UPENET (UPGRADE European NETwork) CEPIS NEWS

Transcription

1 UPGRADE is the European Journal for the Informatics Professional, published bimonthly at < Publisher UPGRADE is published on behalf of CEPIS (Council of European Professional Informatics Societies, < by Novática < journal of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática, < UPGRADE monographs are also published in Spanish (full version printed; summary, abstracts and some articles online) by Novática UPGRADE was created in October 2000 by CEPIS and was first published by Novática and INFORMATIK/INFORMATIQUE, bimonthly journal of SVI/FSI (Swiss Federation of Professional Informatics Societies, < UPGRADE is the anchor point for UPENET (UPGRADE European NETwork), the network of CEPIS member societies publications, that currently includes the following ones: InfoRewiew, magazine from the Serbian CEPIS society JISA Informatica, journal from the Slovenian CEPIS society SDI Informatik-Spektrum, journal published by Springer Verlag on behalf of the CEPIS societies GI, Germany, and SI, Switzerland ITNOW, magazine published by Oxford University Press on behalf of the British CEPIS society BCS Mondo Digitale, digital journal from the Italian CEPIS society AICA Novática, journal from the Spanish CEPIS society ATI OCG Journal, journal from the Austrian CEPIS society OCG Pliroforiki, journal from the Cyprus CEPIS society CCS Tölvumál, journal from the Icelandic CEPIS society ISIP Editorial TeamEditorial Team Chief Editor: Llorenç Pagés-Casas Deputy Chief Editor: Rafael Fernández Calvo Associate Editor: Fiona Fanning Editorial Board Prof. Vasile Baltac, CEPIS President Prof. Wolffried Stucky, CEPIS Former President Hans A. Frederik, CEPIS Vice President Prof. Nello Scarabottolo, CEPIS Honorary Treasurer Fernando Piera Gómez and Llorenç Pagés-Casas, ATI (Spain) François Louis Nicolet, SI (Switzerland) Roberto Carniel, ALSI Tecnoteca (Italy) UPENET Advisory Board Dubravka Dukic (inforeview, Serbia) Matjaz Gams (Informatica, Slovenia) Hermann Engesser (Informatik-Spektrum, Germany and Switzerland) Brian Runciman (ITNOW, United Kingdom) Franco Filippazzi (Mondo Digitale, Italy) Llorenç Pagés-Casas (Novática, Spain) Veith Risak (OCG Journal, Austria) Panicos Masouras (Pliroforiki, Cyprus) Thorvardur Kári Ólafsson (Tölvumál, Iceland) Rafael Fernández Calvo (Coordination) English Language Editors: Mike Andersson, David Cash, Arthur Cook, Tracey Darch, Laura Davies, Nick Dunn, Rodney Fennemore, Hilary Green, Roger Harris, Jim Holder, Pat Moody. Cover page designed by Concha Arias-Pérez "Indiscernible Identity" / CEPIS 2010 Layout Design: François Louis Nicolet Composition: Jorge Llácer-Gil de Ramales Editorial correspondence: Llorenç Pagés-Casas <pages@ati.es> Advertising correspondence: <novatica@ati.es> UPGRADE Newslist available at < Copyright Novática 2010 (for the monograph) CEPIS 2010 (for the sections UPENET and CEPIS News) All rights reserved under otherwise stated. Abstracting is permitted with credit to the source. For copying, reprint, or republication permission, contact the Editorial Team The opinions expressed by the authors are their exclusive responsibility ISSN Monograph of next issue (April 2010) "Information Technology intourism Industry" (The full schedule of UPGRADE is available at our website) Vol. XI, issue No. 1, February Editorial: Serbian Publication InfoReview joins UPENET, the Network of CEPIS Societies Journals and Magazines 2 From the Chief Editor s Desk New Deputy Chief Editor of UPGRADE Monograph: Identity and Privacy Management (published jointly with Novática*) Guest Editors: Javier Lopez-Muñoz, Miguel Soriano-Ibañez, and Fabio Martinelli 3 Presentation: Identify Yourself but Don t Reveal Your Identity Javier Lopez-Muñoz, Miguel Soriano-Ibañez, and Fabio Martinelli 6 Digital Identity and Identity Management Technologies Isaac Agudo-Ruiz 13 SWIFT Advanced Services for Identity Management Alejandro Pérez-Méndez, Elena-María Torroglosa-García, Gabriel López- Millán, Antonio F. Gómez-Skarmeta, Joao Girao, and Mario Lischka 21 A Privacy Preserving Attribute Aggregation Model for Federated Identity Managements Systems George Inman and David Chadwick 27 Anonymity in the Service of Attackers Guillermo Suarez de Tangil-Rotaeche, Esther Palomar-González, Arturo Ribagorda- Garnacho, and Benjamín Ramos-Álvarez 32 The Importance of Context-Dependent Privacy Requirements and Perceptions to the Design of Privacy-Aware Systems Aggeliki Tsohou, Costas Lambrinoudakis, Spyros Kokolakis, and Stefanos Gritzalis 38 Privacy Three Agents Protection Gemma Déler-Castro 44 Enforcing Private Policy via Security-by-Contract Gabriele Costa and Ilaria Matteucci 53 How Do we Measure Privacy? David Rebollo-Monedero and Jordi Forné 59 Privacy and Anonymity Management in Electronic Voting Jordi Puiggalí-Allepuz and Sandra Guasch-Castelló 66 Digital Identity and Privacy in some New-Generation Information and Communication Technologies Agustí Solanas, Josep Domingo-Ferrer, and Jordi Castellà-Roca 72 Authentication and Privacy in Vehicular Networks José-María de Fuentes García-Romero de Tejada, Ana-Isabel González-Tablas Ferreres, and Arturo Ribagorda-Garnacho UPENET (UPGRADE European NETwork) 79 From ITNOW (BCS, United Kingdom) ICT in Education Enthusing Students Bella Daniels 81 From InfoReview (JISA, Serbia) Information Society "Knowledge Society" is a European Educational Imperative that Should not Circumvent Serbia Marina Petrovic CEPIS NEWS 84 Selected CEPIS News Fiona Fanning 86 Privacy-Consistent Banking Acquisition CEPIS Legal and Security Special Interest Network * This monograph will be also published in Spanish (full version printed; summary, abstracts, and some articles online) by Novática, journal of the Spanish CEPIS society ATI (Asociación de Técnicos de Informática) at <

