Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World - PowerPoint PPT Presentation

Loading...

PPT – Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World PowerPoint presentation | free to download - id: 4a556d-ZTM5O



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World

Description:

Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario – PowerPoint PPT presentation

Number of Views:154
Avg rating:3.0/5.0
Slides: 28
Provided by: ipc12
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World


1
Building in Privacy from the Bottom up How to
Preserve Privacy in a Security-Centric World
  • Ann Cavoukian, Ph.D.
  • Information Privacy Commissioner/Ontario
  • Carnegie Melon University Lecture
  • Pittsburg, PA
  • November 4, 2004

2
Impetus for Change
  • Growth of Privacy as a Global Issue
  • EU Directive on Data Protection
  • Increasing amounts of personal data collected,
    consolidated, aggregated
  • Consumer Backlash heightened consumer
    expectations

3
Importance of Consumer Trust
  • In the post-9/11 world
  • Consumers either as concerned or more concerned
    about online privacy
  • Concerns focused on the business use of personal
    information, not new government surveillance
    powers
  • If consumers have confidence in a companys
    privacy practices, consumers are more likely to
  • Increase volume of business with
    company.... 91
  • Increase frequency of business.... 90
  • Stop doing business with company if PI
    misused83
  • Harris/Westin Poll, Nov. 2001 Feb. 2002

4
How The Public Divides on Privacy
The Privacy Dynamic - Battle Dr. Alan
Westin for the minds of the pragmatists
5
Information Privacy Defined
  • Information Privacy Data Protection
  • Freedom of choice control informational
    self-determination
  • Personal control over the collection, use and
    disclosure of any recorded information about an
    identifiable individual

6
What Privacy is Not
  • Security ? Privacy

7
The Privacy/Security Relationship
  • Privacy relates to personal control over ones
    personal information
  • Security relates to organizational control over
    information
  • These represent two overlapping, but distinct
    activities

8
Privacy and Security The Difference
  • Authentication
  • Data Integrity
  • Confidentiality
  • Non-repudiation
  • Privacy Data Protection
  • Fair Information Practices
  • Security
  • Organizational control of information
    through information systems

9
The Perils of Not Protecting Privacy
  • Privacy disasters
  • Intel Pentium III
  • RealNetworks
  • Microsoft HotMail
  • Amazon/Alexa
  • CD Universe
  • Look Communications
  • It was skin searing experience. We cant take
    another hit like that.
  • MS Senior Executive

10
Technology Can Help
  • The most effective means to counter technologys
    erosion of privacy is technology itself.
  • Alan Greenspan, Federal Reserve Chairman
  • A technology should reveal no more information
    than is necessaryit should be built to be the
    least revealing system possible.
  • Dr. Lawrence Lessig, Harvard,
    September 1999

11
Privacy By Design Build It In
  • Build in privacy up front, right in the design
    specifications
  • Minimize the collection and routine use of
    personally identifiable information use
    aggregate or coded information if possible
  • Wherever possible, encrypt personal information
  • Think about anonymity and pseudonymity
  • Assess the risks to privacy conduct a privacy
    impact assessment privacy audit

12
Privacy by DesignTechnology
  • Architectures of Identification
  • PKI confidentiality or surveillance
  • Biometrics privacy or social control
  • Business/government drivers for designing trust
    into systems and programs
  • Wireless technology m-commerce
  • convergence, convenience, control

13
Biometrics The Myth of Accuracy
  • The problem with large databases containing
    thousands (or millions) of biometric templates
  • False positives
  • False negatives

14
Biometric Identification False Positive
Challenge
  • Even if you have a 1 in 10,000 error rate per
    fingerprint, then a person being scanned against
    a million-record data set will be flagged as
    positive 100 times. And thats every person. A
    system like that would be useless because
    everyone would be a false positive.
  • Bruce Schneier, quoted in Ann Cavoukians
    Submission to the Standing
  • Committee on Citizenship and Immigration,
    November 4, 2003
  • http//www.ipc.on.ca/docs/110403ac-e.pdf

