1. Trust and the Web George Metakides Veria December 11 2009

2. Trust undelries the foundations of Civilization Agricultural Industrial Information…. 21st 19th-20th 15th 3000 B.C. Writing Electricity Τelephony Τelevision Printing Internet

3. Cryptography : Security(how to tell a secret) The Caesar Cipher abcdefghijklmnopqrstuvwxyz k=4 defghijklmnopqrstuvwxyzabc DwwdfnQrz (Suetonius : (De Vita caesarum ,2ndcent.a.d.)

4. Electricity : Safety 1880 First Applications (factories) Few houses(lighting) Lack of Trust ! 1920 Invasion of households (appliances) Integrated everywhere « Reasonable» trust TodayThe Internet/Web is around…1900 !

5. Cryptography(how to tell a secret) The Caesar Cipher abcdefghijklmnopqrstuvwxyz k=4 defghijklmnopqrstuvwxyzabc DwwdfnQrz (Suetonius : (De Vita caesarum ,2ndcent.a.d.)

7. Commerce,governance,entertainment

8. Education /Learning

10. Issues at stake Network Security – Threats System Safety – Software Privacy –Personal Data Data Authenticity /Integrity

11. Issues at stake Network Security – Threats System Safety – Software Privacy –Personal Data

12. Network securityEvolution of threats courtesy

13. Security in Converged Networks (inherited problems / inherited solutions?) Multi Play Multi Play a la carte Eavesdropping Masquerading VoIP ISPs CABLE MOBILE NETWORKS FIXED NETWORKS VNOs NGN/IMS Denial of Serice Service fraud

16. 75-90% of Upstream Traffic is P2P

17. Traditionally, client requests accommodated by caching

18. Computation is moving to the edge of the network to aggregate, synthesize and filter data

19. The massive deployment of smart, networked sensors will dramatically affect network volume and traffic patterns

21. Types inwww.bank.com

22. DNS request goes to ISP

23. DNS points to the firewall of the bank

25. Client starts browser for home banking

26. Types inwww.bank.com

27. DNS request goes to ISP

28. DNS points to the server of hacker

29. Hacker simulates the websites of the bank

30. Client tansfers PIN & TAN

31. Hacker got PIN & aunusedTANHacker ISP DNS 186.47.3.63 Webservices Home banking

33. UPS will provide power for 24 hours

35. Call Server shutdown

37. Issues at stake Network Security – Threats System Safety – Software Privacy –Personal Data

39. Financial Transactions

40. Critical Infrastructures

41. “Verification”;

42. Insurance

43. The Economics of Safety!Safety metrics ? Safety “Seal of Approval” What is “satisfacory” ?

45. Issues at stake Network Security – Threats System Safety – Software Privacy –Personal Data

46. Privacy and Personal data Companies: Customer profiling Governments: Service provision and … Google street ,Webcams ,Facebook ,You Tube … Options for users(opt-in / opt-out) Data retention Data deletion Νew legislation

47. Thank you!

48. Investing in Security How much should organizations spend on information security? Governments, vendors say: much more than at present (But they’ve been saying this for 20 years!) Measurements of security return-on-investment suggest current expenditure may be about right ! “negative “ incentives just starting (regulatory framework, fines ). Benefits for early adopters elusive.

49. Security Market ROI + - Coming…. Liability as an Incentive Class actions? We are here

50. But Reality is pressing ! Internet security Code red ICT Systems Security Le cyber-espionnage économique entre dans le Top 3 des menaces Grosse faille du web, et solution en chemin Cyberwar and real war collide in Georgia Revealed: 8 million victims in the world's biggest cyber heist Critical infrastructures open to attack, says study YouTube case opens can of worms on online privacy Privacy La colère associative monte contre Edvige, le fichier policier de données personnelles Phorm to use BT customers to test precision advertising system on net (Aug) Google To Slice Existing 18 Month Data Retention Period In Half Big Brother Spying on Americans' Internet Data? Trust The dangers of cloud computing Lesson From a Crisis: When Trust Vanishes, Worry Internet key to Obama victories (Apr) Article 29 Working Party of EDPOs: the EU’s Data Protection Directive generally applies to the processing of personal data by search engines, even when their headquarters are outside the EU

51. Trust and Society Trustworthy systems and practices play important role in democratic our society: legal code, institutions, moral code, reliable technology, … It took generations to build our democratic values – Europe must nurture them into the digital age.

