Library
Publications 2011
- Study on monetising privacy. An economic model for pricing personal information. Do some individuals value their privacy enough to pay a mark-up to an online service provider who protects their information better? How is this related to personalisation of services? This study analyses the monetisation of privacy. ‘Monetising privacy’ refers to a consumer’s decision of disclosure or non-disclosure of personal data in relation to a purchase transaction. The main goal of this report is to enable a better understanding of the interaction of personalisation, privacy concerns and competition between online service providers. Consumers benefit from personalisation of products on the one hand, but might be locked in to services on the other. Moreover, personalisation also bears a privacy risk, i.e. that data may be compromised once disclosed to a service provider. Privacy is a human right; thinking about the economics of privacy does not change this basic fact. The authors of this report consider an economic analysis of privacy as complementary to the legal analysis as it improves our understanding of human decision-making with respect to personal data.
- Study on data collection and storage in the EU. Given the clear contrast between the importance of the privacy by design principle on the one hand, and the reality of lax data protection practices with many online service providers on the other hand, the aim of this study is to present an analysis of the relevant legal framework of European Member States on the principles of minimal disclosure and the minimum duration of the storage of personal data. The study is not intended to go too deep into the details of the legal complexities of the data protection legislation. It rather focuses on a limited number of relevant use cases and tries to find out how the aforementioned principles are expressed in concrete legal or regulatory provisions applicable to these cases, and how they are observed in practice.
- The use of Cryptographic Techniques in Europe. With the increased use of e-Government services, the amount of citizens’ sensitive data being transmitted over public networks (e.g. the Internet) and stored within applications that are accessible from anywhere on the Internet has grown significantly. Hence, the cryptographic recommendations and specifications that Member States promote for e-Government services have a direct impact on the privacy of European citizens. This study examined the cryptographic documents and specifications defined by European Union Member States related to the encryption of unclassified information stored and transmitted by e-Government services. The findings and recommendations rely on answers received from Member States, covering more than 61% of the EU population; additionally, selected members of the European ICT industry provided feedback on their experience of working with, deploying, auditing and testing MS cryptographic solutions.
- Trust and Reputation Models. Reputation systems are a key success factor of many websites, enabling users and customers to have a better understanding of the information, products and services being provided. However, by using reputation systems, individuals place themselves at additional risk. This report studies privacy risks of in duty systems and surveys the current practice of reputation providers. Furthermore, it gives recommendations to service providers to improve their practice to mitigate risks for their customers and to policymakers to improve the legal framework on privacy and data protection to suit the needs of our modern communication society.
- Managing multiple identities. Nowadays each person has the opportunity of living multiple lives in parallel, in the real as well as in the virtual world. A trend observed over the last years, first in the research community, but now also in commercial offerings is the increase of interactions between these two worlds, making real-world information accessible to services on the Internet.
An area of particular interest is the management of multiple identities, where “identity” is being considered in a broad sense. Issues related to this area include anonymity, pseudonymity, unlinkability and unobservability. The increasingly digital nature of relationships between people is central to dealing with those issues. It is not a question simply of hardware or software, but more importantly of enabling people to enjoy and benefit from their online experiences, while dealing with potential issues. The problems might include a lack of knowledge or training, difficult personal circumstances or simply irritation at the diversity and unpredictability of online privacy and identity mechanisms. It is therefore vital that we should have strong, reliable mechanisms, which can be easily understood and relied upon across the course of a lifetime.
This paper introduces the key concepts of electronic identity and presents available methods of managing multiple identities.
- Mapping security services to authentication levels. In the study, we focus on some of the available technologies and research results addressing privacy and data protection and topics related to, or influencing privacy, such as consent, accountability, trust, tracking and profiling. The study covers three perspectives: user side, business side and architecture side. Each part of the study identifies and proposes clear means to better privacy protection and enhancement that are useful for several stakeholders.
