Anonymizers: What do they do?

Anonymity tools allow users to build connections with websites, for instance for communications, or commercial purposes, without revealing the user’s identity. There may be numerous reasons for individuals to protect their identity, for instance, fear of persecution, exercising the right of free speech, or to minimize risk, avoid activity monitoring and prevent identity theft. Anonymity tools are used by a variety of individuals, from law enforcement officers, to human rights workers, journalists, citizens of repressive governments and regular internet browsers. Anonymity tools enable users to browse the internet without revealing personal information.

Even while visiting websites that do not require personal information, internet browsers reveal IP addresses by default. The use of anonymizing proxies allows users to browse without exchanging any personal information, as the proxy makes requests to the websites on the user’s behalf.

Models of Anonymizers

Mix networks are one type model of anonymizer. Mix networks are made up of routers which use layered encryption, buffering and message reordering to create a path for the data to follow through the network. The routers store and forward messages at random intervals and can ensure that each message sent in the network is exactly the same length. Even if there is no data ready to be sent, the router can randomly create and send a message. An example of a mix network anonymity tool is Onion Routing, which uses an “onion,” or layered data structure to transmit data to recipients.

Another model is known as the Crowd system. It was first developed by AT&T, based on a similar concept to the mix network. With the Crowd system, users are grouped with other users in a “crowd.” The crowd forwards requests to a random member, without revealing the origin of the request. Unlike mix networks, which send data on pre-configured paths, the Crowd system dynamically creates paths for each request. This makes the Crowd system more flexible to network changes.

Anonymizers & Risks

There are a number of risks involved with using anonymizers. For instance, users who access the anonymizing proxy are revealing their IP addresses to that proxy. Some anonymizers may record incoming and outgoing connections. Even if an anonymizer claims not to log user activity, this is often difficult to ascertain. Internet service providers have also been known to log their customers’ online activities. Certain malicious anonymizers have been known to perpetrate “man in the middle” attacks, in which the anonymizer modifies the content being transmitted or received.

In order to limit risks, certain users will encrypt any private information that is exchanged outside of the anonymizer, for instance usernames, passwords, credit card information and email addresses.

Tor Network

Another option for limiting risks is to use one anonymizer to connect to another, a technique known as daisy chaining. This allows the user to appear anonymous to the exposed anonymizing tool. A well-known application of daisy chained anonymizers is the Tor network.

The Tor network is based on an onion routing system and is a network of encrypted connections. It works to hide users’ identity and their online activities from monitoring and analysis efforts. Since each layer is encrypted, the Tor network ensures that there is anonymity between the routers. When data is sent on a Tor network, it takes a random, private pathway through different relays. Each relay is only aware of the relay that came before it and the relay that comes next. No single relay will ever know all the relays in the sequence. The user’s circuit is changed every ten minutes, to prevent monitoring.

Like any anonymity network, the Tor system does have its shortcomings. Tor is mainly designed to ensure the secure transport of data. However, data sent on the Tor network may be monitored by any party that has access to both origin and destination of a user’s connection. In the US, the federal government is entitled to monitor domestic internet activity, in accordance with the Communications Assistance for Law Enforcement Act (CALEA).

Encryption

Many users rely on encryption tools to protect sensitive information transmitted online. Numerous encryption tools have been developed to enable users to protect their information. Encryption algorithms render information unreadable to individuals unless they have the encryption key. The longer the encryption key, the more difficult it is for an attacker to decrypt the information. While previous encryption keys were only 56-bits, most privacy professionals will recommend 128-bit encryption keys.

File Encryption

There are different types of encryption for different purposes. File encryption ensures that sensitive data transmitted over the internet, or that information stored on a home system is secured.

One example of file encryption software is Pretty Good Privacy (PGP), developed by Philip Zimmerman in 1991. PGP applies a combination of data compression, symmetric-key cryptography, hashing and public-key cryptography. PGP uses a web of trust to ensure that the public key is distributed to and used by the correct person. This software provides relatively high security. In a number of different incidents, the FBI and other law enforcement agencies were unable to access files that had been encrypted with PGP.

