Acht Privacy Design Strategieën

Transcription

1 Acht Privacy Design Strategieën Jaap-Henk Hoepman 22 november 2017

2 Eight Privacy Design Strategies Or: how to make Privacy by Design concrete? Jaap-Henk // // // blog.xot.nl

3 About me Associate professor, Radboud University, Nijmegen, The Netherlands Privacy enhancing technologies Applied cryptography Internet of Things Scientific director, Privacy & Identity Lab Bringing together technical, legal and social sciences Blogger Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 3

4 Privacy is about protecting personal data Leave alone Give control Separate contexts Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 4

5 Government surveillance Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 5

6 business surveillance Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 6

7 And future developments Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 7

8 All these developments make people increasingly transparent, predictable and hence vulnerable. This is a problem for each of us individually, but also for our democratic society as a whole. Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 8

9 Privacy by design

10 Privacy by design Protect privacy when developing new technology: From concept to realisation Throughout the system development cycle Privacy is a quality attribute (like security, performance, ) Privacy by design is a process! Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 10

11 Why follow privacy by design? It reduces privacy risks And hence reputation damage or repair costs You can t loose what you don t have It enables business In e.g. Healthcare, Internet of Things, Quantified self Like security by design enables say Internet banking It becomes mandatory in 2018! The General Data Protection Regulation (GDPR) Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 11

12 But how? Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 12

13 Common engineering misconceptions #1 0/1 vs. Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 13

14 Common engineering misconceptions #2 Data controller = Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 14

15 Common engineering misconceptions #3 Privacy = Data minimisation Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 15

16 Personal data? So Name Social security number address But also License plate IP Address Likes Tweets Search terms Jaap-Henk Hoepman // ( XOT // ) Eight Privacy Design Strategies 16

17 Aside: what is Data Processing Action Relevant GDPR Personal Data Processing Examples Operate Adaptation; Alteration; Retrieval; Consultation; Use; Alignment; Combination Organisation; Structuring; Storage Store Retain Collect Share Change Breach opposite to (Erasure; Destruction) Collection; Recording Transmission; Dissemination; Making Available; opposite to (Restriction; Blocking) unauthorised third party (Adaptation; Alteration; Use; Alignment; Combination) unauthorised third party (Retrieval; Consultation) Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 17

18 Concept Development Privacy design strategies Implementation Privacy enhancing technologies Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 18

19 Privacy design strategies map fuzzy legal concepts Legal norms to concrete data protection goals to help control data (Technical) design requirements processing Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 19

20 Impact assessment & strategies Privacy Impact Assessment Concept Development Analysis Privacy Design Strategies Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 20

21 Eight privacy design strategies

22 Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 22

23 #1 Minimize Definition Limit as much as possible the processing of personal data. Associated tactics EXCLUDE: refraining from processing a data subject s personal data, partly or entirely, akin to blacklisting or opt out. SELECT: decide on a case by case basis on the full or partial usage of personal data, akin to whitelisting or opt-in. STRIP: removing unnecessary personal data fields from the system s representation of each user. DESTROY: completely removing a data subject s personal data. Example Select before you collect Jaap-Henk Hoepman // ( XOT ) // // Privacy by Design 23

24 #2 Separate Definition Distribute or isolate personal data as much as possible, to prevent correlation. Associated tactics DISTRIBUTE: partitioning personal data so that more access is required to process it. ISOLATE: processing parts of personal data independently, without access or correlation to related parts. Example A peer-to-peer social network. Jaap-Henk Hoepman // ( XOT ) // // Privacy by Design 24

25 #3 Abstract Definition Limit as much as possible the detail in which personal data is processed. Associated tactics SUMMARIZE: extracting commonalities in personal data by finding and processing correlations instead of the data itself. GROUP: inducing less detail from personal data prior to processing, by allocating into common categories. PERTURB: add noise or approximate the real value of a data item. Example Aggregate data over time, in e.g. smart grids Jaap-Henk Hoepman // ( XOT ) // // Privacy by Design 25

