
D8.5: Report on inter-disciplinary workshops


 

“The Services - the Users”

ICPP (Contribution to the discussion) 

Opening the second discussion, M. Meints and C. Krause provided a couple of slides on “Four Sector Model of Markets for Mobile Solution” in order to initiate a discussion about the borders between different types of communication (eGovernmental, Professional, public and private). They also stated that these borders are not always definite and can become a little blurry. 

 

This picture (extracted from this ICPP presentation) perfectly illustrates a point highlighted by S. Elaluf-Calderwood (LSE): some changes in individual behaviour are appearing that are regarded as an impact of mobility on the information society, in particular the publishing of private information (“data mobility”), e.g. by blogging, without awareness of the possible consequences.

 

In the ICPP presentation, “data mobility” concerns the e-Bay profile, and the applicant did not realise that a future employer can use private data available in the public domain for professional reasons. 

Awareness will therefore become an issue for mobile users, who need to know how to protect their personal data and to understand the risks of their actions. If this is considered a new responsibility, education may play a role in increasing awareness of the lifestyle related to mobility. 

 

Manufacturer awareness was also identified as important, so that these issues are considered before the implementation / manufacturing of products and appropriate measures/safeguards are embedded in the manufactured products. 

It was also noted that having to give consent all the time for things people are likely to consent to anyway (e.g. the Licence Agreement with Microsoft when a user installs Microsoft Windows on his/her PC) has made them give their consent more easily, without reflecting on it much, thus weakening, if not completely eliminating, the step in which the user considers the request before giving consent. On the other hand, it is established law that the user should first be asked and give consent, so this step cannot be avoided in fixed or in mobile systems.  

It was further argued that mobile publishing deserves consideration because it is more instantaneous and thus poses a bigger threat, as it does not leave the user much time to reflect on his/her action. 

 

At this point the benefits in protecting our privacy were identified to include the following: 

  • Protection against incorrect conclusions, that may be derived based on our published information 

  • The inability of attackers to manipulate and control our identity in public. 

 

Also, a number of questions were raised in the context of the discussion, mainly as a result of the mobility needs of users and the resulting authentication and identification challenges. The open-ended questions were meant to help raise awareness of possible solutions. These were: (a) can any of the lessons learnt while trying to raise consensus on standards and interoperability decisions be repeated? (b) is the technical academic environment aiding in the identification and implementation of appropriate solutions? (c) does the spirit of collaboration inherent among researchers help lower the ‘trust’ barriers to common solutions? It was repeatedly stated that the existence of common goals (the so-called Bologna process) acted as a catalyst in achieving consensus, which is not the case in industry or even government, and that the research spirit helped through the creation of smaller, more human-relation based communities. 

 

J. Claessens (Mobility solution by Microsoft)

Mr. Claessens presented the Microsoft solution, structured around three axes: mobile services (integration planned in various stages), mobile platforms (management of a lot of devices at the same time) and a technical platform mainly based on the .NET solution. The main challenge is to perform mobile communications instantly in a heterogeneous network of mobile devices. 

J. Claessens (Contribution to the discussion)

Mr. Claessens introduced an important topic: identifying ways to manage communications and data using mobile identity while preserving privacy at the same time. He identified two points to be solved in this complex situation: managing privacy (referring to identification information + location) and managing the complexity. He raised a question for discussion as to the possibility of configuring the user consensus only once, without having the user click “I agree” every time. He sees two disadvantages in users having to give their consensus each time: 

  • Much interruption and nuisance to the user 

  • A security problem, since users are going to click “YES” to every question without giving the request much consideration. 

From this introduction, some technical-legal aspects arose: 

  • Is it possible to adapt the “I accept” button concept (already existing in the fixed world) in the mobile world and still remain within legal boundaries? (related to consensus requirement) 

  • Negotiation tools/protocols (e.g. P3P was also cited) can help the non-interruption requirement but represent only one layer. However, it was estimated that few providers will be able to offer this type of tool: How could we avoid monopoly? 

ICPP (Contribution to the discussion)

Mr. Meints first identified the following changes / considerations that have been generated with the introduction of mobile communications: 

  • They introduce a lot of personal data, locations, mobile devices etc. 

  • Simple contracts versus location-based, which could involve 4 or 5 generic participants in the communication, thus making it more complex.  

  • There is also the problem of transparency: the user of the data is most of the time not the controller of the data. In this case consent becomes very difficult to give, and protection via pure legislation is difficult. 

He believes Data Protection legislation is already strong with respect to mobile services (thus perhaps adequate for the time being), but its enforcement is rather difficult. In this context, he perceives a need to change the law enforcement and not the legislation per se. Also, since the interpretation of the Data Protection regulation seems to differ between EU countries, he believes there is a need for consensus and standardisation in this matter. Consensus and standards at a European level could help to reach balanced competitive conditions on the European market. Additional legislation such as the Works Council Constitution Act applies to the use of mobile services (in this case especially in the working context). So two questions arose: 

  • How can transparency of processes be implemented so that an informed consensus of the user can be achieved? 

  • How can security of personal data be technically achieved? 