15
Facial Recognition the Reality
  • Test results less than stellar
  • - Logan Airport pilot had a 50 error rate in
    real world conditions
  • - U.S. State Department has stated that facial
    recognition has unacceptably high error rates
  • - U of Ottawa tests this summer resulted in
    accuracy rates between 75 to more than 90
  • - National Institute for Standards and
    Technology, under ideal lighting and controlled
    environment conditions reported 90 accuracy
  • Superbowl facial recognition no longer considered
    useful by subsequent organizers
  • Biometrics Benched for Super Bowl  By Randy
    Dotinga, Wired Magazine

16
STEPS The Context
  • Terrorist attacks 9/11
  • Government concerns over public safety
  • U.S. Patriot and anti-terrorist legislation
  • Polarized debate for Security/Privacy

17
Change the Paradigm
  • Old Paradigm Zero Sum Game
  • New Paradigm (win-win)
  • Security Privacy Freedom
  • Expand the discourse Privacy and Security are
    not polar opposites but essential components
  • http//www.ipc.on.ca/docs/steps.pdf

18
The Challenge for Solution Developers
  • Introduce privacy into the concept, design and
    implementation of technology solutions
  • Promote existing STEPs
  • 3-D Holographic Scanner respecting physical
    privacy while enhancing security
  • Biometric encryption better security plus
    ironclad privacy

19
Fair Information Practices A Brief History
  • OECD Guidelines on the Protection of Privacy and
    Transborder Flows of Personal Data
  • EU Directive on Data Protection
  • CSA Model Code for the Protection of Personal
    Information
  • Canada Personal Information Protection and
    Electronic Documents Act (PIPEDA)

20
Summary of Fair Information Practices
  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosure, Retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual Access
  • Challenging Compliance

21
Privacy Diagnostic Tool
  • Simple, plain-language tool (paper and
    e-versions)
  • Free self-administered
  • CSA model code to examine an organizations
    privacy management practices
  • www.ipc.on.ca/PDT

22
Privacy Enhancing Technologies
  • What are PETs?
  • Anonymisers, pseudonomisers, intermediaries
  • Their Strengths
  • tools to protect personal information
  • Their Limitations
  • usually individual responses to an existing
    architecture
  • sometimes someone still has your personal
    information

23
PETTEP
  • Privacy Enhancing Technologies Testing and
    Evaluation Project
  • How does one determine whether a technology can
    deliver on its privacy promises?
  • PETTEP is intended to test the claims of various
    technologies regarding their ability to perform
    in a privacy protective manner

24
PETTEP (contd)
  • Modeled on the Common Criteria an international
    standard used to test the security components of
    technologies
  • For privacy, Fair Information Practices (FIP)
    would form the basis of the testing
  • The challenge is to translate FIPs into the
    functional requirements of the Common Criteria
    to find the design correlates of FIPs

25
PETTEP Status Update
  • EDS has partnered with the IPC and PETTEP to
    develop an enhancement of the Privacy Chapter in
    the Common Criteria
  • EDS is also committed to developing the necessary
    privacy profiles that will form the basis of
    testing and evaluating the privacy claims of
    various technologies
  • PETTEP, the IPC and EDS plan to pilot several
    technologies/systems to refine the enhanced
    Privacy Chapter.

26
Final Thought

Anyone today who thinks the privacy issue has
peaked is greatly mistakenwe are in the early
stages of a sweeping change in attitudes that
will fuel political battles and put once-routine
business practices under the microscope. Forreste
r Research, March 5, 2001
27
How to Contact Us
  • Commissioner Ann Cavoukian
  • Information Privacy Commissioner/Ontario
  • 2 Bloor Street East, Suite 1400
  • Toronto, Ontario M4W 1A8
  • Phone (416) 326-3333
  • Web www.ipc.on.ca
  • E-mail commissioner_at_ipc.on.ca
About PowerShow.com