E-Privacy

This fellowship supported my work in updating to the IEEE 802.11 standard to prevent a recently discovered security weakness. This weakness is related to mesh networks, where, without extra defenses, an adversary could inject arbitrary packets into protected mesh networks. We designed a defense to mitigate this challenging gap. Unique about our created defense is that it is fully backward compatible, meaning each individual mesh client can independently enable this defense. As a proof-of-concept, we also implemented this defense in the Linux kernel to demonstrate practicality and confirm it prevents attacks.
 

This fellowship targets consumer-centric privacy by design in international standards work. Moreover, the Specific priorities, gaps and challenges identified are: 

• Consumer trust and privacy gaps: Fragmented practice and fast-moving online services erode user trust; legal principles (e.g., privacy by design, accountability) are not consistently translated into usable, testable requirements. 
• Stakeholder involvement: Consumer organisations and SMEs face high barriers to engage in lengthy, technical processes; national mirrors vary widely in how consumer voices are integrated. 
• Skills & usability deficits: Lack of shared patterns (consent, transparency UX, data control) and uneven digital skills hinder meaningful participation and compliant implementations. 
• Landscape fragmentation: Overlapping activities across SDOs make it hard for newcomers to find entry points, slowing delivery on e-privacy, safety, and transparency outcomes. 

How the fellowship addressed these

This fellowship supports my engagement as the chair of Chair of  ISO/IEC JTC 1/SC 44. The group’s Strategic Business Plan (SBP) aims to respond the the challenges identified above in the following manners: 

• Th TC establishes an inclusive, modular work approach that supplements ISO 31700-1 with smaller, technology-/sector-specific deliverables—lowering thresholds for participation and speeding time-to-impact on safety, transparency, and e-privacy. 
• Low-threshold stakeholder mechanisms: Communications/outreach plan and light-touch consultation formats to systematically bring in consumer groups and civil society, aligned with ISO/COPOLCO and relevant liaisons. 
• SME: A stepwise, outcome-oriented approach envisaged in the SBP to accommodate different maturity levels and resource constraints, easing adoption by SMEs. 
• Early scoping of verticals: Following the September 2025 SC 44 meetings in Kunming, first preliminary work is being initiated with additional verticals to follow.

The fellowship tackles the lack of international, or European, standard or technical specification that focuses explicitly on privacy and data protection capabilities of DLT systems. With this regards, ISO TS 24946 “Requirements and guidance for improving, preserving, and 
assessing the privacy capability of DLT systems” has now reached CD stage (July 2025) and will endeavour to move through this process and be completed in 2026. This process requires continued support from experts to ensure delivery, as scheduled. In this sense, the priority of this activity focuses  at the European level, CEN/CENELEC  JTC 19/WG3 to produce a European standard on PII protection within DLT which is strongly influenced by ‘DIN Spec 4997 - Privacy by Blockchain Design’ and the aforementioned ISO TS 24946. This European specification will seek to harmonise the GDPR and recent EDPB guidance to produce a technical specification intended for the European DLT ecosystem. 
This European specification will provide much needed clarity for the DLT ecosystem as regards data protection and privacy capabilities, affordances, and assessment. Further harmonisation between the international specification at ISO and the European standard will support interoperability, and ensure that privacy and data protection capabilities are harmonised globally. The main challenges concerns exacting requirements from regulations such as Article 76(3) of MiCAR, as well as Article 79(1) of the European AMLR will require navigation. Standards 
require alignment and compatibility with those legal texts, as well as corresponding regulations regarding personal data, data markets, and trust services (e.g., GDPR, Data Act, eIDAS2). Ensuring there are no gaps between regulatory texts and the proposed European standards will be a primary focus. Also, it must be ensured that there are no substantial gaps between international specifications and European standards will be the second focus. Standards alignment between ISO and CEN/CENELEC is viewed as a key outcome to benefit the global DLT ecosystem, and one that requires strong consensus building, given slightly different international privacy perspectives and preferences.

The expected impact of the project is to provide stakeholders with a certification as defined in article 42 of the GDPR, thus improving trust between actors in a context of PII processing.

I estimate that digital identities, and the way to ensure appropriate levels of assurance and handling of corresponding credentials, are key for the digital society.

SME’s will be encouraged to build services on the wallet when there are key benefits for wallet holder focusing on privacy and security when sharing personal data.