2002-10-22

Privacy Technology: Can we Privacy Technology: Can we afford to wait for the future?afford to wait for the future?

Peter Hope-TindallPeter Hope-TindallPrivacy ArchitectPrivacy Architect

(pht@dataPrivacy.com)(pht@dataPrivacy.com)

Privacy by Design™

CACR 3rd Annual Privacy and Security WorkshopCACR 3rd Annual Privacy and Security Workshop

November 7-8, 2002November 7-8, 2002

2002-10-22

© 2002

PrivacyPrivacy

“Privacy is at the heart of liberty in the modern state.” Alan Westin

“the right to be let alone” Warren & Brandeis

““the right to exercise the right to exercise control over your personal control over your personal information.” information.” Ann CavoukianAnn Cavoukian

2002-10-22

© 2002

Defining PrivacyDefining PrivacyTraditional legal and societal test has Traditional legal and societal test has been framed around “Reasonable been framed around “Reasonable Expectation of Privacy” test. Expectation of Privacy” test.

Often used to justify removal of Often used to justify removal of privacy.privacy.

Fails to fully understand and express Fails to fully understand and express the complex nature of Privacy.the complex nature of Privacy.

2002-10-22

© 2002

Example: CCTV in Public Example: CCTV in Public SpacesSpaces

Most commentators would suggest we have Most commentators would suggest we have “No reasonable expectation of Privacy”“No reasonable expectation of Privacy”

Justification for CCTV or other tracking.Justification for CCTV or other tracking.

Not that simple:Not that simple:– In a public place,In a public place,

» Observable – Expectation that I will be observedObservable – Expectation that I will be observed» Anonymous/Pseudonymous - ExpectationAnonymous/Pseudonymous - Expectation» May/may not be LinkableMay/may not be Linkable

2002-10-22

© 2002

MarketplaceMarketplace Different definitions of PrivacyDifferent definitions of Privacy

– Privacy confused with Security (sometimes Privacy confused with Security (sometimes intentionally)intentionally)

Privacy as a Marketing toolPrivacy as a Marketing tool Must give up Privacy to improve SecurityMust give up Privacy to improve Security Technology solutions looking for a problemTechnology solutions looking for a problem Snake Oil Snake Oil Little in the way of Standards for Products and Little in the way of Standards for Products and

ServicesServices Nothing in the way of Certification & TestingNothing in the way of Certification & Testing

2002-10-22

© 2002

PKIPKI

2002-10-22

© 2002

Present day ProblemsPresent day Problems Traditional IT dogma has encouraged the Traditional IT dogma has encouraged the

collection of information.collection of information.– Opportunistic database designOpportunistic database design– Driven by hardware/software limitations of the pastDriven by hardware/software limitations of the past– Creates Other Problems (If you collect it; you need to Creates Other Problems (If you collect it; you need to

protect it!)protect it!) Privacy Aware IT will discourage the collection of Privacy Aware IT will discourage the collection of

information.information.– Minimalist database and system designMinimalist database and system design– JustificationJustification

2002-10-22

© 2002

Security and PrivacySecurity and Privacy

• authentication

• data-integrity

• confidentiality

• access controls

• non-repudiation

Security

Privacy

• data protection - FIPs (not FIPS)

n.b.n.b. FIPs: Fair Information PracticesFIPs: Fair Information Practices

FIPS: Federal Information Processing StandardsFIPS: Federal Information Processing Standards

2002-10-22

© 2002

Security vs. PrivacySecurity vs. Privacy Accountable to Accountable to

President/CEO Board of President/CEO Board of Directors.Directors.

Risk based assessment. Risk based assessment. (how likely is it?)(how likely is it?)

Access and use controls Access and use controls defined by the system defined by the system owner.owner.

Has been focused on Has been focused on protecting against protecting against outsiders.outsiders.

Accountable to the data Accountable to the data subject.subject.

Capabilities based Capabilities based assessment.assessment.(is it possible?)(is it possible?)

Access and use controls Access and use controls defined by defined by use limitation use limitation and consent of data subject and consent of data subject and legislation.and legislation.

Protecting against outsiders, Protecting against outsiders, insiders and system owner.insiders and system owner.

