BZPEERReading, trust and collaboration for research
Menu

Discover

GraphFollow connections around a paper, topic or saved view.

Workspaces

HomePick up where your research flow left off.InboxHandle requests, replies and notifications from one place.CollectionsCurate reading lists, evidence sets and shareable dossiers.ResearchSee your private provenance graph, trail and imports.CollaborationMove from discovery into focused discussion rooms.PublishDraft, preview and publish full-text research articles.

Network

ExpertsFind specialists worth following or asking for help.CommunitiesJoin research circles organized around shared work.PartnersSee external organizations active around the same topics.

Opportunities

ListingsBrowse roles, calls and collaborations with clearer fit signals.

Account

Log inReturn to your reading and collaboration workspace.Create accountStart saving work, following people and joining teams.
Log inCreate account

Researcher profile

Shishir Nagaraja

Shishir Nagaraja contributes to research discovery and scholarly infrastructure.

ResearcherAffiliation not importedOpen to collaborate
Cryptography and Securitycs.CYComputer Visioneess.SYHuman-Computer Interactionphysics.soc-phPopulations and EvolutionRoboticsSocial and Information NetworksSystems and Control

Trust snapshot

Quick read

Trust 21 - EmergingVerification L1Unclaimed author
9works
0followers
10topics
4close collaborators

Actions

Decide how to stay connected

Follow researcher0

Identity and collaboration

How to connect with this researcher

Claiming links this public author record to a researcher profile and unlocks direct collaboration workflows.

Log in to claim

Direct collaboration

Open a focused conversation when the fit is right

Claim this author entity first to unlock direct invitations.

Research graph

See the researcher in context

Open full explorer

Inspect adjacent work, topics, institutions and collaborators without jumping out to a separate graph page.

Building this graph slice

BZPEER is loading the nearby papers, people, topics and institutions for this page.

Published work

9 published item(s)

preprint2022arXiv

Dissecting liabilities in adversarial surgical robot failures: A national (Danish) and European law perspective

Over the last decade, surgical robots have risen in prominence and usage. For surgical robots, connectivity is necessary to accept software updates, accept instructions, and transfer sensory data, but it also exposes the robot to cyberattacks, which can damage the patient or the surgeon. These injuries are normally caused by safety failures, as seen in accidents with industrial robots, but cyberattacks are caused by security failures instead. We create a taxonomy for both types of failures in this paper specifically for surgical robots. These robots are increasingly sold and used in the European Union (EU); we therefore consider how surgical robots are viewed and treated by EU law. Specifically, which rights regulators and manufacturers have, and which legal remedies and actions a patient or manufacturer would have in a single national legal system in the union, if injuries were to occur from a security failure caused by an adversary that cannot be unambiguously identified. We find that the selected national legal system can adequately deal with attacks on surgical robots, because it can on one hand efficiently compensate the patient. This is because of its flexibility; secondly, a remarkable absence of distinction between safety vs security causes of failure and focusing instead on the detrimental effects, thus benefiting the patient; and third, liability can be removed from the manufacturer by withdrawing its status as party if the patient chooses a separate public law measure to recover damages. Furthermore, we find that current EU law does consider both security and safety aspects of surgical robots, without it mentioning it through literal wording, but it also adds substantial liabilities and responsibilities to the manufacturers of surgical robots, gives the patient special rights and confers immense powers on the regulators.

0 citations0 reviewsNo code linkedOpen access
preprint2022arXiv

Preventing or Mitigating Adversarial Supply Chain Attacks; a legal analysis

The world is currently strongly connected through both the internet at large, but also the very supply chains which provide everything from food to infrastructure and technology. The supply chains are themselves vulnerable to adversarial attacks, both in a digital and physical sense, which can disrupt or at worst destroy them. In this paper, we take a look at two examples of such successful attacks and consider what their consequences may be going forward, and analyse how EU and national law can prevent these attacks or otherwise punish companies which do not try to mitigate them at all possible costs. We find that the current types of national regulation are not technology specific enough, and cannot force or otherwise mandate the correct parties who could play the biggest role in preventing supply chain attacks to do everything in their power to mitigate them. But, current EU law is on the right path, and further vigilance may be what is necessary to consider these large threats, as national law tends to fail at properly regulating companies when it comes to cybersecurity.

