A workshop of the High Level Group of Scientific Advisors of the European Commission’s Scientific Advice Mechanism (SAM)

25-26 October 2016Lithuanian Academy of Sciences Vilnius, Lithuania

PROGRAMME

Research & Innovation

Secure Digital Identities for the Digital Single Market

in Europe

Cybersecurity Workshop

Cybersecurity Workshop Secure digital identities for the Digital Single Market in Europe

A workshop of the High Level Group (HLG) of Scientific Advisors of the European Commission’s Scientific Advice Mechanism (SAM)

25 -26 October 2016 Lithuanian Academy of Sciences, Vilnius, Lithuania

1

DAY ONE – TUESDAY 25 OCTOBER 2016

9:00> 9:30

RegistrationWelcome coffee

1st floor foyer

9:30> 10:30

Opening sessionWelcome Mr Artūras Paulauskas, Head of the Seimas (Parliament of the Republic of Lithuania) Committee on National Security and Defence

Prof. Valdemaras Razumas, President of the Lithuanian Academy of Sciences

Presentation of the European Commission’s Scientific Advice MechanismJohannes Klumpers, Head of Unit SAM, DG RTD, European Commission

Presentation of the topic and structure of the workshopRolf-Dieter Heuer, SAM HLG, Workshop chair

Keynote speechNicolas Arpagian, Orange Cyberdefense ‘Digital identity : an asset for citizens, a target for criminals’

1st floor Great conference hall

10:30> 13:00

Session 1: Understanding digital identity 1st floor Great conference hall through a multidisciplinary approach

This session will explore the question ‘What do we really mean by digital identities’ and why it is not only a question of technology, but one that draws on different disciplines. How can we build an understanding that takes into account the various definitions and uses of digital identities? Such identities generally concern a business entity, a person or an object and are delivered by governments or by the private sector. What can we know about the place of digital identities in citizen’s lives, in the economy, politics and society?

Co-chairsPearl Dykstra, SAM HLGJanusz Bujnicki, SAM HLG

Presentations Liesbet van Zoonen, Erasmus University Rotterdam‘Contradictions between offline and online identity’Ahto Buldas, Tallinn University of Technology ‘Requirements for digital identities vs current practice’

Plenary discussion moderated byPam Briggs, University of NorthumbriaMichael Waidner, Darmstadt University and Fraunhofer Institute for Secure Information Technology

MONDAY 24 OCTOBER 2016

19:00> 21:30

Open buffet dinner Novotel Vilnius Centre

Programme

2

13h00> 14h00

Lunch

14h00> 16h30

Session 2: The Strengths, 1st floor Great conference hall Weaknesses, Opportunities and Threats (SWOT) of Digital Identities

The session will provide a SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis of digital identities. As the basic means to access digital services, the secure use of digital identities has an economic impact but can also have an effect on security, on the protection of privacy, and overall on the enforcement of fundamental rights and trust in the digital world. On the other hand we need to find the evidence of the weaknesses of digital identities and the real threats for citizens, businesses and societies. Given their prominent role, digital identities are prone to, or source of, several threats, such as identity theft or citizen or consumer tracking and profiling, and therefore directly linked with risks to cybersecurity.

Co-chairsRolf-Dieter Heuer, SAM HLGCédric Villani, SAM HLG

Presentations John Mc Canny, Queen’s University Belfast‘Progress and Research in Cybersecurity: Supporting resilience, trust and digital identities’Dennis Broeders, Erasmus University Rotterdam and Netherlands Scientific Council for Government Policy ‘Opportunities, threats and issues in on line identity management’

Plenary discussion moderated byJosep Domingo-Ferrer, Universitat Rovira i VirgiliCarsten Maple, University of Warwick

16h30> 17h00

Coffee break 1st floor Foyer

17h00> 17h30

Wrap-up day one Members of the SAM HLG

1st floor Great conference hall

19h00> 22h00

Evening Reception - social event

Palace of the Grand Dukes of Lithuania

3

DAY TWO – WEDNESDAY 26 OCTOBER 2016

09:30> 13:00

Session 3: Privacy and security1st floor Great conference hall

The session will discuss the privacy side of cybersecurity; effective cybersecurity measures can help protect privacy in the digital world. On the web, people often entrust critical personal information to service providers. What happens to this data? The session will cover the potential tensions and synergies between privacy protection, national security and business interests. The discussion will also cover the role of standards for improving privacy and security online.

