ISS 2004
SECOND INTERNATIONAL SUMMER SCHOOL ON INFORMATION AND SYSTEM SECURITY

Dates: September 13-24, 2004
Place: Villa Olmo, Como, Italy


Each of the courses offered consists of 15/20 hours of lecturing spread over the two-week period. Upon request, a final evaluation for each course will be made through a final exam or project. The program of the school will also include special sessions on industry and research projects dealing with various aspects of security. The official language of the school is English.
Courses Offered:

Relevant privacy standards - P3P and Appel
Program:
BACKGROUND:
  • Introduction:
    Why P3P and EPAL?
  • Introduction to XML:
    P3P and EPAL are expressed in XML, therefore an understanding of XML is an essential foundation.
TECHNICAL DETAILS:
  • P3P Architecture:
    The elements of P3P architecture - policies, data schemas, compact policies, policy reference files, APPEL rulesets, and user agents.
  • P3P Semantics:
    The elements of a Policy, Relationship to Data Protection Legislation, problems in the European Union. Example policies.
  • P3P and Cookies:
    Applying P3P to a cookie, linkage, legal and "philosophical" issues around cookies.
  • Applying policies:
    Policy reference files and deciding responsibility for a policy. Scenario.
  • APPEL - language syntax and implementation architecture.
  • Example of APPEL rules.
  • Modeling laws with APPEL.
HOW P3P ENABLES A WEB SITE:
  • User Interfaces:
    User agent front ends, policy editors, rule editors.
  • Exercise:
    Enabling a web site with P3P from start to finish.
OUTLOOK FOR P3P:
  • Unsolved Problems:
    Legal, Technical and Social problems with P3P e.g. compact policies, notice, consent.
  • Future of P3P:
    P3P 1.1, P3P in enterprise and audit languages, P3P as a basis for lifecycle data systems.
INTRODUCTION TO EPAL:
  • EPAL context.
  • Difference between EPAL and P3P.
  • EPAL architecture.
  • EPAL Syntax.
  • Example of modelling a legal document in EPAL.
  • EPAL Prospects.
Speaker: Giles Hogben

Anonymity and pseudo-anonymity protocols
Program:
TOPICS:
    One of the main impacts of contemporary Information and Communication Technology (ICT) is the invasion of privacy and the misuse of personal information. To solve the privacy problem, people often talk about “data protection” as a set of methodologies and tools useful for solving it. But if we use data security as a synonym for privacy, we can be deceived. Indeed, the term “data protection” covers all the techniques useful for protecting the user's personal information from unauthorised or accidental disclosure. Privacy concerns how to protect the personal sphere of the users. Anonymity represents one of the main aspects of privacy. This course will give an introduction to and a survey of the main anonymity and pseudoanonymity protocols.
PROGRAM:
  • Introduction to anonymity & pseudoanonymity.
  • Anonymity at the Communication Level: DC nets & MIX nets, Mix net applications (Anonymous Remailers and Browsers, Onion Routing), Crowds.
  • Anonymity at the Application Level: Blind Signatures, Ecash, Anonymous payment protocols, Anonymous voting schemes.
  • Anonymity at the System Level.
BIBLIOGRAPHY:
Speaker: Giuseppe Russo

Privacy-enhancing techniques
Program:
  • Anonymity on the network (Mattia Monga - Igor Nai Fovino)
  • Digging the file system looking for personal data (Lorenzo Martignoni)
  • Attacks on privacy (Lorenzo Cavallaro - Andrea Lanzi)
  • Security and Privacy (Danilo Bruschi)
Speakers: Danilo Bruschi, Lorenzo Cavallaro, Andrea Lanzi, Lorenzo Martignoni, Mattia Monga, Igor Nai Fovino

Introduction to privacy and identity management
Program:
  • Digital identities, privacy and security.
  • An introduction to legal and technical privacy principles.
  • Presentation of an application scenario.
Speaker: Marc Wilikens

Privacy-preserving databases and data mining
Program:
  • Introduction to data mining
  • Overview of privacy preserving databases and data mining
  • Privacy preserving data mining
    • Privacy preserving classification model construction
    • Privacy preserving data clustering
    • Privacy preserving association rule mining in distributed databases
  • Privacy protection against data mining
    • Association rule hiding
    • Classification model hiding
    • Privacy protection in text databases
  • Privacy preserving databases
    • Privacy preserving outsourcing of databases
    • Privacy preserving indexes
    • Privacy preserving query answering
  • Future research directions
Speaker: Yucel Saygin

Legal and forensic aspects
Abstract: The program of my lessons is related to computer forensics, the science that studies the collection, preservation, analysis, and presentation of computer-related evidence. Computer evidence can be useful in criminal cases, civil disputes, and human resources/employment proceedings.
We will study the basic principles of computer forensics, focusing especially on the legal aspects: media analysis, data retention, privacy, legal security. Lessons will also deal with the Italian and international legal framework of these topics.
Speaker: Giovanni Ziccardi

Other school programme details will be announced soon.