2002-10-22

© 2002

Different Approaches to PrivacyDifferent Approaches to PrivacyBuild in elements of personal Consent and ControlBuild in elements of personal Consent and Control

Central Repository/Decision Model – a rule Central Repository/Decision Model – a rule based or heuristic Privacy Model; EPMbased or heuristic Privacy Model; EPM

Divide and Conquer – strategic Divide and Conquer – strategic pseudonymisation/anonymisationpseudonymisation/anonymisation

Smart HardwareSmart Hardware– Privacy Rules Embedded in HardwarePrivacy Rules Embedded in Hardware

Smart DataSmart Data– Encapsulate Methods inside the dataEncapsulate Methods inside the data

2002-10-22

© 2002

Privacy Enhancing TechnologiesPrivacy Enhancing Technologies

Anonymization/Pseudonamization ToolsAnonymization/Pseudonamization Tools Proxies / Intelligent AgentsProxies / Intelligent Agents Firewalls / FiltersFirewalls / Filters Privacy LabelsPrivacy Labels Onion RoutingOnion Routing Policy ToolsPolicy Tools Encryption Tools & ServicesEncryption Tools & Services

2002-10-22

© 2002

What is Privacy ArchitectureWhat is Privacy Architecture

Initial ViewInitial ViewP

riva

cyP

riva

cy

Sec

urit

yS

ecur

ity

App

lica

tion

App

lica

tion

Tec

hnol

ogy

Tec

hnol

ogy

Dat

aD

ata

Net

wor

kN

etw

ork

2002-10-22

© 2002

RealityRealityP

riva

cyP

riva

cy

Sec

urit

yS

ecur

ity

App

lica

tion

App

lica

tion

Tec

hnol

ogy

Tec

hnol

ogy

Dat

aD

ata

Net

wor

kN

etw

ork

2002-10-22

© 2002

Where is Privacy Architecture?Where is Privacy Architecture?

PrivacyFramework

PIA PrivacyArchitecture

PrivacyArchitecture

Legislation

Guidelines

Directives

BestPractices

CommunicationPlan

2002-10-22

© 2002

PolicyPolicy(PIA)(PIA)

TechnologyTechnology(Privacy (Privacy Architecture)Architecture)

Privacy Privacy Framework/StrategyFramework/Strategy

2002-10-22

© 2002

Privacy FrameworkPrivacy Framework

Summary of Legislation, Practices, Directives, Summary of Legislation, Practices, Directives, Policies, High Level Overview of Proposed Policies, High Level Overview of Proposed System.System.

CustomizedCustomized Best PracticesBest Practices Document can be used as an early demonstration Document can be used as an early demonstration

of good faith and approachof good faith and approach Privacy chapter in RFPPrivacy chapter in RFP

2002-10-22

© 2002

PIA: Privacy Impact AssessmentPIA: Privacy Impact Assessment

Diagnostic ToolDiagnostic Tool Identifies IssuesIdentifies Issues May Respond to Issues with non-technical May Respond to Issues with non-technical

solutionssolutions May identify Issues to be resolved in May identify Issues to be resolved in

Privacy ArchitecturePrivacy Architecture Active and Passive: Introduce elements of Active and Passive: Introduce elements of

individual consent and controlindividual consent and control

2002-10-22

© 2002

Privacy ArchitecturePrivacy Architecture

Diagnostic ToolDiagnostic Tool Identifies Issues & OptionsIdentifies Issues & Options May Respond to Issues with technical May Respond to Issues with technical

solutionssolutions May identify Issues to be resolved in May identify Issues to be resolved in

PIA/PolicyPIA/Policy Active and Passive: Introduce elements of Active and Passive: Introduce elements of

individual consent and controlindividual consent and control

2002-10-22

© 2002

What is Privacy Architecture?What is Privacy Architecture?

Allow technical privacy problems identified in other Allow technical privacy problems identified in other architectures to be overcome.architectures to be overcome.

Bring together the privacy components of all Bring together the privacy components of all architectures in a single Privacy Chapter in the design architectures in a single Privacy Chapter in the design book (This can then be presented as the ‘Technical book (This can then be presented as the ‘Technical Privacy Design’ of an entire project.Privacy Design’ of an entire project.

Look for opportunities (Technical – in an active manner) Look for opportunities (Technical – in an active manner) for the introduction of privacy enhancing components, for the introduction of privacy enhancing components, which will tend to introduce elements of consent and which will tend to introduce elements of consent and individual control into the technical architecture.individual control into the technical architecture.

2002-10-22

© 2002

What is Privacy Architecture?What is Privacy Architecture?

Look for opportunities (Technical – in a Look for opportunities (Technical – in a responsive manner) for the introduction of responsive manner) for the introduction of compensating components in response to issues compensating components in response to issues raised during conceptual and logical design, in raised during conceptual and logical design, in response to issues identified in a PIA, and in response to issues identified in a PIA, and in response to policy decisions made.response to policy decisions made.

