The City of the Future Living Lab Sauro Vicini CTO @ eservices for Life and Health San Raffaele Hospital Istanbul 2015
San Raffaele Hospital & Science Park in Milan Sauro Vicini All Rights Reserved
San Raffaele Hospital's Science Park & The City of the Future Living Lab
The City of the Future Living Lab
A lab where tomorrow's technologies and services are conceived, designed, developed, experimented and evaluated with users' active participation. In such a fertile setting, research is brought out of traditional laboratory contexts and populates an ecosystem that grows and evolves day after day, offering future-looking experiences.
A Living Lab for (Healthy) Living Services
Accenture's Report on Living Services available at https://www.accenture.com/us-en/insight-living-services-from-accenture-digital.aspx
A Living Lab for Living Services Trusted Cloud Smart Hospital Smart City
The City of the Future Living Lab Research Misconduct
The Co-Creation Process
Vicini, S., Bellini, S., & Sanna, A. (2013). User-Driven Service Innovation in a Smarter City Living Lab. International Conference on Service Sciences (ICSS) (p. 254-259). Shenzhen: IEEE.
City of the Future Living Lab The Co-Creation Process Co-Design
City of the Future Living Lab The Co-Creation Process Implementation
City of the Future Living Lab The Co-Creation Process Experimentation
City of the Future Living Lab The Co-Creation Process Evaluation
The City of the Future Living Lab: Our Strengths
Big and crowded playground: 32.000 sqm, 25.000 visitors daily
Knowledge and competences easy to reach, especially in the health and wellbeing sector
Strong scientific background: top ranked scientific institute
Real multi-disciplinary research group: Designers, Engineers, Psychologist, Sociologist, Lawyer, Philosopher
Rigorous research methodology coming from traditional research & scientific trials
Enhancing Co-Creation with Privacy and Security-by-Design methodologies
Sauro Vicini
Acknowledgments
Online Privacy Enforcement, Right Assurance & Optimization
PRIvacy and Security MAintaining Services in the CLOUD: empowering privacy and security in non-trusted environments
Trustworthy Clouds - Privacy and Resilience for Internet-scale Critical Infrastructure
Managing Assurance, Security and Trust for services
Personalized Information Platform for Life and Health Services
Privacy and Identity Management for Europe
The Co-Creation Process
The City of the Future Living Lab Ethics and Privacy
The Co-Creation Process (Co-Design)
Ethics, Privacy & Security by Design
Phases: Scenario Definition -> Input Data Identification -> Stakeholders' Goals and Data of Interest Analysis -> Threats and Feared Events Investigation (each derived from the results of the previous one)
Tools: Co-Design tools, Interviews, SOTA investigation
Outputs: List of relevant data-types handled in the system; Stakeholders' Goals table (Table); Feared Events table (Table)
Format: 1 Day Workshop. Expertise you need (7 people + Moderator): Technical (PETs), Service Design, Law, Ethics, 3 End-users / Domain experts
Ethics, Privacy & Security by Design
Scenario definition
This phase targets the definition of the application scenario. During this phase, stakeholders are identified via an incremental process: as the scenario is generated and enriched with details, new stakeholders may appear. A practical tool widely adopted in the Co-Creation methodology to achieve this goal is the interview. As is widely known, interviews do not follow strict templates and have to be adapted case by case (see, e.g., Stickdorn & Schneider, 2012; Fox, 2009). In this phase, the interviews have to target the elicitation of the so-called needs and pain-points of the users, i.e., highlight the missing services and those services which need a substantial re-design. Although interviews are very effective tools for eliciting the end-users' requirements, other co-creation tools (like focus groups, workshops, brainstorming sessions, etc.) can be used here, if needed, to get a better picture of the scenario. The analysis of the state-of-the-art (SOTA) is also required at this step and complements the aforementioned tools. The output of this phase is a textual description of the scenario.
Ethics, Privacy & Security by Design: Scenario definition
Ethics, Privacy & Security by Design
Input data identification
The definition of the scenario naturally allows the identification of the set of input data of the system, i.e., the data that will be provided by the stakeholders. Notably, once the scenario with its stakeholders and data into play has been defined and the set of input data has been identified, a first privacy and security assessment can be performed, e.g., by identifying which kinds of data need ad-hoc countermeasures because of their high sensitivity, which is protected by the law. At this stage, input from legal/ethics experts would be beneficial to identify important requirements arising from the handling of particular data.
Stakeholders' goals and data of interest analysis
The two previous phases generate the elements that are fed into the third phase of the SPACE process, devised for the analysis of stakeholders' goals and their data of interest. The following table, Table 1, is the template for carrying out such analysis. It is a table clearly and precisely summarizing the list of stakeholders, their goals and the set of data they are interested in. Notably, new data-types may be defined here (for a practical example see the case study presented in Section 3). The importance of filling in this table is that it highlights the data of interest of each stakeholder according to their goals. The usage of this data without privacy and security countermeasures, however, may violate some privacy or security principle. It is therefore of vital importance to characterize the high-level goals of the stakeholders and identify the data they need to provide their service, in order to consider the circumstances in which privacy or security breaches might occur.
Table 1 template: Stakeholder | Goals | Data of interest
Ethics, Privacy & Security by Design
Stakeholders' goals and data of interest analysis
Stakeholder | Goals | Data of interest
Patients | Take advantage of genomic-based medical treatments; know ludic information about their DNA. | DNA, Ludic metadata, Clinical metadata.
Doctors | Cure patients; Diagnose diseases. | Identification data, Clinical metadata.
Researchers | Support the hospital staff. | DNA
UIP | Selling a new service. Administrating the (untrusted) infrastructure on which the analyses are carried out. | Resource statistics (disk usage, network traffic, CPU load); System logs.
Ethics, Privacy & Security by Design
Threats and feared events investigation
The table with the list of stakeholders, their goals and data of interest is fed into this phase. This phase is also parameterized by a set of threats that are pre-defined and can be tailored according to the privacy and security facets of greater interest. In our application scenario, we used the privacy and security properties listed in the LINDDUN (Deng, Wuyts, Scandariato, Preneel, & Joosen, 2011) and STRIDE (Howard & Lipner, 2006) threat categories. The LINDDUN threat category, also used in the PRIPARE methodology, comprises seven threats, each associated with a privacy property. The LINDDUN privacy properties are:
1. Unlinkability: hiding the link between two or more actions, identities, and pieces of information.
2. Anonymity: hiding the link between an identity and an action or a piece of information.
3. Plausible deniability: ability to deny having performed an action that other parties can neither confirm nor contradict.
4. Undetectability: hiding the user's activities.
5. Confidentiality: hiding the data content or controlled release of data content.
6. Content awareness: user's consciousness regarding his own data.
7. Policy and consent compliance: the data controller informs the data subject about the system's privacy policy, or allows the data subject to specify consents in compliance with legislation.
Each privacy property is associated with a threat: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, and Non-compliance.
Ethics, Privacy & Security by Design
Threats and feared events table
Stakeholder | Threat | Data involved | Feared event | Security/Privacy countermeasure
Patients | Disclosure | DNA | Full disclosure of DNA, affecting his/her relatives' privacy. | The system must ask the patients for the signature of the informed consent.
Hospital staff | Detectability | Clinical metadata; Identification data | Patient does not have control on who accesses his/her data. | The system must track logs of all the accesses and allow the user to know who is accessing their data and when.
Researchers | Unawareness | DNA | Unauthorized research activity. | Researchers must sign an agreement specifying that they cannot perform research activity if the patient did not allow third-party research activities.
Researcher | Disclosure | DNA | Knowing more things about me than the things I expect to be known. | The system must provide access to the minimum amount of DNA that is sufficient for a specific task.
Researchers | Linkability | DNA | Blood-link between patients' relatives. | The system must avoid direct access to multiple DNA data that can lead to the blood-link discovery.
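As an added example (not from the slides nor from the Living Lab's own systems), a small Python access gate that enforces the countermeasures of the table above at request time: informed consent before any DNA release (Disclosure), a log every patient can consult (Detectability), a signed agreement for researchers (Unawareness), release of only the regions a task needs (minimisation), and refusal of requests spanning several patients' DNA (Linkability). The consent records, the agreement list, the patient and gene-region names and the per-task region ceiling are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the slides): the purposes each patient's informed
# consent covers, and the researchers who signed the third-party research agreement.
CONSENT = {"patient-A": {"treatment", "research"}, "patient-B": {"treatment"}}
RESEARCH_AGREEMENT_SIGNED = {"researcher-1"}
MAX_REGIONS_PER_TASK = 3  # assumed ceiling standing in for "minimum DNA for the task"


@dataclass
class AccessLog:
    """Detectability countermeasure: every attempt is logged, and a patient can list
    who asked for their data, for which purpose, and whether it was granted."""
    entries: list = field(default_factory=list)

    def record(self, requester, patient, regions, purpose, decision):
        self.entries.append({"requester": requester, "patient": patient,
                             "regions": sorted(regions), "purpose": purpose,
                             "decision": decision})

    def for_patient(self, patient):
        return [e for e in self.entries if e["patient"] == patient]


LOG = AccessLog()


def request_dna(requester, role, patients, regions, purpose):
    """Gate one request for DNA data against the feared events in the table.
    Returns ("allowed", released_regions) or ("denied", reason)."""
    def deny(reason):
        for p in patients:  # denied attempts are logged too, so the patient sees them
            LOG.record(requester, p, regions, purpose, "denied: " + reason)
        return "denied", reason

    # Linkability: a request spanning several patients' DNA could reveal blood links.
    if len(patients) != 1:
        return deny("multi-patient request")
    patient = patients[0]
    # Disclosure: the patient's informed consent must cover the stated purpose.
    if purpose not in CONSENT.get(patient, set()):
        return deny("no informed consent for purpose " + purpose)
    # Unawareness: researchers must have signed the research agreement.
    if role == "researcher" and requester not in RESEARCH_AGREEMENT_SIGNED:
        return deny("research agreement not signed")
    # Disclosure (minimisation): only the regions the task needs, never the whole genome.
    if "*" in regions or len(regions) > MAX_REGIONS_PER_TASK:
        return deny("request exceeds minimum DNA needed for the task")
    LOG.record(requester, patient, regions, purpose, "allowed")
    return "allowed", sorted(regions)
```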
The Co-Creation Process (Co-Design)
References
Deng, M., Wuyts, K., Scandariato, R., Preneel, B., & Joosen, W. (2011). A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requirements Engineering, 16 (1), 3-32.
Fox, N. (2009). Using Interviews in a Research Project. Nottingham: The NIHR RDS for the East Midlands / Yorkshire & the Humber.
Hood, L., & Flores, M. (2012). A personal view on systems medicine and the emergence of proactive P4 medicine: predictive, preventive, personalized and participatory. New Biotechnology, 613-624.
Howard, M., & Lipner, S. (2006). The Security Development Lifecycle. Redmond, WA, USA: Microsoft Press.
Notario, N., Crespo, A., Kung, A., Kroener, I., Le Métayer, Troncoso, C., et al. (2014). PRIPARE: A New Vision on Engineering Privacy and Security by Design. Cyber Security and Privacy - Third Cyber Security and Privacy EU Forum, CSP Forum 2014, Athens, Greece, May 21-22, 2014, Revised Selected Papers (p. 65-76). Athens, Greece: Springer.
Pearson, S. (2009). Taking Account of Privacy when Designing Cloud Computing Services. Proceedings of the 2009 ICSE Workshop on Software Engineering Challenges of Cloud Computing (p. 44-52). Washington DC: IEEE Computer Society.
Shostack, A. (2014). Threat Modeling: Designing for Security. Indianapolis, Indiana: John Wiley & Sons.
Stickdorn, M., & Schneider, J. (2012). This is Service Design Thinking: Basics, Tools, Cases. Wiley.
Vicini, S., Bellini, S., & Sanna, A. (2012). The City of the Future Living Lab. International Journal of Automation and Smart Technology, 2 (3).
Vicini, S., Bellini, S., & Sanna, A. (2013). User-Driven Service Innovation in a Smarter City Living Lab. International Conference on Service Sciences (ICSS) (p. 254-259). Shenzhen: IEEE.
The City of the Future Living Lab www.cityofthefuturelab.org
Sauro Vicini mail vicini.sauro@hsr.it tel +39 02 2643 3137 Istanbul / 2015