26 #4 Hide Definition Prevent personal data to become public or known. Associated tactics RESTRICT: preventing unauthorized access to personal data. MIX: processing personal data randomly within a large enough group to reduce correlation. ENCRYPT: encrypt data (in transit or at rest) OBFUSCATE: preventing understandability of personal data to those without the ability to decipher it. DISSOCIATE: removing the correlation between different pieces of personal data. Example End-to-end encryption; Tor Jaap-Henk Hoepman // ( XOT ) // // Privacy by Design 26

27 #5 Inform Definition Inform data subjects about the processing of their personal data. Associated tactics SUPPLY: making available extensive resources on the processing of personal data, including policies, processes, and potential risks. NOTIFY: alerting data subjects to any new information about processing of their personal data in a timely manner. EXPLAIN: detailing information on personal data processing in a concise and understandable form. Example Privacy icons Algorithmic transparency Jaap-Henk Hoepman // ( XOT ) // // Privacy by Design 27

28 #6 Control Definition Provide data subjects control about the processing of their personal data. Associated tactics CONSENT: only processing the personal data for which explicit, freely-given, and informed consent is received. CHOOSE: allowing for the selection or exclusion of personal data, partly or wholly, from any processing. UPDATE: providing data subjects with the means to keep their personal data accurate and up to date. RETRACT: honouring the data subject s right to the complete removal of any personal data in a timely fashion. Example Obtaining consent; implement a privacy dashboard Jaap-Henk Hoepman // ( XOT ) // // Privacy by Design 28

29 #7 Enforce Definition Commit to processing personal data in a privacy friendly way, and enforce this. Associated tactics CREATE: acknowledging the value of privacy and deciding upon policies which enable it, and processes which respect personal data. MAINTAIN: considering privacy when designing or modifying features, and updating policies and processes to better protect personal data. UPHOLD: ensuring that policies are adhered to by treating personal data as an asset, and privacy as a goal to incentivize as a critical feature. Example Specify and enforce a privacy policy ( Jaap-Henk Hoepman // ( XOT ) // // Privacy by Design 29

30 #8 Demonstrate Definition Demonstrate you are processing personal data in a privacy friendly way. Associated tactics LOG: tracking all processing of data, without revealing personal data, securing and reviewing the information gathered for any risks. AUDIT: examining all day to day activities for any risks to personal data, and responding to any discrepancies seriously. REPORT: analyzing collected information on tests, audits, and logs periodically to review improvements to the protection of personal data. Example Logging; Privacy management system (cf. ISO information security management systems) Jaap-Henk Hoepman // ( XOT ) // // Privacy by Design 30

31 Eight privacy design strategies Data oriented MINIMIZE Limit as much as possible the processing of personal data. SEPARATE Distribute or isolate personal data as much as possible, to prevent correlation. ABSTRACT Limit as much as possible the detail in which personal data is processed. HIDE Prevent personal data to become public or known. Process oriented INFORM Inform data subjects about the processing of their personal data. CONTROL Provide data subjects control about the processing of their personal data. ENFORCE Commit to processing personal data in a privacy friendly way, and enforce this. DEMONSTRATE Demonstrate you are processing personal data in a privacy friendly way. Jaap-Henk Hoepman // ( XOT ) // // Privacy by Design 31

32 Concluding remarks // Eight Privacy Design Strategies 32

33 Concluding remarks Limits to privacy by design Privacy is fragile; may break when combining or extending systems The level of privacy protection is hard to define and measure, making different systems hard to compare Implementation obstacles Incentives and effective deterrence mechanisms needed Better understanding of privacy (by design) as a process needed Tools to support privacy by design in practice are missing Stronger role of standardisation Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 33

34 Further information G. Danezis, J. Domingo-Ferrer, M. Hansen, J.-H. Hoepman, D. L. Metayer, R. Tirtea, and S. Schiffner. Privacy and Data Protection by Design - from policy to engineering. Technical report, ENISA, December ISBN , DOI / M. Colesky, J.-H. Hoepman, and C. Hillen. A Critical Analysis of Privacy Design Strategies. In 2016 International Workshop on Privacy Engineering IWPE'16, San Jose, CA, USA, May info@xot.nl blog.xot.nl Jaap-Henk Hoepman // ( XOT ) // // Eight Privacy Design Strategies 34