Difference between revisions of "Completed study periods and pwis"

From IPEN Wiki
Jump to navigation Jump to search
Line 762: Line 762:
|}
|}
</div>
</div>
=== <span style="font-size:medium;">PWI 6089 Impact of Artificial Intelligence on Security and Privacy (Started in September 2020, Completed in October 2022)</span> ===
<div style="font-variant-numeric: normal; font-variant-east-asian: normal; background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;"><div style="background-color: transparent; cursor: text; line-height: 20.8px; margin: 0px;">
{| cellpadding="1" cellspacing="1" border="1" style="line-height: 20.8px; width: 900px;"
|-
| Leaders
|
'''Phase 1 (completed):''' Antonio Kung,&nbsp;<span style="background-color: transparent;">Srinivas Poosarla,&nbsp;</span><span style="background-color: transparent;">Peter Dickman,&nbsp;Gurshabad Grover, Peter Deussen, Heung Your Youm,&nbsp;</span>Zhao Yunwei, Volker Smoljko
'''Phase 2 (on-going):''' Antonio Kung, Lenora Zimmerman
|-
| Objective
|
'''Phase 1 (completed): '''The PWI has the objective to investigate the possibility to propose one or several documents
*Part 1: a TR providing
**guidance on how to assess the impact of security and privacy of AI use cases,
**providing a security and privacy analysis of the use cases in ISO/IEC TR 24030 (AI use cases)
*Part 2: a TS providing
**an overview of privacy concerns for AI,
**guidance concerning AI-based systems
**additional recommendations concerning standards where appropriate
*Part 3: a TS providing
**an overview of security concerns for AI,
**guidance concerning AI-based systems
**additional recommendations concerning standards where appropriate
The following work will be carried out in the PWI:
*extend the content of the study period report with the following
**analysis of TR 24030 use cases from a security viewpoint,
**identification of standards for which specific recommendations concerning AI would be useful,
**identification of AI standards for which specific recommendations concerning security and privacy would be useful;
**identification of specific security controls; and
**whatever contributions that matches the intended content of part 1, part 2, and part 3.
*transform the report into a set of three documents that can be submitted as draft TR and TS;
*make a recommendation on the way to proceed concerning the three documents;
'''Phase 2 (on-going):&nbsp;'''Guidance on addressing privacy protection for artificial intelligence systems
*Currently discussed scope:&nbsp;
This document provides guidance for organizations to identify and address privacy concerns in the development and use of artificial intelligence systems. The guidance in this document aims to provide information to organizations to help them better understand and address the impact of AI systems and Machine Learning techniques on individual privacy and society at-large. This document also addresses ways in which societal and regulatory expectations influence how AI systems and Machine Learning is and is not used.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that develop or use AI systems.
|-
|
Documentation
|
1st PWI report was published in April 2021.
2nd PWI report was published in October 2021
|-
| Comments
|
Is the continuation of the [https://ipen.trialog.com/wiki/Completed_study_periods_and_pwis#Impact_of_Artificial_Intelligence_on_Privacy_.28Started_in_October_2018.2C_Completed_in_September_2020.29 study period] that concluded in September 2020
Further to the completion of phase 1, part 1 is registered as a TR (ISO/IEC 27653; Impact of security and privacy in AI use cases), part 2 is still-on going. Note that part 3 has been transferred to another PWI 7699 (Guidance for addressing security threats and failures in artificial<br/>intelligence)
Further to March 2022 meeting, PWI is working on making a new work item proposal on Guidance for privacy protection in AI systems
Further to October 2022 meeting, a ballot has been initiative for ISO/IEC 27091 Cybersecurity and data protection - Artificial intelligence - Privacy Protection
|}
</div></div>

Revision as of 14:53, 26 December 2022

Privacy engineering framework (Started in April 2015. Completed in April 2016)

Leaders Antonio Kung, Matthias Reinis
Objective Study the concept of privacy engineering and see whether new work items are needed
Documentation Slides presenting motivation for study period by Antonio Kung: http://ipen.trialog.com/wiki/File:PRIPARE_Proposal_Study_Period_Privacy_Engineering_Framework_2.pdf
Timeline

Privacy-Preserving Attribute-based Entity Authentication (Started in October 2015. Completed in April 2016)

