dependable security and privacy by design, cryptography needs to be systematically designed into the software, and from scratch. We present a system architecture providing a practical abstraction for the many specialists involved in such a development process, plus a suitable cryptographic software development life cycle methodology on top of the architecture. The methodology is complemented with additional tools supporting structured inter–domain communication and thus the generation of consistent results: cloud security and privacy patterns, and modelling of cloud service level agreements. We conclude with an assessment of the use of the Cryptographic Software Design Life Cycle (CryptSDLC) in a EU research project.

Future that IoT has to enhance the productivity on healthcare applications.

Improving e-government services by using data more effectively is a major focus globally. It requires Public Administrations to be transparent, accountable and provide trustworthy services that improve citizen confidence. However, despite all the technological advantages on developing such services and analysing security and privacy concerns, the literature does not provide evidence of frameworks and platforms that enable privacy analysis, from multiple perspectives, and take into account citizens' needs with regards to transparency and usage of citizens information. This paper presents the VisiOn (Visual Privacy Management in User Centric Open Requirements) platform, an outcome of a H2020 European Project. Our objective is to enable Public Administrations to analyse privacy and security from different perspectives, including requirements, threats, trust and law compliance. Finally, our platform-supported approach introduces the concept of Privacy Level Agreement (PLA) which allows Public Administrations to customise their privacy policies based on the privacy preferences of each citizen.

Learning analytics open up a complex landscape of privacy and policy issues, which, in turn, influence how learning analytics systems and practices are designed. Research and development is governed by regulations for data storage and management, and by research ethics. Consequently, when moving solutions out the research labs implementers meet constraints defined in national laws and justified in privacy frameworks. This paper explores how the OECD, APEC and EU privacy frameworks seek to regulate data privacy, with significant implications for the discourse of learning, and ultimately, an impact on the design of tools, architectures and practices that now are on the drawing board. A detailed list of requirements for learning analytics systems is developed, based on the new legal requirements defined in the European General Data Protection Regulation, which from 2018 will be enforced as European law. The paper also gives an initial account of how the privacy discourse in Europe, Japan, South-Korea and China is developing and reflects upon the possible impact of the different privacy frameworks on the design of LA privacy solutions in these countries. This research contributes to knowledge of how concerns about privacy and data protection related to educational data can drive a discourse on new approaches to privacy engineering based on the principles of Privacy by Design. For the LAK community, this study represents the first attempt to conceptualise the issues of privacy and learning analytics in a cross-cultural context. The paper concludes with a plan to follow up this research on privacy policies and learning analytics systems development with a new international study.