0 citations0 reviewsNo code linkedOpen access
preprint2022arXiv

The Dangers of Computational Law and Cybersecurity; Perspectives from Engineering and the AI Act

Computational Law has begun taking the role in society which has been predicted for some time. Automated decision-making and systems which assist users are now used in various jurisdictions, but with this maturity come certain caveats. Computational Law exists on the platforms which enable it, in this case digital systems, which means that it inherits the same flaws. Cybersecurity addresses these potential weaknesses. In this paper we go through known issues and discuss them in the various levels, from design to the physical realm. We also look at machine-learning specific adversarial problems. Additionally, we make certain considerations regarding computational law and existing and future legislation. Finally, we present three recommendations which are necessary for computational law to function globally, and which follow ideas in safety and security engineering. As indicated, we find that computational law must seriously consider that not only does it face the same risks as other types of software and computer systems, but that failures within it may cause financial or physical damage, as well as injustice. Consequences of Computational Legal systems failing are greater than if they were merely software and hardware. If the system employs machine-learning, it must take note of the very specific dangers which this brings, of which data poisoning is the classic example. Computational law must also be explicitly legislated for, which we show is not the case currently in the EU, and this is also true for the cybersecurity aspects that will be relevant to it. But there is great hope in EU's proposed AI Act, which makes an important attempt at taking the specific problems which Computational Law bring into the legal sphere. Our recommendations for Computational Law and Cybersecurity are: Accommodation of threats, adequate use, and that humans remain in the centre of their deployment.

0 citations0 reviewsNo code linkedOpen access
preprint2022arXiv

The Opportunity to Regulate Cybersecurity in the EU (and the World): Recommendations for the Cybersecurity Resilience Act

Safety is becoming cybersecurity under most circumstances. This should be reflected in the Cybersecurity Resilience Act when it is proposed and agreed upon in the European Union. In this paper, we define a range of principles which this future Act should build upon, a structure and argue why it should be as broad as possible. It is based on what the cybersecurity research community for long have asked for, and on what constitutes clear hard legal rules instead of soft. Important areas such as cybersecurity should be taken seriously, by regulating it in the same way we see other types of critical infrastructure and physical structures, and be uncompromising and logical, to encompass the risks and potential for chaos which its ubiquitous nature entails. We find that principles which regulate cybersecurity systems' life-cycles in detail are needed, as is clearly stating what technology is being used, due to Kirkhoffs principle, and dismissing the idea of technosolutionism. Furthermore, carefully analysing risks is always necessary, but so is understanding when and how the systems manufacturers may fail or almost fail. We do this through the following principles: Ex ante and Ex post assessment, Safety and Security by Design, Denial of Obscurity, Dismissal of Infallibility, Systems Acknowledgement, Full Transparency, Movement towards a Zero-trust Security Model, Cybersecurity Resilience, Enforced Circular Risk Management, Dependability, Hazard Analysis and mitigation or limitation, liability, A Clear Reporting Regime, Enforcement of Certification and Standards, Mandated Verification of Security and Continuous Servicing. To this, we suggest that the Act employs similar authorities and mechanisms as the GDPR and create strong national authorities to coordinate inspection and enforcement in each Member State, with ENISA being the top and coordinating organ.

0 citations0 reviewsNo code linkedOpen access
preprint2022arXiv

When is Software a Medical Device? Understanding and Determining the 'Intention' and Requirements for Software as a Medical device in EU law

The role of software in society has changed drastically since the start of the 21st century. Software can now partially or fully facilitate anything from diagnosis to treatment of a disease, regardless of whether it is psychological or pathological, with the consequence of software being comparable to any other type of medical equipment, and this makes discovering when software must comply with such rules vital to both manufacturers and regulators. In lieu of the Medical Device Regulation we expand on the idea of intention, and identify the criteria software must fulfil to be considered medical devices within EU-law.