2 Privacy Three Agents Protection Gemma Déler-Castro Web 2.0 and its manifestations have given rise to an increase in the number of content providers. Now it is the individuals themselves who prepare and publish content. The implementation of e-government procedures requires the fluid exchange of information between parties although it is not always easy to know beforehand who will participate in such procedures. Privacy protection laws were prepared in a different environment. They are now under review to adapt them to the new scenarios. Within the current framework, government and organizations are the two agents involved in the protection of individuals. Due to changes in the use of the Internet and networks, it has become necessary to include a third agent: the individual. Thus, individuals should play a more active role in effective privacy protection. Keywords: Identity management, Privacy, Social Networks, Trusted Domains. 1 Introduction The uses of information technology have changed substantially since the European Directive and Spanish Law on Personal Data Protection were developed and passed. In the new century the Information and Knowledge Society has become a reality. There is a new, virtual world parallel to the physical one that does not belong exclusively to businesses. It is popular and reaches individuals. Today, a part of our lives and relationships takes place on the Internet. It is no longer possible to keep data in one place. Data is combined and merged to create and deploy new, increasingly more attractive services. Privacy is a right that is still just as important as it is in the physical world. But the laws established to protect this right have lost effectiveness. Laws were prepared for a different environment in which data was collected by organizations (public and private) to run their processes. Therefore, it may be difficult to apply them in the current situation (characterized by the flow of information, distributed computing, e-applications, social networks, and more recently, cloud computing). In some cases it is not enough to protect people s privacy. This article discusses two cases, one related to e-government and the other to social networks. In both cases protection is only possible through the combined efforts of three agents: the government, social network managers, and individuals. 2 Transformation over Time Privacy protection laws were created in the pre-internet era and therefore need to be updated to adapt to the new reality. The World Wide Web was born in the 90s and the number of servers and user connections has grown exponentially ever since. In the first decade of the new century, the introduction of Web 2.0 has brought about a significant change. Now any individual can be a content provider. The determined entry of public authorities into the In- Author Gemma Déler-Castro is a Computer Engineer by the Universitat Politècnica de Catalunya, Spain, and holds a Master in Information and Knowledge Society. Since 1988 she has pursued her professional career in Applus+, heading its Information Technology Dept., where she has developed testing, certification, technical assistance and consulting services. She has worked in standardization since 1988 as a permanent member of the Spanish National Information Technology Committee. She has also chaired several committees and groups. She is a member of various technology platforms and runs the DNIe (Spanish Electronic Identity Card) group at esec (Spanish Technologic Platform for Security and Trust). Her most recent areas of activity include identity management and privacy. <gdeler@appluscorp.com> formation Society (development of the eeurope initiative) has shown that compliance with current legislation gives rise to problems that will need to be addressed in order to provide quality services to citizens. There is a need to create new concepts such as "trusted domains" or "shared areas" (the "aires de partage" proposed by French researcher Pierre Trudel) that facilitate information sharing while maintaining safeguards to protect people s privacy. Briefly: 2.1 The 90s In the 90s, computing and communications networks developed rapidly so it was necessary to set rules for data processing and transfer. Several countries started to prepare and draft such regulations. Spain was one of the first countries to have privacy regulations: the LORTAD, the Spanish statutory law of data protection (Ley Orgánica 5/ 92). The LORTAD regulated the automated processing of personal data and predated the Data Privacy Directive 95/ 46/EC, the European law created to harmonize national regulations. The Directive applies to data processed by automated means (e.g. a customer s database in a computer) and to 38 UPGRADE Vol. XI, No. 1, February 2010 Novática

