This document discusses privacy management for smart cities. It begins with an outline and background on the speaker. It then discusses privacy from a policy maker viewpoint and challenges with ecosystems like smart cities that involve multiple stakeholders and technologies. An example is given of cooperative intelligent transport systems. Governance challenges with new technologies like AI are also discussed. Finally, the document provides an overview of current standardization work on privacy, including ISO/IEC 27570 which provides privacy guidelines for smart cities ecosystems.
1. Privacy Management for Smart Cities
Antonio Kung
Trialog, 25 rue du Général Foy 75008 Paris
antonio.kung@trialog.com
Connected SC&C - Privacy, Trust & Security, 22 January 2020
2. Outline
- Speaker
- Policy maker viewpoint on privacy
- The issue of ecosystems: example of cooperative ITS
- The issue of governance: example of AI
- Privacy standards
- ISO/IEC 27570 Privacy guidelines for smart cities
3. Speaker - Engineering background
- Background on IoT
  - Embedded systems & real-time systems (e.g. automotive, domotics)
- Work related to privacy
  - Secure vehicular communication
    - FP6 SEVECOM (2006-2008)
  - Privacy-by-design for ITS
    - FP7 PRECIOSA (2008-2010)
  - Privacy-by-design
    - FP7 PRIPARE (2013-2015)
  - Engineering tools for privacy
    - H2020 PDP4E (2018-2020)
- Work related to smart cities
  - EIP-SCC
    - Citizen engagement
- Active participation in privacy standards
  - ISO 31000: Privacy by design
  - ISO/IEC 20547-4: Big data security and privacy
  - ISO/IEC 27030: IoT security and privacy
  - ISO/IEC 27550: Privacy engineering
  - ISO/IEC 27556: Privacy preference management
  - ISO/IEC 27570: Privacy guidelines for smart cities
- Teacher (American University of Paris)
  - CS 2055: security, privacy and trust
5. Privacy from a Policy Maker Viewpoint
Example of smart cities
6. They deal with complex ecosystems
[Diagram: ecosystems viewed along four dimensions]
- Domains: smart grid, transport, health, smart cities
- Concerns: security, privacy, safety
- Stakeholders: citizens, business, policy makers
- Technologies: big data, IoT, blockchain, autonomous systems, AI
7. They manage privacy for these ecosystems
[Diagram: privacy management roles in the ecosystem]
- Roles: data controller, data processor, integrator, supplier, municipality stakeholder, citizen
- Data controller / data processor: comply with privacy obligations
- Integrator (purpose known): contracts; applies PIA and PbD
- Supplier (purpose unknown): applies requirements
- Municipality stakeholder: PIA; agreements for data exchange
- Citizen: give consent, agree, requests
8. Including a supply chain vision
[Diagram: supply chain]
- Supplier (purpose unknown): sensor, electronics, security module, OS, middleware, smart device, device cloud solution
- Integrator (purpose known): operator of smart city application 1, operator of smart city application 2
- Privacy impact assessment 1, privacy impact assessment 2
- Smart city officer
9. Including a sharing chain vision
[Diagram: sharing chain]
- Stages: data collecting, data transformation, data analytics
- Data sharing agreements between stages
- Smart city officer
10. Privacy management in ecosystems
11. Example of C-ITS Environment
[Diagram: road side ITS station, sending vehicle ITS station, receiving vehicle ITS station, exchanging messages]
Message content:
- Position of vehicle
- Movement of vehicle (speed, acceleration, steering angle, …)
- Static information about the vehicle: type and size
- Pseudonym
- Recent path (limited to the last 30 seconds at maximum)
12. Example of C-ITS Environment
[Diagram: pseudonymization authority, road side ITS station, sending vehicle ITS station, receiving vehicle ITS station; pseudonyms]
13. Stakeholders in the ecosystem
[Diagram: stakeholders in the C-ITS ecosystem]
- Road side: application operator (safety, traffic), CAM operator (road side unit)
- Vehicle: application operator (on board, safety), CAM operator
- PKI operator: pseudonym issuer
Different roles, different objectives, different types of data
15. Ecosystem governance model
Security, Privacy & Trust Governance Model
[Diagram labels: governing stakeholder, governance process, SPT policies, system provider, lifecycle process, system assets; relations: applies, follows, applies on, to establish, to monitor, to manage]
16. Smart city governance model
Example of smart city
[Diagram: ecosystem governance model. Labels: governing stakeholder, governance process, SPT policies, system provider, lifecycle process, system assets; relations: applies, follows, applies on, to establish, to monitor, to manage]
[Diagram: smart city governance model. Labels: smart city, governance process, SPT policies, smart transport operator, lifecycle process, transport system, customers data; relations: applies, follows, to establish, to monitor, to manage]
17. Autonomous vehicle example
- Governance process?
- Stakeholders in the process?
- Security and Privacy Governance Model for AI?
[Diagram labels: policy management process; safety, security, privacy policies; autonomous vehicle manufacturer; control and monitoring process; autonomous vehicle; vehicle and passengers; relations: applies, follows, to establish, to monitor, to manage]
18. Overview of Work on Standardisation
Several Viewpoints
19. Current work
Principles
- ISO/IEC 29100: Privacy framework (Published, free)
Mechanism
- ISO/IEC 20889: Data de-identification terminology and classification of techniques (Published)
- ISO/IEC 29184: Online privacy notices and consent (Pending)
- New: Consent record information structure (Pending)
Organisation practice
- ISO 37100: Privacy-by-design for consumer goods and services (Pending)
- ISO/IEC 27550: Privacy engineering for system life cycle processes (Published)
- ISO/IEC 27701: Privacy information management, requirements and guidelines (Published)
- ISO/IEC 27555: Establishing a PII deletion concept in organisations (Pending)
- ISO/IEC 27556: User-centric framework for privacy preference management (Pending)
- ISO/IEC 29134: Privacy impact assessment guidelines (Published)
- ISO/IEC 29151: Code of practice for PII protection (Published)
- ISO/IEC 29190: Privacy capability assessment model (Published)
- New: Organisational privacy risk management (Pending)
Ecosystem practice
- ISO/IEC 20547-4: Big data security and privacy (Pending)
- ISO/IEC 27030: Security and privacy guidelines for IoT (Pending)
- ISO/IEC 27570: Privacy guidelines for smart cities (Pending)
- ISO/IEC 23751: Data sharing agreements (Pending)
20. Privacy management in Smart Cities
21. ISO/IEC 27570 Privacy guidelines for smart cities
[Diagram labels: ecosystem governance body; Organisation 1, ..., Organisation N; best available techniques; continuous improvement]