Papers and Statements

CEPIS signs open letter to EU Commissioners on Deep Packet Inspection

Internet access service providers are increasingly using Deep Packet Inspection (DPI) technology for traffic management and differentiated pricing of specific services or applications as part of their product design. DPI inspects in detail the data being sent over a computer network and blocks, reroutes or logs data according to necessity. Most often users are not consulted or informed about the use of DPI.
That is why an open letter to the European Commission was initiated by EDRi, and another 12 organisations from all over Europe signed the letter in support. These concerns align with those of CEPIS. On the initiative of the LSI SIN, CEPIS has added its voice to the signatories of this letter.

CEPIS calls for really secure ICT hardware and software in Europe

Even in 2018, there are still basic information security deficits in Europe: confidentiality, integrity and also availability of data from authorities, companies and private individuals are still not guaranteed. Moreover, countless security holes are the gateway to successful attacks on data and digital infrastructures. With reference to the research of its German Member Society Gesellschaft für Informatik e.V., CEPIS calls for finally ending the decades-long insecurity of marketable PC and server processors and software.

CEPIS calls for really secure ICT hardware and software in Europe

Best Practices for a journey towards secure cyberspace

This statement collects and comments on official documents aiming towards a secure cyberspace. Its aim is to be a backgrounder for the statements on good or bad practice with regard to cybersecurity that can be derived from its “Conclusion” section.

Best practices for a journey towards secure cyberspace

CEPIS Comments on New regulation on European Union Network and Information Security Agency (ENISA)

Letter from the CEPIS President Commenting on the New Cybersecurity Package

Critical technological dependency requires a revised privacy policy of major service providers, 2016

CEPIS strongly defends the principle that new ICT technologies should guarantee the privacy of their potential users prior to their introduction.

Critical technological dependency requires a revised privacy policy of major service providers

Report on the EU Cloud Security Workshop: Building Trust in Cloud Services – Certification and Beyond, 2016

The EU cloud security workshop, subtitled Building Trust in Cloud Services – Certification and Beyond, was held on 18 March 2016 in Brussels. There were approximately 50 participants from the EU, industry and academia.

Report on the EU Cloud Security Workshop: Building Trust in Cloud Services – Certification and Beyond

Position on the Electronic identification and trust services (eIDAS), 2015

The next generation of eIDs could bring strong and efficient data protection to European citizens. In the electronic identification and trust services environment for electronic transactions, the realization of identification and authentication using an eID should prevent tracking of users.

Position on the Electronic identification and trust services (eIDAS)

Statement on Supporting High-level Decision Making on Cyber Security and Privacy Protection with Reliable Data, 2014

There is no doubt that both privacy protection and cyber security (i.e. addressing the problem of security of cyberspace on a national or international level) have achieved some recognition from governments and international bodies. Subsequently, the need for various high-level decisions highlights the importance of proper fundamentals for such decision making.

Statement on Supporting High-level Decision Making on Cyber Security and Privacy Protection with Reliable Data

Assisting EU Citizens with Reliable ICT Security Information, 2013

European citizens are used to sharing their information on the web, be it personal or professional, on a daily basis. However, they are often unaware of the security risks that come with sharing data online. This is particularly problematic given the rise of ICT security breaches and large-scale data collection, as reported in the media. In this context, this CEPIS LSI SIN statement calls on policy-makers – at the European and national level – to take action to ensure that all citizens have access to trustworthy information regarding ICT threats. The paper outlines 8 key recommendations to help equip citizens with reliable ICT information.

Statement: Assisting EU Citizens with Reliable ICT Security Information

Statement on the Future EU Data Protection Regulation, 2013

This statement discusses the draft EU General Data Protection Regulation proposed by the European Commission to replace the current Data Protection Directive adopted in 1995. In this statement CEPIS expresses its support for the Data Protection in Europe statement and highlights a series of issues to take into consideration with regard to data protection and privacy. For instance, pseudonymisation, anonymisation and encryption should not be misunderstood as a replacement for data protection by regulation or as a reason to lower the level of data protection regulation in Europe.

Read the CEPIS Statement on the draft EU General Data Protection Regulation

Cloud Computing Security and Privacy Statement, 2011

This statement explores the security and privacy implications associated with Cloud Computing. It examines areas such as the loss of control over data and dependence on the Cloud Computing provider and outlines the related issues. CEPIS provides 15 recommendations on measures that should be taken to deal with the risks and privacy invasion factors of Cloud Computing.