Co-chairsPearl Dykstra, SAM HLGJanusz Bujnicki, SAM HLG

Presentation Marit Hansen, Data Protection Commissioner of Land Schleswig-Holstein‘Cybersecurity & the Information Society - serving & protecting citizens/users, companies and organisations at scale’

Discussion moderated byJan Camenisch, IBM Research Centre Zurich Erol Gelenbe, Imperial College London

Session 4: Security and trust1st floor Small conference hall

Trust is fundamental for social cooperation and economic growth. But trust will be depleted if the security of the cyber space is weak – or perceived as weak by the users –turning people away from new technologies, or limiting their role. How Europe responds to cybersecurity can therefore be a critical factor to enable social-economic transformations of a digital age. The session will notably investigate how trust in the digital world can be improved, notably regarding the use and protection of digital identities. The economic value of trust for the European economy will also be addressed.

Co-chairsRolf-Dieter Heuer, SAM HLGCédric Villani, SAM HLG

Presentation Frederic Jacobs, I am the Cavalry and Spin Research‘Building trust in digital identities’

Discussion moderated byBart Preneel, Katholieke Universiteit LeuvenAdi Shamir, Weizmann Institute

13:00> 14:00

Lunch 1st floor foyer

14:00> 16:00

Session 5: Conclusions

Report back session 3Pearl Dykstra, SAM HLGJanusz Bujnicki, SAM HLG

Report back session 4Rolf-Dieter Heuer, SAM HLGCédric Villani, SAM HLG

Wrap-up workshop Members of the SAM HLG

1st floor Great Conference hall

16:00 End of the workshop

4

Table of contents

1. Introduction 6

2. Background 6

3. Objectives 6

4. Workshop Format 7

5. Preparing For Your Contribution 7

6. Description of the Sessions 8

Information Note for the Chairs, Moderators, Speakers and Participants

5

1. Introduction

Welcome to the Workshop “Secure digital identities for the Digital Single Market in Europe”. This two-day event will take place in Vilnius, Lithuania, on Tuesday 25 and Wednesday 26 October 2016. It is organised by the High Level Group (HLG) of Scientific Advisors of the European Commission’s Scientific Advice Mechanism (SAM).

This document aims at providing the necessary information and guidelines for participants in order to prepare their contributions to the workshop discussions.

2. Background

On request of the European Commission’s Vice-President Andrus Ansip and Commissioner Guenther Oettinger early this year, cybersecurity is one of the first areas taken up by the SAM HLG (see the scoping paper). The SAM HLG will provide scientific advice with a view to inform European policies for the next years. Secure digital identities are a cornerstone for a secure digital market. In view of the preparation of its scientific advice, as outlined in the corresponding scoping paper, the HLG is holding a dedicated workshop on secure digital identities with invited top-level participants from the research communities and society. The discussions and insights from the workshop are expected to feed into the scientific advice of the HLG to the Commission that is foreseen for early 2017.

The Digital Single Market, one of the key priorities of the European Union, aims to make Europe a world leader in information and communication technology, with all the tools to succeed in the global digital economy and society. This means making much better use of the opportunities offered by digital technologies which have no borders. In particular, according to the Digital Single Market Strategy, a Digital Single Market is one in which the “free movement of persons, services and capital is ensured and individuals and businesses can seamlessly access and exercise online activities, under conditions of fair competition, and with a high level of consumer and personal data protection, irrespective of nationality or place of residence”.

The Digital Single Market requires reliable, trustworthy, high-speed, affordable networks and services that safeguard fundamental rights to privacy and personal data protection while also encouraging innovation. There is therefore the need to reinforce trust and security in digital services and in the handling of personal data.

Cyber threats are a borderless problem, which can affect businesses in any sector, harm citizens’ rights and put into question peoples’ trust on the internet. A growing number of offences (data interception, online payment fraud, identity theft, and trade secrets theft) have led to significant economic losses in the last years. The EU adopted its Cybersecurity Strategy in February 2013 and subsequently launched various initiatives to address these threats (e.g. data interception, online…).

The more we move into the future, full of possibilities for innovation, creativity and new forms of social collaboration opened by digital technologies and the internet, cybersecurity acquires a central importance. The security and management of our digital identities are therefore becoming paramount to our economic and social wellbeing within a global digitally connected world.

3. Objectives

The workshop aims to provide an interactive platform to gather evidence and initiate discussions that will contribute to the SAM HLG’s opinion to the European Commission on cybersecurity.

A multidisciplinary approach with top scientific experts from the domains of information technology and security, as well as from the social sciences and humanities, and from law will contribute to gathering the scientific evidence. In addition, the workshop aims to cast new light on the current and future challenges and opportunities of a fast changing world as viewed by different groups of stakeholders, notably businesses, including leaders in different sectors, citizens, consumers and public administrations.

The workshop will mainly address the following four topics: 1. Understanding digital identities through a multidisciplinary approach2. The Strengths, Weaknesses, Opportunities and Threats (SWOT analysis) of digital identities3. Privacy and security4. Security and trust in the digital world

6

4. Workshop Format

The discussions will be structured as follows:• Opening session including a keynote presentation to set the scene• 2 plenary sessions focusing on digital identities (addressing topics 1 and 2) • 2 parallel sessions to discuss privacy, security and trust (addressing topics 3 and 4)• Introductory presentations in each session • Reporting back to the plenary from parallel sessions and discussions• Wrap-up session and conclusionsThe chair of the workshop is Prof. Rolf-Dieter Heuer, member of the SAM HLG. Each session will be co-chaired by two SAM HLG members; more information on the sessions in section 6.

