ETSI TR 103 304-2016 CYBER; Personally Identifiable Information (PII) Protection in mobile and cloud services (V1.1.1)


ETSI TR 103 304 V1.1.1 (2016-07)

CYBER;
Personally Identifiable Information (PII) Protection in mobile and cloud services

TECHNICAL REPORT

Reference: DTR/CYBER-0002
Keywords: access control, privacy

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights ... 5
Foreword ... 5
Modal verbs terminology ... 5
Executive summary ... 5
1 Scope ... 6
2 References ... 6
2.1 Normative references ... 6
2.2 Informative references ... 6
3 Definitions and abbreviations ... 7
3.1 Definitions ... 7
3.2 Abbreviations ... 9
4 Overview ... 10
5 Threats to PII ... 10
5.1 Overview ... 10
5.2 Data fusion and re-identification ... 11
5.3 Data breaches ... 11
5.4 Service termination/inaccessibility ... 11
5.5 Lock-in mechanisms ... 11
5.6 Ransomware and Spyware ... 11
5.7 Over-collection ... 12
5.8 Mis-contextualization ... 12
5.9 User Impersonation ... 12
5.10 Alteration of ownership or access rights ... 12
5.11 Alteration of persistence ... 12
5.12 Synopsis ... 13
6 Technical aspects ... 14
6.1 Principles from ISO/IEC 29100 ... 14
6.2 Degree of link-ability ... 14
6.3 Trust ... 15
6.4 Awareness of data transaction ... 15
6.5 Semantics ... 16
6.6 Portability ... 16
6.7 Access control ... 16
6.8 Log and auditing ... 17
6.9 Embedded sensors and devices ... 17
6.10 Lawful interception ... 17
7 Use cases, actors and roles ... 18
7.1 Overview ... 18
7.2 Actors and roles ... 18
7.3 Use case UC1 ... 19
7.4 Use case UC2 ... 19
Annex A: Scenarios ... 20
A.1 Medical scenario ... 20
A.2 Flight Passenger Name Record ... 20
A.3 Bring Your Own Device (BYOD) ... 20
A.4 Fake or untrusted access mobile networks ... 21
A.5 Untrusted app scenario ... 21
A.6 Social networking ... 21
A.7 In-car blackbox ... 22
A.8 Cloud unavailability ... 22
A.9 Self-quantifying ... 22
History ... 23

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).

Modal verbs terminology

In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

Executive summary

ICT is moving towards a genuinely distributed and virtualized environment characterized by a rich set of mobile and cloud services available to users. In this context, it may be difficult to have a priori knowledge of who may need access to data, when and where this may happen, and whether that data could be or contain Personally Identifiable Information (PII).

The present document proposes a number of scenarios focusing on today's ICT and develops an analysis of possible threats related to PII in mobile and cloud based services. It also presents technical challenges and needs derived from regulatory aspects (lawful interceptions). The aim is to consolidate a general framework, in line with regulation and international standards, on top of which technical solutions for PII protection can be developed.

1 Scope

The present document proposes a number of scenarios focusing on today's ICT and develops an analysis of possible threats to Personally Identifiable Information (PII) in mobile and cloud based services. It also presents technical challenges and needs derived from regulatory aspects (lawful interceptions). It consolidates a general framework, in line with regulation and international standards, into which technical solutions for PII protection can be plugged.

2 References

2.1 Normative references

Normative references are not applicable in the present document.

