Short BIO

Professor in information sciences at the University of Paris Ouest Nanterre la Défense

Member of TACTIC lab with a focus on usages of ICT tools for online learning. Specific domains of interest cover public access to Internet and standards for e-learning.

In charge of :

• an online curriculum to train professionals for designing e-learning applications in companies and public institutions.
• an online master on digital projects for local development.
• an online professional certificate for data protection officers.

Ongoing studies on privacy and personal data protection.

 

CPDP Conference 2012 Panel 'A ‘Trusted’ Panel: A Need for Constructive Distrust?' presentation

Consumer trust, an overlooked issue?

As trust is considered a tenet of e-commerce, consumers opinions and representations are generally overlooked in most of ongoing debates. A general assumption is that users fears are well known and taken care of, although sociological studies demonstrate that it is not the case. Stakeholders are discussing technical solutions as well as providing legal basis to implement them without giving enough attention to how users will understand and adopt them. As a result, some of these services are heading for failure for not taking into consideration consumer's expectations and fears, even if some examples across Europe show that users involvement in design phases yields a better adoption rate. This presentation would like to prove this hypothesis by giving insights on how trust is built by net-users when an effective right is given to them to interact with persons in charge of their personal data in order to control how they use them. Good practices as well as known failures will be presented and discussed. Examples will be drawn from the French postal services : how to gain confidence from users for Certinomis and Identic (electronic certificates) ? Translink, the national Deutsch transport operator, has built a trust relationship with travellers based on the bouldering tradition : bringing together all stakeholders to agree on simple usage scenarios. How the BEUC envisions to give guarantees to customers and build trust by insuring a secure digital environment ? How civil society reacts to threats such as personal data breaches?

 

Title of the presentation (2011)

Moderator for panel 11: Securing the cloud against organisational threats

Cloud Providers and Security Risk

A traditional cloud-based environment offers a quick and cost-effective access to technology. Outsourcing ID Management to a «Third Trusted Party», «Identity Broker» , or through a «bilateral proof based agreement», will require strong guarantees to users from industrial stakeholders (services providers).

By letting go of the infrastructure, managing security risk becomes an important task requiring a joint effort between the client and cloud provider.To help mitigate such risk, use of identity and access management solutions by cloud providers are a must. Who is the user and what can a user do in a cloud environment must be monitored and also enforced diligently.

A public cloud that offers on-demand services to a wide population of users must take relevant compliance mandates with utmost responsibility to ensure access control will not be compromised - or risk loss of business due to bad publicity and lack of trust. Thus, identity management technologies such as authentication, authorization, user management, compliance, and others are paramount:

• Users must be strongly authenticated to validate their identity
• Web based Identity Federation to ease the authentication process should be available
• Up to date access rights must be checked against cloud application's access control policies
• All user interactions must be logged to ensure non-repudiation
• User accounts must be de-provisioned in a timely manner
• Dormant accounts must be identified and removed quickly
• Access permissions must be certified on a continuous basis
   

 

Online publications

1.Arnaud M., Towards a European privacy charter in e-ticketing, Smart ticketing and transport 2009, Paris, France, October 5-6, 2009, http://www.groupeactis.com/spip.php?rubrique22

2.Arnaud M., Trusted third party as a key actor for privacy protection , The net will not forget, European Conference on ICT and Privacy, Copenhagen, Denmark, September 23-24, 2009 http://ict-privacy.dk/

3.Arnaud M., Privacy, security and safety in e-ticketing, Workshops Proceedings of the 5th International Conference on Intelligent Environments, 20-21 July 2009, Barcelona, Spain, http://intelligentenvironments.org/conferences/ie09/ Ambient Intelligence and Smart Environments, vol.4, IOS Press, Amsterdam, 2009, pp.247-252