GDPR（一般データ保護規則）とFIDO標準について

All Rights Reserved | FIDO Alliance | Copyright 20181
FIDO SUPPORT FOR THE GDPR
ALAIN MARTIN
CO-CHAIR FIDO EUROPE WG
VP STRATEGIC PARTNERSHIPS - GEMALTO

AGENDA
• Review of relevant GDPR requirements
• How FIDO helps to meet these requirements

GDPR – GENERAL DATA PROTECTION REGULATION
• Applies since 25 May 2018
• Very large fines for infringement: Up to €20,000,000 or 4% total
worldwide turnover
• Data protection
• Consent of data subject
• Data subject rights
• Adequacy, relevance, etc. of data collection
• …
The subject of today

4
SECURITY OF PROCESSING
• Personal data shall be protected against unauthorised processing,
unauthorized disclosure or access (articles 5, 32.2)
• Level of security to be appropriate to the risk (article 32.1)

PROTECTION AGAINST UNAUTHORIZED ACCESS
Are passwords still OK ?
➔Strong authentication
may be required

RECENT HEALTHCARE DATA BREACHES
July 2018 – Singapore
“Hackers stole data of PM Lee and 1.5 million
patients in 'major cyberattack' on SingHealth”
October 2018 – USA
“US Center for Medicare & Medicaid Services
says 75,000 individuals' files accessed in
data breach”
July 2018 – USA
“1.4M records breached in UnityPoint Health
phishing attack”
July 2018 – USA
“Patient data exposed for months
after phishing attack on Sunspire”

7
SPECIAL CATEGORIES OF DATA
• Processing of this data prohibited,
unless allowed in specific cases
(article 9.1)
• If allowed, requires
• Explicit consent (article 9.2)
• Suitable safeguards to protect personal
data
• Data protection impact assessment
(article 35)
• Assessment of the measures, safeguards
and mechanisms envisaged for
mitigating risk and ensuring the
protection of personal data
Special
Categories
of data
Political opinions
Racial or ethnic
origin
Healthcare
Sexual life
Religious
beliefs
Biometric data

8
USER CONSENT
• Data subject must give consent to processing of his/her personal data
(article 6.1)
• The controller should be able to demonstrate this consent (article 7.1)
• For special categories: explicit consent (article 9.2)

EXPLICIT CONSENT
Is ticking a box the best
practice ?
➔Strong authentication could be a good practice
➔Creating a non forgeable digital proof could be
a good practice

10
EXEMPTION
• GDPR does not apply to the processing of personal data by a natural
person in the course of a purely personal or household activity (article 2.2)
• Biometrics on smartphone can be exempted
• e.g. French Data Protection Authority (CNIL) exemption IF ON DEVICE STORAGE
AND MATCHING
• If remote storage and matching, there must be an impact assessment

CNIL BIOMETRIC DIRECTIVE
Criteria for exemption from CNIL review and authorization
1. The user uses this device privately, using his own biometric data, to unlock his
phone or to access applications he has downloaded on his own
2. The user only decides to use the biometric authentication integrated in his device
3. The biometric template is stored in the device in a closed environment and is not
accessible or transmitted to the outside
4. The biometric template is stored in the apparatus in an encrypted manner using a
cryptographic algorithm and a key management according to the state of the art
5. During the access control, only a token or data indicating the success or failure of
the recognition of the biometry presented is transmitted

DATA SUBJECT RIGHTS
• Data subjects have a number of rights on their personal data:
• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to data portability (Article 20)
• Delivering these capabilities requires user authentication
For sensitive data (special categories), are
passwords still OK ?
➔Strong authentication may be required

13
DATA PROTECTION BY DESIGN PRINCIPLE
• Controllers should implement measures which meet the principles of
data protection by design (article 25)
• Proactive
• Embedded from the start in design
• For authentication solutions, this would mean, by design:
➔ Protection of user authentication credentials and biometric data
➔ Protection against phishing or MITM attacks
➔ Protection against third parties inferring the identities of authenticating parties

FIDO HELPS MEET GDPR
REQUIREMENTS

HUMAN-READABLE “SHARED SECRET”
• Inconvenient
• Phishable
• Hackable
This is true of One Time
Passwords as well
Password or OTP

SMS OTP HACKS
August 2018 – USA
“Reddit Breach Highlights Limits of SMS OTP-
Based Authentication”
May 2017 – Germany (Süddeutsche Zeitung )
“Vulnerability in the mobile network: Criminal
hackers empty accounts”
German
Banks

User Environment
FIDO AUTHENTICATION
Authenticator
User gesture before
private key can be used
(Touch, PIN entry,
Biometric entry)
Challenge
Signed Response
Private key
Public key
User Relying Party
Local user verification step On-line authentication step

FIDO EMBRACES PROTECTION/PRIVACY-BY-DESIGN
Based on
public key
cryptography
No server-side
shared secrets
Keys
generated
and stored
on device
No 3rd party in
the protocol
Biometrics, if used,
never leave device
No link-ability
between services or
accounts

FIDO PROTECTION FROM HACKERS
• Non human readable cryptographic response
• Protects from (simple) phishing attacks
• Verification of web origin/channel id
• Prevents man-in the middle attacks and (complex) phishing attacks
Relying
Party

FIDO’S USE OF BIOMETRICS
• With FIDO, biometrics can only be stored and matched on a consumer’s
device
• FIDO prohibit biometrics from being stored or matched in servers
➔ No Data Protection Impact Assessment for the use of biometric data

EXPLICIT CONSENT WITH FIDO
• FIDO authenticators are capable of signing
transaction data
• Server message can include consent information
• Signed response is a non forgeable proof
• Can be used in case of dispute
Do you agree to
providing your
health data to
ABCHealth ?
Authenticate to
confirm

BROADER REACH: A BENEFIT OF STANDARDISATION
• A FIDO universal server
supports any FIDO
compliant authenticator
➔FIDO Standards reduce
the cost of deploying
multiple devices
FIDO server
App

TAKE AWAY
• In light of the heavy fines
• In light of the ever increasing attacks
from hackers
➔ A service provider should consider
replacing passwords with stronger
means of authentication
Password
• FIDO proposes a standardized solution
• That combines convenience and security
• That meets the privacy-by-design requirement
Data protection
measures

HTTPS://FIDOALLIANCE.ORG/

GDPR（一般データ保護規則）とFIDO標準について

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to GDPR（一般データ保護規則）とFIDO標準について

Similar to GDPR（一般データ保護規則）とFIDO標準について (20)

More from FIDO Alliance

More from FIDO Alliance (20)

Recently uploaded

Recently uploaded (20)

GDPR（一般データ保護規則）とFIDO標準について