Statement: Cloud Computing Security and Privacy Issues

This statement has also been translated into Greek by the CEPIS Member Society, Hellenic Professionals Informatics Society (HePIS), and translated into Spanish by Asociación de Técnicos de Informática (ATI).

Download the Statement in Greek

Download the Statement in Spanish

Letter of support on data protection in the framework of police and judicial cooperation in criminal matters to the European Data Protection Supervisor Peter Hustinx, 2009

With full credit to the outstanding work of the European Data Protection Supervisor, CEPIS would like to support the encouragement of the EDPS for the EU institutions to take part in the reflections on further improvements of the framework for data protection in law enforcement. CEPIS supports the concerns expressed with regard to the general data protection framework for police and judicial cooperation and urges the Council of the European Union to take further steps to increase the level of protection provided by the new legal instrument.

Click here for the full letter

Privacy-Consistent Banking Acquisition Statement, 2009

This statement outlines the practice that has developed within some banks in Europe to acquire more information than necessary about their clients. This practice presents a serious threat to the protection of the privacy of European citizens, in particular with respect to the principle of proportionality of data. The statement includes recommendations to address this situation and bring both the acquisition and access to data in line with European privacy regulations.

Privacy-Consistent Banking Acquisition Statement

Social Networks - Problems of Security and Data Privacy Statement, 2008

This paper, together with its associated background paper, explores the Security and Privacy issues with Social Networking sites from both a business and personal perspective. At a time when the use or misuse of personal data is said to be of great concern to the citizen, this same citizen may voluntarily place his information on social network sites and see no contradiction. The extent to which this information may be mined for other purposes is unclear. In a corporate environment the use of social software as a part of the business process brings security issues which require a new security model. Some recommendations are made for the way forward.

Social Networks – Problems of Security and Data Privacy Statement

Social Networks – Problems of Security and Data Privacy: Background Paper

Position paper on data retention, 2008

The second statement on data retention discusses new issues that have arisen since the adoption of the data retention Directive. The major concerns include the period of time for which data can be retained, the security of stored data, mutual cooperation between service providers and the authorities and the reimbursement of costs. Moreover, the paper makes recommendations on the definitions of “serious crime”, retained data, the problem of communicating content information, a shorter retention period, secure storage and transfer of data and reimbursement of costs.

Position paper on data retention

Authentication approaches for on-line banking, 2007

The statement discusses authentication and security issues of on-line banking. The popularity and wide use of on-line banking can lead to abuses, activities by malicious and criminal users and a rise in organised criminal attempts (e.g. phishing). The statement surveys contemporary authentication approaches used by European banks and points out that complex and error-prone security measures do not provide any security improvement, but rather discourage or prevent users from easily entering the electronic market place. The recommendations are targeted at different parties, i.e. banks and other financial institutions and organizations, governments and regulators, professionals and customers. For each group specific recommendations are suggested.

CEPIS Position on Authentication Approaches for Online Banking

CEPIS Position on Authentication Approaches for Online Banking: Background Paper

Data Retention has Serious Consequences, 2004

The original data retention statement from 2004 discusses the protection of citizens' privacy and major problems in the technical and financial realization of data retention of such a vast scope. The recommendations include the reduction of the retention time and the amount of the retained data. Additionally, the costs for the necessary data retention facilities should be put into public hands by law.

Data retention has serious consequences

E-commerce, 1999

In the statement, published in 1999, e-commerce is considered as a desirable development given appropriate governmental and societal regulation and discipline. Specifically, the development of appropriate standards and generally accepted codes of good practice and codes of conduct are recommended. Associated with these should be the institution of competent complaint boards and other forms of assistance.

CEPIS Position Statement: Electronic Commerce

Crypto Statement, 1996

The statement on the control of encryption was issued in 1996. It discusses whether the import, export and production of cryptographic tools, as well as their use, should be restricted. Recommendations were proposed regarding the unrestricted use of cryptography for certain purposes, the ability of all individuals and organisations in the private and public sectors to use cryptography, not reducing the opportunities for individuals or organizations in the private and public sectors, and on an agreement of governments on a policy relating to their access to computerized data.

Policy Statement: Governmental Restrictions on Encryption Products Put Security at Risk