Leader Pascal Pailler, Nat Sakimura, Jaz Hoon Nah
Objective
Documentation
Comments
  • Initiated in Jaipur (Oct 2015)
  • Replaces SP privacy-respecting identity management scheme using attribute-based credentials (outcome of the ABC4trust FP7 project: https://abc4trust.eu,, initiated in April 2014 in Hong Kong), with an extended scope
  • Completed.
  • Followed by new project : ISO/IEC 27551: Requirements for attribute-based unlinkable entity authentication (see above)

Editorial inconsistencies to 29100 (Started in April 2016. Completed in October 2016)

Leaders Nat Sakimura, Mathias Reinis, Elaine Newton
Objective

Collecting errors and correcting inconsistencies

Documentation
Comments
  • Completed, has led to a draft amendment (with limited scope)

Guidelines for privacy in Internet of Things (IoT) (Started in April 2016. Completed in April 2017)

Leaders Heung Youl Youm, Srinivas Poorsala, Antonio Kung
Objective
  • assess the viability of producing guidelines for Privacy in IoT within WG5;
  • to potentially provide (a) New Work Item Proposal(s) and/or input material for existing relevant projects as a recommendation to the Working Groups 5 depending on the outcome of this assessmen

Documentation


Comments

Initiated in Tampa (April 2016)

Initial contribution in Abu Dhabi (October 2016)

Conclusions in Hamilton (April 2017) led to the merging with Guidelines fot security in IoT (WG4). See new study period below on security and privacy for Internet of things.

Discussion also led to a new study period "Framework of user-centric PII handling based on privacy preference management by users"


Guidelines for security and privacy for Internet of Things (IoT) (Completed in November 2017)

Start/Duration April 2017/6 months)
Leaders Eric Hibbard, Faud Khan, Tyson Macaulay, Srinivas Poorsala
Objective prepare the materials necessary to initiate an International Standard
coming out of the SC 27 meeting in Berlin (Oct-2017)

Documentation


Comments

Is an SC27/WG4 study periods involving WG4 and WG5.

Study period is completed and new work item has been proposed (https://ipen.trialog.com/wiki/ISO#New_Work_Item_Proposal_Security_and_Privacy_for_the_Internet_of_Things).

Kickoff expected in Wuhan in WG4

PII Protection considerations for smartphone app providers (Started in October 2015. Completed in April 2017)

Leader Rahul Sharma, Natarajan Swaminathan, Johan Eksteen, Sai Pradeep Chilukuri
Objective

Study mobile application ecosystems from a privacy viewpoint

Collect views of multiple stakeholders in the mobile applications space

Collect mobile apps privacy guidelines issued by various agencies

Collate a report on the findings

Potentially provide a new work item proposal

Documentation
Comments

Initiated in Jaipur (October 2015)

Privacy in smart cities (Started in October 2015. Completed in November 2017)

Leaders Antonio Kung, Sanjeev Chhabra, Udbhav Tiwari
Objective

Connect with multiple stakeholders in the smart city space

Refer the existing work on smart cities

Collate information, feedback, inputs from the stakeholders and draft the guidelines

Potentially provide (a) new work item proposal(s) that can translate in guidelines

Documentation
Comments

Initiated in Jaipur (October 2015)

Liaison to be established with ISO/IEC JTC1/SG1 (Smart cities) 

Presentation in Tampa (April 2016) of intermediate state

Presentation in Abu Dhabi (October 2016) of intermediate state

Presentation in Hamilton (April 2017) of intermediate state

Proposal for new work item in Berlin (Nov 2017)

Code of practice solution for different types of PII (Started in October 2016, Completed in April 2017)

Leaders Mathias Reinis, Heung Youl Youm
Objective

Study ISO/IEC FDIS 29151 and ISO/IEC IS 27018 with the objective to find a solution that is applicable for different types of PII processors, especially compatible with the needs of a SME

Documentation


Comments

Terminated due to lack of contributions

Requirements and outline for ISO/IEC 29115 revision (Started in April 2017. Completed in April 2018)

Leaders David Temoshok replacing Sal Francomacaro, Thomas Lenz, Patrick Curry, Andrew Hugues, Heung Youl Youm
Objective

Documentation


Comments

Has resulted in a NWIP

Application of ISO 31000 for identify-related risk (Started in April 2017. Completed in April 2018)

Leaders Christophe Stenuit, Joanne Knight
Objective Gather information in order to determine the viability of creating a standard providing guidance on the application of ISO 31000:2009 to assess identity-related risks

Documentation


Comments
New work item proposal

Concept of PII Deletion (Started in November 2017. Completed in April 2018)

