05 October 2020
Recommending Policies: How To Make A Difference
One of the roles of the emerging European Cybersecurity Competence Network, which CyberSec4Europe is piloting, is to provide effective policy recommendations to policymakers formulating policies that will shape the cybersecure future of Europe.
CyberSec4Europe partners provide recommendations as a result of attending workshops, conferences and diverse meetings under the auspices of organisations such as ECSO, ENISA, the European Data Protection Supervisor and others. Proactively, important elements of the work performed during the course of the project itself, particularly in the context of the roadmapping work, form the basis of proposals for the attention of EU policymakers:
- to support novel privacy-preserving technologies including data sharing for COVID-19
- university curricula to provide more attention to certain cybersecurity topics including security-by-design and privacy-by-design
- to adopt integrated models for legal compliance and sanction avoidance
- to coordinate Member States on achieving cybersecurity sovereignty
- to continue to invest in novel solutions for cybersecurity threats
- to take leadership in the research and development of blockchain applications
- to consider secure 5G as a crucial enabler
- to adopt a common eIDAS-based trust framework for Member State digital identity trust schemes
- financial services institutions to adopt a privacy-preserving approach to sharing KYC data and IBAN information among banks and other financial institutions
Although each one of the above is worth exploring, we will focus on one.
Support privacy-preserving technologies including data sharing for COVID-19
The recent pandemic uncovered a major problem: we need to find a way, directly or indirectly, to share location data in order to identify people who have come into contact with others infected with COVID-19. At the same time, such sharing of location data has to be carried out in a privacy-preserving way if we are not to set a precedent for the creation of a surveillance society, monitoring the movements and whereabouts of citizens at all times. The well-intentioned goal to stem the tide of the virus and protect a nation’s health could end up creating the conditions for digital entrapment.
Hence, privacy-preserving contact tracing appears to be a contradiction, an impossible trade-off: having to know who an individual has had contact with without having to reveal the identities of who was in contact with whom. Data sharing is an immensely powerful and now pervasive business process, but one with major societal impacts, not only during a time of emergency but in many everyday health, finance, educational and other scenarios.
Focus areas for support
Our recommendation is to proactively support the numerous European research centres working in this aspect of privacy-related identity management. To be more specific, the areas to support are:
- Privacy-preserving data sharing could be used for other medical/health purposes, such as scientific processing, research, secondary processing, epidemiology, etc.
- Privacy-by-design technological approaches. If privacy is not to become an afterthought, it should be included in the first design phase of solution or process creation.
- Privacy-enhancing technologies. Like it or not, when we go online, we leave digital “crumbs” that can be used to follow us all over the Internet – and frequently we have no other choice. In order to communicate, we provide our IP address; to receive decent service from a web server, we accept cookies; and, to access an online service, we are subjected to device fingerprinting. Privacy-enhancing technologies can help users protect their IP address, protect their devices, and ultimately protect their identity from unwanted intrusion.
An ongoing process
The set of recommendations identified above is just the beginning of a process that will continue over the remaining months of the project – and beyond. All partners will be looking to extract the key ideas and principles from across the whole spectrum of activities in CyberSec4Europe and to find opportunities to present these ideas externally to help progress cybersecurity policymaking for years to come.
For more on CyberSec4Europe’s initial set of policy recommendations, you are invited to read D9.8: Policy Recommendations
Evangelos Markatos, FORTH