IoT and Privacy by Design

Transcription

1 IoT and Privacy by Design Consumer privacy = security plus privacy control Consumer products legal and practical It s engineering you need engineering practices Addressing key policy issues use of standards Pete Eisenegger p.eisenegger@btinternet.com BSI Consumer Coordinator Digital Standards ANEC IoT and Privacy expert ISO Consumer Policy Committee Key Person Privacy BCS IoT Workshop 13 th June 2017

2 The law and practical product design 84 % 52 % 46 % % of the UK public who speed at any one time Laws that are used in clear cases of overstepping the mark 3 key practical challenges for Privacy by Design standards Consumers tick the box in 6 seconds Consumers can t remember lots of high strength passwords We don t keep our security up to date

3 The National / International Privacy Standards world UK = The National Standards Body BSI with it s Consumer and Public Interest Network Security and Privacy Technical Committee (IST 33) Europe = CEN, CENELEC and ETSI plus ANEC for consumer representation Mandate for RFID Privacy 2 key CEN standards (TC 225) Joint BSI-CPIN and ANEC Consumer Representatives Privacy Guides New CEN Cyber Security Technical Committee and ESTI commitees Consumer Representatives Privacy Guides Global = International Standards Organization and its Consumer Policy Committee (ISO/COPOLCO) Security and Privacy Technical Sub-Committee (JTC1/SC27) COPOLCO New Work Item Proposal Based on 7 years of groundwork Privacy by Design of Consumer Goods and Services

4 Security in depth Privacy Standards - the industry perspective Protect the data center from the outside world We, the consumers, are on the outside Once consumer data has been collected Data Protection law ISO/IEC Good practice standards series series Increasing risk Currently there isn t the privacy equivalent of product safety law that consumer products should protect our privacy

5 Privacy Standards the consumer perspective Domestic Privacy strategic standards gap Privacy in depth* Protect the individual from the outside world The organisations are on the outside e.g. Wearables and real time data ISO Privacy by Design of consumer goods and services Increasing risk Ref: ISO Focus article Are we safe with the Internet of Things? * Privacy in depth model created for EN 16571

6 So what is this Privacy by Design? Defining the product and setting it s context Key inputs: Understanding consumers needs and consumer context Product technology and security Establish requirements, design product and produce prototypes ISO Safety by Design Guide Product testing and design validation (inc. Privacy Impact Assessment) Prepare for product release Privacy by Design handbook Monitor the market and take remedial action when needed Product end of life Privacy Guides COPOLCO NWIP Privacy by Design of Consumer Goods and Services

7 Privacy needs input to standards Addressing key issues 1. The awareness dilemma people want routine operations to be automated, yet still in accordance with their wishes. 2. How much choice? people need to retain autonomy but not be overwhelmed by options. Defaults will play a vital role. 3. Who has control? consumers (and which consumers?), their machines, or the firms behind the machines? 4. How do people know that vendor claims are true? Lifting the bonnet will mean little to most of us. 5. Social and private interests may well diverge my freedom to drive unsurveilled puts you at risk of a traffic accident. Consumer need for contextual control ( 6 seconds to tick the box plus legal get outs ). Associated requirements for design of digitally connected devices to provide real time privacy controls supplemented by consent notices: - What the personal data items are that can be accessed by others - Who can access who's personal data - When personal data can be accessed - Where personal data can be processed - Purpose of personal data processing - Consumer primacy re: control of appliances A Privacy by Design Specification that product providers can be assessed against by 3 rd parties to raise consumer confidence An example of iphone real time privacy controls Consumers need for good governance Requirement: Governance to protect an individual s privacy should be transparent, proportional and fair while also including the public interest. Requirements for engaging stakeholders - lifted from BS 8900 Sustainable Development Management

8 The Security issue The consumer privacy need for security of their devices round the home, the intelligent connected car and wearables Privacy by Design requirements for : 1. Network connectivity and system security 2. Consumer digital devices inherent security 3. Keeping consumer protection up to date 4. Sourcing trustworthy apps and applications 5. Loss of digital devices 6. Security over a product lifecycle 7. Loss of corporate data 8. Consumer security information and notifications Identify technology vulnerabilities and exploits and design to minimize risks assessed through a Privacy Impact Assessment

9 and finally but most importantly Consumer Centricity Understanding consumers and consumer context Types of consumers: their capabilities and vulnerabilities Use cases definition and specification, i.e. scenarios for intended use, unintended use, misuse and malicious use 3 rd party consumer equipment required for product to function (smartphones, routers etc.) Consumer privacy needs derived from use cases leading to associated product design requirements What good looks like

10 Thank you Pete Eisenegger BCS IoT Workshop 13 th June 2017