privacy engineering tietosuojavataava2_lakikoulutus_oliver_14feb2014_public
TRANSCRIPT
1 © Nokia 2016
Privacy Engineering: A very quick and incomplete introduction
Public
Dr. Ian Oliver
Bell Labs, Finland
14 February 2017
A Lecture Given at Tietosuojavastaava 2.0, Helsinki, Finland
PRIVACY as a legal construct
• “The Right to Privacy” (Warren and Brandeis, 1890)
• EU Data Protection Laws
• Human Rights
• ...
Privacy compliance
Information asymmetry
Compliance is fragile
Compliance is fragile
char collectDataFlag = 'Y'; // Future proofed boolean: Y for yes, N for no

void collectDataFunction() {
    // collect IMEI, IMSI, MSISDN, TimeStamp and location
    // and send to the hardcoded IP address...
}

void checkDataCollection() {
    switch (collectDataFlag) {
        case 'N': // don't do anything
                  // (no break here, so 'N' falls straight through into the 'Y' case)
        case 'Y': // ok to collect everything
            collectDataFunction();
    }
}
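An added example, not from the slides: the fragile check above reduced to a predicate, placed next to a hardened form in which every branch terminates explicitly and an unknown flag value denies collection. The function names are assumptions.

```c
#include <stdbool.h>

/* Flag values as on the slide: 'Y' collect, 'N' do not. (Example code, not
   from the deck; the function names are assumptions.) */
enum { COLLECT_NO = 'N', COLLECT_YES = 'Y' };

/* The slide's check reduced to a predicate. Case 'N' has no break, so control
   falls through into case 'Y' and the opt-out silently collects anyway. */
bool fragile_should_collect(char flag) {
    bool collect = false;
    switch (flag) {
        case COLLECT_NO:  /* intended: do nothing */
        case COLLECT_YES: /* ok to collect everything */
            collect = true;
    }
    return collect;
}

/* Hardened form: every branch returns explicitly and the default denies, so a
   corrupted or unexpected flag value (a lower-case 'y', a stale '\0') fails
   toward not collecting rather than toward collecting. */
bool should_collect(char flag) {
    switch (flag) {
        case COLLECT_YES:
            return true;
        case COLLECT_NO:
        default:
            return false;
    }
}

/* Compares both checks over every possible byte value and returns how many
   inputs they disagree on; each disagreement is a value on which the fragile
   version collects data it should not. */
int count_disagreements(void) {
    int n = 0;
    for (int c = 0; c < 256; c++)
        if (fragile_should_collect((char)c) != should_collect((char)c))
            n++;
    return n;
}
```

A unit test that asserts `should_collect('N')` is false is the cheapest regression guard for this class of bug; the fall-through version fails it immediately.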
How do we address the privacy engineering problem?
• Process
• Method (Technique, Skills)
• Requirements
• Ontology
• Modelling
• Metrics
• Culture
Richard Hamming1915-1998
The applications of knowledge, especially mathematics, reveal the unity of all knowledge. In a new situation almost
anything and everything you ever learned might be applicable, and the artificial divisions seem to vanish.
Stop using the term
“Personal Data”
What is an IP address?
What’s the semantics of an IP address?
Which interpretation(s) do you want?
...and when? ...and why?
Is this a location? 38°N 97°W
38°N 97°W
Toto, I've a feeling we're not in Kansas any more.
http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/
Is this a location? 38°N 97°W == NULL
E-mail address as a login ID....
...left as an exercise to the reader.
Probably not personal data / Probably personal data
Warning: Highly Simplified!
Worked example:
An app that takes a photo and shares it *and* stores it in the cloud....
...you probably have at least one of these on your mobile device...
Metrics for privacy are “mathematically” hard
Simple rule of thumb: Take the maximal value of risk for any given combination of fields
This has all the properties of a metric
Overconstrained Systems
Risk Management through FMEA analysis
[Chart: amount of information (y-axis) against amount of anonymisation (x-axis)]
[Chart, annotated: sufficiently and correctly applied]
[Chart, annotated: NOT sufficiently anonymised / Sufficiently anonymised]
[Chart, annotated: Useful / NOT useful]
[Chart]
With luck your useful data will be sufficiently anonymised
● Suppression
● Hashing
● Encryption
● “Noise”
● Aside: Maintaining Links for enabling revocation of consent to use
● Equivalence Classes
● K-Anon, l-Div, t-Close, etc...
● Differential Privacy
● ...
[Lattice of structures]
ID x LOCATION x TIME
ID x LOCATION   ID x TIME   LOCATION x TIME
ID   LOCATION   TIME
Rules of Thumb:
Practically all data sets can be reduced down to structures involving identities, locations and timestamps.
Identifying the structures (which will likely be overlapping) is hard.
Each individual structure has its own “privacy properties” and links to others (principal component analysis).
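An added example (not from the lecture) that ties the information-versus-anonymisation charts to the ID x LOCATION x TIME rule of thumb: a constructed LOCATION x TIME table with IDs already suppressed is measured before and after generalising both quasi-identifiers, and k-anonymity rises while the number of distinct tuples, used here as a crude proxy for usefulness, falls. The sample rows, the generalisation hierarchy and the function names are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>
/* Constructed sample: ID suppressed, LOCATION x TIME kept as quasi-identifiers. */
typedef struct { char location[32]; char time[32]; } Record;
static const Record SAMPLE[] = {
    {"Helsinki/Kallio", "2017-02-14T09:17"}, {"Helsinki/Toolo", "2017-02-14T09:42"},
    {"Helsinki/Kallio", "2017-02-14T18:05"}, {"Espoo/Otaniemi", "2017-02-14T08:50"},
    {"Espoo/Tapiola", "2017-02-14T17:30"},   {"Espoo/Otaniemi", "2017-02-14T08:55"},
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])
static int same_tuple(const Record *a, const Record *b) {
    return strcmp(a->location, b->location) == 0 && strcmp(a->time, b->time) == 0;
}
/* k-anonymity: size of the smallest group of rows sharing one quasi-identifier
   tuple. k == 1 means some row is unique, i.e. NOT sufficiently anonymised. */
size_t k_anonymity(const Record *rows, size_t n) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        size_t count = 0;
        for (size_t j = 0; j < n; j++) count += same_tuple(&rows[i], &rows[j]);
        if (k == 0 || count < k) k = count;
    }
    return k;
}
/* Distinct tuples: a crude proxy for how much information (usefulness) survives. */
size_t distinct_tuples(const Record *rows, size_t n) {
    size_t d = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < i && !same_tuple(&rows[i], &rows[j])) j++;
        if (j == i) d++; /* no earlier row carries this tuple */
    }
    return d;
}
/* Generalise in place: "Helsinki/Kallio" -> "Helsinki", "2017-02-14T09:17" -> "2017-02-14". */
void generalise_table(Record *rows, size_t n) {
    for (size_t i = 0; i < n; i++) {
        char *p;
        if ((p = strchr(rows[i].location, '/')) != NULL) *p = '\0';
        if ((p = strchr(rows[i].time, 'T')) != NULL) *p = '\0';
    }
}
/* Measure a working copy of the sample (raw or generalised): k when want_distinct == 0, else distinct count. */
size_t measure_sample(int generalised, int want_distinct) {
    Record rows[NSAMPLE];
    memcpy(rows, SAMPLE, sizeof SAMPLE);
    if (generalised) generalise_table(rows, NSAMPLE);
    return want_distinct ? distinct_tuples(rows, NSAMPLE) : k_anonymity(rows, NSAMPLE);
}
```

Raw, every (district, minute) tuple is unique (k = 1, 6 distinct tuples); after generalisation k = 3 but only 2 distinct tuples remain, which is the trade-off the charts draw.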
Exercise 1:
● Describe how to “sufficiently” anonymise the following data points
● Which can be recovered after anonymisation?
● Which can be combined (even after anonymisation)?
● Which can be used as identifiers – either wholly, partially or composite?
● Which can be used as locations, and which infer locations?
● When do these need to be anonymised?
● Define “sufficiently” for each individually and then in combinations
● When do you apply suppress, hash, encrypt, k-anon, diff Priv etc?
Your name
Your country of birth
Your date of birth
Your home router/computer’s MAC address
Your home router/computer’s IP address
Your mobile phone number
Your IMEI (mobile device identifier)
Your shopping list
Your web browsing history
Your web browser identification string
Number of children
Your medical records (complete)
Finland’s citizens’ medical records
Your heart rate, blood pressure etc
Your exercise route
Your car’s movements (traffic management)
Your last speeding/parking ticket
Your web server logs
Your mobile phone bill
Your email address
Your password
Your credit card number
Your credit card usage
Your login-ID
Your holiday travel plans
The information you send via the US ESTA Programme
The attendance to this lecture
The attendance to this lecture plus each attendee’s route here
Your usage of public transport
Your social media postings (FB, Twitter etc)
Your shared media (photos)
Exercise 2
What are the properties of a data set (and its subsets) that make that data “personal data”?
Discuss.
Standard “safety-critical” system tooling & techniques
FMEA, RCA, etc
Summary
• Terminology and Ontology
• Modelling
• Requirements
• Analysis
• Metrics and Anonymisation
• Culture
Additional Material
https://www.bell-labs.com/usr/ian.oliver
Ian Oliver (2016). Experiences in the Development and Usage of a Privacy Requirements Framework. Requirements Engineering 2016, Beijing, China
Ian Oliver, Yoan Miche (2016). On the Development of A Metric for Quality of Information Content over Anonymised Data-Sets. Quatic 2016, Lisbon, Portugal
Ian Oliver (2016). Using Safety-Critical Concepts in Privacy Engineering. Sixteenth International Crisis Management Workshop (CriM'16) and Oulu Winter School
Silke Holtmanns, Siddharth Prakash Rao, Ian Oliver (2016) User location tracking attacks for LTE networks using the interworking functionality. Networking 2016: 315-322
Ian Oliver, Silke Holtmanns (2015) Aligning the Conflicting Needs of Privacy, Malware Detection and Network Protection. TrustCom/BigDataSE/ISPA (1) 2015: 547-554
Ian Oliver (2014). Privacy Engineering: A Data Flow and Ontological Approach. ISBN-13: 978-1497569713 (Paperback) via Amazon