GNU Privacy Guard (GnuPG) is another suite of cryptographic software, developed by Werner Koch in 1999. It was designed to operate together with PGP. GnuPG works by using asymmetric keypairs to encrypt messages. The public keys are then exchanged with the appropriate individuals, verifying the recipient. GnuPG relies on a number of different encryption algorithms, such as block ciphers, asymmetric-key ciphers, cryptographic hashes and digital signatures.

Email Encryption

Emails may be vulnerable to interception from the point it leaves the sender until it arrives at its recipient. For instance, companies have the authority to monitor their employees’ email messages. Email server administrators also have access to the email stored on their servers. There are a number of different email encryption programs, with various security capabilities.

A common way to ensure the security of email messages is to use digital signatures. Digital signatures apply public-key cryptography attached to the email message. Digital signatures identify the sender, ensure that the message has not been modified or tampered with and underscore the legal consequences of the message for the sender and recipient. Digital signatures are also relatively efficient and offer a relatively high level of assurance of the authenticity of the sender. Digital certificates work together with digital signatures to verify the identity of the public key holder.

Like any other security model, there are shortcomings of the digital key system. Private keys are still vulnerable to theft or copying. For instance, a third party may gain enough information to create a copy of a private key. Digital certificates could theoretically be forged or cracked, though according to researchers, this would be highly difficult to do.

Filters

Filters are a broad category of tools that can selectively control the online content that appears on the user’s system. For example, a filter may be designed to block emails, HTML cookies, websites, HTML headers or other unwanted content. Filters may be used by organizations to prevent access to certain online content, by individuals who do not want spam messages, or by parents to protect their children from inappropriate content.

A cookie cutter is a type of filtering program that blocks a system from exchanging cookies with another website. Cookie cutters may also prevent websites from displaying specific types of cookies, or stop the user’s browser from sending header information to the website. One example of such a program is Internet Junkbuster, which blocks the browser from loading banner ads and other cookies. It functions as a proxy between the browser and the internet and allows the user to configure which cookies or files to block or allow.

Summary

This article introduces the importance of protecting online privacy through three major categories of tools: anonymizers, encryption and filters. Anonymizers prevent the user’s identity from being revealed, while allowing the user to browse on the internet. Encryption tools ensure the secure transmission of data, for instance files or email. Filters block specific content from being loaded by internet browsers. The article explains the functions of each of the privacy tools and offers some examples of each tool.

CIPP/IT Preparation

In preparation for the Certified Information Privacy Professional/Information Technology exam, a privacy professional should be comfortable with topics related to this post, including:

• Privacy-enhancing technologies (III.B.c.)
• Anonymity tools (III.B.d.)
• Applications of anonymity tools (III.B.d.iii.)
• Tor Anonymity System (III.B.d.iii.5.)

Encryption/Decryption

Cryptography is used to protect the confidentiality of data. When original data (referred to as plaintext) is transformed cryptographically, it is encrypted, or disguised. The process of encryption produces ciphertext, or cipher. The ciphertext is not readable until it is converted back into plaintext through a process called decryption. The process of decryption can only be initiated by the designated recipient through the use of a key. Examples of ciphertext include substituting letters for numbers, rotating letters of the alphabet, scrambling voice signals, or using computer algorithms to rearrange data bits in digital signals.

The most secure encryption methods rely on mathematical algorithms and a key (or password) for decryption. The key is a variable value, often a random character string, which is necessary for transforming the ciphertext back into plaintext. The key is known only by authorized individuals and should not be shared with other parties.

Encryption and decryption are crucial elements in a number of other processes, including:

• Authentication: this process verifies or establishes the identity of an entity or of the data. User authentication verifies if a user is authorized to enter a system. This is based on three factors of identification: something the user knows (e.g. PIN, password); something the user has (e.g. ID card, smart card, token); or something the user is or does (e.g. biometric identifiers). Data authentication establishes both data integrity and data origin authentication.
• Data confidentiality: this ensures that sensitive data is kept secure. Data confidentiality may involve data that is transmitted between two parties, through intermediaries, or data that is kept in repositories. Ensuring data confidentiality means that sensitive information is not accessed by attackers or other unauthorized parties.
• Data origin authentication: this confirms that the sender of the data is the originator of the data, rather than someone claiming to be the originator.
• Data integrity: a high level of data integrity assures users that the information is trustworthy, complete and untampered with. Data integrity ensures that data is accessible, correct and consistent.