Leaders Volker Hammer, Srinivas Poosarla, Eduard de Jong, Alan Shipman
Objective Study the potential internationalisation of national standard DIN 66398 "Guideline for development of a concept for data deletion with derivation of deletion periods for personal identifiable information"

Documentation


Comments


Development of Identify standards landscape standing document (Started in  April 2018, Completed in October 2018)

Leaders Joanne Knight, Julien Bringer, Salvatore Francomacaro, Heung Youl Youm,
Objective

 Create an initial draft of a new SD that would provide:

  • The scope of the identity standards landscape
  •  Introductory content identifying the role of each existing and emerging standard within the landscape, as well as its relationship to the other landscape standards. To serve as an overarching guide to users of identity-related standards
  • A process (flow chart) for the analysis of the creation or revision of identity standards, to guide alignment
  •  A register of alignment issues that have been accepted as needing to be resolve
  • Develop a proposal for the process of maintaining the standing document that includes:

Documentation


Comments


Identify assurance framework (Started in April 2017. Completed in October 2018)

Leaders Patrick Curry, Anthony Nadalin
Objective analyze the outcomes of ISO/IEC 29003 and related matters, then to determine the possible next steps towards developing an International Standard (or other mechanisms) for an Identity Assurance Framework.

Documentation


Comments


Framework of user-centric PII handling based on privacy preference management by users (Started in April 2017, Completed in October 2018)

Start/duration

April 2017 / 18 months

Leaders Shinzaku Kiyomoto, Antonio Kung, Heung Youl Youm
Objective define frameworks of user-centric PII handling based on privacy preferences of users

Documentation


Comments

Triggered by an initiative from ITU-T for such a framework applied to the IoT. See https://ipen.trialog.com/wiki/ITU_Activities#X.iotsec-3:.C2.A0Technical_framework_of_PII_.28Personally_Identifiable_Information.29_handling_system_in_IoT_environment

In Berlin (November 2017),  it was decided to consider 3 options

  • extension of 29101
  • definition of a generic model
  • defintion of specific models

In Wuhan (May 2018), it was decided to prepare a NWIP

In Gjovik (October 2018), the NWIP was finalised

Additional Privacy-Enhancing Data De-identification standards (Started in April 2018. Completed in October 2019)

Leaders Malcom Townsend, Heung Youl Youm
Scope

This Study Period aims to analyze the challenges and risks associated with the implementation of data de-identification techniques described in ISO 20889, and provide a strategy and structured approach to the potential development of additional standards covering such potential topics such as requirements, risk analysis, codes of practice and so on.

Documentation


Comments


Identity Standards Landscape Document Update (Started in October 2018. Completed in October 2019)

Leaders

Andrew Hughes, Christophe Stenuit, Kai Rannenberg


Objective

Solicit additional content for the draft Standing Document; solicit comments on the current content and structure of the draft Standing Document; discuss and make a disposition of comments; and to update the Standing Document

Documentation


Comments



Consent receipts and records (Started in April 2019, completed in October 2019)

Leaders Collin Wallis, Andrew Hughes
Objective

The scope of this study period is to assess the need for a Consent Receipt and Record standard used to support transparency and accountability practices related to an individual's consent to PII processing

Documentation


Comments


Review of requirements for accredited certification for sector specific ISMS standards (Started in April 2019. Completed in October 2019)

Leaders Hans Hedbom, Alan Shipman
Objective

The scope of this study period is to review possible approaches to establishing the foundation for accredited certification for sector-specific standards. The concrete instantiation for this is ISO/IEC 27552, which is expected to be published soon.

Comments


Privacy consideration in practical workflows (Started in April 2018, completed in April 2020)

Leaders Mickey Cohen
Objective

The scope of this study period is to collect contributions:

(1) On workflows describing use-cases where the combination of privacy, security (including exposure period), identification quality and practical implementation need to be viewed as a whole

(2) For a merit function(s) combining the subjects into a qualitative evaluation of the privacy

Documentation


Comments



Use case for identity assurance (Started in October 2018, Completed in September 2020)

Leaders

Andrew Hughes, Tony Nadalin, Patrick Curry


Objective

To compile a set of business use cases that require identity assurance, which can be analysed to produce functional requirements for identity assurance.  These functional requirements can inform the review of TS 29003 and the contents of a potential Identity Assurance Framework International Standard, and also inform the evolution of ISO/IEC 29115

Documentation


Comments


Impact of Artificial Intelligence on Privacy (Started in October 2018, Completed in September 2020)

Leaders

Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei

Objective

Establish a 12-month study period starting in October 2018 to review the emerging field of AI and assess its potential impact on privacy, and task the rapporteurs of the Study Period

  • to review the new generation of AI-based systems (autonomous systems) and identify their impact on privacy,
  • to review the new threats to privacy which AI can create,
  • to review how AI can be used by deploying improved privacy controls, and
  • to provide recommendations for standardization work.

