
Slide 1

Privacy Engineering: A very quick and incomplete introduction

Dr. Ian Oliver, Bell Labs, Finland
14 February 2017

A lecture given at Tietosuojavataava 2.0, Helsinki, Finland

© Nokia 2016 | Public

Slide 2: PRIVACY as a legal construct

• “The Right to Privacy” (Warren and Brandeis, 1890)
• EU Data Protection Laws
• Human Rights
• ...

Slide 3: PRIVACY as a philosophical construct

• ethics
• morals
• definition
• ...

Slide 4: PRIVACY as an economic construct

• cost
• brand value
• $£€

Slide 5: PRIVACY as a ...

Privacy by Design

Slide 6: PRIVACY as a game theoretic construct

Slide 7: From here to here...

Slide 8: COMPLIANCE!

Slide 9

Privacy compliance
Information asymmetry

Compliance is fragile

Slide 10: Compliance is fragile

  char collectDataFlag = 'Y'; // Future proofed boolean: Y for yes, N for no

  void collectDataFunction() {
      // collect IMEI, IMSI, MSISDN, TimeStamp and location
      // and send to the hardcoded IP address...
  }

  void checkDataCollection() {
      switch (collectDataFlag) {
          case 'N': // don't do anything
                    // (no break here, so 'N' falls through into 'Y' and collects anyway)
          case 'Y': // ok to collect everything
              collectDataFunction();
      }
  }
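As an added illustration (not the lecture's code), the flag check above rewritten twice in C so the defect can actually be observed: the fragile form reproduces the slide's missing break, the hardened form ends every case with a break and treats anything other than an explicit 'Y' as "do not collect". The collectDataFunction stub that merely counts its calls is an assumption standing in for the real collection routine.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed stand-in for the real collection routine: it only records that it ran. */
static int collection_calls = 0;
static void collectDataFunction(void) { collection_calls++; }

/* As on the slide: case 'N' has no break, so it falls through into 'Y'
   and collects anyway. Returns true if collection happened. */
bool checkDataCollectionFragile(char collectDataFlag) {
    int before = collection_calls;
    switch (collectDataFlag) {
    case 'N': /* don't do anything */
    case 'Y': /* ok to collect everything */
        collectDataFunction();
    }
    return collection_calls > before;
}

/* Hardened form: every case ends in a break, and anything that is not an
   explicit 'Y' ('N', lower-case, garbage, uninitialised) never collects. */
bool checkDataCollectionFixed(char collectDataFlag) {
    int before = collection_calls;
    switch (collectDataFlag) {
    case 'Y':
        collectDataFunction();
        break;
    case 'N':
    default:
        /* fail closed: no collection unless explicitly enabled */
        break;
    }
    return collection_calls > before;
}

int main(void) {
    printf("fragile, flag 'N', collects: %d\n", checkDataCollectionFragile('N')); /* 1 */
    printf("fixed,   flag 'N', collects: %d\n", checkDataCollectionFixed('N'));   /* 0 */
    return 0;
}
```

Note that the fragile form is wrong in both directions: 'N' collects, while an unexpected value such as 'n' silently does nothing, so the flag is not a reliable record of what the code will do.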

Slide 11: How do we address privacy in an engineering context?

Slides 12-14: How do we address the privacy engineering problem?

• Process
• Method (Technique, Skills): Requirements, Ontology, Modelling, Metrics, Culture

Richard Hamming (1915-1998): “The applications of knowledge, especially mathematics, reveal the unity of all knowledge. In a new situation almost anything and everything you ever learned might be applicable, and the artificial divisions seem to vanish.”

Slide 15: Agenda (repeated as a sidebar on the slides that follow)

• Requirements
• Ontology & Semantics
• Modelling
• Metrics
• Culture

Slide 16: Stop using the term “Personal Data”

Slide 17: What is an IP address?

Slide 18: What’s the semantics of an IP address?

Slide 19: What’s the semantics of an IP address?

Which interpretation(s) do you want? ...and when? ...and why?

Slide 20: Is this a location? 38°N 97°W

Slide 21: 38°N 97°W

Toto, I've a feeling we're not in Kansas any more.

Slide 22

http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/

Is this a location? 38°N 97°W == NULL

(The linked story: 38°N 97°W was the default coordinate returned for IP addresses that could only be located to “somewhere in the US”, so a farm near that point was treated as the location of millions of unrelated addresses.)

Slide 23: E-mail address as a login ID....

Slide 24: E-mail address as a login ID....

...left as an exercise to the reader.

Slides 25-29: diagrams (only the agenda sidebar survives in the transcript)

Slide 30: Probably not personal data / Probably personal data

Warning: Highly Simplified!

Slide 31: Worked example

An app that takes a photo and shares it *and* stores it in the cloud....

...you probably have at least one of these on your mobile device...

Slides 32-38: diagrams (only the agenda sidebar survives in the transcript)

Slide 39: Metrics for privacy are “mathematically” hard

Slide 40

Simple rule of thumb: take the maximal value of risk for any given combination of fields.

This has all the properties of a metric.

Slide 41: Overconstrained Systems

Slide 42: Overconstrained Systems

Risk Management through FMEA analysis

Slides 43-47 (Metrics - Anonymisation): a graph of amount of anonymisation (x-axis) against amount of information (y-axis)

• Slide 44: anonymisation sufficiently and correctly applied
• Slide 45: regions labelled NOT sufficiently anonymised / Sufficiently anonymised
• Slide 46: regions labelled Useful / NOT useful
• Slide 47: With luck your useful data will be sufficiently anonymised

Slide 48 (Metrics - Anonymisation)

● Suppression
● Hashing
● Encryption
● “Noise”
● Aside: Maintaining links for enabling revocation of consent to use
● Equivalence Classes
● K-Anon, l-Div, t-Close, etc...
● Differential Privacy
● ...

Slide 49 (Metrics - Anonymisation)

Lattice of structures:

  ID x LOCATION x TIME
  ID x LOCATION | ID x TIME | LOCATION x TIME
  ID | LOCATION | TIME

Rules of Thumb:

• Practically all data sets can be reduced down to structures involving identities, locations and timestamps.
• Identifying the structures (which will likely be overlapping) is hard.
• Each individual structure has its own “privacy properties” and links to others (principal component analysis).
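An added example (not from the lecture) tying slide 48's equivalence classes and k-anonymity to the ID x LOCATION x TIME structure of slide 49: the direct identifier is suppressed, location and timestamp are generalised, and the smallest equivalence class over the released quasi-identifiers is the k the data set actually achieves. The record layout and the sample rows are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* One row of the ID x LOCATION x TIME structure (assumed layout). */
struct record {
    const char *id;        /* direct identifier: suppressed before release */
    const char *location;  /* quasi-identifier, already generalised (e.g. city) */
    const char *hour;      /* quasi-identifier, timestamp bucketed to the hour */
};

/* Two records are in the same equivalence class when every released
   quasi-identifier matches. The suppressed id takes no part. */
static int same_class(const struct record *a, const struct record *b) {
    return strcmp(a->location, b->location) == 0 &&
           strcmp(a->hour, b->hour) == 0;
}

/* Size of the smallest equivalence class: the k the release achieves.
   A result of 1 means at least one person is unique on the released
   fields, i.e. NOT sufficiently anonymised. Returns 0 for an empty table. */
int achieved_k(const struct record *recs, int n) {
    int min = n;
    for (int i = 0; i < n; i++) {
        int size = 0;
        for (int j = 0; j < n; j++)
            if (same_class(&recs[i], &recs[j])) size++;
        if (size < min) min = size;
    }
    return n == 0 ? 0 : min;
}

/* Constructed sample: three people in Helsinki at 09:00, one alone in Oulu. */
static const struct record sample[] = {
    {"alice", "Helsinki", "09"},
    {"bob",   "Helsinki", "09"},
    {"carol", "Helsinki", "09"},
    {"dave",  "Oulu",     "09"},
};
static const int sample_n = sizeof sample / sizeof sample[0];

int main(void) {
    printf("achieved k = %d (the Oulu row is unique on LOCATION x TIME)\n",
           achieved_k(sample, sample_n));
    return 0;
}
```

Generalising the location further (e.g. to the country) would merge the Oulu row into the Helsinki class and raise k to 4, which is exactly the trade-off between amount of anonymisation and amount of information drawn on slides 43-47.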

Slide 50 (Metrics - Anonymisation): Exercise 1

● Describe how to “sufficiently” anonymise the following data points
● Which can be recovered after anonymisation?
● Which can be combined (even after anonymisation)?
● Which can be used as identifiers – either wholly, partially or composite?
● Which can be used as locations, and which infer locations?
● When do these need to be anonymised?
● Define “sufficiently” for each individually and then in combinations
● When do you apply suppress, hash, encrypt, k-anon, diff Priv etc?

Data points:

Your name
Your country of birth
Your date of birth
Your home router/computer’s MAC address
Your home router/computer’s IP address
Your mobile phone number
Your IMEI (mobile device identifier)
Your shopping list
Your web browsing history
Your web browser identification string
Number of children
Your medical records (complete)
Finland’s citizens’ medical records
Your heart rate, blood pressure etc
Your exercise route
Your car’s movements (traffic management)
Your last speeding/parking ticket
Your web server logs
Your mobile phone bill
Your email address
Your password
Your credit card number
Your credit card usage
Your login-ID
Your holiday travel plans
The information you send via the US ESTA Programme
The attendance to this lecture
The attendance to this lecture plus each attendee’s route here
Your usage of public transport
Your social media postings (FB, Twitter etc)
Your shared media (photos)

Slide 51 (Metrics - Anonymisation): Exercise 2

What are the properties of a data set (and its subsets) that make that data “personal data”?

Discuss.

Slides 52-54: diagrams (only the agenda sidebar survives in the transcript)

Slide 55: Standard “safety-critical” system tooling & techniques: FMEA, RCA, etc.

Slide 56: Summary

• Terminology and Ontology
• Modelling
• Requirements
• Analysis
• Metrics and Anonymisation
• Culture

Slide 57: Additional Material

https://www.bell-labs.com/usr/ian.oliver

Ian Oliver (2016). Experiences in the Development and Usage of a Privacy Requirements Framework. Requirements Engineering 2016, Beijing, China.

Ian Oliver, Yoan Miche (2016). On the Development of a Metric for Quality of Information Content over Anonymised Data-Sets. QUATIC 2016, Lisbon, Portugal.

Ian Oliver (2016). Using Safety-Critical Concepts in Privacy Engineering. Sixteenth International Crisis Management Workshop (CriM'16) and Oulu Winter School.

Silke Holtmanns, Siddharth Prakash Rao, Ian Oliver (2016). User Location Tracking Attacks for LTE Networks Using the Interworking Functionality. Networking 2016: 315-322.

Ian Oliver, Silke Holtmanns (2015). Aligning the Conflicting Needs of Privacy, Malware Detection and Network Protection. TrustCom/BigDataSE/ISPA (1) 2015: 547-554.

Ian Oliver (2014). Privacy Engineering: A Data Flow and Ontological Approach. ISBN-13: 978-1497569713 (Paperback), via Amazon.