This document summarizes a presentation given by Catherine Dwyer at the Pitney Bowes Privacy and Security Conference on June 26, 2012. The presentation discusses the concept of "Privacy by Design" and argues that it needs to evolve into "Privacy Requirements Engineering" in order to make privacy objectives more tangible and measurable. Specifically, Dwyer recommends emphasizing privacy requirements engineering, developing data visualization tools to model information flows, and determining if privacy requirements are being met within business processes.

1. Privacy by Design: Can it
Work?
Catherine Dwyer
Seidenberg School of
Computer Science & Information Systems
Pace University
New York, NY
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 1

2. Gehry Building
8 Spruce Street
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 2

3. Lawyers Technologists
Online Privacy
Organization
Citizens
s
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 3

4. Privacy Research Group – NYU
Law
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 4

5. What is Privacy by Design?
Ann Cavoukian, Information
& Privacy Commissioner, Ontario, Canada Privacy and Security Conference
Pitney Bowes
6/26/2012 © Catherine Dwyer 2012 5

6. Principles of Privacy by
Design
1. Proactive not Reactive; Preventative not
Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality — Positive-Sum, not
Zero-Sum
5. End-to-End Security — Full Lifecycle
Protection
6. Visibility and Transparency — Keep it
Open
7. Respect for User Privacy — Keep it User-
Centric
From www.privacybydesign.ca
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 6

7. Legal perspective
 4th Amendment: ―The right of the
people to be secure in their persons,
houses, papers, and effects, against
unreasonable searches and seizures,
shall not be violated, and no Warrants
shall issue, but upon probable cause,
supported by Oath or affirmation, and
particularly describing the place to be
searched, and the persons or things to
be seized.‖
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 7

8. Third party doctrine
 ―The Supreme Court has repeatedly
held, however, that the Fourth
Amendment does not protect information
revealed to third parties.‖ (Kerr, 2004)
 Third party – any
business, organization, ISP, cloud
service providers
 Once you ―share‖ data with a third
party, you lose 4th amendment protection
 4th amendment standard is ―probable
cause,‖ 3rd party standard is ―relevant to
an investigation‖ and ―not overbroad‖
(Kerr, 2004) Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 8

9. Source: Google transparency report, more than
18,000 requests from governments around the
globe to Google user data (7/11-12/11) and Security Conference
Pitney Bowes Privacy
6/26/2012 © Catherine Dwyer 2012 9

10. Source:
WikiLeak
s
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 10

11. Problems With PbD
 ―Privacy by design is an amorphous
concept… it is not clear … what
regulators really have in mind when
they urge firms developing products to
build in privacy.‖ (Rubinstein, 2011)
 Requirements engineering is needed
to transform privacy by design from a
vague admonitions into a structured
design process with tangible outcomes
(Rubinstein, 2011)

Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 11

12. Excerpt from FTC Staff Report, March 2012, which uses ―reasona
more than 50 times in a 112 page report.
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 12

13. Design & Model
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 13

14. Engineer
&
Build
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 14

15. Tangible Outcome
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 15

16. Gehry building – 8 Spruce Street
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 16

17. Design versus engineering
 Design focuses
on models
 Engineering
focuses on
requirements
 Requirements
must be
measurable and
verifiable
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 17

18. Moving to privacy engineering
 Need to move from ―privacy by
design‖ to ―privacy requirements
engineering‖
 Design can capture broad objectives
(―buildings should be constructed with
fireproof materials‖)
 Engineering makes those objectives
tangible (―fireproof material must be
able to bear weight for four hours of
fire at 1000 degrees F‖)
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 18

19. Example: Privacy Principle
 ―Companies should incorporate
substantive privacy protections into
their practices, such as data security,
reasonable collection limits, sound
retention practices, and data
accuracy.‖ (source: FTC Staff Report,
March 2012)
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 19

20. Engineering Requirements
 ―The risk of data exposure can be
further minimized by reducing the
sensitivity of stored data wherever
possible … for example, when using
the customer‘s IP address to
determine location for statistical
analysis, discard the IP address after
mapping it to a city or town.‖
 source: Microsoft Privacy Guidelines
for Developers, 2008
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 20

21. How can this be
accomplished?
 Qualitiative – focus groups/interviews
with domain experts/stakeholders
 Quantitative – formal analysis of
statutes and regulations (see Breaux
and Anton, 2007)
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 21

22. Privacy Requirements
Engineering
Source: ―A Framework for Modeling Privacy Requirements
in Role Engineering,‖ He and Anton, 2003
RBAC = Role Based Access Control
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 22

23. Development tools are
needed
 Can‘t manage the complexity of
describing privacy engineering
requirements ―by hand,‖ takes too long
 Can‘t audit privacy of information
systems ‗by hand,‘ not comprehensive
enough
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 23

24. Ghostery: Tracking tools found on Dictionary.co
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 24

25. Firefox Collusion: Graph of tracking entities and flow of data
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 25

26. Network traffic visualization
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 26

27. Recommendations
 Emphasize privacy requirements
engineering
 Develop data visualization tools
(enterprise level) that model
information flows and identify privacy
weaknesses
 Model information flow within business
processes and determine if privacy
requirements are being met
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 27

28. Questions?
 Thank you!
 Catherine Dwyer
Seidenberg School of Computer
Science and Information Systems
Pace University
 Twitter: @ProfCDwyer
Pitney Bowes Privacy and Security Conference
6/26/2012 © Catherine Dwyer 2012 28