52. EU Legal framework on Data protection and Privacy and Technology DP Directive: 95/46/EC, Privacy Directive:2002/58/EC Personal Data: information relating to an identified or identifiable person Scope: Material: which information and processes addressed Personal: which roles (data controller, processor, subject) Territorial: applicable law, cross-border data transfer Issues: Linked data, smart data mining and Personal Data Accountability and transparency of controller and processor; need for technology support Risk assessment and user control, need for technology support

54. Role of end-users

56. “Economics of security”

57. Policies for privacy-respecting Trust and Identity?

58. Security, privacy, identity

59. Protection of human values

60. Transparency, accountability

61. Auditing and Law enforcementPolicy & Regulation Security, Privacy, Trust Interplay in the Information Society

62. Game Machine DVC STB TV PC e t Audio r c a a Energy Networks m p DVD S Telephone S Future Internet Digital Living eHealth & Health networks Transport Networks Trusted & Smart “everything”

63. RISEPTIS Advisory Board Research and Innovation in SEcurity, Privacy and Trustworthiness in the Information Society Objective: provide visionary guidance on policy and research challenges in the field of security and trust in the Information Society. Chair: George Metakides (U Patras, CTI) Members: Dario Avallone(Engineering), Giovanni Barontini (Finmeccanica), Kim Cameron (Microsoft), William Dutton (Oxford Internet Institute), Anja Feldmann (Deutsche Telekom), Laila Gide (Thales), Carlos Jimenez (Secuware), Willem Jonker (Philips), Mika Lauhde (Nokia), Sachar Paulus (U. Brandenburg, ISSECO), Reinhard Posch (CIO GOV. Austria, TU Graz, A-SIT), Bart Preneel (KU Leuven), Kai Rannenberg (U. Frankfurt, CEPIS), Jacques Seneca (Gemalto); Observer: Peter Hustinx (Observer)Support: Willie Donnelly (WIT), Keith Howker (WIT), Sathya Rao (Telscom), Michel Riguidel (ENST), Neeraj Suri (U. Darmstadt) Jacques Bus, Thomas Skordas, Dirk van Rooy (EC)

64. RISEPTIS Mission and Objectives Mission: develop a European vision on research and policy for trustworthiness in the future Information Society Policy http://www.think-trust.eu/riseptis.html Research Personalised Services Future Internet Trustworthiness Input to: Two sides: “User Centricity”: From Principles to Action!

68. Recommendation 2: The EC should support concrete initiatives that bring together technology, policy, legal and social-economic actors for the development of a trustworthy Information Society. Trust and Trustworthiness is the basis for economic and social transaction It will facilitate economic growth and a stable society Transpose old social values into digital space, by building platforms and tools to help citizens, enterprises and public organisations to measure trust, control assets and data Partnership for “Trust in Digital Life”initiated by Gemalto, Microsoft, Nokiaand Philips

69. Recommendation 3: The EC, together with the Member States and industrial stakeholders, must give high priority to the development of a common EU framework for identity and authentication management Federative, based on MS’s eID systems Compliant with legal frameworkon data protection and privacy Based on “Laws of Privacy”(user control, minimal disclosureconstraint use, justifiable parties, …) Facilitating full spectrum: public admin, banking with strong authentication simple web activities in anonymity

70. Recommendation 4: The EC should work towards the further development of the EU data protection and privacy legal frameworks as part of an overall consistent ecosystem of law and technology Data breach notification extended Definition of personal data Strengthen accountability & transparency tools Consider consumer & liability laws Part of an overall policy that should be closely interlinked with technology progress Continuity, usability, trustworthiness and user-centric privacy protection are essential

71. Recommendation 5: The EC together with industrial and public stakeholders should develop large-scale actions towards building a trustworthy Information Society Europe has: long-established social trust, scientific and technology capacities well-developed industrial and service structures Large-scale projects are needed to take advantage of these strengths Develop a techno-legal ecosystem for trust, security and privacy, that is amenable globally

72. Recommendation 6: The EC should recognise that, in order to be effective, it should address the global dimension and foster engagement in international discussions Global Open Standards Federated frameworks forinteroperability (travel and ID) Global Law Enforcement in theInternet Consumer protection for use of global e-services Privacy and data protection in global data exchange With respect for local cultures

73. Trustworthiness An Interdisciplinary Approach Internet/Web Engineering SW Systems Networks Critical Infrastuctures Citizens Society Regulation Multi-disciplinary! Trustworthiness andWeb Science

75. De-centralised Information Systems

76. Semantic Web

77. Linked Data

79. Networks

80. Statistics

82. Architectures

83. Accessibility

84. Security

86. Macro and Micro economics

87. Auction models

90. Inference

91. Bayesian Methods

93. EU/regulatory drivers

94. Public engage vs indifferent

96. Cognitive properties

97. Human Information Processing

99. Anti-corporate

100. ‘Open source’ values

101. New trust matrix: NGOs

102. Ethical consumers

104. Systems biology

106. Journalism

107. Single issue moral panics

108. Smart mobs

110. Theory of groups

111. Social networks

113. Ecosystem Productivity

114. Population Dynamics

116. Democratic mechanisms…Nigel Shadbolt Web Science

118. How to understand trust in the age of the Web?

119. How does trust influence activity in the Digital Economy and e-Gov?

120. Balance between social and technical solutions to these problems?

121. The role of security and privacyPhoto Credit Yuri Arcurs

122. 42 Trust 101 X trusts Y Meaningless: trust can only be understood in the context of trustworthiness Trustworthiness is a property of Y Y is trustworthy = she represents her intentions and motivations accurately Trust is an attitude of X X trusts Y = X believes that Y is trustworthy Trust is a 3-way relation – includes a context X trusts Y to do P