3 Figure 1: Use of ICT in Spain since 2004 until (Source: Spain s National Institute of Statistics.) other media such as paper if the data is sorted (with some kind of index) for retrieval purposes. The Directive does not apply to data processed in the performance of purely personal or household activities. Later on the Spanish LOPD: (Ley Orgánica 15/1999) transposes the 1995 Directive and replaces the LORTAD. The situation in the late 90s was quite different. In this decade the global hypertext system initiated by the British physicist Timothy John Berners-Lee was publicly presented. This was the starting point of the Internet we know today. A new era of communication came and humankind became globally interconnected. HTML became standard in 1993; Yahoo and Netscape were in place in 1994; the first version of Explorer came out in 1995 and in 1998 W3C published the first version of XML. This decade clearly marks a transition: at the beginning of the 90s applications were in the hands of organizations. Only organizations had computers powerful enough to process data needed for the development of their activities and businesses. In this situation it was possible to identify where 1 Term defined in 2004 when Dale Dougherty from O Reilly Media used it in a lecture in which he spoke about the rebirth and evolution of the web (after the technological bubble burst in early 2000). 2 The area can be defined as the shared information space in which personal data required for the provision of a package of services is available to different entities. Such entities are only entitled to access data if it is necessary to perform the service for which the shared area was intended. Also, measures and safeguards are designed to ensure that personal data will be used for lawful purposes rather than to prevent its circulation. Rules are established to designate who is responsible for the dissemination of information over the network. the data was and who was responsible for it and for the measures intended to protect it. This environment explains the principles of the Directive. 2.2 Since 2000 This has been the time when the masses have had access to the Internet. The number of Internet users has grown rapidly. Governments have launched policies to reduce the digital divide. The network has appeared as a new relationship space. The network is too important to be excluded from; exclusion limits one s capacity for personal development. According to Eurostat, the European body for statistics, in Spain 40% of individuals between 16 and 74 accessed the Internet in In 2008 the figure increased to 59.8% (see Figure 1). The use of Information Technologies among 10 to 15 year olds is very high. Thus, computer usage among children is almost universal (94.5%), while 85.1% use the Internet. The so-called Web and its various expressions such as social networking were born in recent years. Anyone can be a content and information provider in Web 2.0, therefore the number of agents is growing. Now, it is not only businesses or governments who collect and process data. National Data Protection Agencies, whose functions include (but are not limited to) the review of practices, preparation of reports, and the application of sanctions to companies, have no authority in the case of content generated by individuals. Novática UPGRADE Vol. XI, No. 1, February

4 3 Privacy, not just a Social Networking Problem The e-government applications currently being deployed require information to be shared among various public and private organizations if they are to be effective. There are several approaches to address the loss of data privacy. Perhaps one of the most prominent is Pierre Trudel s "aires de partage" approach mentioned above, which could be translated as "trusted domains" or "shared areas" 2. The development of this idea allows Government to be presented as a network in which administrative boundaries are increasingly irrelevant. To ensure services to citizens, the information held by various government agencies must be made accessible, but the requirement to obtain the "free and explicit consent" for each movement of personal information makes this difficult to implement. The legal framework should be adapted for the characteristics of networks and the Internet in particular. It is necessary to rethink the legal framework to ensure the protection of privacy in the context of e-government. The fundamentals of personal data protection need to be re-interpreted so as to provide guarantees and measures to ensure the protection of privacy. Protection at data access level requires a much higher level of protection than that found in the current measures used to protect deposited data. The purpose principle (need to know) is essential in data access. Data should only be used for purposes which are consistent with the original purposes for which it was acquired. Transparency is a prerequisite for both credibility and trust in networks. Respect of the purpose principle means that the user is aware of the family of purposes for which information was collected and will be used. The concept allows the flow of information and defines its uses. 4 Privacy in Social Networks The term Web 2.0 is a recent one; it first appeared in It makes reference to a new way of working and interacting. There is even a new business model, "long tail", successfully used by Amazon and other companies. Social networks are services on the Web offering a virtual space to share personal or professional information to its users. They may include text, photos, videos and links. Users are interconnected through an associated network of contacts that meet the six degrees rule (everyone is at most six steps away from any other person in the world). 