2002-10-22 Privacy Technology: Can we afford to wait for the future? Peter Hope-Tindall Peter...
2002-10-22
Privacy Technology: Can we afford to wait for the future?
Peter Hope-Tindall, Privacy Architect
([email protected])
Privacy by Design™
CACR 3rd Annual Privacy and Security Workshop
November 7-8, 2002
2002-10-22
© 2002
Privacy
“Privacy is at the heart of liberty in the modern state.” Alan Westin
“the right to be let alone” Warren & Brandeis
“the right to exercise control over your personal information.” Ann Cavoukian
Defining Privacy
Traditional legal and societal test has been framed around the “Reasonable Expectation of Privacy” test.
Often used to justify removal of privacy.
Fails to fully understand and express the complex nature of Privacy.
Example: CCTV in Public Spaces
Most commentators would suggest we have “No reasonable expectation of Privacy”
Justification for CCTV or other tracking.
Not that simple:
– In a public place,
  » Observable – Expectation that I will be observed
  » Anonymous/Pseudonymous – Expectation
  » May/may not be Linkable
Marketplace
Different definitions of Privacy
– Privacy confused with Security (sometimes intentionally)
Privacy as a Marketing tool
Must give up Privacy to improve Security
Technology solutions looking for a problem
Snake Oil
Little in the way of Standards for Products and Services
Nothing in the way of Certification & Testing
PKI
Present day Problems
Traditional IT dogma has encouraged the collection of information.
– Opportunistic database design
– Driven by hardware/software limitations of the past
– Creates Other Problems (If you collect it; you need to protect it!)
Privacy Aware IT will discourage the collection of information.
– Minimalist database and system design
– Justification
Security and Privacy
Security:
• authentication
• data-integrity
• confidentiality
• access controls
• non-repudiation
Privacy:
• data protection - FIPs (not FIPS)
n.b. FIPs: Fair Information Practices
FIPS: Federal Information Processing Standards
Security vs. Privacy
Security: Accountable to President/CEO, Board of Directors.
Privacy: Accountable to the data subject.

Security: Risk based assessment (how likely is it?).
Privacy: Capabilities based assessment (is it possible?).

Security: Access and use controls defined by the system owner.
Privacy: Access and use controls defined by use limitation and consent of data subject and legislation.

Security: Has been focused on protecting against outsiders.
Privacy: Protecting against outsiders, insiders and system owner.
Different Approaches to Privacy
Build in elements of personal Consent and Control
Central Repository/Decision Model – a rule based or heuristic Privacy Model; EPM
Divide and Conquer – strategic pseudonymisation/anonymisation
Smart Hardware
– Privacy Rules Embedded in Hardware
Smart Data
– Encapsulate Methods inside the data
Privacy Enhancing Technologies
Anonymization/Pseudonymization Tools
Proxies / Intelligent Agents
Firewalls / Filters
Privacy Labels
Onion Routing
Policy Tools
Encryption Tools & Services
What is Privacy Architecture
Initial View (diagram): Privacy, Security, Application, Technology, Data, Network
Reality (diagram): Privacy, Security, Application, Technology, Data, Network
Where is Privacy Architecture?
(diagram) Privacy Framework; PIA; Privacy Architecture; Legislation; Guidelines; Directives; Best Practices; Communication Plan
(diagram)
Policy (PIA)
Technology (Privacy Architecture)
Privacy Framework/Strategy
Privacy Framework
Summary of Legislation, Practices, Directives, Policies, High Level Overview of Proposed System.
Customized Best Practices
Document can be used as an early demonstration of good faith and approach
Privacy chapter in RFP
PIA: Privacy Impact Assessment
Diagnostic Tool
Identifies Issues
May Respond to Issues with non-technical solutions
May identify Issues to be resolved in Privacy Architecture
Active and Passive: Introduce elements of individual consent and control
Privacy Architecture
Diagnostic Tool
Identifies Issues & Options
May Respond to Issues with technical solutions
May identify Issues to be resolved in PIA/Policy
Active and Passive: Introduce elements of individual consent and control
What is Privacy Architecture?
Allow technical privacy problems identified in other architectures to be overcome.
Bring together the privacy components of all architectures in a single Privacy Chapter in the design book (This can then be presented as the ‘Technical Privacy Design’ of an entire project).
Look for opportunities (Technical – in an active manner) for the introduction of privacy enhancing components, which will tend to introduce elements of consent and individual control into the technical architecture.
What is Privacy Architecture?
Look for opportunities (Technical – in a responsive manner) for the introduction of compensating components in response to issues raised during conceptual and logical design, in response to issues identified in a PIA, and in response to policy decisions made.
Provide privacy oversight and expertise to the architectural development sessions, definition of terms, to participate in the foundational grounding of all of the architecture areas.
What is Privacy Architecture? Summary
Technical Privacy Leadership
Focus of Privacy
Responsive Role
Active Role
Educational Role
Problems with the Traditional PIA
Often encourages ‘compliance mentality’
Point of pain may become point of no solution
Risk that issues may be reported and forgotten
Emphasizes Policy and Legislative solutions, not technical solutions
Integration with IT Architecture group problems
How do we measure success?
Identity
– Measures the degree to which information is personally identifiable.
Linkability
– Measures the degree to which data tuples or transactions are linked to each other.
Observability
– Measures the degree to which identity or linkability may be impacted from the use of a system.
With thanks and apologies to the Common Criteria
Identity (nymity)
Measures the degree to which information is personally identifiable.
Scale (diagram), from least to most identifying:
Anonymity: the quality or state of being unknown; without name.
Non-Reversible Pseudonymity
Reversible Pseudonymity
Verinymity: truly named (from Latin verus, true).
Pseudonymity: from Greek pseudonumon, neuter of pseudonumos, falsely named.
Linkability
This metric requires n data elements, where n > 1.
Measures the degree to which data elements are linked to each other. (Identity measurement can be thought of as the degree to which data elements are linkable to the verinym or true name of the data subject.)
Scale (diagram):
Unlinkability: It cannot be determined which set of transactions belong with each other.
Full Linkability: It may be fully determined which set of transactions belong with each other. Example: Transactions belonging to the same individual.
Linkability
The requirements for unlinkability are intended to protect the user against the use of profiling of operations. For example, when a telephone smart card is employed with a unique number, the telephone company can determine the behavior of the user of this telephone card. Hiding the relationship between different invocations of a service or access of a resource will prevent this kind of information gathering.
Unlinkability requires that different operations cannot be related. This relationship can take several forms. For example, the user associated with the operation, or the terminal which initiated the action, or the time the action was executed.
The primary solution to linkability is generally the token based approach, with an awareness of other factors (time, location, message contents (which we refer to as observability)) which could also tend to allow transactions to be linked. In addition, approaches such as message padding and ‘salting’ are employed to prevent data matches.
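The telephone-card profiling problem and the token-based countermeasure described above, as an added example that is not part of the original slides: a small Python script (standard library only) in which an operator first profiles a user from a global card number, then from an unkeyed hash of it (which a dictionary attack over the enumerable 8-digit card space reverses), and finally from keyed, per-service pseudonyms plus padded messages, which keep a subject's transactions linkable within one service but not across services. Card numbers, services and messages are constructed, and the secret is a hypothetical per-deployment key.

```python
"""Linkability: global tokens vs keyed, context-specific pseudonyms.

Added example (not from the original slides). All data is constructed.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample universe: 8-digit telephone-card numbers. The real space is
# 10**8, still trivially enumerable; 2000 keeps the demo instant.
CARD_UNIVERSE = [f"{n:08d}" for n in range(2000)]

# Constructed transactions: (card_number, service, message).
TRANSACTIONS = [
    ("00000042", "payphone", "call to 416 area"),
    ("00000042", "payphone", "call to 613 area"),
    ("00000042", "transit", "fare, zone 2"),
    ("00001337", "payphone", "call to 905 area"),
    ("00001337", "transit", "fare, zone 1"),
]


def profile_by_token(records, tokenize):
    """Operator's view: transactions grouped by whatever token it gets to see."""
    groups = defaultdict(list)
    for card, service, msg in records:
        groups[tokenize(card, service)].append((service, msg))
    return dict(groups)


def global_token(card, service):
    """Unique card number on every transaction: everything a card does is one
    profile, and the issuer's card register turns the token into a name."""
    return card


def unkeyed_hash(card, service):
    """Hashing the number changes nothing: still one token per card across all
    services, and the small identifier space makes the hash reversible."""
    return hashlib.sha256(card.encode()).hexdigest()


def dictionary_attack(tokens, universe, tokenize):
    """Recover identifiers from unkeyed tokens by enumerating the identifier space."""
    table = {tokenize(c, None): c for c in universe}
    return {t: table.get(t) for t in tokens}


def context_pseudonym(secret, card, service):
    """Keyed pseudonym bound to the relying service (the 'salting' on the slide):
    the same card yields unrelated tokens at payphone and transit, so the two
    datasets cannot be joined, and without `secret` enumeration is useless."""
    return hmac.new(secret, f"{service}\x00{card}".encode(), hashlib.sha256).hexdigest()


def cross_service_join(groups, service_a, service_b):
    """Tokens seen in both services: what a join between the two datasets links."""
    seen_a = {t for t, txs in groups.items() if any(s == service_a for s, _ in txs)}
    seen_b = {t for t, txs in groups.items() if any(s == service_b for s, _ in txs)}
    return seen_a & seen_b


def pad_message(msg, block=32):
    """Pad to a multiple of `block` bytes so message length is not a linking feature."""
    data = msg.encode()
    n = block - len(data) % block
    return data + bytes([n]) * n


def run_demo(secret=None):
    """Return the linkability outcomes under each tokenisation scheme."""
    secret = secret or secrets.token_bytes(32)  # hypothetical per-deployment key
    raw = profile_by_token(TRANSACTIONS, global_token)
    hashed = profile_by_token(TRANSACTIONS, unkeyed_hash)
    recovered = dictionary_attack(hashed, CARD_UNIVERSE, unkeyed_hash)
    pseud = profile_by_token(TRANSACTIONS, lambda c, s: context_pseudonym(secret, c, s))
    return {
        "raw_profiles": len(raw),
        "raw_cross_service": len(cross_service_join(raw, "payphone", "transit")),
        "hashed_cross_service": len(cross_service_join(hashed, "payphone", "transit")),
        "hashed_recovered": sum(v is not None for v in recovered.values()),
        "pseudonym_tokens": len(pseud),
        "pseudonym_cross_service": len(cross_service_join(pseud, "payphone", "transit")),
        "padded_lengths": sorted({len(pad_message(m)) for _, _, m in TRANSACTIONS}),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Within one service the keyed pseudonym is still stable, so billing and fraud checks keep working; what disappears is the operator's ability to assemble a profile across services, or for anyone without the key to walk the card space back to a number.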
Observability
Measures the degree to which identity or linkability may be impacted from the use of a system.
Scale (diagram):
Non Observability: Nothing can be inferred from the record of the use of a system. No record is made of the use of resources, location or transactions.
Full Observability: Identity or Linkability can be inferred from the record of the use of a system. Full audit record is made of the use of resources, location or transactions.
(diagram) Identity, Observability, Linkability: the three metrics shown together
Target…
Decrease amounts of Identity
Decrease amounts of Linkability
Decrease amounts of Observability
(Process flowchart) Process Title: Renew Smart Card; Page 3; Ver: 4.2. Drawn By: Smart Card Business Design Team, Management Board Secretariat - Smart Card Project. Date: 10/05/01.
Swimlanes: Client; Client Service Interface (agent, kiosk, etc.); Program Manager; CRCC. Yes/No decision branches; “Go to Prepare Card Production File”; End.
Annotations on the flow: De-identify; De-Link
Let’s Simplify
Simple Artifacts that can be utilized anywhere within the architecture:
De-identification Service
De-linking Service
De-observability Service
Consent Collection Service
Consent Verification Service
Use Case
Activity Diagrams
Summary
Objective Metric
Encourages a multi-discipline approach
Allows privacy success of new measures to be quantified even with today’s non-optimal technology
Allows privacy impact of new measures to be minimized
Allows iteration and improvement
Success Considerations
Open discussion
– Comes naturally to technologists but not always to government or liability conscious companies
Technology is not evil despite what some would have us believe
Statutory Protection
Develop the Best Technology and the Best Policy
Search for improvement
It’s not easy - Privacy without tools/technologies is hard
Technology, law and policy/practices; we need all three!
Concerns
Lawful Access - Public Safety & Privacy
Privacy Sensitive Projects
– Infrastructure with surveillance opportunity
– Smart Cards/PKI
– Biometrics
– Data Aggregation (Physical or Logical)
  » Federated data warehouse
Where Auditability requires Identity
– Reversible Pseudonymity is an option
  » Cryptographic key for identity resolution in custody of oversight body
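The reversible-pseudonymity option above, as an added example that is not part of the original slides: a Python sketch (standard library only) of a de-identification arrangement in which the operational system stores only pseudonyms and can still link one subject's events for audit, while the key that resolves a pseudonym back to a verinym sits with an oversight body that logs each resolution. A non-reversible pseudonymizer, whose key is destroyed after the batch, sits beside it for contrast with the nymity scale earlier in the deck; anonymity, the far end of that scale, is simply not collecting the identifier. The oversight body, the operational system, the names and the "auditor" requester are all hypothetical, and the HMAC-based deterministic encryption is an illustrative stand-in for AES-SIV or a format-preserving mode.

```python
"""Reversible pseudonymity with the resolution key in an oversight body's custody.
Added example, not from the original slides; identities are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TAG_LEN = 16  # bytes of synthetic IV kept in front of the ciphertext

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(k_enc, tag, n):
    """HMAC-SHA256 in counter mode, seeded by the synthetic IV."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, tag + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def det_encrypt(key, plaintext):
    """Deterministic (SIV-style) encryption built from HMAC so the example stays
    stdlib-only; equal inputs give equal outputs, which is what makes the result
    usable as a pseudonym. A deployment would use AES-SIV or an FPE mode."""
    tag = hmac.new(_subkey(key, b"tag"), plaintext, hashlib.sha256).digest()[:TAG_LEN]
    ks = _keystream(_subkey(key, b"enc"), tag, len(plaintext))
    return tag + bytes(a ^ b for a, b in zip(plaintext, ks))

def det_decrypt(key, blob):
    """Inverse of det_encrypt; rejects blobs not produced under `key`."""
    tag, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), tag, len(ct))))
    check = hmac.new(_subkey(key, b"tag"), pt, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(check, tag):
        raise ValueError("not a pseudonym issued under this key")
    return pt

@dataclass
class OversightBody:
    """Sole custodian of the resolution key; every resolution leaves a trace."""
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    resolution_log: list = field(default_factory=list)

    def pseudonymize(self, identity):
        # Reversible pseudonym: same identity -> same token, invertible only here.
        return det_encrypt(self._key, identity.encode()).hex()

    def resolve(self, pseudonym, requested_by):
        identity = det_decrypt(self._key, bytes.fromhex(pseudonym)).decode()
        self.resolution_log.append((pseudonym, requested_by))
        return identity

class OperationalSystem:
    """Holds pseudonyms only: it can link one subject's events to each other
    (what auditability needs) but, having no key, cannot name the subject."""
    def __init__(self, de_identify):
        self._de_identify = de_identify
        self.records = []

    def ingest(self, identity, event):
        self.records.append((self._de_identify(identity), event))

    def events_for(self, pseudonym):
        return [e for p, e in self.records if p == pseudonym]

class NonReversiblePseudonymizer:
    """Keyed one-way pseudonym whose key lives for one batch only; after close()
    nothing retained can reverse the tokens or link a later batch to this one."""
    def __init__(self):
        self._key = secrets.token_bytes(32)

    def pseudonymize(self, identity):
        if self._key is None:
            raise RuntimeError("batch closed; key destroyed")
        return hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()

    def close(self):
        self._key = None

def run_demo(oversight=None):
    """Constructed records flow through the operational system; only the
    oversight body turns a pseudonym back into a name."""
    oversight = oversight or OversightBody()
    system = OperationalSystem(oversight.pseudonymize)
    for who, what in [("Alice Example", "renewed card"),
                      ("Alice Example", "kiosk login"),
                      ("Bob Example", "renewed card")]:
        system.ingest(who, what)
    alice = oversight.pseudonymize("Alice Example")
    return {
        "names_stored": any(p in ("Alice Example", "Bob Example") for p, _ in system.records),
        "events_linked_for_alice": len(system.events_for(alice)),
        "resolved_by_oversight": oversight.resolve(alice, requested_by="auditor"),
        "resolutions_logged": len(oversight.resolution_log),
    }

if __name__ == "__main__":
    print(run_demo())
```

The design point is the custody split, not the cipher: the system owner never holds the key, so "protecting against the system owner" from the Security vs. Privacy comparison is enforced by where the key lives rather than by policy alone, and the resolution log gives the oversight body something to account for.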
Recommendations
Build an accurate data and system model
Attempt to align privacy and security
– PETs
– honest threat models
– make anonymity and pseudonymity the default wherever possible
In case of impasse
– Choice of last resort
– ensure that privacy invasive security actually helps
– raise the bar
Interesting Technology
Biometric Encryption
Digital Credentials – Stefan Brands
– www.credentica.com
“PKI Lite” – PKI primitives without all of the trust & cross certification questions answered.
Resources
http://www.privacyarchitecture.com
“Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy,” ISBN 0-262-02491-8, MIT Press, August 2000
http://www.ipc.on.ca
Roger Clarke
– http://www.anu.edu.au/people/Roger.Clarke/
Contact Information
Peter Hope-Tindall
dataPrivacy Partners Ltd.
5744 Prairie Circle
Mississauga, ON L5N 6B5
Phone: +1 (416) 410-0240
E-Mail: [email protected]