- Privacy, Accountability and Trust – Challenges and Opportunities. In the study, we focus on some of the available technologies and research results addressing privacy and data protection and topics related to, or influencing privacy, such as consent, accountability, trust, tracking and profiling. The study covers three perspectives: user side, business side and architecture side. Each part of the study identifies and proposes clear means to better privacy protection and enhancement that are useful for several stakeholders.
- Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments. The study, using a survey, attempts to evaluate which are currently the mechanisms deployed in available online services for accountability, consent, trust, security and privacy.
While the findings of this survey cannot be easily extrapolated to all online services, some trends are prominent and it is safe to assume that these are valid for most organisations that operate online.
- Data breach notifications in the EU. The introduction of a European data breach notification requirement for the electronic communication sector introduced in the review of the ePrivacy Directive (2002/58/EC) is an important development with a potential to increase the level of data security in Europe and foster reassurance amongst citizens on how their personal data is being secured and protected by electronic communication sector operators. Against this background, ENISA reviewed the current situation in order to develop a consistent set of guidelines addressing the technical implementation measures and the procedures, as described by Article 4 of the reviewed Directive 2002/58/EC.
Position papers
- "Bittersweet cookies. Some security and privacy considerations", February 2011. The purpose of this paper is to highlight some of the security and privacy concerns generated by the use of cookies, without exhaustively identifying all of them; it is intended to serve as a starting point for further analysis by different communities.
Presentations
- "Supply Chain Integrity", Slawomir Gorniak, EP3R meeting, Brussels, 6th July 2011
- "Motivation, vision and challenges of international cooperation and relevant ENISA activities", BIC (Building a long term INCO strategy in Trustworthy ICT) session, Barbara Daskala, 1st SysSec workshop, 6 July, Amsterdam.
- "Privacy & Trust Activities at ENISA", Rodica Tirtea, ENISA-FORTH Summer School, June 30th, 2011.
- "Data Breach Notifications", ENISA’s previous and current work, Slawomir Gorniak, ENISA-FORTH Summer School, June 30th, 2011
- "Cloud Computing - Security and privacy issues", Slawomir Gorniak, International Data Protection Conference, Budapest 16th June 2011
- "ENISA’s Approach to Standardisation", Slawomir Gorniak, ISO SC27 meeting, Singapore, 11th April 2011
- "Interoperability of EU eGovernment Services - Opportunities and Risks", Slawomir Gorniak, Secure Documents World conference, London, 5th April 2011
- "Privacy in online services", Rodica Tirtea, Do you trust your network? Workshop organized by APDC, Portugal, Lisbon, March 30th, 2011.
- "Managing Multiple Identities", Slawomir Gorniak, eID Interoperability Conference, Leuven, 16th March 2011
- "Implementing privacy in online service models", Rodica Tirtea, ENISA panel @ Computers, Privacy & Data Protection (CPDP) conference in Brussels, 25 January, 2011.
- "Data Breach Notifications The way forward", Slawomir Gorniak, ENISA DBN Workshop, Brussels on the 24th January 2011
Online tutorials
- RIPE Network Coordination Centre (NCC) e-learning course, "DNS Basics"
- IPv6 e-learning module developed by the ICT project 6DEPLOY
Links
- Study of the “Operational characteristics of IPv6” by the Internet Society (ISOC)
- Issue Paper on DNSSEC, by the Council of European National Top Level Domain Registries (CENTR), February 2009
- Study commissioned by the European Commission on the “Impact of IPv6 on Vertical Markets”, October 2007
- Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions - A strategy for a Secure Information Society – “Dialogue, partnership and empowerment” /* COM(2006) 251 */
- Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions - “i2010 – A European Information Society for growth and employment” /* COM/2005/0229 final */
- REGULATION (EC) No 460/2004 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 10 March 2004 establishing the European Network and Information Security Agency
- COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS – “ADVANCING THE INTERNET - Action Plan for the deployment of Internet Protocol version 6 (IPv6) in Europe”, Brussels, 27/05/2008 - COM(2008) 313 final

