Ms Christine Page-Hanify Speaker Presentation


Published on

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Quickly address: for example, video surveillance cameras – how long before we can use search engines for queries like “all images of Charles Palmer and his child from last Saturday”. “be prepared for access” = ?
  • Control over information in attribute cert’s ? Is this the IDEMIX stuff?
  • Ms Christine Page-Hanify Speaker Presentation

    1. 1. Harriet Pearson V.P. Workforce and Chief Privacy Officer IBM Technology: Supporting a Culture of Privacy in Your Organisation
    2. 2. The Information Explosion Continues… <ul><li>Technology Trends </li></ul><ul><li>COMPUTING </li></ul><ul><li>Chips/$ 10x in 5 years </li></ul><ul><li>Computing power/$ 10x in 4 years </li></ul><ul><li>STORAGE </li></ul><ul><li>Storage/$ 10x in 6 years </li></ul><ul><li>COMMUNICATIONS </li></ul><ul><li>Backbone 100x in 5 years </li></ul><ul><li>Local loop 100x in next 5 years </li></ul>
    3. 3. Total Amount of Data Connected to The Internet <ul><li>2001 1 petabyte (10 15 bytes) </li></ul><ul><li>2006 1 exabyte (10 18 bytes) </li></ul><ul><li>2010 1 zettabyte (10 21 bytes) </li></ul><ul><li>The result of: </li></ul><ul><li>More people spending </li></ul><ul><li>More time using </li></ul><ul><li>More data-rich applications </li></ul><ul><li>More replication and caching of data </li></ul>
    4. 4. The Future Is Here…
    5. 5. The BIG Question <ul><li>How to balance individuals’ interest in privacy with the benefits of faster, easier, more insightful sharing of information? </li></ul><ul><li>A culture of privacy—supported by technology--is required! </li></ul>
    6. 6. Enterprise Privacy Management <ul><li>Enterprises want to meet privacy expectations – but need support </li></ul><ul><li>Privacy practices implementing the promises must be enforced & controlled </li></ul><ul><ul><li>from access control to privacy authorization </li></ul></ul><ul><ul><li>enforcement on enterprise data systems </li></ul></ul><ul><ul><li>reporting back to data subjects </li></ul></ul><ul><ul><li>audit by independent third parties </li></ul></ul><ul><li>Compatibility with laws, regulations, and public promises </li></ul><ul><ul><li>easy to understand and maintain by non-technical people </li></ul></ul><ul><ul><li>easy to derive new policies from existing ones (laws, corporate, sector, …) </li></ul></ul><ul><ul><li>well-defined relation to P3P and similar standards as they are developed </li></ul></ul>
    7. 7. Security and Privacy Research at IBM Austin Almaden Yorktown Zurich Beijing Tokyo Delhi Haifa
    8. 8. Security and Privacy Research at IBM <ul><li>DRM </li></ul><ul><li>Privacy </li></ul><ul><li>Secure Systems </li></ul><ul><li>Secure Software </li></ul><ul><li>Security HW </li></ul><ul><li>Ethical Hacking </li></ul><ul><li>Cryptography </li></ul><ul><li>Privacy </li></ul><ul><li>Wireless security </li></ul><ul><li>Biometrics </li></ul><ul><li>Cryptography </li></ul><ul><li>Privacy </li></ul><ul><li>Dependability </li></ul><ul><li>Intrusion Detection </li></ul><ul><li>Java Card / JCOP </li></ul><ul><li>XML Security </li></ul><ul><li>Privacy </li></ul><ul><li>Watermarking </li></ul><ul><li>Crypto HW </li></ul>Almaden Yorktown Zurich Tokyo
    9. 9. IBM Privacy Research Institute: What and How… <ul><li>Our mission </li></ul><ul><li>To develop new enterprise privacy technologies, services and products, and to drive privacy technology awareness to our customers, partners and the scientific community </li></ul><ul><li>How </li></ul><ul><li>More than 40 scientists at the 8 IBM Research labs </li></ul><ul><li>Close cooperation with teams in business units, e.g. IBM Tivoli and IBM Global Services </li></ul><ul><li>Marketplace realities and needs are at the fore of our thought and solutions </li></ul>
    10. 10. Some Examples : Privacy-Enhancing Applications and a Standard <ul><li>Statistical data mining ( Hippocratic Database ) </li></ul><ul><ul><li>Novel randomization tricks let enterprises make statistics w/o putting individual records at risk. </li></ul></ul><ul><li>Surveillance technologies ( PeopleVision ) </li></ul><ul><ul><li>Novel image processing technologies will hide all personally identifiable info, until needed (if ever) </li></ul></ul><ul><li>EPAL ( E nterprise P rivacy A uthorization L anguage ) </li></ul><ul><ul><li>Is the first XML based mark up language designed to enable organizations to translate their privacy policies into IT control statements and enforce policies </li></ul></ul>
