Crowdsourcing Privacy Risk Assessment An Interactive Model for Evaluating and Comparing Privacy Systems

Upload: russell-powers

Post on 16-Jan-2016


Page 1

Crowdsourcing Privacy Risk Assessment

An Interactive Model for Evaluating and Comparing Privacy Systems

Page 2

Objectives

• Provide an interactive display for stakeholders (including individual users, entire companies, or governments) to better understand their privacy considerations and options.

• Allow stakeholders to quickly see the relative strengths and weaknesses of a variety of privacy systems so that they can make privacy-related choices.

• Enable a high degree of customization to meet the wide variety of stakeholder needs.

Page 3

Definitions

Page 4

Stakeholder: A user of the model who selects inputs and manipulates the model

• System Owners, Developers, and Engineers

• An Organization's Legal and Policy Teams

• Product and Project Management Teams

• Government Agencies

• Consumers

Page 5

Privacy Systems: Any organization, service, process, or program that handles personally identifying information (PII) and affects individual privacy

• Facebook

• Uber

• Amazon Web Services

• Google Drive

• Apple iOS

• Bank of America

• United States Government

• Government of the People’s Republic of China

• Walmart

• BlueCross BlueShield

Page 6

Fair Information Practice Principles (FIPPs)

The widely accepted framework of defining principles used in the evaluation of Privacy Systems:

1. Transparency (T): Systems should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).

2. Individual Participation (IP): Systems should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Systems should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.

3. Purpose Specification (PS): Systems should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.

4. Data Minimization (DM): Systems should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).

5. Use Limitation (UL): Systems should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.

6. Data Quality and Integrity (DQI): Systems should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.

7. Security (S): Systems should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.

8. Accountability and Auditing (AA): Systems should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

Adapted from “Appendix A – Fair Information Practice Principles (FIPPs)” of the National Strategy for Trusted Identities in Cyberspace (April 2011), https://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf

Page 7

System Practices: The actions and policies of a Privacy System

All identified System Practices used by the model are listed below.

Despite the attempt to identify highly specific System Practices to produce a comprehensive evaluation of each FIPP, there are other System Practices that may not be included. Alternatively, certain users of the model may conclude that some of the included System Practices should be removed.

The model recognizes that the process of evaluating FIPPs is highly qualitative and seeks to leverage a crowdsourcing methodology as a way to overcome this obstacle. User input regarding which System Practices should be included or excluded (that is, crowdsourcing the System Practices) is a key feature of this model; a user can choose as many or as few System Practices to include as they want.

Transparency
1. Methods of Notification > Privacy Policy
2. Methods of Notification > Popup
3. Methods of Notification > Email
4. Frequency of Notification > Time Dependent
5. Frequency of Notification > Usage Dependent
6. Frequency of Notification > Data Type Dependent

Individual Participation
7. Consent > Frequency of Consent > Time Dependent
8. Consent > Frequency of Consent > Usage Dependent
9. Consent > Frequency of Consent > Data Type Dependent
10. Consent > Options > Opt-in
11. Consent > Options > Opt-out
12. Consent > Difficulty > Timely
13. Consent > Difficulty > Inexpensive
14. Access > Frequency of Access > Time Dependent
15. Access > Frequency of Access > Data Type Dependent
16. Access > Actions Permitted > View
17. Access > Actions Permitted > Download
18. Access > Difficulty > Timely
19. Access > Difficulty > Inexpensive
20. Access > Difficulty > Instructions Provided
21. Redress > Actions Permitted > Dispute
22. Redress > Actions Permitted > Correct
23. Redress > Actions Permitted > Update
24. Redress > Actions Permitted > Delete
25. Redress > Difficulty > Timely
26. Redress > Difficulty > Inexpensive
27. Redress > Difficulty > Instructions Provided

Purpose Specification
28. Authority Granter > None
29. Authority Granter > Data Subject
30. Authority Granter > Law
31. Types of Purpose > Provide Services
32. Types of Purpose > Market/advertise
33. Types of Purpose > Profile/analytics
34. Articulation Method for Authority / Purpose > Privacy Policy
35. Articulation Method for Authority / Purpose > Popup
36. Articulation Method for Authority / Purpose > Email
37. Frequency of Articulation > Time Dependent
38. Frequency of Articulation > Usage Dependent
39. Frequency of Articulation > Data Type Dependent

Data Minimization
40. Types of Data Collected > Public > Written Posts
41. Types of Data Collected > Personal > Multimedia > Photos
42. Types of Data Collected > Personal > Multimedia > Video
43. Types of Data Collected > Personal > Multimedia > Audio
44. Types of Data Collected > Personal > Contact > Email
45. Types of Data Collected > Personal > Contact > Postal Address
46. Types of Data Collected > Personal > Contact > Phone Number
47. Types of Data Collected > Private > Demographics > Age
48. Types of Data Collected > Private > Demographics > Race
49. Types of Data Collected > Private > Demographics > Gender
50. Types of Data Collected > Sensitive > Activities
51. Types of Data Collected > Sensitive > Purchase History
52. Types of Data Collected > Sensitive > Location
53. Types of Data Collected > Highly Sensitive > Financial
54. Types of Data Collected > Highly Sensitive > Health
55. Types of Data Collected > Highly Sensitive > SSN
56. Sources of Data > Manual > Data Subject
57. Sources of Data > Manual > Other Data Subjects
58. Sources of Data > Automatic > Cookies
59. Sources of Data > Automatic > Pixels
60. Sources of Data > Automatic > Metadata

Use Limitation
61. General > Provide Services to DS
62. General > Communicate with DS
63. General > Enable DS Customization
64. Security > Improve Services
65. Security > Diagnostics/Troubleshooting
66. Commercial > Marketing
67. Analytical > Profiling
68. Sharing > Recipient > Affiliated Companies
69. Sharing > Recipient > Third Party > General
70. Sharing > Recipient > Third Party > Security
71. Sharing > Recipient > Third Party > Commercial
72. Sharing > Recipient > Third Party > Analytical
73. Sharing > Recipient > Third Party > Government
74. Sharing > Geography > Local
75. Sharing > Geography > National
76. Sharing > Geography > Regional
77. Sharing > Geography > International

Data Quality and Integrity
78. Storage > Location
79. Storage > Duration
80. Management > Retrieval
81. Management > Duplication
82. Management > Backup

Security
83. Loss Prevention
84. Unauthorized Access / Use
85. Destruction
86. Modification
87. Unintended Disclosure > Breach Notification
88. Compliance

Accountability and Auditing
89. Complying
90. Training > Data Protection Officer appointed
91. Auditing > Mechanisms in place
92. Auditing > Frequency of Auditing
93. Auditing > Internal or External Auditor

Page 8

System Practices: The actions and policies of a Privacy System

Transparency
1. Methods of Notification > Privacy Policy
2. Methods of Notification > Popup
3. Methods of Notification > Email
4. Frequency of Notification > Time Dependent
5. Frequency of Notification > Usage Dependent
6. Frequency of Notification > Data Type Dependent

Methodology for Identifying System Practices:

System Practices were identified based on the language used to define each FIPP:

• For example, the language defining the Transparency FIPP focused on notifying individuals. Using this keyword, the question “what is notifying a function of?” was asked to identify measurement variables.

• This led to the identification of “Methods of Notification” and “Frequency of Notification” as two variables that could be used to measure notifying (“Notifying is a function of the methods used to notify and the frequency with which notification is given.”).

A high level of granularity was sought to ensure a comprehensive evaluation of the FIPP:

• With regards to the Transparency FIPP, rather than just evaluating “Methods” and “Frequency” in general, they were further subdivided to provide more specific evaluation criteria. To accomplish this, similar questions were again asked: “what is Methods a function of?” and “what is Frequency a function of?” This led to the identification of different methods of notification (notification in Privacy Policies, in Popups, or in Emails) as well as different frequencies of notification (based on time, usage of data, or type of data).

• This high level of granularity ensures that the FIPP is evaluated based on a wide range of specific criteria, rather than just a few general ones.
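The decomposition described above (FIPP, then measurement variable, then specific practice) is what the “A > B > C” entries in the System Practices list encode. The following added example, which is not code from the deck, parses a handful of those entries into that hierarchy so the variables under each FIPP and the leaf practices that receive Magnitudes can be inspected and counted. The line format “FIPP | n. A > B > C”, with the FIPP name written in front of each entry, is an assumption made here; the deck shows the FIPP as a heading above its numbered entries.

```python
"""Added example (not the deck's own code): parse "A > B > C" System Practice
entries into the FIPP -> variable -> practice hierarchy the methodology
describes.  Assumed line format: "FIPP | n. segment > segment > ..."."""
from typing import Dict, List, Tuple

# Constructed sample: ten entries copied from the deck's Transparency and
# Purpose Specification lists, each prefixed with its FIPP (assumed format).
SAMPLE_PRACTICES = """
Transparency | 1. Methods of Notification > Privacy Policy
Transparency | 2. Methods of Notification > Popup
Transparency | 3. Methods of Notification > Email
Transparency | 4. Frequency of Notification > Time Dependent
Transparency | 5. Frequency of Notification > Usage Dependent
Transparency | 6. Frequency of Notification > Data Type Dependent
Purpose Specification | 28. Authority Granter > None
Purpose Specification | 29. Authority Granter > Data Subject
Purpose Specification | 30. Authority Granter > Law
Purpose Specification | 34. Articulation Method for Authority / Purpose > Privacy Policy
"""

Tree = Dict[str, dict]  # nested dicts; a leaf practice is an empty dict


def parse_practice_line(line: str) -> Tuple[str, int, List[str]]:
    """Split 'FIPP | n. A > B > C' into (fipp, n, ['A', 'B', 'C'])."""
    fipp, entry = (part.strip() for part in line.split("|", 1))
    number, path = entry.split(".", 1)
    segments = [seg.strip() for seg in path.split(">")]
    if not segments or any(not seg for seg in segments):
        raise ValueError(f"malformed practice entry: {line!r}")
    return fipp, int(number), segments


def build_tree(text: str) -> Tree:
    """Build FIPP -> variable -> ... -> leaf practice from the entry lines."""
    tree: Tree = {}
    for line in text.strip().splitlines():
        fipp, _, segments = parse_practice_line(line)
        node = tree.setdefault(fipp, {})
        for seg in segments:
            node = node.setdefault(seg, {})
    return tree


def leaf_paths(node: dict, prefix: Tuple[str, ...] = ()) -> List[Tuple[str, ...]]:
    """Every root-to-leaf path; the leaves are the practices that get Magnitudes."""
    if not node:
        return [prefix]
    paths: List[Tuple[str, ...]] = []
    for name, child in node.items():
        paths.extend(leaf_paths(child, prefix + (name,)))
    return paths


def variables_of(tree: Tree, fipp: str) -> List[str]:
    """First-level variables a FIPP was decomposed into (e.g. Methods, Frequency)."""
    return sorted(tree.get(fipp, {}).keys())


def practice_count(tree: Tree, fipp: str) -> int:
    """Number of leaf System Practices under one FIPP (0 if the FIPP is absent)."""
    if fipp not in tree:
        return 0
    return len(leaf_paths(tree[fipp]))


if __name__ == "__main__":
    t = build_tree(SAMPLE_PRACTICES)
    for fipp in t:
        print(fipp, "->", variables_of(t, fipp), practice_count(t, fipp), "practices")
```

Feeding the full 93-entry list from the previous page through build_tree gives the complete catalogue a user can then include or exclude practices from; only leaf paths are scored, so adding a deeper subdivision under a variable changes which entries receive a Magnitude without changing the variable itself.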

Page 9

Magnitude: Chosen and assigned to a System Practice by the User to quantify the privacy intrusion or protection of each System Practice

Magnitude   Meaning
1           System Practice is highly intrusive of privacy
2           System Practice is moderately intrusive of privacy
3           System Practice has little overall intrusion into or protection of privacy
4           System Practice moderately protects privacy
5           System Practice highly protects privacy

Page 10

Example Privacy System: Facebook

FIPP                            FIPP Privacy Score
Transparency                    3.67
Individual Participation        3.19
Purpose Specification           1.67
Data Minimization               1.95
Use Limitation                  2.24
Data Quality and Integrity      3.80
Security                        1.67
Accountability and Auditing     3.40
Average of FIPP Privacy Scores  2.70

Privacy System    System Privacy Score
Facebook          2.70
Google            . . .
(remaining Privacy Systems not yet scored)

Privacy Scores: A FIPP Privacy Score is a computation that evaluates an individual FIPP within a single Privacy System. Therefore, a single Privacy System will have eight FIPP Privacy Scores, one for each FIPP.

• FIPP Privacy Scores assess categories of similar System Practices. Using FIPP Privacy Scores to first assess categories, rather than jumping right to an overall assessment of the Privacy System, helps identify more specific strengths and weaknesses of the system. For instance, an overall assessment might not highlight the fact that a Privacy System is strong in Data Minimization but weak in Use Limitation. In contrast, first assessing the individual FIPPs would highlight that difference.

A System Privacy Score is a computation that evaluates all the FIPP Privacy Scores of a single Privacy System. Therefore, a single Privacy System will have one System Privacy Score. System Privacy Scores can be used to compare different Privacy Systems.

Page 11

The Model

Page 12

(Model diagram; its panels and flowchart are transcribed below.)

Fair Information Privacy Principles (FIPP): select one of
• Transparency
• Individual Participation
• Purpose Specification
• Data Minimization
• Use Limitation
• Data Quality and Integrity
• Security
• Accountability and Auditing

System Practices (for selected FIPP); not all System Practices are shown:
Transparency
1. Methods of Notification: Privacy Policy
2. Methods of Notification: Popup
3. Methods of Notification: Email
4. Frequency of Notification: Time Dependent
5. Frequency of Notification: Usage Dependent
6. Frequency of Notification: Data Type Dependent
Individual Participation: 7. Consent ... Access ... 8. Redress ...
Purpose Specification: 9. Authority Granter ... 10. ...
Data Minimization ...
Use Limitation ...
Data Quality and Integrity ...
Security ...
Accountability and Auditing ...

Privacy Systems: select one of
• Facebook • Uber • Amazon Web Services • Google Drive • Apple iOS • Bank of America • U.S. Government • P.R.C. Government • Walmart • BlueCross BlueShield

Magnitude (input for each System Practice): 1.00 - 5.00

FIPP Privacy Score: compute a function of the Magnitudes assigned to the System Practices of the selected FIPP.

System Privacy Score: compute a function of all the FIPP Privacy Scores that were computed for the selected System.

Flowchart:
select System → select FIPP → select System Practice → input Magnitude → another System Practice? (Yes: select the next System Practice; No: compute FIPP Privacy Score) → another FIPP? (Yes: select the next FIPP; No: compute System Privacy Score)

Page 13

Example

Pages 14 to 43

(Walkthrough of the model on the example Privacy System Facebook. These slides animate the flowchart of Page 12, highlighting one step per slide; only the state shown on each slide is transcribed here.)

Pages 14 to 16: select System: Facebook; select FIPP: Transparency.

Pages 17 to 30: for each Transparency System Practice, select the practice and input its Magnitude, answering "another System Practice?" with Yes until all six have been entered:

System Practice                                      Magnitude
1. Methods of Notification: Privacy Policy           3.00
2. Methods of Notification: Popup                    5.00
3. Methods of Notification: Email                    4.00
4. Frequency of Notification: Time Dependent         3.00
5. Frequency of Notification: Usage Dependent        5.00
6. Frequency of Notification: Data Type Dependent    2.00

Page 31: "another System Practice?" No; compute FIPP Privacy Score (Facebook, Transparency): 3.67

Pages 32 to 34: "another FIPP?" Yes; select FIPP: Individual Participation; select its System Practices and input their Magnitudes (not shown); compute FIPP Privacy Score (Facebook, Individual Participation): 3.19

Page 35: Facebook (Summary of FIPP Privacy Scores)
FIPP                          FIPP Privacy Score
Transparency                  3.67
Individual Participation      3.19

Pages 36 to 37: repeat for the remaining FIPPs. Facebook (Summary of FIPP Privacy Scores)
FIPP                          FIPP Privacy Score
Transparency                  3.67
Individual Participation      3.19
Purpose Specification         1.67
Data Minimization             1.95
Use Limitation                2.24
Data Quality and Integrity    3.80
Security                      1.67
Accountability and Auditing   3.40

Page 38: "another FIPP?" No; compute System Privacy Score (Facebook): 2.70

Pages 39 to 41: "another System?" Yes; select System.

Pages 42 to 43: System: Google; the loop begins again with select FIPP. After the first System has been scored the comparison chart reads:

COMPARISON CHART
System      System Privacy Score
Facebook    2.70
Google      . . .
(remaining Privacy Systems not yet scored)

Page 44

Details

Page 45

Functions

FIPP Privacy Score: To compute a FIPP Privacy Score, an average (or other function) of all the Magnitudes assigned to the System Practices of the selected FIPP is taken.

System Privacy Score: To compute a System Privacy Score, an average (or other function) of all the FIPP Privacy Scores for that System is taken.
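The two functions above, together with the Privacy Scores definitions on Page 10 and the crowdsourced include/exclude choice of System Practices on Page 7, are small enough to carry through end to end. The following added example is not code from the deck; it assumes that the "average (or other function)" is the plain arithmetic mean unless the caller passes another aggregation, that an excluded System Practice is dropped before aggregating rather than counted as a Magnitude of zero, and that scores are reported to two decimals as on the slides. The Facebook Magnitudes and FIPP Privacy Scores are the deck's own; the second Privacy System in the comparison chart is a constructed placeholder.

```python
"""Added example (not the deck's own code) of the scoring model:
FIPP Privacy Score = aggregate of the Magnitudes of the included System
Practices of one FIPP; System Privacy Score = aggregate of the FIPP Privacy
Scores of one Privacy System.  Assumed aggregation: arithmetic mean."""
from statistics import mean
from typing import Callable, Dict, List, Optional, Tuple

MAGNITUDE_MIN, MAGNITUDE_MAX = 1.0, 5.0  # Magnitude range from the deck

Aggregate = Callable[[List[float]], float]


def validate_magnitude(value: float) -> float:
    """Reject any Magnitude outside the 1.00 - 5.00 range the model defines."""
    if not MAGNITUDE_MIN <= value <= MAGNITUDE_MAX:
        raise ValueError(f"Magnitude {value} outside {MAGNITUDE_MIN}-{MAGNITUDE_MAX}")
    return float(value)


def fipp_privacy_score(magnitudes: Dict[str, Optional[float]],
                       aggregate: Aggregate = mean) -> float:
    """Score one FIPP for one Privacy System.

    `magnitudes` maps System Practice -> Magnitude, or None when the user
    excluded that practice (the crowdsourced include/exclude choice).
    Excluded practices are dropped, not treated as zero (assumption).
    """
    included = [validate_magnitude(m) for m in magnitudes.values() if m is not None]
    if not included:
        raise ValueError("no System Practices included for this FIPP")
    return round(aggregate(included), 2)


def system_privacy_score(fipp_scores: Dict[str, float],
                         aggregate: Aggregate = mean) -> float:
    """Aggregate the FIPP Privacy Scores computed for one Privacy System."""
    if not fipp_scores:
        raise ValueError("no FIPP Privacy Scores computed for this System")
    return round(aggregate(list(fipp_scores.values())), 2)


def comparison_chart(systems: Dict[str, Dict[str, float]]) -> List[Tuple[str, float]]:
    """Rank Privacy Systems by System Privacy Score, most protective first."""
    ranked = [(name, system_privacy_score(scores)) for name, scores in systems.items()]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Transparency Magnitudes for Facebook exactly as entered in the deck's walkthrough.
FACEBOOK_TRANSPARENCY: Dict[str, Optional[float]] = {
    "1. Methods of Notification: Privacy Policy": 3.0,
    "2. Methods of Notification: Popup": 5.0,
    "3. Methods of Notification: Email": 4.0,
    "4. Frequency of Notification: Time Dependent": 3.0,
    "5. Frequency of Notification: Usage Dependent": 5.0,
    "6. Frequency of Notification: Data Type Dependent": 2.0,
}

# The eight FIPP Privacy Scores from the deck's Facebook summary table.
FACEBOOK_FIPP_SCORES = {
    "Transparency": 3.67,
    "Individual Participation": 3.19,
    "Purpose Specification": 1.67,
    "Data Minimization": 1.95,
    "Use Limitation": 2.24,
    "Data Quality and Integrity": 3.80,
    "Security": 1.67,
    "Accountability and Auditing": 3.40,
}

# Constructed second system so the comparison chart has two rows; these are
# illustrative placeholder values, not scores from the deck.
OTHER_SYSTEM_FIPP_SCORES = {fipp: 3.0 for fipp in FACEBOOK_FIPP_SCORES}

if __name__ == "__main__":
    print("Transparency FIPP Privacy Score:", fipp_privacy_score(FACEBOOK_TRANSPARENCY))
    print("Facebook System Privacy Score:", system_privacy_score(FACEBOOK_FIPP_SCORES))
    for name, score in comparison_chart({"Facebook": FACEBOOK_FIPP_SCORES,
                                         "Example System": OTHER_SYSTEM_FIPP_SCORES}):
        print(f"{name:15s} {score:.2f}")
```

With the mean, the six Transparency Magnitudes give 22 / 6 = 3.67 and the eight FIPP scores give 21.59 / 8 = 2.70, matching the slides. Passing a different aggregate (for example min, which reports the weakest practice) shows how sensitive a comparison between Privacy Systems is to the choice of function the deck leaves open.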

Page 46

Data Entry
1. System and User
2. FIPP
3. System Practices
4. Magnitudes

Page 47

References

• NSTIC Appendix A - Fair Information Practice Principles

• Privacy Online: A Report to Congress (Federal Trade Commission, 1998)

• NIST Special Publication 800-53r4, Appendix J

• “Records, Computers and the Rights of Citizens” (US Department of Health, Education and Welfare, 1973)

• US Privacy Act of 1974

• NIST Privacy Engineering Objectives and Risk Model Discussion Draft

• NIST 8062: Privacy Risk Management for Federal Information Systems