Privacy Engineering from an engineer's view

Post on 10-Jan-2017


Transcript of Privacy Engineering from an engineer's view

1 © Nokia 2016

Privacy Engineering

from an engineer’s view

Public

Dr. Ian Oliver

Bell Labs, Finland

27 May 2016

A Lecture Given at DSummit, Stockholm, Sweden

2 © Nokia 2016

Does anyone notice a problem here...


Privacy as legal aspect: From Warren and Brandeis (1895) to the GDPR

3 © Nokia 2016

Just missing a few things...


Privacy as a legal aspect: From Warren and Brandeis (1895) to the GDPR

Privacy as an economic aspect: Akerlof et al (Lemons!)

Privacy as a philosophical aspect: Nissenbaum, Solove et al

Privacy as a security aspect: Schneier – to name just one...

Privacy as an ideal: Cavoukian and PbD

Privacy as a sociological construct: Lessig et al

Privacy as a game theoretic construct: Nash et al (+sum games)

Privacy as an engineering construct: Dennedy et al, Oliver, ...

4 © Nokia 2016

and how do we view things...


5 © Nokia 2016


GDPR = $$$ ... get me the lawyers ...

Compliance is everything

6 © Nokia 2016

Now do you see the problem?


7 © Nokia 2016

Traditional Compliance Must Go


8 © Nokia 2016


9 © Nokia 2016


10 © Nokia 2016

Compliance

is fragile


Good thing we have this otherwise we’d be in trouble...

Joke: Q: How many lawyers does it take to make a system compliant?

11 © Nokia 2016


A: We value your privacy...

12 © Nokia 2016

Compliance

is fragile


char collectDataFlag = 'Y'; // Future proofed boolean
                            // Y for yes, N for no

void collectDataFunction() {
    // collect IMEI, IMSI, MSISDN, TimeStamp and location
    // and send to the hardcoded IP address...
}

void checkDataCollection() {
    switch (collectDataFlag) {
    case 'N':
        // don't do anything
        // (no break here: 'N' falls through into case 'Y')
    case 'Y':
        // ok to collect everything
        collectDataFunction();
    }
}
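As an added illustration that is not part of the slides, here is the flag-driven collector from slide 12 beside a hardened form, with the real collector replaced by a constructed call counter (collect_calls and the snake_case function names are this example's own) so that the effect of the missing break can be checked directly.

```c
/* Added example, not from the slides: slide 12's flag-driven collector
 * beside a hardened form. collect_calls and the function names below
 * are constructed for this demonstration. */
#include <stdbool.h>

/* Constructed stand-in for the real collector: it only counts calls
 * instead of gathering IMEI, IMSI, MSISDN, timestamp and location. */
static int collect_calls = 0;

static void collect_data_function(void) {
    collect_calls++;
}

/* Slide 12 as written: case 'N' has no break, so 'N' falls through into
 * case 'Y' and the data is collected whatever the flag says. */
int check_data_collection_fragile(char collect_data_flag) {
    collect_calls = 0;
    switch (collect_data_flag) {
    case 'N':
        /* don't do anything */
        /* intentional fall-through, exactly as on the slide */
    case 'Y':
        /* ok to collect everything */
        collect_data_function();
    }
    return collect_calls;  /* 1 for both 'Y' and 'N', 0 for anything else */
}

/* Hardened form: a real boolean consent state, a break on every case,
 * and default deny for any value that is not an explicit 'Y'. */
int check_data_collection_hardened(char collect_data_flag) {
    bool consent = false;
    collect_calls = 0;
    switch (collect_data_flag) {
    case 'Y':
        consent = true;
        break;
    case 'N':
        consent = false;
        break;
    default:
        consent = false;  /* unknown flag value: treat as no consent */
        break;
    }
    if (consent) {
        collect_data_function();
    }
    return collect_calls;  /* 1 only for 'Y' */
}
```

The fragile version returns 1 for 'N' as well as 'Y', which is the compliance gap the slide is pointing at; the hardened version collects only on an explicit 'Y'.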

13 © Nokia 2016


Question:

how many lines of code between any two points in this model?

14 © Nokia 2016

Story time ....


15 © Nokia 2016


A long time ago...

I became our first privacy architect...

Auditing mobile device applications and associated infrastructure from an engineering perspective...

16 © Nokia 2016


Or...

go and invent how to do this because no-one else has/can/wants to, because...

the engineers don’t want to speak to the lawyers,

the lawyers don’t want to speak to the engineers,

and we’re in a mess...

17 © Nokia 2016

We developed:

• Epics and Use cases for Privacy

• Checklists

• Software Development Process Integration

• Audit Procedures

- integrated non-functional areas: privacy, security, performance, continuity

and the result was...

18 © Nokia 2016

Failure

19 © Nokia 2016

Why didn’t it work?

• Despite highly trained personnel

• Too much adherence to process

- Processes tell everyone the order of what to do

- Difficulty in handling exceptions and experts

- Processes treat people as idiots

• Replace responsibility and expertise

- with something called ”compliance”

• Tick-box oriented

- Ask questions, Accept answers, TICK!

- Limited understanding and context of answers

• Limited time-scale

- One-off review

20 © Nokia 2016

?

21 © Nokia 2016

We developed:

• Simpler ”Checklists”

• Training Courses

• Realised that no-one understood each other

• Tried to ban the terms ”PII” and ”Personal Data”

• Tried to formulate requirements

• Introduced more risk management ideas, e.g. RCA, FMEA

and the result was...

22 © Nokia 2016

Failure

23 © Nokia 2016

What’s the problem now?

• Communication

• Process over method

• Lack of understanding of roles

- I am a privacy officer, therefore, I am right

- You are ’just’ an engineer

• Lack of both legal and engineering techniques

• The privacy organisation itself

• Privacy by Design

24 © Nokia 2016

What’s the problem now...?

Actually it was much worse

So much emphasis on ’compliance’

We, the privacy organisation, are right

Engineers don’t know anything....

25 © Nokia 2016

????!!!

26 © Nokia 2016

Just 3 simple things to solve...

Communication

Culture

Role

27 © Nokia 2016

Communication


28 © Nokia 2016

Probably not personal data / Probably personal data

29 © Nokia 2016

Forget process, just get the information about what’s going on...

30 © Nokia 2016


Who in your company does all the innovation and knows what your products or services really do?

31 © Nokia 2016


Who knows if your systems are compliant?

32 © Nokia 2016

Just 2 simple things to solve...

Communication

Culture

Role

33 © Nokia 2016

Roles and Culture: already solved...

34 © Nokia 2016


Serendipity

© 2013 HERE | Title | Author | Company confidential

or... how to retain sanity in a rapidly changing, chaotic environment where you don’t know anything and there’s no rule book or process...

35 © Nokia 2016


The Sterile Field


Key:

• Sterile

• Non-sterile

36 © Nokia 2016


Movement of materials from one area to the other must be controlled to prevent contamination of the sterile field with non-sterile items

Strict protocols prevent contamination

37 © Nokia 2016


Culture

38 © Nokia 2016


Roles

Diagram: the system under audit sits at the centre, surrounded by the Privacy Officer, Legal, Security and Architects. Along the project development and processes timeline run the checklists: R&D Team Checklist (before review), R&D Team Checklist (post-review), Audit Team Checklist (sign-in), Audit Team Checklist (time-out), Audit Team Checklist (sign-out).

39 © Nokia 2016


The process does not and cannot stop because of a lack of compliance...

40 © Nokia 2016


Treat privacy as a safety-critical aspect

41 © Nokia 2016


Your job as privacy professionals is to understand the state of the system – regardless of whether it is good or bad – before moving on...

There can be no privacy heroes