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ISO/IEC 29100:2011: "Information technology - Security techniques - Privacy framework".
[i.2] National Institute of Standards and Technology NIST SP 800-122: "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)".
[i.3] Regulation 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
[i.4] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[i.5] Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive).
[i.6] Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on universal service and users' rights relating to electronic communications networks and services (Universal Service Directive - OJ L 108, 24.04.2002).
[i.7] Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity.
[i.8] Directive 1995/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[i.9] US President's Council of Advisors on Science and Technology: "Report to the President. Big data and privacy: a technological perspective".
[i.10] ETSI TR 101 567: "Lawful Interception (LI); Cloud/Virtual Services for Lawful Interception (LI) and Retained Data (RD)".
[i.11] ETSI Cloud Standards Coordination: Final Report.
[i.12] ISO/IEC 11889:2009: "Information technology - Trusted Platform Module" (Parts 1-4).
[i.13] ISO/IEC 29191:2012: "Requirements for partially anonymous, partially unlinkable authentication".
[i.14] ISO/IEC 29115:2011: "Entity authentication assurance framework".
[i.15] ETSI TS 119 612: "Electronic Signatures and Infrastructures (ESI); Trusted Lists".
[i.16] ETSI TR 103 308: "CYBER; Security baseline regarding LI and RD for NFV and related platforms".
[i.17] ETSI TR 187 010: "Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); NGN Security; Report on issues related to security in identity management and their resolution in the NGN".
[i.18] ISO/IEC 27040:2015: "Information technology - Security techniques - Storage security".
[i.19] ISO/IEC 17789:2014: "Information technology - Cloud computing - Reference architecture".
[i.20] ISO/IEC 9594-8:2014: "Information technology - Open Systems Interconnection - The Directory - Part 8: Public-key and attribute certificate frameworks".
[i.21] ETSI TS 101 331: "Lawful Interception (LI); Requirements of Law Enforcement Agencies".
[i.22] ETSI TS 101 671: "Lawful Interception (LI); Handover interface for the lawful interception of telecommunications traffic".
[i.23] ISO/IEC JTC 1/SC 38 CD 19944: "Information technology - Cloud computing - Data and their flow across devices and cloud services".
NOTE: Standard under development.
[i.24] ISO/IEC JTC 1/SC 37 AWI 20889: "Information technology - Security techniques - Privacy enhancing data de-identification techniques".
NOTE: Standard under development.
[i.25] J.A. Akinyele, C.U. Lehmann et al.: "Self-Protecting Electronic Medical Records Using Attribute-Based Encryption". Cryptology ePrint Archive, Report 2010/565, 2010.

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the following terms and definitions apply:

app: "software application", typically running on a user's device platform

anonymization: process that replaces an actual identifier with an attribute obtained by randomization or generalization in such a way that there is a reasonable level of confidence that no individual can be identified

Cloud Service Customer: individual or organization consuming one or more cloud services provided by a Cloud Service Provider

Cloud Service Partner: individual or organization providing support to the provisioning of cloud services by the Cloud Service Provider, or to the consumption of cloud services by the Cloud Service Customer

Cloud Service Provider: individual or organization providing cloud services to one or more Cloud Service Customers

Cloud Service user: individual consuming one or more cloud services using a particular device

consent: freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

data breach: compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed [i.18]

data consumer: entity accessing data for a given purpose

data fusion: process of combining multiple data sets into one improved data set in order to discover any information which cannot be derived from the original data sources

data subject: identifiable person, i.e. a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

de-anonymization: any process in which anonymous data is cross-referenced with other sources of data to re-identify the anonymous data source

Device Platform Provider: Cloud Service Provider providing services necessary to support the device platform

generalization: process that reduces the degree of granularity (known as precision) of a set of attributes

identity theft: inappropriate use of someone else's credentials to commit fraud or crimes

lock-in: process which makes a customer dependent on a given service provider and unable to use another provider without substantial switching costs

metadata: data about the data, which can be structural or descriptive

mis-contextualization: process in which data from different personas is mixed and used inappropriately

over-collection: practice of collecting information unrelated to a stated purpose

persona: role played by an individual user in the context of a service

Personally Identifiable Information (PII): any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal

NOTE 1: To determine whether a PII principal is identifiable, account can be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that natural person [i.1].

NOTE 2: In the US, according to [i.2]: any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

PII controller: privacy stakeholder that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes [i.1]

PII principal: natural person to whom the personally identifiable information (PII) relates [i.1]

PII processor: privacy stakeholder that processes personally identifiable info
