Trust and privacy in the future internet—a research perspective

Dirk van Rooy Jacques Bus With the proliferation of networked electronic communication came daunting capabilities to collect, process, combine and store data, resulting in hitherto unseen transformational pressure on the concepts of trust, security and privacy as we know them. The Future Internet will bring about a world where real life will integrate physical and digital life. Technology development for data linking and mining, together with unseen data collection, will lead to unwarranted access to personal data, and hence, privacy intrusion. Trust and identity lie at the basis of many human interactions and transactions, and societies have developed legitimate concern for privacy being essential for freedom and creativity. The burgeoning development of the Information Society, particularly during the past fifteen years, transcended the societal readiness to respond to the transformational change evoked by ICT. We have reached the eleventh hour for the preservation of trust and privacy as elements that can be transposed into our digital future. Europe has been at the forefront in recognizing the importance of privacy protection in relation to digital data, witness the advanced European legislation in this domain. The European Commission recognizes that appropriate measures need to combine technology development with legal means, user awareness and tools supporting data controllers to comply with law in an accountable and transparent way, and that empower users with a controlling stake in managing their personal data. Activities are underway at many levels. European RTD programmes play their role in supporting research in trustworthy ICT, privacy enhancing technologies, privacy-by-design in service layers as well as in networks, enabling technologies such as cryptography, and in generalized frameworks for trust and privacy-protective identity management. The views expressed above are purely those of the authors and may not in any circumstances be regarded as stating an official position of the European Commission. - Introductionsetting the scene The Future Internet, broadly understood as a conglomerate of networks connected through the Internet Protocol with the Web as an information layer on top, will eventually include an Internet of Things and a Web of Services and will bring us a world with digital life fully integrated into real life. From a societal and historic perspective the Future Internet will be the next level of the transformational change that was initiated by the emerging Information Society, which really only started some decades ago, at most. Trust and identity are concepts that lie at the basis of our existence and have been exercised through physical recognition and face-to-face communication. In a transformation to digital functions, it is vital to understand how the mechanisms of trust and identification can be maintained. Trust effectively facilitates human transactions and economic activities by reducing risks. There is factual evidence of a significant positive correlation between the level of trust in a society and its level of prosperity and economic competitiveness (Fukuyama 1995; Akomak and ter Weel 2008). Privacy has emerged in society as a concern to ensure liberty and creativity. The ability to control the release of personal information is a decisive factor for establishing levels of trust in society. Global principles of privacy are reflected in Article 12 of the United Nations Universal Declaration of Human Rights.1 The EU has implemented a strong comprehensive legal framework on Data Protection and Privacy.2 Other elements in building societal trust include accountability and transparency to help ensuring respect of the rule of law and of democratic rights enshrined in law. The prospect of an all-encompassing Future Internet forces us to consider in depth the consequences of digitizing many aspects of our lives. Massive data collection through social networking, profiling for business purposes, surveillance activities and the like create personal digital shadows, which remain beyond the control of the affected individual. Management of direct and behavioural personal data will become increasingly difficult when every transaction and interaction is recorded, stored or used for profiling. Storage and processing, including linking and mining of this data, in particular in a future Cloud, will create uncertainty, undermine trust in the use of eServices and might undermine the overall level of trust, thus threatening the full development of the Information Society. Solutions must be found in research and technological development with the societal requirements and consequences in mind. Privacy, data protection, security, accountability and transparency must be included in the design of our networks, service architectures and infrastructures. To be effective in a globalised world we must cooperate internationally to ensure interoperabilityorganisationally, semantically and preferably also technically. 1 http://www.un.org/en/documents/udhr/ 2 Directives 95/46/EC and 2002/58, respectively. Privacy has many aspectsit relates to culture, history, morality, the position of individuals in society, public and private security, legislation, economics, technology etc. In many societies it is an important concern underpinning societal values, in particular for sustaining freedom and the ability to exert democratic rights and human self-determination. The concept of privacy is subject to change over time; it is contextual and cultural. The challenges posed by the emerging digital world need urgent attention. We may currently witness the most massive and concentrated transformational pressure in known human history on the concept of privacy. It is essential therefore to work towards transposing these social characteristics into the digital space. Legislation and policy, future challenges and technology The European Union has since many years given focused attention to data and privacy protection, in legislation going back to the 1970s in individual EU Member States, in European-wide directives such as the Data Protection Directive [Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data] and in several policy documents, such as the PETs Communication [COM (2007)228 on Promoting Data Protection by Privacy Enhancing Technologies (PETs)].3 The mentioned PETs Communication states that The use of PETs can help to design information and communication systems and services in a way that minimizes the collection and use of personal data and facilitate compliance with data protection rules. The European Commission in its First Report on the implementation of the Data Protection Directive4 considers that ...the use of appropriate technological measures is an essential complement to legal means and should be an integral part in any efforts to achieve a sufficient lev (...truncated)