Straight after the JTC 1/SC 27 IT security techniques meeting in Jaipur (following night after the Parish event) ETSI’s Cyber group seriously proposed that we have to abandon the whole privacy issue. I do not see the future as black.

Based on this serious theme we have arranged a series of update acute isssues workshop on cyber security combined with hands-on workshops to provide practical skills and training. This year our theme was: Cybersecurity in an interconnected world: Trust and Privacy (The International Crisis Management Workshop (CriM’17) and Oulu Winter School (University of Oulu, Finland) The seminar was organized as a one and half day lecture series and workshops continued straight after them. In the hands-on workshops the theory was put into practice.

In recent years, news and revelations about government surveillance programs have constantly been present in media and reminded us that our daily activities in cyber space are not as private or secure as we had expected. Governments put substantial effort to maintain a surveillance infrastructure to monitor digital activities. Laws and regulations are put in place to support those actions. The main driver for those programs are the prevention of cyber crime and cyber terrorism and to enhance the security in our daily lives. Those developments leave citizens as well as security experts wondering if this large-scale surveillance is proportional to the security threats we are facing and if the reduction of the security and privacy of uninvolved and unknowing citizens is tolerable. On top of this progress non-state actors have collected much information about citizens over an extended period, by mundane customer service cards, acquisitions of patents records, or taking over of fast troves of information by criminals. Data collectors frequently cooperate, nontransparent to affected citizens.

The EU General Data Protection Regulation (GDPR) is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. Parallel with this process the Directive on security of network and information systems (the NIS Directive) will be adopted (It was adopted by the European Parliament on 6 July 2016 and entered into force in August 2016. From there Member States have 21 months to transpose the Directive into their national laws and 6 months more to identify operators of essential services). The NIS Directive provides legal measures to boost the overall level of cybersecurity in the EU.  For example Member States preparedness is increase by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority.

These are important steps for our privacy and gives to us the basic digital rights we preserve: Breach notification, right to access, right to be forgotten, data portability and especially privacy by design.  As Commission implementing decision (20.1.2015) states “The security industry has thus to face a growing challenge: improving the protection of privacy and personal data, while meeting the requirements of their customers. Whilst legally speaking the customers of the security industry often bear the legal responsibility for complying with data protection rules (being the data controllers), their providers also bear some responsibility for data protection from a societal and ethical point of view. These involve those who design technical specifications and those who actually build or implement applications or operating systems.”

Since “errare humanum est” we need regulations to force the good design principles even in our hectic digital world so that the basic digital rights can be and will be guaranteed.

Juha Röning
Professor, Coordinator of CS-AWARE