CYBER; Personally Identifiable Information (PII) Protection in mobile and cloud services

DTR/CYBER-0002

General Information

Status
Published
Publication Date
27-Jul-2016
Technical Committee
Current Stage
12 - Completion
Due Date
01-Aug-2016
Completion Date
28-Jul-2016
Ref Project
Standard
ETSI TR 103 304 V1.1.1 (2016-07) - CYBER; Personally Identifiable Information (PII) Protection in mobile and cloud services
English language
23 pages

Standards Content (Sample)


TECHNICAL REPORT
CYBER;
Personally Identifiable Information (PII)
Protection in mobile and cloud services

2 ETSI TR 103 304 V1.1.1 (2016-07)

Reference
DTR/CYBER-0002
Keywords
access control, privacy
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
Executive summary . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definitions and abbreviations . 7
3.1 Definitions . 7
3.2 Abbreviations . 9
4 Overview . 10
5 Threats to PII . 10
5.1 Overview . 10
5.2 Data fusion and re-identification . 11
5.3 Data breaches . 11
5.4 Service termination/inaccessibility . 11
5.5 Lock-in mechanisms . 11
5.6 Ransomware and Spyware . 11
5.7 Over-collection . 12
5.8 Mis-contextualization . 12
5.9 User Impersonation . 12
5.10 Alteration of ownership or access rights . 12
5.11 Alteration of persistence . 12
5.12 Synopsis . 13
6 Technical aspects . 14
6.1 Principles from ISO/IEC 29100 . 14
6.2 Degree of link-ability . 14
6.3 Trust . 15
6.4 Awareness of data transaction . 15
6.5 Semantics . 16
6.6 Portability . 16
6.7 Access control . 16
6.8 Log and auditing . 17
6.9 Embedded sensors and devices . 17
6.10 Lawful interception . 17
7 Use cases, actors and roles . 18
7.1 Overview . 18
7.2 Actors and roles . 18
7.3 Use case UC1 . 19
7.4 Use case UC2 . 19
Annex A: Scenarios . 20
A.1 Medical scenario . 20
A.2 Flight Passenger Name Record . 20
A.3 Bring Your Own Device (BYOD) . 20
A.4 Fake or untrusted access mobile networks . 21
A.5 Untrusted app scenario . 21
A.6 Social networking . 21
A.7 In-car blackbox . 22
A.8 Cloud unavailability . 22
A.9 Self-quantifying . 22
History . 23

Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
ICT is moving towards a genuinely distributed and virtualized environment characterized by a rich set of mobile and
cloud services available to users. In this context, it may be difficult to have a priori knowledge of who may need access
to data, when and where this may happen and whether that data could be or contain Personally Identifiable Information
(PII). The present document proposes a number of scenarios focusing on today's ICT and develops an analysis of
possible threats related to PII in mobile and cloud based services. It also presents technical challenges and needs derived
from regulatory aspects (lawful interceptions). The aim is to consolidate a general framework, in line with regulation
and international standards, on top of which technical solutions for PII protection can be developed.

1 Scope
The present document proposes a number of scenarios focusing on today's ICT and develops an analysis of possible
threats to Personally Identifiable Information (PII) in mobile and cloud based services. It also presents technical
challenges and needs derived from regulatory aspects (lawful interceptions). It consolidates a general framework, in line
with regulation and international standards, into which technical solutions for PII protection can be plugged.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ISO/IEC 29100:2011: "Information technology - Security techniques - Privacy framework".
[i.2] National Institute of Standards and Technology NIST SP 800-122: "Guide to Protecting the
Confidentiality of Personally Identifiable Information (PII)".
[i.3] Regulation 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic
identification and trust services for electronic transactions in the internal market and repealing
Directive 1999/93/EC.
[i.4] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[i.5] Directive 2002/21/EC of the European Parliament and of the council of 7 March 2002 on a
common regulatory framework for electronic communications networks and services (Framework
Directive).
[i.6] Directive 2002/22/EC of the European Parliament and of the Council of 7 March 2002 on
Universal service and users' rights relating to electronic communications networks and services
(Universal Service Directive - OJ L 108, 24.04.2002).
[i.7] Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio
equipment and telecommunications terminal equipment and the mutual recognition of their
conformity.
[i.8] Directive 1995/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement
of such data.
[i.9] US President's Council of Advisors on Science and Technology: "Report to the president. Big data
and privacy: a technological perspective".
[i.10] ETSI TR 101 567: "Lawful Interception (LI); Cloud/Virtual Services for Lawful Interception (LI)
and Retained Data (RD)".
[i.11] ETSI Cloud Standards Coordination: Final Report.
[i.12] ISO/IEC 11889:2009: "Information technology - Trusted Platform Module" (Parts 1-4).
[i.13] ISO/IEC 29191:2012: "Requirements for partially anonymous, partially unlinkable
authentication".
[i.14] ISO/IEC 29115:2011: "Entity authentication assurance framework".
[i.15] ETSI TS 119 612: "Electronic Signatures and Infrastructures (ESI); Trusted Lists".
[i.16] ETSI TR 103 308: "CYBER; Security baseline regarding LI and RD for NFV and related
platforms".
[i.17] ETSI TR 187 010: "Telecommunications and Internet converged Services and Protocols for
Advanced Networking (TISPAN); NGN Security; Report on issues related to security in identity
management and their resolution in the NGN".
[i.18] ISO/IEC 27040:2015: "Information technology - Security techniques - Storage security".
[i.19] ISO/IEC 17789:2014: "Information technology - Cloud computing - Reference architecture".
[i.20] ISO/IEC 9594-8:2014: "Information technology - Open Systems Interconnection - The Directory -
Part 8: Public-key and attribute certificate frameworks".
[i.21] ETSI TS 101 331: "Lawful Interception (LI); Requirements of Law Enforcement Agencies".
[i.22] ETSI TS 101 671: "Lawful Interception (LI); Handover interface for the lawful interception of
telecommunications traffic".
[i.23] ISO/IEC JTC 1/SC 38 CD 19944: "Information technology - Cloud computing - Data and their
flow across devices and cloud services".
NOTE: Standard under development.
[i.24] ISO/IEC JTC 1/SC 37 AWI 20889: "Information technology - Security techniques - Privacy
enhancing data de-identification techniques".
NOTE: Standard under development.
[i.25] J.A. Akinyele, C.U. Lehmann et al.: "Self-Protecting Electronic Medical Records: Using
Attribute-Based Encryption". Cryptology ePrint Archive, Report 2010/565, 2010.
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
app: "software application", typically running on a user's device platform
anonymization: process that replaces an actual identifier with an attribute obtained by randomization or generalization
in such a way that there is a reasonable level of confidence that no individual can be identified
Cloud Service Customer: individual or organization consuming one or more cloud services provided by a Cloud
Service Provider
Cloud Service Partner: individual or organization providing support to the provisioning of cloud services by the Cloud
Service Provider, or to the consumption of cloud service by the Cloud Service Customer
Cloud Service Provider: individual or organization providing cloud services to one or more Cloud Service Customers
Cloud Service user: individual consuming one or more cloud services using a particular device
consent: freely given specific and informed indication of his wishes by which the data subject signifies his agreement
to personal data relating to him being processed
data breach: compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to protected data transmitted, stored or otherwise processed [i.18]
data consumer: entity accessing data for a given purpose
data fusion: process of combining multiple data sets into one improved data set in order to discover any information
which cannot be derived from the original data sources
data subject: identifiable person, i.e. a person who can be identified, directly or indirectly, in particular by reference to
an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or
social identity
de-anonymization: any process in which anonymous data is cross-referenced with other sources of data to re-identify
the anonymous data source
Device Platform Provider: Cloud Service Provider providing services necessary to support the device platform
generalization: process that reduces the degree of granularity (known as precision) of a set of attributes
identity theft: inappropriate use of someone else's credentials to commit fraud or crimes
lock-in: process which makes a customer dependent on a given service provider and unable to use another provider
without substantial switching costs
metadata: data about the data, which can be structural or descriptive
mis-contextualization: process in which data from different personas is mixed and used inappropriately
over-collection: practice of collecting information unrelated to a stated purpose
persona: role played by an individual user in the context of a service
Personally Identifiable Information (PII): any information that (a) can be used to identify the PII principal to whom
such information relates, or (b) is or might be directly or indirectly linked to a PII principal
NOTE 1: To determine whether a PII principal is identifiable, account can be taken of all the means which can
reasonably be used by the privacy stakeholder holding the data, or by any other party, to identify that
natural person [i.1].
NOTE 2: In the US, according to [i.2]: any information about an individual maintained by an agency, including any
information that can be used to distinguish or trace an individual's identity, such as name, social security
number, date and place of birth, mother's maiden name, or biometric records; and any other information
that is linked or linkable to an individual, such as medical, educational, financial, and employment
information.
PII controller: privacy stakeholder that determines the purposes and means for processing personally identifiable
information (PII) other than natural persons who use data for personal purposes [i.1]
PII principal: natural person to whom the personally identifiable information (PII) relates [i.1]
PII processor: privacy stakeholder that processes personally identifiable information (PII) on behalf of and in
accordance with the instructions of a PII controller [i.1]
portability: usability of the same software, data or metadata in different environments
processing of PII: operation or set of operations performed upon personally identifiable information (PII) [i.1]
NOTE: Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration,
retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making
available, deletion or destruction of PII [i.1].
pseudonymization: process that replaces an actual identifier with an alias ensuring that it cannot be reverted by
reasonable effort of anyone (other than the party providing them)
randomization: process that reduces the degree to which data reflects the true value of a set of attributes (known as
accuracy)
ransomware: type of malware that restricts access to the infected device, demanding that the user pay a ransom to the
malware operators to remove the restriction
re-identification: action performed on de-identified data with the purpose of re-linking the information to a person or
group of persons
secure data deletion: irreversible destruction of electronic data so that no party is capable of recovering it
spyware: type of malware that collects/intercepts/retrieves data from a (mobile) device and sends it to a remote
(Command&Control) server
Terminal Equipment: product enabling communication or relevant component thereof which is intended to be
connected directly or indirectly by any means whatsoever to interfaces of public telecommunications networks
traceability: ability to interrelate individuals in a way that is verifiable
trust: level of confidence in the reliability and integrity of an entity to fulfil specific responsibilities
unlinkability: act of ensuring that a user may make multiple uses of resources or services without others being able to
link these uses together
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
5G-PPP 5G Infrastructure Public Private Partnership
ABE Attribute-Based Encryption
API Application Programming Interface
AWI Approved Work Item
NOTE: http://www.iso.org/iso/home/faqs/faqs_abbreviations.htm.
BYOD Bring Your Own Device
CA Certification Authority
CD Committee Draft
CEO Chief Executive Officer
CP-ABE Ciphertext Policy Attribute-Based Encryption
CPU Central Processing Unit
CSC Cloud Service Customer
CSP Cloud Service Provider
CSPa Cloud Service Partner
Csu Cloud Service user
DPP Device Platform Provider
EC European Community
EU European Union
GPS Global Positioning System
GSM Global System for Mobile
ICT Information and Communication Technology
IMEI International Mobile Station Equipment Identity
IMSI International Mobile Subscriber Identity
ISO International Organization for Standardization
JTC Joint Technical Committee
LEA Law Enforcement Authority
LI Lawful Interception
PC Personal Computer
PII Personally Identifiable Information
PIN Personal Identification Number
PKI Public Key Infrastructure
PLMN Public Land Mobile Network
PNR Passenger Name Record
PUA Potentially Unwanted Application
RAM Random Access Memory
SAREF Smart Appliances REFerence ontology
SC Subcommittee
SMS Short Message Service
TE Terminal Equipment
TEE Trusted Execution Environment
TPM Trusted Platform Module
TS Technical Specifications
UMTS Universal Mobile Telecommunications System
US United States
4 Overview
An ever growing number of human activities are today performed using Internet-based (and particularly, cloud-based)
services. Information that can be used to identify a natural person or might be directly or indirectly linked to her, known
in the literature as Personally Identifiable Information (PII), may potentially be present in almost all these activities. While
technology is apparently "disappearing" to naive eyes, as people focus on services regardless of the devices,
terminals or platforms they actually use, awareness of data transactions and transparency about their use is decreasing. This
may cause social and legal concerns when data transactions involve PII.
Codes of practice and regulatory provisions protecting PII have been present since the advent of mobile communications in
the mid 1990s. Directive 95/46/EC (data protection) [i.8], directive 2002/58/EC (privacy) [i.7], and Directive 99/5/EC
(radio equipment) [i.5], [i.6], for instance, state the legal obligations to preserve a user's control of their identity in
electronic communication, as well as obligations intended to avoid fraud. Properly using identifiers and identity
management as suggested in the earlier ETSI TR 187 010 [i.17] greatly reduces the risk of PII being exploited in traditional
communication signalling.
However, today ICT is moving towards a genuinely distributed and virtualized environment characterized by a rich
set of mobile and cloud services available to users. The eIDAS Regulation [i.3] first and the EU General Data
Protection Regulation [i.4] then have provided a legal framework to address the challenges arising from the digital age and
its "app economy", in order to bolster citizens' trust in the emerging Digital Single Market.
In fact, unlike the previous telecom scenario, where user data was mostly accessible from network functional
elements, several kinds of information are today easily accessible from terminal equipment or end user devices,
through open and specialized Application Programming Interfaces (APIs). Thus, it may be difficult to have a priori
knowledge of who may need access to users' data, when and where this may happen and whether that data could be or
contain PII.
PII in long term data records (e.g. in the health, public administration, education, financial and legal domains) is dynamic
and grows over the life of an individual. The set of actors/individuals/roles that need to access and amend it over a
lifetime is potentially unlimited. It is also not reasonable to expect the record to be "a single document"; it is more likely to
appear as a large set of data, retained in data centres located in many different countries and managed by
various stakeholders with different levels of trust. In such records there may be a need to enable security controls of
some complexity.
The present document proposes a number of scenarios focusing on today's ICT and develops an analysis of possible
threats related to PII in mobile and cloud based services.
5 Threats to PII
5.1 Overview
This clause presents threats derived from the analysis of the scenarios reported in Annex A. The scenarios are not
exhaustive; rather, they are representative of the most common and relevant situations.
Threat sources may include accidents, natural disasters, and humans authorized or unauthorized to access data and systems.
A synopsis relating threats to risks and vulnerabilities is provided in table 5.1.
5.2 Data fusion and re-identification
Data from different sources, which are typically designed for specific and limited purposes, may be merged and
analyzed for secondary use either within an organization or outside of it through several different techniques. The US
report on big data and privacy [i.9] presents some examples of threats derived from data fusion.
Concentration of large amounts of data in a few service providers may encourage data fusion, although proper access
control techniques should be put in practice to discourage this practice when undesired.
Re-identification may be achieved through various techniques (ISO/IEC JTC 1/SC 37 AWI 20889 [i.24]). In the context
of web applications, tracking cookies (particularly third-party tracking cookies) may facilitate this process.
De-anonymization may be one relevant consequence.
Data fusion and re-identification normally occur with authorized access to data and might not be evident to the PII
principal.
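The linkage described above, and the generalization defined in clause 3.1 as a countermeasure, as an added example that is not part of the present document: a constructed "anonymized" medical extract is joined to a constructed public directory on the quasi-identifiers (ZIP code, birth year, sex), and re-identification is counted before and after generalization. All records, ZIP codes and "Person X" names are placeholders invented for this example.

```python
"""Data fusion / re-identification on quasi-identifiers, with generalization as mitigation.

Every record below is constructed toy data; the ZIP codes, years and
'Person X' names are placeholders and do not describe real individuals.
"""
from collections import Counter

# Attributes that are not direct identifiers but, combined, can single out a person.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed "anonymized" medical extract: names removed, quasi-identifiers kept.
MEDICAL = [
    {"zip": "06921", "birth_year": 1978, "sex": "F", "diagnosis": "asthma"},
    {"zip": "06921", "birth_year": 1975, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "06560", "birth_year": 1982, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "06560", "birth_year": 1986, "sex": "M", "diagnosis": "flu"},
]

# Constructed public directory: the second data source in a data fusion.
DIRECTORY = [
    {"name": "Person A", "zip": "06921", "birth_year": 1978, "sex": "F"},
    {"name": "Person B", "zip": "06921", "birth_year": 1975, "sex": "F"},
    {"name": "Person C", "zip": "06560", "birth_year": 1982, "sex": "M"},
    {"name": "Person D", "zip": "06560", "birth_year": 1986, "sex": "M"},
    {"name": "Person E", "zip": "06560", "birth_year": 1986, "sex": "M"},  # same QIs as D
]


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """Tuple of quasi-identifier values used as the join key."""
    return tuple(record[f] for f in fields)


def link_records(released, public, fields=QUASI_IDENTIFIERS):
    """Data fusion: join released records to a public source on the quasi-identifiers.

    A released record counts as re-identified only when exactly one public
    entry shares its quasi-identifier tuple. Returns {record index: name}.
    """
    index = {}
    for entry in public:
        index.setdefault(qi_key(entry, fields), []).append(entry["name"])
    reidentified = {}
    for i, rec in enumerate(released):
        candidates = index.get(qi_key(rec, fields), [])
        if len(candidates) == 1:
            reidentified[i] = candidates[0]
    return reidentified


def generalize(record):
    """Generalization (clause 3.1): reduce the precision of the quasi-identifiers.

    ZIP is truncated to its first three digits and birth year to its decade;
    other attributes are left untouched.
    """
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


def min_k(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class, i.e. the k-anonymity level of a release."""
    counts = Counter(qi_key(r, fields) for r in records)
    return min(counts.values())


def demo():
    """Compare re-identification before and after generalizing both sources."""
    raw_hits = link_records(MEDICAL, DIRECTORY)
    gen_medical = [generalize(r) for r in MEDICAL]
    gen_directory = [generalize(r) for r in DIRECTORY]
    gen_hits = link_records(gen_medical, gen_directory)
    return {
        "raw_reidentified": len(raw_hits),          # 3 of 4 records linked to a name
        "raw_k": min_k(MEDICAL),                    # every QI tuple unique: k = 1
        "generalized_reidentified": len(gen_hits),  # no unique match remains
        "generalized_k": min_k(gen_medical),        # each class holds 2 records
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Generalization lowers utility (ZIP and age are coarser) in exchange for k = 2; the same measurement works for any choice of quasi-identifier columns.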
5.3 Data breaches
Especially in Cloud environments, many providers operate through an agreement with a partner playing the role of PII
processor in order to provide services to users. For instance, a service provider might choose to rely on a storage
provider as a partner. Data breaches may thus occur at service providers or at the partners processing data on their behalf.
This arrangement might not be evident to the PII principal, who may trust the service provider but not necessarily the
partner, e.g. due to its location under a different legislation or to the partner's infrastructure (e.g. because of
unauthorized personnel accessing the hardware/software infrastructure, or data processing through rogue devices).
5.4 Service termination/inaccessibility
Remote (and cloud) storage offers several advantages in terms of availability (data is no longer dependent on the device
used to create it and manage it). However, cloud computing storage at large data centres may increase the chance of
temporary unavailability - due to network connection issues, shortages or server failures - or even large losses of data.
Normally terms of service contain clauses which address the aforementioned problems, providing recovery solutions.
Even in this case, however, services might be terminated at any time due to non-technological problems (e.g.
bankruptcy of the provider) or legal reasons (e.g. file-sharing services infringing copyright laws).
Location of the service provider may be a relevant aspect, as the service may be under different regulations and laws.
5.5 Lock-in mechanisms
Ideally, data should be immediately available to the data owner whenever and wherever it is needed.
However, lock-in mechanisms may practically lead to data unavailability. Lock-in prevents portability (and sometimes
interoperability) of customer's data across different service providers. As a result, when a customer decides to change
provider, data in his or her account may simply be unavailable or lost.
5.6 Ransomware and Spyware
Data availability and confidentiality may be threatened by malicious software such as ransomware and spyware.
Typically, ransomware silently encrypts contents inside a terminal equipment, a device or a remote storage. As a
result, documents, images, and other kinds of files - which may be or may contain PII - are no longer available to users
or to their service providers unless the users proceed with the payment of the ransom.
Installing vetted software from a trusted source is a general measure to prevent malware. Additionally, access control
mechanisms enabling only authorized processes to access files may apply as a specific protection measure.
5.7 Over-collection
Over-collection may lead to unwanted disclosure of PII. Several examples and cases of over-collection are described in
the US report on big data and privacy [i.9].
Over-collection might be present by default when the information arises from the physical world and is captured by
sensors, due to the difficulty of filtering out signals not related to the scope of the program (so-called "noise"). Instead it is
always intentional for information "born digital", i.e. data and metadata created specifically for use by a computer or a
digital system [i.9].
Over-collection is not necessarily clandestine. Potentially Unwanted Applications (PUA) are common applications that
collect user data, which may include PII, and send it to remote but not necessarily malicious servers (e.g. for targeted
advertisement purposes). Applications belonging to a category commonly known as "people as sensors applications"
may exploit over-collection to provide additional services to users.
5.8 Mis-contextualization
Mis-contextualization occurs when data from different users, or from the same user in a different role (i.e. a different
"persona"), is mixed and used inappropriately.
Mis-contextualization might be an unintentional event due to, e.g. a missing reset of a terminal equipment (end user
device) or to a missed account switch when the same service subscription is used by more than one user.
Despite potentially supporting multiple user accounts, some terminal equipment, devices, or even single applications
running on them do not provide an easy way for users to switch between different accounts. The terminal, device or
application may contain PII and pointers to subscribed services which might not be erased by the original subscriber. As
a consequence, if the device is not properly reset when it is sold - or even stolen - data related to the original
subscription may be accessed by users other than the subscriber or the legitimate user, leading to disclosure of PII, and
even to an inappropriate use of the subscriber's credentials to commit fraud or crimes (identity theft).
5.9 User Impersonation
An attacker may discover user identities by snooping on identities carried in authentication traffic. In some situations in current mobile
networks (e.g. GSM, UMTS and in all networks during an emergency call setup) the IMEI or the IMSI is sent to the
network in plain text. This opens the door to identity disclosure.
Such information can later be used by a malicious user to pretend to be the legitimate user, even in order to commit fraud
or crimes (identity theft).
5.10 Alteration of ownership or access rights
A service provider generally owns account data concerning its subscribers. The business model of some services may
require subscribers to consent to a number of uses of the data. Thus, the ownership relationship or the rights over the data may be
altered when data is released to the service. As a consequence the data itself may be made public, be altered, or even be
indexed in search engines. Regulation, however, may impose use limitations, acknowledging that principals effectively
retain some rights over PII.
5.11 Alteration of persistence
To ensure business continuity and prevent data loss, data centres generally provide by default security policies such as
backup and replication over different nodes. Compared to traditional "local" storage devices (e.g. a local hard disk),
this feature may introduce an alteration of natural data persistence.
An irreversible destruction of electronic data so that no party is capable of recovering it (so-called "secure" data deletion)
might be difficult to ensure without the ability to resort to the destruction of the hardware.
NOTE 1: Alteration of persistence makes evident that data stored on a remote location may present additional risks
compared to a local storage, although cryptographic techniques may provide means to enforce
confidentiality. These risks might not be evident to the service subscriber.
NOTE 2: At the present time, no technical option seems suitable to ensure information extinction after its
disclosure (a feature referred to as "the right to be forgotten" in some legal contexts). The safest
assumption is that data, once released and disclosed, will be persistently present in the Cloud [i.9]. A
weaker version of the "right to be forgotten", known as "right to erasure" has been recently introduced in
EU regulation.
5.12 Synopsis
This clause provides a synopsis of threats found in the scenarios reported in Annex A. The analysis of these scenarios
leads to the identification of three main categories of risks: data disclosure, data manipulation and data unavailability
(corresponding to violations of the three classical security properties: confidentiality, integrity and availability).
Furthermore, each scenario is mapped into one of the two general use cases (UC1, UC2) identified in clause 7 and
addressing architectural aspects.
Table 5.1: threats, risks and vulnerabilities

| Scenarios | Threats | Vulnerabilities | Security Properties | Risk Category | Use Case |
|---|---|---|---|---|---|
| Social Networking App, In-car blackbox, Self-quantifying | Over-collection | Permissions | Confidentiality | Disclosure | UC2 |
| Installing untrusted apps | Ransomware | Permissions | Availability | Unavailability | UC2 |
| BYOD, Social Networking App, Self-quantifying | Data sharing | Permissions, no way to extend access control outside TE | Confidentiality, Accountability, Authentication | Disclosure | UC2 |
| Social Networking App, In-car blackbox, Self-quantifying | Data fusion related threats | Changed scope/use | Accountability, Confidentiality, Authentication (Unlinkability, untraceability) | Disclosure | UC2 |
| Cloud Unavailability | Service termination or inaccessibility, lock-in mechanisms | Remote Storage | Availability | Unavailability | UC1 |
| Social Networking App, Self-quantifying | Alteration of access rights, indexing in search engines | Loose ownership, Changed scope/use | Confidentiality, Integrity, Availability, Accountability (right to be forgotten) | Disclosure, Unavailability, Manipulation | UC2 |
| Social Networking App, In-car blackbox | Alteration of persistence | Remote Storage, replication | Accountability, Confidentiality (right to be forgotten) | Disclosure | UC2 |
| Medical Scenario, PNR | Data breaches | Untrusted infrastructure | Confidentiality, Integrity, Availability, Accountability (location control) | Disclosure, Unavailability, Manipulation | UC1 |
| BYOD, In-car blackbox | Mis-contextualization, identity theft | Missing device reset or account switch | Authentication, Confidentiality, Integrity, Availability, Accountability | Disclosure, Unavailability, Manipulation | UC2 |
| Fake or untrusted access mobile networks | User Impersonation | Untrusted infrastructure | Confidentiality, Integrity | Disclosure, Manipulation | UC2 |
6 Technical aspects
6.1 Principles from ISO/IEC 29100
Previous clauses identified a number of critical issues in PII processing. The present clause first provides a
summary of the general protection principles defined in ISO/IEC 29100 [i.1]; it then describes a number of
related technical aspects of designing services that process PII.
ISO/IEC 29100 [i.1] recommends that service providers apply the following principles with no or very limited
exceptions, regardless of jurisdictional differences between countries. What follows is a summary of the principles;
ISO/IEC 29100 [i.1] contains the full details.
• (Informed) consent and choice whenever applicable, including the ability for the PII principal to withdraw
their consent and special provisions for individuals not legally able to express their consent and procedures by
government authorities.
NOTE: Even if consent is withdrawn, the PII controller may need to retain data for a given period to meet legal or
contractual obligations.
• Purpose legitimacy and specification, including special provisions for sensitive PII which may be subject to
specific legal constraints.
• Principle of collection limitation: organizations should not collect PII indiscriminately, and should inform PII
principals when collection of additional information (not specifically related to the provision of the main
service) is optional.
• Data minimization, including removal of unnecessary processing and unnecessary access to PII and deletion of
PII when no longer strictly needed for the provision of a service (or any legal obligation thereof).
• Limitation of use, retention and disclosure.
• Periodic verification of accuracy of the information and quality of the processing, especially when inaccurately
collected or processed data could result in harm to the PII principal.
• Principle of openness and transparency, including notices on the options available to the PII principal for
accessing, correcting and removing or limiting processing of information; and notices on what PII is being
requested, purpose of processing, details of processing including types of authorized persons able to access the
records, mechanisms of collection, storage, communication, retention and disposal procedures.
• Individual participation and access: ability of the PII principal to access, review and provide any correction to
their PII or request of removal (subject to applicable law for specific cases).
• Principle of accountability of processing and measures taken for protecting PII from privacy breaches and
compensation in case of identity theft, reputation damages, PII misuse or accidental mistakes in the processing
of PII.
• Implement information security to protect confidentiality, integrity and availability of PII from risks such as
unauthorized access, destruction, use, modification, disclosure or loss throughout the whole data lifecycle.
• Compliance with privacy law.
6.2 Degree of link-ability
By definition, PII is any information that can be used to identify an individual (the PII principal) or that can be
directly or indirectly linked to one. Data may be classified according to the degree to which it can be linked to an
individual. ISO/IEC JTC 1/SC 38 CD 19944 [i.23] reports the following classification:
• identified data provides the identity of the individual;
• pseudonymized data contains aliases (also known as pseudonyms) in place of the actual identifiers. Aliases can be
obtained by encryption or hashing and cannot be reverted with reasonable effort by anyone other than the party
providing them (an unkeyed hash of a low-entropy identifier such as a phone number can be reverted by enumerating
the input space, so this condition holds only when a secret key or equivalent is involved). The term "securely
pseudonymized data" is used when aliases cannot be reverted with reasonable effort by anyone, including the party
providing them;
• anonymized data contains attributes in place of the actual identifiers which are randomized or generalized in
such a way that there is a reasonable level of confidence that no individual can be identified. The
randomization process reduces the degree to which the aliases reflect the true value of the attributes (accuracy).
The generalization process reduces the
...
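The three degrees of linkability above, worked through on a single record. This is an added example and not code from ETSI TR 103 304 or from ISO/IEC 19944: the record values are constructed, HMAC-SHA256 under a secret key stands in for the "hashing" the text mentions, the adversary's knowledge of the phone prefix is an assumption, and the age-band, postcode-prefix and noise rules are illustrative choices. The block also shows why an unkeyed hash of a low-entropy identifier does not qualify as a pseudonym: an adversary who knows the operator prefix recovers the number by enumeration, while the same attack against the keyed alias fails.

```python
# Added example (not from ETSI TR 103 304 / ISO/IEC 19944): the record,
# key handling, prefix knowledge and generalization rules are assumptions.
import hashlib
import hmac
import itertools
import random
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample record with invented values, not real PII.
IDENTIFIED: Dict[str, object] = {
    "name": "Alice Example",
    "phone": "+33612340042",
    "age": 34,
    "postcode": "06921",
    "daily_steps": 8420,
}
DIRECT_IDENTIFIERS = ("name", "phone")


def naive_alias(identifier: str) -> str:
    """Unkeyed SHA-256 alias. A phone number, badge ID or date of birth has a
    small input space, so anyone can enumerate it and recover the identifier:
    this does NOT satisfy 'cannot be reverted by reasonable effort of anyone
    other than the party providing the alias'."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_alias(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 alias. Enumeration is useless without the key, so only the
    key holder can revert or re-derive it: the 'pseudonymized data' case."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def reverse_alias(alias: str, known_prefix: str, unknown_digits: int,
                  derive: Callable[[str], str]) -> Optional[str]:
    """Adversary's dictionary attack: derive the alias of every identifier
    sharing a known prefix (operator, region) and compare with the target.
    Cost is 10**unknown_digits derivations; a whole national mobile range is
    still feasible offline when 'derive' is an unkeyed hash."""
    for tail in itertools.product("0123456789", repeat=unknown_digits):
        candidate = known_prefix + "".join(tail)
        if derive(candidate) == alias:
            return candidate
    return None


def pseudonymize(record: Dict[str, object], key: bytes) -> Dict[str, object]:
    """Replace the direct identifiers by keyed aliases; other attributes stay."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = keyed_alias(str(record[field]), key)
    return out


def securely_pseudonymize(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """'Securely pseudonymized data': one fresh key per batch keeps records of
    the same principal linkable to each other, and the key is dropped on
    return, so not even the provider can revert the aliases afterwards."""
    ephemeral_key = secrets.token_bytes(32)  # never persisted
    return [pseudonymize(r, ephemeral_key) for r in records]


def anonymize(record: Dict[str, object], noise: int = 500,
              rng: Optional[random.Random] = None) -> Dict[str, object]:
    """'Anonymized data': direct identifiers dropped, quasi-identifiers
    generalized (age band, postcode cut to its area prefix), and a measured
    attribute randomized with additive noise, trading accuracy for a lower
    chance of singling out one individual by an exact value."""
    if rng is None:
        rng = random.SystemRandom()
    decade = int(record["age"]) // 10 * 10
    return {
        "age_band": f"{decade}-{decade + 9}",
        "area": str(record["postcode"])[:2] + "***",
        "daily_steps": int(record["daily_steps"]) + rng.randint(-noise, noise),
    }


def demo() -> Dict[str, object]:
    """Run the three degrees end to end on the constructed record."""
    phone = str(IDENTIFIED["phone"])
    prefix = phone[:-4]  # assumption: attacker knows all but the last 4 digits
    provider_key, attacker_guess = secrets.token_bytes(32), secrets.token_bytes(32)
    return {
        "naive_reverted": reverse_alias(naive_alias(phone), prefix, 4, naive_alias),
        "keyed_reverted": reverse_alias(keyed_alias(phone, provider_key), prefix, 4,
                                        lambda c: keyed_alias(c, attacker_guess)),
        "pseudonymized": pseudonymize(IDENTIFIED, provider_key),
        "anonymized": anonymize(IDENTIFIED),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running the file prints the four results: the unkeyed alias is reverted to the full phone number, the keyed alias is not, the pseudonymized record keeps age, postcode and step count intact, and the anonymized record no longer carries any field that maps back to one person. The "securely pseudonymized" batch is linkable only within itself: because the key is discarded, no later batch can be joined to it, which is the price of removing the provider's own ability to revert.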