1. ITU-T
Security and Privacy
International Cloud Symposium
Washington DC October 2012
Abbie Barbir, Ph.D.
Rapporteur, Q10/17
Identity Management Question
Abbie.barbir@ties.itu.int
International Telecommunication Union
2. ITU-T Objectives
International Telecommunication Union
Develop and publish standards for global ICT interoperability
Identify areas for future standardization
Provide an attractive and effective forum for the development of international standards
Promote the value of ITU standards
Disseminate information and know-how
Cooperate and collaborate
Provide support and assistance
3. ITU-T Key Features
Truly global public/private partnership
95% of work is done by private sector
Continuously adapting to market needs
Pre-eminent global ICT standards body
5. Personally Identifiable Information (PII)
Aspects of privacy and protection of PII data are a key concern to the ITU-T (SG 17).
Published Recommendations have identified security threats and provide guidelines in that area.
Recommendation ITU-T X.1171 identifies threats and requirements for PII protection in applications using tag-based identification.
Recommendation ITU-T X.1275 standardizes a possible privacy impact assessment (PIA) process for the entire RFID system.
Joint Coordination Activity on Internet of Things (JCA-IoT)
Focus Group on Machine-to-Machine Service Layer
6. SG 17 Questions involved in “privacy” studies
Question 3/17 “Telecommunications information security management”
Question 4/17 “Cybersecurity”
Question 6/17 “Security aspects of ubiquitous telecommunication services”
Question 7/17 “Secure application services”
Question 9/17 “Telebiometrics”
Question 10/17 “Identity management architecture and mechanisms”
Further candidate Questions could be
Question 8/17 “Cloud computing security”
Question 11/17 “Directory services, Directory systems, and public-key/attribute certificates”
7. Definitions of Privacy in ITU-T Recommendations
Privacy
ITU-T X.1252 (04/2010) “Baseline identity management terms and definitions”
The right of individuals to control or influence what personal information related to them may be collected, managed, retained, accessed, and used or distributed.
ITU-T Y.2720 (01/2009) “NGN identity management framework”
The protection of personally identifiable information.
8. Recommendation X.1171
Threats and requirements for protection of PII in applications using tag-based identification
Basic model of a B2C application
9. X.1171
Threats
PII infringement through information leakage
10. ITU-T X.1275
Guidelines on protection of personally identifiable information in the application of RFID technology
Privacy principles (based on privacy principles of: Council of Europe, EC Directive 95/46, EC Directive 2002/58/EC, OECD, and UNHCR)
Threats and infringements of PII in RFID
Typical RFID applications and possible threats to PII
Supply-chain management
Transportation and logistics
Healthcare and medical application
e-government
Information service
Guidelines on protection for personally identifiable information
11. X.1275
RFID applications and threats to PII
| Field | Typical applications | Information in RFID tag | Possible privacy threats |
|---|---|---|---|
| Supply chain | Inventory management | Product | Tracking, profiling of persons performing of inventory |
| Supply chain | Retail (e.g., supermarket) | Product | Tracking, profiling (after purchasing good) |
| Transportation and logistics | Public transportation ticket | User's ID, charging, etc. | Tracking, profiling |
| Transportation and logistics | Highway toll | User's ID, charging, etc. | Tracking, profiling |
| Transportation and logistics | Vehicle tracking | Product | Tracking, profiling |
| Transportation and logistics | Fleet/container management | Product | Tracking, profiling of persons handling of containers |
| Healthcare | Tracking patients | Patient's ID, medical history, etc. | Tracking, profiling, invisibility |
| Healthcare | Preventing medication errors | Patient's ID, medical history, prescription, etc. | Tracking, profiling |
| Healthcare | Blood or medicines tracking for anti-counterfeiting | Product | × |
| e-government | e-passport | People's ID, nationality, biometric | Tracking, profiling, counterfeiting PII |
| Information services | Smart poster | Product | × |
12. Other Work
X.gpim
Draft Recommendation: Guideline for management of personally identifiable information for telecommunication organizations
Big Data view
Scope
Provides a guideline for the management of PII in the context of telecommunications
Possibly joint work or liaison cooperation with ISO/IEC JTC 1/SC 27/WG 1
13. Summary
Internet-of-Things (IoT), ubiquitous sensor networks (USN), Machine-to-Machine (M2M) and network aspects of identification systems, including RFID (NID), play an important role in ITU-T’s standardization activities.
Various ITU-T Study Groups and ITU-T initiatives are addressing RFID/NID, IoT, USN and M2M, including the security aspects thereof; an initial suite of ITU-T Recommendations has already been developed in that domain and serves as a tool set for standard developers and implementers; yet the comprehensive subject is still emerging, and forthcoming drafts are in preparation by the ITU-T Global Standards Initiative (GSI-IoT), where those standards are being developed in cooperation among the experts.
Aspects of privacy and protection of PII (personally identifiable information) data are a key concern, and a first set of published ITU-T Recommendations has identified security threats and provides guidelines in that area.
Recommendation ITU-T X.1171 identifies threats and requirements for PII protection in applications using tag-based identification.
Recommendation ITU-T X.1275 standardizes a possible privacy impact assessment (PIA) process for the entire RFID system.
14. THANK YOU
For further information
http://www.itu.int/ITU-T
http://www.itu.int/ITU-T/studygroups/com17