Privacy by design

Originally presented at PRIMMA mobile privacy workshop, Imperial College London, 23 Sep 2010. Updated version given at Security and Privacy in Implantable Medical Devices workshop, EPFL, 1 April 2011, and a German Academy of Engineering conference in Berlin on 26 March 2012. Compact version given at Urban Prototyping conference, Imperial College London, 9 April 2013. Updated with ENISA privacy engineering report for 3rd Latin American Data Protection conference in Medellin, 28-29 May 2015.

    1. Privacy by Design
       Ian Brown, Prof. of Information Security and Privacy, Oxford Internet Institute, University of Oxford. @IanBrownOII
    2. Privacy by Design principles
       1. Proactive not Reactive; Preventative not Remedial
       2. Privacy as the Default Setting
       3. Privacy Embedded into Design
       4. Full Functionality: Positive-Sum, not Zero-Sum
       5. End-to-End Security — Full Lifecycle Protection
       6. Visibility and Transparency — Keep it Open
       7. Respect for User Privacy — Keep it User-Centric
       Cavoukian et al. (2010)
    3. 32nd International Conference of Data Protection and Privacy Commissioners (Jerusalem, 2010)
       1. Recognize Privacy by Design as an essential component of fundamental privacy protection;
       2. Encourage the adoption of Privacy by Design’s Foundational Principles… as guidance to establishing privacy as an organization’s default mode of operation;
       3. Invite Data Protection and Privacy Commissioners/Authorities to:
          a. promote Privacy by Design, as widely as possible through distribution of materials, education and personal advocacy;
          b. foster the incorporation of the Privacy by Design Foundational Principles in the formulation of privacy policy and legislation within their respective jurisdictions;
          c. proactively encourage research on Privacy by Design…
    4. General Data Protection Regulation (Commission proposal), Article 23: Data protection by design and by default
       1. …the controller… shall… implement appropriate and proportionate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject…
       2. The controller shall ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected, retained or disseminated beyond the minimum necessary for those purposes…
       COM(2012) 11 final
    5. European Parliament’s additions
       • Para. 1: … Data protection by design shall have particular regard to the entire lifecycle management of personal data from collection to processing to deletion, systematically focusing on comprehensive procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of personal data.
       • Para. 1a: In order to foster its widespread implementation in different economic sectors, data protection by design shall be a prerequisite for public procurement tenders
    6. Privacy system requirements
       • Purpose limitation (comprising both specification of the purpose and limiting use to that stated purpose)
       • Data minimisation
       • Data quality
       • Transparency (Openness, in OECD terms)
       • Data subject rights (consent, and the right to view, erase and rectify personal data)
       • The right to be forgotten
       • Adequate protection (Security Safeguards, in OECD terms)
       • Data portability
       • Data breach notifications
       • Accountability and (provable) compliance
       J.-H. Hoepman (2014)
    7. Privacy design strategies (strategy: design patterns)
       • Minimise: select before you collect; anonymisation; pseudonymisation
       • Hide (from all parties, or from third parties): encryption; onion routing; anonymous credentials; homomorphic encryption
       • Separate: distributed processing and storage where feasible; split database tables; secure multi-party computation; unlinkability
       • Aggregate: aggregation over time and geography; dynamic location granularity
       • Inform: transparency; data breach notifications; UI design
       • Control: informed consent; UI design
       • Enforce: access control; privacy rights management
       • Demonstrate: privacy rights management; logging
       J.-H. Hoepman (2014)
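The four data-oriented strategies above (Minimise, Hide, Separate, Aggregate) are easiest to see on one concrete pipeline. The following is an added example, not code from the talk or from Hoepman (2014): it takes a batch of raw location pings from a hypothetical mobile app, drops the fields a footfall statistic does not need, replaces identities with per-period keyed pseudonyms, and publishes hourly counts of distinct people per grid cell, widening the cell until at least k people fall in it (dynamic location granularity). The record layout, the k threshold, the grid levels, the key and the sample pings are all constructed for the illustration.

```python
"""Minimise, Hide, Separate and Aggregate applied to location pings.
Added illustration; everything here (fields, key, pings, thresholds) is constructed."""
import hashlib
import hmac
import math
from collections import defaultdict

K_ANON = 3                 # publish a cell only if at least this many distinct people were in it
LEVELS = (3, 2, 1, 0)      # decimal degrees kept: roughly 100 m, 1 km, 10 km, 100 km at the equator

# Constructed raw uploads: alice appears twice, and every record carries fields
# (device_id, battery) that a footfall statistic has no use for.
MASTER_KEY = b"constructed-demo-key; a real deployment rotates this and keeps it in an HSM"
RAW_PINGS = [
    {"user": "alice@example.org", "ts": 1426950000, "lat": 51.4988, "lon": -0.1749, "device_id": "A1", "battery": 71},
    {"user": "alice@example.org", "ts": 1426950900, "lat": 51.4988, "lon": -0.1749, "device_id": "A1", "battery": 70},
    {"user": "bob@example.org",   "ts": 1426950300, "lat": 51.4989, "lon": -0.1748, "device_id": "B2", "battery": 12},
    {"user": "carol@example.org", "ts": 1426951200, "lat": 51.4995, "lon": -0.1765, "device_id": "C3", "battery": 55},
    {"user": "dave@example.org",  "ts": 1426951800, "lat": 51.4996, "lon": -0.1766, "device_id": "D4", "battery": 90},
    {"user": "erin@example.org",  "ts": 1426950600, "lat": 6.2442,  "lon": -75.5812, "device_id": "E5", "battery": 33},
    {"user": "frank@example.org", "ts": 1426952400, "lat": 6.2443,  "lon": -75.5815, "device_id": "F6", "battery": 48},
    {"user": "grace@example.org", "ts": 1426953000, "lat": 6.2441,  "lon": -75.5811, "device_id": "G7", "battery": 67},
    {"user": "heidi@example.org", "ts": 1426953300, "lat": 52.5200, "lon": 13.4050,  "device_id": "H8", "battery": 21},
]


def minimise(ping):
    """Minimise: select before you collect. Keep only what the statistic needs."""
    return {k: ping[k] for k in ("user", "ts", "lat", "lon")}


def pseudonymise(user, period, master_key):
    """Hide + Separate: a keyed pseudonym under a per-period key, so the same person is
    unlinkable between periods. Whoever holds master_key can still re-identify, so this
    is pseudonymisation, not anonymisation."""
    period_key = hmac.new(master_key, str(period).encode(), hashlib.sha256).digest()
    return hmac.new(period_key, user.encode(), hashlib.sha256).hexdigest()[:16]


def cell(lat, lon, decimals):
    """Grid cell at the given precision (floor, so negative coordinates bucket consistently)."""
    scale = 10 ** decimals
    return (math.floor(lat * scale), math.floor(lon * scale))


def aggregate(raw_pings, master_key, k=K_ANON):
    """Aggregate: hourly counts of distinct people per cell, widening the cell (dynamic
    location granularity) until at least k people fall into it.
    Returns ({(hour, decimals, lat_cell, lon_cell): count}, people_suppressed)."""
    by_hour = defaultdict(list)
    for p in map(minimise, raw_pings):
        hour = p["ts"] // 3600
        by_hour[hour].append((pseudonymise(p["user"], hour // 24, master_key), p["lat"], p["lon"]))

    published, suppressed = {}, 0
    for hour, rows in by_hour.items():
        pending = rows
        for d in LEVELS:                                # finest grid first
            cells = defaultdict(list)
            for row in pending:
                cells[cell(row[1], row[2], d)].append(row)
            pending = []
            for c, members in cells.items():
                people = {m[0] for m in members}        # distinct pseudonyms, not pings
                if len(people) >= k:
                    published[(hour, d) + c] = len(people)
                else:
                    pending.extend(members)             # too few people: retry one level coarser
        suppressed += len({m[0] for m in pending})      # still below k at the coarsest level: drop
    return published, suppressed


if __name__ == "__main__":
    counts, dropped = aggregate(RAW_PINGS, MASTER_KEY)
    for key, n in sorted(counts.items()):
        print(key, n)
    print("people suppressed:", dropped)
```

On the constructed input, the three people near one point are published at the ~100 m level, the four spread over two neighbouring fine cells are merged and published at the ~1 km level, and the lone person is suppressed entirely. The k threshold protects a single release only: publishing the same population's counts every hour lets an observer difference successive releases, which is the fragility and non-composability of privacy properties the ENISA report lists among the limitations of these techniques.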
    8. “Spy bins” and smartphones
       Image: Renew London
    9. Transport pricing
       • Monitor all traffic centrally (London), at the kerbside (West London), or deduct payment from pay-as-you-go toll cards (Singapore)? An on-board unit (Balasch et al. 2010)? Or tax parking spaces?
       • Link all payment card usage (Oyster), or use unlinkable RFID tokens (Shenzhen)? MIT Technology Review (2006)
    10. Privacy-friendly smart meters
       • Personal data remains at the customer premises, under the customer’s direct control
       • The network broadcasts tariff data to meters, which control appliances
       • Heavily aggregated information is used for billing and price comparison
       Rial and Danezis (2011)
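The billing half of that architecture can be shown in working code. What follows is an added example, not code from Rial and Danezis (2011) or from any meter vendor: the meter keeps its readings at the premises and sends the provider only a Pedersen commitment per slot; the customer prices the readings locally against the broadcast tariff and opens only the aggregate; the provider checks the bill against the commitments homomorphically and never sees a single reading. It covers a linear tariff only; their protocol additionally has the meter sign each commitment and uses zero-knowledge proofs for non-linear tariffs, neither of which is implemented here. The group size, readings and tariff are constructed for the illustration.

```python
"""Smart-meter billing over Pedersen commitments (added illustration; constructed parameters)."""
import hashlib
import secrets

SMALL_PRIMES = [n for n in range(3, 200) if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n, rounds=8):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 4:
        return n > 1
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits):
    """p = 2q + 1 with p, q prime, so the quadratic residues mod p form a group of prime order q.
    256 bits keeps the example fast; real deployments use 2048-bit parameters or an elliptic curve."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if q % 3 == 2 and is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


class PedersenGroup:
    def __init__(self, p, q):
        self.p, self.q = p, q
        self.g = 4                      # 2^2 is a quadratic residue, hence of order q
        # h must be a residue whose discrete log base g nobody knows: hash a public
        # string into the group rather than picking an exponent.
        seed = int.from_bytes(hashlib.sha256(b"pedersen-h-nothing-up-my-sleeve").digest(), "big")
        self.h = pow(seed % p, 2, p)
        assert self.h not in (0, 1)

    def commit(self, value, r):
        """C = g^r * h^value mod p: hides value (r uniform in Z_q) and binds the committer to it."""
        return pow(self.g, r, self.p) * pow(self.h, value, self.p) % self.p


class Meter:
    """Runs at the customer premises; readings and openings never leave the box."""

    def __init__(self, group):
        self.group = group
        self.readings, self.openings = [], []

    def record(self, wh):
        """Store a reading locally and return the only thing sent upstream: its commitment."""
        r = secrets.randbelow(self.group.q)
        self.readings.append(wh)
        self.openings.append(r)
        return self.group.commit(wh, r)

    def bill(self, tariff):
        """Price the readings against the broadcast tariff and open just the aggregate."""
        total = sum(price * wh for price, wh in zip(tariff, self.readings))
        r_total = sum(price * r for price, r in zip(tariff, self.openings)) % self.group.q
        return total, r_total


def provider_verify(group, commitments, tariff, claimed_bill, r_total):
    """Homomorphic check: prod C_t^price_t == g^R * h^bill, with no reading revealed."""
    acc = 1
    for c, price in zip(commitments, tariff):
        acc = acc * pow(c, price, group.p) % group.p
    return acc == group.commit(claimed_bill, r_total)


def demo(bits=256):
    group = PedersenGroup(*gen_safe_prime(bits))
    meter = Meter(group)
    readings = [120, 95, 400, 1300, 310, 80]    # constructed half-hourly Wh readings
    tariff = [12, 12, 25, 25, 18, 12]           # constructed broadcast price per Wh for each slot
    commitments = [meter.record(wh) for wh in readings]   # all the provider stores per slot
    bill, r_total = meter.bill(tariff)
    honest = provider_verify(group, commitments, tariff, bill, r_total)
    understated = provider_verify(group, commitments, tariff, bill - 1000, r_total)
    return bill, honest, understated


if __name__ == "__main__":
    print(demo())   # (51620, True, False)
```

Each commitment is a uniformly random element of the order-q subgroup, so the per-slot values the provider stores reveal nothing about individual readings; the opening reveals the total bill and the aggregated randomness, nothing else. An understated bill fails the check because the commitments are binding. What this does not give you is a trustworthy meter: tamper-resistance and the meter's signature on the commitments are what stop a customer from committing to fictitious readings in the first place.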
    11. Location-Based Services
       • Can we use features of mobile phone networks to supply anonymous, targeted adverts?
       H. Haddadi, P. Hui, T. Henderson and I. Brown (2010) MobiAd: Private and Scalable Mobile Advertising, ACM International Workshop on Mobility in the Evolving Internet Architecture, Chicago
    12. Limitations
       • ENISA experts identify:
          • Fragility/non-composability of privacy properties
          • Privacy metrics and utility limitations
          • Increased complexity
          • Implementation obstacles
          • Unclear or too narrow interpretation
          • Utility in Internet of Things and Big Data systems
       • FTC staff IoT report: “flexible” minimisation: don’t collect data, or unneeded data, or sensitive data; de-identify; or seek consent
       • Article 29 Working Party “insists that the data minimisation principle plays an essential role” (Opinion 8/2014)
       • EDPS: data protection must cover “use and collection of data. A differentiation in this regard has never been made in EU data protection law and it has the potential to weaken the protection of fundamental rights.”
    13. References
       • J. Balasch, A. Rial, C. Troncoso, C. Geuens, B. Preneel and I. Verbauwhede (2010) PrETP: Privacy-Preserving Electronic Toll Pricing. USENIX Security Symposium, pp. 63-78.
       • ENISA (2014) Privacy and Data Protection by Design – from policy to engineering.
       • European Data Protection Supervisor (2015) Value of the EU Data Protection Reform against the Big Data challenges. 5th European Data Protection Days, Berlin.
       • Federal Trade Commission (2015) Internet of Things: Privacy & Security in a Connected World. FTC Staff Report, January 2015.
       • H. Haddadi, P. Hui, T. Henderson and I. Brown (2010) MobiAd: Private and Scalable Mobile Advertising. ACM International Workshop on Mobility in the Evolving Internet Architecture (MobiArch), Chicago.
       • J.-H. Hoepman (2014) Privacy Design Strategies (extended abstract). ICT Systems Security and Privacy Protection, 29th IFIP TC 11 International Conference (SEC 2014), Marrakech.
       • A. Rial and G. Danezis (2011) Privacy-Preserving Smart Metering. ACM Workshop on Privacy in the Electronic Society (WPES), Chicago.