First plenary Meeting of iCROSS

The first plenary meeting of the newly established iCROSS project took place on 9-11 November in Budapest. Jonathan Stoklas and Kai Wendt, both research assistants at the Institute for Legal Informatics, participated as part of the LUH project team. The main item of the meeting was a visit to the Tompa-Kelebia Border Control Point at the frontier between Hungary and Serbia, one of the European Union’s external borders. Frontier officers explained the current border-crossing procedure while the participants observed the actual traffic.

The main goal of the iCROSS project is to enable fast and efficient border control for third-country nationals crossing the European borders. The project re-engineers the border-crossing system by enabling automated control. It envisages a two-step system. In the first step, the so-called pre-registration phase, travellers are informed about the procedure and their rights. Furthermore, all necessary data, such as the data contained in travel documents, is gathered. A first interview with an avatar, a lie detection test and the creation of a link to any pre-existing authority data are planned.

In the second step, the existing border control workflows are expanded by relevant nodes with state-of-the-art technology to ensure quick, secure and efficient treatment of the traveller. Security controls can be performed with a portable, wirelessly connected unit, and the results gathered are complemented with the data obtained in phase one. Multiple technologies make it possible to check the validity and authenticity of documents. A large amount of data is collected in the process, which makes it essential to ensure secure transfer, transparency and the travellers’ informed consent. The overall goal of iCROSS is to reduce the costs of the control and the time travellers spend at the border while providing a high standard of security.

The IRI is responsible for data protection issues and will ensure that all legal requirements, established by several national and international sources of law, are met. The work also includes ethical questions concerning privacy, informed consent and others.

Finally, all steps and procedures are going to be validated in real operation scenarios depicting the variety of cases in Hungary, Greece, Latvia and Poland. More information is available on the Institute’s website as well as on www.icross-project.eu.


Unlocking Wi-Fi Encryption during Disaster Response Operation: Implications for Privacy and Information Security


Responding to natural disasters has always been a very difficult and compassionate task. This is especially so when there is a high death toll and colossal damage to property, as recently witnessed in the 6.2 magnitude earthquake that struck central Italy and killed close to 300 people.[1] As always, on-the-ground activities are necessary for such emergencies, involving civil protection agencies, humanitarian organizations, and volunteers who quickly engage in search and rescue activities as well as other physical assistance to the victims and their community. But sometimes, despite these rapid disaster response efforts, telecommunications breakdown can undermine humanitarian activities, as seen, for instance, in Haiti in 2010.[2] The ability of the response team to communicate and use ICT devices is usually vital in the aftermath of a disaster, and the impact of ICTs at such a point cannot be overlooked. In some cases, the deployment of ICTs is indispensable, ranging from the use of drones to the activation of Facebook’s Safety Check and other online activities such as crowdsourcing and mapping of real-time information.

The recent earthquake in Italy, however, brings this to a new dimension: in the course of the response operations, the Italian Red Cross posted a message on its Twitter account asking residents within the affected locations to unlock their Wi-Fi networks, including a step-by-step guide on how they can switch off their Wi-Fi network encryption.[3] The aim of this action is to facilitate communications and rescue operations, and this request was retweeted 3039 times at the time of this writing. A similar request was reportedly made by the Italian National Geological Association and Lazio Region.[4] It is noteworthy that this is not the first time such a call has been made during a disaster response operation. In 2013, one NGO, Disaster Tech Lab, tweeted a call for people to open their Wi-Fi networks in the wake of the Boston bombing.[5] The tweet got minimal attention and was only retweeted 20 times, apparently because this organization is not as popular as the Red Cross.

While it was good news that the Internet functioned amidst the enormous damage caused by the Italian earthquake, the call to open up private Wi-Fi, though made with good intentions, may have risk implications for the privacy and information security of the residents. Although such concerns may appear trivial when weighed against the massive damage caused by the disaster and the need for the rescue operations to go on smoothly in the short term, the long-term effect of having unencrypted networks in the whole neighbourhood cannot be overlooked, especially if no conscious efforts are made in the post-response phase of the disaster to ensure that residents properly lock their networks again. As pointed out already by one commentator on Twitter, a malicious user in such cases could cause havoc for the owner of the network, such as: sending illegal communications through such an open network; downloading illegal material; breaking into all the computers on the network; controlling any Internet-connected device on the network and/or hacking them; as well as monitoring all communications traffic on the network.[6] The implications of the above may not be trivial,[7] especially as many of the residents may not have adequate knowledge of what an information security breach entails. The privacy implications of surveillance, when the network communications and devices are monitored without the owner’s knowledge, may be huge and could last for a long time.

Amidst these unprecedented calls, experts have suggested other, less intrusive alternatives, such as setting up a guest access point on the wireless network which may not require a password to log on.[8] This may not be easy for a good number of Wi-Fi owners to set up, and the risk is still not zero, because creating such access points may mean that the guest will use the owner’s traffic and might lock the account. Furthermore, the issues of responsibility and misuse, such as downloading illegal material, are still present. In Germany, for instance, the Federal Court of Justice ruled in the Sommer unseres Lebens decision[9] that the private owner of a WLAN has the duty to examine the internet connection for reasonable security measures against the risk of unauthorized use and copyright infringement, which, at the minimum, requires sufficient password protection on the network.[10] Although the recent ruling by the Court of Justice of the EU in Tobias Mc Fadden v Sony Music Entertainment Germany GmbH[11] indicates that a private person who provides free Wi-Fi could benefit from the mere conduit exemption under Article 12 (1) of the e-Commerce Directive, such a person is, in principle, not precluded from an injunction which requires him, on pain of payment of a fine, to prevent third parties from infringing copyright via his Internet connection through technical measures such as password-protecting the network. He may also be required to reveal the identity of users of his network.

