Privacy Engineering from an engineer's view

Transcript of Privacy Engineering from an engineer's view

Page 1: Privacy Engineering from an engineer's view

1 © Nokia 2016

Privacy Engineering

from an engineer’s view

Public

Dr. Ian Oliver

Bell Labs, Finland

27 May 2016

A Lecture Given at DSummit, Stockholm, Sweden

Page 2: Privacy Engineering from an engineer's view

Does anyone notice a problem here...

Privacy as a legal aspect: from Warren and Brandeis (1890) to the GDPR

Page 3: Privacy Engineering from an engineer's view

Just missing a few things...

Privacy as a legal aspect: from Warren and Brandeis (1890) to the GDPR
Privacy as an economic aspect: Akerlof et al. (Lemons!)
Privacy as a philosophical aspect: Nissenbaum, Solove et al.
Privacy as a security aspect: Schneier, to name just one...
Privacy as an ideal: Cavoukian and PbD (Privacy by Design)
Privacy as a sociological construct: Lessig et al.
Privacy as a game-theoretic construct: Nash et al. (positive-sum games)
Privacy as an engineering construct: Dennedy et al., Oliver, ...

Page 4: Privacy Engineering from an engineer's view

and how do we view things...

Page 5: Privacy Engineering from an engineer's view

and how do we view things...

GDPR = $$$ ... get me the lawyers ...

Compliance is everything

Page 6: Privacy Engineering from an engineer's view

Now do you see the problem?

Page 7: Privacy Engineering from an engineer's view

Traditional Compliance Must Go

Page 8: Privacy Engineering from an engineer's view

Page 9: Privacy Engineering from an engineer's view

Page 10: Privacy Engineering from an engineer's view

Compliance

is fragile

Good thing we have this otherwise we’d be in trouble...

Joke: Q: How many lawyers does it take to make a system compliant?

Page 11: Privacy Engineering from an engineer's view

Compliance

is fragile

A: We value your privacy...

Page 12: Privacy Engineering from an engineer's view

Compliance

is fragile

    char collectDataFlag = 'Y'; // Future proofed boolean
                                // Y for yes, N for no

    void collectDataFunction() {
        // collect IMEI, IMSI, MSISDN, TimeStamp and location
        // and send to the hardcoded IP address...
    }

    void checkDataCollection() {
        switch (collectDataFlag) {
        case 'N':
            // don't do anything
            // (there is no break here, so 'N' falls straight into the 'Y' arm)
        case 'Y':
            // ok to collect everything
            collectDataFunction();
        }
    }
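The gate on the slide, as an added example that is not from the deck: the char-flag version with its behaviour made observable, beside a hardened form (a closed enum instead of a char, every switch arm terminated, anything that is not an explicit grant treated as no consent). All names in it (device_record, SAMPLE_RECORD, fragile_collect, hardened_collect, consent_t) are mine, and the sample record is constructed placeholder data.

```c
/* Added example, not from Ian Oliver's slides: the slide's char-flag consent
 * gate reproduced next to a hardened form, so the difference can be tested.
 * All names here are my own, not from the deck. */
#include <stdio.h>

/* Fields the slide's collectDataFunction gathers: IMEI, IMSI, MSISDN,
 * timestamp and location. */
typedef struct {
    const char *imei;
    const char *imsi;
    const char *msisdn;
    long        timestamp;
    double      lat;
    double      lon;
} device_record;

/* Constructed sample input; the values are placeholders, not real identifiers. */
const device_record SAMPLE_RECORD = {
    "000000000000000", "000000000000000", "000000000000", 0L, 0.0, 0.0
};

/* Stand-in for "send to the hardcoded IP address": count instead of sending. */
static int records_sent = 0;

static void send_record(const device_record *r)
{
    (void)r;                 /* contents are irrelevant to the gate under test */
    records_sent++;
}

/* The slide's version, same behaviour: a 'Y'/'N' char and a switch whose 'N'
 * arm has no break. Returns how many records left the device in this call
 * (0 or 1), so the behaviour can be asserted on. */
int fragile_collect(char collect_data_flag, const device_record *r)
{
    int before = records_sent;
    switch (collect_data_flag) {
    case 'N':
        /* "don't do anything" - but there is no break, so control
         * continues into the 'Y' arm and the data is collected anyway */
    case 'Y':
        send_record(r);
    }
    return records_sent - before;
}

/* Hardened form: a closed enum instead of a char, every arm terminated,
 * and any state that is not an explicit grant treated as "no consent". */
typedef enum {
    CONSENT_DENIED  = 0,
    CONSENT_GRANTED = 1
} consent_t;

int hardened_collect(consent_t consent, const device_record *r)
{
    int before = records_sent;
    switch (consent) {
    case CONSENT_GRANTED:
        send_record(r);
        break;
    case CONSENT_DENIED:
        break;
    default:
        /* corrupted or unknown state: default-deny, never collect */
        break;
    }
    return records_sent - before;
}

int main(void)
{
    printf("fragile  'Y'     -> %d record(s) sent\n", fragile_collect('Y', &SAMPLE_RECORD));
    printf("fragile  'N'     -> %d record(s) sent\n", fragile_collect('N', &SAMPLE_RECORD));
    printf("hardened GRANTED -> %d record(s) sent\n", hardened_collect(CONSENT_GRANTED, &SAMPLE_RECORD));
    printf("hardened DENIED  -> %d record(s) sent\n", hardened_collect(CONSENT_DENIED, &SAMPLE_RECORD));
    printf("hardened unknown -> %d record(s) sent\n", hardened_collect((consent_t)7, &SAMPLE_RECORD));
    return 0;
}
```

Note that a compiler fall-through warning (gcc's -Wimplicit-fallthrough, enabled by -Wextra) does not catch the slide's bug: there is no statement between the two labels, only a comment, so the compiler treats `case 'N': case 'Y':` as the ordinary case-grouping idiom and stays silent. The "compliant" behaviour here is only visible by exercising the gate, as the asserted calls do, or by structuring the code so that the deny path is the default rather than an empty label.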

Page 13: Privacy Engineering from an engineer's view

Question:

how many lines of code between any two points in this model?

Page 14: Privacy Engineering from an engineer's view

Story time ....

Page 15: Privacy Engineering from an engineer's view

A long time ago...

I became our first privacy architect...

Auditing mobile device applications and associated infrastructure from an engineering perspective...

Page 16: Privacy Engineering from an engineer's view

Or...

go and invent how to do this because no-one else has/can/wants to, because...

the engineers don’t want to speak to the lawyers,

the lawyers don’t want to speak to the engineers,

and we’re in a mess...

Page 17: Privacy Engineering from an engineer's view

We developed:

• Epics and Use cases for Privacy

• Checklists

• Software Development Process Integration

• Audit Procedures

- integrated non-functional areas: privacy, security, performance, continuity

and the result was...

Page 18: Privacy Engineering from an engineer's view

Failure

Page 19: Privacy Engineering from an engineer's view

Why didn’t it work?

• Despite highly trained personnel

• Too much adherence to process

- Processes tell everyone the order of what to do

- Difficulty in handling exceptions and experts

- Processes treat people as idiots

• Replace responsibility and expertise

- with something called ”compliance”

• Tick-box oriented

- Ask questions, Accept answers, TICK!

- Limited understanding and context of answers

• Limited time-scale

- One-off review

Page 20: Privacy Engineering from an engineer's view

?

Page 21: Privacy Engineering from an engineer's view

We developed:

• Simpler ”Checklists”

• Training Courses

• Realised that no-one understood each other

• Tried to ban the terms ”PII” and ”Personal Data”

• Tried to formulate requirements

• Introduced more risk management ideas, e.g. RCA (root cause analysis), FMEA (failure mode and effects analysis)

and the result was...

Page 22: Privacy Engineering from an engineer's view

Failure

Page 23: Privacy Engineering from an engineer's view

What’s the problem now?

• Communication

• Process over method

• Lack of understanding of roles

- I am a privacy officer, therefore, I am right

- You are ’just’ an engineer

• Lack of both legal and engineering techniques

• The privacy organisation itself

• Privacy by Design

Page 24: Privacy Engineering from an engineer's view

What’s the problem now...?

Actually it was much worse

So much emphasis on ’compliance’

We, the privacy organisation, are right

Engineers don’t know anything....

Page 25: Privacy Engineering from an engineer's view

????!!!

Page 26: Privacy Engineering from an engineer's view

Just 3 simple things to solve...

Communication

Culture

Role

Page 27: Privacy Engineering from an engineer's view

Communication

Page 28: Privacy Engineering from an engineer's view

Probably not personal data / Probably personal data

Page 29: Privacy Engineering from an engineer's view

Forget process, just get the information about what’s going on...

Page 30: Privacy Engineering from an engineer's view

Forget process, just get the information about what’s going on...

Who in your company does all the innovation and knows what your products or services really do?

Page 31: Privacy Engineering from an engineer's view

Forget process, just get the information about what’s going on...

Who knows if your systems are compliant?

Page 32: Privacy Engineering from an engineer's view

Just 2 simple things to solve...

Communication

Culture

Role

Page 33: Privacy Engineering from an engineer's view

Roles and Culture: already solved...

Page 34: Privacy Engineering from an engineer's view

Serendipity

or... how to retain sanity in a rapidly changing, chaotic environment where you don’t know anything and there’s no rule book or process...

Page 35: Privacy Engineering from an engineer's view

The Sterile Field

Key:

• Sterile

• Non-sterile

Page 36: Privacy Engineering from an engineer's view

The Sterile Field

Movement of materials from one area to the other must be controlled to prevent contamination of the sterile field with non-sterile items

Strict protocols prevent contamination

Page 37: Privacy Engineering from an engineer's view

Culture

Page 38: Privacy Engineering from an engineer's view

Roles

[Diagram: project development & processes drawn as a timeline, with the system under audit at its centre. On the R&D side, an R&D Team Checklist is applied before review and post-review; on the audit side, an Audit Team Checklist is applied at sign-in, at time-out and at sign-out. Participants around the system: Privacy Officer, Legal, Security, Architects.]

Page 39: Privacy Engineering from an engineer's view

Roles

[Same Roles diagram as on Page 38: R&D Team Checklists before and post-review, Audit Team Checklists at sign-in, time-out and sign-out, around the system under audit; Privacy Officer, Legal, Security, Architects.]

The process does not, and cannot, stop because of a lack of compliance...

Page 40: Privacy Engineering from an engineer's view

Treat privacy as a safety-critical aspect

Page 41: Privacy Engineering from an engineer's view

Your job as privacy professionals is to understand the state of the system – regardless of whether it is good or bad – before moving on...

There can be no privacy heroes
