Trust and the web veria 11 12- 09

George Metakides Veria December 11 2009 Trust and the Web


Transcript of Trust and the web veria 11 12- 09

Page 1: Trust and  the web  veria  11 12- 09

George Metakides, Veria

December 11 2009

Trust and the Web

Page 2: Trust and  the web  veria  11 12- 09

Trust underlies the foundations of civilization

[Figure: timeline of eras and the technologies they rest on: Agricultural (writing, 3000 B.C.); Printing (15th century); Industrial (19th-20th century: electricity, telephony, television); Information (21st century: Internet…)]

Page 3: Trust and  the web  veria  11 12- 09

Cryptography: Security (how to tell a secret)

• The Caesar Cipher
• abcdefghijklmnopqrstuvwxyz
• k=4
• defghijklmnopqrstuvwxyzabc
• Dwwdfn Qrz

(Suetonius: De Vita Caesarum, 2nd cent. A.D.)
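An added example, not part of the original slides, that implements the slide's cipher and then recovers the key by exhaustion. The slide's alphabet row maps a to d, i.e. a shift of three positions, which is the shift the code uses to reproduce "Dwwdfn Qrz"; the English letter-frequency table is an assumed standard one embedded only to rank candidate plaintexts.

```python
"""Caesar cipher from the slide, plus brute-force key recovery.

Added example, not from the original deck. The slide labels the key k=4 but
its alphabet row maps a -> d, a shift of three positions; that shift
reproduces the slide's ciphertext "Dwwdfn Qrz" from "Attack Now".
"""
import math

# Approximate English letter frequencies in percent (assumed table,
# used only to rank candidate plaintexts).
FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23,
    "g": 2.02, "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03,
    "m": 2.41, "n": 6.75, "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99,
    "s": 6.33, "t": 9.06, "u": 2.76, "v": 0.98, "w": 2.36, "x": 0.15,
    "y": 1.97, "z": 0.07,
}


def caesar_shift(text: str, shift: int) -> str:
    """Rotate each letter by `shift` positions (mod 26), preserving case;
    spaces and punctuation pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, shift: int) -> str:
    return caesar_shift(plaintext, shift)


def decrypt(ciphertext: str, shift: int) -> str:
    return caesar_shift(ciphertext, -shift)


def log_likelihood(text: str) -> float:
    """Sum of log P(letter) under the English table: higher means the
    text looks more like English. Non-letters are ignored."""
    return sum(math.log(FREQ[ch] / 100) for ch in text.lower() if ch in FREQ)


def brute_force(ciphertext: str) -> list:
    """Try all 25 non-trivial shifts and return (shift, plaintext) pairs,
    most English-looking first. With only 25 keys the cipher offers no
    secrecy against anyone who knows the method (Kerckhoffs' principle)."""
    candidates = [(s, decrypt(ciphertext, s)) for s in range(1, 26)]
    candidates.sort(key=lambda c: log_likelihood(c[1]), reverse=True)
    return candidates


if __name__ == "__main__":
    ct = encrypt("Attack Now", 3)
    print(ct)  # Dwwdfn Qrz
    for shift, pt in brute_force(ct)[:3]:
        print(shift, pt)
```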

Page 4: Trust and  the web  veria  11 12- 09

Electricity: Safety

• 1880: first applications (factories); few houses (lighting); lack of trust!
• 1920: invasion of households (appliances); integrated everywhere; «reasonable» trust

Today the Internet/Web is around… 1900!

Page 5: Trust and  the web  veria  11 12- 09

Cryptography (how to tell a secret)

• The Caesar Cipher
• abcdefghijklmnopqrstuvwxyz
• k=4
• defghijklmnopqrstuvwxyzabc
• Dwwdfn Qrz

(Suetonius: De Vita Caesarum, 2nd cent. A.D.)

Page 6: Trust and  the web  veria  11 12- 09

WWW: the explosion raises new trust issues

• users – sites – searches
• commerce, governance, entertainment
• education / learning
• political priority

black on black routes and the missing .mil, .gov.

Page 7: Trust and  the web  veria  11 12- 09

And it is only the beginning !

[Figure: evolution-of-the-Web chart, plotted on axes "Connections between people" and "Connections between information"; eras: PC Era (1980-1990), Web 1.0 (1990-2000), Web 2.0 (2000-2010), Web 3.0 (2010-2020), Web 4.0 (2020-2030); labels include The PC, PCs, Windows, MacOS, File Systems, File Servers, Databases, SQL, BBS, USENET, FTP, IRC, Gopher, SGML, The Internet, The Web, HTTP, HTML, Websites, Keyword Search, Directory Portals, Email, Java, Javascript, Flash, Groupware, XML, SOAP, P2P, MMOs, Social Web, Social Networking, Social Media Sharing, Weblogs, Wikis, RSS, ATOM, AJAX, Mashups, Widgets, Lightweight Collaboration, Office 2.0, SaaS, OpenID, RDF, OWL, SPARQL, SWRL, Semantic Web, Semantic Search, Semantic Databases, Distributed Search, Web OS, Intelligent Web, Intelligent personal agents, VR]

Page 8: Trust and  the web  veria  11 12- 09

Issues at stake

• Network Security – Threats
• System Safety – Software
• Privacy – Personal Data
• Data Authenticity / Integrity

Page 9: Trust and  the web  veria  11 12- 09

Issues at stake

• Network Security – Threats
• System Safety – Software
• Privacy – Personal Data

Page 10: Trust and  the web  veria  11 12- 09

Network security: evolution of threats

[Figure: evolution of threats (courtesy)]

Page 11: Trust and  the web  veria  11 12- 09

Security in converged networks (inherited problems / inherited solutions?)

[Figure: VoIP, ISPs, cable, fixed networks and mobile networks, VNOs, multi-play and "à la carte" offerings converging on NGN/IMS]

Page 12: Trust and  the web  veria  11 12- 09

Example: Mobile Security

IP-based 3G/4G mobile networks increase mobile operators’ exposure to risks from:

• The proliferation of connections to untrusted external networks
• Open systems, protocols and applications that are more “vulnerable” to worms, viruses and DDoS attacks
• Proliferation of mobile devices
• Peer-to-peer applications

Page 13: Trust and  the web  veria  11 12- 09

The Weakest Link .... DNS

[Figure: bank clients reach the home-banking web services (www.bank.com, 176.43.2.54) in the bank's DMZ / service network across Internet and wireless links; the ISP's DNS and the hacker sit in between; a second web server is labelled 186.47.3.63]

Normal operation:
• Client starts browser for home banking
• Types in www.bank.com
• DNS request goes to ISP
• DNS points to the firewall of the bank
• Firewall redirects the packets to the web server

Attack:
• Hacker changes DNS table of the ISP server
• Client starts browser for home banking
• Types in www.bank.com
• DNS request goes to ISP
• DNS points to the server of the hacker
• Hacker simulates the websites of the bank
• Client transfers PIN & TAN
• Hacker got PIN & an unused TAN
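The ISP-side DNS table change in the scenario above can be caught from the monitoring side, as in this added example (not from the deck). The names and addresses are the slide's; the log format, the pinned expected-answer list, and the attribution of 186.47.3.63 to the hacker's server are assumptions constructed for the example.

```python
"""Detecting the slide's ISP-resolver poisoning from DNS answer logs.

Added example, not from the original deck. www.bank.com -> 176.43.2.54 is
the legitimate record on the slide; 186.47.3.63 is taken here to be the
hacker's server (assumption). The log format is constructed.
"""
import re

# Expected answers for high-value names, e.g. pinned from the bank's own
# published records (assumption: a monitoring team maintains this list).
PINNED = {"www.bank.com": {"176.43.2.54"}}

# Constructed sample of resolver answer logs: the first two lines are normal,
# the third is the ISP resolver handing out the hacker's address.
SAMPLE_LOG = """\
2009-12-11T09:58:01 resolver=isp name=www.bank.com type=A answer=176.43.2.54
2009-12-11T09:58:02 resolver=independent name=www.bank.com type=A answer=176.43.2.54
2009-12-11T10:03:07 resolver=isp name=www.bank.com type=A answer=186.47.3.63
2009-12-11T10:03:08 resolver=independent name=www.bank.com type=A answer=176.43.2.54
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) resolver=(?P<resolver>\S+) name=(?P<name>\S+) "
    r"type=A answer=(?P<answer>\S+)$"
)


def parse_log(log_text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_anomalies(log_text: str) -> list:
    """Return alerts as (kind, timestamp, resolver, name, answer).

    'unexpected': the answer for a pinned name is outside its pinned set.
    'drift': a resolver's answer differs from the first answer that same
    resolver gave for the name. The baseline is first-seen and never
    updated, so a legitimate re-addressing must be handled by refreshing
    PINNED and restarting the baseline rather than silently accepted.
    """
    alerts = []
    baseline = {}  # (resolver, name) -> first answer seen
    for rec in parse_log(log_text):
        name, answer, resolver, ts = rec["name"], rec["answer"], rec["resolver"], rec["ts"]
        if name in PINNED and answer not in PINNED[name]:
            alerts.append(("unexpected", ts, resolver, name, answer))
        first = baseline.setdefault((resolver, name), answer)
        if answer != first:
            alerts.append(("drift", ts, resolver, name, answer))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(*alert)
```

The client-side counterpart is TLS server-certificate validation: a server impersonating www.bank.com cannot present a certificate issued for that name, so the monitoring check above complements that control rather than replacing it.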

Page 14: Trust and  the web  veria  11 12- 09

The Weakest Link .... SNMP

[Figure: VoIP server, UPS and client on a LAN; UPS and server exchange SNMP; a VoIP conversation is in progress]

Normal operation
• Power failure
• UPS will provide power for 24 hours
• After 24 hours UPS will send SNMP trap to call server: SHUTDOWN

SNMP spoofing
• Internal user will spoof the UPS SNMP trap
• Call server shutdown
• TELEPHONE SYSTEM GOES DOWN !!!!!

Page 15: Trust and  the web  veria  11 12- 09

Ever more wireless?

• GSM phone connections represent 60% of the world’s population
• 84% market share
• GSM networks migrating rapidly to WCDMA
• 50% of all mobile terminals will be “WiFi” enabled by 2010
• NFC (e.g. RFIDs) in > 30% of mobile phones in 2010
• Banking / Micropayments / Location Based Services
• 4 billion mobile users in 2008? How many Internet enabled?
• Security problems explode!

By 2010, 60% of the world’s mobiles will be on the Internet

Page 16: Trust and  the web  veria  11 12- 09

Issues at stake

• Network Security – Threats
• System Safety – Software
• Privacy – Personal Data

Page 17: Trust and  the web  veria  11 12- 09

System Safety

Safety metrics? A safety “Seal of Approval”? What is “satisfactory”?

Software
• Air traffic
• Financial transactions
• Critical infrastructures
• “Verification”
• Insurance

■ The Economics of Safety!

Page 18: Trust and  the web  veria  11 12- 09
Page 19: Trust and  the web  veria  11 12- 09

Issues at stake

• Network Security – Threats
• System Safety – Software
• Privacy – Personal Data

Page 20: Trust and  the web  veria  11 12- 09

Privacy and Personal Data

Governments: service provision and …

Companies: customer profiling

Google Street, webcams, Facebook, YouTube …

Options for users (opt-in / opt-out); data retention; data deletion; new legislation

Page 21: Trust and  the web  veria  11 12- 09

Thank you!

Page 22: Trust and  the web  veria  11 12- 09

Investing in Security

• How much should organizations spend on information security?

• Governments, vendors say: much more than at present (But they’ve been saying this for 20 years!)

• Measurements of security return-on-investment suggest current expenditure may be about right !

• “Negative” incentives just starting (regulatory framework, fines).

• Benefits for early adopters elusive.

Page 23: Trust and  the web  veria  11 12- 09

Security Market

[Figure: security ROI plotted from − to +; “We are here”; “Coming…. Liability as an incentive”; “Class actions?”]

Page 24: Trust and  the web  veria  11 12- 09

But reality is pressing!

• Phorm to use BT customers to test precision advertising system on net
• YouTube case opens can of worms on online privacy
• Major web flaw, and a solution on the way
• Revealed: 8 million victims in the world's biggest cyber heist
• Cyberwar and real war collide in Georgia
• (Apr) Article 29 Working Party of EDPOs: the EU’s Data Protection Directive generally applies to the processing of personal data by search engines, even when their headquarters are outside the EU
• The dangers of cloud computing
• Big Brother spying on Americans' Internet data?
• Internet security: Code red
• Economic cyber-espionage enters the top 3 threats
• Critical infrastructures open to attack, says study
• Internet key to Obama victories
• Lesson from a crisis: when trust vanishes, worry
• (Aug) Google to slice existing 18-month data retention period in half
• Civil-society anger mounts against Edvige, the police file of personal data

[Figure: ICT Systems – Security – Privacy – Trust]

Page 25: Trust and  the web  veria  11 12- 09

Trust and Society

• Trustworthy systems and practices play an important role in our democratic society: legal code, institutions, moral code, reliable technology, …

It took generations to build our democratic values – Europe must nurture them into the digital age.

Page 26: Trust and  the web  veria  11 12- 09

EU legal framework on data protection and privacy, and technology

• DP Directive: 95/46/EC; Privacy Directive: 2002/58/EC
• Personal data: information relating to an identified or identifiable person
• Scope:
  – Material: which information and processes are addressed
  – Personal: which roles (data controller, processor, subject)
  – Territorial: applicable law, cross-border data transfer
• Issues:
  – Linked data, smart data mining and personal data
  – Accountability and transparency of controller and processor; need for technology support
  – Risk assessment and user control; need for technology support

Page 27: Trust and  the web  veria  11 12- 09

Security, Privacy, Trust: Interplay in the Information Society

[Figure: “Trustworthy Information Society?” at the centre of a triangle whose corners are End-Users & the Society, Policy & Regulation, and Technology & Innovation; “Trust and Identity?” as the open question]

• Global ICT – national “frontiers”
• “Economics of security”
• Policies for privacy-respecting

• Complexity, ease of use
• Role of end-users
• Society-protecting business models

• Security, privacy, identity
• Protection of human values
• Transparency, accountability
• Auditing and law enforcement

Page 28: Trust and  the web  veria  11 12- 09

Trusted & Smart “everything”

[Figure: a “Smart Space” linking Digital Living (energy networks, game machine, telephone, PC, DVD, audio, TV, STB, DVC), the Future Internet, transport networks, and eHealth & health networks]

Page 29: Trust and  the web  veria  11 12- 09

RISEPTIS Advisory Board

Research and Innovation in SEcurity, Privacy and Trustworthiness in the Information Society

Objective: provide visionary guidance on policy and research challenges in the field of security and trust in the Information Society.

Chair: George Metakides (U Patras, CTI)

Members: Dario Avallone (Engineering), Giovanni Barontini (Finmeccanica), Kim Cameron (Microsoft), William Dutton (Oxford Internet Institute), Anja Feldmann (Deutsche Telekom), Laila Gide (Thales), Carlos Jimenez (Secuware), Willem Jonker (Philips), Mika Lauhde (Nokia), Sachar Paulus (U. Brandenburg, ISSECO), Reinhard Posch (CIO GOV. Austria, TU Graz, A-SIT), Bart Preneel (KU Leuven), Kai Rannenberg (U. Frankfurt, CEPIS), Jacques Seneca (Gemalto)

Observer: Peter Hustinx

Support: Willie Donnelly (WIT), Keith Howker (WIT), Sathya Rao (Telscom), Michel Riguidel (ENST), Neeraj Suri (U. Darmstadt)

EC: Jacques Bus, Thomas Skordas, Dirk van Rooy

Page 30: Trust and  the web  veria  11 12- 09

RISEPTIS Mission and Objectives

[Figure: two sides, Policy and Research, providing input to the Future Internet and Trustworthiness; “User Centricity”: from principles to action! Personalised services]

Mission: develop a European vision on research and policy for trustworthiness in the future Information Society

http://www.think-trust.eu/riseptis.html

Page 31: Trust and  the web  veria  11 12- 09

Concepts:

Trust
■ a three-part relation: A trusts B to do X, based on A’s subjective evaluation and highly dependent on context
■ Basis for the decision to enter into a transaction

Trustworthiness
■ Level of trust assigned by A to B to do X
■ Trustworthy systems: give measurable guarantees on risks, resilience, QoS, …

Identity – Identification
■ A process approach: claims on ID and access proven to the ‘relying party’

Page 32: Trust and  the web  veria  11 12- 09

Recommendation 1: The EC should stimulate interdisciplinary research, technology development and deployment that addresses the trust and security needs in the Information Society.

• Trustworthy network, service and computing environments (incl. FI)

• Trust, privacy and identity management frameworks

• Engineering principles and architectures for trustworthiness (metrics, crypto, secure SW, …)

• Data and policy governance, socio-economic aspects, liability, management

Page 33: Trust and  the web  veria  11 12- 09

Recommendation 2: The EC should support concrete initiatives that bring together technology, policy, legal and social-economic actors for the development of a trustworthy Information Society.

• Trust and trustworthiness are the basis for economic and social transactions
• They will facilitate economic growth and a stable society
• Transpose old social values into digital space by building platforms and tools to help citizens, enterprises and public organisations to measure trust and control assets and data

Partnership for “Trust in Digital Life” initiated by Gemalto, Microsoft, Nokia and Philips

Page 34: Trust and  the web  veria  11 12- 09

Recommendation 3: The EC, together with the Member States and industrial stakeholders, must give high priority to the development of a common EU framework for identity and authentication management

• Federative, based on Member States’ eID systems
• Compliant with the legal framework on data protection and privacy
• Based on the “Laws of Privacy” (user control, minimal disclosure for constrained use, justifiable parties, …)
• Facilitating the full spectrum: from public administration and banking with strong authentication to simple web activities in anonymity

Page 35: Trust and  the web  veria  11 12- 09

Recommendation 4: The EC should work towards the further development of the EU data protection and privacy legal frameworks as part of an overall consistent ecosystem of law and technology

• Data breach notification extended
• Definition of personal data
• Strengthen accountability & transparency tools
• Consider consumer & liability laws
• Part of an overall policy that should be closely interlinked with technology progress
• Continuity, usability, trustworthiness and user-centric privacy protection are essential

Page 36: Trust and  the web  veria  11 12- 09

Recommendation 5: The EC together with industrial and public stakeholders should develop large-scale actions towards building a trustworthy Information Society

• Europe has:
  – long-established social trust,
  – scientific and technology capacities,
  – well-developed industrial and service structures
• Large-scale projects are needed to take advantage of these strengths
• Develop a techno-legal ecosystem for trust, security and privacy that is amenable globally

Page 37: Trust and  the web  veria  11 12- 09

Recommendation 6: The EC should recognise that, in order to be effective, it should address the global dimension and foster engagement in international discussions

• Global open standards
• Federated frameworks for interoperability (travel and ID)
• Global law enforcement in the Internet
• Consumer protection for use of global e-services
• Privacy and data protection in global data exchange

With respect for local cultures

Page 38: Trust and  the web  veria  11 12- 09

Trustworthiness: An Interdisciplinary Approach

[Figure: “Trustworthiness and Web Science” at the centre, surrounded by networks, SW systems, Internet/Web engineering, regulation, citizens / society, and critical infrastructures]

Page 39: Trust and  the web  veria  11 12- 09

Web Science

Biology
• Evolutionary dynamics
• Systems biology
• Plasticity…

Economics
• Theory of markets
• Macro and micro economics
• Auction models
• Types of capital…

Web Engineering
• Protocols
• Architectures
• Accessibility
• Security
• Resilience…

Ecology
• Structure of ecosystems
• Ecosystem productivity
• Population dynamics
• Digital biosphere…

Socio-cultural
• Values, attitudes and lifestyles: fast trends
• Anti-corporate
• ‘Open source’ values
• New trust matrix: NGOs
• Ethical consumers
• Demography

Artificial Intelligence
• Knowledge representation languages
• Inference
• Bayesian methods
• Agent-based computing…

Media
• Fragmented public media and discourse
• Journalism
• Single-issue moral panics
• Smart mobs
• Mobile opinion formers…

Computer Science
• Computability
• Decentralised information systems
• Semantic Web
• Linked Data
• Process calculus…

Mathematics
• Theory of graphs
• Networks
• Statistics
• Game theory…

Sociology
• Social attitudes
• Theory of groups
• Social networks
• Plume tracing…

Psychology
• Social attitudes
• Cognitive properties
• Human information processing
• Experimental methods…

Law
• Intellectual property
• EU/regulatory drivers
• Public engaged vs indifferent
• Corporate social responsibility…

Physics
• Statistical mechanics
• Phase transitions…

Political Science
• Governance
• Democratic mechanisms…

Nigel Shadbolt

Page 40: Trust and  the web  veria  11 12- 09

Trust: A Web Science Perspective

• What is the essential nature of trust?
• How to understand trust in the age of the Web?
• How does trust influence activity in the Digital Economy and e-Gov?
• Balance between social and technical solutions to these problems?
• The role of security and privacy

Photo credit: Yuri Arcurs

Page 41: Trust and  the web  veria  11 12- 09

Trust 101

• X trusts Y
  – Meaningless: trust can only be understood in the context of trustworthiness
• Trustworthiness is a property of Y
  – Y is trustworthy = she represents her intentions and motivations accurately
• Trust is an attitude of X
  – X trusts Y = X believes that Y is trustworthy
• Trust is a 3-way relation – includes a context
  – X trusts Y to do P

Page 42: Trust and  the web  veria  11 12- 09

The Disconnect

• X benefits from Y being trustworthy
  – BUT only controls his trust
• Y benefits from X’s trust
  – BUT only controls her trustworthiness
• Fundamental, ineradicable uncertainties of cooperative behaviour

Page 43: Trust and  the web  veria  11 12- 09

The Essential Problem of Trust

• NOT:
  – How can we increase trust?
• BUT:
  – How can we causally connect trust and trustworthiness so that we trust someone if and only if they are trustworthy?

Page 44: Trust and  the web  veria  11 12- 09

Costs & Benefits of Trust

            Trustworthy                        Untrustworthy
Trust       Maximal benefits of cooperation    Loss (gain) of assets risked
Mistrust    Opportunity costs                  Nothing risked, nothing gained

Page 45: Trust and  the web  veria  11 12- 09

3 Sources of Uncertainty

• Y sends signals of her trustworthiness
  – Are the signals accurate?
  – Is Y gaming the signal system?
• Period of time between X investing resources and Y delivering performance
  – X cannot act until Y is proven to have defected
• Possibility of X applying sanctions to Y
  – Will sanctions be effective?
  – Can X apply them to Y?
• All these three exacerbated by the Web

Image: “Connected world” by jvwarehouse on Photobucket

Page 46: Trust and  the web  veria  11 12- 09

Signalling on the Web

• Dramatic reduction in bandwidth compared to offline transactions
• New conventions, not widely understood
• Trust distributed across many types of agent
  – Human
  – Software agent
  – Website
  – Organisation
  – Distributed coalition
  – Knowledge source
  – Protocol
  – Infrastructure

Image: technexus.com

Page 47: Trust and  the web  veria  11 12- 09

Time on the Web

• Digital information can be copied or transferred at the speed of light
• E-crime is instantaneous
• Reputation information is backward-facing
  – Provides no certainty about future behaviour

Image: “World At Work” by Theo Deutinger

Page 48: Trust and  the web  veria  11 12- 09

Sanctions on the Web

• Uncertain identity
• Uncertain jurisdiction
• Fewer repeat transactions
• More one-shot interactions

Page 49: Trust and  the web  veria  11 12- 09


Content on the Web

• Provenance – what, who, when and where

• Much valuable content is authorless

• What is the role of government public data and what is its value?

Web Science research issue: Does open public data increase trust?

Page 50: Trust and  the web  veria  11 12- 09

Online Institutions

• Traditional solutions
  – Physical institutions
  – Reputation management
  – Note: solutions can only be partial
• Decentralised Web makes institutions hard to set up
  – Problems of enforcement
  – Online institutions also suffer from problems of jurisdiction, low bandwidth (compared to offline)
  – Systemic risk
  – Usability issues (e.g. PKI)

Web Science research issue: how to design institutions for certifying trustworthiness and promoting trust

Page 51: Trust and  the web  veria  11 12- 09

Online Reputation

• Assembly of historical data
• How to stop changes of identity
• How to interpret ratings
• Is the reputation for the buyer’s convenience?
  – He uses historical data to estimate future trustworthiness
  – Uncertain
• Is it for the seller’s convenience?
  – She wants to preserve her reputation
  – Only works if she wants to interact again in the future

Web Science research issue: how best to represent and manage reputation, and understand its significance for buyer and seller

Page 52: Trust and  the web  veria  11 12- 09

The Dark Side

• Not all trust is good
  – Criminal fraternity have low-risk solutions to the trust problem
  – Auction sites for selling identities, credit cards etc
  – Fast assembly of short-term criminal coalitions

Web Science research issue: how can we disrupt trust (increase mistrust) in degenerate systems

Page 53: Trust and  the web  veria  11 12- 09

Which Way Round?

• Does trustworthiness cause trust?
  – Y proves her trustworthiness via certificates, behaviour, qualifications etc
  – Weber
• Does trust cause trustworthiness?
  – X trusts Y and accepts her into his moral community
  – Y learns trustworthy behaviour
  – Durkheim

Web Science research issue: understand the causal direction of the relation

Page 54: Trust and  the web  veria  11 12- 09

Changes in Attitude

• Early Web: trust => trustworthiness
  – Assumption of good faith
  – Knowledge sharing tool
• Middle Web: trustworthiness => trust
  – E-commerce
  – Security/identity infrastructures
• Current Web: trust <=> trustworthiness
  – Elements of both
  – Social networking
  – Generational issues

Page 55: Trust and  the web  veria  11 12- 09

Role of Web Science

• Clearly a problem with social and technological aspects
• How does offline behaviour transfer to the Web?
  – How do we cope with the lowered information bandwidth?
• What new forms of behaviour have arrived?
• How can infrastructure be designed?
  – Usability
  – Effectiveness

Page 56: Trust and  the web  veria  11 12- 09

Trust: A Web Science Perspective

• Research the nature of trust relations between individuals, groups and organizations in digital interactions
• Develop the framework and institutions needed to govern interactions in the digital ecology
• Understand the balance and role of the social and the technical

Image courtesy IET

Page 57: Trust and  the web  veria  11 12- 09

Trust: a Web Science Perspective

Understanding trust in the age of the Web is about
– Technology
– Sociology
– Psychology
– Economics
– Law
It is about Web Science

Page 58: Trust and  the web  veria  11 12- 09

Technology evolutions: new generations of threats to trust as well!

– Fiber optics: high data rate & massive (flows, data, services)
– Radio: pervasive; ubiquity => cooperation
– Software: diversity => complex, heterogeneous
– Linked Data / Semantic Search
– Peer to Peer / Cloud

Page 59: Trust and  the web  veria  11 12- 09

Governance, Management issues

• Trust Management
  – Designing security policies and processes
  – Identity Management (multiple identities?)
  – Data
    • Archive: auditability, signature of contracts
    • Communication: security of exchanges
  – Software
• Threats and Vulnerability Management
  – Monitoring activities and events
  – Benchmarking
  – Supervision, observation, recording: Measuring!

Page 60: Trust and  the web  veria  11 12- 09

A Next Generation Network Ecosystem

The Future Internet

The Semantic web and beyond

The Internet /Web of things

Trustworthiness as a prerequisite and driver

Social –Economic- Legal – Technical Issues all bound up

[www.aquarium-berlin.de]

A New Ecosystem Emerging

Page 61: Trust and  the web  veria  11 12- 09

Thank You !