123. 43 The Disconnect X benefits from Y being trustworthy BUT only controls his trust Y benefits from X’s trust BUT only controls her trustworthiness Fundamental, ineradicable uncertainties of cooperative behaviour

124. 44 The Essential Problem of Trust NOT: How can we increase trust? BUT: How can we causally connect trust and trustworthiness so that we trust someone if and only if they are trustworthy?

125. 45 Costs & Benefits of Trust

126. 46 3 Sources of Uncertainty Y sends signals of her trustworthiness Are the signals accurate? Is Y gaming the signal system? Period of time between X investing resources and Y delivering performance X cannot act until Y is proven to have defected Possibility of X applying sanctions to Y Will sanctions be effective? Can X apply them to Y? All these three exacerbated by the Web Connected world by jvwarehouse on Photobucket

127. 47 Signalling on the Web Dramatic reduction in bandwidth compared to offline transactions New conventions, not widely understood Trust distributed across many types of agent Human Software agent Website Organisation Distributed coalition Knowledge source Protocol Infrastructure Image technexus.com

128. 48 Time on the Web Digital information can be copied or transferred at speed of light E-crime is instantaneous Reputation information is backward-facing Provides no certainty about future behaviour World At Work by Theo Deutinger

129. 49 Sanctions on the Web Uncertain identity Uncertain jurisdiction Fewer repeat transactions More one-shot interactions

130. Content on the Web Provenance – what, who, when and where Much valuable content is authorless What is the role of government public data and what is its value? 50 Web Science research issue: Does open public data increase trust?

131. Online Institutions Traditional Solutions Physical Institutions Reputation management Note: Solutions can only be partial Decentralised Web makes institutions hard to set up Problems of enforcement Online institutions also suffer from problems of jurisdiction, low bandwidth (compared to offline) Systemic risk Usability issues (e.g. PKI) 51 Web Science research issue: how to design institutions for certifying trustworthiness and promoting trust

132. 52 Online Reputation Assembly of historical data How to stop changes of identity How to interpret ratings Is the reputation for the buyer’s convenience? He uses historical data to estimate future trustworthiness Uncertain Is it for the seller’s convenience? She wants to preserve her reputation Only works if she wants to interact again in the future Web Science research issue: how best to represent and manage reputation, and understand its significance for buyer and seller

133. 53 The Dark Side Not all trust is good Criminal fraternity have low-risk solutions to trust problem Auction sites for selling identities, credit cards etc Fast assembly of short-term criminal coalitions Web Science research issue: how can we disrupt trust (increase mistrust) in degenerate systems

134. 54 Which Way Round? Does trustworthiness cause trust? Y proves her trustworthiness via certificates, behaviour, qualifications etc Weber Does trust cause trustworthiness? X trusts Y and accepts her into his moral community Y learns trustworthy behaviour Durkheim Web Science research issue: understand the causal direction of the relation

135. 55 Changes in Attitude early Web: trust => trustworthiness Assumption of good faith Knowledge sharing tool middle Web: trustworthiness => trust E-commerce Security/identity infrastructures Current Web: trust <=> trustworthiness Elements of both Social networking Generational issues

136. 56 Role of Web Science Clearly a problem with social and technological aspects How does offline behaviour transfer to the Web? How do we cope with the lowered information bandwidth? What new forms of behaviour have arrived? How can infrastructure be designed? Usability Effectiveness

138. develop the framework and institutions needed to govern interactions in the digital ecology

139. understand the balance role of the social and the technicalImage courtesy IET

140. Trusta Web Science Perspective Understanding trust in the age of the Web is about Technology Sociology Psychology Economics Law It is about Web Science

141. Technology evolutions New generations of threats to trust as well ! Fiber optics : High data-rate & Massive (flows, data, services) Radio : Pervasive : Ubiquity => cooperation Software : Diversity => Complex, heterogeneous Linked Data / Semantic Search Peer to Peer / Cloud 59

142. Governance, Management issues Trust Management Designing security policies and process -- Identity Management (Multiple identities?) Data Archive : auditability, signature of contracts Communication: security of exchanges Software Threats and Vulnerability Management Monitoring activities and events Benchmarking Supervision, observation, Recording :Measuring ! 60

144. The Semantic web and beyond

145. The Internet /Web of things

146. Trustworthiness as a prerequisite and driver

147. Social –Economic- Legal – Technical Issues all bound up[www.aquarium-berlin.de]

148. Thank You !