Digital identities are with us every day. The technical possibilities are very diverse. How can digital identities enable secure identification for eGovernment and eHealth on the one hand and guarantee privacy protection on the other? Digital identities enable access to the digital society. They represent persons, organisations and objects in the digital world and are used in more and more areas of life. Each of us thus has – consciously or unconsciously – digital representations of our person for various purposes. Be it the Cumulus card from Migros, the SwissPass from the SBB or the SIM card in a mobile device, all these digital identities accompany us every day. Digital identities are very diverse. From a technical point of view, the spectrum ranges from user name/password combinations and smart cards to biometric means of identification and hardware-based certificates such as SuisseID. What characteristics should a digital identity have? A digital identity should be useful. It is a tool to be able to perform certain functionalities in the digital world. For example, with a digital identity you can prove who you are and thus use certain online services. You can digitally sign documents or data – analogous to a handwritten signature. With other, more passive identities, you can collect benefits from bonus programmes or use other real-world services, such as public transport. For some applications in the digital world, such as eGovernment, you have to be sure who is behind a digital identity. Identities, such as SuisseID, can be used as a digital ID. To do this, the identities used must be secure and trustworthy. With an identity based on a SuisseID, you can be 100% sure that you are dealing with the corresponding person. Trust in SuisseID is based on the one hand on a certified registration process, where you have to be present in person, and on the other hand on the security of the technologies used. For example, a hardware token, the SuisseID stick, prevents the SuisseID identity from being stolen. Only those who have the stick and the matching PIN can use the SuisseID. This is referred to as 2-factor authentication. A state-recognised electronic identity enjoys the highest level of trust. Here, the state assumes responsibility for registration, which is usually linked to the application for an identity document, for example an identity card or passport. But the high level of trust and security of a digital identity comes at a price: higher costs as well as complicated handling and an elaborate registration process. This usually results in poor user acceptance. Therefore, user-friendliness should always be weighed against security requirements when using digital identities. For example, a high level of security can be dispensed with for an online subscription to a daily newspaper, as the potential for damage is low. Privacy must be protected The data collection frenzy of some service providers on the Internet and various hacker attacks on customer data in recent months have strengthened the desire to protect privacy and anonymity. Particularly as it is now very difficult, and in some cases almost impossible, to remove data from the digital world once it has been disclosed. A good digital identity therefore also makes it possible to move anonymously or pseudonymously in the digital world. With these methods, the true identity of a person is hidden and only the characteristics that are essential for the use of a service, such as age, are revealed. This makes it possible to control access to inappropriate content for minors without knowing their name or gender. The disclosure of the identity (or parts of it) or the preservation of anonymity thus remains a decision of the person himself. A digital identity is not enough The various possible properties of digital identities make it clear that several identities are needed for the different areas of application. In eGovernment and also in eHealth, it is important to identify citizens and patients unambiguously in order to avoid confusion. Only a state-recognised digital identity or identities at a similarly high level of trust, such as SuisseID or the planned insurance card, which also has a unique identifier, make this possible. In other areas, where the potential for damage is lower, one can also use simpler electronic identities, such as those provided by Google or Facebook. These free identities are mostly based on self-registration with email or SMS confirmation. The personal attributes provided are mostly self-declared. Here, users and server providers alike should be aware of the dangers and risks.
Tag Archive for: Privatsphäre
The focus “Cyber Security & IT Forensics” deals with selected topics related to the security of the computer infrastructure, such as confidentiality, integrity and availability of data, but also with questions related to the protection of privacy. The digital society only functions if people can rely on a secure and trustworthy computer infrastructure. This consists of powerful end devices, omnipresent networks and central servers. Confidentiality, integrity and availability of data, but also protection of privacy are central to this. The focus is on the devices that people use directly and daily: their smartphones, tablets or laptops. Malware It is primarily these devices that are attacked by malware. Criminal elements spread malware around the world with the aim of deriving economic or financial benefit from it. Malware is a computer programme that usually performs unwanted functions invisibly. They appear in a wide variety of forms:
- Computer viruses are programmes that spread copies of themselves via the exchange of documents on storage media
- Computer worms infect other computers via networks
- Trojan horses, on the other hand, are programmes that superficially benefit the user, but invisibly perform unwanted functions in the background, such as stealing passwords or contact information.
- Recently, the number of cases in which so-called ransomware is used has increased. These are malware programmes that encrypt the user data of a system with a secret key, so that their access is blocked by the user for the time being. Access is only possible again after the payment of a ransom (ransom) by the communication of a secret key.
Protection through research In our research, we investigate how malware works. We try to understand how they work, how they spread and what they do. We also study the development history of the malware. Understanding the development history helps us to better protect and anticipate the systems. Our know-how is in demand from companies and service providers who provide security-critical computer infrastructure and/or use it themselves. On the other hand, the knowledge gained flows into teaching, for example so that students learn how to write robust software that is resistant to attacks of this kind. Protection of privacy Computers and terminals, networked with the Internet, represent a combination of private and public space, similar to private living space and public space (streets, squares, transport systems, public services). Just as there is protection of private information (for example, medical secrecy, voting secrecy) in real spaces, there must be the same protection in cyberspace. We are dealing with the question of how this protection can be provided on the basis of concrete issues such as e-voting, personal health data or mobility pricing. IT forensics If norms established by society are violated, it is important to record the facts in the case of suspicious incidents. As in the real world, traces of criminal acts must also be recorded in cyberspace, and in such a way that their evidence will stand up before a judge. The question here is: Are there traces in the suspects’ devices that confirm a criminal act that has been committed? Our research focuses on the field of memory forensics. On the teaching side, we actively help in the Master’s training course Maîtrise universitaire ès Sciences en science forensique orientation investigation et identification numériques at the University of Lausanne.