Privacy by Design. Ian Brown, Prof. of Information Security and Privacy Oxford Internet Institute, University of

Transcription

1 Privacy by Design Ian Brown, Prof. of Information Security and Privacy Oxford Internet Institute, University of

2 Privacy by Design principles 1. Proactive not Reactive; Preventative not Remedial 2. Privacy as the Default Setting 3. Privacy Embedded into Design 4. Full Functionality: Positive-Sum, not Zero-Sum 5. End-to-End Security Full Lifecycle Protection 6. Visibility and Transparency Keep it Open 7. Respect for User Privacy Keep it User-Centric Cavoukian et al. (2010)

3 32 nd International Conference of DP and Privacy Commissioners (Jerusalem 2010) 1. Recognize Privacy by Design as an essential component of fundamental privacy protection; 2. Encourage the adoption of Privacy by Design s Foundational Principles as guidance to establishing privacy as an organization s default mode of operation; 3. Invite Data Protection and Privacy Commissioners/Authorities to: a. promote Privacy by Design, as widely as possible through distribution of materials, education and personal advocacy; b. foster the incorporation of the Privacy by Design Foundational Principles in the formulation of privacy policy and legislation within their respective jurisdictions; c. proactively encourage research on Privacy by Design

4 General Data Protection Regulation 23: Data protection by design and by default 1. the controller shall implement appropriate and proportionate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject 2. The controller shall ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected, retained or disseminated beyond the minimum necessary for those purposes COM(2012) 11 final

5 European Parliament s additions 1 Data protection by design shall have particular regard to the entire lifecycle management of personal data from collection to processing to deletion, systematically focusing on comprehensive procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of personal data. 1a In order to foster its widespread implementation in different economic sectors, data protection by design shall be a prerequisite for public procurement tenders

6 Privacy system requirements Purpose limitation (comprising both specification of the purpose and limiting the use to that stated purpose) Data minimisation Data quality Transparency (Openness in OECD terms). Data subject rights (in terms of consent, and the right to view, erase, and rectify personal data) The right to be forgotten. Adequate protection (Security Safeguards in OECD terms). Data portability Data breach notifications. Accountability and (provable) compliance J-H Hoepmann (2014)

7 Privacy design strategies Strategy Minimise Hide (from all, or third, parties) Separate Aggregate Inform Control Enforce Demonstrate Pattern Select before you collect; anonymisation; pseudonymisation Encryption, onion routing, anonymous credentials, homomorphic encryption Distributed processing and storage where feasible; split database tables; secure multi-party computation; unlinkability Aggregation over time and geography; dynamic location granularity Transparency, data breach notifications, UI design Informed consent, UI design Access control, privacy rights management Privacy rights management, logging J-H Hoepmann (2014)

8 Spy bins and smartphones Image: Renew London

9 Transport pricing Monitor all traffic centrally (London), at kerbside (W London) or deduct payment from pay-as-you-go toll cards (Singapore)? Onboard unit (Balasch et al. 2010)? Or tax parking spaces? Link all payment card usage (Oyster) or use unlinkable RFID tokens (Shenzen)? MIT Technology Review (2006)

10 Privacy-friendly smart meters Personal data remains at customer premises under their direct control Network broadcasts tariff data to meters, which control appliances Heavily aggregated information used for billing and price comparison Rial and Danezis (2011)

11 H Haddadi, P Hui, T Henderson and I Brown (2010) MobiAd: Private and Scalable Mobile Advertising, ACM International Workshop on Mobility in the Evolving Internet Architecture, Chicago Location-Based Services Can we use features of mobile phone networks to supply anonymous, targeted adverts?

12 Limitations ENISA experts identify: Fragility/non-composability of privacy properties Privacy metrics and utility limitations Increased complexity Implementation obstacles Unclear or too narrow interpretation Utility in Internet of Things and Big Data systems FTC staff IoT report: flexible minimisation: don t collect data, or unneeded data, or sensitive data; de-identify; or seek consent Article 29 Working Party: insists that the data minimisation principle plays an essential role (Opinion 8/2014) EDPS: DP must cover use and collection of data. A differentiation in this regard has never been made in EU data protection law and it has the potential to weaken the protection of fundamental rights.

13 References J. Balasch, A. Rial, C. Troncoso, C. Geuens, B. Preneel and I. Verbauwhede (2010) PrETP: Privacy-Preserving Electronic Toll Pricing. Usenix Security Symposium, pp ENISA (2014), Privacy and Data Protection by Design from policy to engineering. European Data Protection Supervisor (2015) Value of the EU Data Protection Reform against the Big Data challenges, 5 th European Data Protection Days, Berlin. Federal Trade Commission Staff Report, Internet of Things: Privacy & Security in a Connected World, Jan H. Haddadi, P. Hui and I. Brown (2010) MobiAd: Private and Scalable Mobile Advertising, ACM International Workshop on Mobility in the Evolving Internet Architecture, Chicago. J.-H. Hoepman (2014) Privacy Design Strategies (extended abstract). ICT Systems Security and Privacy Protection - 29th IFIP TC 11 International Conference, SEC 2014, Marrakech. A. Rial and G. Danezis (2011) Privacy-Preserving Smart Metering, ACM Workshop on Privacy in the Electronic Society, Chicago.