There are a number of different levels of encryption, which depend on the key space. The key space refers to the number of possible keys that may be used to initialize an algorithm. Organizations can choose from different levels, depending on their requirements:

1. File-Level Encryption: this encrypts data at the individual file level. Users can decide which files to encrypt, depending on the sensitivity of their contents. This method is also referred to as folder encryption, since entire folders can be encrypted in a similar fashion. Files are encrypted and decrypted by users who have been authenticated.
2. Full-Drive Encryption: this method encrypts all the data that is on the disk drive. This is done through software on the hard disk driver, or by the hardware in the disk drive. Users must be authenticated when the disk drive is powered on, before they can gain access to the data.
3. Field-Level Encryption: this method encrypts only designated fields in a document. The non-encrypted fields are then able to appear in plaintext when viewed.

Non-Repudiation & Digital Signatures

Cryptography influences non-repudiation, which proves that the integrity and origin of data is genuine. Repudiation is when one party involved in a communication denies involvement in some or all of the communication. Users need to have evidence that messages were sent. This prevents a sender from later denying having sent a message. Non-repudiation falls under two categories:

1. Proof of Origin: Non-repudiation with proof of origin establishes the origin of the data, protecting the recipient in case the sender should deny sending the data. This ensures accountability from the originating party. Often, the term “non-repudiation” is used interchangeably with non-repudiation with proof of origin.
2. Proof of Receipt: Non-repudiation with proof of receipt proves that the data was received as it was originally addressed. This protects the sender in case the recipient should deny receipt of the data.

There are a number of ways to ensure non-repudiation. For instance, a data hash can establish, to a reasonable degree, that the data was not manipulated without detection. Data hashes, or hash functions, convert large amounts of data into single integers. However, data hashes cannot prevent data from being manipulated during the transmission process.

Another way to ensure non-repudiation is to use digital certificates. Digital certificates confirm that information transmitted electronically is authentic. For instance, digital certificates may be used for e-commerce, online banking and other sensitive online services. In these situations, encryption is insufficient; certificates are necessary as evidence of the sender of the encrypted information.

Digital certificates associate an identity to a pair of electronic keys for encryption of digital information. They make it possible to verify a claim to identity and prevent impersonation. Digital certificates usually contain the following:

• Owner’s public key
• Owner’s name
• Expiration date of the public key
• Name of issuer – this is the certification authority that issued the certificate
• Serial number of the certificate
• Digital signature of the issuer

Symmetric & Asymmetric Encryption

There are two types of encryption schemes: symmetric encryption and asymmetric encryption.

Symmetric key cryptography refers to using the same key for encrypting as well as decrypting. It is also referred to as shared secret, secret-key or private key. This key is not distributed, rather is kept secret by the sending and receiving parties. With symmetric encryption, the sender encrypts a plaintext message with a symmetric encryption algorithm and a shared key. This process results in a ciphertext message that is sent to the recipient. The recipient then decrypts this message back as a plaintext with a shared key. With this form of encryption, the two parties must share the key over a secure channel before communications.

Asymmetric cryptography is also referred to as public-key cryptography. Public key depends on a key pair for the processes of encryption and decryption. Unlike private keys, public keys are distributed freely and publicly. Data that has been encrypted with a public key can only be decrypted with a private key.

Asymmetric cryptography is the most recent cryptographic technique. With asymmetric cryptography, the sender encrypts a plaintext message with an asymmetric encryption algorithm and the recipient’s public key. The result is a ciphertext message, which is sent to the recipient. The recipient then decrypts this message back as plaintext, by using the private key corresponding to the public key the sender used to encrypt the message.

Compared to asymmetric cryptography, symmetric cryptography is much simpler, as the same key is shared between sender and receiver. Asymmetric encryption needs more processing resources to encrypt a message then asymmetrically encrypt the shared key. However, asymmetric encryption offers a number of advantages over symmetric encryption, including:

• Simplified key distribution
• Digital signature
• Long-term encryption

Strong Encryption

Strong encryption refers to ciphers that are virtually unbreakable without the decryption keys. This method of encryption relies on a very large number (256 bits) as a cryptographic key. However, the practice of strong encryption is controversial. While most companies and consumers believe it is a security measure, governments tend to view strong encryption as a potential means by which criminal activity or harassment could be concealed. The concern is that stalkers, predators or terrorists could disguise their identities through encryption, essentially becoming untraceable to authorities.