Is extended for 6 months to study TR 24030 AI use cases and to check the impact of AI on ISO/IEC 27701

Is further extended 6 months to study the integration of security

Documentation

In addition to specific contributions made by SC27 experts, the Intermediate report uses the following references:

IEEE Ethically Aligned AI

https://standards.ieee.org/industry-connections/ec/autonomous-systems.html https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/other/ead_v2.pdf

Ethics guidelines for trustworthy AI
https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=57112
Privacy Commissioners declaration 
https://icdppc.org/wp-content/uploads/2018/10/20180922_ICDPPC-40th_AI-Declaration_ADOPTED.pdf
AI as a Disruptive Opportunity and Challenge for Security
https://docbox.etsi.org/Workshop/2018/201806_ETSISECURITYWEEK/IoTSecurity/S03_TRANSFORMATION/TRIALOG_KUNG.pdf
The impact of AI on life cycle processes
https://www.itu.int/en/ITU-T/Workshops-and-Seminars/20190121/Documents/2_%20Antonio%20Kung_v2.pdf
Asilomar principles https://futureoflife.org/ai-principles
Malicious AI report https://img1.wsimg.com/blobby/go/3d82daa4-97fe-4096-9c6b-376b92c619de/downloads/1c6q2kc4v_50335.pdf&nbsp;
Privacy and Freedom of Expression In the Age of Artificial Intelligence 
https://privacyinternational.org/report/1752/privacy-and-freedom-expression-age-artificial-intelligence
UK House of Lords Select Committee on AI: AI in the UK: ready, willing and able?

https://publications.parliament.uk/pa/ld201719/ldselect/ldai/100/100.pdf

Australian Human Rights Commission report on Human Rights and Technology
https://tech.humanrights.gov.au/sites/default/files/2019-02/AHRC_WEF_AI_WhitePaper2019.pdf
Comments

Expected to have a strong collaboration with JTC1/SC42 Artificial Intelligence

An intermediate report was provided in Tel-Aviv (April 2019).

A second report was provided in Paris (October 2019)

A third report was provided in the virtual meeting (April 2020) including the study of SC42 ISO/IEC 24030 on AI use cases and the study of ISO/IEC 27701

A fourth report was provide in the virtual meeting (Sep 2020) including a contribution to TC215 on security and privacy in eHealth. A preliminary work item is started

Privacy engineering model (Started in April 2019, Completed in September 2020)

Leaders John Sabo, Antonio Kung, Srinivas Poorsala
Objective Study period to evaluate the development of a privacy engineering model intended to support privacy engineers, privacy architects and other practitioners as a bridge between ISO/IEC SC27 and other data privacy management standards and the technical and business process services and functionality needed to integrate data privacy control requirements in operational processes, systems and their ecosystems
Documentation


Comments

As a result of this study period, a NWIP - Privacy operationalisation model and method for engineering has been established

Guidance on processes of a privacy information management system (Started in October 2019, Completed in September 2020))

Leaders

Michael Steiner, Alan Shipman

Objective

Determine if SC 27 needs a standard for “Guidance on processes of a privacy information management system” as part of the ISO /IEC 27000-family.

Consider the following:

  1. ISO/IEC 27001 and ISO/IEC 27003
  2. ISO/IEC 27701 (a.k.a. DIS 27552)
  3. ISO Handbook “The integrated use of management system standards”
  4. ISO/IEC 33004
  5. 2nd WD of ISO/IEC 27022
Documentation


Comments



Privacy for Fintech services (Started in October 2019, completed in September 2020)

Leaders

Heung Youl Youm, Gurshabad Grover, Janssen Esguerra

Objective

Objectives

  • Apply privacy principles described in ISO/IEC 29100:2011
  • Study use cases, applications, devices and underlying infrastructure related to providing Fintech services
  • Consider privacy risks related to providing Fintech services
  • Consider regulatory requirements that impact privacy of customers
  • Consider all kinds of stakeholders: regulators, financial institutions, customers, product suppliers, application and service providers
  • Study the necessity for guidelines on privacy where it could be used by relevant stakeholders to mitigate risks identified in the privacy risks assessment

Protection of privacy of customers is a concern as a huge amount of PII is collected, transmitted, shared, used and analyzed at every instance in the interconnected Fintech services.

