Post on 11-Jun-2015
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
1
Privacy by Design: Can it Work?
Catherine DwyerSeidenberg School of Computer Science & Information SystemsPace UniversityNew York, NY
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
2
Gehry Building8 Spruce Street
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
3
Online Privacy
LawyersTechnologist
s
Organizations
Citizens
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
4
Privacy Research Group – NYU Law
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
5
What is Privacy by Design?
Ann Cavoukian, Information& Privacy Commissioner, Ontario, Canada
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
6
Principles of Privacy by Design1. Proactive not Reactive; Preventative not
Remedial 2. Privacy as the Default Setting 3. Privacy Embedded into Design 4. Full Functionality — Positive-Sum, not Zero-
Sum 5. End-to-End Security — Full Lifecycle
Protection 6. Visibility and Transparency — Keep it Open 7. Respect for User Privacy — Keep it User-
Centric From www.privacybydesign.ca
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
7
Legal perspective4th Amendment: “The right of the
people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
8
Third party doctrine“The Supreme Court has repeatedly held,
however, that the Fourth Amendment does not protect information revealed to third parties.” (Kerr, 2004)
Third party – any business, organization, ISP, cloud service providers
Once you “share” data with a third party, you lose 4th amendment protection
4th amendment standard is “probable cause,” 3rd party standard is “relevant to an investigation” and “not overbroad” (Kerr, 2004)
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
9
Source: Google transparency report, more than 18,000 requests from governments around the globe to Google user data (7/11-12/11)
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
10
Source: WikiLeaks
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
11
Problems With PbD“Privacy by design is an amorphous
concept… it is not clear … what regulators really have in mind when they urge firms developing products to build in privacy.” (Rubinstein, 2011)
Requirements engineering is needed to transform privacy by design from a vague admonitions into a structured design process with tangible outcomes (Rubinstein, 2011)
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
12
Excerpt from FTC Staff Report, March 2012, which uses “reasonable” more than 50 times in a 112 page report.
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
13
Design & Model
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
14
Engineer &
Build
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
15
Tangible Outcome
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
16
Gehry building – 8 Spruce Street
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
17
Design versus engineering
Design focuses on models
Engineering focuses on requirements
Requirements must be measurable and verifiable
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
18
Moving to privacy engineeringNeed to move from “privacy by
design” to “privacy requirements engineering”
Design can capture broad objectives (“buildings should be constructed with fireproof materials”)
Engineering makes those objectives tangible (“fireproof material must be able to bear weight for four hours of fire at 1000 degrees F”)
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
19
Example: Privacy Principle“Companies should incorporate
substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.” (source: FTC Staff Report, March 2012)
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
20
Engineering Requirements“The risk of data exposure can be
further minimized by reducing the sensitivity of stored data wherever possible … for example, when using the customer’s IP address to determine location for statistical analysis, discard the IP address after mapping it to a city or town.”
source: Microsoft Privacy Guidelines for Developers, 2008
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
21
How can this be accomplished?Qualitiative – focus
groups/interviews with domain experts/stakeholders
Quantitative – formal analysis of statutes and regulations (see Breaux and Anton, 2007)
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
22
Source: “A Framework for Modeling Privacy Requirements in Role Engineering,” He and Anton, 2003
RBAC = Role Based Access Control
Privacy Requirements Engineering
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
23
Development tools are neededCan’t manage the complexity of
describing privacy engineering requirements “by hand,” takes too long
Can’t audit privacy of information systems ‘by hand,’ not comprehensive enough
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
24
Ghostery: Tracking tools found on Dictionary.com
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
25
Firefox Collusion: Graph of tracking entities and flow of data
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
26
Network traffic visualization
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
27
RecommendationsEmphasize privacy requirements
engineeringDevelop data visualization tools
(enterprise level) that model information flows and identify privacy weaknesses
Model information flow within business processes and determine if privacy requirements are being met
Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012
28
Questions?Thank you!
Catherine DwyerSeidenberg School of Computer Science and Information SystemsPace University
Twitter: @ProfCDwyer