Eleni Kosta – ICRI-K.U.Leuven (Contribution to the discussion)

She brought mainly two issues into the discussion:  

  1. the proposal for a “Directive on the retention of data processed in connection with the provision of public electronic communication services and amending Directive 2002/58/EC” (hereinafter ‘Data Retention Directive’) and 

  2. answering the question ‘How to prevent secondary effects: spam, fraud, inappropriate content for children, inconvenience in public space, etc?’, Mrs. Kosta approached the issue of inappropriate content for children. 

Specifically: 

  1. On 21.09.2005 the European Commission presented a proposal for a Data Retention Directive. This was the result of a long debate and disagreement with the Council as to who is competent to issue such a Directive. A short introduction was given on how long the data retention period should last, e.g.:  

    • Traffic and location data should be retained for a period of at least 12 months and not more than 36 (Council’s draft framework decision on the retention of data […], dated 28.04.2004) 

    • Traffic and location data shall be retained for a period of 12 months up to 48 months (Council’s draft framework decision on the retention of data […], dated 28.04.2004)

  2. During the discussion Mrs. Kosta presented four different approaches to the protection of minors against illegal and harmful content transmitted through mobile devices. The harmful content may be legal content for adults, but harmful / inappropriate for children. The different approaches are:

  • Strict legislation (the paradigm of US Communications Decency Act & Child Online Protection Act) 

  • Special software or other Internet applications for Internet content monitoring (e.g. V-Chip or the Belgian ‘SaferChat’) 

  • Self regulation (e.g. UK mobile operators’ code of conduct for the self regulation of new forms of content on mobiles) 

  • Co-regulation (e.g. Australian internet content regulation scheme). It involves both mobile and internet operators, the possibility to make on-line complaints, and the intervention of government. Co-regulation requires cooperation between industries and government. 

Lessons Learnt 

As a result of the discussions and the presentations, a number of issues emerged that are important to note in the framework of FIDIS research. These are the following: 

Mobile versus fixed identity: increased requirements and challenges

This conclusion stemmed from nearly every presentation and was agreed upon in the discussions: mobile and fixed identity have different requirements, the former presenting further challenges and considerations. 

An increased need for mobility

It has also been an underlying notion within the discussions and presentations that there is an increased need for mobility for individuals and businesses, both in order to complete work requirements and to facilitate private, everyday communications and tasks. This increased need imposes further requirements mostly on the organisational part of mobile identity, such as consensus, awareness raising and procedural interoperability. It is not clear whether these targets can be achieved. 

Identity challenges

The main identified identity challenges in a mobile world are: 

  • Data protection and privacy – Vulnerabilities multiply in a mobile world 

  • Identity portability – Maintaining your identity rights when using different platforms 

  • Identity roaming over heterogeneous networks – Heterogeneous aspect has to be preserved because it allows freedom for the users 

 

Identity challenges at the European level are also more difficult to meet because of differences in the legislative framework between EU countries. 

Key factor for mobile services success: Trust

From the different discussions, trust has been stressed as the most important factor in order to guarantee the success of mobile services. Trust is regarded as a bridge between mobile individual and mobile usage or in other terms, a bridge between user requirements and mobile services. In the context of a mobile world, the concept of trust essentially is composed of transparency, consensus and user control. 

Other challenges concerning mobility

  • The need to redefine physical security; the solution must come from the user and not from the device? 

  • Mobile publishing, which is most instantaneous, and therefore does not provide the user with ample time for reflection of his/her actions 

  • Increased user and manufacturer’s awareness regarding the capabilities of the mobile devices 

The questions and issues raised in this workshop will be dealt with in WP11 and other Workpackages where mobile technologies such as RFID are analysed and discussed.  

Dark Areas / Things We Do Not Know 

  • How to balance privacy and services’ costs? How to protect and enhance privacy, while providing ease of use and minimum disruption to the user? 

  • How to securely and efficiently service “alien devices”?

  • How to achieve trust and standardisation, especially in highly heterogeneous and mobile environments? And if there are solutions towards this direction, are they only or basically technical? 

  • The implications of converging mobile and fixed technologies that may cater for mobile user requirements. 

List of participants 

FIDIS Members: 

  • Martin Meints, ICPP 

  • Christian Krause, ICPP 

  • Denis Royer, JWG 

  • Svetla Nikova, KULeuven 

  • Eleni Kosta, KULeuven 

  • Thierry Nabeth, INSEAD 

  • Ammar Alkassar, Sirrix 

  • Silvia Elaluf-Calderwood, LSE 

  • Bernhard Anrig, VIP 

  • Andreas Westfeld, Technische Universität Dresden 

  • Joris Claessens, MS 

IPTS people: 

  • Ioannis Maghiros, IPTS 

  • Pawel Rotter, IPTS 

  • Carlos Rodríguez, IPTS 

  • Barbara Daskala, IPTS 

  • Sabine Delaitre, IPTS 

 

Other participant: 

Invited speakers: 

  • Antonio Maña, University of Malaga, Spain  

  • Diego Lopez, RedIRIS, Spain 

 

 

Denis Royer 5 / 7