Dwyer "Privacy by Design: Can It Work?"
Transcript of Dwyer "Privacy by Design: Can It Work?"
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
1
Privacy by Design: Can it Work?
Catherine Dwyer
Seidenberg School of Computer Science & Information Systems
Pace University
New York, NY
2
Gehry Building, 8 Spruce Street
3
Online Privacy
Lawyers
Technologists
Organizations
Citizens
4
Privacy Research Group – NYU Law
5
What is Privacy by Design?
Ann Cavoukian, Information & Privacy Commissioner, Ontario, Canada
6
Principles of Privacy by Design
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality — Positive-Sum, not Zero-Sum
5. End-to-End Security — Full Lifecycle Protection
6. Visibility and Transparency — Keep it Open
7. Respect for User Privacy — Keep it User-Centric
From www.privacybydesign.ca
7
Legal perspective
4th Amendment: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
8
Third party doctrine
“The Supreme Court has repeatedly held, however, that the Fourth Amendment does not protect information revealed to third parties.” (Kerr, 2004)
Third party – any business, organization, ISP, cloud service providers
Once you “share” data with a third party, you lose 4th amendment protection
4th amendment standard is “probable cause,” 3rd party standard is “relevant to an investigation” and “not overbroad” (Kerr, 2004)
9
Source: Google transparency report, more than 18,000 requests from governments around the globe for Google user data (7/11-12/11)
10
Source: WikiLeaks
11
Problems With PbD
“Privacy by design is an amorphous concept… it is not clear … what regulators really have in mind when they urge firms developing products to build in privacy.” (Rubinstein, 2011)
Requirements engineering is needed to transform privacy by design from vague admonitions into a structured design process with tangible outcomes (Rubinstein, 2011)
12
Excerpt from FTC Staff Report, March 2012, which uses “reasonable” more than 50 times in a 112 page report.
13
Design & Model
14
Engineer & Build
15
Tangible Outcome
16
Gehry building – 8 Spruce Street
17
Design versus engineering
Design focuses on models
Engineering focuses on requirements
Requirements must be measurable and verifiable
18
Moving to privacy engineering
Need to move from “privacy by design” to “privacy requirements engineering”
Design can capture broad objectives (“buildings should be constructed with fireproof materials”)
Engineering makes those objectives tangible (“fireproof material must be able to bear weight for four hours of fire at 1000 degrees F”)
19
Example: Privacy Principle
“Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.” (source: FTC Staff Report, March 2012)
20
Engineering Requirements
“The risk of data exposure can be further minimized by reducing the sensitivity of stored data wherever possible … for example, when using the customer’s IP address to determine location for statistical analysis, discard the IP address after mapping it to a city or town.”
source: Microsoft Privacy Guidelines for Developers, 2008
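The IP-to-locality rule quoted above, as an added example that is not from the talk or from the Microsoft guidelines: the IP address is consumed only to derive a city or town and is dropped before the record is stored, and a separate check scans the output so the requirement is verifiable (the earlier slide's "measurable and verifiable" test) rather than assumed. The lookup table, field names and sample events are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed lookup table standing in for a geolocation database (hypothetical).
_GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "Example City",
    ipaddress.ip_network("198.51.100.0/24"): "Sample Town",
    ipaddress.ip_network("2001:db8::/32"): "Doc Village",
}

def ip_to_locality(ip: str) -> Optional[str]:
    """Map an IP address to a city/town name, or None when it is not covered."""
    addr = ipaddress.ip_address(ip)
    for net, name in _GEO_TABLE.items():
        if addr in net:
            return name
    return None

def minimize_event(raw_event: dict) -> dict:
    """Build the record that may be stored: the IP is consumed to derive the
    locality and is deliberately not copied through (the quoted retention rule)."""
    stored = {k: v for k, v in raw_event.items() if k != "ip"}
    stored["locality"] = ip_to_locality(raw_event["ip"]) or "unknown"
    return stored

def contains_ip_address(record: dict) -> bool:
    """Verification step: does any string field still parse as an IP address?"""
    for value in record.values():
        if not isinstance(value, str):
            continue
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            pass
    return False

def process_batch(raw_events: list) -> list:
    """Minimize a batch and enforce the requirement before anything is persisted."""
    stored = [minimize_event(e) for e in raw_events]
    offenders = [r for r in stored if contains_ip_address(r)]
    if offenders:
        raise ValueError(f"{len(offenders)} record(s) still carry an IP address")
    return stored

# Constructed sample input using documentation-range addresses, not real users.
SAMPLE_EVENTS = [
    {"ip": "192.0.2.44", "path": "/search", "ts": "2012-06-26T10:00:00Z"},
    {"ip": "2001:db8::1", "path": "/login", "ts": "2012-06-26T10:00:05Z"},
    {"ip": "203.0.113.9", "path": "/", "ts": "2012-06-26T10:00:09Z"},
]
```

Because `process_batch` rejects any output record that still carries an address in any field, a later change that copies the IP into, say, a free-text note fails the check instead of silently weakening the retention rule.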
21
How can this be accomplished?
Qualitative – focus groups/interviews with domain experts/stakeholders
Quantitative – formal analysis of statutes and regulations (see Breaux and Anton, 2007)
22
Privacy Requirements Engineering
Source: “A Framework for Modeling Privacy Requirements in Role Engineering,” He and Anton, 2003
RBAC = Role Based Access Control
23
Development tools are needed
Can’t manage the complexity of describing privacy engineering requirements “by hand,” takes too long
Can’t audit privacy of information systems “by hand,” not comprehensive enough
24
Ghostery: Tracking tools found on Dictionary.com
25
Firefox Collusion: Graph of tracking entities and flow of data
26
Network traffic visualization
27
Recommendations
Emphasize privacy requirements engineering
Develop data visualization tools (enterprise level) that model information flows and identify privacy weaknesses
Model information flow within business processes and determine if privacy requirements are being met
28
Questions? Thank you!
Catherine Dwyer
Seidenberg School of Computer Science and Information Systems
Pace University
Twitter: @ProfCDwyer