Where Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things

Transcription

1 Where Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things aisa.org.a u aisa.org.a u Rebecca Herold, CEO The Privacy Professor 1 rebeccaherold@rebeccaherold.com

2 Agenda Technology Evolution Privacy Perspectives Persistent Beliefs About Privacy Increasing Numbers of Privacy and Cybersecurity Incidents What is Privacy? Consumerization and Mobility Cloud Services Big Data Internet of Things Addressing Privacy aisa.org.a u 2 Case Studies

3 Things vs. More Than Things Things: Shirts and tops 3 Page 3

4 Things vs. More Than Things More than things: SMART Shirts and tops 4 Page 4

5 Things vs. More Than Things Things: Socks 5 Page 5

6 Things vs. More Than Things More than Things: Smart Socks 6 Page 6

7 Things vs. More Than Things Things: Prescription pills 7 Page 7

8 Things vs. More Than Things More than Things: Smart prescription pills 8 Page 8

9 Things vs. More Than Things Things: Tableware 9 Page 9

10 Things vs. More Than Things More than Things: Smart Tableware 10 Page 10

11 Things vs. More Than Things Things: Cars 11 Page 11

12 Things vs. More Than Things More than Things: Smart Cars 12 Page 12

13 Privacy Perspectives Real privacy threat 13 Page 13

14 Privacy Perspectives Versus perceived threat Attacks on those flying personal drones Drone shield clothing 14 Page 14

15 Privacy Attitudes/Actions Threaten Privacy There s no law against it! It s not personal information Posting about someone else Cyber attacks only are a problem for large organizations The only people talking about this are those who will profit from the scare tactics. Public Facebook post: I see you at the Train/Maroon 5 concert I m 17 rows behind you! Page 15

16 Persistent Beliefs Dangerous statements that have valid points, but must be balanced by considering privacy ramifications There is no personal information involved, so there are no privacy impacts. Encrypt it and you don t have to worry. If people put their personal information online they want you to have it! Too many privacy protections inhibit innovation and positive advances. There is no privacy anyway, so there s no use to spend time and effort on it. Page 16

17 Personal Data Sharing is Increasing Study: 75% of health wearables and apps sent personal data to 3rd parties without users' knowledge Study: Top 20 health related apps sent personal data to as many as 70 third parties 17 Page 17

18 Cybersecurity Incidents are Increasing Cisco 2014 Annual Security Report: Mobile apps regularly downloaded without any thought of security. 99% of all mobile malware target Android devices. Trojans targeting Java Micro Edition (J2ME)-capable devices in 2 nd place with 0.84% of all mobile malware encounters. 71% of Android users have the highest encounter rates with all forms of webdelivered malware, followed by Apple iphone users with 14%. 18 Page 18

19 Cybersecurity Incidents are Increasing Symantec Latin American + Caribbean Cyber Security Trends, June 2014 In total, over 552 million identities around the world were exposed in 2013, putting consumer credit card information, birth dates, government ID numbers, home addresses, medical records, phone numbers, financial information, addresses, logins, passwords, and other personal information into the criminal underground. Stolen credit cards can be sold for as high as $100 per card on the black market, making data breaches a low risk and simple, yet profitable activity for cybercriminals. Globally, 8 breaches each exposed 10 million identities or more. 19 Page 19

20 Cybersecurity Incidents are Increasing 20 Page 20

21 Cybersecurity Incidents are Increasing But business leaders refuse to take action, or even believe there are threats. I fail to see this threat ever becoming real. Cyber attacks have always been agai nst the masses not the individuals. This is more hype than anything. The only people that support this are those that will profit from the scare tactics. 21 Page 21

22 Privacy Incidents are Increasing 4th Annual Benchmark Study on Patient Privacy & Data Security by Ponemon Institute Criminal attacks on healthcare organizations increased 100% since % of organizations say employee negligence is biggest worry followed by use of public cloud services (41%), mobile device insecurity (40%) and cyber attackers (39%). Despite the concerns about employee negligence and the use of insecure mobile devices, 88% of organizations permit employees and medical staff to use their own mobile devices to connect to their organization s networks or enterprise systems such as . 40% say they use the cloud heavily, an increase from 32% in % are either somewhat confident (33%) or not confident (40% ) that their business associates would be able to detect, perform an incident risk assessment and notify their organization in the event of a data breach incident as required under the business associate agreement. Page 22 22

23 Privacy Incidents are Increasing 3 rd Party Risks Unauthorized access by insiders Loss and theft of devices storing personal information Non-compliance with security and privacy requirements Using information in ways they are not authorized to do Malware 23 Page 23

24 Privacy Incidents are Increasing 24 Page 24

25 What is Privacy? Informational Privacy Bodily Privacy Territorial Privacy Communications Privacy Page 25

26 Personal Information Elements Organizational Information General Information Business and personal addresses Name Gender Age and date of birth Marital status Home address Account number Social Security number License plate number Citizenship Languages spoken Veteran status Disabled status IP address (some jurisdictions) Dozens (hundreds?) more Business and personal phone numbers Business and personal addresses Must Also Consider Internal identification numbers Sensitive Information Government-issued identification numbers New Types of Information/Data Identity verification information *ANY* Data That Can Point to an Individual And the list goes on Page 26 26