The audience is expected to number up to one hundred participants, ranging from academics in digital technologies to social sciences and law, government officials, civil society and business professionals. Please note that all presentations, workshop documents and list of participants will be made public. However, to encourage openness and the sharing of information, the Chatam House rules will be applied for the preparation of the workshop outcome document (i.e. no recording will take place, no verbatim notes will be done, no names will be mentioned, only topics and conclusions will appear).

All co-chairs, speakers and moderators of a session are encouraged to co-ordinate with each other before the conference. The conference language is English and there will be no translation provided.

5. Preparing For Your ContributionChair of the Workshop

The tasks of the chair of the workshop will consist of the following:• Welcome the participants• Chair the opening session on the first day and ensure that the time schedule is met• Give a short general presentation on the topic, goals and structure of the workshop• Introduce the keynote speaker• Prepare and present the wrap-up of day 1 • Prepare and present the conclusions of the workshop on the last day

Session Chairs

The tasks of the session chairs will consist of the following:• Introduce the session, the moderators and speakers• Invite the speaker to give her/his presentation (15 minutes maximum in sessions 1 and 2; 20 minutes maximum

in sessions 3 and 4)• Invite a reaction from the moderators (up to 5 min each)• Collaborate with the session moderators in summarising the outcome of the session• For parallel sessions: extract and present the main points from the discussions to the plenary• Assist the chair of the workshop to prepare the conclusions of the workshop and the wrap-up of day 1

Session Moderators

Given the length of the sessions and the diversity of topics addressed, there will be 2 co-moderators per session.

You are asked to:• Introduce the objectives, outline and questions of the session.• Give your reaction to the presentation(s) (5 min maximum).• Open the floor for discussions after the presentations and your statement; keep the discussions focused to ensure

that the time schedule is met• Ensure all identified questions (see section 6) are addressed• Act alternatively as rapporteur/moderator of your session • As rapporteur, collate comments and conclusions made during the session• Collaborate with the session co-chairs in summarising the outcome of the session• Assist the chair of the workshop to prepare the conclusions of the workshop

7

SpeakersPlease keep in mind the following points:

• In sessions 1 & 2, the presentations should not exceed 15 minutes. While in sessions 3 & 4, the presentations should not exceed 20 minutes.

• Provide statements towards which people can react.

ParticipantsYou are invited to:• Act in your own capacity; actively participate in the sessions and their discussions. • Prepare for contributing to the debate based on the session descriptions and questions hereafter (section 6).• While sessions 1 and 2 take place in plenary, sessions 3 and 4 will take place in parallel. Thus for sessions 3 and

4, all participants will be split up into two groups. In order to ensure balanced expertise per group, we have assigned each participant to a specific group. The draft group composition will be sent to you prior to the workshop; prior to day 2, changes are possible in agreement with the secretariat.. Participants will have the opportunity to exchange their views on the session they did not attend during the reporting at the plenary (session 5).

6. Description of the Sessions

Session 1: Understanding digital identities through a multidisciplinary approach

This session will explore the question “what do we really mean by digital identities” and why it is not only a question of technology, but one that draws on different disciplines. How can we build an understanding that takes into account the various definitions and uses of digital identities. Digital Identities are key enablers for the development of the EU Digital Single Market because they provide a bridge between the virtual and real worlds. They are essentially a way to ensure access to digital services provided by governments, private companies or a research institutes, for instance. The security of digital identities is therefore key for ensuring secure digital services. Such identities generally concern a business entity, a person or an object and are delivered by governments or by the private sector. Moreover, people can also “construct” their own digital identities on social media, for instance. Digital identities represent what we say we are when we are online. Overall, people can have different digital identities depending on the context and the purposes. What can we know about the place of digital identities in citizen’s lives, in the economy, polity and society?

The session will address questions such as: 1. How are digital identities defined (e.g. of persons but also objects, in the Internet of Things)? How are different

contexts and purposes affecting the meaning(s) and sensitivities of digital identities (e.g. digital identities as citizens, which are secured by governments and as consumers, secured by the private sector)?

2. How are digital identities used by different groups and communities (including businesses, governments, researchers and citizens)?

3. What are the relevant experiences and lessons learnt by different actors including at regional, Member State and international level (e-government, industry, citizens)? [ for example, what do we learn from the Estonian experiment]

4. How can the use of digital identities support cybersecurity?5. Can a robust multidisciplinary approach be taken forward to support sound cyber risk management and a

science of cybersecurity?6. What is the risk of isolated approaches developed in different sectors to deal with their specific needs? What

kind of cyber security solutions could be implementable across sectors, to prevent fragmentation, lack of interoperability and increased vulnerability?

