
Page 1: Privacy Enhancing Technologies, Privacy by design · Jaap-Henk Hoepman // ( XOT ) // The PI.lab, a collaboration between: Radboud Universiteit – ICIS, Tilburg Universiteit – TILT, TNO

Jaap-Henk Hoepman

@xotoxot // [email protected] // www.xot.nl // blog.xot.nl

Privacy Enhancing Technologies, Privacy by design

How can technology increase compliance with the GDPR?

Page 2

Jaap-Henk Hoepman // ( XOT ) //

About me

Associate professor, Radboud Universiteit

● Privacy enhancing technologies

● Applied cryptography

● Internet of Things

Blogger

● http://blog.xot.nl

12-4-2016 // Privacy by Design and Privacy Enhancing Technologies 2

Page 3

The PI.lab

Collaboration between:

● Radboud Universiteit – ICIS

● Tilburg Universiteit – TILT

● TNO – Security; Strategy & Policy

Scientific director

● Jaap-Henk Hoepman

Managing director

● Marc van Lieshout


Page 4

Contents

What is privacy (from tech perspective)

Privacy by design

Privacy design strategies

Privacy Enhancing Technologies

Other developments

Concluding remarks


Page 5

What is privacy


Page 6 (figure only)

Page 7

What is privacy from a technical perspective

Confidentiality

● Access control; Anonymity

Integrity

● Authenticity

Availability

Unlinkability

● Entities; events

Intervenability

Transparency


(Hansen, Jensen, & Rost, 2015)

Page 8

Transfer

Different types of data/information

Volunteered

● What you reveal explicitly when asked

Observed

● What you reveal implicitly by your behaviour

Inferred

● What is derived from other data about you

[World Economic Forum Report Personal Data: The Emergence of a New Asset Class]

Page 9

Data vs Metadata

Metadata (= Behavioural data)

● Condensed (information rich, easy to process)

● More “true” (judge a man not on what he says but on what he does)


Page 10

Privacy by design


Page 11

Privacy by design

Protect privacy when developing new technology:

● From concept…

● … to realisation

Privacy is a quality attribute (like security, performance,…)

Privacy by design is a process!

● Throughout the system development cycle

Page 12

Software development cycle

Diagram: Concept → Development → Implementation

Privacy enhancing technologies

Page 13 (figure only)

Page 14

Impact assessment & strategies

Diagram: Concept → Development

Analysis

Privacy Design Strategies

Privacy Impact Assessment

Page 15

Privacy design strategies

Page 16

Source #1: Solove


Information storage

Information flow

Page 17

Source #2: data protection law

Core principles

● Data minimisation

● Purpose limitation

● Proportionality

● Subsidiarity

● Data subject rights: consent, (re)view

● Adequate protection

● (Provable) Compliance


Page 18

What is ‘Data Processing’…

Action: Relevant GDPR personal data processing examples

● Operate: Adaptation; Alteration; Retrieval; Consultation; Use; Alignment; Combination

● Store: Organisation; Structuring; Storage

● Retain: opposite to (Erasure; Destruction)

● Collect: Collection; Recording

● Share: Transmission; Dissemination; Making Available; opposite to (Restriction; Blocking)

● Change: unauthorised third party (Adaptation; Alteration; Use; Alignment; Combination)

● Breach: unauthorised third party (Retrieval; Consultation)

Page 19

Database tables

Diagram: a database table with attributes as columns and individuals as rows, annotated with the four data-oriented strategies: minimise, separate, aggregate, hide
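Added example, not part of the deck: the four data-oriented strategies from the table figure (minimise, separate, aggregate/abstract, hide) applied in Python to a constructed patient table for a "diagnosis statistics" purpose. The column names, the sample rows and the pseudonymisation key are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample table: one row per individual, one column per attribute.
PATIENTS = [
    {"name": "A. Jansen", "email": "a.jansen@example.org", "age": 34,
     "postcode": "6525XZ", "diagnosis": "flu"},
    {"name": "B. de Vries", "email": "b.devries@example.org", "age": 41,
     "postcode": "6525AB", "diagnosis": "asthma"},
    {"name": "C. Bakker", "email": "c.bakker@example.org", "age": 29,
     "postcode": "5038CD", "diagnosis": "flu"},
]
# Constructed pseudonymisation key; in practice it lives in a separate,
# access-controlled store so the data table alone cannot be re-identified.
DEMO_KEY = b"demo-only-pseudonym-key"


def minimise(rows, needed):
    """MINIMISE (tactics SELECT/STRIP): keep only the columns the purpose needs."""
    return [{k: r[k] for k in needed} for r in rows]


def abstract(rows, column, width):
    """ABSTRACT/AGGREGATE (tactic SUMMARIZE): coarsen a numeric column into
    ranges of the given width, e.g. age 34 -> '30-39'."""
    out = []
    for r in rows:
        lo = (r[column] // width) * width
        out.append({**r, column: f"{lo}-{lo + width - 1}"})
    return out


def hide(value, key=DEMO_KEY):
    """HIDE (tactic DISSOCIATE): replace an identifier by a keyed-hash pseudonym.
    A plain SHA-256 of an e-mail address could be recomputed from any list of
    addresses; the HMAC key prevents that without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def separate(rows, identity_cols, key=DEMO_KEY):
    """SEPARATE (tactic DISTRIBUTE): split identities from the data into two
    tables joined only by the pseudonym; they can live in different systems."""
    identities, data = [], []
    for r in rows:
        pseudonym = hide(r["email"], key)
        identities.append({"pseudonym": pseudonym,
                           **{c: r[c] for c in identity_cols}})
        data.append({"pseudonym": pseudonym,
                     **{c: r[c] for c in r if c not in identity_cols}})
    return identities, data


def research_extract(rows):
    """Chain the strategies for a statistics purpose: drop the name, coarsen
    the age, then split off the e-mail so only a pseudonymised data table
    leaves the source system."""
    rows = minimise(rows, ["email", "age", "postcode", "diagnosis"])
    rows = abstract(rows, "age", 10)
    _identities, data = separate(rows, ["email"])
    return data


if __name__ == "__main__":
    for row in research_extract(PATIENTS):
        print(row)
```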

Page 20

Eight privacy design strategies


Page 21

Eight privacy design strategies

HIDE:

● preventing exposure of access, association, visibility, and understandability of personal information to reduce the likelihood of privacy violations.

MINIMIZE:

● limiting usage of personal information to reduce the impact of privacy violations.

SEPARATE:

● preventing the correlation of personal information to reduce the likelihood of privacy violations.

ABSTRACT:

● limiting the detail of personal information to reduce the impact of privacy violations.

CONTROL:

● providing data subjects with means to consent to, choose, update, and retract from personal information in a timely manner.

INFORM:

● providing data subjects with clear explanation and timely notification on personal information.

ENFORCE:

● ensuring commitment to continually create, maintain, and uphold policies and technical controls regarding personal information.

DEMONSTRATE:

● ensuring available evidence to test, audit, log, and report on policies and technical controls regarding personal information.


Page 22

The eight strategies in detail

Strategy | Underlying goal | Effects on actions regarding personal data

ENFORCE | ensuring commitment | creating, maintaining and upholding | on policies and technical controls

DEMONSTRATE | ensuring evidence | testing, auditing, logging, and reporting | on policies and technical controls

CONTROL | providing means | consenting to, choosing, updating, and retracting | from

INFORM | providing clarity | providing, explaining, and notifying | on sharing

MINIMISE | limiting usage | excluding, selecting, stripping, or destroying | any retention

AGGREGATE | limiting detail | summarising or grouping | collection

SEPARATE | preventing correlation | distributing or isolating |

HIDE | preventing exposure | mixing, obfuscating, dissociating, or restricting access to | sharing

(In the table the upper four rows read “… as abundant … as possible for …” and the lower four “… as much as possible by …”.)

Each row continues with the shared clause: … regarding storage, collection, retention, sharing, changes, breaches or operation on personal data, in a timely manner, within the constraints of the agreed upon purposes.

Page 23

Tactics (that help achieve strategy goals)

MINIMISE

● EXCLUDE, SELECT, STRIP, DESTROY

HIDE

● RESTRICT, MIX, OBFUSCATE, DISSOCIATE

SEPARATE

● DISTRIBUTE, ISOLATE

ABSTRACT

● SUMMARIZE, GROUP

INFORM

● SUPPLY, NOTIFY, EXPLAIN

CONTROL

● CONSENT, CHOOSE, UPDATE, RETRACT

ENFORCE

● CREATE, MAINTAIN, UPHOLD

DEMONSTRATE

● AUDIT, LOG, REPORT

Page 24

Privacy Enhancing Technologies (PETS)


Page 25

Classification of PETS

Communication

Authentication and identity management

Storage privacy

Private computation (aka homomorphic encryption ;-)

Transparency

Intervenability

Privacy in databases


Page 26

Cryptography

Symmetric key cryptography

(Asymmetric) Public key cryptography

Confidentiality

● Encryption/decryption

Integrity

● Hash function

Authenticity

● Message Authentication Code (MAC)

● (Digital) Signature


Page 27

Encryption

Diagram: plaintext (e.g. “attack at dawn”) → encrypt → ciphertext (e.g. “sdwr$350/.]{]gtdfc”) → decrypt → plaintext (“attack at dawn”)

Key labels in the figure: Secret! / secret? / public?

Page 28

Cipher: algorithm + keys

Cipher (i.e. cryptosystem)

● “Public” algorithm +

● “Secret” keys

Diagram: “attack” → encrypt → “sdwr$350” → decrypt → “attack”; a second ciphertext shown in the figure is “gfd6#Q”

Page 29

Symmetric ciphers

Properties

● Same key to encrypt/decrypt

● Fast

● Short keys (128-256 bits)

Examples

● Data Encryption Standard (DES)

● Advanced Encryption Standard (AES)


Page 30

Asymmetric ciphers

Properties

● Public (encrypt) and private (decrypt) keys

● Slow

● Long keys (1024-2048 bits)

Examples

● RSA

● Diffie-Hellman

Page 31

Hash functions

Properties

● “one-way”

● “collision resistance”

● Hash code 128-256 bits long

Examples

● SHA-256

Page 32

Communication privacy: TLS, SSH


Page 33

Anonymous communication


Page 34 (figure only)

Page 35 (figure only)

Page 36

Zero knowledge

The cave of Ali Baba


Page 37

eID: traditional

Diagram: User, Identity Provider, Relying Party; attributes

All parties are online: security and privacy risks

Page 38

eID: ABC based : Issuing

Diagram: Credential Issuer, Relying Party, User

Page 39

eID: ABC based : showing

Diagram: Credential Issuer, Relying Party, User

unlinkable

Has certificate granting access to attributes

Page 40

Storage privacy

Cloud provider has the key vs. only the user has the key

Page 41

Private computation

Secure multiparty computation

● Compiles an ideal function performed by a trusted third party into one that is jointly executed by the participants (without a trusted party at all).

Homomorphic encryption

● E(m1 + m2) = E(m1) · E(m2)

● You can compute a function over the plaintexts without knowing them!
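Added example, not from the slides: a textbook Paillier cryptosystem in Python that exhibits the identity on the slide, E(m1) · E(m2) = E(m1 + m2), and uses it for a private yes/no tally in which the server adds ballots it cannot read. The primes, key and ballots are constructed for the demo and far too small for real use.

```python
import math
import secrets

# Constructed demo key pair from two small, publicly known primes.
# NOT secure: a real deployment uses primes of ~1024 bits or more.
DEMO_P, DEMO_Q = 104729, 1299709


def keygen(p=DEMO_P, q=DEMO_Q):
    """Paillier key generation with the common choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                # lam^-1 mod n
    return (n, n + 1), (lam, mu, n)


def encrypt(pub, m):
    """E(m) = g^m * r^n mod n^2 with a fresh random r, so encryption is
    probabilistic: two encryptions of the same plaintext are unlinkable."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in [0, n)")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    """D(c) = L(c^lam mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    lam, mu, n = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """The slide's identity: E(m1) * E(m2) = E(m1 + m2), all mod n^2.
    Whoever multiplies the ciphertexts learns nothing about m1 or m2."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def private_tally(pub, priv, ballots):
    """Yes/no poll: each voter submits E(1) or E(0); the server multiplies
    the ciphertexts and never sees an individual ballot. Only the holder of
    the private key (e.g. a separate election authority) learns the total."""
    encrypted = [encrypt(pub, b) for b in ballots]   # done on the voters' side
    running = encrypt(pub, 0)
    for c in encrypted:
        running = add_encrypted(pub, running, c)     # server side, blind
    return decrypt(priv, running)


if __name__ == "__main__":
    pub, priv = keygen()
    c5, c7 = encrypt(pub, 5), encrypt(pub, 7)
    print("D(E(5) * E(7)) =", decrypt(priv, add_encrypted(pub, c5, c7)))
    print("yes votes:", private_tally(pub, priv, [1, 0, 1, 1, 0, 1]))
```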

Page 42

Transparency & Intervenability

Classification

● Information about the processing taking place

● Information about the actual user data collected

● Information about the consequences of the processing and the data

Examples

● Privacy policies and icons

● Privacy seals

● Privacy dashboard

● Policy frameworks like P3P

● Tools like Lightbeam (formerly Collusion)


Page 43

Other developments


Page 44

OWASP Top 10 Privacy Risks

Web Application Vulnerabilities

Operator-sided Data Leakage

Insufficient Data Breach Response

Insufficient Deletion of personal data

Non-transparent Policies, Terms and Conditions

Collection of data not required for the primary purpose

Sharing of data with third party

Outdated personal data

Missing or Insufficient Session Expiration

Insecure Data Transfer


Page 45

Standardisation

ISO

● ISO/IEC 29100:2011 Information technology -- Security techniques -- Privacy Framework.

● ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems

W3C

● DoNotTrack (DNT), Platform for Privacy Preferences (P3P)

Internet Privacy Engineering Network

● https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN


Page 46

Concluding remarks


Page 47

Concluding remarks

Limits to privacy by design

● Privacy is fragile; may break when combining or extending systems

● The level of privacy protection is hard to define and measure, making different systems hard to compare

● Implementation obstacles

Incentives and effective deterrence mechanisms needed

Better understanding of privacy (by design) as a process needed

Tools to support privacy by design in practice are missing

Stronger role of standardisation


Page 48

Sources

● G. Danezis, J. Domingo-Ferrer, M. Hansen, J.-H. Hoepman, D. L. Metayer, R. Tirtea, and S. Schiffner. Privacy and Data Protection by Design - from policy to engineering. Technical report, ENISA, December 2014. ISBN 978-92-9204-108-3, DOI 10.2824/38623. https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design

● OWASP Top 10 Privacy Risks:

https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project

● M. Colesky, J.-H. Hoepman, and C. Hillen. A Critical Analysis of Privacy Design Strategies. In 2016 International Workshop on Privacy Engineering – IWPE'16, San Jose, CA, USA, May 26 2016. http://www.cs.ru.nl/~jhh/publications/iwpe-privacy-strategies.pdf

● Guidelines DP; Art 29 WP


twitter: @xotoxot blog.xot.nl [email protected] www.xot.nl