27 Consumerization of IT & Privacy Page 27

28 Mobility Benefits Page 28 Page 28

29 Mobility & Privacy BYOD results in BYOA Tablets & Smartphones USBs Data collected through apps Access to the customer s device Malware Phishing Securing data in transit Securing data in storage Page 29 Page 29

30 Cloud Services & Privacy Page 30 Page 30

31 Big Data Use Limitations Retention & Disposal Availability Disclosure Controls Integrity Page 31 Page 31

32 Big Data Privacy Risks Anonymization could become impossible Data masking could become impossible People don't realize the risks Bad actions based on incorrect interpretations Ethical issues with driving behavior Discrimination Few (if any) legal protections to involved individuals Exists infinitely Concerns for e-discovery Making patents and copyrights irrelevant Page 32

33 Internet of Things Privacy Risks Creates a more pervasive "Big Brother" society Individuals don't know they are sharing their data Little to no control of data collected Traditional privacy principles (e.g., FIPPs) may not be feasible Few (if any) legal protections to involved individuals No standards for building in privacy Currently no way to communicate privacy issues from/through the devices Page 33

34 Disclosure Controls By 2015, 25 billion devices are projected Internet of Things to be connected to the Internet; this number could double to 50 billion devices by the end of the decade. Use Limitations The M2M market will expand to 24 billion smart sensors by 2020 and will be worth approximately $1.2 trillion Retention & Disposal TRENDNet failed to employ reasonable and appropriate security during the design and testing of consumer software. TRENDNet failed to monitor third-party security vulnerability reports. Availability Integrity Page 34

35 Taken from 35

36 Internet of Things: Medical Devices

37 Internet of Things: Wearable Technologies

38 Internet of Things: Mobile Linkages Page 38

39 Internet of Things: Energy Usage

40 Internet of Things: Smart Appliances Smart meter HAN Smart Grid? HAN Smart appliance Internet? Smart meter HAN Internet? Page 40

41 Address Privacy Risks by Building In Privacy Controls Page 41

42 Privacy Principles OECD Privacy Principles Collection Limitation Principle Data Quality Principle Purpose Specification Principle Use Limitation Principle Security Safeguards Principle Openness Principle Individual Participation Principle Accountability Principle The Australian Information Privacy Principles align closely with the OECD Privacy Principles: IPP 1: manner and purpose of collection IPP 2: collecting information directly from individuals IPP 3: collecting information generally IPP 4: storage and security IPPs 5 7: access and amendment IPPs 8 10: information use IPP 11: disclosure Page 42 42

43 Case Studies Drones over public national park forest Accountability Individual Participation Use to determine insect damage to trees Privacy concerns: - People in park will be recorded - Adjacent property will be recorded - Other? Possible privacy mitigation actions: - Use GPS settings in drone - Establish drone flight height requirements - Use face blurring technologies - Post signs - Only use when park is closed - Other? Openness Security Safeguards Use Limitation Purpose Specification Data Quality Collection Limitation 43 Page 43

44 Case Studies Smart prescription pills Use to track health of patient Privacy concerns: - Inapproriate sharing of health data - Inappropriate use of health data - Health data modification - Securing the transmission of data - Other? Possible privacy mitigation actions: - Use encryption - Log access to data - Other? Accountability Individual Participation Openness Security Safeguards Use Limitation Purpose Specification Data Quality Collection Limitation 44 Page 44

45 Case Studies Smart Meters Use to track and control energy usage to save energy Privacy concerns: - Activities within the house will be revealed - Energy usage may be inappropriately shared - Energy usage could be controlled - Other? Possible privacy mitigation actions: - Lengthen energy usage readings - Send aggregate data to utility - Restrict data sharing - Other? Accountability Individual Participation Openness Security Safeguards Use Limitation Purpose Specification Data Quality Collection Limitation 45 Page 45

46 Case Studies Use of Drones in Farming Accountability Individual Participation Openness Use to check crops and livestock Privacy concerns: - Others would obtain the images - Farmers would use inappropriately - Other? Possible privacy mitigation actions: - Establish limits via GPS settings - Require drones to be registered and logs subject to monitoring - Other? Security Safeguards Use Limitation Purpose Specification Data Quality Collection Limitation 46 Page 46

47 Case Studies Smart Glasses Accountability Individual Participation Manufacturer wants to include privacy protections Privacy concerns: - Those in vicinity will be recorded w/o their consent - Used to steal IP (e.g., movies, etc.) - Other? Possible privacy mitigation actions: - Have visible light/sound when it is recording - Other? Openness Security Safeguards Use Limitation Purpose Specification Data Quality Collection Limitation 47 Page 47

48 Managing the Risks Use most appropriate privacy principles (e.g., OECD) Assign responsibility Establish information security and privacy policies Create supporting procedures and standards Provide training and ongoing awareness Establish oversight Ask: Will the way in which you use, share, present, retain, etc. data about individuals be viewed as creepy? Page 48

49 Initiatives U.S. NIST Privacy Engineering Workshop Beginning to address the technical engineering issues Page 49

50 Questions? Rebecca Herold & Associates, LLC The Privacy Professor Des Moines, Iowa Phone Web sites: Blog: Rebecca Herold, CIPM, CIPP/US, CIPT, CISSP, CISM, CISA, FLMI TwitterID: Page 50 Page 50