
Hard Problems in Computer Privacy

John Weigelt

Disclaimer

The views expressed in this presentation are my own and are not provided in my capacity as Chief Technology Officer for Microsoft Canada Co

Outline

Privacy Context

Implementing for Privacy

The Hard Problems

Privacy

“the right to control access to one's person and information about one's self.”

Privacy Commissioner of Canada, speech at the Freedom of Information and Protection of Privacy Conference, June 13, 2002

The Context Of Privacy Compliance

COMPLIANCE

Sarbanes-Oxley
– Fiscal accountability for all public companies

Personal Information Protection and Electronic Documents Act (PIPEDA)

U.S. PATRIOT Act
– Customer documentation requirements in order to “know your customer”

Freedom of Information, Privacy Protection Act
– BC law for protection of personal information

Health Insurance Portability and Accountability Act (HIPAA)
– Right to carry insurance between jobs; privacy of patient information

California SB 1386
– Law requiring customer notification if their personal data was, or was believed to be, compromised

Gramm-Leach-Bliley Act (GLBA)
– Privacy of financial information

Personal Health Information Protection Act (PHIPA)
– Ontario law for protection of personal health information

Impact of Non-Compliance

Loss of Revenue

Damage to Investor Confidence

Damage to Reputation

Personal Liability

Interruption of Business Processes

Damage to Customer Confidence

Legal Consequences

Regulatory Penalties & Fines Grid

Name of Regulatory Mandate | Some Potential Penalties | Potential Fines
SOA | 20 years in prison | $15 million
HIPAA | 10 years in prison | $250,000
GLBA | 10 years in prison | $1 million
Patriot Act | 20 years in prison | $1 million
California SB 1386 | Unfair trade practice law penalties | Private civil and class actions; unfair trade practice law fines
PIPEDA | | Up to $100,000
FOIPPA | | Up to $500,000
PHIPA | | $50,000 for an individual and $250,000 for a corporation, + Damages
SEC Rule 17a-4 | Suspension/expulsion | $1 million+

Privacy Challenges
Spotlight on PIPEDA / PHIPA / FOIPPA

Policy interpretations are still emerging

Relationship to security services misunderstood

Privacy often implemented in a binary manner

Privacy metrics developing

Privacy often driven by popular opinion

Focus on privacy enhancing technologies

Designing for Privacy

Implement for all privacy principles

Privacy implementations require defence in depth

A risk managed approach should be taken

Solutions must provide privacy policy agility

Privacy and security must be viewed as related but not dependent

Use existing technology in privacy enhancing ways

Implement for all Privacy Principles

Accountability

Notice (identification of purpose)

Consent

Limit Collection & Use

Disclosure of transfer

Retention Policies

Accuracy

Safeguards

Openness

Individual Access

Challenging Compliance

Implement a Defence in Depth

– Engages the entire business for success
– Allows for the allocation of controls outside of IT

Layers of the defence:

Legislation

Policies

Procedures

Physical Controls

Application Features

Inherent System Capabilities

Use a Risk Managed Approach

Privacy Impact Assessments provide insight into how PII is handled in the design or redesign of solutions and identify areas of potential risk (example: SLAs for privacy principles)

Design for Agility

Interpretations of privacy policy continue to evolve and it is essential that solutions are agile to meet existing and emerging privacy policies

Avoid solutions that are difficult to migrate from
– E.g. bulk encryption

[Figure: Privacy Agility. A Security axis (Non-Secure to Fully Secure) and a Privacy axis (Full Disclosure to Anonymous), with Public Opinion and the Solution Range marked along them.]

Use existing technology in privacy enhancing ways

Tendency to purchase solutions to solve compliance needs

Many privacy compliance activities can be met with the existing technologies

E.g. notices, consent mechanisms, limiting collection

Security and Privacy Foundations

[Figure: timeline (50BC through 2002) pairing security foundations with their privacy counterparts. Security: Data Marking, Rules based Approach, Bell-LaPadula, Biba, Risk Management Approach, Threat Risk Assessment, Security Safeguards Evaluation Scheme, Security Policies. Privacy: Data Marking for Privacy, Rules based approach, Privacy Legislation, Privacy Enhancing Technologies, Privacy Impact Assessment, Privacy Policies.]

Hard Problems

In the late 70s a group of computer security experts defined the hard problems in computer security

These were re-assessed in the late 90s by a number of groups

Hard Problems in Computer Security

Intrusion and Misuse Detection / Response

Security of mobile code

Controlled sharing of sensitive information

Covert channel control

Testability of software

Denial of service prevention

Security management infrastructure

Secure system composition

High assurance development

Metrics for security

Multi-level security

http://www.infosec-research.org/docs_public/IRC-HPL-as-released-990921.doc

http://www.nitrd.gov/pubs/200311_grand_challenges.pdf

Why do the same for Privacy?

Provides a foundation for research efforts

Sets a context for system design

Progress has been made on the tough problems in computer security

Privacy Hard Problems

1. Work factors (level of effort) for linkability

2. Minimum sets for unlinkability

3. Assurance levels

4. Re-anonymization

5. Intuitive consent

6. Ontology for privacy contexts

7. PII location tracing

8. PII consent revocation

9. Authoritative source definition

10. Information model for privacy

Work Factors for Linkability

Not all PII is equally descriptive (e.g. SIN vs name)

Leveraging different types of PII requires varying degrees of effort
– Linking to an individual
– Establishing value

Current safeguards tend to treat all PII as equal

As in security safeguards, resource efficiencies may be gained if a work factor approach can be taken to the deployment of safeguards

Minimum Sets for Unlinkability

Aggregation of data presents a significant challenge in the privacy space

Often only a few pieces of individually non-PI data can provide a high probability of identification

Determining the relative probability of identification of sets of data will assist in safer data sharing or automatic ambiguization of data sets

Assurance Levels for Privacy Solutions

Different levels of assurance are required for security safeguards, typically depending on the confidence required in the transaction (e.g. trusted policy mediation)

Can the same philosophy be applied to the privacy environment?
– E.g. database perturbation

Re-anonymization

Current safeguards work on the assumption that data leakages are absolute

Some large content providers have been successful in removing licensed content

Can a process be developed to regain anonymity following a data leakage?

Intuitive Privacy Consent

While consent is a fundamental tenet for data privacy, users still do not fully understand privacy notices

How can privacy notices provide the user with greater insight into management of their PII?

Ontology for Privacy Contexts

Individuals are often comfortable providing PII depending on the context of its use (purpose description)
– Entertainment, Financial, Health, Employer

Sharing between contexts provides an opportunity for enhanced services, but must be performed in a structured manner

Defining the contexts for a universal ontology will be required to provide interoperability between solutions

(Work has been started in the PRIME project: http://www.prime-project.eu.org/)

PII Location Awareness

An individual’s PII may find its way into a variety of provider repositories, often unbeknownst to the data subject

PII location awareness provides the data subject with the ability to determine the data custodian

PII Consent Revocation

Revoking consent for data is currently a manual process

An automated scheme to revoke access to an individual’s PII will provide greater certainty of completion
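The two problems above, PII location awareness and consent revocation, describe the same piece of infrastructure from two sides: a registry that knows which custodians hold a subject's PII and can push a purpose-specific revocation to each of them, then track whether each custodian has acted. The Python below is an added example written for this page, not code from the presentation or from Microsoft; the registry design, the custodian names ("clinic", "lab", "analytics-vendor", "data-broker"), the subject id "subj-42" and the purposes are all constructed for illustration. The point it makes beyond the slides is the gap between "consent revoked" and "revocation complete": the `outstanding` list is what gives the certainty of completion the slide asks for.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical consent ledger (this example's own design). It records which
# custodians hold a subject's PII (location awareness) and which purposes the
# subject has consented to, so a revocation can be fanned out to every
# custodian and tracked until each one confirms.

@dataclass
class Consent:
    subject: str
    purpose: str
    active: bool = True


@dataclass
class RevocationNotice:
    subject: str
    purpose: str
    custodian: str
    acknowledged: bool = False


class ConsentRegistry:
    def __init__(self) -> None:
        self._consents: Dict[Tuple[str, str], Consent] = {}
        self._custodians: Dict[str, Set[str]] = {}
        self._notices: List[RevocationNotice] = []

    def register_custodian(self, subject: str, custodian: str) -> None:
        """Record that a custodian now holds this subject's PII."""
        self._custodians.setdefault(subject, set()).add(custodian)

    def custodians_of(self, subject: str) -> List[str]:
        """Location awareness: every custodian known to hold the subject's PII."""
        return sorted(self._custodians.get(subject, set()))

    def grant(self, subject: str, purpose: str) -> None:
        self._consents[(subject, purpose)] = Consent(subject, purpose)

    def is_permitted(self, custodian: str, subject: str, purpose: str) -> bool:
        """Check a custodian runs before using PII: it must be a registered
        holder and the purpose-specific consent must still be active."""
        consent = self._consents.get((subject, purpose))
        known = custodian in self._custodians.get(subject, set())
        return known and consent is not None and consent.active

    def revoke(self, subject: str, purpose: str) -> List[str]:
        """Withdraw consent and issue one notice per known custodian. Returns
        the custodians notified; an unknown or already revoked consent gives []."""
        consent = self._consents.get((subject, purpose))
        if consent is None or not consent.active:
            return []
        consent.active = False
        notified = self.custodians_of(subject)
        for custodian in notified:
            self._notices.append(RevocationNotice(subject, purpose, custodian))
        return notified

    def acknowledge(self, subject: str, purpose: str, custodian: str) -> None:
        """A custodian confirms it has stopped using the data for that purpose."""
        for notice in self._notices:
            if (notice.subject, notice.purpose, notice.custodian) == (subject, purpose, custodian):
                notice.acknowledged = True

    def outstanding(self, subject: str, purpose: str) -> List[str]:
        """Custodians that have not yet confirmed: the gap between
        'revoked' and 'revocation complete'."""
        return sorted(n.custodian for n in self._notices
                      if (n.subject, n.purpose) == (subject, purpose) and not n.acknowledged)


def demo() -> dict:
    """Grant, use, revoke and partially acknowledge, with constructed names."""
    reg = ConsentRegistry()
    for custodian in ("clinic", "lab", "analytics-vendor"):
        reg.register_custodian("subj-42", custodian)
    reg.grant("subj-42", "treatment")
    reg.grant("subj-42", "marketing")
    before = reg.is_permitted("analytics-vendor", "subj-42", "marketing")
    notified = reg.revoke("subj-42", "marketing")
    reg.acknowledge("subj-42", "marketing", "clinic")
    reg.acknowledge("subj-42", "marketing", "lab")
    return {
        "before": before,
        "after": reg.is_permitted("analytics-vendor", "subj-42", "marketing"),
        "treatment_still_ok": reg.is_permitted("clinic", "subj-42", "treatment"),
        "unknown_custodian": reg.is_permitted("data-broker", "subj-42", "treatment"),
        "notified": notified,
        "outstanding": reg.outstanding("subj-42", "marketing"),
        "second_revoke": reg.revoke("subj-42", "marketing"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices worth noting: consent is keyed per purpose, so revoking "marketing" leaves "treatment" untouched, and the access check fails closed for a custodian the registry has never heard of, which is exactly the custodian the data subject could not otherwise trace.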

Authoritative Sources Definition

Several PII submission schemes have the storage of data by the data subject as a premise

What mechanisms are required to determine the certainty of the data submitted (e.g. what organization can attest to which facts with what degree of confidence)?

Information Model for Privacy

Bell-LaPadula and Biba developed models on how to move data while preserving confidentiality and integrity

Information models are required to assist in the development of privacy safeguards

For example: can we say that linkability is a function of set size?
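The "minimum sets for unlinkability" problem earlier in the deck and the closing question about linkability as a function of set size can be made concrete with equivalence classes: group rows that share the same combination of individually non-identifying fields (the quasi-identifier), and the chance that a match on those fields singles out one row is 1 divided by the size of its group. The Python below is an added example written for this page, not part of the presentation; the records, the choice of quasi-identifier and the generalization hierarchy are constructed for illustration. It goes a step beyond the slides by also searching for the least generalization ("ambiguization") that brings every group up to a target size k.

```python
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample records (not real data). No single field identifies
# anyone, but (postal, birth_year, sex) together form a quasi-identifier.
RECORDS = [
    {"postal": "K1A0B1", "birth_year": 1968, "sex": "F", "diagnosis": "flu"},
    {"postal": "K1A0B1", "birth_year": 1968, "sex": "F", "diagnosis": "asthma"},
    {"postal": "K1A0B1", "birth_year": 1971, "sex": "M", "diagnosis": "flu"},
    {"postal": "K1A0B1", "birth_year": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"postal": "M5V2T6", "birth_year": 1985, "sex": "M", "diagnosis": "diabetes"},
    {"postal": "M5V2T6", "birth_year": 1985, "sex": "M", "diagnosis": "flu"},
    {"postal": "M5V2T6", "birth_year": 1985, "sex": "M", "diagnosis": "flu"},
    {"postal": "V6B1A1", "birth_year": 1992, "sex": "F", "diagnosis": "flu"},
    {"postal": "V6B2C3", "birth_year": 1993, "sex": "F", "diagnosis": "asthma"},
]

QUASI_IDS: Tuple[str, ...] = ("postal", "birth_year", "sex")
MAX_LEVEL = 3  # deepest level of the generalization hierarchy below


def _key(record, quasi_ids):
    return tuple(record[q] for q in quasi_ids)


def generalize(records, level: int):
    """Ambiguize the quasi-identifier. Level 0 is raw data; each higher level
    coarsens it further (the hierarchy is this example's own choice)."""
    out = []
    for r in records:
        g = dict(r)
        if level >= 1:
            g["postal"] = r["postal"][:3]                   # forward sortation area only
            g["birth_year"] = (r["birth_year"] // 10) * 10  # decade of birth
        if level >= 2:
            g["postal"] = "*"                               # postal code suppressed
        if level >= 3:
            g["birth_year"] = "*"                           # birth year suppressed
        out.append(g)
    return out


def equivalence_classes(records, quasi_ids=QUASI_IDS) -> Counter:
    """Count how many rows share each quasi-identifier value."""
    return Counter(_key(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS) -> int:
    """Size of the smallest class; k == 1 means some row stands alone."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def identification_probability(records, quasi_ids=QUASI_IDS) -> List[float]:
    """Per row, the chance that a match on its quasi-identifier picks exactly
    this row: 1 / class size, i.e. linkability as a function of set size."""
    classes = equivalence_classes(records, quasi_ids)
    return [1.0 / classes[_key(r, quasi_ids)] for r in records]


def unique_rows(records, quasi_ids=QUASI_IDS):
    """Rows whose quasi-identifier occurs only once (probability 1.0)."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[_key(r, quasi_ids)] == 1]


def least_generalization_for(records, k: int, quasi_ids=QUASI_IDS) -> Optional[int]:
    """Lowest level at which every class has at least k members, or None if
    even full suppression (MAX_LEVEL) cannot reach k."""
    for level in range(MAX_LEVEL + 1):
        if k_anonymity(generalize(records, level), quasi_ids) >= k:
            return level
    return None


if __name__ == "__main__":
    for level in range(MAX_LEVEL + 1):
        g = generalize(RECORDS, level)
        print(f"level {level}: k={k_anonymity(g)} "
              f"max P(identify)={max(identification_probability(g)):.2f}")
    print("least level giving k>=2:", least_generalization_for(RECORDS, 2))
```

On the constructed data four rows are unique at level 0, so a match on postal code, birth year and sex identifies them outright; coarsening to the first three postal characters and the decade of birth already lifts every class to at least two members, while reaching k of 3 costs full suppression of both fields. That trade-off between class size and the usefulness of what is released is the quantity the slide asks a privacy information model to expose.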

Conclusion

The hard problems presented today provide a starting point for discussion for those areas where research can be focused to improve our ability to safeguard personal information

Questions