Dwyer "Privacy by Design: Can It Work?"
- 1. Privacy by Design: Can it Work?
Catherine Dwyer
Seidenberg School of Computer Science & Information Systems
Pace University
New York, NY
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 1
- 2. Gehry Building
8 Spruce Street
- 3. [Figure: Lawyers, Technologists, Online Privacy Organizations, Citizens]
- 4. Privacy Research Group – NYU Law
- 5. What is Privacy by Design?
Ann Cavoukian, Information & Privacy Commissioner, Ontario, Canada
- 6. Principles of Privacy by Design
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality: Positive-Sum, not Zero-Sum
5. End-to-End Security: Full Lifecycle Protection
6. Visibility and Transparency: Keep it Open
7. Respect for User Privacy: Keep it User-Centric
From www.privacybydesign.ca
- 7. Legal perspective
4th Amendment: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
- 8. Third party doctrine
"The Supreme Court has repeatedly held, however, that the Fourth Amendment does not protect information revealed to third parties." (Kerr, 2004)
Third party: any business, organization, ISP, or cloud service provider
Once you "share" data with a third party, you lose 4th amendment protection
4th amendment standard is "probable cause"; 3rd party standard is "relevant to an investigation" and "not overbroad" (Kerr, 2004)
- 9. Source: Google Transparency Report: more than 18,000 requests from governments around the globe for Google user data (7/11-12/11)
- 10. Source: WikiLeaks
- 11. Problems With PbD
"Privacy by design is an amorphous concept… it is not clear … what regulators really have in mind when they urge firms developing products to build in privacy." (Rubinstein, 2011)
Requirements engineering is needed to transform privacy by design from vague admonitions into a structured design process with tangible outcomes (Rubinstein, 2011)
- 12. Excerpt from FTC Staff Report, March 2012, which uses "reasona more than 50 times in a 112-page report.
- 13. Design & Model
- 14. Engineer & Build
- 15. Tangible Outcome
- 16. Gehry building – 8 Spruce Street
- 17. Design versus engineering
Design focuses on models
Engineering focuses on requirements
Requirements must be measurable and verifiable
- 18. Moving to privacy engineering
Need to move from "privacy by design" to "privacy requirements engineering"
Design can capture broad objectives ("buildings should be constructed with fireproof materials")
Engineering makes those objectives tangible ("fireproof material must be able to bear weight for four hours of fire at 1000 degrees F")
- 19. Example: Privacy Principle
"Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention practices, and data accuracy." (source: FTC Staff Report, March 2012)
- 20. Engineering Requirements
"The risk of data exposure can be further minimized by reducing the sensitivity of stored data wherever possible … for example, when using the customer's IP address to determine location for statistical analysis, discard the IP address after mapping it to a city or town."
source: Microsoft Privacy Guidelines for Developers, 2008
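The Microsoft guideline quoted on this slide is a rare example of a privacy requirement stated precisely enough to be engineered and checked, which is the point of the "measurable and verifiable" slide above. The Python below is an added illustration, not code from the slides or from Microsoft: it resolves a client IP to a coarse location, returns a record type that has no field for the IP at all, and expresses the requirement as an audit function (`audit_no_ip_fields`) that reports any stored field still holding an IP address. The `GEO_TABLE` lookup is a constructed stand-in for a real geolocation database, and the record and function names are this example's own.

```python
"""Added example (not from Dwyer's slides or the Microsoft guidelines they
quote): keep only the coarse location derived from a client IP, discard the
IP before the record is stored, and express that requirement as a check an
auditor can run over stored records."""
import ipaddress
from dataclasses import dataclass
from typing import Any, List, Tuple

# Constructed stand-in for a real IP-to-city database (an assumption of this
# example). The prefixes are IETF documentation ranges; the city names are
# made up.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "Springfield"),
    (ipaddress.ip_network("198.51.100.0/24"), "Shelbyville"),
    (ipaddress.ip_network("2001:db8::/32"), "Capital City"),
]


def city_for_ip(ip: str) -> str:
    """Map an IPv4 or IPv6 address to a city; first matching prefix wins."""
    addr = ipaddress.ip_address(ip)
    for network, city in GEO_TABLE:
        if addr in network:
            return city
    return "unknown"


@dataclass(frozen=True)
class RawEvent:
    """What the web server sees: contains the identifying IP."""
    client_ip: str
    page: str


@dataclass(frozen=True)
class StoredEvent:
    """What reaches the statistics store: coarse location, no IP field."""
    city: str
    page: str


def minimize(event: RawEvent) -> StoredEvent:
    """Resolve the location, then drop the IP: the returned record type has
    no field that could hold it."""
    return StoredEvent(city=city_for_ip(event.client_ip), page=event.page)


def looks_like_ip(value: Any) -> bool:
    """True if a field value parses as an IPv4 or IPv6 address."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def audit_no_ip_fields(records) -> List[Tuple[int, str]]:
    """The verifiable form of the requirement: no stored field may contain
    an IP address. Returns (record index, field name) for each violation,
    so an empty list means the requirement is met."""
    violations = []
    for index, record in enumerate(records):
        for name, value in vars(record).items():
            if looks_like_ip(value):
                violations.append((index, name))
    return violations


# Constructed sample traffic for the demonstration.
RAW_EVENTS = [
    RawEvent("203.0.113.7", "/home"),
    RawEvent("198.51.100.42", "/pricing"),
    RawEvent("2001:db8:1::9", "/home"),
    RawEvent("192.0.2.55", "/contact"),   # not in the table -> "unknown"
]


def process(events) -> List[StoredEvent]:
    """Minimize every event before it is stored."""
    return [minimize(e) for e in events]


if __name__ == "__main__":
    stored = process(RAW_EVENTS)
    for rec in stored:
        print(rec)
    print("violations in raw events:", audit_no_ip_fields(RAW_EVENTS))
    print("violations in stored events:", audit_no_ip_fields(stored))
```

Running the audit over the raw events flags every `client_ip` field, while running it over the minimized records returns an empty list; that pass/fail result is what makes the guideline a requirement in the engineering sense rather than an admonition. Using a record type with no IP field, instead of blanking the field, means the protection cannot be undone by a later code path that forgets to clear it.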
- 21. How can this be accomplished?
Qualitative: focus groups/interviews with domain experts/stakeholders
Quantitative: formal analysis of statutes and regulations (see Breaux and Anton, 2007)
- 22. Privacy Requirements Engineering
Source: "A Framework for Modeling Privacy Requirements in Role Engineering," He and Anton, 2003
RBAC = Role Based Access Control
- 23. Development tools are needed
Can't manage the complexity of describing privacy engineering requirements "by hand"; it takes too long
Can't audit privacy of information systems "by hand"; it is not comprehensive enough
- 24. Ghostery: Tracking tools found on Dictionary.co
- 25. Firefox Collusion: Graph of tracking entities and flow of data
- 27. Recommendations
Emphasize privacy requirements engineering
Develop data visualization tools (enterprise level) that model information flows and identify privacy weaknesses
Model information flow within business processes and determine if privacy requirements are being met
- 28. Questions?
Thank you!
Catherine Dwyer
Seidenberg School of Computer Science and Information Systems
Pace University
Twitter: @ProfCDwyer