Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World

1
Building in Privacy from the Bottom up How to
Preserve Privacy in a Security-Centric World

• Ann Cavoukian, Ph.D.
• Information Privacy Commissioner/Ontario
• Carnegie Melon University Lecture
• Pittsburg, PA
• November 4, 2004

2
Impetus for Change

• Growth of Privacy as a Global Issue
• EU Directive on Data Protection
• Increasing amounts of personal data collected,
  consolidated, aggregated
• Consumer Backlash heightened consumer
  expectations

3
Importance of Consumer Trust

• In the post-9/11 world
• Consumers either as concerned or more concerned
  about online privacy
• Concerns focused on the business use of personal
  information, not new government surveillance
  powers
• If consumers have confidence in a companys
  privacy practices, consumers are more likely to
• Increase volume of business with
  company.... 91
• Increase frequency of business.... 90
• Stop doing business with company if PI
  misused83
• Harris/Westin Poll, Nov. 2001 Feb. 2002

4
How The Public Divides on Privacy
The Privacy Dynamic - Battle Dr. Alan
Westin for the minds of the pragmatists
5
Information Privacy Defined

• Information Privacy Data Protection
• Freedom of choice control informational
  self-determination
• Personal control over the collection, use and
  disclosure of any recorded information about an
  identifiable individual

6
What Privacy is Not

• Security ? Privacy

7
The Privacy/Security Relationship

• Privacy relates to personal control over ones
  personal information
• Security relates to organizational control over
  information
• These represent two overlapping, but distinct
  activities

8
Privacy and Security The Difference

• Authentication
• Data Integrity
• Confidentiality
• Non-repudiation
• Privacy Data Protection
• Fair Information Practices

• Security
• Organizational control of information
  through information systems

9
The Perils of Not Protecting Privacy

• Privacy disasters
• Intel Pentium III
• RealNetworks
• Microsoft HotMail
• Amazon/Alexa
• CD Universe
• Look Communications
• It was skin searing experience. We cant take
  another hit like that.
• MS Senior Executive

10
Technology Can Help

• The most effective means to counter technologys
  erosion of privacy is technology itself.
• Alan Greenspan, Federal Reserve Chairman
• A technology should reveal no more information
  than is necessaryit should be built to be the
  least revealing system possible.
• Dr. Lawrence Lessig, Harvard,
  September 1999

11
Privacy By Design Build It In

• Build in privacy up front, right in the design
  specifications
• Minimize the collection and routine use of
  personally identifiable information use
  aggregate or coded information if possible
• Wherever possible, encrypt personal information
• Think about anonymity and pseudonymity
• Assess the risks to privacy conduct a privacy
  impact assessment privacy audit

12
Privacy by DesignTechnology

• Architectures of Identification
• PKI confidentiality or surveillance
• Biometrics privacy or social control
• Business/government drivers for designing trust
  into systems and programs
• Wireless technology m-commerce
• convergence, convenience, control

13
Biometrics The Myth of Accuracy

• The problem with large databases containing
  thousands (or millions) of biometric templates
• False positives
• False negatives

14
Biometric Identification False Positive
Challenge

• Even if you have a 1 in 10,000 error rate per
  fingerprint, then a person being scanned against
  a million-record data set will be flagged as
  positive 100 times. And thats every person. A
  system like that would be useless because
  everyone would be a false positive.
• Bruce Schneier, quoted in Ann Cavoukians
  Submission to the Standing
• Committee on Citizenship and Immigration,
  November 4, 2003
• http//www.ipc.on.ca/docs/110403ac-e.pdf

15
Facial Recognition the Reality

• Test results less than stellar
• - Logan Airport pilot had a 50 error rate in
  real world conditions
• - U.S. State Department has stated that facial
  recognition has unacceptably high error rates
• - U of Ottawa tests this summer resulted in
  accuracy rates between 75 to more than 90
• - National Institute for Standards and
  Technology, under ideal lighting and controlled
  environment conditions reported 90 accuracy
• Superbowl facial recognition no longer considered
  useful by subsequent organizers
• Biometrics Benched for Super Bowl  By Randy
  Dotinga, Wired Magazine

16
STEPS The Context

• Terrorist attacks 9/11
• Government concerns over public safety
• U.S. Patriot and anti-terrorist legislation
• Polarized debate for Security/Privacy

17
Change the Paradigm

• Old Paradigm Zero Sum Game
• New Paradigm (win-win)
• Security Privacy Freedom
• Expand the discourse Privacy and Security are
  not polar opposites but essential components
• http//www.ipc.on.ca/docs/steps.pdf

18
The Challenge for Solution Developers

• Introduce privacy into the concept, design and
  implementation of technology solutions
• Promote existing STEPs
• 3-D Holographic Scanner respecting physical
  privacy while enhancing security
• Biometric encryption better security plus
  ironclad privacy

19
Fair Information PracticesA Brief History

• OECD Guidelines on the Protection of Privacy and
  Transborder Flows of Personal Data
• EU Directive on Data Protection
• CSA Model Code for the Protection of Personal
  Information
• Canada Personal Information Protection and
  Electronic Documents Act (PIPEDA)

20
Summary of Fair Information Practices

• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy

• Safeguards
• Openness
• Individual Access
• Challenging Compliance

21
Privacy Diagnostic Tool

• Simple, plain-language tool (paper and
  e-versions)
• Free self-administered
• CSA model code to examine an organizations
  privacy management practices
• www.ipc.on.ca/PDT

22
Privacy Enhancing Technologies

• What are PETs?
• Anonymisers, pseudonomisers, intermediaries
• Their Strengths
• tools to protect personal information
• Their Limitations
• usually individual responses to an existing
  architecture
• sometimes someone still has your personal
  information

23
PETTEP

• Privacy Enhancing Technologies Testing and
  Evaluation Project
• How does one determine whether a technology can
  deliver on its privacy promises?
• PETTEP is intended to test the claims of various
  technologies regarding their ability to perform
  in a privacy protective manner

24
PETTEP (contd)

• Modeled on the Common Criteria an international
  standard used to test the security components of
  technologies
• For privacy, Fair Information Practices (FIP)
  would form the basis of the testing
• The challenge is to translate FIPs into the
  functional requirements of the Common Criteria
  to find the design correlates of FIPs

25
PETTEP Status Update

• EDS has partnered with the IPC and PETTEP to
  develop an enhancement of the Privacy Chapter in
  the Common Criteria
• EDS is also committed to developing the necessary
  privacy profiles that will form the basis of
  testing and evaluating the privacy claims of
  various technologies
• PETTEP, the IPC and EDS plan to pilot several
  technologies/systems to refine the enhanced
  Privacy Chapter.

26
Final Thought

Anyone today who thinks the privacy issue has
peaked is greatly mistakenwe are in the early
stages of a sweeping change in attitudes that
will fuel political battles and put once-routine
business practices under the microscope. Forreste
r Research, March 5, 2001
27
How to Contact Us

• Commissioner Ann Cavoukian
• Information Privacy Commissioner/Ontario
• 2 Bloor Street East, Suite 1400
• Toronto, Ontario M4W 1A8
• Phone (416) 326-3333
• Web www.ipc.on.ca
• E-mail commissioner_at_ipc.on.ca