Transcript of "Privacy-by-Design Cavoukian TTI March 2011"
Privacy By Design | Traffic Technology International, February/March 2011 | www.TrafficTechnologyToday.com

Private party

Bern Grush interviews Ontario's privacy commissioner, Dr Ann Cavoukian, who explains that protecting driver privacy while tolling is as important as – and has a lot in common with – protecting personal medical and smart grid data.

Illustration courtesy of Shutterstock

The engineering solution to traffic congestion is simple to describe but very complex to deploy. The keystone to its solution, congestion pricing, has evident technical and economic components, but its core and most difficult issues are social. Issues such as affordability, fairness and equitability are complex to argue as well as to solve. But the issue most commonly raised in protest against congestion pricing is privacy. And this is frequently expressed in the most personal of terms – for example, 'I don't want my spouse to know where I am.' I'm sure you'll agree that privacy is important for more reasons than this.

Privacy is a concern because congestion-pricing systems need some mechanism to be sure the right vehicle (or vehicle owner) will be billed the correct fee on behalf of the correct road operator. It doesn't matter which technology we propose to use, the privacy issue can always be raised. To make matters worse, all of the technologies used to collect payment for road use – even the collection of fuel taxes – can be viewed as having a privacy issue. The reason for this is that any payment that is made at a specific location – or because your vehicle was at a specific location – could entail revealing that you and/or your vehicle was at that location at a certain time. Hence, if you pay for fuel with a credit card, it is easy to infer that you were likely at a certain fueling station at a particular time.

At the other extreme, the road use payment collection technology most commonly feared – GNSS (GPS) – is arguably the most private, as we shall see, but it has to be managed properly to achieve that status.

From 2002 to 2010, I worked with an innovator of road use metering technology that used Global Navigation Satellite Systems (GNSS). Hence, I have been concerned with driver privacy for quite a while. During this time, I have come to appreciate the work of several privacy experts and privacy commissioners. Singular among these is Dr Ann Cavoukian, PhD, Ontario's privacy commissioner (see interview opposite).

More data for more purposes

We tend to approach complex problems such as healthcare, smart grids, and now traffic management by capturing, storing, mining, and analyzing more data, which may be kept longer to study yet more trends. Most data now has multiple purposes – and some of these purposes may be unanticipated when the data is collected. In many ways, it is the opportunity to piece together data from disparate sources – for good or harm – that creates more alarm than data coming from any single application. Whether for capability, precision or profit, data-heavy applications are increasingly interconnected, integrated, and pervasive. As they grow in span and power, one can only imagine the migraines this can cause for privacy commissioners.

If we collect and retain trip data from private vehicles for the agreed purpose – say, of assessing road use fees or pay-as-you-drive insurance premiums – this could create a fabulous source of data for secondary applications, such as traffic studies, congestion studies, navigation optimization, and for all sorts of marketing and planning purposes. Integrated with other data we could develop a phenomenal degree of valuable knowledge about an urban area, a city, or a group of people. At the same time, this data could obviously be directed to harmful purposes.

Seven design principles

It's encouraging for anyone concerned with privacy to know that there are tested guidelines such as Privacy by Design (see The Seven Foundational Principles of Privacy by Design sidebar) to preserve and enshrine privacy in the face of the ever-growing juggernaut of data capture and mining. Dr Cavoukian's work for the past couple of decades has not only sharpened and formalized that focus, but has even applied it specifically to road tolling. Her prescience foreshadowed the 2009 Sofia Memorandum (see sidebar) that is specifically designed for satellite-based road use charging. The seven principles of Privacy by Design incorporate privacy throughout the design and operation of technology, operational systems, work processes, management structures, and physical spaces. According to Cavoukian, they "explode the myth that privacy competes with other values in a zero-sum equation". That myth suggests, for example, that in order to realize fully the efficiencies of a system, such as a smart road use metering system, we must give up some privacy. "But this is a myth based on false dichotomies and a paradigm that posits our core values as being in conflict with one another. That simply is unnecessary."

Approaching the development of a satellite-based road tolling system with these seven principles in mind means we can realize all the benefits of a reinvigorated traffic management and road-funding system, while enabling drivers to enjoy full privacy for their private trips. Privacy can and must co-exist alongside functionality, operational efficiency, organizational control, security, and usability in a positive-sum – rather than zero-sum – equation. There are likely many important and necessary uses of trip information in the context of solving the congestion problem. Without diminishing the benefits of the available solutions, it is possible to design privacy directly into them by making it the default in all physical, administrative, and technological aspects of the system.

More privacy, not less

The two most common comments I hear regarding road-use charging and privacy are "over my dead body" and, in contradiction, "they already have your cell phone and credit card data". Neither is helpful or useful. There is no need to invade privacy to assess and collect a road use fee. And there is no need to taunt drivers by reminding them of existing and unrelated privacy risks. No-one wants more privacy exposure. The Sofia Memorandum makes road use charging more private than credit card purchase at a fueling station and far more private than current RFID/DSRC methods. Systems that can protect privacy to this degree already exist – i.e. systems designed using PbD and according to the Sofia Memorandum guidelines. If you advocate greater privacy than you have now, ensure that any proposals for road user charging include these safeguards, then buy an all electric vehicle, charge it at home, and stay away from fueling stations! ●

Photo caption: Cavoukian applied Privacy by Design principles to Ontario's 407 ETR in the 1990s.

Photo caption: An 'anonymous account' allows users to travel the 407 ETR and pay charges without having to reveal who they are – no personal identification is required.

Sidebar: The 7 Foundational Principles of Privacy by Design

1. Privacy by Design is proactive rather than reactive. Preventative rather than remedial, it anticipates and prevents privacy invasive events before they happen.
2. Privacy by Design operates as the default setting. It seeks to deliver the maximum degree of privacy by ensuring that personal data is automatically protected. As the default rules, no action is required on the part of the individual to protect their privacy.
3. Privacy by Design is embedded into the design and architecture of IT systems and business practices. Privacy becomes an essential component of core system functionality.
4. Privacy by Design seeks to accommodate full functionality – handling all legitimate interests and objectives in a positive-sum, 'win-win' manner, rather than a dated, zero-sum approach with unnecessary trade-offs.
5. Privacy by Design is embedded into a system prior to the first element of information being collected in order to provide end-to-end security and lifecycle protection.
6. Privacy by Design engages visibility and transparency to assure all stakeholders that the business practice or technology involved is operating according to the stated promises and objectives, and subject to independent verification. Its component parts and operations remain visible and transparent.
7. Privacy by Design requires architects and operators to keep user-centricity and respect for user privacy uppermost, by offering measures such as strong privacy defaults, appropriate notice, and empowering user-friendly options.

Distilled from http://www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf

Sidebar: The Sofia Memorandum

The International Working Group on Data Protection in Telecommunications has been active since 1983. Founded in the framework of the International Conference of Data Protection and Privacy Commissioners, it formulates recommendations to improve the protection of privacy in telecommunications. The Sofia Memorandum – issued at the 45th meeting of the WG in March 2009 – directs its guidance toward road pricing.

Four recommendations were made by the WG that were designed to protect the privacy of drivers and vehicle owners:

1. The anonymity of the driver can and should be preserved by using the so-called smart client or anonymous proxy approaches that keep drivers' personal data under their sole control and do not require off-board location record-keeping.
2. Road pricing systems can and should be designed so that the detailed trip data is fully and permanently deleted from the system after the charges have been settled, in order to prevent the creation of movement profiles or the potential for function-creep.
3. Processing of personal data for other purposes (e.g. pay-as-you-drive insurance or behavioral-based marketing) should only be possible with clear and unambiguous consent from the individual.
4. In terms of enforcement, the system should not ascertain the identity of the driver nor owner of a vehicle unless there is evidence that the driver has committed something that is defined as a violation of the road pricing system.

The above recommendations have been distilled from www.datenschutz-berlin.de/attachments/647/WP_Road_Pricing_Final_675.38.12.pdf

Private disclosure

Ontario's information and privacy commissioner, Dr Ann Cavoukian, explains the Privacy by Design concept and how it applies to electronic road tolling.

Dr Cavoukian, I understand that you have been thinking about privacy and road use since 1994, triggered by the first use of automated toll collection in Ontario. What were the original reasons your office looked at the issue?

AC: When we first learned the 407 ETR would be using electronic technology to collect data on highway users for the purposes of automatic billing, we proactively contacted the Ontario Transportation Capital Corporation (OTCC) as a result of the privacy issues involved – ranging from tracking to secondary uses of information. Intelligent transportation systems have the capability of being privacy invasive, but with privacy built in, these systems can be transformed into privacy-enhancing ones. My office worked extensively with the OTCC to ensure that privacy was considered throughout all phases of the development and implementation of this project. For example, together, we were able to ensure that the public had the option to travel the 407 ETR anonymously. This included making an initial payment into an anonymous account from which toll charges would be deducted automatically, with no invoice or bill sent to your home.

How hard was it to align the 407 ETR with your privacy principles?

AC: Not very. The OTCC was already considering privacy issues when we contacted them. They were receptive to building in full privacy protection from the outset. With the help of my office, they were able to meet the Seven Foundational Principles of a concept I developed called 'Privacy by Design'. This included taking a proactive approach, embedding privacy protections directly into the design of the system and, above all, exhibiting respect for user privacy.

Can you say more about Privacy by Design? What is its most important feature?

AC: Privacy by Design (PbD) advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must become an organization's default mode of operation. Initially, I advanced the deployment of Privacy-Enhancing Technologies (PETs) as the solution. Today, I believe a more substantial approach is required – extending the use of PETs to PETs Plus – taking a positive-sum (full functionality) approach, not just a zero-sum trade-off. This encompasses three things: IT systems, accountable business practices, and physical design and networked infrastructure. The most important Principles of PbD are its proactive, positive-sum nature and respect for user privacy. PbD is not intended as a conceptual abstraction. I developed it to ensure real and positive changes in our everyday lives.

How would PbD influence the use of navigation satellites for road tolling?

AC: PbD is all about building privacy in from the outset. In that sense, it is technology-neutral. Whatever system is involved – including navigation satellites for road tolling – PbD requires that you build it from the ground up, with privacy as the default setting. Data minimization is key. The Sofia Memorandum already requires that the anonymity of drivers be preserved. If the service can be provided anonymously, then it should be. Indeed, eliminating the collection of personally identifiable information also eliminates the subsequent duty of care that extends to the collection and retention of personally identifiable information. Where no personal information exists, the privacy concern disappears. If a system cannot function without personal information, then such information should not be kept for longer than is necessary for the purposes collected. Of course, no secondary uses should be permitted without consent. These are the fundamentals, and here PbD and the Sofia Memorandum are very closely aligned.

So you're saying that these provisions must be accounted for in technology architecture and program design from the beginning in order to get it right?

AC: Absolutely, otherwise you risk what my colleague, Professor Kai Rannenberg, calls 'Privacy by Disaster'. It's not enough to fix the problem after thousands of users have already been exposed to a privacy breach. That's why the first principle of PbD is to be 'proactive, not reactive'. PbD anticipates and prevents privacy-invasive events, before they happen. It does not wait for privacy risks to materialize, nor does it seek to offer remedies for resolving privacy infractions once they have occurred – it aims to prevent them from occurring. I believe it is critical to be proactive and constantly address privacy issues through a prolific yet targeted campaign such as PbD. Unless the public, government and businesses are well informed on what the issues are – and the concerns associated with privacy – the issues may only surface after the fact, as privacy complaints, which in my view is too little, too late.

Many people are talking about using road-use data for improving the transportation network, for planning expansions and transit, and for improving real-time navigation. If trip data must remain under user control, as the Sofia Memorandum insists, what does that imply for those programs?

AC: Whether we are talking about new systems, technologies, or business practices, the key from a privacy perspective is embedding privacy right from the outset as a core functionality of the system requirements. In the kinds of examples that you mentioned, thinking through the privacy issues in the design stage would make it clear that most of these applications don't actually require personally identifiable data. Aggregated or anonymized data would provide most of what is needed. Indeed, building privacy in as a design requirement can be eye-opening. Designers often assume that personal information is necessary, when it is not. But where personally identifying information really is necessary, then you need to have clearly identified purposes for collecting the data, and transparent rules about how it will be used, disclosed, and later destroyed.
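The Sofia Memorandum's "smart client" recommendation and the 407 ETR anonymous prepaid account describe an architecture rather than a product, so the following is an added illustration (not code from the article, the 407 ETR, or the Working Group) of how the two fit together: the on-board unit prices the trip itself from its own GNSS fixes and a local tariff, the only message sent to the operator carries an opaque account token and an amount, the operator keeps a prepaid ledger with no names or plates, and the detailed trip log is deleted once the charge is settled. The tariff zones, rates, fixes and tokens are all constructed for the example; the `naive_upload_message` function shows, for contrast, the data a back-office design that uploads raw fixes would receive.

```python
"""Smart-client road pricing: a constructed illustration of Sofia Memorandum
recommendations 1 and 2 (fee computed on board, trip data deleted once settled)
combined with a 407 ETR-style anonymous prepaid account.  Zones, rates, GNSS
fixes and account tokens are all made up for this example."""
import math
import secrets
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Zone:
    """A rectangular tariff zone (constructed); the first matching zone wins."""
    name: str
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float
    cents_per_km: int

    def contains(self, lat: float, lon: float) -> bool:
        return self.lat_min <= lat < self.lat_max and self.lon_min <= lon < self.lon_max


# Constructed tariff: a pricier core listed before the cheaper ring around it.
TARIFF = [
    Zone("core", 43.64, 43.68, -79.42, -79.36, 25),
    Zone("suburb", 43.60, 43.80, -79.60, -79.20, 5),
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) fixes in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


class SmartClient:
    """On-board unit: keeps the trip log locally and reports only a fee."""

    def __init__(self, tariff):
        self.tariff = tariff
        self.trip_log = []            # (lat, lon) fixes; never transmitted
        # Opaque token of a prepaid account opened without any identity.
        self.account_token = secrets.token_hex(8)

    def record_fix(self, lat, lon):
        self.trip_log.append((lat, lon))

    def compute_fee_cents(self):
        """Price each segment by the zone its end point falls in."""
        fee = 0.0
        for start, end in zip(self.trip_log, self.trip_log[1:]):
            zone = next((z for z in self.tariff if z.contains(*end)), None)
            if zone is not None:
                fee += haversine_km(start, end) * zone.cents_per_km
        return round(fee)

    def settlement_message(self, period):
        """The only data that leaves the vehicle: token, period, amount."""
        return {"account": self.account_token, "period": period,
                "amount_cents": self.compute_fee_cents()}

    def purge_after_settlement(self):
        """Recommendation 2: detailed trip data is deleted once settled."""
        self.trip_log.clear()


class Operator:
    """Road operator: prepaid balances keyed by opaque token, nothing else."""

    def __init__(self):
        self.balances = {}            # token -> cents; no name, plate or address
        self.received = []            # every message the operator ever sees

    def open_anonymous_account(self, token, prepaid_cents):
        self.balances[token] = prepaid_cents

    def settle(self, msg):
        """Deduct the reported amount; returns the remaining balance."""
        self.received.append(msg)
        token, amount = msg["account"], msg["amount_cents"]
        if token not in self.balances:
            raise KeyError("unknown account token")
        if self.balances[token] < amount:
            raise ValueError("insufficient prepaid balance")
        self.balances[token] -= amount
        return self.balances[token]


def naive_upload_message(plate, trip_log):
    """The design to avoid: raw fixes tied to a plate, sent to the back office."""
    return {"plate": plate, "fixes": list(trip_log)}


def run_demo():
    """One constructed trip settled against an anonymous prepaid account."""
    obu, operator = SmartClient(TARIFF), Operator()
    operator.open_anonymous_account(obu.account_token, prepaid_cents=2000)
    for lat in (43.62, 43.63, 43.65, 43.67, 43.69):   # constructed GNSS fixes
        obu.record_fix(lat, -79.40)
    msg = obu.settlement_message("2011-03")
    balance = operator.settle(msg)
    obu.purge_after_settlement()
    return {"fee_cents": msg["amount_cents"], "balance_after": balance,
            "fixes_retained": len(obu.trip_log),
            "operator_fields": sorted(operator.received[0])}


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the operator ending up with nothing but `account`, `amount_cents` and `period`, and the vehicle holding zero fixes after settlement, whereas the naive message carries a plate and the full route. Recommendation 4 (identifying a vehicle only on evidence of a violation) is left out of the example; it would sit on the operator side as a separate, evidence-gated path rather than in the routine settlement flow.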