Jaap-Henk Hoepman
@xotoxot // [email protected] // www.xot.nl // blog.xot.nl
Privacy Enhancing Technologies, Privacy by design
How can technology increase compliance with the GDPR?
About me
Associate professor, Radboud University
● Privacy enhancing technologies
● Applied cryptography
● Internet of Things
Blogger
● http://blog.xot.nl
12-4-2016 // Privacy by Design and Privacy Enhancing Technologies
The PI.lab
Collaboration between:
● Radboud Universiteit – ICIS
● Tilburg Universiteit – TILT
● TNO – Security; Strategy & Policy
Scientific director
● Jaap-Henk Hoepman
Managing director
● Marc van Lieshout
Contents
What is privacy (from tech perspective)
Privacy by design
Privacy design strategies
Privacy Enhancing Technologies
Other developments
Concluding remarks
What is privacy
What is privacy from a technical perspective
Confidentiality
● Access control; Anonymity
Integrity
● Authenticity
Availability
Unlinkability
● Entities; events
Intervenability
Transparency
(Hansen, Jensen, & Rost, 2015)
Transfer
Different types of data/information
Volunteered
● What you reveal explicitly when asked
Observed
● What you reveal implicitly by your behaviour
Inferred
● What is derived from other data about you
[World Economic Forum Report Personal Data: The Emergence of a New Asset Class]
Data vs Metadata
Metadata (= Behavioural data)
● Condensed (information rich, easy to process)
● More “true” (judge a man not on what he says but on what he does)
Privacy by design
Privacy by design
Protect privacy when developing new technology:
● From concept…
● … to realisation
Privacy is a quality attribute (like security, performance,…)
Privacy by design is a process!
Throughout the system development cycle
Software development cycle
(figure) Concept → Development → Implementation; privacy enhancing technologies apply at the implementation stage
Impact assessment & strategies
(figure) Concept → Development; at the analysis stage: Privacy Design Strategies and Privacy Impact Assessment
Privacy design strategies
Source #1: Solove
Information storage
Information flow
Source #2: data protection law
Core principles
● Data minimisation
● Purpose limitation
● Proportionality
● Subsidiarity
● Data subject rights: consent, (re)view
● Adequate protection
● (Provable) Compliance
What is ‘Data Processing’…
Action   Relevant GDPR personal-data processing examples
Operate  Adaptation; Alteration; Retrieval; Consultation; Use; Alignment; Combination
Store    Organisation; Structuring; Storage
Retain   opposite of (Erasure; Destruction)
Collect  Collection; Recording
Share    Transmission; Dissemination; Making Available; opposite of (Restriction; Blocking)
Change   by an unauthorised third party (Adaptation; Alteration; Use; Alignment; Combination)
Breach   by an unauthorised third party (Retrieval; Consultation)
Database tables
(figure) a table with one row per individual and one column per attribute; the data-oriented strategies act on it: minimise, separate, aggregate, hide
Eight privacy design strategies
HIDE:
● preventing exposure of access, association, visibility, and understandability of personal information to reduce the likelihood of privacy violations.
MINIMIZE:
● limiting usage of personal information to reduce the impact of privacy violations.
SEPARATE:
● preventing the correlation of personal information to reduce the likelihood of privacy violations.
ABSTRACT:
● limiting the detail of personal information to reduce the impact of privacy violations.
CONTROL:
● providing data subjects with means to consent to, choose, update, and retract from personal information in a timely manner.
INFORM:
● providing data subjects with clear explanation and timely notification on personal information.
ENFORCE:
● ensuring commitment to continually create, maintain, and uphold policies and technical controls regarding personal information.
DEMONSTRATE:
● ensuring available evidence to test, audit, log, and report on policies and technical controls regarding personal information.
The eight strategies in detail
(table; each row reads as one sentence: STRATEGY = <underlying goal> as abundantly as possible by <effects on actions> regarding storage, collection, retention, sharing, changes, breaches or operation on personal data, in a timely manner, within the constraints of the agreed-upon purposes)

Strategy      Underlying goal          Effects on actions regarding personal data
ENFORCE       ensuring commitment      creating, maintaining and upholding (policies and technical controls regarding the data)
DEMONSTRATE   ensuring evidence        testing, auditing, logging, and reporting
CONTROL       providing means          consenting to, choosing, updating, and retracting from
INFORM        providing clarity        providing, explaining, and notifying on
MINIMISE      limiting usage           excluding, selecting, stripping, or destroying any
AGGREGATE     limiting detail          summarising or grouping (called ABSTRACT on the previous slide)
SEPARATE      preventing correlation   distributing or isolating
HIDE          preventing exposure      mixing, obfuscating, dissociating, or restricting access to
Tactics (that help achieve strategy goals)
MINIMISE:    EXCLUDE, SELECT, STRIP, DESTROY
HIDE:        RESTRICT, MIX, OBFUSCATE, DISSOCIATE
SEPARATE:    DISTRIBUTE, ISOLATE
ABSTRACT:    SUMMARIZE, GROUP
INFORM:      SUPPLY, NOTIFY, EXPLAIN
CONTROL:     CONSENT, CHOOSE, UPDATE, RETRACT
ENFORCE:     CREATE, MAINTAIN, UPHOLD
DEMONSTRATE: AUDIT, LOG, REPORT
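The database-tables slide and the tactics list above stay abstract; the following is an added example (not code from the slides or from the PI.lab) that applies the four data-oriented strategies and some of their tactics to a toy individuals × attributes table. The records, field names, the reporting year and the minimum group size k are assumptions made for the illustration.

```python
"""Added example, not from the slides: MINIMISE, HIDE, SEPARATE and ABSTRACT
applied to a toy table of individuals (rows) x attributes (columns).
Records, field names, REPORT_YEAR and the threshold k are assumptions."""
import hmac
import hashlib
from collections import Counter

# Constructed sample table (fictional people, fictional data).
RECORDS = [
    {"name": "Anna",   "email": "anna@example.org",   "birth_year": 1984, "postcode": "6525EC", "diagnosis": "flu"},
    {"name": "Bram",   "email": "bram@example.org",   "birth_year": 1979, "postcode": "6525GA", "diagnosis": "flu"},
    {"name": "Cees",   "email": "cees@example.org",   "birth_year": 1991, "postcode": "5037AB", "diagnosis": "asthma"},
    {"name": "Dilara", "email": "dilara@example.org", "birth_year": 1988, "postcode": "6525XD", "diagnosis": "flu"},
    {"name": "Eva",    "email": "eva@example.org",    "birth_year": 1966, "postcode": "6525HP", "diagnosis": "diabetes"},
    {"name": "Farid",  "email": "farid@example.org",  "birth_year": 2001, "postcode": "6525ZZ", "diagnosis": "flu"},
]
REPORT_YEAR = 2016   # assumed reference year for turning birth_year into an age band


def minimise(records, needed):
    """MINIMISE / STRIP: keep only the attributes the stated purpose needs."""
    return [{k: r[k] for k in needed} for r in records]


def pseudonym(identifier, key):
    """HIDE / DISSOCIATE: replace a direct identifier by a keyed pseudonym.
    A keyed HMAC rather than a plain hash: e-mail addresses have low entropy,
    so an unkeyed SHA-256 of them is reversed by hashing candidate addresses."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:16]


def separate(records, key):
    """SEPARATE / DISTRIBUTE: split identity data from content data into two
    tables that share only the pseudonym. The HMAC key is what re-links them,
    so it belongs with neither table (ISOLATE)."""
    identities = [{"pid": pseudonym(r["email"], key), "name": r["name"], "email": r["email"]}
                  for r in records]
    content = [{"pid": pseudonym(r["email"], key),
                **{k: v for k, v in r.items() if k not in ("name", "email")}}
               for r in records]
    return identities, content


def age_band(birth_year, year=REPORT_YEAR, width=10):
    """ABSTRACT / SUMMARIZE: an age band instead of an exact age."""
    age = year - birth_year
    lo = age - age % width
    return f"{lo}-{lo + width - 1}"


def abstract(records):
    """ABSTRACT / GROUP: coarsen each attribute before it is used further
    (two-character postcode area instead of the full postcode)."""
    return [{"age_band": age_band(r["birth_year"]),
             "region": r["postcode"][:2],
             "diagnosis": r["diagnosis"]} for r in records]


def aggregate(records, by, k=3):
    """Aggregate to counts and suppress groups smaller than k, so that no
    output cell points at fewer than k individuals."""
    counts = Counter(tuple(r[f] for f in by) for r in records)
    return {group: n for group, n in counts.items() if n >= k}


if __name__ == "__main__":
    ids, data = separate(RECORDS, b"assumed-secret-key")
    print(data[0])                                        # pid + content only
    print(aggregate(abstract(RECORDS), ["region", "diagnosis"]))
```

Note the check in `aggregate`: abstraction alone does not protect a person who is alone in their group, so the count table suppresses small groups; with the sample data, grouping by age band leaves nothing publishable at k=3, which is the kind of result a privacy impact assessment should surface before release.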
Privacy Enhancing Technologies (PETS)
Classification of PETS
Communication
Authentication and identity management
Storage privacy
Private computation (aka homomorphic encryption ;-)
Transparency
Intervenability
Privacy in databases
Cryptography
Symmetric key cryptography
(Asymmetric) Public key cryptography
Confidentiality
● Encryption/decryption
Integrity
● Hash function
Authenticity
● Message Authentication Code (MAC)
● (Digital) Signature
Encryption
(figure) plaintext, e.g. “attack at dawn” → encrypt → ciphertext, e.g. “sdwr$350/.]{]gtdfc” → decrypt → “attack at dawn”
The key must be secret! The algorithm: secret? public?
Cipher: algorithm + keys
Cipher (i.e. cryptosystem)
● “Public” algorithm +
● “Secret” keys
(figure) “attack” → encrypt → “sdwr$350” → decrypt → “attack”; with another key the same plaintext becomes e.g. “gfd6#Q”
Symmetric ciphers
Properties
● Same key to encrypt/decrypt
● Fast
● Short keys (128-256 bits)
Examples
● Data Encryption Standard (DES)
● Advanced Encryption Standard (AES)
Asymmetric ciphers
Properties
● Public (encrypt) and private (decrypt) keys
● Slow
● Long keys (1024-2048 bits)
Examples
● RSA
● Diffie-Hellman
Hash functions
Properties
● “one-way”
● “collision resistance”
● Hash code 128-256 bits long
Examples
● SHA-256
Communication privacy: TLS, SSH
Anonymous communication
Zero knowledge
The cave of Ali Baba
eID: traditional
(figure) Identity Provider, User, Relying Party; attributes flow from the identity provider to the relying party
All parties are online: security and privacy risks
eID: ABC based : Issuing
(figure) Credential Issuer, User, Relying Party: the issuer issues the credential to the user
eID: ABC based : showing
(figure) Credential Issuer, User, Relying Party: the user has a certificate granting access to attributes and shows it to the relying party; showing is unlinkable
Storage privacy
(figure) two models: the cloud provider has the key versus only the user has the key
Private computation
Secure multiparty computation
● Compiles an ideal function performed by a trusted third party into one that is jointly executed by the participants (without a trusted party at all).
Homomorphic encryption
● E(m1 + m2) = E(m1) * E(m2)
● You can compute a function over the plaintexts without knowing them!
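The homomorphism on this slide is exactly what the Paillier cryptosystem provides. The following is an added example (not code from the slides or from the PI.lab): a toy Paillier implementation in which multiplying ciphertexts adds plaintexts, so an aggregator can sum encrypted inputs without ever holding the key. Key sizes, the salary figures and the use of `random.SystemRandom` are assumptions made for a readable demo; a deployment would use a vetted library and 2048-bit moduli.

```python
"""Added example, not from the slides: a toy Paillier cryptosystem, a
public-key scheme with the additive homomorphism E(m1 + m2) = E(m1) * E(m2).
Key sizes and inputs are assumptions; needs Python 3.8+ (pow(x, -1, n))."""
from math import gcd
import random

_rng = random.SystemRandom()


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top and low bit set
        if _is_probable_prime(cand):
            return cand


def _L(u, n):
    """Paillier's L function: L(u) = (u - 1) / n."""
    return (u - 1) // n


def keygen(bits=512):
    """Return public key (n, g) and private key (lambda, mu)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)        # lcm(p - 1, q - 1)
    g = n + 1                                            # standard simple generator
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)           # (L(g^lambda mod n^2))^-1 mod n
    return (n, g), (lam, mu)


def encrypt(pk, m):
    """E(m) = g^m * r^n mod n^2 with fresh random r: encryption is randomised,
    so two encryptions of the same value differ."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("message must be in [0, n)")
    n2 = n * n
    while True:
        r = _rng.randrange(1, n)
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (_L(pow(c, lam, n * n), n) * mu) % n


def add(pk, c1, c2):
    """E(m1) * E(m2) mod n^2 = E(m1 + m2): the homomorphism from the slide."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def mul_const(pk, c, k):
    """E(m)^k mod n^2 = E(k * m): multiplication by a known constant."""
    n, _ = pk
    return pow(c, k, n * n)


def private_sum(pk, ciphertexts):
    """Sum encrypted inputs with the public key only; the aggregator never
    sees a plaintext and cannot decrypt the total either."""
    total = encrypt(pk, 0)      # fresh E(0) re-randomises the result
    for c in ciphertexts:
        total = add(pk, total, c)
    return total


if __name__ == "__main__":
    pk, sk = keygen(512)
    salaries = [3200, 4100, 2750]                  # constructed inputs of three parties
    cts = [encrypt(pk, s) for s in salaries]       # each party encrypts under pk
    print(decrypt(pk, sk, private_sum(pk, cts)))   # only the key holder learns the sum
```

Two caveats a practitioner should keep in mind: the malleability that makes the scheme useful also means anyone can add to or scale a ciphertext undetected, so inputs and results need separate integrity protection (signatures or MACs, as listed on the cryptography slide); and arithmetic is modulo n, so sums that exceed n wrap around silently.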
Transparency & Intervenability
Classification
● Information about the processing taking place
● Information about the actual user data collected
● Information about the consequences of the processing and the data
Examples
● Privacy policies and icons
● Privacy seals
● Privacy dashboard
● Policy frameworks like P3P
● Tools like Lightbeam (formerly Collusion)
Other developments
OWASP Top 10 Privacy Risks
Web Application Vulnerabilities
Operator-sided Data Leakage
Insufficient Data Breach Response
Insufficient Deletion of personal data
Non-transparent Policies, Terms and Conditions
Collection of data not required for the primary purpose
Sharing of data with third party
Outdated personal data
Missing or Insufficient Session Expiration
Insecure Data Transfer
Standardisation
ISO
● ISO/IEC 29100:2011 Information technology -- Security techniques -- Privacy Framework
● ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems
W3C
● DoNotTrack (DNT), Platform for Privacy Preferences (P3P)
Internet Privacy Engineering Network
● https://secure.edps.europa.eu/EDPSWEB/edps/EDPS/IPEN
Concluding remarks
Concluding remarks
Limits to privacy by design
● Privacy is fragile; may break when combining or extending systems
● The level of privacy protection is hard to define and measure, making
different systems hard to compare
● Implementation obstacles
Incentives and effective deterrence mechanisms needed
Better understanding of privacy (by design) as a process needed
Tools to support privacy by design in practice are missing
Stronger role of standardisation
Sources
● G. Danezis, J. Domingo-Ferrer, M. Hansen, J.-H. Hoepman, D. Le Métayer, R. Tirtea, and S. Schiffner. Privacy and Data Protection by Design - from policy to engineering. Technical report, ENISA, December 2014. ISBN 978-92-9204-108-3, DOI 10.2824/38623. https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design
● OWASP Top 10 Privacy Risks: https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project
● M. Colesky, J.-H. Hoepman, and C. Hillen. A Critical Analysis of Privacy Design Strategies. In 2016 International Workshop on Privacy Engineering (IWPE'16), San Jose, CA, USA, May 26 2016. http://www.cs.ru.nl/~jhh/publications/iwpe-privacy-strategies.pdf
● Data protection guidelines; Article 29 Working Party
twitter: @xotoxot blog.xot.nl [email protected] www.xot.nl