
Page 1: Dwyer "Privacy by Design: Can It Work?"

Pitney Bowes Privacy and Security Conference 6/26/2012 © Catherine Dwyer 2012

Privacy by Design: Can it Work?

Catherine Dwyer
Seidenberg School of Computer Science & Information Systems
Pace University
New York, NY

Page 2

Gehry Building, 8 Spruce Street

Page 3

Online Privacy

Lawyers
Technologists
Organizations
Citizens

Page 4

Privacy Research Group – NYU Law

Page 5

What is Privacy by Design?

Ann Cavoukian, Information & Privacy Commissioner, Ontario, Canada

Page 6

Principles of Privacy by Design

1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality — Positive-Sum, not Zero-Sum
5. End-to-End Security — Full Lifecycle Protection
6. Visibility and Transparency — Keep it Open
7. Respect for User Privacy — Keep it User-Centric

From www.privacybydesign.ca

Page 7

Legal perspective

4th Amendment: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Page 8

Third party doctrine

“The Supreme Court has repeatedly held, however, that the Fourth Amendment does not protect information revealed to third parties.” (Kerr, 2004)

Third party – any business, organization, ISP, or cloud service provider

Once you “share” data with a third party, you lose 4th amendment protection

4th amendment standard is “probable cause,” 3rd party standard is “relevant to an investigation” and “not overbroad” (Kerr, 2004)

Page 9

Source: Google transparency report, more than 18,000 requests from governments around the globe for Google user data (7/11-12/11)

Page 10

Source: WikiLeaks

Page 11

Problems With PbD

“Privacy by design is an amorphous concept… it is not clear … what regulators really have in mind when they urge firms developing products to build in privacy.” (Rubinstein, 2011)

Requirements engineering is needed to transform privacy by design from vague admonitions into a structured design process with tangible outcomes (Rubinstein, 2011)

Page 12

Excerpt from FTC Staff Report, March 2012, which uses “reasonable” more than 50 times in a 112-page report.

Page 13

Design & Model

Page 14

Engineer & Build

Page 15

Tangible Outcome

Page 16

Gehry building – 8 Spruce Street

Page 17

Design versus engineering

Design focuses on models

Engineering focuses on requirements

Requirements must be measurable and verifiable

Page 18

Moving to privacy engineering

Need to move from “privacy by design” to “privacy requirements engineering”

Design can capture broad objectives (“buildings should be constructed with fireproof materials”)

Engineering makes those objectives tangible (“fireproof material must be able to bear weight for four hours of fire at 1000 degrees F”)

Page 19

Example: Privacy Principle

“Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy.” (source: FTC Staff Report, March 2012)

Page 20

Engineering Requirements

“The risk of data exposure can be further minimized by reducing the sensitivity of stored data wherever possible … for example, when using the customer’s IP address to determine location for statistical analysis, discard the IP address after mapping it to a city or town.”

Source: Microsoft Privacy Guidelines for Developers, 2008
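The Microsoft guideline quoted above is a requirement an engineer can both implement and verify, which is the point of the "design versus engineering" distinction in this talk. The following is an added example, not code from the slides or from the Microsoft guidelines: it maps each event's IP to a city, emits a record that no longer has an IP field, and then checks the batch so the requirement "no stored record carries an IP address" is testable rather than a matter of trust. The IP-to-city table (using the RFC 5737 documentation prefixes), the city names and the sample log events are all constructed for illustration.

```python
# Added example (not from the Dwyer slides or the Microsoft guidelines): the
# engineering requirement "discard the IP address after mapping it to a city or
# town", implemented as a transform plus a check that makes it verifiable.
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed lookup table: network prefix -> city. A real system would query a
# geolocation database; the prefixes are RFC 5737 documentation ranges and the
# city names are made up.
IP_TO_CITY = {
    ipaddress.ip_network("203.0.113.0/24"): "Springfield",
    ipaddress.ip_network("198.51.100.0/24"): "Shelbyville",
}


@dataclass(frozen=True)
class RawEvent:
    """What the web server saw: still carries the client IP."""
    ip: str
    page: str
    ts: int


@dataclass(frozen=True)
class StoredEvent:
    """What the analytics store is allowed to keep: a city, never the IP."""
    city: str
    page: str
    ts: int


# Constructed sample input standing in for a few web-server log records.
SAMPLE_EVENTS = [
    RawEvent(ip="203.0.113.7", page="/home", ts=1340707200),
    RawEvent(ip="203.0.113.42", page="/pricing", ts=1340707260),
    RawEvent(ip="198.51.100.200", page="/home", ts=1340707320),
]


def city_for(ip: str) -> str:
    """Map an address to a city; unknown addresses get a coarse bucket, not the IP."""
    addr = ipaddress.ip_address(ip)
    for net, city in IP_TO_CITY.items():
        if addr in net:
            return city
    return "unknown"


def minimize(event: RawEvent) -> StoredEvent:
    """Map the IP to a city and emit a record that no longer carries the IP."""
    return StoredEvent(city=city_for(event.ip), page=event.page, ts=event.ts)


def contains_ip(record) -> bool:
    """Requirement check: does any field of the record parse as an IP address?"""
    for value in vars(record).values():
        try:
            ipaddress.ip_address(str(value))
            return True
        except ValueError:
            continue
    return False


def store(events):
    """Minimize every event and refuse to store a batch that still carries an IP."""
    stored = [minimize(e) for e in events]
    leaked = [s for s in stored if contains_ip(s)]
    if leaked:
        raise ValueError(f"{len(leaked)} record(s) still carry an IP address")
    return stored


def count_by_city(stored) -> dict:
    """The statistical analysis the guideline wants to keep possible."""
    return dict(Counter(s.city for s in stored))


if __name__ == "__main__":
    kept = store(SAMPLE_EVENTS)
    print(count_by_city(kept))  # {'Springfield': 2, 'Shelbyville': 1}
```

The separate `StoredEvent` type is deliberate: the analytics store cannot hold an IP even by accident, because the record has no field for one, and `contains_ip` is the audit that catches a field being misused to smuggle one through. The city count shows the positive-sum point from the PbD principles: the statistical purpose is still served after the sensitive value is gone.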

Page 21

How can this be accomplished?

Qualitative – focus groups/interviews with domain experts/stakeholders

Quantitative – formal analysis of statutes and regulations (see Breaux and Anton, 2007)

Page 22

Source: “A Framework for Modeling Privacy Requirements in Role Engineering,” He and Anton, 2003

RBAC = Role Based Access Control

Privacy Requirements Engineering

Page 23

Development tools are needed

Can’t manage the complexity of describing privacy engineering requirements “by hand,” takes too long

Can’t audit privacy of information systems “by hand,” not comprehensive enough

Page 24

Ghostery: Tracking tools found on Dictionary.com

Page 25

Firefox Collusion: Graph of tracking entities and flow of data

Page 26

Network traffic visualization

Page 27

Recommendations

Emphasize privacy requirements engineering

Develop data visualization tools (enterprise level) that model information flows and identify privacy weaknesses

Model information flow within business processes and determine if privacy requirements are being met
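The last two recommendations, and the earlier point that requirements must be measurable and verifiable, can be shown in miniature: describe a business process as a graph of information flows, state the privacy requirements as predicates over that graph, and run them. The following is an added example, not code from the slides or from any tool the talk mentions; the process steps, data categories, purposes and the allowed-purpose policy are constructed for illustration, and one flow (raw logs going to an archive with the IP still attached) is deliberately included as the weakness the check should find.

```python
# Added example (not from the Dwyer slides): a toy information-flow model of a
# business process, with privacy requirements written as checks that run
# automatically. Process names, data categories, purposes and the policy are
# all constructed for illustration.

# Each process step is tagged with the purpose it serves.
PROCESSES = {
    "web_ingest": "operations",
    "geolocate": "operations",
    "analytics": "analytics",
    "newsletter": "marketing",
    "archive": "retention",
}

# Data categories each step creates itself (everything else it must receive).
ORIGINS = {
    "web_ingest": {"ip", "email", "page_view"},
    "geolocate": {"city"},      # derived from ip, which is meant to stop here
    "analytics": {"report"},
}

# Information flows: (source, destination, categories carried on that flow).
# The last edge is a constructed defect: a raw-log archive still receiving IPs.
EDGES = [
    ("web_ingest", "geolocate", {"ip", "page_view"}),
    ("geolocate", "analytics", {"city", "page_view"}),
    ("web_ingest", "newsletter", {"email"}),
    ("analytics", "archive", {"city", "page_view", "report"}),
    ("web_ingest", "archive", {"ip", "email"}),
]

# Policy: which purposes may handle each category. "ip" is operational only,
# matching the guideline to discard it once it has been mapped to a city.
ALLOWED_PURPOSES = {
    "ip": {"operations"},
    "email": {"operations", "marketing", "retention"},
    "city": {"operations", "analytics", "retention"},
    "page_view": {"operations", "analytics", "retention"},
    "report": {"analytics", "retention", "marketing"},
}


def received(edges):
    """Map each process to the set of categories flowing into it."""
    inbound = {}
    for _, dst, cats in edges:
        inbound.setdefault(dst, set()).update(cats)
    return inbound


def check_purposes(edges, processes, allowed):
    """Requirement 1: a category may only reach processes whose purpose allows it.
    Returns (category, process, purpose) for every violation."""
    violations = []
    for dst, cats in received(edges).items():
        purpose = processes[dst]
        for cat in sorted(cats):
            if purpose not in allowed.get(cat, set()):
                violations.append((cat, dst, purpose))
    return sorted(violations)


def check_origins(edges, origins):
    """Requirement 2: a process may only send what it received or originated.
    Anything else is an undeclared data source the model failed to capture."""
    inbound = received(edges)
    violations = []
    for src, _, cats in edges:
        known = inbound.get(src, set()) | origins.get(src, set())
        for cat in sorted(cats - known):
            violations.append((src, cat))
    return sorted(set(violations))


def drop_category(edges, src, dst, category):
    """Remediation: remove one category from one flow, leaving the rest intact."""
    return [(s, d, cats - {category} if (s, d) == (src, dst) else cats)
            for s, d, cats in edges]


if __name__ == "__main__":
    for v in check_purposes(EDGES, PROCESSES, ALLOWED_PURPOSES):
        print("purpose violation:", v)
    fixed = drop_category(EDGES, "web_ingest", "archive", "ip")
    print("after fix:", check_purposes(fixed, PROCESSES, ALLOWED_PURPOSES))
```

Run as written, the purpose check reports exactly one weakness, the IP reaching the retention-purpose archive, and reports nothing once that category is dropped from the flow. The origin check is the kind of consistency test a visualization tool would also need: a step that emits data it never received is either an undocumented collection point or a modelling error, and either way the audit cannot be called comprehensive until it is explained.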

Page 28

Questions? Thank you!

Catherine Dwyer
Seidenberg School of Computer Science and Information Systems
Pace University

Twitter: @ProfCDwyer