Privacy by Design: Can it Work?

Catherine Dwyer
Seidenberg School of Computer Science & Information Systems
Pace University
New York, NY

Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012

Gehry Building, 8 Spruce Street

Online Privacy (diagram): Lawyers, Technologists, Organizations, Citizens

Privacy Research Group – NYU Law

What is Privacy by Design?

Ann Cavoukian, Information & Privacy Commissioner, Ontario, Canada

Principles of Privacy by Design
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality — Positive-Sum, not Zero-Sum
5. End-to-End Security — Full Lifecycle Protection
6. Visibility and Transparency — Keep it Open
7. Respect for User Privacy — Keep it User-Centric
From www.privacybydesign.ca

Legal perspective
• 4th Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Third party doctrine
• "The Supreme Court has repeatedly held, however, that the Fourth Amendment does not protect information revealed to third parties." (Kerr, 2004)
• Third party – any business, organization, ISP, or cloud service provider
• Once you "share" data with a third party, you lose 4th amendment protection
• 4th amendment standard is "probable cause," 3rd party standard is "relevant to an investigation" and "not overbroad" (Kerr, 2004)

Source: Google transparency report, more than 18,000 requests from governments around the globe for Google user data (7/11-12/11)

Source: WikiLeaks

Problems With PbD
• "Privacy by design is an amorphous concept… it is not clear … what regulators really have in mind when they urge firms developing products to build in privacy." (Rubinstein, 2011)
• Requirements engineering is needed to transform privacy by design from vague admonitions into a structured design process with tangible outcomes (Rubinstein, 2011)

Excerpt from FTC Staff Report, March 2012, which uses "reasona more than 50 times in a 112-page report.

Design & Model

Engineer & Build

Tangible Outcome

Gehry building – 8 Spruce Street

Design versus engineering
• Design focuses on models
• Engineering focuses on requirements
• Requirements must be measurable and verifiable

Moving to privacy engineering
• Need to move from "privacy by design" to "privacy requirements engineering"
• Design can capture broad objectives ("buildings should be constructed with fireproof materials")
• Engineering makes those objectives tangible ("fireproof material must be able to bear weight for four hours of fire at 1000 degrees F")

Example: Privacy Principle
• "Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy." (source: FTC Staff Report, March 2012)

Engineering Requirements
• "The risk of data exposure can be further minimized by reducing the sensitivity of stored data wherever possible … for example, when using the customer's IP address to determine location for statistical analysis, discard the IP address after mapping it to a city or town."
• source: Microsoft Privacy Guidelines for Developers, 2008

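The Microsoft requirement quoted above, turned into code as an added example (not from the slides or from Microsoft's guidelines): the IP address is used only for the city lookup and then dropped, and a check verifies that no stored record still carries one, which is the "measurable and verifiable" property the deck asks of engineering requirements. The prefix-to-city table, the log lines and the record layout are constructed for this example; a real system would use a geolocation database.

```python
# Added example: data minimization for location statistics. The prefix table,
# log lines and record layout below are constructed, not from any real system.
import ipaddress
import re
from collections import Counter

# Constructed prefix -> city table (documentation/test address ranges only),
# standing in for a geolocation database.
PREFIX_TO_CITY = {
    ipaddress.ip_network("203.0.113.0/24"): "New York, NY",
    ipaddress.ip_network("198.51.100.0/24"): "Toronto, ON",
    ipaddress.ip_network("192.0.2.0/24"): "Seattle, WA",
    ipaddress.ip_network("2001:db8::/32"): "Ottawa, ON",
}

# Constructed access-log lines in the form "<client ip> <request path>".
SAMPLE_LOG = [
    "203.0.113.7 /index.html",
    "203.0.113.42 /pricing",
    "198.51.100.9 /index.html",
    "2001:db8::1 /docs",
    "10.0.0.5 /index.html",          # not in the table: kept only as "unknown"
    "malformed line with no path",   # does not parse: skipped
]

LOG_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<path>\S+)$")


def ip_to_city(ip_text):
    """Map one IP address to a city; None for invalid or unmapped input."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    for net, city in PREFIX_TO_CITY.items():
        if addr in net:          # version mismatch (v4 vs v6) is simply False
            return city
    return None


def naive_log_for_stats(lines):
    """What the requirement rules out: the raw IP stays in the stored record."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append({"ip": m.group("ip"),
                            "city": ip_to_city(m.group("ip")) or "unknown",
                            "path": m.group("path")})
    return records


def minimize_log_for_stats(lines):
    """The requirement applied: the IP is used for the lookup, then dropped.

    Each line is reduced to (city, path). Addresses that cannot be mapped are
    recorded as "unknown" instead of being kept raw.
    """
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            records.append({"city": ip_to_city(m.group("ip")) or "unknown",
                            "path": m.group("path")})
    return records


def visits_by_city(records):
    """The statistic the retained data exists for: visits per city."""
    return Counter(r["city"] for r in records)


def contains_ip_address(records):
    """Verifiable check: does any stored value parse as an IP address?

    Uses ipaddress parsing rather than a regex so that paths, city names and
    the "unknown" marker cannot produce false positives.
    """
    for rec in records:
        for value in rec.values():
            try:
                ipaddress.ip_address(value)
                return True
            except ValueError:
                continue
    return False


if __name__ == "__main__":
    kept = minimize_log_for_stats(SAMPLE_LOG)
    print(dict(visits_by_city(kept)))                      # city counts only
    print("raw IP retained:", contains_ip_address(kept))   # False
```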
How can this be accomplished?
• Qualitative – focus groups/interviews with domain experts/stakeholders
• Quantitative – formal analysis of statutes and regulations (see Breaux and Anton, 2007)

Privacy Requirements Engineering

Source: "A Framework for Modeling Privacy Requirements in Role Engineering," He and Anton, 2003

RBAC = Role Based Access Control

Development tools are needed
• Can't manage the complexity of describing privacy engineering requirements "by hand," takes too long
• Can't audit privacy of information systems "by hand," not comprehensive enough

Ghostery: Tracking tools found on Dictionary.co

Firefox Collusion: Graph of tracking entities and flow of data

Network traffic visualization

Recommendations
• Emphasize privacy requirements engineering
• Develop data visualization tools (enterprise level) that model information flows and identify privacy weaknesses
• Model information flow within business processes and determine if privacy requirements are being met

Questions?
Thank you!

Catherine Dwyer
Seidenberg School of Computer Science and Information Systems
Pace University

Twitter: @ProfCDwyer
