Personal Privacy

Transcript of Personal Privacy

Page 1: Personal Privacy

Personal Privacy

Ross Anderson

Professor of Security Engineering

Cambridge University

Page 2: Personal Privacy

Privacy Engineering

• Engineering for privacy, as for security or dependability, involves

– computer science – for matters like scalability

– economics – systems often fail when the people who maintain them have the wrong incentives

– psychology – the feeling and the reality are often different

• Privacy is particularly hard because all three of these factors are often pushing the wrong way

Page 3: Personal Privacy

Privacy and Business

• It’s economically efficient to charge different prices to different customers

• The falling costs of collecting and processing data make this easier

• The move of businesses online makes them more like the software business (with low marginal costs, network effects and lock-in), which makes price discrimination more profitable

• However, price discrimination annoys people – especially those who end up paying more

Page 4: Personal Privacy

Example – Facebook

• A newsworthy conflict of interest

– Facebook wants to sell user data

– Users want feeling of intimacy, small group, social control

• Complex access controls – 60+ settings on 7 pages

• Privacy almost never salient (deliberately!)

• Over 90% of users never change defaults

• This lets Facebook blame the customer when things go wrong

Page 5: Personal Privacy

How Privacy Scales

• Main privacy threat is usually insiders

• Traditional GP: 12 staff have access to 10,000 records. Can cope with that!

• What happens if we let 45,000 GPs plus 40,000 staff see 50,000,000 records?

• Lesson from Scotland

• Effect of pervasive malware

• What’s done in intelligence agencies

Page 6: Personal Privacy

‘Database State’

• The Joseph Rowntree Reform Trust sponsored a systematic study of all government systems that hold information on at least a substantial minority of us

• Authors: me, Ian Brown, Terri Dowty, Philip Ingelsant, William Heath, Angela Sasse

• Are these databases legal, and effective?

• Which systems should the next Government scrap, keep or fix?

Page 7: Personal Privacy

Database State (2)

• Of 46 systems, we found that 11 were almost certainly illegal

• Health: SUS, DCR – fall foul of I v Finland judgement

• Kids: eCAF, ONSET, ContactPoint

• Home Office: NDNAD, NIR, IMP

• DWP data sharing, National Fraud Initiative

• The EU Prüm framework

Page 8: Personal Privacy

Database State (3)

• We also found 29 ‘amber’ databases with significant problems, including

– National Childhood Obesity Database (why?)

– NHS Summary Care record (almost useless)

– National Pupil Database (mission creep)

– Police National Database (federating much stuff that used to be local, like the NHS)

• Only 6 of 46 databases got a green light (and one of those was an error)!

Page 9: Personal Privacy

Where Are We Now?

• Three ‘red’ systems were closed down (NIR, ContactPoint, NAO)

• Other red systems being spun/renamed (IMP)

• Two new ‘red’ systems – SCR and YJCMS

• A number of ‘amber’ systems that harm privacy while providing no benefit are spared (NCOD, NPD, Learner Records Service)

• In short: no real change, despite Coalition Agreement and the parties’ pre-election pitches

Page 10: Personal Privacy

Statistical Security

• The Department of Health wants to keep its databases but protect privacy by stripping out patients’ names and addresses

• But this doesn’t in general work!

• Example: find the salary of the female professor in the computer lab as (average salary of all professors) × (number of professors) − (average salary of male professors) × (number of male professors)

• With health it’s even harder – especially as researchers want longitudinal records that link up care episodes
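The differencing attack on the slide, worked through as an added example (not part of the original deck): a statistical interface that only releases averages, and refuses small query sets, still yields one person's exact value from two permitted queries; noise scaled to a public salary cap (an assumed bound, not from the slides) is the kind of control that actually limits what is learned. The salary table is constructed for illustration.

```python
import random
from typing import Callable, Optional, Tuple

# Constructed sample: a de-identified salary table (names stripped), one female professor.
PROFESSORS = [
    {"id": 1, "sex": "M", "salary": 90_000},
    {"id": 2, "sex": "M", "salary": 95_000},
    {"id": 3, "sex": "M", "salary": 100_000},
    {"id": 4, "sex": "F", "salary": 110_000},
    {"id": 5, "sex": "M", "salary": 85_000},
]
MIN_QUERY_SET = 3     # common "statistical" control: refuse aggregates over fewer rows
SALARY_CAP = 200_000  # assumed public upper bound on any one salary (sets the sensitivity)

Predicate = Callable[[dict], bool]


def average_salary(pred: Predicate) -> Optional[Tuple[float, int]]:
    """Query interface: (mean, count) for matching rows, or None if the set is too small."""
    rows = [r["salary"] for r in PROFESSORS if pred(r)]
    if len(rows) < MIN_QUERY_SET:
        return None  # direct query for the single female professor is blocked here
    return sum(rows) / len(rows), len(rows)


def differencing_attack() -> Optional[float]:
    """Two large, permitted aggregates differ by exactly the excluded individual's value."""
    everyone = average_salary(lambda r: True)
    men = average_salary(lambda r: r["sex"] == "M")
    if everyone is None or men is None:
        return None
    (avg_all, n_all), (avg_men, n_men) = everyone, men
    return avg_all * n_all - avg_men * n_men  # total(all) - total(men) = total(remaining one)


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) sample, built as the difference of two exponentials."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)


def noisy_total(pred: Predicate, epsilon: float, rng: random.Random) -> float:
    """Sum released with Laplace noise calibrated to the largest single-row contribution."""
    true_total = sum(r["salary"] for r in PROFESSORS if pred(r))
    return true_total + laplace_noise(SALARY_CAP / epsilon, rng)


def differencing_attack_noisy(epsilon: float = 0.1, seed: int = 1) -> float:
    """Same differencing against the noisy interface: the result no longer pins down one row."""
    rng = random.Random(seed)
    return noisy_total(lambda r: True, epsilon, rng) - noisy_total(lambda r: r["sex"] == "M", epsilon, rng)
```

With epsilon = 0.1 and a 200,000 cap the noise scale is 2,000,000 per query, far larger than the salary being protected, which is the trade-off the slide alludes to: useful statistics and exact protection of each record pull against each other.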

Page 11: Personal Privacy

Economics of Privacy

• Economics of security has been a rapidly growing field since 2001

• The economics of privacy are perplexing!

• People say they value privacy, but usually act otherwise

• Is this due to ignorance, externalities, social effects, …?

• Will people suddenly become militant?

Page 12: Personal Privacy

Conclusion

• Privacy online is hard!

• The economics, psychology and computer science often push in the wrong direction

• The private sector is motivated by price discrimination

• The public sector is somewhat similar, with a drive to ‘personalised service’ or ‘transformation government’

• What sets the boundary? European law? A public reaction against ‘creepy’ organisations? Rational rejection of surveillance by richer citizens?

Page 13: Personal Privacy

Europe to the Rescue?

• The I v Finland case, 2008

• Ms “I” was a nurse in Helsinki, HIV+

• Her hospital systems let everyone see everything

• Her colleagues found out about her HIV and hounded her out of her job

• ECHR: she had a right to restrict her health records to clinicians involved directly in her care

• Now, so do we all!