72.9% of Internet users in Spain are members of a social network million Internet users visit a social network at least once a month. Spain is the second country in Europe in the use of social networks. Personal information has been populating the network since the appearance of the first examples of Web 2.0. Bloggers were the first to offer their visitors some information about their private lives: where they were going, what they did, how they felt, or what personal or professional events they would attend. There is a gradual and voluntary loss of privacy of the individual who, in return, expects to be well positioned in the resulting social framework of interpersonal relationships. Examples are easy to find: personal blogs have given prestige and helped improve professionals curriculums and reputation, or have given the place and opportunity to singers and other artists to disseminate their work. Web 2.0 courses emphasize the benefits of networking using LinkedIn, Xing or others. Students continue social relationships after school hours using instant messaging and/or sites like Facebook. Social networks offer great opportunities to all but, at the same time, there is loss of privacy when sharing data of an intimate nature. Other uses of the data left in these networks for purposes different from the original are: Human resources departments or search and comparison by head hunters Publication of information and comments for the purpose of harming others ("cyber-bullying", or couples who break up and make data belonging to their ex available for a variety of purposes). To obtain people s profiles for later use (generally linked to e-crime activities). Tools facilitate publication, making it attractive even for people with limited computer skills. In addition, some search engines make the results from blogs and other 2.0 sites appear first in the list. If an individual wishing to remain private stops providing this information, other users can publish content that belongs to that private area without telling the individual (e.g. photo tagging). The Internet makes it easy to create new content through the combination and merging of previous information. The ownership of this new information changes. There is no barrier to the transfer of data such as this, which might be of a personal or sensitive nature in many cases. Current legislation does not protect in such cases as it is not applicable to data processed in the exercise of purely personal or household activities. The issue is now in its preliminary stage. Although actions are in place to study and contain the effects, we are still a long way from finding a solution. In his 2007 article Tudel recognizes that there is much still to be done to characterize the different types of online spaces under the control of the citizen. 5 A New Model, Three Agents There are several difficulties. The network knows no borders whereas regulations are territorial. However, the first steps have been taken and we can refer to two recent documents that express the concern of several governments and even of the managers of some social networks in this regard: "The Safer Social Networking Principles for the EU" The APD (Spanish Data Protection) - Inteco report on Data Privacy and Information Security in online social networks Although users of social networks do not seem to be 40 UPGRADE Vol. XI, No. 1, February 2010 Novática

5 Figure 2: A New Privacy Model: The Three Agents. concerned about what information they reveal and the consequent loss of intimacy and privacy, many national and international agencies have sounded the alarm. Data Protection Agencies are proactive in providing social network managers and citizens with recommendations regarding these services. These recommendations focus on preventing potential unlawful interference and to minimize the disclosure of intimate personal information by users. Social networks can be seen as repositories of content from individuals; anyone can process this data using tools that are provided for free. In social networking, data protection is also a matter for the individual, who must play an active role in data protection (see Figure 2). 5.1 Public Administrations Public Administrations are gradually becoming aware of the problem and taking the first steps towards addressing them. While laws are still local, social networks based in 3 Continuing with the driving simile, apart from the various measures in place to prevent road accidents (the good state of roads, the highway code, safety measures in cars ), all passengers (not just the driver) must wear their seat belt. Drivers must comply with additional rules such as avoiding alcohol or drug use which can impair driving. And regardless of the existence of traffic lights, pedestrian crossings, the highway code pedestrians must still look both ways before crossing. 4 On the date of publication of this article, the 31st International Data Protection and Privacy Authorities Conference will have been held in Madrid (from November 4 to 6). One of the main objectives is to analyse in depth the rapid development of Information Technology and the Internet. The Internet has become an indispensable tool in today s society, but we need to think about the proliferation of new services such as social networks - because of their impact on the field of data protection and privacy. European countries (such as Tuenti) are friendlier with their users privacy than those in the USA (Facebook). A similar effort to that made for the preparation of the Directive has recently been made to revise current legislation. Education efforts are gradually increasing and becoming more important: e.g. publications by ENISA (European Network and Information Security Agency) or by the newly created "Office for the security of Internet users" OSI, an Agency of the Spanish Government directly involved in maintaining users privacy and identity management (see < They include tips for users of social networks. Under the heading "You re the one who sets the limits of your privacy" some clear advice is given: Think before you post Manage your contact list Comply with privacy policies and terms of use to prevent abuse And under the heading "Protect yourself from identity theft", several tips are given to minimize the risk of such fraud. 