
TTA activity on Cyber Security and Protection of PI/PII/LI 14 July, 2008 Heung-youl Youm, Sun Kim TTA, Korea DOCUMENT #:GSC13-PLEN-23 FOR:Presentation.


1 TTA activity on Cyber Security and Protection of PI/PII/LI, 14 July 2008. Heung-youl Youm, Sun Kim, TTA, Korea. DOCUMENT #: GSC13-PLEN-23; FOR: Presentation; SOURCE: TTA, Korea; AGENDA ITEM: Plenary; 6.3; CONTACT(S): Heung-youl Youm (hyyoum@sch.ac.kr), Sun Kim (skim@tta.or.kr); Submission Date: July 1, 2008

2 Highlight of Current Activities (1/4)
TC 5 is the Lead Technical Committee on information security; it is responsible for developing security standards and guidelines and for coordinating security activities across all Technical Committees. Its Project Groups (PGs) are:
– PG 501/5, Information Security Infrastructure
– PG 502/5, Personal Information Protection & Identity Management
– PG 503/5, Cyber Security
– PG 504/5, Application Security & IS Certification
– PG 505/5, Telebiometrics
– PG 506/5, Digital Rights Management
PG 502 in TTA is now developing standards and guidelines for protecting Personal Information (PI), Personally Identifiable Information (PII) and Location Information (LI) in Korea.

3 Highlight of Current Activities (2/4): Position & Role of each PG in TC5
– PG501/5, Information Security Infrastructure: cryptographic algorithms / key management; public key infrastructure; authentication / access control
– PG502/5, Private Information Protection & IdM: protection of privacy information and personal identifier information; user-, application- and network-level identity management
– PG503/5, Cyber Security: Internet/NGN security; vulnerability information sharing / incident handling; spam, traceback, digital forensics
– PG504/5, Application Security & IS Certification: application service security; Common Criteria / Information Security Management System; trusted cryptographic module; domain-specific security (IPTV, RFID/USN)
– PG505/5, Telebiometrics: interoperable transmission of biometric information; biometric information protection system; emigration/immigration control system; smart cards / IC cards
– PG506/5, DRM: unauthorized copy protection; DRM for ensuring IPR; interoperable DRM

4 Highlight of Current Activities (3/4): Organizational structure for the standardization
Before January 2008 (TC1: Common Infrastructure):
– PG.101 Information Security Infrastructure
– PG.102 Internet Security
– PG.103 Telebiometrics
– PG.110 Digital Rights Management
After January 2008 (TC5: Information Security):
– PG.501 Information Security Infrastructure
– PG.502 Personal Information Protection & IdM
– PG.503 Cybersecurity
– PG.504 Application Security & IS Certification
– PG.505 Telebiometrics
– PG.506 Digital Rights Management
The slide marks each PG as either a new PG or a continuation of an existing PG.

5 Highlight of Current Activities (4/4): Achievements and current activities for protection of PI/PII/LI
– Upstream contribution to ITU-T SG17:
  ITU-T X.1171, Framework for Protection of Personally Identifiable Information in Applications and Services Using Tag-Based Identification; consented April 2008, under the LC resolution process
  ITU-T X.rfpg, Guideline on protection for personally identifiable information in RFID applications; under development
  ITU-T X.idif, User control enhanced digital identity interchange framework; under development
– Domestic achievements:
  TTAS.KO-12.0053, Privacy Management Model based on the Life Cycle of Personal Information; approved December 2007
  TTAS.KO-12.0054, Framework for internet-Personal Identification Number Service; approved December 2007
  TTAS.KO-12.0055, Message Format for internet-Personal Identification Number Service; approved December 2007
– Downstream adoption:
  TTAS.KO-12.0051, The Platform for Privacy Preference; approved December 2007, adopted from W3C
  TTAE.IF-RFC3693, Geopriv Requirements; approved December 2007, adopted from IETF
  TTAE.IF-RFC3694, Threat Analysis of the Geopriv Protocol; approved December 2007, adopted from IETF

6 Strategic Direction
TTA's standardization activities in this area will be carried out in coordination with global SDOs, especially ITU-T. In particular, TTA PG502 will focus on developing standards or guidelines in the following areas:
– identity management;
– protection of personal information and personally identifiable information;
– protection of location information.
TTA will focus on three types of activity: upstream contribution, downstream adoption and domestic standardization:
– For upstream contribution, TTA continues to submit contributions in this area to ITU-T;
– For downstream adoption, TTA continues to adopt suitable international standards developed by global SDOs to complement domestic standards;
– For domestic standardization, TTA continues to develop domestic standards that are closely related to Korea's regulation.

7 Challenges (1/2)
A series of hacking incidents has resulted in massive leakage of personal information stored by web-based companies:
– For instance, Auction, a subsidiary of the world's largest on-line auction company eBay and Korea's number one on-line company with 18 million registered users, leaked the personal information of more than ten million registered users in a hacking incident in early February 2008. As reported in April 2008, more than 90 percent of the leaked data consisted of names, registered IDs and resident registration numbers.
Many applications, such as location-based services, navigation applications, emergency services and other location-dependent services, need geographic location information about a target (a user, resource or other entity). There is a need to securely gather and transfer location information for location services while at the same time protecting the privacy of the individuals involved.

8 Challenges (2/2)
The widespread deployment of identification tags (including RFID tags) raises privacy concerns because RFID technology can automatically collect (and process) data, with the possible disclosure of such data to the public, deliberately or accidentally.
Web sites request the resident registration number when a user signs up. The resident registration number encodes privacy-relevant information such as birth year, month and day, sex, and birth place, so any leakage of this number is a privacy infringement. Therefore, a new ID management system should be developed so that web sites do not need to request a user's resident registration number.

9 Next Steps/Actions
TTA will continue to contribute to global SDO activities by submitting contributions to ITU-T SG17 in this area, especially on the protection of private information. TTA will support the development of domestic standards for the protection of PI, PII and location information, which have regulatory implications in this area. Recently, the Korean government has required web sites with more than a certain number of registered users to use an i-PIN (Internet Personal Identification Number), a Korean-style ID management system, when a user signs up. Its aim is to replace the resident registration number with an i-PIN, which is genuinely pseudorandom and carries no private information about the user. TTA will therefore develop domestic standards for the next model of the i-PIN system to overcome the current drawbacks.
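The following Python model illustrates the point of slides 8 and 9: a resident registration number (RRN) is itself a record of birth date and sex, so a web site that stores it leaks those facts in every breach, whereas a pseudorandom i-PIN issued by an authentication agency discloses nothing. This is an added example, not TTA or i-PIN code. It assumes the publicly documented RRN layout (six digits YYMMDD, a hyphen, then seven digits whose first digit encodes century and sex; the region and check digits are not decoded here), models the three i-PIN stakeholders named on the slides (user, ISP and Authentication Agency) in a simplified form, and chooses to issue a different pseudonym per ISP so that two sites cannot link accounts; that per-site choice is this model's assumption, not a statement about the real i-PIN scheme. The sample RRN is constructed.

```python
"""Why an RRN is PII and how an i-PIN-style pseudonym avoids leaking it.

Added illustration, not TTA or i-PIN code. The RRN layout modelled here
(YYMMDD-SNNNNNN, where S encodes century and sex) is the publicly
documented format; region and check digits are ignored. The agency and
web-site classes are a simplified model of the user / ISP /
Authentication Agency roles, with a per-ISP pseudonym as a design choice.
"""
import re
import secrets
from datetime import date

RRN_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})-?(\d)(\d{6})$")

# First digit after the hyphen: (century of birth, sex). Digits 5-8 are
# used for foreign nationals and are not handled in this simplified model.
_CENTURY_SEX = {
    "1": (1900, "male"), "2": (1900, "female"),
    "3": (2000, "male"), "4": (2000, "female"),
}


def decode_rrn(rrn: str) -> dict:
    """Recover the personal facts a bare RRN discloses to anyone who sees it."""
    m = RRN_RE.match(rrn)
    if not m:
        raise ValueError("not an RRN-shaped string")
    yy, mm, dd, flag, _serial = m.groups()
    if flag not in _CENTURY_SEX:
        raise ValueError("unsupported century/sex digit %s" % flag)
    century, sex = _CENTURY_SEX[flag]
    birth = date(century + int(yy), int(mm), int(dd))  # also validates the date
    return {"birth_date": birth.isoformat(), "sex": sex}


class AuthenticationAgency:
    """Holds the real identity; hands each ISP only a pseudorandom i-PIN."""

    def __init__(self) -> None:
        self._users = {}   # rrn -> real identity data (stays with the agency)
        self._ipins = {}   # (rrn, isp_id) -> i-PIN issued for that ISP

    def register(self, rrn: str, name: str) -> None:
        decode_rrn(rrn)    # reject malformed input before storing it
        self._users[rrn] = {"name": name}

    def issue_ipin(self, rrn: str, isp_id: str) -> str:
        """Return the stable i-PIN for this user at this ISP, minting it once."""
        if rrn not in self._users:
            raise PermissionError("identity not verified by the agency")
        key = (rrn, isp_id)
        if key not in self._ipins:
            # 128 bits from the OS CSPRNG: no birth date, sex or region
            # is encoded, so the value cannot be decoded, only looked up
            # by the agency that issued it.
            self._ipins[key] = secrets.token_hex(16)
        return self._ipins[key]


class WebSite:
    """An ISP in the i-PIN sense: stores the pseudonym, never the RRN."""

    def __init__(self, isp_id: str, agency: AuthenticationAgency) -> None:
        self.isp_id = isp_id
        self.agency = agency
        self.accounts = {}  # ipin -> account data; no RRN column exists

    def sign_up(self, rrn: str, username: str) -> str:
        ipin = self.agency.issue_ipin(rrn, self.isp_id)
        self.accounts[ipin] = {"username": username}
        return ipin


def leaks_pii(record_key: str) -> bool:
    """True if a stored account key can be decoded into birth date and sex."""
    try:
        decode_rrn(record_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample_rrn = "900101-1234567"   # constructed sample, not a real number
    print("RRN discloses:", decode_rrn(sample_rrn))

    agency = AuthenticationAgency()
    agency.register(sample_rrn, "constructed user")
    shop = WebSite("shop.example", agency)     # hypothetical ISP names
    bank = WebSite("bank.example", agency)
    ipin_shop = shop.sign_up(sample_rrn, "alice")
    ipin_bank = bank.sign_up(sample_rrn, "alice")
    print("shop stores:", ipin_shop, "leaks PII:", leaks_pii(ipin_shop))
    print("bank stores:", ipin_bank, "same as shop:", ipin_shop == ipin_bank)
```

A breach of `WebSite.accounts` yields only opaque tokens; the RRN-to-identity mapping lives solely at the agency, which is exactly the asset that must be protected in an i-PIN deployment.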

10 Proposed Resolution - Summary
There is still much room for developing global standards that protect users or targets against privacy infringement, especially of PI (Personal Information), PII (Personally Identifiable Information) and location information. It is therefore necessary for global SDOs to strengthen their activities to develop a set of standards or guidelines that protect private information, PII and location information from cyber attacks. In addition, the privacy impact should be considered whenever new IT protocols or services are introduced, designed or standardized.

11 Supplemental Slides

12 Relationship between the PGs and Global SDOs
TTA TC 5 Project Groups: PG 501 Information Security Infrastructure; PG502 Private Information Protection & IdM; PG503 Cybersecurity; PG504 Application Security and CC; PG505 Telebiometrics; PG506 Digital Rights Management.
Counterpart groups in ITU-T SG17, SG13 and other bodies:
– Q.D/17 Directory Services, Directory Systems, and Public-key/Attribute Certificates
– Q.I/17 Telecommunications Systems Security Project
– Q.J/17 Security Architecture and Framework
– Q.K/17 Cybersecurity
– Q.L/17 Identity Management Architecture and Mechanisms
– Q.M/17 Telecommunications Information Security Management
– Q.N/17 Telebiometrics
– Q.O/17 Security Aspects of Ubiquitous Telecommunication Services
– Q.P/17 Secure Application Services
– Q.Q/17 Countering Spam by Technical Means
– Q.T/17 Service Oriented Architecture Security
– Q.15/13 NGN Security and Network IdM
– ISO/IEC JTC1/SC17, SC27, SC31, SC37
– IETF Security Area

13 Summary of Achievements in the area of Protection of PI/PII/LI since GSC12 (1/3): Upstream contribution to ITU-T SG17
– ITU-T X.1171, Framework for Protection of Personally Identifiable Information in Applications and Services Using Tag-Based Identification; consented April 2008, under the LC resolution process. This Recommendation describes a number of Personally Identifiable Information (PII) infringements in applications and services using tag-based identification, and requirements for PII protection. In addition, it provides a framework for a PII protection service based on a PII policy profile.
– ITU-T X.rfpg, Guideline on protection for personally identifiable information in RFID applications; under development. This Recommendation recognizes that, as RFID greatly facilitates access to and dispersion of information pertaining specifically to the merchandise that individuals wear and/or carry, it also creates an opportunity for the same information to be abused for tracking an individual's location or invading their privacy in a malfeasant manner. For this reason the Recommendation provides guidelines and best practices for RFID procedures that service providers can use to gain the benefits of RFID while protecting personally identifiable information.
– ITU-T X.idif, User control enhanced digital identity interchange framework; under development. This Recommendation defines a framework covering how globally interoperable digital identity interchange can be achieved and how an entity's privacy is enhanced by giving the entity more control over the identity interchange process. In addition, it defines the general and functional requirements that the framework should satisfy. Based on these requirements, a framework is defined with basic functional building blocks for identity interchange and for enhancing entity control.

14 Summary of Achievements in the area of Protection of PI/PII/LI since GSC12 (2/3): Domestic contribution
– TTAS.KO-12.0053, Privacy Management Model based on the Life Cycle of Personal Information; approved December 2007. This standard gives basic definitions related to personal information and classifies personal information by importance. It specifies security requirements that help an IT service provider manage personal information securely when collecting, storing, using and destroying it, and describes various causes of privacy infringement together with countermeasures.
– TTAS.KO-12.0054, Framework for internet-Personal Identification Number Service; approved December 2007. This standard defines the components and functions of the i-PIN service framework that an Authentication Agency offers to an ISP, and describes the whole i-PIN service process.
– TTAS.KO-12.0055, Message Format for internet-Personal Identification Number Service; approved December 2007. This standard defines the message format for the inbound and outbound personal information exchanged between the Authentication Agency and the ISP, among the i-PIN service stakeholders: the user, the ISP and the Authentication Agency.

15 Summary of Achievements in the area of Protection of PI/PII/LI since GSC12 (3/3): Downstream adoption
– TTAS.KO-12.0051, The Platform for Privacy Preference; approved December 2007, adopted from W3C. This standard is based on W3C P3P v1.1. It defines the policy syntax and semantics, the compact policy and the data schema of P3P.
– TTAE.IF-RFC3693, Geopriv Requirements; approved December 2007, adopted from IETF. This standard defines the security requirements for protecting the privacy of a location object gathered and transferred by location-based and location-dependent services.
– TTAE.IF-RFC3694, Threat Analysis of the Geopriv Protocol; approved December 2007, adopted from IETF. This document analyzes threats against the Geopriv protocol and architecture for location-based and location-dependent services. Security properties that counter these threats are enumerated as a reference for the Geopriv requirements.