Provide privacy oversight and expertise to the Provide privacy oversight and expertise to the architectural development sessions, definition of architectural development sessions, definition of terms, to participate in the foundational grounding terms, to participate in the foundational grounding of all of the architecture areas.of all of the architecture areas.

2002-10-22

© 2002

What is Privacy Architecture?What is Privacy Architecture?SummarySummary

Technical Privacy LeadershipTechnical Privacy Leadership Focus of PrivacyFocus of Privacy Responsive RoleResponsive Role Active RoleActive Role Educational Role Educational Role

2002-10-22

© 2002

Problems with the Traditional Problems with the Traditional PIAPIA

Often encourages ‘compliance mentality’Often encourages ‘compliance mentality’ Point of pain may become point of no solutionPoint of pain may become point of no solution Risk that issues may be reported and forgottenRisk that issues may be reported and forgotten Emphasizes Policy and Legislative solutions Emphasizes Policy and Legislative solutions

notnot technical solutions technical solutions Integration with IT Architecture group Integration with IT Architecture group

problemsproblems

2002-10-22

© 2002

How do we measure success?How do we measure success?

IdentityIdentity– Measures the degree to which information is Measures the degree to which information is

personally identifiable.personally identifiable.

LinkabilityLinkability– Measures the degree to which data tuples or Measures the degree to which data tuples or

transactions are linked to each other. transactions are linked to each other.

ObservabilityObservability– Measures the degree to which identity or linkability Measures the degree to which identity or linkability

may be impacted from the use of a system.may be impacted from the use of a system.

With thanks and apologies to the Common CriteriaWith thanks and apologies to the Common Criteria

2002-10-22

© 2002

Identity (nymity)Identity (nymity)

Anonymity Non-ReversiblePseudonymity

from Greek pseudonumon, neuter of

pseudonumos, falsely named

The quality or state of being

unknown. without name

from Latin verus, true,

truly named

Verinymity

Measures the degree to which information is personally identifiable.

ReversiblePseudonymity

2002-10-22

© 2002

LinkabilityLinkability This metric requires n data elements. Where n > 1.

Measures the degree to which data elements are linked to each other. (Identity measurement can be thought of as the degree to which data elements are linkable to the verinym or true name of the data subject).

Unlinkability

It cannot be determined which set of

transactions belong which each other.

It may be fully determined which set of

transactions belong with each other.

Example: Transactions belonging to the same

individual.

Full Linkability

2002-10-22

© 2002

LinkabilityLinkability

The requirements for unlinkability are intended to protect the user against the use of profiling of operations. For example, when a telephone smart card is employed with a unique number, the telephone company can determine the behavior of the user of this telephone card. Hiding the relationship between different invocations of a service or access of a resource will prevent this kind of information gathering.

Unlinkability requires that different operations cannot be related. This relationship can take several forms. For example, the user associated with the operation, or the terminal which initiated the action, or the time the action was executed.

The primary solution to linkability is generally the token based approach, with an awareness of other factors (time, location, message contents (which we refer to as observability)) which could also tend to allow transactions to be linked. In addition, approaches such as message padding and ‘salting’ are employed to prevent data matches.

2002-10-22

© 2002

ObservabilityObservability

Measures the degree to which identity or linkability may be impacted from the use of a system.

Nothing can be inferred from the record of the

use of a system.

No record is made of the use of resources,

location or transactions.

Full ObservabilityNon Observability

Identity or Linkability can be inferred from the record of the use

of a system.

Full audit record is made of the use of

resources, location or transactions.

2002-10-22

© 2002

Identity

Observ

abili

ty

Linkability

2002-10-22

© 2002

Target…Target…

Decrease amounts of identityDecrease amounts of identity Decrease amounts of linkabilityDecrease amounts of linkability Decrease amounts of ObservabilityDecrease amounts of Observability

2002-10-22

© 2002

Process Title: Renew Smart Card File Name: Page - 3Ver: 4.2

Drawn By: Smart Card Business Design TeamManagement Board Secretariat - Smart Card Project Date: 10/05/01

Client

Client ServiceInterface(agent,

kiosk, etc.)