0 citations0 reviewsNo code linkedOpen access
preprint2022arXiv

YASM (Yet Another Surveillance Mechanism)

Client-Side Scanning (CSS) see in the Child Sexual Abuse Material Detection (CSAMD) represent ubiquitous mass scanning. Apple proposed to scan their systems for such imagery. CSAMD was since pushed back, but the European Union decided to propose forced CSS to combat and prevent child sexual abuse and weaken encryption. CSS is mass surveillance of personal property, pictures and text, without considerations of privacy and cybersecurity and the law. We first argue why CSS should be limited or not used and discuss issues with the way pictures cryptographically are handled and how the CSAMD preserves privacy. In the second part, we analyse the possible human rights violations which CSS in general can cause within the regime of the European Convention on Human Rights. The focus is the harm which the system may cause to individuals, and we also comment on the proposed Child Abuse Regulation. We find that CSS is problematic because they can rarely fulfil their purposes, as seen with antivirus software. The costs for attempting to solve issues such as CSAM outweigh the benefits and is not likely to change. The CSAMD as proposed is not likely to preserve the privacy or security in the way of which it is described source materials. We also find that CSS in general would likely violate the Right to a Fair Trial, Right to Privacy and Freedom of Expression. Pictures could have been obtained in a way that could make any trial against a legitimate perpetrator inadmissible or violate their right for a fair trial, the lack of any safeguards to protect privacy on national legal level, which would violate the Right for Privacy, and it is unclear if the kind of scanning could pass the legal test which Freedom of Expression requires. Finally, we find significant issues with the proposed Regulation, as it relies on techno-solutionist arguments and disregards knowledge on cybersecurity.

0 citations0 reviewsNo code linkedOpen access
preprint2020arXiv

Secure Calibration for Safety-Critical IoT: Traceability for Safety Resilience

Secure sensor calibration constitutes a foundational step that underpins operational safety in the Industrial Internet of Things. While much attention has been given to IoT security such as the use of TLS to secure sensed data, little thought has been given to securing the calibration infrastructure itself. Currently traceability is achieved via manual verification using paper-based datasheets which is both time consuming and insecure. For instance, when the calibration status of parent devices is revoked as mistakes or mischance is detected, calibrated devices are not updated until the next calibration cycle, leaving much of the calibration parameters invalid. Aside from error, any party within the calibration infrastructure can maliciously introduce errors since the current paper based system lacks authentication as well as non-repudiation. In this paper, we propose a novel resilient architecture for calibration infrastructure, where the calibration status of sensor elements can be verified on-the-fly to the root of trust preserving the properties of authentication and non-repudiation. We propose an implementation based on smart contracts on the Ethereum network. Our evaluation shows that Ethereum is likely to address the protection requirements of traceable measurements.

0 citations0 reviewsNo code linkedOpen access
preprint2020arXiv

Unlinking super-linkers: the topology of epidemic response (Covid-19)

A key characteristic of the spread of infectious diseases is their ability to use efficient transmission paths within contact graphs. This enables the pathogen to maximise infection rates and spread within a target population. In this work, we devise techniques to localise infections and decrease infection rates based on a principled analysis of disease transmission paths within human-contact networks (proximity graphs). Experimental results of disease spreading shows that that at low visibility rates contact tracing slows disease spreading. However to stop disease spreading, contact tracing requires both significant visibility (at least 60%) into the proximity graph and the ability to place half of the population under isolation. We find that pro-actively isolating super-links -- key proximity encounters -- has significant benefits: targeted isolation of a fourth of the population based on 35% visibility into the proximity graph prevents an epidemic outbreak. It turns out that isolating super-spreaders is more effective than contact tracing and testing but less effective than targeting super-links. We highlight the important role of topology in epidemic outbreaks. We argue that proactive innoculation of a population by disabling super-links and super-spreaders may have an important complimentary role alongside contact tracing and testing as part of a sophisticated public-health response to epidemic outbreaks.

0 citations0 reviewsNo code linkedOpen access
preprint2011arXiv

Who clicks there!: Anonymizing the photographer in a camera saturated society

In recent years, social media has played an increasingly important role in reporting world events. The publication of crowd-sourced photographs and videos in near real-time is one of the reasons behind the high impact. However, the use of a camera can draw the photographer into a situation of conflict. Examples include the use of cameras by regulators collecting evidence of Mafia operations; citizens collecting evidence of corruption at a public service outlet; and political dissidents protesting at public rallies. In all these cases, the published images contain fairly unambiguous clues about the location of the photographer (scene viewpoint information). In the presence of adversary operated cameras, it can be easy to identify the photographer by also combining leaked information from the photographs themselves. We call this the camera location detection attack. We propose and review defense techniques against such attacks. Defenses such as image obfuscation techniques do not protect camera-location information; current anonymous publication technologies do not help either. However, the use of view synthesis algorithms could be a promising step in the direction of providing probabilistic privacy guarantees.

0 citations0 reviewsNo code linkedOpen access