Euro security agency says MORE crypto needed in gov policy
Your move, David Cameron
Governments need to build more privacy into legislation,technology vendors need to step up and compliance cops should crack down to push privacy-enhancing technologies out of the labs, says the European Union Agency for Network and Information Security (ENISA).
The agency has issued a report, Privacy and Data Protection by Design - from policy to engineering, in which it says privacy technologies other than encryption receive little attention. The document goes on to make the case for increased privacy by detailing an inventory of technologies and strategies it says will enhance privacy, while also detailing challenges to their implementation.
"We observed that privacy and data protection features are, on the whole, ignored by traditional engineering approaches when implementing the desired functionality," the team said.
"This ignorance is caused and supported by limitations of awareness and understanding of developers and data controllers as well as lacking tools to realise privacy by design.
"While the research community is very active and growing, and constantly improving existing and contributing further building blocks, it is only loosely interlinked with practice."
The worth of privacy technologies was demonstrated in labs but was with "few exceptions" encryption is not a standard component in system design.
Authors said compliance enforcement agencies within the European Union's regulatory privacy and data protection framework must include better incentives and "serious sanctions".
"System developers and service providers need clear incentives to apply privacy by design methods and offer privacy-friendly and legally compliant products and services ... but also to establish effective penalties for those who do not care or even obstruct privacy-friendly solutions," the authors wrote.
They said the notion of achieving a balance between privacy and security was false and should be spiked, as both goals were complimentary and necessary.
The report came ahead of the EU's proposed General Data Protection Regulation set to be enforceable by 2017 which could include fines against non-compliant companies of up to €1 million or two percent of annual worldwide turnover.
Key findings included:
- Policy makers need to support the development of new incentive mechanisms for privacy-friendly services and need to promote them;
- The research community needs to further investigate in privacy engineering, especially with a multi disciplinary approach. This process should be supported by research funding agencies;
- The results of research need to be promoted by policy makers and media;
- Providers of software development tools and the research community need to offer tools that
- enable the intuitive implementation of privacy properties;
- Especially in publicly co-founded infrastructure projects, privacy-supporting components, such as key servers and anonymising relays, should be included;
- Data protection authorities should play an important role providing independent guidance and assessing modules and tools for privacy engineering;
- Legislators need to promote privacy and data protection in their norms;
- Standardisation bodies need to include privacy considerations in the standardisation process
- Standards for interoperability of privacy features should be provided by standardization bodies.
ENISA's recommendations are at odds with UK prime minister David Cameron's recently-stated intention to backdoor or ban encrypted communications. ®
Sponsored: Becoming a Pragmatic Security Leader