Certain governments, including that of the United States, are pushing for key escrow systems for strong encryption. Key escrow systems involve a trusted third party, who holds the encryption key on behalf of the government. This third party may be a bank or new federal office created by Congress. Everyone who uses a strong encryption would essentially be required to provide the government with a copy of the key. Decryption keys would then be stored securely and only used by authorities with the appropriate court orders. A significant concern about the key escrow system is that the keys are held in a single, central location, which would present a risk for hacker attacks. It is possible for criminals to hack into the key database and steal or modify the keys.

Summary

This article discusses cryptography, the practice of encrypting and decrypting data in order to ensure confidentiality and integrity. The article explores various levels of encryption, including field-level, file-level and full-drive encryption. It also explores cryptography in relation to associated concepts, such as authentication, confidentiality, integrity and non-repudiation. The article then compares two types of encryption schemes: symmetric encryption (also called private key encryption) and asymmetric encryption (also called public key encryption). Finally, it discusses the controversy surrounding strong encryption, which may inadvertently disguise criminal activity.

Foundations Exam Preparation

In preparation for the Foundations exam, a privacy professional should be comfortable with topics related to this post, including:

• Cryptography (II.C.a.iii.)
• Digital signatures (II.C.b.vi.5.)
• Non-repudiation (II.C.b.vi.6.)

Preventative, Detective & Corrective Controls

Controls function as safety valves which prevent accidental disclosure of information. They may take the form of human processes, automated processes, or human work flows that are aided by technology. Controls may be physical, technical or administrative and are grouped into three main categories of controls: preventive, detective and corrective.

Preventive controls are implemented in order to avoid unwanted situations. They prevent errors or irregularities from happening. Examples of preventative controls include:

• Access Control Software: this controls data and program sharing between users. It controls access to a system by allowing access only to registered users with the appropriate ID and password. After users have logged on, the control software manages access to data and programs in the system.
• Anti-Virus Software: this software identifies, detects, isolates and removes viruses. This should be kept active on a system to ensure continual detection and interception of new viruses.
• Policies/Procedures: to identify the ways in which processes must be performed. This must go hand in hand with training, detective controls and audits.
• System Design: appropriate system design enables controls to be more effective. System engineering with an eye to the control requirements can result in a better system.
• Standards: using standards as sources of process information can help to prevent problems from occurring. Standards may be drawn from the BSI (British Standards Institute), NIST (US National Institute of Standards), or the ISO (International Standards Organization), among others.
• Passwords: this is combined with an ID to verify the identity of users. Password-ID log-on also ensures that users are accountable for their actions within the system. There are a number of different types of passwords, including fixed, dynamic and one-time passwords.
• Smart Cards: these contain chips that can be read by remote terminals. Smart cards specify user’s authorization and privileges in the system. These are often combined with another form of identity authentication (e.g. password, PIN number, biometrics) before the user can be allowed access to the system.
• Encryption: this protects data from unintended discloser when it is transmitted through the network. The process of encryption changes readable data, or plain text, into unreadable data, or ciphertext. Data can be encrypted through hardware or software.
• Access Systems: for instance, preventing access to a specific port or service that is vulnerable to exploitation.

However, preventative controls are insufficient, as policies, standards and procedures are often misinterpreted or ignored for a number of reasons. This is why other types of controls are necessary.

Detective controls spot errors or irregularities that may have taken place. Although detective controls cannot stop unauthorized access to data, they can send alerts to monitoring parties when unintended events take place. Some examples of detective controls include:

• Audit Trails: record system activities in order to reconstruct and examine events, produce violation reports.
• Intrusion Detection: track users during usage of the system to ensure activities are authorized. Useful in situations where intruders are using authorized accounts, or when legitimate users are engaged in unauthorized activities.

Corrective controls are implemented to correct errors or irregularities that have been detected. Such controls correct the circumstances that allowed unauthorized activity to take place, or they restore the system’s original conditions. Corrective controls may make changes to existing physical, technical or administrative controls. Examples of this type of control include backup configuration files, hard drive images and response plans for specific incidents.

What do they do?