5.2 Social Network Managers Those responsible for social networks have an important role: their cooperation is needed to implement mechanisms to fight against impunity when using their platforms to harm the privacy of individuals. It is important that they understand the different national concepts of privacy to implement appropriate measures. They should also take an active supportive role, especially in training and dissemination tasks. 5.3 Individuals I recently heard people wondering if individuals are Novática UPGRADE Vol. XI, No. 1, February

6 ready to live in a world without privacy. Citizens are players, active agents and therefore, have responsibilities 3. Once their responsibilities are set out in new legislation, individuals should know and respect them. However, in the meantime, individuals must be well trained and must develop an awareness of the limits: Users should be required to have sufficient knowledge to assess how much data they wish to reveal. They should be aware that an increasing share of their reputation is on the Internet, that they may not necessarily have generated that content, and they should bear in mind that "the Internet does not forget". Content about users may be circulating in Networks without their consent. Individuals must manage their own reputation and help manage the reputation of others. The Spanish Data Protection Law (LOPD) so far only penalizes companies, but the times we live in require new legislation so that individuals who do not comply with it can also be punished. Implementation of such legislation requires clear ideas, time and resources. Everybody needs to know / rediscover their rights and duties. Thus, it will be necessary to comply with a new code to take advantage of Web 2.0 without causing or suffering any harm. To draw a simple parallel, as drivers we must respect the highway code if we are going to share the roads. If the code is not respected, sanctions are imposed: from fines to imprisonment. To be effective, several mechanisms are needed: Traceability of subsequent events and actions so that privacy violations do not go unpunished. Channels to ensure that people who are referred to, who first provided the content, or who are tagged, are warned that their privacy is being violated. Actions of a regulatory nature have been initiated at an international level. The Article 29 Working Group of the European Commission has made public its intention to regulate data protection in social networks and in other Web 2.0 applications in general. During the 30th International Conference of Data Protection and Privacy a proposal for regulatory provisions in these networks was agreed. The first draft will be discussed at the conference scheduled to take place in Madrid in November Conclusions Current legislation, developed in the early 90s, is not sufficient to protect personal data and privacy in the current environment. The situation has changed since that legislation was approved. Data is no longer kept in files and databases owned by companies or government agencies which also generate, capture, record and process personal data. E-government applications bring new requirements. Data should be shared and available for government agencies and also for private companies to provide effective and efficient quality services. To require consent for each act of transmission would be unmanageable as services need to be provided without delay. What is still unknown is the kind of data that will be needed and who will ensure that the data owners give their consent. The solution proposed by Pierre Trudel is as follows: his trusted domains or shared areas seems to have inspired the implementation and deployment of the Shared Medical Record. Hence, you can recognize the information space (the set of data on the citizen/patient kept in various hospitals, welfare centres, laboratories...), find out who is entitled to access the information if it is necessary for the provision of a service (either the healthcare professionals involved, or the citizen/patient as the data owner), and establish measures to provide effective guarantees (identification, access...). It is worth mentioning that, in this case, there is an authority which is responsible for defining and implementing the "aire de partage" and keeping it operational while providing full safeguards. The case of social networks is different. There is no authority that can define, implement and maintain an "aire de partage". The purpose of this information space changes dynamically as do the access lists. They are maintained by the users themselves, and it is very easy to obtain data. The information space grows and it is difficult to foresee in which direction or purpose. The space continues to grow as users provide new content, new relationships, connections, access... This is why the previous "aires de partage" solution seems to run into difficulties in social networks. Pierre Trudel recognizes that much still needs to be done to characterize