    11. 11. EPAL Summary <ul><li>EPAL is designed to make it easier for enterprises to translate their privacy policies into machine-readable descriptions of data handling procedures </li></ul><ul><li>EPAL provides enterprises with a way to automate the enforcement of privacy policies across IT applications and systems </li></ul><ul><ul><li>enables organizations to enforce P3P policies behind the Web, among applications and databases </li></ul></ul><ul><li>EPAL ’s evolution has been influenced by feedback from diverse enterprises </li></ul><ul><ul><li>can be the core of a coherent privacy mgmt framework </li></ul></ul>
    12. 12. Privacy Policy Example <ul><li>Privacy Statement </li></ul><ul><ul><li>&quot; Email can be used for the book-of-the-month club if consent has been given and age is more than 13&quot; </li></ul></ul><ul><li>EPAL Rule </li></ul><ul><li>< ALLOW </li></ul><ul><li>user-category = &quot;borderless-books </li></ul><ul><li>data-category = &quot;email“ </li></ul><ul><li>purpose = &quot;book-of-the-month-club“ </li></ul><ul><li>operation = &quot;read“ </li></ul><ul><li>condition = &quot;/CustomerRecord/Consent/Book Club=True&& /CustomerRecord/age>13&quot; > </li></ul>User Category Operation Condition Purpose Obligation Data Category
    13. 13. EPAL vs. P3P P3P (Platform for Privacy Preferences) EPAL (Enterprise Privacy Authorization Language) Automated policy comparison capability does not exist Automated policy comparison P3P is designed for presenting policy to end users Is designed to describe to users data handling practices necessary to keep the promises made in public privacy notice Limited to opt-in/opt-out conditions Rich condition language (Boolean condition language) Hard-coded vocabulary: restricted Policy itself provides vocabulary: flexible B-to-C oriented Supports B-to-B and B-to-C
    14. 14. Government of Alberta – Privacy Architecture <ul><li>Requirement: a “Privacy/Technology Roadmap” to help apply the Government of Alberta Enterprise Architecture (GAEA) Privacy Principles and guide related technology decisions </li></ul><ul><li>Solution: a phased architecture with specific practical near-term guidance and a long range blueprint based on leading-edge thinking such as IBM’s EPA and EPAL </li></ul>
    15. 15. <ul><li>Phase 1 </li></ul><ul><li>Terminology – a common language for discussing privacy requirements, issues and solutions </li></ul><ul><li>Identification Keys - how will data subjects be uniquely identified? </li></ul><ul><li>Data Classification - how should personal information or its uses be classified? </li></ul><ul><li>Data Sharing, Re-Use and Placement – to what extent can personal information be shared between departments and where should it be stored? </li></ul><ul><li>Phase 2 </li></ul><ul><li>User Interface - what privacy related features are required and what should they look like? </li></ul><ul><li>Data Transformation - guidance for rendering data anonymous </li></ul><ul><li>Data Subject Access to Data – how should Data Subjects be provided with access to </li></ul><ul><li>their own data? </li></ul><ul><li>Software Acquisition Criteria – privacy criteria for both privacy-enhancing and general software </li></ul><ul><ul><li>Consent and Choice - rules for what consents and choices are to be offered </li></ul></ul><ul><ul><li>Access Control – expression of “need to know” in a privacy context </li></ul></ul><ul><li>Phase 3 </li></ul><ul><li>Use of Technology to Monitor Privacy Compliance - where should technology be used vs. processes and procedures </li></ul><ul><li>Use of Technology to Enforce Privacy Rules - where should technology be used vs. processes and procedures </li></ul>GoA Privacy Architecture Requirements
    16. 16. <ul><li>Phase 1: </li></ul><ul><li>Terminology  Privacy Glossary </li></ul><ul><li>Identification Keys  Identification Key Scheme/Privacy Protection Component </li></ul><ul><li>Data Classification  Privacy Taxonomy – P3P and EPAL based </li></ul><ul><li>Data Sharing, Re-Use and Placement  Data Band Placement Process </li></ul><ul><li>Phase 2: </li></ul><ul><li>Data Transformation  Privacy Transformation Techniques </li></ul><ul><li>Software Acquisition, User Interface, Consent and Choice  Privacy Design Guidance </li></ul><ul><li>Access Control  EPAL -based access rules </li></ul><ul><li>Data Subject Access  Process leveraging Privacy Taxonomy etc. </li></ul><ul><li>Phase 3: </li></ul><ul><li>Technology to Enforce/Monitor Privacy  EPA /ISTPA based component/services based conceptual model </li></ul>GoA Privacy Architecture Solutions
    17. 17. Concluding Thoughts <ul><li>Foundational work underway by various vendors and early-adopting leaders to refine privacy-enabling technologies and business processes </li></ul><ul><li>Pace of adoption: led by “early adopters,” needs support by all stakeholders; e.g. data protection commissioners, advocates, other leaders </li></ul>