Access controls can help to maintain the CIA triad (confidentiality, integrity, availability) in information system security. The triad represents the core principles of the information security field.

Confidentiality in a system indicates that the privacy of individuals is protected and that information is not disclosed to unauthorized users. A strong access control system can ensure that information is accessed through a case-by-case basis, ensuring that the information is kept confidential and preventing exposure to unauthorized individuals.

Controls can also maintain the integrity of information, meaning that the data are safeguarded from modification without authorization. Strong access controls protect data integrity in the following ways:

1. Protect data from accidental modification – ensure that data cannot be easily edited or modified
2. Protect data from deliberate modification – control access to sensitive information, preventing deliberate or malicious changes to data
3. Maintain external database consistency – compare external data with local data to check for inconsistencies
4. Maintain internal database consistency – compare local data with external data to check for inconsistencies

Finally, control systems allow authorized users to access the minimum data required to complete their tasks. This ensures that the element of availability is protected. Availability not only ensures that data are available, but also that the necessary procedures required to access that data is reasonable for users.

Types of Controls

Control strategies must be designed to address risks that have been identified as unacceptable. The design of control systems and strategies must take into account threats, vulnerabilities and risks that may potentially be faced by the system or network.

The control system design process also takes into account three layers of controls: policies, models and mechanisms. These three layers are discussed below:

1. Access control policies refer to how access can be managed; who is authorized to access the information; and under which circumstances the information can be accessed. Policies may be based on resource use, competence, obligation, need-to-know or conflict-of-interest factors.
2. Models describe the security policy of the system. As such, models can help identify theoretical vulnerabilities and limitations of a system. Models can connect policy and mechanisms.
3. Control policies are manifested through a mechanism that carries out a user’s request. The mechanism functions within the structure defined by the system. Mechanisms may or may not be direct implementations of control policy.

Controls also function at a number of different levels in a system, from the hardware, to the operating system, to the middleware, to the application. At the hardware level, access controls are provided by the processor, which controls which information a process can access. The middleware level creates resources (e.g. files, communications ports) and has the responsibility for allowing or limiting access to these resources. Applications enforce a number of different protection properties and may be written on top of the middleware. Finally, at the application level, the user may interact with a rich, complex security policy. Preventative, detective and corrective controls appear at each level of the system and build upon each other to mitigate and manage risks.

Summary

Access controls may be comprised of processes, tools and people and are necessary for ensuring the confidentiality, integrity and availability of information. The article looks at the three main categories of access controls: preventative, detective and corrective. It defines each category of control, provides examples and discusses the ways in which these controls function to uphold the CIA triad for information security. Finally, the article looks at the ways in which the controls operate and interact at different levels of the system.

Foundations Exam Preparation

In preparation for the Foundations exam, a privacy professional should be comfortable with topics related to this post, including:

• Access controls: preventative, corrective, detective (II.B.c.ii.)

What is RFID?

RFID is a term for a group of technologies that enable machines to identify objects. This may include bar codes, smart cards, optical character readers, biometric technologies and more. RFID uses radio waves to identify items. Its first application was the identification of aircraft during WWII. Since then, developments in technology have reduced the cost and increased potential applications of RFID technology. The automatic identification offered by RFID is attractive to many organizations and retail stores, as it reduces the time and labor necessary to manually input data and to improve data accuracy.

There are three components in an RFID system:

1. Tag: this is usually made up of a microchip unit, antenna and encapsulating material. Microchips can store up to two kB of data. This may be information about a certain product, such as its destination or sell-by date. An RFID system may include multiple tags.

Tags are also referred to as transponders. They can be read-only or read-write tags. “Read-only” means that the information on the tags cannot be changed in any way. Read-write tags can have the information modified or erased multiple times. Since they offer greater functionality, their price is much higher than read-only tags.

1. Reader: this is a device that has at least one antenna to communicate with the RFID tag. It emits radio waves and receives signals back from the tag. The reader passes digital information to a computer system. Readers are also known as interrogators. They can be portable, handheld devices or fixed terminals positioned in strategic places, such as loading bays or doorways.
2. Infrastructure: this includes the necessary hardware and software for supporting the RFID system. The RFID software translates the data from the tag into the information about the goods and orders. This information is transmitted into other databases and applications for processing.

