  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
501

Data Protection in Transit and at Rest with Leakage Detection

Denis A Ulybyshev (6620474) 15 May 2019
In service-oriented architecture, services can communicate and share data among themselves. This thesis presents a solution that allows detecting several types of data leakages made by authorized insiders to unauthorized services. My solution provides role-based and attribute-based access control for data so that each service can access only those data subsets for which the service is authorized, considering a context and service’s attributes such as security level of the web browser and trust level of service. My approach provides data protection in transit and at rest for both centralized and peer-to-peer service architectures. The methodology ensures confidentiality and integrity of data, including data stored in untrusted cloud. In addition to protecting data against malicious or curious cloud or database administrators, the capability of running a search through encrypted data, using SQL queries, and building analytics over encrypted data is supported. My solution is implemented in the “WAXEDPRUNE” (Web-based Access to Encrypted Data Processing in Untrusted Environments) project, funded by Northrop Grumman Cybersecurity Research Consortium. WAXEDPRUNE methodology is illustrated in this thesis for two use cases, including a Hospital Information System with secure storage and exchange of Electronic Health Records and a Vehicle-to-Everything communication system with secure exchange of vehicle’s and drivers’ data, as well as data on road events and road hazards.
To help with investigating data leakage incidents in service-oriented architecture, integrity of provenance data needs to be guaranteed. For that purpose, I integrate WAXEDPRUNE with IBM Hyperledger Fabric blockchain network, so that every data access, transfer or update is recorded in a public blockchain ledger, is non-repudiatable and can be verified at any time in the future. The work on this project, called “Blockhub,” is in progress.
502

La protection des libertés individuelles sur le réseau internet / The protection of Individuals rights on the internet

Criqui-Barthalais, Géraldine 07 December 2018
This study views the internet as a new space that invites a reinterpretation of the freedoms of the natural person. Among these, protection is given to individual liberty, understood as the right not to be arbitrarily detained, and to freedom of movement. The same must hold on the network. Drawing an analogy with these freedoms, the first part of the thesis establishes two freedoms: the freedom of access to the network and the freedom to browse the web. The first requires defining the content of a public access service. Moreover, it must be affirmed that cutting off network access is to be regarded as a measure depriving a person of liberty; it can therefore be ordered only by the ordinary courts. Affirming the freedom to browse the web leads to consideration of the regime for website blocking, a measure that can be taken only within the framework of a special administrative police power. In the second part, it appears that these two freedoms are meaningful only if the individual has anonymous access to the network and is not arbitrarily monitored when browsing the web. This study thus seeks to specify the regime that should govern the network's addressing mechanism. The conditions for checking the identity of an internet user from his or her IP address are defined. Finally, it is argued that a general principle of erasure of data revealing the sites visited must be affirmed, a principle that applies to the various actors of the network, in particular search engines. The interception of such data can derive only from a security-related or hierarchical power over the internet user. / This study considers the internet as a new territory where rights guaranteed to each individual in physical space can be promoted; not only free speech and privacy, but also the Habeas Corpus prerogative writ, which protects against unlawful imprisonment, and the right to freedom of movement. 
Thus, processing by analogy, the dissertation intends to promote two specific digital rights: the freedom to connect to the internet and the freedom to surf on the web. The freedom to connect should be part of a public service which promotes this access through public policies. Moreover, barring someone from using the internet can only be decided by a judge. The freedom to surf should protect the web users against unreasonable restrictions. Thus, measures blocking illegal websites should not come through self-regulation but through a legal framework which defines how administrative authorities are entitled to decide such restrictions. The protection of these two rights entails further obligations. Individuals must access the internet anonymously and they must be aware of how the government monitors their actions on the web. This study tries to outline the content of measures aiming to frame network addressing mechanisms. Identity checks based on the IP address should be subject to a strict legal regime. The study concludes that individuals have to be protected from surveillance when data reveal their choices among websites while they are connected. Internet access providers, but also search engines and browsers, must delete this data. Only special measures taken by a public entity or someone entitled to control the web users may lead to this kind of data retention.
503

La protection des données à caractère personnel dans le domaine de la recherche scientifique. / The protection of personal data in scientific research

Coulibaly, Ibrahim 25 November 2011
How should the protection of personal data in the field of scientific research be efficiently ensured? This is the central question of this thesis. It is a crucial question at a time when data processing operations are set to multiply in all fields of research, and when their purposes are not always clearly defined or perceived. In response to this question, the application of the Informatique et Libertés law, a general-purpose law governing the processing of personal data, revealed numerous difficulties in the field of scientific research from the moment of its adoption. Various amendments and adaptations followed (1986, 1994, 2004), in the light of which the framework governing the processing of personal data for scientific research purposes had to be determined. This investigation shows that the Informatique et Libertés law lays down the basic principles for protecting data processed in scientific research by providing for a priori regulation of data collection and for a posteriori monitoring and control of the implementation of the processing. The a priori regulation aims mainly at guaranteeing the scientific quality of research projects. Inherent in the scientific purpose of the data processing, the a posteriori monitoring tends, for its part, to guarantee compliance with certain rules, such as the compatibility of data reuse and the presentation and use of research results under conditions that must not harm individuals. Because it cannot rest solely on the intervention of the data controller, the a posteriori monitoring is supplemented by an a posteriori control exercised by the data subject, the CNIL and the courts alike. 
In the field of scientific research, these various controls could usefully be complemented by the involvement of the community of researchers concerned. This is self-regulation. Ultimately, efficient protection of personal data will result from a system of regulation with several levels and actors, each of which must actually use the means of action granted to it. / How should the protection of personal data in scientific research be efficiently ensured? This is the main question of this dissertation. Important issue at a time personal data processing are to be increased in the future in all scientific research fields, but whose aims are neither clearly defined nor always clearly perceived. To this question, the enforcement of data protection act which is a general law for the management of personal data processing has shown, since its adoption, many problems in scientific research. Many changes and adaptations have been made in 1986, 1994 and 2004, on the basis of which it was necessary to determine the management of personal data processing to scientific research purposes. This investigation reveals that data protection act lays the basic principles of the protection of personal data processed in scientific research by forecasting an a priori data gathering, a follow-up and an a posteriori control of the data processing implementation. The a priori management mainly aims at guaranteeing the scientific quality of research projects. As for the a posteriori follow-up which is inherent in scientific aim of data processing, its objective is to guarantee the enforcement of some rules such as the accountancy of data reuse, the presentation and the use of the research results in conditions that should not be harmful to people. 
As it cannot depend on the sole intervention of the responsible for the processing, the a posteriori follow-up is completed by an a posteriori control carried out by the affected person as well as the CNIL and the courts. In scientific research, these different controls could opportunely complement one another by an intervention of the community of researchers in question. This is self regulation. At the end, an efficient protection of personal data will result from a multiple step regulation system in which participants and everyone must actually use the means of actions which are acknowledged to them.
504

Les échanges de données personnelles entre l’union européenne et les tiers dans le domaine de la sécurité / Exchanges of personal data between the European Union and third parties in the field of security

Larbre, David 12 December 2014
The interest of reflecting on exchanges of personal security data between the European Union and third parties arose from a question about the legal framework to which these exchanges belong and the existence of data protection safeguards. Starting from the observation that States are at the origin of the creation of police and judicial cooperation networks, the irruption of the European Union and its Agencies into sovereign spheres is disconcerting. The intervention of the EU and its Agencies must also draw attention to compliance with the conditions of these exchanges, which are subject to the requirement of adequate safeguards on the part of third States and This development requires determining beforehand how data exchanges with third parties have gradually become an instrument serving the area of freedom, security and justice (AFSJ). In this respect, security as understood here concerns the fight against terrorism, organised crime and illegal immigration. This thesis thus aims, through an examination of the agreements concluded by the EU and its Agencies with third parties, to detect, analyse and highlight the rules governing these exchanges of personal data and the protection attached to them. It should make it possible to better define the function of the European Union and the role of the Member States in these exchanges, to assess the safeguards provided by the EU and its partners, and to arrive at the emergence of an overall regime that is heterogeneous but whose unity lies in the concern to ensure adequate protection. / Enabling security between the European Union and third party personal data exchange leads one to reflect on the related legal framework and safeguards regarding data protection. As states are at the origin of police networks and judicial cooperation, the emergence of the EU and its agencies in sovereign spheres has been astonishing. 
For the EU, respecting the conditions of such exchanges requires adequate guarantees from third states. To better understand this, one should first analyze to which extent these exchanges have gradually become an instrument servicing the areas of freedom, security and justice (AFSJ, "security" here implies the fight against terrorism, organized crime and illegal immigration). This thesis aims to detect, analyze and highlight the rules governing the exchanges of personal data and the protection attached to them. Its goal is to understand the function of the EU and the role of member states in these exchanges, to assess the guarantees provided by the EU or its partners and to lead to the emergence of a system which could provide adequate protection. The first part will determine the modalities of cooperation between the EU and third parties in the field of personal data security exchanges; identifying the existence of safety data exchange networks before looking into the fight against terrorism and organized crime’s international dimension. A focus on external standards in the EU will lead the reader to grasp how safety within third party data exchange networks may be structured and to understand the role of international organizations such as the UN (or extraterritorial jurisdiction from third countries such as the USA). The EU having developed its cooperation regarding safety data exchanges, its foreign policy in terms of AFSJ gives one an overview of safety data exchange networks and their diversity, but it also shows the limits of their extension. These different forms of cooperation are the foundations of constituent EU treaties, yet they face legal and democratic issues as far as EU legitimacy is concerned. The EU integration process, on which safety with third party data exchanges is based, will also be studied; if this integration is a success overall, sovereignty issues have also brought their share of safety data protection alterations. 
This thesis’ second part focuses on the guarantees related to safety data exchanges, fundamental rights protection regarding this personal data and the need for adequate protection when transferring data to third parties. The adequacy of "normative" protection must be analyzed in global terms, that is to say within an international framework. The study of normative protection will be followed by a thorough examination of their effective protection. The reader will see how data exchange security transparency enables people to exercise their right to both access data and challenge decisions taken on the basis of data exchange safety. Effective protection leads to the identification of responsibilities related to safety data exchanges, the mechanisms of which may highlight that the EU or third parties have breaches in their obligations.
505

Der Schutz der Privatsphäre bei der Anfragebearbeitung in Datenbanksystemen / Privacy protection in query processing in database systems

Dölle, Lukas 13 June 2016
In recent years, many methods have been developed to ensure the protection of privacy when data is published. Most techniques anonymize an entire data table so that sensitive values can no longer be unambiguously assigned to individual persons. Their privacy is considered sufficiently protected if there exists a set of at least k sensitive values from which potential attackers cannot determine the actual value. The starting point for the present work is a sequence of queries on personal data that a database management system answers by returning a set of tuples. The goal is to find out whether attackers, knowing all the results, are able to unambiguously assign individuals their sensitive values, even if all result sets are anonymized. So far, methods are known only for aggregate queries such as sums or averages. This work therefore develops approaches that guarantee protection for arbitrary queries as well. It is shown that the solution approaches can be reduced to matching problems in special graphs. However, determining maximum matchings in these graphs is NP-complete. For this reason, approximation algorithms are presented that construct a subset of all matchings in polynomial time without compromising privacy. / Over the last ten years many techniques for privacy-preserving data publishing have been proposed. Most of them anonymize a complete data table such that sensitive values cannot clearly be assigned to individuals. Their privacy is considered to be adequately protected, if an adversary cannot discover the actual value from a given set of at least k values. For this thesis we assume that users interact with a data base by issuing a sequence of queries against one table. 
The system returns a sequence of results that contains sensitive values. The goal of this thesis is to check if adversaries are able to link uniquely sensitive values to individuals despite anonymized result sets. So far, there exist algorithms to prevent deanonymization for aggregate queries. Our novel approach prevents deanonymization for arbitrary queries. We show that our approach can be transformed to matching problems in special graphs. However, finding maximum matchings in these graphs is NP-complete. Therefore, we develop several approximation algorithms, which compute specific matchings in polynomial time, that still maintain privacy.
506

Transferring Big Data to the United States in the Post Snowden Era : Can the Fundamental Rights of EU citizens laid down in Articles 7,8 and 47 of the Charter be guaranteed?

Tenhovaara, Taru January 2018
No description available.
507

A Privacy-Preserving, Context-Aware, Insider Threat prevention and prediction model (PPCAITPP)

Tekle, Solomon Mekonnen 07 1900
The insider threat problem is extremely challenging to address, as it is committed by insiders who are trusted and authorized to access the information resources of the organization. The problem is further complicated by the multifaceted nature of insiders, as human beings have various motivations and fluctuating behaviours. Additionally, typical monitoring systems may violate the privacy of insiders. Consequently, there is a need to consider a comprehensive approach to mitigate insider threats. This research presents a novel insider threat prevention and prediction model, combining several approaches, techniques and tools from the fields of computer science and criminology. The model is a Privacy- Preserving, Context-Aware, Insider Threat Prevention and Prediction model (PPCAITPP). The model is predicated on the Fraud Diamond (a theory from Criminology) which assumes there must be four elements present in order for a criminal to commit maleficence. The basic elements are pressure (i.e. motive), opportunity, ability (i.e. capability) and rationalization. According to the Fraud Diamond, malicious employees need to have a motive, opportunity and the capability to commit fraud. Additionally, criminals tend to rationalize their malicious actions in order for them to ease their cognitive dissonance towards maleficence. In order to mitigate the insider threat comprehensively, there is a need to consider all the elements of the Fraud Diamond because insider threat crime is also related to elements of the Fraud Diamond similar to crimes committed within the physical landscape. The model intends to act within context, which implies that when the model offers predictions about threats, it also reacts to prevent the threat from becoming a future threat instantaneously. To collect information about insiders for the purposes of prediction, there is a need to collect current information, as the motives and behaviours of humans are transient. 
Context-aware systems are used in the model to collect current information about insiders related to motive and ability as well as to determine whether insiders exploit any opportunity to commit a crime (i.e. entrapment). Furthermore, they are used to neutralize any rationalizations the insider may have via neutralization mitigation, thus preventing the insider from committing a future crime. However, the model collects private information and involves entrapment that will be deemed unethical. A model that does not preserve the privacy of insiders may cause them to feel they are not trusted, which in turn may affect their productivity in the workplace negatively. Hence, this thesis argues that an insider prediction model must be privacy-preserving in order to prevent further cybercrime. The model is not intended to be punitive but rather a strategy to prevent current insiders from being tempted to commit a crime in future. The model involves four major components: context awareness, opportunity facilitation, neutralization mitigation and privacy preservation. The model implements a context analyser to collect information related to an insider who may be motivated to commit a crime and his or her ability to implement an attack plan. The context analyser only collects meta-data such as search behaviour, file access, logins, use of keystrokes and linguistic features, excluding the content to preserve the privacy of insiders. The model also employs keystroke and linguistic features based on typing patterns to collect information about any change in an insider’s emotional and stress levels. This is indirectly related to the motivation to commit a cybercrime. Research demonstrates that most of the insiders who have committed a crime have experienced a negative emotion/pressure resulting from dissatisfaction with employment measures such as terminations, transfers without their consent or denial of a wage increase. 
However, there may also be personal problems such as a divorce. The typing pattern analyser and other resource usage behaviours aid in identifying an insider who may be motivated to commit a cybercrime based on his or her stress levels and emotions as well as the change in resource usage behaviour. The model does not identify the motive itself, but rather identifies those individuals who may be motivated to commit a crime by reviewing their computer-based actions. The model also assesses the capability of insiders to commit a planned attack based on their usage of computer applications and measuring their sophistication in terms of the range of knowledge, depth of knowledge and skill as well as assessing the number of systems errors and warnings generated while using the applications. The model will facilitate an opportunity to commit a crime by using honeypots to determine whether a motivated and capable insider will exploit any opportunity in the organization involving a criminal act. Based on the insider’s reaction to the opportunity presented via a honeypot, the model will deploy an implementation strategy based on neutralization mitigation. Neutralization mitigation is the process of nullifying the rationalizations that the insider may have had for committing the crime. All information about insiders will be anonymized to remove any identifiers for the purpose of preserving the privacy of insiders. The model also intends to identify any new behaviour that may result during the course of implementation. This research contributes to existing scientific knowledge in the insider threat domain and can be used as a point of departure for future researchers in the area. Organizations could use the model as a framework to design and develop a comprehensive security solution for insider threat problems. The model concept can also be integrated into existing information security systems that address the insider threat problem / Information Science / D. Phil. 
(Information Systems)
508

Towards Usable Transparency via Individualisation

Murmann, Patrick January 2019
The General Data Protection Regulation grants data subjects the legal rights of transparency and intervenability. Ex post transparency provides users of data services with insight into how their personal data have been processed, and potentially clarifies what consequences will or may arise due to the processing of their data. Technological artefacts, ex post transparency-enhancing tools (TETs) convey such information to data subjects, provided the TETs are designed to suit the predisposition of their audience. Despite being a prerequisite for transparency, however, many of the TETs available to date lack usability in that their capabilities do not reflect the needs of their final users. The objective of this thesis is therefore to systematically apply the concept of human-centred design to ascertain design principles that demonstrably lead to the implementation of a TET that facilitates ex post transparency and supports intervenability. To this end, we classify the state of the art of usable ex post TETs published in the literature and discuss the gaps therein. Contextualising our findings in the domain of fitness tracking, we investigate to what extent individualisation can help accommodate the needs of users of online mobile health services. We introduce the notion of privacy notifications as a means to inform data subjects about incidences worthy of their attention and examine how far privacy personas reflect the preferences of distinctive groups of recipients. We suggest a catalogue of design guidelines that can serve as a basis for specifying context-sensitive requirements for the implementation of a TET that leverages privacy notifications to facilitate ex post transparency, and which also serve as criteria for the evaluation of a future prototype. / Paper 2 was included in the thesis as a manuscript and has now been published.
509

我國與美國聯邦對身分竊用法律之比較研究 / A comparative study on the identity theft related laws and practices of Taiwan (R.O.C.) and U.S.A

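徐子文, Hsu, Tzu Wen Daniel Unknown Date
The spread and development of information and communication technology has made economic and social activities more convenient and enriched people's quality of life, but it is a double-edged sword: it also harbours opportunities for new kinds of crime and threatens the normal functioning of economic and social activities. Among these, the theft of identity data and the fraudulent assumption of identity (hereinafter 身分竊用, "identity theft and misuse") has become one of the serious emerging crimes of the information society era. 身分竊用 is commonly known in Chinese as 身分竊盜, a literal translation of the English term identity theft. In fact an identity cannot be stolen as such; the English identity theft is itself an abbreviation, the full meaning being identity theft and assumption, which refers to a person using, without authorization, another person's credentials or information that serve to establish that person's identity, thereby assuming the other's identity to carry out various activities. To stay close to the actual meaning, this study renders the term as 身分竊用. Although the legal system and social mechanisms of the United States, likewise a free, open and highly technological society, differ in many respects from Taiwan's, the effects it has experienced and the ways it has responded when facing the same problem may serve as a reference for Taiwan in dealing with similar problems. Since the 1970s, the United States has enacted at least 20 laws related to identity theft. It began with the protection of personal financial privacy, for example the Fair Credit Reporting Act (FCRA) enacted in 1970 and the Privacy Act enacted in 1974. In 1998 it went further and passed the Identity Theft and Assumption Deterrence Act, which expressly made identity theft a criminal offence. The most important value of the Identity Theft and Assumption Deterrence Act is that it recognized that the person whose identity is misused is also a victim of crime, a great advance compared with the earlier position, in which only those who were defrauded of money through an offender's use of identity theft techniques were regarded as victims. Subsequent legislation and practice have moved in the directions of personal data protection, identity theft prevention and damage containment, and law enforcement and prosecution. Taking identification theory as its starting point, this study explores the role of identity theft in the modern information society and the personal, social and economic impact of acts arising from the theft and misuse of identification data; it collects, excerpts and classifies the laws enacted by the U.S. federal government since the 1970s to address identity theft; and finally it compares the similarities and differences in how the two countries deal with the identity theft problem and attempts to offer suggestions for drawing lessons, harmonization and application. The laws collected in this study are grouped into four types: (1) identity theft offence laws; (2) laws relating to personal identity documents; (3) consumer credit reporting laws; and (4) personal data protection laws. This study finds that although both Taiwan and the United States face the problem of identity theft, differences in national conditions and systems mean that the degree to which they are affected and the approaches they take to the problem also differ. For example, the two countries differ in their attitude to and handling of personal identification numbers: the United States tries as far as possible to break away from mechanisms that identify individuals by a single unique number, whereas Taiwan uses one extensively. As regards personal identity documents, Taiwan's are relatively unified while those of the United States are more dispersed, and to date there is no nationally unified identity card. In the establishment and use of personal identification databases, Taiwan is relatively centralized while the United States emphasizes decentralization. Taiwan's protection of personal data follows the EU model, adopting a top-down legislative approach. By contrast, in protecting personal data the United States tends to build a framework combining statutes, orders and self-regulation rather than a single statute enacted by the government, that is, a bottom-up model. The universal identification system built in the physical world by the national identity card and identity number now used in Taiwan, thanks to the fact that personal databases, although dispersed, can be queried and managed through centralized online connections, gives it an advantage in mechanisms for preventing identity theft. Although the approach the United States has taken to combating identity theft differs considerably from Taiwan's because of differences in national conditions and history, its particular attention, in deterring and controlling crime, to building law enforcement agencies' investigative capacity, prosecution tools and the deterrent effect of judicial sentencing is still worth learning from. This study gives a brief description of the sentencing considerations for identity theft offences in the Sentencing Guidelines of the United States Sentencing Commission and of the reasons for the Commission's design, which may serve as a reference for subsequent research or practice. / Identity theft is a form of stealing someone's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name. The first victim of identity theft is the person whose identity has been assumed by the identity thief and this person can suffer adverse consequences if they are held accountable for the perpetrator's actions. The other victims are those who were defrauded by identity theft tactics. 
Along with the prevalence of information and communication technology, identity theft is becoming a great threat to common people and even to national security. This study has collected more than 20 pieces of U.S.A. federal acts and statutes that related to combating identity theft problems. This study then categorizes them into 4 groups, namely 1) identity theft criminalization; 2) national personal identification system; 3) consumer credit report; and 4) personal data protection. In the meantime, this study also collected related laws and Taiwan (R.O.C.) for comparison. The government organization structures and legal systems between U.S.A. and Taiwan (R.O.C.) are very different, though the common goal of fighting identity theft is the same; the measures are quite different as well. In short, in terms of laws and personal identification system, the U.S.A. is more decentralized while in Taiwan (R.O.C.) it is more centralized. Taiwan (R.O.C.) has a national-wide and unified personal identification system that put it in a better position to respond and mitigate to identity theft impacts. On the other hand, from the law enforceability aspect, the study finds the U.S.A. provides better tools to law enforcement agencies and prosecutors to bring the offenders to justice in court and the judges have relatively more clear guidelines for case consideration and sentence.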
510

公務機關之間傳輸個人資料保護規範之研究-以我國、美國及英國法為中心 / A Comparative Study of Regulations for the Protection of Personal Data Transmitted between Government Agencies in Taiwan, the U.S. and the U.K.

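林美婉, Lin, Mei Wan Unknown Date
The personal information that government holds by virtue of its public powers is all-encompassing, including name, date of birth, national ID number, family, education and occupation. Advances in technology and the development of the Internet allow data that was originally scattered in different places to be rapidly linked, copied, processed and used; and in order to increase administrative efficiency and reduce costs, agencies provide public services over networks with increasing frequency, and sharing personal data by transmission has gradually become the norm. Although these changes bring benefits to government and the public, they are also accompanied by many challenges; in particular, when several agencies must share information, managing risk becomes more complex and difficult, and if the process is not properly controlled and data is stolen, tampered with, lost or leaked, not only is the privacy of the data subject harmed, but the government's credibility is seriously damaged. Therefore, every government agency that holds personal data must establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of data and to avoid any threats and opportunities that might endanger the integrity of data and thereby infringe on an individual's personality and fair treatment. With the interconnection of the global economy and the spread of networks, personal data protection is now an international matter, a trend reflected in a growing number of national laws and transnational provisions such as the rules of international organizations including the OECD, the EU and APEC. Among the advanced countries, the United States and the United Kingdom have different historical backgrounds to the development of their information privacy law. At present the main statutes that U.S. federal agencies must follow in holding and using personal data are the Privacy Act, the Computer Matching and Privacy Protection Act, the E-Government Act, the Federal Information Security Management Act, and related guidance issued by the Office of Management and Budget; the U.K. government must comply with the Human Rights Act and with the Data Protection Act enacted under the framework of the EU Directive, and is supervised and audited by an independent Information Commissioner. In addition, in order to increase efficiency, reduce errors and fraud, and lower the cost of maintaining separate systems, it is necessary for personal data held by government agencies or by different levels of government to flow between them, so both countries also have special provisions or codes of practice for data transmission in practice. By comparison, Taiwan's Personal Information Protection Act, which came into force only on 1 October 2012, contains no specific provisions on the transmission of personal data between public-sector bodies, and mechanisms for oversight inside and outside agencies are also lacking, which raises the risk of personal data being improperly used and disclosed. In order to safeguard the right to personal information privacy while allowing the transmission and use of personal information between government agencies to enhance public services without violating data subjects' rights and interests, this study recommends that legislators or policymakers draw on the legal experience of the United States and the United Kingdom and expressly provide that the Ministry of Justice is responsible for drawing up detailed implementing rules and procedures for agencies to follow when transmitting personal data, reducing the lack of consensus over the flow of information between agencies. To ensure that personal information is properly protected, in addition to obtaining the data subject's prior consent, data sharing should be reviewed by a professional panel before agencies carry it out. Other important measures to be considered are: (1) establishing a Personal Information Management System (PIMS) composed of policies, procedures, and human and equipment resources, and making it part of the overall information management infrastructure; (2) appointing senior officials to be responsible for implementing and maintaining security controls; (3) educating and training personnel to raise risk awareness and shape a good organizational culture; (4) consulting stakeholders and defining the scope, purpose and legal basis of data sharing; (5) conducting a privacy impact assessment (PIA) to identify potential threats to individual privacy and analyse risk mitigation alternatives; (6) concluding a formal written agreement detailing the relevant rights and obligations; and (7) carrying out internal and external audits to monitor regulatory compliance and enhance the transparency, integrity and accountability of agency decision-making. Keywords: personal data protection, right to privacy, information privacy, data transmission, data sharing / Governments have the power to hold a variety of personal information about individuals, such as the name, date of birth, I.D. Card number, family, education, and occupation. Due to advanced technology and the use of the Internet, personal data stored in different places can be connected, copied, processed, and used immediately. It is relatively common for government agencies to provide people with services online as well as transmit or share individual information to improve efficiency and reduce bureaucratic costs. These changes clearly deliver great benefits for governments and for the public, but they also bring new challenges. Specifically, managing risks around sharing information can sometimes become complicated and difficult when more than one agency is involved. 
If the government agency which keeps personal information cannot prevent it from being stolen, altered, damaged, destroyed or disclosed, it can seriously erode personal privacy and people’s trust in the government. Therefore, each agency that maintains personal data should establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of data and to protect against any anticipated threats or hazards to the integrity which could result in substantial harm on personality and fairness to any individual. As the global economy has become more interconnected and the Internet ubiquitous, personal data protection is by now a truly international matter. The trend is fully demonstrated by the growing number of national laws, supranational provisions, and international regulations, such as the OECD, the EU or the APEC rules. Among those developed countries, both the U.S. and the U.K. have their historical contexts of developing legal framework for information privacy. The U.S. Federal agency use of personal information is governed primarily by the Privacy Act of 1974, the Computer Matching and Privacy Protection Act of 1988, the E-Government Act of 2002, the Federal Information Security Management Act of 2002, and related guidance periodically issued by OMB. The U.K. government has to comply with the Human Rights Act and the Data Protection Act of 1998 which implemented Directive 95/46/EC. Its use of individual data is overseen and audited by the independent Information Commissioner. Further, because interagency data sharing is necessary to make government more efficient by reducing the error, fraud, and costs associated with maintaining a segregated system, both countries have made specific rules or code of practice for handling the transmission of information among different agencies and levels of government. 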
By contrast, Taiwan Personal Information Protection Act of 2010 which finally came into force on 1 October 2012 contains no detailed and clear provisions for data transmitted between government agencies. Moreover, there are also no internal or external oversight of data sharing practices in the public sector. These problems will increase the risk of inappropriate use and disclosure of personal data. To protect individual information privacy rights and ensure that government agencies can enhance public services by data sharing without unreasonably impinging on data subjects’ interests, I recommend that law makers draw on legal experiences of the U.S. and the U.K., and specify that the Ministry of Justice has a statutory duty to prescribe detailed regulations and procedures for interagency data transmission. This could remove the fog of confusion about the circumstances in which personal information may be shared. Also, besides obtaining the prior consent of the data subject and conducting auditing by a professional task force before implementing interagency data sharing program, some important measures as follows should be taken: (1) Establish a Personal Information Management System which is composed of the policies, procedures, human, and machine resources to make it as part of an overall information management infrastructure; (2) Appoint accountable senior officials to undertake and maintain the implementation of security controls; (3) Educate and train personnel to raise risk awareness and create a good organizational culture; (4) Consult interested parties and define the scope, objective, and legal basis for data sharing; (5) Conduct privacy impact assessments to identify potential threats to individual privacy and analyze risk mitigation alternatives; (6) Establish a formal written agreement to clarify mutual rights and obligations; (7) Enforce internal as well as external auditing to monitor their compliance with data protection regulations and promote 
transparency, integrity and accountability of agency decisions. Key Words: personal data protection, privacy rights, information privacy, data transmission, data sharing