Documentation


Comments


PWI 7748 Guidance and practices for privacy preservation based on zero-knowledge proofs (Started in April 2021, completed in October 2021)

Leaders

Bingsheng Zhang, Patrick Curry, Srinivas Poosarla 

Objective

This work item is to provide guidance and best practices for privacy preservation based on zeroknowledge proofs, taking into account normative references and comparing specifically with ISO/IEC 27551, 27556 and 29191. It intends to cover the usage of zero-knowledge proof protocols for privacy preservation and PII protection in a wide range of data processing applications. It takes into account using zero knowledge proof based privacy-preserving verification system architectures, data process flows and module interfaces.

Documentation


Comments

Completed, transformed into a NWIP 27565

PWI 5181 Information technology - Security and privacy - Data provenance (Started in September 2020, Completed in October 2022)

Leaders

Ryan Ko, Jan de Meer, Yi Zhang

Proposed Scope

This document provides guidelines, methodology and techniques for deriving securely information called meta-data, from sources, intermediaries and users creating, manipulating, and transforming data.

The meta-data derived from data creations and transformations serves for earning trust in entities and stakeholders during the whole lifecycle of data use and data manipulations. By referring to provenance meta-data an information respectively a decision base is provided to processes or, to individuals. Provenance meta-data of data records can also be applied from both, processes, or individuals when they have to decide which one of their data, they want to make voluntarily available to the public as a common good and which one not.

Documentation


Comments

Is a WG4 project

1st report Nov 2020

2nd report March 2021

3rd report May 2021

4th report Oct 2021

5th report Feb 2022

6th report April 2021

7th report July 2022

Draft for proposed new project September 2022

PWI 6089 Impact of Artificial Intelligence on Security and Privacy (Started in September 2020, Completed in October 2022)

Leaders

Phase 1 (completed): Antonio Kung, Srinivas Poosarla, Peter Dickman, Gurshabad Grover, Peter Deussen, Heung Your Youm, Zhao Yunwei, Volker Smoljko

Phase 2 (on-going): Antonio Kung, Lenora Zimmerman

Objective

Phase 1 (completed): The PWI has the objective to investigate the possibility to propose one or several documents

  • Part 1: a TR providing
    • guidance on how to assess the impact of security and privacy of AI use cases,
    • providing a security and privacy analysis of the use cases in ISO/IEC TR 24030 (AI use cases)
  • Part 2: a TS providing
    • an overview of privacy concerns for AI,
    • guidance concerning AI-based systems
    • additional recommendations concerning standards where appropriate
  • Part 3: a TS providing
    • an overview of security concerns for AI,
    • guidance concerning AI-based systems
    • additional recommendations concerning standards where appropriate

The following work will be carried out in the PWI:

  • extend the content of the study period report with the following
    • analysis of TR 24030 use cases from a security viewpoint,
    • identification of standards for which specific recommendations concerning AI would be useful,
    • identification of AI standards for which specific recommendations concerning security and privacy would be useful;
    • identification of specific security controls; and
    • whatever contributions that matches the intended content of part 1, part 2, and part 3.
  • transform the report into a set of three documents that can be submitted as draft TR and TS;
  • make a recommendation on the way to proceed concerning the three documents;

Phase 2 (on-going): Guidance on addressing privacy protection for artificial intelligence systems

  • Currently discussed scope: 

This document provides guidance for organizations to identify and address privacy concerns in the development and use of artificial intelligence systems. The guidance in this document aims to provide information to organizations to help them better understand and address the impact of AI systems and Machine Learning techniques on individual privacy and society at-large. This document also addresses ways in which societal and regulatory expectations influence how AI systems and Machine Learning is and is not used.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that develop or use AI systems.

Documentation

1st PWI report was published in April 2021.

2nd PWI report was published in October 2021

Comments

Is the continuation of the study period that concluded in September 2020

Further to the completion of phase 1, part 1 is registered as a TR (ISO/IEC 27653; Impact of security and privacy in AI use cases), part 2 is still-on going. Note that part 3 has been transferred to another PWI 7699 (Guidance for addressing security threats and failures in artificial
intelligence)

Further to March 2022 meeting, PWI is working on making a new work item proposal on Guidance for privacy protection in AI systems Further to October 2022 meeting, a ballot has been initiative for ISO/IEC 27091 Cybersecurity and data protection - Artificial intelligence - Privacy Protection