Aram H. (Aram Hovsepyan), researcher at DistriNet, KU Leuven, presented the LINDDUN methodology (dating from 2010) in an already somewhat simplified form (3 steps instead of 6), while the team works on further operationalising it and aligning it with the GDPR.
With LINDDUN you systematically work out the technical side of the "appropriate measures" needed to protect the data, in 3 steps:
1 describe the data (flow) elements
2 elicit threats relating to linkability, identifiability, non-repudiation, detectability, disclosure of information, unawareness and non-compliance (and keep the analysis focused by making, and recording, reasonable assumptions)
3 manage the threats: prioritise them and mitigate them, choosing mitigations from a taxonomy of privacy-enhancing technologies (PETs) that is based on the threat taxonomy
You can find more on the methodology at linddun.org
This presentation was one of a series given at the Privacy Design Lab, organised together with the US Chamber of Commerce on 6 November 2017.
1. Towards GDPR Compliance with LINDDUN
Aram Hovsepyan
Kim Wuyts
https://www.facebook.com/LINDDUN.privacy/
https://twitter.com/linddun
https://linddun.org
2. DistriNet

Large team of professionals
§ 12 faculty members
§ 8 research managers
§ 15 postdocs
§ 50 PhD students
§ business office

Project-centric research
§ fundamental research at the core
§ strategic basic research
§ applied research with industry
§ contract research

Research areas: distributed software, software engineering, secure software
7. LINDDUN* Framework
› Step 1: describe the system
  › create a data flow diagram (DFD)
  › describe all data
› Step 2: elicit threats/risks
  › map threats to DFD elements
  › identify threats using attack trees
› Step 3: manage threats/risks
  › prioritize in dialog with the DPO
  › mitigate using a taxonomy of PETs
* We present a modified version of LINDDUN
12. Step 2: Elicit threats
Threat elicitation techniques, for security/privacy mavens and for experts in other areas:
› LINDDUN
› attack trees
› checklists
› CAPEC
› STRIDE
13. Step 2: Map threats to DFD elements (mapping template)

               L    I    N    D    ID   U    NC
Data store     X    X    X    X    X    -    X
Data flow      X    X    X    X    X    -    X
Process        X    X    X    X    X    -    X
Entity         X    X    -    -    -    X    -

L = Linkability, I = Identifiability, N = Non-repudiation, D = Detectability,
ID = Information disclosure, U = (content) Unawareness, NC = (policy & consent) Non-compliance
14. Assumptions
› Pre-conditions / invariants that invalidate threats, e.g.:
  › non-repudiation threats are often not applicable
  › secure communication (https A+ grade), e.g. to rule out disclosure on the wire
  › identifiability and linkability threats may not be applicable to closed systems
› Record every assumption with the threat it removes: an assumption that later turns out to be false silently reintroduces those threats.
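The following is an added example, not code from the presentation or from the LINDDUN project, of what Step 2 looks like when the mapping template and the assumptions above are applied mechanically: every DFD element is crossed with the threat categories that apply to its type, and each assumption is a rule that discards a pair and records the reason, so the analysis stays traceable. The DFD fragment, the element names and the three assumption rules are constructed for illustration (the deck's own "DFD 4" is not reproduced on the page); the category abbreviations and the mapping table follow the slide.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# LINDDUN threat categories: Linkability, Identifiability, Non-repudiation,
# Detectability, Information Disclosure, Unawareness, Non-compliance.
CATEGORIES = ["L", "I", "N", "D", "ID", "U", "NC"]

# The mapping template from the slides: which categories apply to which DFD element type.
MAPPING: Dict[str, Set[str]] = {
    "entity":     {"L", "I", "U"},
    "process":    {"L", "I", "N", "D", "ID", "NC"},
    "data_store": {"L", "I", "N", "D", "ID", "NC"},
    "data_flow":  {"L", "I", "N", "D", "ID", "NC"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                      # one of the MAPPING keys
    tags: frozenset = frozenset()  # properties consulted by assumptions, e.g. "tls"


# An assumption is a rule that discards an (element, category) pair and says why.
Assumption = Callable[[Element, str], Optional[str]]


def no_accountability_need(e: Element, cat: str) -> Optional[str]:
    # Slide: "non-repudiation threats often not applicable" (assumed for this system)
    return "no accountability requirement, non-repudiation not applicable" if cat == "N" else None


def transport_secured(e: Element, cat: str) -> Optional[str]:
    # Slide: "secure communication (https A+ grade)" rules out disclosure on tagged flows
    if e.kind == "data_flow" and "tls" in e.tags and cat == "ID":
        return "flow protected by TLS (A+ grade assumed)"
    return None


def closed_system(e: Element, cat: str) -> Optional[str]:
    # Slide: linkability/identifiability may not apply to closed systems. Applied here
    # only to external entities, whose identity is already known; L/I threats on
    # processes and data stores (e.g. re-identification from logs) stay in scope.
    if e.kind == "entity" and cat in {"L", "I"}:
        return "closed system, entity already known"
    return None


def elicit(elements: List[Element], assumptions: List[Assumption]):
    """Return (kept, discarded): kept lists the (element name, category) pairs to
    analyse further; discarded records each pair removed by an assumption and why."""
    kept: List[Tuple[str, str]] = []
    discarded: List[Tuple[str, str, str]] = []
    for e in elements:
        for cat in CATEGORIES:
            if cat not in MAPPING[e.kind]:
                continue
            reason = None
            for rule in assumptions:
                reason = rule(e, cat)
                if reason:
                    break
            if reason:
                discarded.append((e.name, cat, reason))
            else:
                kept.append((e.name, cat))
    return kept, discarded


# Constructed DFD fragment, loosely modelled on the two examples later in the deck.
DFD = [
    Element("User", "entity"),
    Element("Forgot password", "process"),
    Element("Action log", "data_store"),
    Element("User -> Forgot password", "data_flow", frozenset({"tls"})),
    Element("Forgot password -> Action log", "data_flow"),
]
ASSUMPTIONS: List[Assumption] = [no_accountability_need, transport_secured, closed_system]


def main() -> None:
    kept, discarded = elicit(DFD, ASSUMPTIONS)
    print(f"{len(kept)} candidate threats to analyse, {len(discarded)} discarded by assumption")
    for name, cat, reason in discarded:
        print(f"  skip {name} / {cat}: {reason}")


if __name__ == "__main__":
    main()
```

The discarded list is the assumption register the slide asks for: each entry names the threat that disappears if the assumption is wrong, which is what a reviewer or the DPO will want to challenge. The 20 pairs that survive are the input to the attack-tree step, where each pair is refined into concrete threats such as the two worked examples below.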
17. Step 2: example

Threat 1: Using the forgot password feature we can identify a system user. DFD 4 (Detectability).
Description: The forgot password feature asks for the user's email address and, after the reset, reports that a reset email was successfully sent to the user. This is a detectability threat that feeds identifiability: an attacker can easily check whether a given email address is registered on the platform.
Countermeasure: None
Likelihood: Limited
Impact: Negligible
Action point: Modify the forgot password feature so that it always returns the same message, making it impossible to tell whether a user with the given email address exists.
Reference: D_p (12)
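As an added example (not the presenters' code, and not a real platform), the leaky behaviour described in Threat 1 next to the action point's fix, with the attacker's side written out: a probe to an address that certainly does not exist yields the "not found" reply, and every candidate address whose reply differs is confirmed as registered. The user store, the addresses and the reply strings are constructed for the example.

```python
import secrets
from typing import Callable, Dict, List

# Constructed user store (not from the presentation): email -> password hash placeholder.
USERS: Dict[str, str] = {
    "alice@example.org": "<hash>",
    "bob@example.org": "<hash>",
}


def reset_leaky(email: str, users: Dict[str, str], outbox: List[str]) -> str:
    """The behaviour the slide describes: the reply depends on whether the account exists."""
    if email not in users:
        return "No account is registered for that email address."
    outbox.append(email)              # stand-in for sending the reset mail
    return f"A password reset email has been sent to {email}."


RESET_REPLY = "If an account exists for that address, a password reset email has been sent."


def reset_hardened(email: str, users: Dict[str, str], outbox: List[str]) -> str:
    """The action point: always the same reply. Real accounts still get their mail;
    the requester learns nothing about whether the address is registered."""
    if email in users:
        outbox.append(email)          # in production: enqueue asynchronously, so the
                                      # response time does not depend on this branch either
    return RESET_REPLY


def enumerate_accounts(candidates: List[str],
                       reset: Callable[[str, Dict[str, str], List[str]], str],
                       users: Dict[str, str]) -> List[str]:
    """Attacker's oracle: learn the 'not found' reply from a surely unregistered
    address, then report every candidate whose reply differs from it."""
    probe = f"nobody-{secrets.token_hex(8)}@example.invalid"
    baseline = reset(probe, users, [])
    return [email for email in candidates if reset(email, users, []) != baseline]


CANDIDATES = ["alice@example.org", "eve@example.org", "bob@example.org"]

if __name__ == "__main__":
    print("leaky   :", enumerate_accounts(CANDIDATES, reset_leaky, USERS))
    print("hardened:", enumerate_accounts(CANDIDATES, reset_hardened, USERS))
```

Two checks belong with this fix in practice. The registration form ("this email is already in use") and the login error text are the same oracle in a different place and need the same treatment, and a uniform message only closes the channel if the response time is uniform too: if the existing-account branch sends mail synchronously or hashes a password while the other branch returns immediately, the attacker simply measures latency instead of reading the text.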
18. Step 2: example

Threat 3: Storing a complete log of user actions. DFD 4 (Identifiability, Linkability, Unawareness, Non-compliance)
Description: All user actions are logged in the system for statistical purposes. This is a significant privacy threat in several categories, notably unawareness and non-compliance. Note that even if the log is anonymized, the identifiability and linkability threats remain: a user's last login time can be matched against the log to recover that user's actions.
Countermeasure: None
Likelihood: Maximum (administrators can always look at the complete log).
Impact: Limited (to be discussed with the DPOs).
Action points:
• Make sure the privacy policy states that a detailed log is collected.
• Keep the log, but drop the link to the users (making it impossible to track teams).
• Reduce the time precision of the log entries (e.g., keep only the hour of the action, not the minute and second).
Reference: L_ds6, I_ds5, I_ds6, U_2, NC_3 (4)
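An added example, not taken from the presentation, of the re-identification the description warns about and of the last two action points. The log and the per-user last-login times are constructed; the attacker is assumed to be able to read last-login times from profile pages (the slide does not say where they come from) and to have the "anonymized" log. With second-precision timestamps every login record matches exactly one user; once the user column is dropped and the timestamps are truncated to the hour, the same match returns several candidates.

```python
from datetime import datetime
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]  # (user, ISO-8601 timestamp, action)

# Constructed sample data, not from the presentation.
# Last-login times as shown on profile pages (assumed readable by the attacker).
LAST_LOGIN: Dict[str, str] = {
    "alice": "2017-11-06T09:14:32",
    "bob":   "2017-11-06T09:41:07",
    "carol": "2017-11-06T09:15:58",
}
# The complete action log kept "for statistical purposes".
RAW_LOG: List[Record] = [
    ("alice", "2017-11-06T09:14:32", "login"),
    ("alice", "2017-11-06T09:16:05", "download_export"),
    ("carol", "2017-11-06T09:15:58", "login"),
    ("carol", "2017-11-06T09:20:41", "view_report"),
    ("bob",   "2017-11-06T09:41:07", "login"),
    ("bob",   "2017-11-06T09:42:13", "edit_profile"),
]


def coarsen(ts: str, granularity: str) -> str:
    """Truncate an ISO-8601 timestamp to 'second' (unchanged) or 'hour' precision."""
    t = datetime.fromisoformat(ts)
    if granularity == "second":
        return t.isoformat()
    if granularity == "hour":
        return t.replace(minute=0, second=0, microsecond=0).isoformat()
    raise ValueError(f"unsupported granularity: {granularity}")


def anonymize(log: List[Record], granularity: str) -> List[Tuple[str, str]]:
    """The slide's action points: drop the user column and reduce time precision."""
    return [(coarsen(ts, granularity), action) for _user, ts, action in log]


def relink(anon_log: List[Tuple[str, str]], last_login: Dict[str, str],
           granularity: str) -> List[Tuple[Tuple[str, str], Set[str]]]:
    """Attacker view: match each anonymized 'login' record against the last-login
    times from the profiles. Returns (record, candidate users) pairs."""
    index: Dict[str, Set[str]] = {}
    for user, ts in last_login.items():
        index.setdefault(coarsen(ts, granularity), set()).add(user)
    return [(rec, index.get(rec[0], set())) for rec in anon_log if rec[1] == "login"]


def reidentified(anon_log: List[Tuple[str, str]], last_login: Dict[str, str],
                 granularity: str) -> int:
    """Number of anonymized login records that resolve to exactly one user."""
    return sum(1 for _rec, cands in relink(anon_log, last_login, granularity) if len(cands) == 1)


if __name__ == "__main__":
    for g in ("second", "hour"):
        n = reidentified(anonymize(RAW_LOG, g), LAST_LOGIN, g)
        print(f"{g:6s} precision: {n} of 3 login records re-identified")
```

Once a login record is pinned to a user, the actions that follow it in the log are attributed to that user as well, which is the "figure out the user's actions" in the description. The hour bucket only helps because three users logged in during the same hour; on a low-traffic system an hour with a single login is still unique, so the mitigation needs a check that every bucket holds several users (a k-anonymity style threshold) rather than a fixed precision. It also does nothing against the administrator reading the raw log, which is why the slide rates likelihood as maximum: access control and retention limits on the raw log belong in the same action plan.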
23. LINDDUN
› Systematic technical data privacy impact assessment framework
› Solid scientific foundation
› 30 years security research
› 10 years privacy research
› Collaborative effort with COSIC and CiTiP
› Validated through empirical studies and pilot projects
https://linddun.org