Introduction to Privacy and Privacy Engineering


Dr. Ian Oliver, EIT Summer School, August 2014, Finland

Contents

- WHY learn about privacy?
- PHILOSOPHY of privacy
- LEGAL aspects of privacy
- ENGINEERING aspects of privacy
- FOUNDATIONAL aspects of privacy
- Supporting Material

WHY learn about privacy

- The dominating issue regarding information systems at the moment
- Increased public awareness of surveillance
- Business and economic reasons
- Trust


PHILOSOPHY

- The Right To Be Let Alone
- "The Right to Privacy" (Warren and Brandeis, 1890)

PHILOSOPHY

- From where comes privacy?

PHILOSOPHY

- "a person may be identified directly by name or indirectly by a telephone number, a car registration number, a social security number, a passport number or by a combination of significant criteria which allows him to be recognized by narrowing down the group to which he belongs (age, occupation, place of residence, etc.)"
- Source: WP29, Opinion 4/2007 on the concept of personal data

PHILOSOPHY

- Does "privacy" exist?
- If so, what does it mean?
- If not, what does that mean?


PHILOSOPHY    

Wisdom  

Knowledge  

Information  

Data  

Noise  

PHILOSOPHY

- Discuss:
  - Personal privacy
  - Information privacy
  - Expectation of privacy within technology
  - Social media, sharing, surveillance
  - "Nothing to Fear, Nothing to Hide"
  - Limits of privacy and the acceptable loss of privacy
  - Privacy as an innovator

PHILOSOPHY

- Privacy as:
  - A Principle
  - A Legal Discipline
  - An Engineering Discipline
  - An Economic Aspect

PHILOSOPHY

- Privacy by Design (PbD) Principles
  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default Setting
  3. Privacy Embedded into Design
  4. Full Functionality — Positive-Sum, not Zero-Sum
  5. End-to-End Security — Full Lifecycle Protection
  6. Visibility and Transparency — Keep it Open
  7. Respect for User Privacy — Keep it User-Centric
- Semantic Gap Between PbD and Engineering (we concentrate here)

LEGAL

- Terminology
  - Personal Data / Personally Identifiable Data (PII)
  - Sensitive Data
  - Traffic Data

LEGAL

- Compliance and Laws
  - EU Data Protection / WP29
  - US Data Protection: COPPA, HIPAA, SOX, Safe Harbor
- Usage and Purpose versus Collection

LEGAL

- Specific Examples
  - Privacy Policies
  - Secondary Data Collection
  - Opt-in & Opt-out
  - Defaults
  - Necessity
  - Tracking
  - Browser Cookies
  - Data Transfers
  - Data Retention
- Conflicts
  - EU-US Data Transfers
  - Encryption or not?
  - Trade Compliance
  - Business need versus Personal need
  - Information Asymmetry

ENGINEERING

- Case Study
- Data Flow Modelling
- Ontologies and Definitions
- Requirements
- Notice and Consent
- Risk
- PETS
- Maxims

ENGINEERING case study

Motivating Example: High-Level View / Detailed View

ENGINEERING case study

Information systems

…for some definition of information

ENGINEERING an analogy

Information is a material

ENGINEERING data flow

Data Flow Modelling: Basic Syntax; Annotations: protocols, content

ENGINEERING data flow example

ENGINEERING ontologies

Ontology and Terminology

- The mechanisms by which languages are agreed upon
- Lawyer – Engineer communication
- Terminological Definitions

ENGINEERING ontologies

What do the following statements actually mean?

- Personal Data
- Personally Identifiable Data
- Location Data
- Field
- Data set

ENGINEERING ontologies

Semantics

ENGINEERING ontologies - modelling

ENGINEERING ontologies - security

Security classes: (Unclassified), Secret, Confidential, Internal, Public

ENGINEERING ontologies - information

- Type Theory
- Information type vs Machine type / Programming language type
- Structures
- Example: is { lat:float, long:float } a
  - Location
  - A struct of two reals?
  - Neither
- Context

ENGINEERING ontologies - identifiers

ENGINEERING ontologies - further…

ENGINEERING ontologies - identification

- Unauthenticated
- Observed
- Authenticated (*)
- Proven

ENGINEERING identifiability

ENGINEERING requirements

ENGINEERING notice & consent

- Calculation of the Agreement from the DFD
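As an added illustration (not the slides' own tooling) of calculating the agreement from the DFD: each flow carries the annotation vocabulary used on the discussion slide (security class, information type, identity level, provenance, purpose, usage), and the agreement is the set of (information type, purpose, usage) terms the data subject has to be told about. The identity-level ordering and the opt-in rule for identified secondary flows are assumptions made for the example.

```python
from dataclasses import dataclass

# Identification levels from the slides, weakest to strongest (assumed ordering).
IDENTITY_LEVELS = ["unauthenticated", "observed", "authenticated", "proven"]

@dataclass(frozen=True)
class Flow:
    """One arrow of the DFD, annotated with the slides' vocabulary."""
    source: str
    target: str
    info_types: frozenset   # e.g. Content, Identity, Location, Temporal
    identity: str           # one of IDENTITY_LEVELS
    provenance: str         # whose data this is
    purpose: str            # "Primary" or "Secondary"
    usages: frozenset       # e.g. Product Improvement
    security_class: str     # Public, Internal, Confidential, Secret

# Constructed DFD: the user's data reaches the service and two onward parties.
DFD = [
    Flow("User", "Service", frozenset({"Content", "Identity"}), "authenticated",
         "User", "Primary", frozenset({"Service Delivery"}), "Confidential"),
    Flow("Service", "Analytics", frozenset({"Location", "Temporal"}), "observed",
         "User", "Secondary", frozenset({"Product Improvement"}), "Internal"),
    Flow("Service", "Ad Partner", frozenset({"Identity", "Location"}), "authenticated",
         "User", "Secondary", frozenset({"Marketing"}), "Internal"),
]

def agreement(dfd, data_subject="User"):
    """The notice must cover every distinct (info type, purpose, usage) on the subject's data."""
    terms = {(t, f.purpose, u)
             for f in dfd if f.provenance == data_subject
             for t in f.info_types for u in f.usages}
    return sorted(terms)

def max_identification(dfd, data_subject="User"):
    """Strongest identity level at which the subject's data leaves the collector."""
    levels = [IDENTITY_LEVELS.index(f.identity)
              for f in dfd if f.provenance == data_subject and f.source != data_subject]
    return IDENTITY_LEVELS[max(levels)] if levels else None

def secondary_identified_flows(dfd, data_subject="User"):
    """Assumed policy rule: a secondary-purpose flow still carrying Identity needs its own opt-in."""
    return [(f.source, f.target) for f in dfd
            if f.provenance == data_subject and f.purpose == "Secondary"
            and "Identity" in f.info_types]
```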

ENGINEERING - risk

ENGINEERING - evaluating risk

- Failure Mode and Effect Analysis
- Root Cause Analysis
- STRIDE: Threat Assessment

ENGINEERING - PETS

- Hashing
- Encryption
- Dataset Partitioning
- Tokenisation
- k-anonymity
- l-diversity, t-closeness, differential privacy
- BASIC GOOD OLD FASHIONED SECURITY
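An added worked example (not from the slides) of the k-anonymity and l-diversity PETs listed above: a constructed patient table is generalised on its quasi-identifiers (age, postcode) until every equivalence class holds at least k rows and carries at least l distinct sensitive values. The records, bucket sizes and search order are all assumptions of the example.

```python
from collections import defaultdict

# Constructed sample table: (age, postcode, diagnosis). Diagnosis is the
# sensitive attribute; age and postcode are the quasi-identifiers that
# could be cross-referenced with a public dataset to re-identify a row.
RECORDS = [
    (34, "00120", "flu"),
    (36, "00125", "asthma"),
    (38, "00129", "flu"),
    (51, "00530", "diabetes"),
    (55, "00537", "flu"),
    (58, "00531", "asthma"),
]

def generalise(record, age_bucket, postcode_digits):
    """Coarsen the quasi-identifiers: age to a range, postcode to a prefix."""
    age, postcode, sensitive = record
    lo = (age // age_bucket) * age_bucket
    age_range = f"{lo}-{lo + age_bucket - 1}"
    prefix = postcode[:postcode_digits] + "*" * (len(postcode) - postcode_digits)
    return (age_range, prefix), sensitive

def equivalence_classes(records, age_bucket, postcode_digits):
    """Group rows that become indistinguishable after generalisation."""
    classes = defaultdict(list)
    for rec in records:
        qi, sensitive = generalise(rec, age_bucket, postcode_digits)
        classes[qi].append(sensitive)
    return dict(classes)

def k_anonymity(classes):
    """Largest k such that every equivalence class holds at least k rows."""
    return min(len(rows) for rows in classes.values())

def l_diversity(classes):
    """Largest l such that every class has at least l distinct sensitive values."""
    return min(len(set(rows)) for rows in classes.values())

def release(records, k, l):
    """Search finer-to-coarser generalisations; return (age_bucket, postcode_digits,
    classes) for the first one meeting both targets, or None if none does."""
    for digits in (5, 4, 3, 2, 1, 0):
        for bucket in (1, 5, 10, 20, 50):
            classes = equivalence_classes(records, bucket, digits)
            if k_anonymity(classes) >= k and l_diversity(classes) >= l:
                return bucket, digits, classes
    return None
```

With this table, 3-anonymity with 2-diversity is reachable at 10-year age ranges and a 4-digit postcode prefix, while 3-diversity is not reachable at all because the two age groups never merge: a reminder that k alone says nothing about what the sensitive column reveals.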

ENGINEERING maxims

- Don't collect what you don't use
- If it looks like PII, it probably is PII, so treat it as PII
- Don't shock the user
- Location data isn't just GPS co-ordinates
- Good security does not mean good privacy, but good privacy doesn't come without good security
- All information can be transformed and cross-referenced into whatever you need
- Security through Obscurity, Privacy through PowerPoint and Policies...

FOUNDATIONAL

- Information Theory
- Syntax, Semantics
- Entropy

PROJECT EVALUATION

Demonstrate:

- Understanding of who the data subject is
- Where the data is flowing for various use cases through data flow modelling
- What:
  - is the level of identification of the data subject
  - are the usages and purposes of
  - are the information types being carried
  - is the logical architecture or structure of the system
- A risk analysis based on the given taxonomy of risks

SUPPORTING MATERIAL

- The Privacy Engineer's Manifesto, Dennedy, Fox & Finneran
- Understanding Privacy, Solove
- Privacy in Context, Nissenbaum
- Applied Cryptography, Schneier

SUPPORTING MATERIAL

Ian Oliver (2014), Privacy Engineering: A Dataflow and Ontological Approach, ISBN: 9781497569713

Twitter: @i_j_oliver
Blog: http://ijosblog.blogspot.fi

DISCUSSION

[Data flow diagram: Lecturer (<<data subject>>, "ME") and Audience ("YOU"); flows <<speech, email, etc>> between them; processes <<reading, listening>>, <<crossreferencing>> Thinking, <<weird brain processes>>, <<neurons>>; stores Local Knowledge and References. Flow annotation: security class: Public; information type: Content, Identity, Location, Temporal; Identity: authenticated (1); Provenance: User; Purpose: Primary; Usage: Product Improvement, Future; node: Human Lecturer.]