How can RFID be used?

RFID technology has and will be applied in a variety of public and private sector organizations. Uses include:

• Product Integrity – to ensure that products are authentic and untampered with
• Supply Chain Management – to monitor and control the flow of goods through the supply chain (i.e. from raw material to finished product to consumer)
• Warranty Services – goods with tags incorporated into the materials, in order to facilitate warranty services
• ID, Travel & Ticketing – to verify the identity of the traveller; to ensure that travel documents are genuine
• Baggage Tracking – to monitor and control the movement of baggage (e.g. from check-in to loading)
• Patient Care & Management – to rapidly, accurately verify patient information (e.g. allergies, prescription, health history, etc.)

Privacy Issues

According to the Canadian PIAC (Public Interest Advocacy Center), RFID technology presents a challenge to Canadian privacy legislation. The basic surveillance capabilities of RFID are unlikely to violate privacy, though the PIPEDA significantly limits the use of RFID for consumer surveillance purposes.

However, later Office of the Privacy Commissioner of Canada (OPC) research indicated that there were significant concerns regarding the use of RFID in the workplace. Through a number of public consultations, the OPC was able to establish the perspectives of academics, RFID vendors, industry groups and private citizens. Numerous privacy threats were identified:

Repeated collection of information

• Since RFID tags are very small, they can easily be embedded on/in objects or documents without the individual’s knowledge. It is possible to read RFID tags through fabric, plastic and other materials, as radio waves are not restricted to line of sight. Tags can also be read from a distance. These factors render it impossible for individuals to know if/when he/she is being scanned.

Tracking Movements

• If there is a sufficient network of RFID readers, the tags can be tracked in time and space. This is possible through a combination of GPS (Global Positioning Systems) and RIFD technologies.

Profiling Individuals

• RFID technology means that each object has its own unique identification. This contrasts bar code technology, which gives the same identification to all similar objects (e.g. in a grocery store, all orange juice cartons of the same brand have the same bar code). If unique identifiers are associated with individuals, then profiles of purchasing habits can be compiled.

Secondary Use

• Creating profiles and tracking individual movement can be linked to other information which the individual may not want revealed.

Massive Data Aggregation

• RFID records may be linked with personally identifying data, which may facilitate any of the other privacy threats listed previously.

OPC Responses

The OPC recommends that the ten principles of the CSA Model Code, as well as the PIPEDA form the basis for an RFID privacy management framework. OPC research responds to each of the ten CSA principles, with respect to RFID technologies:

1. Accountability – Who has access to and who is accountable for the data generated by RFID systems, as well as other data collection systems in the workplace?
2. Identifying Purposes – RFID systems that are used for legitimate business purposes (e.g. supply chain management) are more likely to be supported than RFID systems used for secondary purposes or surveillance (e.g. employee surveillance, workforce management). The OPC identified that industry standards, policies or guidelines can help to ensure that the data collected through these systems are used and disclosed for identified purposes.
3. Consent – Meaningful consent must be secured before an RFID system is implemented. However, there is the challenge of securing meaningful and completely voluntary consent in a workplace setting.
4. Limiting Collection – Reasonable expectations of privacy must be balanced with reasonable management of RFID systems. While reasonable expectations of employees are important, the reasonable management of the RFID system is the employer’s responsibility. This involves the protection of employee privacy.
5. Limiting Use, Disclosure & Retention – The issue of RFID implants was a significant concern for OPC and other groups who were consulted, as implants present significant privacy and security issues. For instance, employee conduct might be monitored during and after work hours, at lunch, during vacation, and for tracking physical movements and conduct. This may pose a serious security issue.

Employers should limit the collection of personally identifiable information, including RFID-related data. Data from RFID systems should not be linked to other databases, unless there is a proven need.

1. Accuracy – It is the responsibility of the employer to ensure that personal information is accurate, complete and up to date for the purposes for which it is to be used. An audit trail might be established and maintained regarding the lifecycle of the RFID data.
2. Safeguards – RFID systems that contain personal information must be protected in a way that is proportionate to its sensitivity. Employers should be made accountable for any breach of RIFD technology. Protecting data in each distinct part of the system is an effective approach to safeguarding employee privacy.
3. Openness – For instance, hidden tags or readers should not be implemented. Clients, employees and/or unions should be consulted before RFID systems are installed. Tags and readers ought to be in plain sight, never used for covert surveillance.
4. Individual Access – Individuals (e.g. clients, employees, union leaders) should be guaranteed access to any personally identifiable data generated by RFID systems.
5. Challenging Compliance – Individuals ought to be able to challenge compliance with other principles. This may be the ability to make inquiries or lodge a complaint if necessary.