To tackle this problem in the context of disaster management, a long-term solution is necessary: one that will be managed by the Internet Service Providers (ISPs) and that will be less cumbersome and risky for the end users. For example, a solution where the ISPs make Wi-Fi endpoints part of the end users’ Internet router.[12] Essentially, this means that the modem that the ISPs give their customers also functions as a router unit that may also be a public hotspot. In this scenario, the combined modem/router unit will create two separate Wi-Fi networks: one will be the home Wi-Fi network, while the other will serve as a “public” network where others, such as the emergency responders, could connect and access the Internet. In general, this feature allows any of the ISP’s clients to securely access the Internet through any of the ISP’s Wi-Fi endpoints, including the ones in individuals’ homes. Although the same physical hardware is utilized, this is considered an entirely separate connection, and the traffic coming from the public Wi-Fi network will not be counted against the home owner’s bandwidth cap. Besides, it is the ISP that authenticates the users of this public network and manages the isolation of people connected to the public network from the private Wi-Fi network. The ISPs have large security resources to secure the network as a whole.

This solution is already in place in some parts of the world. In Europe, ISPs such as Telenet, Proximus, BT, SFR, Fon, Telekom, free.fr, etc., have implemented this feature. In the US, Comcast’s XFINITY Wi-Fi also has it. Even though such services were not primarily developed for emergency situations, they could afford a more secure and less intrusive solution for accessing the Internet during disaster response operations.

On a broader scale, however, emergency response teams should proactively include Internet access policy in their activities. This will give them the opportunity to have a plan for Internet access during emergencies. There are existing platforms which could be currently utilized such as the global solution provided by emergency.lu[13] or by the Disaster Tech Lab’s Disaster Communication Services.[14] As rightly concluded by one commentator, “As the world becomes increasingly Internet-dependent, this discussion is not going to go away. With proper precautions in place, the Italian Red Cross’s initiative is admirable and even sensible, but in an emergency, depending on neighbors for vital communications isn’t a sustainable strategy.”[15]

 

Acknowledgment: Research leading to this blog received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 653748. www.carismand.eu

 

 

 

[1] https://www.theguardian.com/world/2016/aug/27/italian-earthquake-corrupt-builders-blamed

[2] http://emergency.lu/index.php/about/vision-principles

[3] https://twitter.com/crocerossa/status/768387275654885376

[4] http://www.bbc.com/news/technology-37186290

[5] https://twitter.com/DisasterTechLab/status/323927304172605441?ref_src=twsrc%5Etfw

[6] https://twitter.com/Cab4Now/status/768510122033311744

[7] http://www.howtogeek.com/132925/htg-explains-why-you-shouldnt-host-an-open-wi-fi-network/

[8] http://www.wired.com/2016/08/safely-open-wi-fi-network-disaster/

[9] https://openjur.de/u/32452.html

[10] https://www.2b-advice.com/LLC-en/Privacy-News/Training/n/5233/d-german-federal-court-of-justice-decides-on-security-measures-for-private-wlan-access

[11] http://curia.europa.eu/juris/document/document.jsf?text=&docid=183363&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=825214

[12] http://www.howtogeek.com/184727/your-home-router-may-also-be-a-public-hotspot-dont-panic/

[13] http://emergency.lu/

[14] http://disastertechlab.org/

[15] http://www.wired.com/2016/08/safely-open-wi-fi-network-disaster/

EVIDENCE kick off meeting in Florence

Once again, Nikolaus Forgó and Christian Hawellek attended a kick-off meeting for a new project called EVIDENCE. The meeting took place in Florence on the 24th and 25th of March 2014. EVIDENCE (full title: European Informatics Data Exchange Framework for Courts and Evidence) is an EU FP7 project with a duration of 30 months. The EVIDENCE consortium consists of 9 partners from 7 different European countries.


OPTIMIS Toolkit Year 2 version is now available for download!

The new version of the OPTIMIS Toolkit software has been released. You can now try this version of the software by registering and joining the TEST Program via the link below:

http://www.optimis-project.eu/toolkit-details

This software is the result of the EU-funded project called OPTIMIS (Optimized Infrastructure Services), where IRI is in charge of all the legal issues involved.

One of the key value propositions of the OPTIMIS Toolkit is that it helps service providers to make informed decisions regarding the most suitable deployment venues across any kind of cloud environment (e.g. federation, hybrid, private, etc.), supporting end-to-end security and compliance with data protection and green legislation.

If you want to have a clear understanding of what OPTIMIS does, we invite you to read the new version of the OPTIMIS white paper, which is available at the link below:

http://www.optimis-project.eu/content/optimis-team-releases-new-version-why-use-optimis-white-paper