Co-chairsPearl Dykstra, SAM HLGJanusz Bujnicki, SAM HLG

SpeakersLiesbet van Zoonen, Erasmus University RotterdamAhto Buldas, Tallinn University of Technology

Discussion moderated byPam Briggs, University of NorthumbriaMichael Waidner, Darmstadt Technical University and Fraunhofer Institute for Secure Information Technology

8

Session 2: The Strengths, Weaknesses, Opportunities and Threats (SWOT) of digital identities

The session will provide a SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis of digital identities. As the basic means to access digital services, the secure use of digital identities has an economic impact but can also have an effect on security, on the protection of privacy, and overall on the enforcement of fundamental rights and trust in the digital world. On the other hand we need to find the evidence of the weaknesses of digital identities and the real threats for citizens, businesses and societies. Given their prominent role, digital identities are prone to, or source of, several threats, such as identity theft or citizen or consumer tracking and profiling, and therefore directly linked with risks to cybersecurity.

The session will address questions such as: 1. What is the potential of digital identities (e.g. bridges between the digital and physical world, necessary

means to access digital services, ways to enforce the respect of digital rights) for different sectors (e.g. business, governments)?

2. How can the economic opportunities/ value be assessed? 3. What are the threats linked to the use of digital identities and what are those linked to their content (identity

theft, hacking …)? 4. Are citizens’ data secure in current used systems under (new) threats? What is the evidence ? 5. Are new approaches needed to collect and assess the evidence for analysis and informed policy-making?

Co-chairsRolf-Dieter Heuer, SAM HLGCédric Villani, SAM HLG

SpeakersJohn Mc Canny, Queen’s University BelfastDennis Broeders, Erasmus University Rotterdam

Discussion moderated byJosep Domingo-Ferrer, Universitat Rovira i VirgiliCarsten Maple, University of Warwick

Session 3: Privacy and security

The session will discuss the privacy side of cybersecurity; effective cybersecurity measures can help protect privacy in the digital world. On the web, people often entrust critical personal information to service providers, such as their names, addresses, ages, locations and credit card number. What happens to this data? Given the increasing cases of data breaches, concern is growing among the internet users. As a result, some service providers now offer end-to-end encryption for online communication. At the same time, accessing some of this data may be necessary for ensuring national security. In addition, the business model of some private companies relies on collecting and analysing such data. Therefore there could be some tensions between privacy protection, national security and business interests. The discussion will also cover the role of standards for improving privacy and security online.

The session will address questions such as: 1. What are the most prominent current and future methods for protecting privacy and improving security? Are

these solutions cost-effective?2. Are existing approaches effective for protecting citizens? What is the scientific evidence? What are the

implications?3. How to create synergies between privacy and national security (for example, use of back doors), and between

privacy and business interests? How to reconcile sometimes divergent requirements?4. How to assess the security of different architectures for digital identity management (e.g. distributed ledgers,

federated identity management, single digital identity and framework of interoperable identities)? What is the experience of federated identity management in research collaboration?

5. How can standards and certification contribute to protecting privacy and improving security?

9

Session 3: Privacy and security

Co-chairsPearl Dykstra, SAM HLGJanusz Bujnicki, SAM HLG

SpeakerPeter Dickman, Google Brussels office

Discussion moderated byJan Camenisch, IBM research centre Zurich Erol Gelenbe, Imperial College London

Session 4: Security and trust

Trust is fundamental for social cooperation and economic growth. But trust will be depleted if the security of the cyber space is weak – or perceived as weak by the users –turning people away from new technologies, or limiting their role. How Europe responds to cybersecurity can therefore be a critical factor to enable social-economic transformations of a digital age. The session will notably investigate how trust in the digital world can be improved, notably regarding the use and protection of digital identities. The economic value of trust for the European economy will also be addressed.

The session will address questions such as: 1. What determines citizens’ trust in governments, and in the private sector in a digital world? How widespread

is (dis)trust in a single or multiple digital identities in Europe? 2. What technologies create and sustain trust in the digital world, and are currently applied or emerging? 3. How will future innovative technologies affect the current state of the art in cybersecurity research and

application of solutions? 4. What is the economic value (e.g. competitive advantage of EU companies, innovation etc.) of trust in the

digital world for the European economy? 5. Is open source a solution? 6. Can we trust our digital devices?

Co-chairsRolf-Dieter Heuer, SAM HLGCédric Villani, SAM HLG

Speaker Frederic Jacobs, I am the Cavalry and Spin Research

Discussion moderated byBart Preneel, Katholieke Universiteit LeuvenAdi Shamir, Weizmann Institute

10

11

Notes

12