After examining each principle individually, the OPC stated some guiding applications for the implementation of RFID technology in a way that respects Fair Information Practices:

• If the RIFD chip has an individual’s personal information contained on it, then it is defined as a repository of personal information.
• If the tag is unique, it can be associated with an individual. The tag becomes a unique identifier for that individual.
• Personal information includes information about possessions, purchases or behaviors that can be processed to create a profile.

Summary

This article provides a brief introduction to RFID (radio frequency identification) technology. It explores some uses of this technology in consumer and work settings. Privacy concerns regarding RFID systems are raised. The article also offers some responses and recommendations made by the Privacy Commissioner of Canada regarding implementation of RFID technology.

CIPP/C Preparation

In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:

• CSA Model Code for the Protection of Personal Information (II.A.a.i.)
• Radio Frequency Identification (RFID) (V.A.a.5.)
• Security threats and vulnerabilities (V.A.b.)
• Information management (V.c.i.)

The ISO standards work to facilitate trade; provide a basis for development, production and assessment of products; and to safeguard consumers who use products and services. The ISO produces standards for a wide range of industrial and commercial subjects. This article explores two ISO standards that are especially relevant to privacy professionals.

ISO 27000 Series & ISMS

The ISO 27000 standards series refers to information security matters. Since October 2005, the ISO has published six of these standards:

• ISO 27001: this is a model for creating information security management systems (ISMS).
• ISO 27002: this is a code of practices governing information security.
• ISO 27003: this focuses on the PDCA (plan-do-check-act) problem solving method for ISMS. It has been proposed, but not yet published.
• ISO 27004: this standard guides the development and assessment of ISMS, in alignment with the ISO 27002.
• ISO 27005: this soon to be published standard discusses information security risk management.
• ISO 27006: this regulates the accreditation of organizations that certify and register ISMS.

The ISO 27000 series is closely linked to other standards, including:

• ISO 17021: this standard discusses the requirements for auditing and certifying management systems of various types. It is closely related to the ISO 27006.
• ISO 13335: this discusses the management of information and communications technology security.  It is closely linked to the ISO 27005.
• ISO 24760: when it is published, this standard will offer a framework for identity management. It is most related to the ISO 27002.

Together, the ISO 27000 series of standards are used to plan, implement, certify and operate an ISMS. An ISMS, or information security management system, is a term unique to the ISO 27000 series. The term refers to a systematic approach for managing an organization’s sensitive information. An ISMS includes people, processes and information systems. Developing an ISMS ensures the following:

• The organization’s information assets are listed and secured.
• Information security risks are managed and mitigated.
• The organization’s security policies are implemented.
• The organization is regularly assessed to ensure adherence to security measures.

Information security involves three main components: confidentiality, integrity and availability. Confidentiality refers to the level to which information is accessible to authorized individuals only. Integrity refers to the level of accuracy and completion of information. Integrity of information also ensures that it is not modified without knowledge and authorization. Availability or accessibility of information to authorized individuals is also necessary for information security.

ISO 27001

The ISO 27001, formally referred to as “Information Technology – Security Techniques – Information Security Management Systems – Requirements,” was published in October 2005. It replaces the former BS7799-2 standard. The previous standard was created in 1995 by the BSI (British Standards Institute), which helped to ensure that information security measures were effective. The BS7799-2 standard was developed as a technology-neutral and vendor-neutral system. This standard was taken as a Code of Practice, rather than as specific standards.

The standard outlines the specific requirements involved in establishing, implementing, monitoring, reviewing and improving a management system. It does not discuss information security-specific requirements, but offers a framework for management systems in various types of organizations, from commercial enterprises, to public service agencies and non-profit groups. The ISO 27001 uses the OECD principles which govern security of information and other network systems.

