Introduction to Privacy and Privacy Engineering

1. Introduction to Privacy and Privacy Engineering Dr. Ian Oliver EIT Summer School, August 2014, Finland

2. Contents –  WHY learn about privacy? –  PHILOSOPHY of privacy –  LEGAL aspects of privacy –  ENGINEERING aspects of privacy –  FOUNDATIONAL aspects of privacy –  Supporting Material

3. WHY learn about privacy –  The dominating issue regarding information systems at the moment –  Increased public awareness of surveillance –  Business and economic reasons –  Trust

7. PHILOSOPHY

8. PHILOSOPHY –  The Right To Be Let Alone –  “The Right to Privacy” (Warren and Brandeis, 1890)

9. PHILOSOPHY –  From where comes privacy?

10. PHILOSOPHY –  "a person may be identiﬁed directly by name or indirectly by a telephone number, a car registration number, a social security number, a passport number or by a combination of signiﬁcant criteria which allows him to be recognized by narrowing down the group to which he belongs (age, occupation, place of residence, etc.)” –  WP29: Opinion 4/2007 on the concept of personal data

11. PHILOSOPHY –  Does ”privacy” exist? –  If so, what does it mean? –  If not, what does that mean?

14. PHILOSOPHY Wisdom Knowledge Information Data Noise

15. PHILOSOPHY –  Discuss: –  Personal privacy –  Information privacy –  Expectation of privacy within technology –  Social media, sharing, surveillance –  ”Nothing to Fear, Nothing to Hide” –  Limits of privacy and the acceptable loss of privacy –  Privacy as an innovator

16. PHILOSOPHY –  Privacy as: –  A Principle –  A Legal Discipline –  An Engineering Discpline –  An Economic Aspect

17. PHILOSOPHY –  Privacy by Design (PbD) Principles 1.  Proactive not Reactive; Preventative not Remedial 2.  Privacy as the Default Setting 3.  Privacy Embedded into Design 4.  Full Functionality — Positive-‐Sum, not Zero-‐Sum 5.  End-‐to-‐End Security — Full Lifecycle Protection 6.  Visibility and Transparency — Keep it Open 7.  Respect for User Privacy — Keep it User-‐Centric –  Semantic Gap Between PbD and Engineering We concentrate here

18. LEGAL

19. LEGAL –  Terminology –  Personal Data / Personally Identiﬁable Data (PII) –  Sensitive Data –  Traﬃc Data

20. LEGAL –  Compliance and Laws –  EU Data Protection / WP29 –  US Data Protection –  COPPA, HIPPA, SOX, Safe Harbor –  Usage and Purpose versus Collection

21. LEGAL –  Speciﬁc Examples –  Privacy Policies –  Secondary Data Collection –  Opt-‐in & Opt-‐out –  Defaults –  Necessity –  Tracking –  Browser Cookies –  Data Transfers –  Data Retention –  Conﬂicts –  EU-‐US Data Transfers –  Encryption or not? –  Trade Compliance –  Business need versus Personal need –  Information Assymetry

22. ENGINEERING –  Case Study –  Data Flow Modelling –  Ontologies and Deﬁntions –  Requirements –  Notice and Consent –  Risk –  PETS –  Maxims

23. ENGINEERING case study Motivating Example High-‐Level View Detailed View

24. Motivating Example High-‐Level View Detailed View ENGINEERING case study

25. Information systems …for some deﬁnition of information ENGINEERING an analogy Information is a material

26. ENGINEERING data ﬂow Data Flow Modelling Basic Syntax Annotations: protocols, content

27. ENGINEERING data ﬂow Data Flow Modelling Basic Syntax Annotations: protocols, content

28. ENGINEERING data ﬂow example

32. ENGINEERING ontologies Ontology and Terminology The mechanisms by which languages are agreed upon Lawyer – Engineer communication Terminological Deﬁntions

33. ENGINEERING ontologies What do the following statements actually mean? Personal Data Personally Identiﬁable Data Location Data Field Data set

34. ENGINEERING ontologies Semantics

35. ENGINEERING ontologies -‐ modelling

36. ENGINEERING ontologies -‐ security ( Unclassiﬁed ) Secret Conﬁdential Internal Public

37. ENGINEERING ontologies -‐ information –  Type Theory –  Information type vs Machine type/ Programming language type –  Structures –  Example, is { lat:ﬂoat, long:ﬂoat } a –  Location –  A struct of two reals? –  Neither –  Context

38. ENGINEERING ontologies -‐ identiﬁers

39. ENGINEERING ontologies -‐ further…

40. ENGINEERING ontologies -‐ identiﬁcation Unauthenticated Observed Authenticated (*) Proven

41. ENGINEERING identiﬁability

42. ENGINEERING requirements

43. ENGINEERING notice & consent

46. ENGINEERING notice & consent –  Calculation of the Agreement from the DFD

47. ENGINEERING -‐ risk

48. ENGINEERING -‐ evaluating risk –  Failure Mode and Eﬀect Analysis –  Root Cause Analysis –  STRIDE: Threat Assessment

49. ENGINEERING -‐ PETS –  Hashing –  Encryption –  Dataset Partitioing –  Tokenisation –  k-‐anonymity –  l-‐diversity, t-‐closeness, diﬀerential privacy –  BASIC GOOD OLD FASHIONED SECURITY

50. ENGINEERING maxims –  Don't collect what you don't use –  If it looks like PII, it probably is PII, so treat it as PII –  Don't shock the user –  Location data isn't just GPS co-‐ordinates –  Good security does not mean good privacy, but good privacy doesn't come without good security –  All information can be transformed and cross-‐referenced into whatever you need –  Security through Obscurity, Privacy through PowerPoint and Policies...

51. FOUNDATIONAL –  Information Theory –  Syntax, Semantics –  Entopy

52. PROJECT EVALUATION Demonstrate: –  Understanding of who the data subject is –  Where the data is flowing for various use cases through data flow modelling –  What: –  is the level of identification of the data subject –  are the usages and purposes of –  are the information types being carried –  is the logical architecture or structure of the system –  A risk analysis based on the given taxonomy of risks

53. SUPPORTING MATERIAL –  The Privacy Engineer's Manifesto, Dennedy, Fox & Finneran –  Understanding Privacy, Solove –  Privacy in Context, Nissenbaum –  Applied Cryptograpy, Schneier

54. SUPPORTING MATERIAL Ian Oliver (2014) Privacy Engineering: A Dataﬂow and Ontological Approach ISBN:9781497569713 Twitter: @i_j_oliver Blog: http://ijosblog.blogspot.ﬁ

55. DISCUSSION <<crossreferencing>> Thinking Local Knowledge References Lecturer<<data subject>> Audience <<speech, email, etc>> <<weird brain processes>> <<reading, listening>> <<neurons>> <<neurons>> <<speech, email, etc>> security class: Public information type: Content, Identity, Location, Temporal Identity: authenticated (1) Provenance: User Purpose: Primary Usage: Product Improvement, Future Human Lecturer YOU ME

Apr	MAY	Sep
	18
2014	2015	2022

Introduction to Privacy and Privacy Engineering

Ian Oliver

Transcript