these spaces under the control of the citizen. However, new solutions that effectively protect privacy (and which, in turn, enable the development of social networks) are urgently needed. Although this is a complex issue, the first steps have already been taken: The European Commission has started work and has announced its intention to set regulations in this field. Other recent actions include a self-regulatory code for social network providers, presented in 2009 (February 10) or the Recommendation of the Commission (12 May 2009) on the implementation of privacy and data protection principles in applications supported by radio-frequency identification C(2009) But even more activities can be carried out. New players have appeared: individuals. They must be involved in the process so that privacy protection is effective. Spanish Law 1/1982 on civil protection of the right to honour, to personal and family privacy, and one s own image, states that the protection of an individual is defined by laws and social customs. Thus, the scope is that which the individual sets for him or herself, according to that individual s acts. Individuals must therefore consciously design the framework of privacy they want for themselves. Thus, if an Internet user uses Twitter to communicate what he or she is doing at every moment, if he or she constantly publishes photos on Flickr, and uploads his or her videos 42 UPGRADE Vol. XI, No. 1, February 2010 Novática

7 on YouTube, the "private domain" of this individual will be more limited, so it will be difficult to avoid some kind of interference from third parties. It is therefore important for social network users to be aware of the information published, and educated/skilled in "Web 2.0" services. This might prevent the disclosure of certain information they wish to maintain for a more intimate or family sphere. Every individual can publish their own information, which will have an impact on the delimitation of their intimate and other spheres. Individuals can also publish information about others not necessarily social network users (photos, videos, opinions...). Applying a principle of consent to manage these cases of data treatment does not seem very natural. Any new legislation should define the rights and duties of individuals in relation to social networks. According to Alamillo Domingo, I. (2008), "...we must give citizens back control over their data." Thus, in the new legislation, individuals should have the right to protect their personal data and be "cautious" when releasing them on the network. Yet, they should also be obliged to treat the personal data of others with care, using a set of standards and guidelines for action, regardless of whether or not they have the consent of the parties affected. Warning and reporting mechanisms should be simple, rapid and effective to enable online reputation management. Finally, effort in training/education is necessary. The divide in this case becomes extremely dangerous because it affects people s fundamental rights resulting in their being exposed and not knowing how to react. Bibliography P. Trudel. "Améliorer la protection de la vie privée dans l administration électronique : pistes afin d ajuster le droit aux réalités de l État en réseau". Report for the Canadian Ministry of Relationships with Cizitens and Immigration, < egvt/egouvmrci23-06.pdf>. P. Trudel. "État de droit et effectivité de la protection de la vie privée dans les réseaux du e-gouvernement". Paper for the Canadian National Conference on "Technologies, vie privée et justice" organised by the Institut Canadien d Administration de la Justice (ICAJ). Toronto, 28-30/09/2005. < activites/icajviepriv.fr.pdf>. P. Trudel. "Administración electrónica e interconexión de ficheros administrativos en el Estado en red" (egovernment and network interconnections of Public Administrations databases). Revista catalana de dret públic, núm. 35, 2007, < eapc_revistadret/revistes/revista/article /es/at_download/adjunt>. I. Alamillo Domingo. "Identidad en la Red" (Identity in the Net). Revista Investigación y Ciencia: 386, Nov Lluis Torrens. "L estratègia de sistemes d informació del Departament de Salut"." (The Strategy on Health Information Systems Strategy of the Public Health Dept.). Regional Government of Catalonia Public Health Dept. Revista de Sistemes d Informació en Salut, special issue on Shared Clinic Files, < / Social Network Providers et al. "The Safer Social Networking Principles for the EU" (2009). < ec.europa.eu/information_society/activities/social_ networking/docs/sn_principles.pdf>. Spanish Institute of Communications Technologies/ Spanish Data Protection Agency (Inteco/APD). "Study on the Privacy of Personal Data and on the Security of Information in Social Networks". Feb < fcgs9zbyoaq>. Regional Government of Catalonia Public Health Dept. "Shared Clinic Files in Catalonia" ( ). < Universal McCann. "Power to the people Social media tracker. Wave 3" (2008). < share.net/mickstravellin/universal-mccann-international-social-media-research-wave-3>. Commission Recommendation of 12 May 2009 on the implementation of privacy and data protection principles in applications supported by radio- frequency identification. C (2009) < LexUriServ.do?uri=OJ:L:2009:122:0047:0051:EN:PDF>. Spanish Constitution (1978) (namely art. 18). < / Congreso/Informacion/Normas/const_espa_texto_ ingles_0.pdf>. General Assembly of the United Nations (1948). "Universal Declaration of Human Rights". < Novática UPGRADE Vol. XI, No. 1, February