surveillance and e-government: real and potential threats to privacy in europe and beyond

Surveillance and E-Government: Real and Potential Threats to Privacy in Europe and Beyond. Fatemeh Ahmadi Zeleti, Tampere University of Technology. FP7 SMART Project Steering Committee Meeting in Malta, June 2012.

Upload: fatemeh-ahmadi-zeleti

Post on 22-Apr-2015


Page 1: Surveillance and E-Government: Real and Potential Threats to Privacy in Europe and Beyond

Surveillance and E-Government: Real and Potential Threats to Privacy in Europe and Beyond

Fatemeh Ahmadi Zeleti

Tampere University of Technology

FP7 SMART Project

Steering Committee Meeting in Malta

June 2012

Page 2

Surveillance and e-government: Threats to Privacy

National level

International level

Page 3

National Level

Iran

Page 4

Embezzlement and weak e-government system

• Embezzlement in the government and the Central Bank

• No appropriate surveillance system and technology (e.g. application access control and login control system)

Page 5

G2C: E-Voting

• Iran's disputed election in the year 1388 (2009)

• Lack of efficient e-voting system and system security (data updated illegally)

• E-counting system and security fails

• Unauthorized access to the system

• Number of votes cast in 50 Iranian cities exceeded the number of people entitled to vote

• Additional votes are over 3 million

Page 6

G2C: Police fine

• Bargaining over the value

• Manually entered into the system

• System lacks appropriate login access control and application access control

• Upon payment, the officer falsifies the data

Page 7

G2C: Smart Driving License

• Government developed smart driving license

• Classification of violations in the system

• Issuing of driving license

• Police simply insert the license to issue the bill

Page 8

G2C: Fuel Card

Cards have no efficient security

Card password is easily visible to others (stolen and used by others)

Card is not properly designed for one car (anyone can use it)

People sell their allowance to others for a higher price

http://www.epolice.ir

Page 9

G2C: Household consumption

• Meter equipment is not well designed to meet the security requirements

• 2011: Police caught and arrested a man who cheated

• Design of digital meter

• Man with a hand held device to register the number

Page 10

G2E: Employee work time registration and payroll system

• Poor employee work time registration system

• No proper surveillance tech

• Low security for employees' data

• An authorized employee can access the workload page and easily cheat the system

• Direct effect on the payroll system

Page 11

E-Administration

• Too many processes, which cause data loss

• Unauthorized access to the system and customers' data

• Employees use data to establish knowledge about the customer

• Due to the unauthorized access, the customer's file number is changed

Page 12

E-Payment say the point

• Card users share their card password

• Share upon payment

• Payment is not finalized, but customer account is affected

Page 13

E-Health

• Insurance booklet is in use

• Upon arrival at the clinic, the patient's info is entered into the system

• But there is no proper system security to identify the patient and check whether he is using his own booklet

• Solution to prevent violations and abuse of the current booklet and system: Smart insurance (Health) card

• Ready to use by end of 2012

Page 14

Database and accessibility

• Unsecure databases and unauthorized access

• Higher education: unsecure database and lack of efficient access control

• Low speed connection => distribution of whole database

• Regular employees have access to all databases

No efficient access control

Lack of education and understanding of possible threats

Ex: In March 2012, a regular employee of the Central Bank handed over the whole bank database

Page 15

Hashing the password

• Most of the government websites save the user’s password

• No hashing algorithm is used (MD5)

• One user may use 1 password for different purposes

Page 16

Government assigned password

• Some government websites assign passwords to users (Melli Code: Nesha System)

• By knowing someone’s Melli Code, another person can access the account

• Melli card No. -> Profile access -> Profile info
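Slides 15 and 16 describe passwords stored without hashing and passwords that equal the national ID number. As an added example (not part of the presentation), this Python sketch stores a per-account salted PBKDF2 hash instead of the password and refuses a password containing the ID number; MD5, which slide 15 names, is a fast digest and is not used here. The function names, the 10-character minimum, the iteration count and the sample ID numbers are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


class WeakPassword(ValueError):
    """Raised when the chosen password is derivable from public identity data."""


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # Deliberately slow key derivation, so a leaked table is expensive to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(national_id: str, password: str) -> dict:
    """Build the record to store for a new account; the password itself is never kept."""
    # Slide 16: a password that is (or contains) the ID number is known to anyone who knows the ID.
    if national_id in password or len(password) < 10:
        raise WeakPassword("password must be user-chosen and unrelated to the ID number")
    salt = secrets.token_bytes(16)  # per-account salt: equal passwords give different records
    return {"salt": salt.hex(), "iterations": ITERATIONS,
            "hash": _derive(password, salt, ITERATIONS).hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = _derive(candidate, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    # Constructed sample data: two accounts whose owners reuse the same password.
    pw = "correct horse battery"
    a = enroll("0012345678", pw)
    b = enroll("0098765432", pw)
    return {"records_differ": a["hash"] != b["hash"],
            "good_login": verify(a, pw),
            "id_as_password_login": verify(a, "0012345678")}


if __name__ == "__main__":
    print(demo())
```

Because each record carries its own salt, a leaked table does not reveal which accounts share a password.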

Page 17

Website Regulation: May 2012: Iran

• Government surveillance on government organizations

• Tight regulation for employees and websites

• For high security of user’s information

• All employees of Banks and Insurance Companies

• No use of international e-mail domain

• No electronic communication with customers with international e-mail domain

• Hotmail, MSN, Yahoo and Gmail => one of the tools to exit user’s information from the country

• No website with the .org and .com domain

• All websites with the .ir domain

Page 18

Simorgh: May 2012: Iran

• Anti-censorship software (VPN)

• Fake version of Green Simurgh in 4shared

• Founded by Munk School of Global Affairs

• Green Simurgh Co. (Since 2009) is denying

• Abused citizen’s needs

• Turned out to be Spying Version

• Access to user’s info (Identification and access keys)

• Monitor user’s activities (IPs, event handlers (keys and clicks))

• Collected info and data are transferred to servers located in Saudi Arabia and USA

simurghesabz.net

Page 19

Fiber: April 2012: Iran and …

• Extensive Gov to Gov attack

• Low system security of major government organizations

• The most sophisticated threats ever

• Malfunctioning systems of the two most important gov orgs

• Name: ’Fiber’

• Starting date: Aug 2010 (Kaspersky Lab, Russia)

• Research Unit: International Telecommunications Union of United Nations (ITUUN)

• ITUUN Research on ’Wiper’ => ’Fiber’ discovery

• It collects all the sensitive information and destroys data in the organization DB

• Records network traffic, takes pictures of the screen, records conversations, records keyboard input, etc.

• Over 600 Government organizations are influenced

Page 20

Service malfunction: Iran

• Consequences

Ministry of Science: The attack failed and the situation is under control. No extra info is forecasted.

Ministry of Oil: Main server disconnection. Computer motherboards are burned out and some data are lost, but could be recovered. To minimize the loss, a number of Internet and network connections were intentionally disconnected.

Page 21

TAKFA (Late 1999- April 2002): Iran’s road to knowledge-based development

• National Information and Communication Technology Agenda

• Information Society and a knowledge-based Economy in which ICT is an Enabler Technology

• TAKFA comes in seven strategic axes

Government

Education

Higher Education

Services

Commerce and Economy

Culture and Persian Language

ICT industry through SME empowerment

Page 22

TAKFA put down

• Lack of inexpensive and easy access to Internet

• Lack of advanced technologies and security software

• Lack of surveillance technologies and equipment

• Lack of encompassing information infrastructure

• Inadequate national bandwidth

Page 23

International Level

Page 24

E-Payment (NetBank) in Finland

• High security (Official Finnish ID required)

• Login access control

• Application access control

• Money transfer over the NetBank requires further telephone confirmation

• Required questions are asked to process the payment

• 1 password/1 netbank access

Page 25

E-Health in Finland

• Kela Card

• 1 card for 1 user

• Biometric Kela Card (patient’s record is kept safe and private)

• Kela card is considered the patient's ID in the e-health system

• Owned by 1 person only

Page 26

Police fine in Finland

• CCTV takes a picture of the car violating the driving regulation

• System takes care of issuing the fine

• No opportunity to falsify the data

• IP cameras: once footage is captured, the image is sent to the control center and the fine is issued and sent to the driver's address

Page 27

Foreigner resident permit card in Finland

• New e-service was implemented in March 2012

• No resident permit is attached to the passport

• Biometric identifiers stored on the residence permit card chip include a facial image and two fingerprints

• User’s data is kept safe in the card

• No one can fake it

• It is not an official ID

• In UK too

Page 28

Resident permit in the Philippines

• Stamp the resident permit in the passport

• RP info is entered by hand

• Info can be easily changed by the passport holder

• Solution: ACR I-Card Resident permit (electronic chip embedded into the card containing all your relevant information)

• Quick verification of information

• Eliminates fixers and illegal personnel issuing falsified documents.

Page 29

E-Health in Australia

• NEHTA (National E-Health Transition Authority)

• Personally controlled electronic health records (PCEHR) for all Australians

• Starting July 2012, all Australians can choose to register for an electronic health record

• PCEHR System is used

• A privacy management framework has been developed to ensure the privacy of the user’s data

• Still early to define the threats to privacy

Page 30

E-Health in China and USA: Jan 2012

• China and the United States, two different political cultures, have both introduced major health reform programs to promote health-care improvement for their respective citizens

• The piloted use of biometrics in the SD card with fingerprint encryption for patients to access personal health records

• Without the SD card, no one can access

Page 31

• The United States is experiencing an increasing use of biometric applications for authentication and identification

Page 32

Conclusion

• Governments of many countries abuse citizens’ data and information

• Government surveillance is done through monitoring users’ activity and communication and accessing users’ data (data are accessed from the e-services portals)

• Government authorities lack the expertise to design expert systems with high security

• Technology plays a vital role if implemented appropriately

• Privacy protections are expected to increase

Page 33

Thank you for your kind attention

I welcome your questions, suggestions and comments!

Fatemeh Ahmadi Zeleti

[email protected]