Disclaimer
The views expressed in this presentation are my own and are not provided in my capacity as Chief Technology Officer for Microsoft Canada Co.
Outline
Privacy Context
Implementing for Privacy
The Hard Problems
Privacy
“the right to control access to one's person and information about one's self.”
Privacy Commissioner of Canada, speech at the Freedom of Information and Protection of Privacy Conference, June 13, 2002
The Context Of Privacy Compliance
COMPLIANCE
Sarbanes-Oxley: fiscal accountability for all public companies
Personal Information Protection and Electronic Documents Act (PIPEDA)
U.S. PATRIOT Act: customer documentation requirements in order to “know your customer”
Freedom of Information, Privacy Protection Act: BC law for protection of personal information
Health Insurance Portability and Accountability Act (HIPAA): right to carry insurance between jobs; privacy of patient information
California SB 1386: law requiring customer notification if their personal data was, or was believed to be, compromised
Gramm-Leach-Bliley Act (GLBA): privacy of financial information
Personal Health Information Protection Act (PHIPA): Ontario law for protection of personal health information
Impact of Non-Compliance
Loss of Revenue
Damage to Investor Confidence
Damage to Reputation
Personal Liability
Interruption of Business Processes
Damage to Customer Confidence
Legal Consequences
Regulatory Penalties & Fines Grid
Name of Regulatory Mandate | Some Potential Penalties              | Potential Fines
SOA                        | 20 years in prison                    | $15 million
HIPAA                      | 10 years in prison                    | $250,000
GLBA                       | 10 years in prison                    | $1 million
Patriot Act                | 20 years in prison                    | $1 million
California SB 1386         | Unfair trade practice law penalties   | Private civil and class actions; unfair trade practice law fines
PIPEDA                     |                                       | Up to $100,000
FOIPPA                     |                                       | Up to $500,000
PHIPA                      |                                       | $50,000 for an individual and $250,000 for a corporation, + damages
SEC Rule 17a-4             | Suspension/expulsion                  | $1 million+
Privacy Challenges
Spotlight on PIPEDA / PHIPA / FOIPPA
Policy interpretations are still emerging
Relationship to security services misunderstood
Privacy often implemented in a binary manner
Privacy metrics developing
Privacy often driven by popular opinion
Focus on privacy enhancing technologies
Designing for Privacy
Implement for all privacy principles
Privacy implementations require defence in depth
A risk managed approach should be taken
Solutions must provide privacy policy agility
Privacy and security must be viewed as related but not dependent
Use existing technology in privacy enhancing ways
Implement for all Privacy Principles
Accountability
Notice (identification of purpose)
Consent
Limit Collection & Use
Disclosure of transfer
Retention Policies
Accuracy
Safeguards
Openness
Individual Access
Challenging Compliance
Implement a Defence in Depth
– Engages the entire business for success
– Allows for the allocation of controls outside of IT
Diagram: layered controls consisting of Legislation, Policies, Procedures, Physical Controls, Application Features and Inherent System Capabilities
Use a Risk Managed Approach
Privacy Impact Assessments provide insight into how PII is handled in the design or redesign of solutions and identify areas of potential risk
(example: SLAs for privacy principles)
Design for Agility
Interpretations of privacy policy continue to evolve, and it is essential that solutions are agile enough to meet existing and emerging privacy policies
Avoid solutions that are difficult to migrate from
– E.g. bulk encryption
Privacy Agility
Diagram: a solution range plotted against a security axis (Fully Secure to Non-Secure) and a privacy axis (Anonymous to Full Disclosure), with the position of Public Opinion marked
Use existing technology in privacy enhancing ways
Tendency to purchase solutions to solve compliance needs
Many privacy compliance activities can be met with existing technologies
E.g. notices, consent mechanisms, limiting collection
Security and Privacy Foundations
Timeline diagram of security and privacy milestones, dated from 50 BC and 1940 through the late 60s, 1973, 1975, the 1980s, 1983, 1986, 1993, 1994, 1996, 2001 and 2002. Milestones shown: Data Marking, Rules based Approach, Bell-LaPadula, Biba, Risk Management Approach, Threat Risk Assessment, Security Safeguards Evaluation Scheme, Security Policies, Data Marking for Privacy, Rules based approach (for privacy), Privacy Legislation, Privacy Enhancing Technologies, Privacy Impact Assessment, Privacy Policies
Hard Problems
In the late 70s a group of computer security experts defined the hard problems in computer security
These were re-assessed in the late 90s by a number of groups
Hard Problems in Computer Security
Intrusion and Misuse Detection / Response
Security of mobile code
Controlled sharing of sensitive information
Covert channel control
Testability of software
Denial of service prevention
Security management infrastructure
Secure system composition
High assurance development
Metrics for security
Multi-level security
http://www.infosec-research.org/docs_public/IRC-HPL-as-released-990921.doc
http://www.nitrd.gov/pubs/200311_grand_challenges.pdf
Why do the same for Privacy?
Provides a foundation for research efforts
Sets a context for system design
Progress has been made on the tough problems in computer security
Privacy Hard Problems
1. Work factors (level of effort) for linkability
2. Minimum sets for unlinkability
3. Assurance levels
4. Re-anonymization
5. Intuitive consent
6. Ontology for privacy contexts
7. PII location tracing
8. PII consent revocation
9. Authoritative source definition
10. Information model for privacy
Work Factors for Linkability
Not all PII is equally descriptive (e.g. SIN vs name)
Leveraging different types of PII requires varying degrees of effort
– Linking to an individual
– Establishing value
Current safeguards tend to treat all PII as equal
As in security safeguards, resource efficiencies may be gained if a work factor approach can be taken to the deployment of safeguards
Minimum Sets for Unlinkability
Aggregation of data presents a significant challenge in the privacy space
Often only a few pieces of individually non-PI data can provide a high probability of identification
Determining the relative probability of identification of sets of data will assist in safer data sharing or automatic ambiguization of data sets
Assurance Levels for Privacy Solutions
Different levels of assurance are required for security safeguards, typically depending on the confidence required in the transaction (e.g. trusted policy mediation)
Can the same philosophy be applied to the privacy environment?
– E.g. database perturbation
Re-anonymization
Current safeguards work on the assumption that data leakages are absolute
Some large content providers have been successful in removing licensed content
Can a process be developed to regain anonymity following a data leakage?
Intuitive Privacy Consent
While consent is a fundamental tenet of data privacy, users still do not fully understand privacy notices
How can privacy notices provide the user with greater insight into the management of their PII?
Ontology for Privacy Contexts
Individuals are often comfortable providing PII depending on the context of its use (purpose description)
– Entertainment, Financial, Health, Employer
Sharing between contexts provides an opportunity for enhanced services, but must be performed in a structured manner
Defining the contexts for a universal ontology will be required to provide interoperability between solutions
(Work has been started in the PRIME project – http://www.prime-project.eu.org/)
PII Location Awareness
An individual’s PII may find its way into a variety of provider repositories, often unbeknownst to the data subject
PII location awareness provides the data subject with the ability to determine the data custodian
PII Consent Revocation
Revoking consent for data is currently a manual process
An automated scheme to revoke access to an individual’s PII would provide greater certainty of completion
Authoritative Source Definition
Several PII submission schemes have the storage of data by the data subject as a premise
What mechanisms are required to determine the certainty of the data submitted (e.g. what organization can attest to which facts with what degree of confidence)?
Information Model for Privacy
Bell-LaPadula and Biba developed models on how to move data while preserving confidentiality and integrity
Information models are required to assist in the development of privacy safeguards
For example: can we say that linkability is a function of set size?
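To make the "minimum sets for unlinkability" and "linkability as a function of set size" questions concrete, here is an added example that is not part of the presentation: each combination of released attribute values forms an equivalence class of size k, the probability of linking a member to one person is taken as 1/k, the smallest attribute subsets that single someone out are searched for, and attributes are dropped until every class has at least k members (a k-anonymity style ambiguization). The records, attribute names and the 1/k model are constructed assumptions for illustration.

```python
from itertools import combinations
from collections import Counter

# Constructed sample records (not from the presentation). Each attribute is
# individually non-identifying; some combinations still single a person out.
RECORDS = [
    {"postal": "V6B", "birth_year": 1970, "sex": "F", "city": "Vancouver"},
    {"postal": "V6B", "birth_year": 1970, "sex": "M", "city": "Vancouver"},
    {"postal": "V6B", "birth_year": 1971, "sex": "F", "city": "Vancouver"},
    {"postal": "V6B", "birth_year": 1971, "sex": "F", "city": "Vancouver"},
    {"postal": "V5K", "birth_year": 1970, "sex": "M", "city": "Vancouver"},
    {"postal": "V5K", "birth_year": 1970, "sex": "M", "city": "Vancouver"},
    {"postal": "V5K", "birth_year": 1985, "sex": "F", "city": "Vancouver"},
    {"postal": "V5K", "birth_year": 1985, "sex": "F", "city": "Vancouver"},
]


def class_sizes(records, attrs):
    """Size of the equivalence class each record falls into when only `attrs`
    are released. A class of size k gives its members a 1/k linking probability,
    i.e. linkability modelled as a function of set size (an assumption here)."""
    def key(r):
        return tuple(r[a] for a in attrs)
    counts = Counter(key(r) for r in records)
    return [counts[key(r)] for r in records]


def linkability(records, attrs):
    """Worst-case probability that some record can be linked to one individual."""
    return 1.0 / min(class_sizes(records, attrs))


def minimum_linking_sets(records, attrs, threshold=1.0):
    """Smallest attribute subsets whose release makes at least one record
    linkable with probability >= threshold: the 'minimum set' question."""
    found = []
    for n in range(1, len(attrs) + 1):
        for subset in combinations(attrs, n):
            if any(set(subset) >= set(f) for f in found):
                continue  # a superset of a known linking set adds nothing new
            if linkability(records, subset) >= threshold:
                found.append(subset)
    return found


def ambiguize(records, attrs, k):
    """Drop attributes, most identifying first, until every equivalence class
    has at least k members (the release is then k-anonymous)."""
    kept = list(attrs)
    while kept and min(class_sizes(records, kept)) < k:
        # remove the attribute whose removal raises the smallest class the most
        def smallest_class_without(a):
            return min(class_sizes(records, [x for x in kept if x != a]))
        kept.remove(max(kept, key=smallest_class_without))
    return kept
```

Running `minimum_linking_sets(RECORDS, ["postal", "birth_year", "sex", "city"])` shows that two pairs of otherwise harmless fields already identify someone in this sample, and `ambiguize(..., 2)` shows which field must be withheld before the set can be shared.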
Conclusion
The hard problems presented today provide a starting point for discussion of those areas where research can be focused to improve our ability to safeguard personal information