TRANSCRIPT
Crowdsourcing Privacy Risk Assessment
An Interactive Model for Evaluating and Comparing Privacy Systems
Objectives
• Provide an interactive display for stakeholders (including individual users, entire companies, or governments) to better understand their privacy considerations and options.
• Allow stakeholders to quickly see the relative strengths and weaknesses of a variety of privacy systems so that they can make privacy-related choices.
• Enable a high degree of customization to meet the wide variety of stakeholder needs.
Definitions
Stakeholder: A user of the model who selects inputs and manipulates the model
•System Owners, Developers, and Engineers
•An Organization's Legal and Policy Teams
•Product and Project Management Teams
•Government Agencies
•Consumers
Privacy System: Any organization, service, process, or program that handles personally identifiable information (PII) and affects individual privacy
•Uber
•Amazon Web Services
•Google Drive
•Apple iOS
•Bank of America
•United States Government
•Government of the People’s Republic of China
•Walmart
•BlueCross BlueShield
Fair Information Practice Principles (FIPPs)
The widely accepted framework of defining principles to be used in the evaluation of Privacy Systems
1. Transparency (T): systems should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).
2. Individual Participation (IP): Systems should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Systems should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.
3. Purpose Specification (PS): Systems should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.
4. Data Minimization (DM): Systems should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).
5. Use Limitation (UL): Systems should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.
6. Data Quality and Integrity (DQI): Systems should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.
7. Security (S): Systems should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
8. Accountability and Auditing (AA): Systems should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.
Adapted from "Appendix A – Fair Information Practice Principles (FIPPs)" of the National Strategy for Trusted Identities in Cyberspace (April 2011), https://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf
System Practices, grouped by FIPP (DS = Data Subject)

Transparency
1. Methods of Notification > Privacy Policy
2. Methods of Notification > Popup
3. Methods of Notification > Email
4. Frequency of Notification > Time Dependent
5. Frequency of Notification > Usage Dependent
6. Frequency of Notification > Data Type Dependent

Individual Participation
7. Consent > Frequency of Consent > Time Dependent
8. Consent > Frequency of Consent > Usage Dependent
9. Consent > Frequency of Consent > Data Type Dependent
10. Consent > Options > Opt-in
11. Consent > Options > Opt-out
12. Consent > Difficulty > Timely
13. Consent > Difficulty > Inexpensive
14. Access > Frequency of Access > Time Dependent
15. Access > Frequency of Access > Data Type Dependent
16. Access > Actions Permitted > View
17. Access > Actions Permitted > Download
18. Access > Difficulty > Timely
19. Access > Difficulty > Inexpensive
20. Access > Difficulty > Instructions Provided
21. Redress > Actions Permitted > Dispute
22. Redress > Actions Permitted > Correct
23. Redress > Actions Permitted > Update
24. Redress > Actions Permitted > Delete
25. Redress > Difficulty > Timely
26. Redress > Difficulty > Inexpensive
27. Redress > Difficulty > Instructions Provided

Purpose Specification
28. Authority Granter > None
29. Authority Granter > Data Subject
30. Authority Granter > Law
31. Types of Purpose > Provide Services
32. Types of Purpose > Market/advertise
33. Types of Purpose > Profile/analytics
34. Articulation Method for Authority / Purpose > Privacy Policy
35. Articulation Method for Authority / Purpose > Popup
36. Articulation Method for Authority / Purpose > Email
37. Frequency of Articulation > Time Dependent
38. Frequency of Articulation > Usage Dependent
39. Frequency of Articulation > Data Type Dependent

Data Minimization
40. Types of Data Collected > Public > Written Posts
41. Types of Data Collected > Personal > Multimedia > Photos
42. Types of Data Collected > Personal > Multimedia > Video
43. Types of Data Collected > Personal > Multimedia > Audio
44. Types of Data Collected > Personal > Contact > Email
45. Types of Data Collected > Personal > Contact > Postal Address
46. Types of Data Collected > Personal > Contact > Phone Number
47. Types of Data Collected > Private > Demographics > Age
48. Types of Data Collected > Private > Demographics > Race
49. Types of Data Collected > Private > Demographics > Gender
50. Types of Data Collected > Sensitive > Activities
51. Types of Data Collected > Sensitive > Purchase History
52. Types of Data Collected > Sensitive > Location
53. Types of Data Collected > Highly Sensitive > Financial
54. Types of Data Collected > Highly Sensitive > Health
55. Types of Data Collected > Highly Sensitive > SSN
56. Sources of Data > Manual > Data Subject
57. Sources of Data > Manual > Other Data Subjects
58. Sources of Data > Automatic > Cookies
59. Sources of Data > Automatic > Pixels
60. Sources of Data > Automatic > Metadata

Use Limitation
61. General > Provide Services to DS
62. General > Communicate with DS
63. General > Enable DS Customization
64. Security > Improve Services
65. Security > Diagnostics/Troubleshooting
66. Commercial > Marketing
67. Analytical > Profiling
68. Sharing > Recipient > Affiliated Companies
69. Sharing > Recipient > Third Party > General
70. Sharing > Recipient > Third Party > Security
71. Sharing > Recipient > Third Party > Commercial
72. Sharing > Recipient > Third Party > Analytical
73. Sharing > Recipient > Third Party > Government
74. Sharing > Geography > Local
75. Sharing > Geography > National
76. Sharing > Geography > Regional
77. Sharing > Geography > International

Data Quality and Integrity
78. Storage > Location
79. Storage > Duration
80. Management > Retrieval
81. Management > Duplication
82. Management > Backup

Security
83. Loss Prevention
84. Unauthorized Access / Use
85. Destruction
86. Modification
87. Unintended Disclosure > Breach Notification
88. Compliance

Accountability and Auditing
89. Complying
90. Training > Data Protection Officer appointed
91. Auditing > Mechanisms in place
92. Auditing > Frequency of Auditing
93. Auditing > Internal or External Auditor
System Practices: The actions and policies of a Privacy System
All identified System Practices used by the model are listed above, grouped by FIPP.
Although the aim was to identify highly specific System Practices so that each FIPP could be evaluated comprehensively, there may be other System Practices that are not included. Conversely, certain users of the model may conclude that some of the included System Practices should be removed.
The model recognizes that evaluating FIPPs is highly qualitative and uses a crowdsourcing methodology to address this. User input on which System Practices should be included or excluded (that is, crowdsourcing the System Practices) is a key feature of the model: a user can choose as many or as few System Practices to include as they want.
Methodology for Identifying System Practices:
System Practices were identified from the language used to define each FIPP:
• For example, the language defining the Transparency FIPP focuses on notifying individuals. Using this keyword, the question "what is notifying a function of?" was asked to identify measurement variables.
• This led to "Methods of Notification" and "Frequency of Notification" as two variables that can be used to measure notifying ("Notifying is a function of the methods used to notify and the frequency with which notification is given.").
A high level of granularity was sought to ensure a comprehensive evaluation of each FIPP:
• With regard to the Transparency FIPP, rather than evaluating "Methods" and "Frequency" in general, each was further subdivided to provide more specific evaluation criteria. To accomplish this, the same kind of question was asked again: "what is Methods a function of?" and "what is Frequency a function of?" This led to the different methods of notification (notification in Privacy Policies, in Popups, or in Emails) and the different frequencies of notification (based on time, usage of data, or type of data).
• This granularity ensures that the FIPP is evaluated against a wide range of specific criteria, rather than a few general ones.
Magnitude: Chosen and assigned to a System Practice by the User to quantify the privacy intrusion or protection of each System Practice

Magnitude   Meaning
1           System Practice is highly intrusive of privacy
2           System Practice is moderately intrusive of privacy
3           System Practice has little overall intrusion into or protection of privacy
4           System Practice moderately protects privacy
5           System Practice highly protects privacy
Example Privacy System: Facebook

FIPP                            FIPP Privacy Score
Transparency                    3.67
Individual Participation        3.19
Purpose Specification           1.67
Data Minimization               1.95
Use Limitation                  2.24
Data Quality and Integrity      3.80
Security                        1.67
Accountability and Auditing     3.40
Average of FIPP Privacy Scores  2.70

Privacy System    System Privacy Score
Facebook          2.70
Google            . . .
. . .             . . .
Privacy Scores
A FIPP Privacy Score is a computation that evaluates an individual FIPP within a single Privacy System. Therefore, a single Privacy System will have eight FIPP Privacy Scores, one for each FIPP.
• FIPP Privacy Scores assess categories of similar System Practices. Using FIPP Privacy Scores to first assess categories, rather than jumping right to an overall assessment of the Privacy System, helps identify more specific strengths and weaknesses of the system. For instance, an overall assessment might not highlight the fact that a Privacy System is strong in Data Minimization but weak in Use Limitation. In contrast, first assessing the individual FIPPs would highlight that difference.
A System Privacy Score is a computation that evaluates all the FIPP Privacy Scores of a single Privacy System. Therefore, a single Privacy System will have one System Privacy Score. System Privacy Scores can be used to compare different Privacy Systems.
The Model
Inputs
• Fair Information Practice Principles (FIPP): Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, Accountability and Auditing
• System Practices (for the selected FIPP), for example under Transparency: 1. Methods of Notification: Privacy Policy; 2. Methods of Notification: Popup; 3. Methods of Notification: Email; 4. Frequency of Notification: Time Dependent; 5. Frequency of Notification: Usage Dependent; 6. Frequency of Notification: Data Type Dependent. Individual Participation: Consent..., Access..., Redress...; Purpose Specification: Authority Granter..., ...; the remaining FIPPs likewise (not all System Practices are shown on the slide)
• Privacy Systems: Facebook, Uber, Amazon Web Services, Google Drive, Apple iOS, Bank of America, U.S. Government, P.R.C. Government, Walmart, BlueCross BlueShield
• Magnitude (input for each System Practice): 1.00 - 5.00
Flow
1. select System
2. select FIPP
3. select System Practice
4. input Magnitude
5. another System Practice? Yes: return to step 3. No: compute FIPP Privacy Score, a function of the Magnitudes assigned to the System Practices of the selected FIPP.
6. another FIPP? Yes: return to step 2. No: compute System Privacy Score, a function of all the FIPP Privacy Scores that were computed for the selected System.
Example
Step 1, select System: Facebook.
Step 2, select FIPP: Transparency.
Step 3, select a System Practice and input its Magnitude; while "another System Practice?" is Yes, repeat for the next one. After all six Transparency practices:

Transparency (System: Facebook)
System Practice                                     Magnitude
1. Methods of Notification: Privacy Policy          3.00
2. Methods of Notification: Popup                   5.00
3. Methods of Notification: Email                   4.00
4. Frequency of Notification: Time Dependent        3.00
5. Frequency of Notification: Usage Dependent       5.00
6. Frequency of Notification: Data Type Dependent   2.00

Step 4, another System Practice? No: compute FIPP Privacy Score. Transparency = 3.67 (the average of the six Magnitudes, 22.00 / 6).
Step 5, another FIPP? Yes: select FIPP: Individual Participation, select its System Practices and input their Magnitudes (not shown), compute FIPP Privacy Score = 3.19. Repeat for the remaining FIPPs.

Facebook (Summary of FIPP Privacy Scores)
FIPP                            FIPP Privacy Score
Transparency                    3.67
Individual Participation        3.19
Purpose Specification           1.67
Data Minimization               1.95
Use Limitation                  2.24
Data Quality and Integrity      3.80
Security                        1.67
Accountability and Auditing     3.40

Step 6, another FIPP? No: compute System Privacy Score. Facebook = 2.70 (the average of the eight FIPP Privacy Scores).
Step 7, another System? Yes: select System: Google and repeat from Step 2. No: produce the Comparison Chart.
COMPARISON CHART
System      System Privacy Score
Facebook    2.70
Google      . . .
. . .       . . .
Details: Functions
FIPP Privacy Score: To compute a FIPP Privacy Score, an average (or other function) of all the Magnitudes assigned to the System Practices of the selected FIPP is taken.
System Privacy Score: To compute a System Privacy Score, an average (or other function) of all the FIPP Privacy Scores for that System is taken.
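The two functions above, the 1.00 - 5.00 Magnitude range, and the stakeholder's choice of which System Practices to include are enough to implement the model. The following is an added example, not code from the original deck or its authors: the names (PrivacyModel, fipp_privacy_score, system_privacy_score, parse_practice) and the pluggable aggregator are this example's own assumptions; the Facebook Transparency Magnitudes and the eight Facebook FIPP Privacy Scores are the values shown in the walkthrough.

```python
"""Added example implementation of the FIPP scoring model (not the deck's own code).
Names and the aggregator hook are assumptions of this example; the Facebook
numbers are the ones reported in the walkthrough."""
from statistics import mean
from typing import Callable, Dict, List, Sequence

# Magnitude scale from the deck: 1 = highly intrusive ... 5 = highly protective.
MAGNITUDE_MIN, MAGNITUDE_MAX = 1.0, 5.0

# The eight FIPPs in the deck's order, keyed by the deck's abbreviations.
FIPPS = ["T", "IP", "PS", "DM", "UL", "DQI", "S", "AA"]

# "average (or other function)": any reducer over a list of scores.
Aggregator = Callable[[Sequence[float]], float]


def parse_practice(path: str) -> List[str]:
    """Split a hierarchical System Practice such as
    'Consent > Options > Opt-in' into its levels; reject empty levels."""
    levels = [p.strip() for p in path.split(">")]
    if not all(levels):
        raise ValueError(f"empty level in practice path {path!r}")
    return levels


def check_magnitude(value: float) -> float:
    """Accept only the model's input range 1.00 - 5.00."""
    value = float(value)
    if not MAGNITUDE_MIN <= value <= MAGNITUDE_MAX:
        raise ValueError(f"magnitude {value} outside {MAGNITUDE_MIN}-{MAGNITUDE_MAX}")
    return value


def fipp_privacy_score(magnitudes: Sequence[float], aggregate: Aggregator = mean) -> float:
    """FIPP Privacy Score: aggregate of the Magnitudes assigned to the
    System Practices the stakeholder chose to include for one FIPP."""
    if not magnitudes:
        raise ValueError("no System Practices selected for this FIPP")
    return round(aggregate([check_magnitude(m) for m in magnitudes]), 2)


def system_privacy_score(fipp_scores: Sequence[float], aggregate: Aggregator = mean) -> float:
    """System Privacy Score: aggregate of a system's FIPP Privacy Scores."""
    if not fipp_scores:
        raise ValueError("no FIPP Privacy Scores computed for this system")
    return round(aggregate(list(fipp_scores)), 2)


class PrivacyModel:
    """Per system and FIPP, the included practices and their Magnitudes.
    Including or excluding a practice is the crowdsourced choice; it changes
    the score, so systems are only comparable under the same practice set."""

    def __init__(self, aggregate: Aggregator = mean) -> None:
        self.aggregate = aggregate
        self.entries: Dict[str, Dict[str, Dict[str, float]]] = {}

    def assign(self, system: str, fipp: str, practice: str, magnitude: float) -> None:
        if fipp not in FIPPS:
            raise ValueError(f"unknown FIPP {fipp!r}")
        parse_practice(practice)  # validates the 'A > B > C' shape
        by_fipp = self.entries.setdefault(system, {}).setdefault(fipp, {})
        by_fipp[practice] = check_magnitude(magnitude)

    def fipp_score(self, system: str, fipp: str) -> float:
        return fipp_privacy_score(list(self.entries[system][fipp].values()), self.aggregate)

    def system_score(self, system: str) -> float:
        scores = [self.fipp_score(system, f) for f in self.entries[system]]
        return system_privacy_score(scores, self.aggregate)

    def comparison_chart(self) -> List[tuple]:
        """Comparison chart: systems ranked by System Privacy Score, most protective first."""
        rows = [(s, self.system_score(s)) for s in self.entries]
        return sorted(rows, key=lambda r: r[1], reverse=True)


# Facebook / Transparency Magnitudes exactly as entered in the walkthrough.
FACEBOOK_TRANSPARENCY = {
    "Methods of Notification > Privacy Policy": 3.0,
    "Methods of Notification > Popup": 5.0,
    "Methods of Notification > Email": 4.0,
    "Frequency of Notification > Time Dependent": 3.0,
    "Frequency of Notification > Usage Dependent": 5.0,
    "Frequency of Notification > Data Type Dependent": 2.0,
}

# The eight FIPP Privacy Scores the deck reports for Facebook.
FACEBOOK_FIPP_SCORES = {"T": 3.67, "IP": 3.19, "PS": 1.67, "DM": 1.95,
                        "UL": 2.24, "DQI": 3.80, "S": 1.67, "AA": 3.40}


def facebook_walkthrough() -> Dict[str, float]:
    """Recompute the two numbers the deck shows for Facebook, plus a
    weakest-link (min) Transparency score to show why the aggregator matters."""
    model = PrivacyModel()
    for practice, mag in FACEBOOK_TRANSPARENCY.items():
        model.assign("Facebook", "T", practice, mag)
    return {
        "transparency_mean": model.fipp_score("Facebook", "T"),
        "transparency_min": fipp_privacy_score(list(FACEBOOK_TRANSPARENCY.values()), min),
        "system_mean": system_privacy_score(list(FACEBOOK_FIPP_SCORES.values())),
    }


if __name__ == "__main__":
    print(facebook_walkthrough())
```

Running facebook_walkthrough() reproduces the deck's 3.67 for Transparency and 2.70 for the System Privacy Score. The min aggregator is included as a caveat rather than a recommendation: with an average, one highly intrusive practice (Magnitude 1 or 2) is diluted by the neutral and protective ones around it, whereas the weakest-link view drops Facebook's Transparency score to 2.00 because of the Data Type Dependent practice. Which reduction is appropriate is itself a stakeholder choice, as is the set of included practices; a comparison chart is only meaningful when every system was scored with the same aggregator and the same practice set.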
Data Entry (screen layout): 1. System and User; 2. FIPP; 3. System Practices; 4. Magnitudes
References
• NSTIC Appendix A - Fair Information Practice Principles
• Privacy Online: A Report to Congress (Federal Trade Commission, 1998)
• NIST Special Publication 800-53r4, Appendix J
• "Records, Computers and the Rights of Citizens" (US Department of Health, Education and Welfare, 1973)
• US Privacy Act of 1974
• NIST Privacy Engineering Objectives and Risk Model Discussion Draft
• NISTIR 8062: Privacy Risk Management for Federal Information Systems