2008 12 08 2008 Privacy



A general talk on privacy in early 2009, with quite a few slides summarizing the US National Research Council's report "Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment", which was issued in late 2008.

Published in: Technology, News & Politics

Slide 1: Privacy
- Lance J. Hoffman
- Distinguished Research Professor, Computer Science Department
- The George Washington University
- Washington, DC
- [email_address]
Slide 2: References (others on the cited websites and other sources)
- Prof. Lorrie Cranor, CMU
- Robert Belair, Esq., Oldaker, Biden & Belair, Privacy Consulting Group
- Kenneth Mortensen and Rebecca Richards, DHS Privacy Office
- Ann Cavoukian, Information & Privacy Commissioner of Ontario
- Peter J. Reid, EDS Chief Privacy Officer
- Alan F. Westin, Columbia University and Privacy Consulting Group
- Robert Ellis Smith. 2000. Ben Franklin's Web Site: Privacy and Curiosity from Plymouth Rock to the Internet. Providence: Privacy Journal.
- Alan Westin. 1967. Privacy and Freedom. New York: Atheneum.
Slide 3: How Likely Are New Federal Privacy Laws?
- Expectations of the new Congress
  - Democrats expecting to pick up 10 to 15 House seats, 5 to 10 Senate seats
  - Presidential race closing but looks like Obama (Oct 16) [lots can happen in 3 weeks]
  - With larger Democratic majorities and pent-up demand for privacy legislation, there is an expectation of heightened activity
  - But all of the obstacles to enactment of privacy legislation will remain in place
- Obstacles to enactment of privacy legislation
  - Jurisdictional complications
  - Relatively attractive alternatives
    - State legislation
    - State and federal regulatory action
    - Litigation
    - External pressure: advocacy groups, media, international pressure
    - Self-regulatory codes
- Privacy topics likely to attract legislative activity
  - Health care reform legislation will require privacy action on electronic health records and, perhaps, HIPAA reform
  - Immigration reform will raise significant ID authentication and related privacy issues
  - Numerous types of financial privacy issues are likely to receive legislative attention
  - The use and availability of intelligence and surveillance-type reports are likely to receive legislative attention
  - Online privacy, behavioral profiling and social networking
  - Public record data
  - Personal tracking data; video surveillance; GPS; and black boxes
Slide 4: Alan Westin's four states of privacy
- Solitude
  - the individual is separated from the group and freed from the observation of other persons
- Intimacy
  - the individual is part of a small unit
- Anonymity
  - the individual is in public but still seeks and finds freedom from identification and surveillance
- Reserve
  - the creation of a psychological barrier against unwanted intrusion: holding back communication
Slide 5: Privacy Considerations in the New Information World
"About 2004, the Information World Began to Change – in Ten Dimensions" (Alan F. Westin)
- The all-pervasive Internet 2.0
- "Identity crisis" and data breaches
- Social networking and video posting
- The Blogosphere
- Behavioral target marketing
- The mobile revolution
- Anti-terrorist surveillance
- Monitoring and photographing public spaces
- Electronic patient health records
- In the U.S., a growing culture rejecting privacy constraints
Slide 7: (quotations from Daniel Solove)
- "THE TERM 'PRIVACY' CAN BE USEFUL AS A SHORTHAND TO REFER TO A RELATED CLUSTER OF PROBLEMS, BUT BEYOND THIS USE, THE TERM ADDS LITTLE."
- "A THEORY OF PRIVACY MUST PROVIDE GUIDANCE AS TO PRIVACY'S VALUE. … PRIVACY … DOES NOT HAVE A UNIFORM VALUE. ITS VALUE MUST BE WORKED OUT AS WE BALANCE IT AGAINST OPPOSING INTERESTS."
- "PRIVACY HAS A SOCIAL VALUE AND … ITS IMPORTANCE EMERGES FROM THE BENEFITS IT CONFERS UPON SOCIETY. THE VALUE OF AMELIORATING PRIVACY PROBLEMS LIES IN THE ACTIVITIES THAT PRIVACY PROTECTIONS ENABLE."
  - all from Understanding Privacy, Harvard U. Press, 2008
A more complex view of privacy makes it even more difficult to regulate (or program for); Solove says privacy has no core characteristics and advocates a problem-solving approach.
Slide 8: Federal and state laws and regulations (Warning: IANAL)
- Constitutional law governs the rights of individuals with respect to the government
- Tort law governs disputes between private individuals or other private entities
- Federal statutes
  - Tend to be narrowly focused or sector-specific
- State law
  - State constitutions may recognize an explicit right to privacy (California, Georgia, Hawaii)
  - 44 U.S. states now have identity theft notification laws
  - New data breach and encryption laws (Massachusetts requires encrypting sensitive data on laptops and other portable devices (phones?), effective January 2009)
  - Many states have, or are considering, laws restricting use of SSNs
- Local laws and regulations
  - Some counties are redacting SSNs in online real estate documents, etc.
Slide 9: Privacy laws vary around the world
- US has mostly sector-specific laws, with relatively minimal protections; often referred to as a "patchwork quilt"
  - Fair Credit Reporting Act
  - Privacy Act
  - Freedom of Information Act
  - Family Educational Rights and Privacy Act
  - Right to Financial Privacy Act
  - Cable Communications Privacy Act
  - Electronic Communications Privacy Act
  - Video Privacy Protection Act
  - FCC TCPA & CPNI Rules
  - Driver's Privacy Protection Act
  - Telecommunications Act
  - Children's Online Privacy Protection Act
  - Wireless Communications and Public Safety Act
  - Gramm Leach Bliley Act
  - Health Insurance Portability & Accountability Act
  - FTC Do Not Call Registry & Telemarketing Rules
  - CAN-SPAM Act
  - Fair & Accurate Credit Transactions Act (FACTA)
- Some legislation passed in the current session of Congress
  - May 2008: The Genetic Information Nondiscrimination Act of 2008
  - July 2008: Foreign Intelligence Surveillance Amendments Act of 2008
U.S. Privacy Laws Place Few If Any Restrictions on Trans-Border Data Flow
Slide 10: Privacy laws vary around the world
- The European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws that recognize privacy as a fundamental human right
  - Privacy commissions in each country (some countries have national and state commissions)
  - Many European companies are non-compliant with privacy laws (a 2002 study found the majority of UK web sites non-compliant)
- Safe harbor: US companies self-certify adherence to requirements; the EU reserves the right to renegotiate if remedies for EU citizens prove to be inadequate
Most International Privacy Laws Place Restrictions on Trans-Border Data Flow
Slide 11: COMMON ELEMENTS IN PRIVACY FRAMEWORKS
Sources:
- http://usacm.acm.org/usacm/Issues/Privacy.htm
- http://www.ftc.gov/reports/privacy3/
- http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html
- http://aspe.hhs.gov/DATACNCL/1973privacy/tocprefacemembers.htm
Frameworks compared: USACM Policy Recommendations on Privacy (2006); US FTC Simplified Principles (1998); OECD 1980; US Fair Information Practices (HEW 1973)
Corresponding elements, one line per row of the slide's table (USACM element first, then the matching elements in the other frameworks):
- Accountability (4 recommendations) | Recourse and Remedies | Enforcement, Accountability, Recourse | Accountability and Auditing
- Security (2 recommendations) | Data Security | Security, Information Quality, and Integrity | Data Quality and Integrity | Security
- Access (3 recommendations), Accuracy (4 recommendations) | Data Quality and Access | Individual Participation and Access | Individual Participation
- Minimization (5 recommendations), Consent (2 recommendations) | Choice and Consent | Choice and Consent | Minimization | Use Limitation
- Openness (6 recommendations) | Notice and Disclosure | Notice and Awareness | Transparency | Purpose Specification
Slide 12: Privacy policies and related issues
- Policies let consumers know about a site's privacy practices
- Consumers can then decide whether or not practices are acceptable, when to opt in or opt out, and who to do business with
- The presence of privacy policies increases consumer trust
- Policies are often difficult to understand, hard to find, take a long time to read, and change without notice
Slide 13: Facebook's Privacy Policy
- … when printed out is nine pages (3,753 words) long
- Will someone please tell me what its third-party privacy policy (1,212 words below) means?

Sharing Your Information with Third Parties

Facebook is about sharing information with others — friends and people in your networks — while providing you with privacy settings that restrict other users from accessing your information. We allow you to choose the information you provide to friends and networks through Facebook. Our network architecture and your privacy settings allow you to make informed choices about who has access to your information. We do not provide contact information to third party marketers without your permission. We share your information with third parties only in limited circumstances where we believe such sharing is 1) reasonably necessary to offer the service, 2) legally required or, 3) permitted by you. For example: Your News Feed and Mini-Feed may aggregate the information you provide and make it available to your friends and network members according to your privacy settings. You may set your preferences for your News Feed and Mini-Feed on your Privacy page. Unlike most sites on the Web, Facebook limits access to site information by third party search engine "crawlers" (e.g. Google, Yahoo, MSN, Ask). Facebook takes action to block access by these engines to personal information beyond your name, profile picture, and limited aggregated data about your profile (e.g. number of wall postings). We may provide information to service providers to help us bring you the services we offer.

Specifically, we may use third parties to facilitate our business, such as to host the service at a co-location facility for servers, to send out email updates about Facebook, to remove repetitive information from our user lists, to process payments for products or services, to offer an online job application process, or to provide search results or links (including sponsored links). In connection with these offerings and business operations, our service providers may have access to your personal information for use for a limited time in connection with these business activities. Where we utilize third parties for the processing of any personal information, we implement reasonable contractual and technical protections limiting the use of that information to the Facebook-specified purposes. If you, your friends, or members of your network use any third-party applications developed using the Facebook Platform ("Platform Applications"), those Platform Applications may access and share certain information about you with others in accordance with your privacy settings. You may opt-out of any sharing of certain or all information through Platform Applications on the Privacy Settings page. In addition, third party developers who have created and operate Platform Applications ("Platform Developers"), may also have access to your personal information (excluding your contact information) if you permit Platform Applications to access your data. Before allowing any Platform Developer to make any Platform Application available to you, Facebook requires the Platform Developer to enter into an agreement which, among other things, requires them to respect your privacy settings and strictly limits their collection, use, and storage of your information.

However, while we have undertaken contractual and technical steps to restrict possible misuse of such information by such Platform Developers, we of course cannot and do not guarantee that all Platform Developers will abide by such agreements. Please note that Facebook does not screen or approve Platform Developers and cannot control how such Platform Developers use any personal information that they may obtain in connection with Platform Applications. In addition, Platform Developers may require you to sign up to their own terms of service, privacy policies or other policies, which may give them additional rights or impose additional obligations on you, so please make sure to review these terms and policies carefully before using any Platform Application. You can report any suspected misuse of information through the Facebook Platform and we will investigate any such claim and take appropriate action against the Platform Developer up to and including terminating their participation in the Facebook Platform and/or other formal legal action. We occasionally provide demonstration accounts that allow non-users a glimpse into the Facebook world. Such accounts have only limited capabilities (e.g., messaging is disabled) and passwords are changed regularly to limit possible misuse. We may be required to disclose user information pursuant to lawful requests, such as subpoenas or court orders, or in compliance with applicable laws. We do not reveal information until we have a good faith belief that an information request by law enforcement or private litigants meets applicable legal standards. Additionally, we may share account or other information when we believe it is necessary to comply with law, to protect our interests or property, to prevent fraud or other illegal activity perpetrated through the Facebook service or using the Facebook name, or to prevent imminent bodily harm.

This may include sharing information with other companies, lawyers, agents or government agencies. We let you choose to share information with marketers or electronic commerce providers through sponsored groups or other on-site offers. We may offer stores or provide services jointly with other companies on Facebook. You can tell when another company is involved in any store or service provided on Facebook, and we may share customer information with that company in connection with your use of that store or service. Facebook Beacon is a means of sharing actions you have taken on third party sites, such as when you make a purchase or post a review, with your friends on Facebook. In order to provide you as a Facebook user with clear disclosure of the activity information being collected on third party sites and potentially shared with your friends on Facebook, we collect certain information from that site and present it to you after you have completed an action on that site. You have the choice to have Facebook discard that information, or to share it with your friends. To learn more about the operation of the service, we encourage you to read the tutorial here. To opt out of the service altogether, click here. Like many other websites that interact with third party sites, we may receive some information even if you are logged out from Facebook, or that pertains to non-Facebook users, from those sites in conjunction with the technical operation of the system. In cases where Facebook receives information on users that are not logged in, or on non-Facebook users, we do not attempt to associate it with individual Facebook accounts and will discard it. If the ownership of all or substantially all of the Facebook business, or individual business units owned by Facebook, Inc., were to change, your user information may be transferred to the new owner so the service can continue operations.

In any such transfer of information, your user information would remain subject to the promises made in any pre-existing Privacy Policy. When you use Facebook, certain information you post or share with third parties (e.g., a friend or someone in your network), such as personal information, comments, messages, photos, videos, Marketplace listings or other information, may be shared with other users in accordance with the privacy settings you select. All such sharing of information is done at your own risk. Please keep in mind that if you disclose personal information in your profile or when posting comments, messages, photos, videos, Marketplace listings or other items, this information may become publicly available.

Privacy policies typically require college-level reading skills to understand.
Privacy policies often include legalese and obfuscated language.
Slide 14: "Short privacy notices" (Hunton & Williams)
- Reduce the privacy policy to at most seven boxes in a standard format
- Privacy advocates prefer check boxes
- Idea adopted at the 2003 International Conference of Data Protection & Privacy Commissioners
- USG agencies interested for financial privacy notices

Acme Company Privacy Notice Highlights (Dated: May 28, 2002)
SCOPE: This statement applies to Acme Company and several members of the Acme family of companies.
PERSONAL INFORMATION: We collect information directly from you and maintain information on your activity with us, including your visits to our website. We obtain information, such as your credit report and demographic and lifestyle information, from other information providers.
USES: We use information about you to manage your account and offer you other products and services we think may interest you. We share information about you with our sister companies to offer you products and services. We share information about you with other companies, like insurance companies, to offer you a wider array of jointly-offered products and services. We share information about you with other companies so they can offer you their products and services.
YOUR CHOICES: You may opt out of receiving promotional information from us and our sharing your contact information with other companies. To exercise your choices, call (800) 123-1234 or click on "choice" at ACME.com.
IMPORTANT INFORMATION: You may request information on your billing and payment activities.
HOW TO REACH US: For more information about our privacy policy, write to: Consumer Department, Acme Company, 11 Main Street, Anywhere, NY 10100. Or go to the privacy statement on our website at acme.com.
Slide 15: Checkbox proposal
WE SHARE [DO NOT SHARE] PERSONAL INFORMATION WITH OTHER WEBSITES OR COMPANIES.
Collection (YES / NO):
- We collect personal information directly from you
- We collect information about you from other sources
- We use cookies on our website
- We use web bugs or other invisible collection methods
- We install monitoring programs on your computer
Uses: We use information about you to (With Your Consent / Without Your Consent):
- Send you advertising mail
- Send you electronic mail
- Call you on the telephone
Sharing: We allow others to use your information to (With Your Consent / Without Your Consent):
- Maintain shared databases about you
- Send you advertising mail
- Send you electronic mail
- Call you on the telephone (N/A / N/A)
Access: You can see and correct {ALL, SOME, NONE} of the information we have about you.
Choices: You can opt out of receiving from (Us / Affiliates / Third Parties):
- Advertising mail
- Electronic mail
- Telemarketing (N/A)
Retention: We keep your personal data for: {Six Months, Three Years, Forever}
Change: We can change our data use policy {AT ANY TIME, WITH NOTICE TO YOU, ONLY FOR DATA COLLECTED IN THE FUTURE}
Source: Robert Gellman, July 3, 2003
Slide 16: Towards a privacy "nutrition label"
- Standardized format
  - People learn where to look for answers to their questions
  - Facilitates side-by-side policy comparisons
- Standardized language
  - People learn what the terminology means
- Brief
  - People can get their questions answered quickly
- Linked to extended view
  - People can drill down and get more details if needed
Slide 17: Managing Identity in the Future
Much more professional networking
Slide 18: Managing Identity in the Future
Much more social networking (too much?)
Used without asking permission of (that) Lance Hoffman or his friends

Hackers' Latest Target: Social Networking Sites
By Brian Krebs, Washingtonpost.com Staff Writer
Saturday, August 9, 2008; D01

LAS VEGAS -- Social networking sites such as Facebook, MySpace and LinkedIn are fast emerging as some of the most fertile grounds for malicious software, identity thieves and online mischief-makers. And while some of the talks given here at Black Hat, one of the larger hacker conferences in the country, would probably make most people want to avoid the sites altogether, it turns out that staying off these networks may not be the safest option, either. …

Paradoxically, there may be a danger in remaining a social networking site Luddite. After all, if you don't claim a space on these networks, someone else may do it for you as a way of scamming or attacking your friends and business contacts. With the permission and good humor of security pioneer Marcus Ranum, Hamiel and Moyer created a LinkedIn profile on Ranum's behalf, including a photo of him and bits from his résumé to make the profile look legit. In less than 24 hours, more than 50 people had joined his LinkedIn network. Among those taken in by the stunt was Ranum's sister.
Slide 19: Building a System that Manages Identity
Landau, Susan and Deirdre Mulligan. "I'm Pc01002/SpringPeeper/ED288I.6; Who are you?" IEEE Security & Privacy 6.2 (March/April 2008): 13-15
Hansen, Marit, Ari Schwartz, and Alissa Cooper. "Privacy and Identity Management", IEEE Security & Privacy 6.2 (March/April 2008): 38-45
- Determine whether identity is necessary
  - What is the application?
  - What are its uses?
  - What is the larger context?
- If identity is necessary,
  - consider identity risks
    - What can go wrong with the system, or what are the initiators or initiating events (undesirable starting events) that lead to adverse consequences?
    - What and how severe are the potential problems or the adverse consequences?
    - How likely to occur are these undesirable consequences?
  - Discourage unnecessary linkages (e.g., separate medical PII from other PII and from non-PII)
- Implement privacy and security during design ("build in, don't bolt on")
Slide 20: Challenges and Solutions in Identity Management
Dhamija, Rachna and Lisa Dusseault. "The Seven Flaws of Identity Management", IEEE Security & Privacy 6.2 (March/April 2008): 24-29
- Identity management is not a goal in itself (give users what they want)
- Users follow the path of least resistance (make it the secure path)
- Reduce cognitive burden: think of how your system will be used in the larger context of other systems. Don't replace one burden with another.
- Reduce the number of trust decisions users have to make, since repeated user consent could lead to maximum information disclosure
- Use mutual authentication (not just user authentication). Assume that your systems and users will be attacked and design your systems with that in mind.
- Trust must be earned, so be trustworthy
Slide 21: Building a System that Manages Identity: Adopt Trust-Enhancing Measures
- Be a trustworthy gatekeeper so users will choose you over the competition
- Take advantage of previous work (don't reinvent the wheel)
- Ex: Microsoft Privacy Guidelines for Developing Software Products and Services
  - http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en
  - Scenario 1: Transferring PII to and from the Customer's System
  - Scenario 2: Storing PII on the Customer's System
  - Scenario 3: Transferring Anonymous Data from the Customer's System
  - Scenario 4: Installing Software on a Customer's System
  - Scenario 5: Deploying a Website
  - Scenario 6: Storing and Processing User Data at the Company
  - Scenario 7: Transferring User Data Outside the Company
  - Scenario 8: Interacting with Children
  - Scenario 9: Server Deployment
Slide 22: Building a System that Manages Identity: Adopt Trust-Enhancing Measures
Privacy is in the Security Development Lifecycle for computer software, so get to know and work with your security people; suggest using something like the following to build security and privacy together.
Slide 23: Privacy Management Insights
Ryan West, "The Psychology of Security", Communications of the ACM 51:4 (April 2008), pp. 34-40
- Work with, not against, human psychology
- Users routinely multitask and, if bad things have not happened to them in the past, tend not to read relevant text (e.g., privacy statements)
- Possible solutions:
  - Increase user awareness (outreach program)
  - Create alerts and messages that are distinguishable from other messages and have a higher level of importance when seen
  - These alerts should not get in the way of users' primary goals (users are often in the middle of a task when the system asks them to make a security and privacy decision that may require diverting their attention to it)
  - Increase awareness that web traffic is being monitored
Slide 24: Chief privacy officers
- Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns
- The role of the CPO varies in each company
  - Draft privacy policy
  - Respond to customer concerns
  - Educate employees about the company privacy policy
  - Review new products and services for compliance with the privacy policy
  - Develop new initiatives to keep the company out front on the privacy issue
  - Monitor pending privacy legislation
Slide 25: Is this social or professional networking or both, and does it matter, and if so, why?
Used with permission of my friend Harriet Pearson
Slide 26: How Are Security and Privacy Different?
Security: Protection Mechanisms
- Authentication
- Access controls
- Availability
- Confidentiality
- Integrity
- Retention
- Storage
- Backup
- Incident response
- Recovery
Privacy: Personal Information-Handling Mechanisms
- "Individual Rights"
- Fairness of Use
- Notice
- Choice
- Access
- Accountability
- Security
Many Privacy Laws Also Restrict Trans-Border Data Flow of Personal Information
Attribution??????
Slide 27: Technical Controls for Security and Privacy -- Authentication
- Something you know
  - Passwords – traditional
  - Passwords – federated
  - Passphrases, images, challenge responses
- Something you have
  - Physical (machine-readable) token
- Something you are
Source: Wikipedia. At Walt Disney World, biometric measurements are taken from the fingers of guests to ensure that the person's ticket is used by the same person from day to day.
Slide 28: Technical Controls for Security and Privacy: Authentication -- Biometrics
Wayman, James L. "Biometrics in Identity Management Systems", IEEE Security & Privacy 6.2 (March/April 2008): 30-37.
- Biometrics reduce the need for other identifiers
- Still have to safeguard the data representing the biometrics
- Helpful when used in conjunction with other items ("multi-factor authentication")
- Example: multi-factor authentication (not identification)
  - Something you know
  - Something you have
  - Your location
  - Something you are
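Two of the factors on these two slides (something you know, something you have), as an added example that is not part of the talk: a login check that requires both a salted, slow-hashed password and an RFC 6238 time-based one-time code from a token, with the details a deployment needs and that a slide cannot show: constant-time comparisons, a one-step clock-skew window, always evaluating both factors, and a replay guard so a code is accepted at most once. The user-record layout, the function names and the sample password are assumptions; the token secret is the RFC 4226/6238 test-vector key, used here only so the generated codes can be checked against the RFC values.

```python
"""Password ("something you know") plus TOTP token ("something you have").

Added example, not from the talk; record layout and function names are
hypothetical.  HOTP/TOTP follow RFC 4226 / RFC 6238 exactly, so the RFC
test vectors can be used to check them.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000  # slow hash: a stolen record is costly to brute-force


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Store (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check does not leak how far it matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def match_totp(secret, code, at_time, window=1, step=30, digits=6):
    """Return the time-step counter whose code matches, or None.
    A window of +/- one step tolerates clock skew; every candidate is
    compared (no early exit) and each comparison is constant-time."""
    counter = at_time // step
    matched = None
    for c in range(max(counter - window, 0), counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            matched = c
    return matched


def enroll(username: str, password: str, totp_secret: bytes = b"") -> dict:
    """Create a user record; the shared TOTP secret is generated at enrollment
    (it would be shown to the user once, e.g. as a QR code, then kept server-side)."""
    salt, digest = hash_password(password)
    return {"username": username, "salt": salt, "pw_digest": digest,
            "totp_secret": totp_secret or os.urandom(20),
            "last_totp_counter": -1}  # replay guard: highest counter accepted so far


def verify_login(user: dict, password: str, code: str, at_time=None, step: int = 30) -> bool:
    """Both factors must pass.  Both are always evaluated, and the caller learns
    only yes/no, not which factor failed.  A code is accepted at most once:
    its counter must exceed the last counter used for this user."""
    if at_time is None:
        at_time = int(time.time())
    pw_ok = check_password(password, user["salt"], user["pw_digest"])
    matched = match_totp(user["totp_secret"], code, at_time, step=step)
    fresh = matched is not None and matched > user["last_totp_counter"]
    if not (pw_ok and fresh):
        return False
    user["last_totp_counter"] = matched  # consume the code only on full success
    return True


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret, a fixed clock, a throwaway password.
    secret = b"12345678901234567890"
    alice = enroll("alice", "correct horse battery", totp_secret=secret)
    now = 1111111109
    print(verify_login(alice, "correct horse battery", totp(secret, now), at_time=now))  # True
    print(verify_login(alice, "correct horse battery", totp(secret, now), at_time=now))  # False: replayed code
```

The replay guard is what turns "something you have" into a real second factor: without it, a code captured from a phished login page stays valid for the rest of its 30-second step plus the skew window, and the password alone is all an attacker still needs.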
Slide 29: Managing Identity in the Future
What about privacy in third party applications*?
- Defaults are typically set to encourage a lot of sharing
- There are app-checkers for privacy written by unknown suppliers, since third party application defaults may allow (and even coerce) even more sharing
- But even these app-checkers may have permissive defaults
- And, of course, it's easy to share these, with their permissive defaults, with your "friends"
* "Third party applications" often involve "generative systems" (Jonathan Zittrain, The Future of the Internet and How to Stop It, Yale University Press, 2008)
Slide 30: Identity Management in the Future: More Dynamic Markets
Fitzgerald, Michael. "Predicting Where You'll Go and What You'll Like", The New York Times, 22 June 2008
Acquisti, Alessandro. "Identity Management, Privacy and Price Discrimination", IEEE Security & Privacy 6.2 (March/April 2008): 46-50
- Tracking people's daily whereabouts using GPS information gathered from cell phones
  - Helps predict economic trends and gives business insight on where to open stores and have sales
  - Can empower buyers to set prices (on eBay, or by walking by [GPS triggers an "opportunity alert" to store and to buyer])
  - Sellers can differentiate using anonymous credentials that allow a merchant to price to a particular segment of the consumer population (but a "soak the rich" algorithm will require high-valued customers (or their electronic agents) to be smart enough to recognize and deal with adverse price discrimination)
    30. 31. Government Surveillance of Citizens, Residents, Everyone? <ul><li>Kafka, The Trial </li></ul><ul><li>Orwell, 1984 </li></ul><ul><li>Maryland dissidents </li></ul><ul><li>Skype China room </li></ul><ul><li>SF ATT Room </li></ul><ul><li>Recent NAS report </li></ul>
    31. 32. Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment National Research Council, October 2008 http://www.nap.edu/catalog.php?record_id=12452 <ul><li>Address the challenges of technology for countering terrorists, especially </li></ul><ul><ul><ul><ul><li>Data mining and information fusion, </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Available and emerging surveillance technologies and their IT support, </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Behavioral surveillance, </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Attendant privacy issues </li></ul></ul></ul></ul><ul><li>Address “ever-present tension” </li></ul><ul><ul><li>Protection of our Nation or Privacy and Civil Liberties </li></ul></ul><ul><ul><li>Protection of our Nation and Privacy and Civil Liberties </li></ul></ul><ul><ul><li>Committee view: sometimes “or”, sometimes “and” </li></ul></ul>
    32. 33. Basic Premises <ul><li>The United States faces two real and serious threats from terrorists. </li></ul><ul><ul><li>Terrorist acts themselves, and </li></ul></ul><ul><ul><li>Inappropriate or disproportionate responses to them. </li></ul></ul><ul><li>The terrorist threat does not justify government activities or operations that contravene existing law. </li></ul><ul><li>Terrorist challenges do not warrant fundamental changes in our level of privacy protection. </li></ul><ul><li>Science and technologies are important dimensions of counterterrorism efforts. </li></ul><ul><li>Counterterrorist programs should provide other benefits when possible. </li></ul>Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment
    33. 34. In short… <ul><li>We want the counter-terrorism community to have the best possible tools. </li></ul><ul><ul><li>With realistic assessment of capabilities and effectiveness. </li></ul></ul><ul><li>We want our privacy protected. </li></ul><ul><ul><li>Through oversight, assessment, common sense, lawfulness, and continual improvement </li></ul></ul>
    34. 35. The Core of the Report <ul><li>A Framework for Evaluating Information-Based Programs for </li></ul><ul><ul><li>Effectiveness and </li></ul></ul><ul><ul><li>Consistency with U.S. Laws and Values </li></ul></ul><ul><li>Applicable to all information-based programs for specific government purposes, such as counterterrorism, both classified and unclassified. </li></ul><ul><li>Wanted a framework that was: </li></ul><ul><ul><li>Realistic; </li></ul></ul><ul><ul><li>Broadly applicable; </li></ul></ul><ul><ul><li>Consistent with U.S. laws and values; </li></ul></ul><ul><ul><li>Based on common sense, best practice, and lessons learned; and </li></ul></ul><ul><ul><li>Leads to continuous improvement and accountability. </li></ul></ul>
    35. 36. Framework: Effectiveness Programs should have or be: <ul><li>Clearly stated purpose—what are you trying to achieve? </li></ul><ul><li>Rational Basis—why should we even think it might work? </li></ul><ul><li>Sound Experimental Basis—is there empirical demonstration that it can work? </li></ul><ul><li>Scalable—will it work at scale? </li></ul><ul><li>Operations or Business Processes—how does the program work within itself? </li></ul><ul><li>Capable of being integrated with other inter- and intra-organizational entities—how does it interact with other elements? </li></ul>
    36. 37. Framework: Effectiveness Programs must have or be: <ul><li>Robust—is it resistant to countermeasures? </li></ul><ul><li>Appropriate and Reliable Data—is the data good? </li></ul><ul><li>Data Stewardship—is the data protected properly? </li></ul><ul><li>Objectivity—who evaluates the program? (not program advocates!) </li></ul><ul><li>Ongoing Assessment—programs evolve, and the evolved version requires examination as well </li></ul><ul><li>Documented—are effectiveness and compliance documented? Or merely asserted? </li></ul>
    37. 38. Framework: Consistent with U.S. Laws and Values <ul><li>Data </li></ul><ul><ul><li>Need—why is personal data needed? </li></ul></ul><ul><ul><li>Sources—where does data come from? Is it legal? </li></ul></ul><ul><ul><li>Appropriateness—are data good for the intended use? </li></ul></ul><ul><ul><li>Third-Party Data require additional protections </li></ul></ul><ul><ul><ul><li>Repurposed data should be explicitly repurposed </li></ul></ul></ul><ul><ul><ul><li>Leave 3rd party data in place if possible </li></ul></ul></ul><ul><ul><ul><li>Consider adequacy explicitly </li></ul></ul></ul>
    38. 39. Framework: Consistent with U.S. Laws and Values <ul><li>Programs </li></ul><ul><ul><li>Objective of program – clear and lawful? </li></ul></ul><ul><ul><li>Compliance with existing law? </li></ul></ul><ul><ul><li>Effectiveness – scientifically demonstrated to be effective? </li></ul></ul><ul><ul><li>Frequency of false positives – acceptable? </li></ul></ul><ul><ul><li>Reporting and redress of false positives – how to report? How to correct? </li></ul></ul><ul><ul><li>Impact on individuals – what happens to individuals? </li></ul></ul><ul><ul><li>Data minimization – are data in excess of what is necessary collected? </li></ul></ul><ul><ul><li>Audit Trail – can users of the data be held individually accountable for abuse or non-compliance? </li></ul></ul><ul><ul><li>Security and access – are unauthorized users kept out? </li></ul></ul><ul><ul><li>Transparency – are the impacts and operation of the program understood by those affected by it? </li></ul></ul>
    39. 40. Framework: Consistent with U.S. Laws and Values <ul><li>Administration and Oversight </li></ul><ul><ul><li>Training – are users properly trained to use the program? </li></ul></ul><ul><ul><li>Agency Authorization – is the program actually authorized by the agency? </li></ul></ul><ul><ul><li>External Authorization – are mechanisms for obtaining external authorization in place when necessary? </li></ul></ul><ul><ul><li>Auditing for Compliance – is compliance reviewed at least annually? </li></ul></ul><ul><ul><li>Privacy Officer – is a policy-level officer in place to manage privacy issues? </li></ul></ul><ul><ul><li>Reporting – are all relevant policy makers kept informed and up to date about program operation? </li></ul></ul>
    40. 41. Conclusions: Privacy <ul><li>Privacy protection can be obtained through the use of a mix of technical and procedural mechanisms. </li></ul><ul><li>Data quality is a major issue in the protection of privacy. </li></ul><ul><li>Inferences about intent and/or state of mind implicate privacy issues to a much greater degree than assessments or determinations of capability. </li></ul>
    41. 42. Conclusions: Assessment of Counterterrorism Programs <ul><li>Program deployment and use must be based on criteria more demanding than “it’s better than doing nothing.” </li></ul>
    42. 43. Conclusions: Data Mining <ul><li>Currently, privacy violations arising from information-based programs using data mining and record linkage are not adequately addressed. </li></ul><ul><li>Data mining has been successful in private sector applications such as fraud detection. However, detecting and preempting terror attacks is vastly more difficult. </li></ul>
    43. 44. Conclusions: Data Mining, Cont’d <ul><li>Pattern-based data mining can help analysts determine how to deploy scarce investigative resources and actions. Automated terrorist identification is not feasible. </li></ul>
    44. 45. Conclusions: Data Mining, Cont’d <ul><li>Systems that support analysts should have features that enhance privacy protection; however, privacy-preserving examination of individually identifiable records is not possible. </li></ul><ul><li>Data mining R&D using real population data is inherently privacy-invasive. </li></ul>
    45. 46. Conclusions: Deception Detection and Behavioral Surveillance <ul><li>Behavioral and physiological monitoring techniques might help detect: (a) individuals whose behavior and physiological states deviate from norms and (b) patterns of activity with well-established links to underlying psychological states. </li></ul><ul><li>R&D aimed at automated, remote, and rapid assessment of anomalous behavior and activity with well-established links to psychological states relevant to terrorist intent is warranted. </li></ul>
    46. 47. Conclusions: Deception Detection and Behavioral Surveillance <ul><li>Technologies and techniques for behavioral observation have enormous potential for violating privacy. </li></ul>
    47. 48. Recommendation 1 <ul><li>Government agencies using information-based programs for counter-terrorist purposes should follow a systematic process such as the one described in the committee’s framework to evaluate the desirability and feasibility of any given program before such a program is set into motion. </li></ul>
    48. 49. Sub-Recommendations specify: <ul><li>Periodic application of Framework after deployment </li></ul><ul><li>Use of synthetic population data for R&D </li></ul><ul><li>Robust, independent oversight of programs and </li></ul><ul><li>Redress for innocent individuals harmed by programs. </li></ul>
    49. 50. Recommendation 2 <ul><li>The U.S. government should periodically review the nation’s law, policy, and procedures that protect the private information of individuals in light of changing technologies and circumstances. In particular, the U.S. Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorist purposes. </li></ul>
    50. 51. Privacy <ul><li>Lance J. Hoffman </li></ul><ul><li>Distinguished Research Professor Computer Science Department </li></ul><ul><li>The George Washington University </li></ul><ul><li>Washington, DC </li></ul><ul><li>[email_address] </li></ul><ul><li>THE END </li></ul>