Title: Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World
1. Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World
- Ann Cavoukian, Ph.D.
- Information and Privacy Commissioner/Ontario
- Carnegie Mellon University Lecture
- Pittsburgh, PA
- November 4, 2004
2. Impetus for Change
- Growth of Privacy as a Global Issue
- EU Directive on Data Protection
- Increasing amounts of personal data collected, consolidated, aggregated
- Consumer backlash: heightened consumer expectations
3. Importance of Consumer Trust
- In the post-9/11 world, consumers are either as concerned or more concerned about online privacy
- Concerns focused on the business use of personal information, not new government surveillance powers
- If consumers have confidence in a company's privacy practices, consumers are more likely to:
  - Increase volume of business with company: 91%
  - Increase frequency of business: 90%
  - Stop doing business with company if PI is misused: 83%
- Harris/Westin Poll, Nov. 2001 and Feb. 2002
4. How The Public Divides on Privacy
The Privacy Dynamic: the battle for the minds of the pragmatists (Dr. Alan Westin)
5. Information Privacy Defined
- Information Privacy = Data Protection
- Freedom of choice, control, informational self-determination
- Personal control over the collection, use and disclosure of any recorded information about an identifiable individual
6. What Privacy is Not
7. The Privacy/Security Relationship
- Privacy relates to personal control over one's personal information
- Security relates to organizational control over information
- These represent two overlapping, but distinct, activities
8. Privacy and Security: The Difference
- Authentication
- Data Integrity
- Confidentiality
- Non-repudiation
- Privacy = Data Protection
- Fair Information Practices
- Security = Organizational control of information through information systems
9. The Perils of Not Protecting Privacy
- Privacy disasters:
  - Intel Pentium III
  - RealNetworks
  - Microsoft HotMail
  - Amazon/Alexa
  - CD Universe
  - Look Communications
- "It was a skin-searing experience. We can't take another hit like that." (MS Senior Executive)
10. Technology Can Help
- "The most effective means to counter technology's erosion of privacy is technology itself." (Alan Greenspan, Federal Reserve Chairman)
- "A technology should reveal no more information than is necessary; it should be built to be the least revealing system possible." (Dr. Lawrence Lessig, Harvard, September 1999)
11. Privacy By Design: Build It In
- Build in privacy up front, right in the design specifications
- Minimize the collection and routine use of personally identifiable information; use aggregate or coded information if possible
- Wherever possible, encrypt personal information
- Think about anonymity and pseudonymity
- Assess the risks to privacy: conduct a privacy impact assessment / privacy audit
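The guidance on this slide (minimize, use coded or aggregate data, think about pseudonymity) is concrete enough to show in code. The block below is an added example written for this page, not code from the IPC or from the talk. It uses only the Python standard library; the sample records, the HMAC key handling and the choice of which fields to keep are assumptions made for illustration. It shows keyed pseudonymisation (HMAC-SHA256) plus field coarsening, and why an unkeyed hash of a low-entropy identifier such as a phone number is not a pseudonym at all: it is reversed by simple enumeration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records, as an application might hold them (not real people).
RAW_RECORDS = [
    {"name": "Alice Example", "phone": "4165550101", "postcode": "M4W 1A8", "age": 34, "visits": 3},
    {"name": "Bob Example",   "phone": "4165550199", "postcode": "M5V 2T6", "age": 51, "visits": 1},
    {"name": "Alice Example", "phone": "4165550101", "postcode": "M4W 1A8", "age": 34, "visits": 2},
]


def naive_pseudonym(identifier):
    """Unkeyed SHA-256 of the identifier: often mislabelled 'anonymised'."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier, key):
    """HMAC-SHA256 pseudonym. The same identifier always maps to the same token,
    so records about one person still link, but without the key nobody can
    recompute a token from a guessed identifier. The key must live outside the
    analytic data store (assumed here: separate storage, not shown)."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def age_band(age):
    """Coarsen an exact age into a ten-year band (aggregate rather than exact data)."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def minimise(record, key):
    """Keep only what the analytic purpose needs: a coded identifier, the
    forward sortation area of the postcode, an age band and the count.
    Name and full phone number are dropped entirely, not merely hashed."""
    return {
        "pid": keyed_pseudonym(record["phone"], key),
        "area": record["postcode"].split()[0],
        "age_band": age_band(record["age"]),
        "visits": record["visits"],
    }


def reverse_unkeyed_phone_hash(digest, area_code="416", exchange="555"):
    """Why the unkeyed hash fails: a phone number whose area code and exchange
    are known leaves only 10**4 candidates, so the 'anonymised' digest is
    recovered by brute force in a fraction of a second. Returns None if the
    digest is not of a number in that range."""
    for suffix in range(10_000):
        candidate = f"{area_code}{exchange}{suffix:04d}"
        if naive_pseudonym(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated per deployment, stored separately
    for row in (minimise(r, key) for r in RAW_RECORDS):
        print(row)
    leaked = naive_pseudonym(RAW_RECORDS[0]["phone"])
    print("unkeyed hash reversed to:", reverse_unkeyed_phone_hash(leaked))
```

Run as a script it prints the minimised rows (the two Alice rows share one `pid`, so per-person aggregation still works) and then recovers the full phone number from its plain SHA-256 digest. The same enumeration argument applies to any identifier with a small value space (dates of birth, account numbers, licence plates): hashing without a secret key is a coding step, not a privacy protection.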
12. Privacy by Design: Technology
- Architectures of Identification
- PKI: confidentiality or surveillance?
- Biometrics: privacy or social control?
- Business/government drivers for designing trust into systems and programs
- Wireless technology, m-commerce: convergence, convenience, control
13. Biometrics: The Myth of Accuracy
- The problem with large databases containing thousands (or millions) of biometric templates:
  - False positives
  - False negatives
14. Biometric Identification: False Positive Challenge
- "Even if you have a 1 in 10,000 error rate per fingerprint, then a person being scanned against a million-record data set will be flagged as positive 100 times. And that's every person. A system like that would be useless because everyone would be a false positive."
- Bruce Schneier, quoted in Ann Cavoukian's Submission to the Standing Committee on Citizenship and Immigration, November 4, 2003: http://www.ipc.on.ca/docs/110403ac-e.pdf
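Schneier's arithmetic generalises: in one-to-many identification every probe is compared with every stored template, so the rate that matters is not the per-comparison false-match rate but its product with the gallery size, and the same sensor that is fine for 1:1 verification becomes useless for 1:N search. The block below is an added example written for this page, not code from the slides or from the cited submission. It assumes independent comparisons, uses the quoted figures (1 in 10,000 per comparison, one million records), and takes a watch-list prevalence and a true-match rate as constructed inputs.

```python
def expected_false_matches(fmr, gallery_size):
    """Expected number of wrong hits for one probe: each of the N stored
    templates is compared, and each comparison falsely matches with
    probability fmr, so the expectation is fmr * N."""
    return fmr * gallery_size


def prob_at_least_one_false_match(fmr, gallery_size):
    """Probability that a probe who is NOT in the gallery is flagged anyway,
    assuming the N comparisons are independent: 1 - (1 - fmr)**N."""
    return 1.0 - (1.0 - fmr) ** gallery_size


def fmr_needed(gallery_size, max_false_alarm_prob):
    """Per-comparison FMR required so that an innocent probe is flagged with
    probability at most max_false_alarm_prob (inverse of the formula above)."""
    return 1.0 - (1.0 - max_false_alarm_prob) ** (1.0 / gallery_size)


def alert_precision(fmr, gallery_size, prevalence, true_match_rate):
    """Fraction of alerts that are real hits, for a screened population in
    which a fraction `prevalence` is actually on the watch list and the
    system recognises a fraction `true_match_rate` of those who are."""
    p_false = prob_at_least_one_false_match(fmr, gallery_size)
    true_alerts = prevalence * true_match_rate
    false_alerts = (1.0 - prevalence) * p_false
    return true_alerts / (true_alerts + false_alerts)


if __name__ == "__main__":
    fmr, n = 1e-4, 1_000_000                 # the figures quoted on the slide
    print(f"expected false matches per probe: {expected_false_matches(fmr, n):.0f}")
    print(f"P(innocent probe flagged):        {prob_at_least_one_false_match(fmr, n):.6f}")
    # Assumed screening scenario: 1 in 100,000 people screened is on the list,
    # and the system recognises 95% of those who are.
    print(f"fraction of alerts that are real: {alert_precision(fmr, n, 1e-5, 0.95):.2e}")
    print(f"FMR needed for <=1% false alarms: {fmr_needed(n, 0.01):.2e}")
    # The same per-comparison rate in 1:1 verification (N = 1) is perfectly usable.
    print(f"P(false accept, 1:1 verify):      {prob_at_least_one_false_match(fmr, 1):.1e}")
```

With the slide's numbers the script reports 100 expected false matches per probe, an essentially certain false alarm for every innocent person, and an alert stream in which well under one in ten thousand alerts is real; to hold the false-alarm probability to 1% against a million-record gallery the per-comparison FMR would have to be on the order of 1e-8, four orders of magnitude better than the quoted sensor. The independence assumption is optimistic in practice (similar-looking templates cluster), so real systems do no better than this estimate.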
15. Facial Recognition: the Reality
- Test results less than stellar:
  - Logan Airport pilot had a 50% error rate in real-world conditions
  - U.S. State Department has stated that facial recognition has unacceptably high error rates
  - U of Ottawa tests this summer resulted in accuracy rates between 75% to more than 90%
  - National Institute of Standards and Technology, under ideal lighting and controlled environment conditions, reported 90% accuracy
- Super Bowl facial recognition no longer considered useful by subsequent organizers ("Biometrics Benched for Super Bowl", by Randy Dotinga, Wired Magazine)
16. STEPs: The Context
- Terrorist attacks of 9/11
- Government concerns over public safety
- U.S. Patriot Act and anti-terrorist legislation
- Polarized Security/Privacy debate
17. Change the Paradigm
- Old Paradigm: Zero-Sum Game
- New Paradigm: win-win
- Security + Privacy = Freedom
- Expand the discourse: Privacy and Security are not polar opposites but essential components
- http://www.ipc.on.ca/docs/steps.pdf
18. The Challenge for Solution Developers
- Introduce privacy into the concept, design and implementation of technology solutions
- Promote existing STEPs:
  - 3-D Holographic Scanner: respecting physical privacy while enhancing security
  - Biometric encryption: better security plus ironclad privacy
19. Fair Information Practices: A Brief History
- OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
- EU Directive on Data Protection
- CSA Model Code for the Protection of Personal Information
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
20. Summary of Fair Information Practices
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
21. Privacy Diagnostic Tool
- Simple, plain-language tool (paper and e-versions)
- Free, self-administered
- Uses the CSA model code to examine an organization's privacy management practices
- www.ipc.on.ca/PDT
22. Privacy Enhancing Technologies
- What are PETs?
  - Anonymisers, pseudonymisers, intermediaries
- Their Strengths
  - Tools to protect personal information
- Their Limitations
  - Usually individual responses to an existing architecture
  - Sometimes someone still has your personal information
23. PETTEP
- Privacy Enhancing Technologies Testing and Evaluation Project
- How does one determine whether a technology can deliver on its privacy promises?
- PETTEP is intended to test the claims of various technologies regarding their ability to perform in a privacy-protective manner
24. PETTEP (cont'd)
- Modeled on the Common Criteria, an international standard used to test the security components of technologies
- For privacy, Fair Information Practices (FIPs) would form the basis of the testing
- The challenge is to translate FIPs into the functional requirements of the Common Criteria, i.e. to find the design correlates of FIPs
25. PETTEP Status Update
- EDS has partnered with the IPC and PETTEP to develop an enhancement of the Privacy Chapter in the Common Criteria
- EDS is also committed to developing the necessary privacy profiles that will form the basis of testing and evaluating the privacy claims of various technologies
- PETTEP, the IPC and EDS plan to pilot several technologies/systems to refine the enhanced Privacy Chapter
26. Final Thought
"Anyone today who thinks the privacy issue has peaked is greatly mistaken; we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope." (Forrester Research, March 5, 2001)
27. How to Contact Us
- Commissioner Ann Cavoukian
- Information and Privacy Commissioner/Ontario
- 2 Bloor Street East, Suite 1400
- Toronto, Ontario M4W 1A8
- Phone: (416) 326-3333
- Web: www.ipc.on.ca
- E-mail: commissioner@ipc.on.ca