The ISO 27001 standard demands that an organization’s management carry out the following:

1. Examine information security risks, paying attention especially to threats, vulnerabilities and impacts.
2. Develop and implement a complete set of information security controls and other protocols for dealing with risk.
3. Commit to an overarching management process to ensure that the information security controls adapt and grow with the organization.

The ISO 27001 involves a number of PDCA cycles. The PDCA cycle is a statistical process for problem solving. It is applied within improvement programs to ensure that action is effective. The cycle involves:

1. PLAN: identify the problems that are being faced. Brainstorm solutions to these problems.
2. DO: test problem-solving actions on a limited, experimental scale first. This will ensure that disruptions to regular operations are kept at a minimum.
3. CHECK: determine if the experimental actions are achieving a desired result. Monitor the quality of output continually to ensure that new problems are identified immediately.
4. ACT: once experimental actions are deemed effective, the changes should be implemented on a larger scale. This may mean that the new actions are integrated into daily routines and/or expanded to involve other individuals or departments in the organization.

In order for an organization to be certified compliant with the ISO 27001, it must go through the following process. Initially, the organization must decide to start the certification process. During this stage, management must commit to the project and delegate responsibilities. Management would then develop and publish an organizational policy regarding the standards certification.

The organization then undertakes a scoping process, in which specific parts of the organization are covered by the ISMS. This determines which locations, assets or technologies will be included in the certification.

After the scoping process, the organization must carry out a risk assessment to identify strengths and means of addressing weaknesses, in terms of risk exposure. As a result, the organization produces a document outlining the method for managing risks. The procedures and policies are then implemented throughout the organization. Auditors from certification or registration bodies then carry out the verification of compliance.

ISO 27002

The ISO 27002, formally referred to as “Information Technology – Security Techniques – Code of Practice for Information Security Management,” was published in 2005. The standard is based on the UK standard, BS7799. The ISO 27002 and ISO 27001 are meant to be used together.

The objective of the ISO 27002 standard is to establish requirements and basic principles for implementing or changing an ISMS within an organization. The contents of this standard address the requirements of a risk assessment. It represents more of an advisory document, rather than a standard or formal specification. As such, any organization that adopts the ISO 27002 must identify their own information security risks and create appropriate controls, using the document as a framework.

The standard outlines thirty-nine control objectives that specify functional requirements. These control objectives form a basis for an organization to create principles for its own information security policies. The main sections or categories under which the control objectives fall are as follows:

1. Risk management
2. Policy
3. Organization
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Software development
10. Incident management
11. Business continuity
12. Compliance

While the ISO 27003 offers some guidance for implementation, a number of critiques regarding the ISO 27002 standard have surfaced since its publication. A few potential areas for revision include:

• The standard does not adequately address risk assessment. It ought to suggest more risk assessment activities.
• The standard does not clearly define what an organization’s security policy should be.
• The standard should assist organizations in ensuring business continuity, for instance facilitating recovery or planning to cope with incidents that may arise.
• The standard should be more in depth in terms of its section on IT auditing. It may want to cover the value of auditing and improvement.

Increasing Certification

There are a number of reasons for increasing certification to ISO 27000 series standards. Two important causes are the increase of threats to information and the increase of regulatory and statutory requirements for information protection. Over the past decade, formal ISMS are seen as necessities for organizational best practices.

According to international reports, ISO 27001 certifications have steadily been increasing by approximately one thousand organizations per year. Concurrently, global information security threats are becoming more and more visible. These threats target any organization or individual who relies on the use of electronic information. At the same time, personal data may also be at risk of natural disasters, external attack, internal corruption or theft. This has led to increasing demand for compliance from suppliers, business partners and consumers.

Summary

This article introduces the ISO 27001 and the ISO 27002 standards. It discusses the ISO 27000 series of standards, which regulate information systems management from a privacy perspective. The ISO 27001 aims to help organizations to improve their ISMS (information security management system) by providing a model for design and implementation. The ISO 27002 lists some guidelines for managing the life cycle of information security within an organization. It is comprised of a number of control objectives. The article finally discusses the important role of ISO standards in an organizational ISMS context.

Foundations Exam Preparation

In preparation for the Certification Foundation exam, a privacy professional should be comfortable with topics related to this post, including:

• Business risk management (I.C.a.)
• Information security standards (II.A.d.)
• Information security management (II.C.a.)