ProgramManager

CRC

C

Yes

No

Go toPrepare Card

Production File

and

and

and

1

1

4

2 3

End

and

No

Yes

2

De-identifyDe-identify De-LinkDe-Link

2002-10-22

© 2002

Let’s SimplifyLet’s Simplify Simple Artifacts that can be utilized Simple Artifacts that can be utilized

anywhere within the architecture:anywhere within the architecture:

De-identification De-identification

ServiceService

De-linkingDe-linking

ServiceService

De-observabilityDe-observability

ServiceService

ConsentConsent

Collection Collection

ServiceService

Consent Consent

Verification Verification

ServiceService

2002-10-22

© 2002

Use CaseUse Case

2002-10-22

© 2002

Activity DiagramsActivity Diagrams

2002-10-22

© 2002

SummarySummary

Objective MetricObjective Metric Encourages a multi-discipline approachEncourages a multi-discipline approach Allows privacy success of new measures to Allows privacy success of new measures to

be quantified even with today’s non-optimal be quantified even with today’s non-optimal technologytechnology

Allow privacy impact of new measures to Allow privacy impact of new measures to be minimizedbe minimized

Allows iteration and improvementAllows iteration and improvement

2002-10-22

© 2002

Success ConsiderationsSuccess Considerations Open discussionOpen discussion

– Comes naturally to technologists but not always to Comes naturally to technologists but not always to government or liability conscious companiesgovernment or liability conscious companies

Technology is not evil despite what some would have us Technology is not evil despite what some would have us believebelieve

Statutory ProtectionStatutory Protection Develop the Best Technology and the Best PolicyDevelop the Best Technology and the Best Policy Search for improvementSearch for improvement It’s not easy - Privacy without tools/technologies is hardIt’s not easy - Privacy without tools/technologies is hard Technology, law and policy/practices; we need all three!Technology, law and policy/practices; we need all three!

2002-10-22

© 2002

ConcernsConcerns Lawful Access - Public Safety & PrivacyLawful Access - Public Safety & Privacy Privacy Sensitive ProjectsPrivacy Sensitive Projects

– Infrastructure with surveillance opportunityInfrastructure with surveillance opportunity– Smart Cards/PKISmart Cards/PKI– BiometricsBiometrics– Data Aggregation (Physical or Logical)Data Aggregation (Physical or Logical)

» Federated data warehouseFederated data warehouse

Where Auditability requires Identity Where Auditability requires Identity – Reversible Pseudonymity is an optionReversible Pseudonymity is an option

» Cryptographic key for identity resolution in custody of Cryptographic key for identity resolution in custody of oversight bodyoversight body

2002-10-22

© 2002

RecommendationsRecommendations

Build an accurate data and system modelBuild an accurate data and system model Attempt to align privacy and securityAttempt to align privacy and security

– PETsPETs– honest threat modelshonest threat models– make anonymity and pseudonymity the default make anonymity and pseudonymity the default

wherever possiblewherever possible In case of impasseIn case of impasse

– Choice of last resortChoice of last resort– ensure that privacy invasive security actually helpsensure that privacy invasive security actually helps– raise the barraise the bar

2002-10-22

© 2002

Interesting TechnologyInteresting Technology

Biometric EncryptionBiometric Encryption Digital Credentials – Stefan BrandsDigital Credentials – Stefan Brands

– www.credentica.comwww.credentica.com ““PKI Lite” – PKI primitives without all of PKI Lite” – PKI primitives without all of

the trust & cross certification questions the trust & cross certification questions answered.answered.

2002-10-22

© 2002

ResourcesResources

http://www.privacyarchitecture.comhttp://www.privacyarchitecture.com ““Rethinking Public Key Infrastructures and Rethinking Public Key Infrastructures and

Digital Certificates: Building in Privacy,”Digital Certificates: Building in Privacy,” “ISBN 0-262-02491-8, MIT Press, August “ISBN 0-262-02491-8, MIT Press, August 20002000

http://www.ipc.on.cahttp://www.ipc.on.ca Roger ClarkeRoger Clarke

– http://www.anu.edu.au/people/Roger.Clarke/http://www.anu.edu.au/people/Roger.Clarke/

2002-10-22

© 2002

Contact InformationContact Information

Peter Hope-TindallPeter Hope-Tindall

dataPrivacy Partners Ltd.dataPrivacy Partners Ltd.

5744 Prairie Circle5744 Prairie Circle

Mississauga, ON L5N 6B5Mississauga, ON L5N 6B5

Phone:Phone: +1 (416) 410-0240+1 (416) 410-0240

E-Mail:E-Mail: pht@dataprivacy.compht@dataprivacy.com

2002-10-22

© 2002

2002-10-22

© 2002

2002-10-22

© 2002