Protection Goals for Privacy Engineering · 2015-05-29 · slide transcript
www.datenschutzzentrum.de
PROTECTION GOALS FOR PRIVACY ENGINEERING
Marit Hansen, Meiko Jensen, and Martin Rost
International Workshop on Privacy Engineering
May 21, 2015

Outline
• Security Protection Goals
• Privacy Protection Goals
• Three Axes
• Conclusion

Security Protection Goals

Confidentiality
“The protection goal of Confidentiality is defined as the property that (privacy-relevant) data and services that process such data cannot be accessed by unauthorized entities.”

Confidentiality
…in other words:
• Secrecy
• Non-Disclosure
• Access Restrictions
• Security Clearances
• Data Minimization
• Steganography
• Unobservability

Confidentiality
Implementation Techniques:
• Data Encryption
  in transit (TLS, HTTPS, SSH, …)
  at rest (PGP, S/MIME, TrueCrypt, …)
  …
• Data Segregation
  Secret Sharing, Secure Multiparty Computations
  Onion Routing
• Access Control Enforcement

Integrity
“The protection goal of Integrity is defined as the property that (privacy-relevant) data and services that process such data cannot be modified in an unauthorized or undetected manner.”

Integrity
…in other words:
• Authenticity
• Detection of Data Changes
• Non-Repudiation
• Reliability

Integrity
Implementation Techniques:
• Digital Signatures
  RSA, ElGamal
  Message Authentication Codes
  …
• Hash Values
• Access Control Enforcement
• Watchdogs / Canaries
• Two-Man Rules

Availability
“The protection goal of Availability is defined as the property that access to (privacy-relevant) data and to services that process such data is always granted in a comprehensible, processable, timely manner.”

Availability
…in other words:
• Redundancy
• Monitoring of Availability
• Responsiveness
• Accessibility
• Uptime

Availability
Implementation Techniques:
• Backups
• Load Balancers
• Failovers
• Redundant Components
• Avoidance of Single Points of Failure
• Watchdogs / Canaries

Privacy Protection Goals

Unlinkability
“The protection goal of Unlinkability is defined as the property that privacy-relevant data cannot be linked across domains that are constituted by a common purpose and context.”

Unlinkability
…in other words:
• Data Minimization
• Necessity / Need-to-Know
• Purpose Binding
• Separation of Power
• Unobservability
• Undetectability

Unlinkability
Implementation Techniques:
• Data Avoidance / Reduction
• Access Control Enforcement
• Generalization
  Anonymization/Pseudonymization
  Abstraction
  Derivation
• Separation / Isolation
• Avoidance of Identifiers
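A worked illustration of purpose-bound pseudonymisation, added here and not part of the authors' slides: one derived key per purpose/context domain keeps records joinable inside a domain but unlinkable across domains, and the remaining quasi-identifiers are generalised. The master secret, the domain labels and the sample records are constructed for the example.

```python
import hashlib
import hmac

# Constructed demo secret. In a deployment this sits in a KMS/HSM and is
# reachable only by the component that performs the pseudonymisation.
MASTER_SECRET = b"constructed-demo-master-secret-not-for-production"

def domain_key(master: bytes, domain: str) -> bytes:
    """Derive one key per purpose/context domain (labelled HMAC), so each
    domain can be operated with its own key and nobody needs all of them."""
    label = b"pseudonym-domain:" + domain.encode("utf-8")
    return hmac.new(master, label, hashlib.sha256).digest()

def pseudonymise(identifier: str, domain: str, master: bytes = MASTER_SECRET) -> str:
    """Keyed, deterministic pseudonym. Equal identifiers inside one domain
    give equal pseudonyms (records stay joinable for that purpose); another
    domain key gives an unrelated value, so two domains cannot be joined by
    pseudonym. Unlike a plain hash, a candidate identifier cannot be
    recomputed and compared without the domain key."""
    key = domain_key(master, domain)
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

def generalise(record: dict) -> dict:
    """Generalisation of quasi-identifiers: age to a 10-year band, postcode
    to its leading two digits. The direct identifier is not copied over."""
    decade = record["age"] // 10 * 10
    return {"age_band": f"{decade}-{decade + 9}",
            "postcode_area": record["postcode"][:2] + "xxx"}

def release(records: list, domain: str) -> list:
    """Prepare a data set for one purpose domain: direct identifier replaced
    by the domain pseudonym, remaining attributes generalised."""
    return [{"pid": pseudonymise(r["email"], domain), **generalise(r)}
            for r in records]

def shared_pseudonyms(release_a: list, release_b: list) -> int:
    """Number of pseudonyms two releases have in common, i.e. how many
    records could be linked between them by pseudonym alone."""
    return len({r["pid"] for r in release_a} & {r["pid"] for r in release_b})

# Constructed sample data set.
PEOPLE = [
    {"email": "alice@example.org", "age": 34, "postcode": "24103"},
    {"email": "bob@example.org", "age": 52, "postcode": "10115"},
]

if __name__ == "__main__":
    billing, research = release(PEOPLE, "billing"), release(PEOPLE, "research")
    print("linkable inside billing:", shared_pseudonyms(billing, release(PEOPLE, "billing")))
    print("linkable across domains:", shared_pseudonyms(billing, research))
```

Separation / Isolation from the slide maps onto keeping each domain key with the team that runs that domain; whoever holds only the "research" key cannot rebuild the "billing" pseudonyms.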

Unlinkability
Think of it as … (illustration slide)

Transparency
“The protection goal of Transparency is defined as the property that all privacy-relevant data processing – including the legal, technical, and organizational setting – can be understood and reconstructed at any time.”

Transparency
…in other words:
• Openness
• Accountability
• Documentation
• Reproducibility
• Notice (and Choice)
• Auditability
• Full Disclosure

Transparency
Implementation Techniques:
• Logging and Reporting
• User Notifications
• Documentation
• Status Dashboards
• Privacy Policies
• Transparency Services for Personal Data
• Data Breach Notifications

Transparency
Think of it as … (illustration slide)

Intervenability
“The protection goal of Intervenability is defined as the property that intervention is possible concerning all ongoing or planned privacy-relevant data processing.”

Intervenability
…in other words:
• Self-determination
• User Controls
• Rectification or Erasure of Data
• (Notice and) Choice
• Consent Withdrawal
• Claim Lodging / Dispute Raising
• Process Interruption

Intervenability
Implementation Techniques:
• Configuration Menu
• Help Desks
• Stop Button for Processes
• Break-Glass / Alert Procedures
• System Snapshots
• Manual Override of Automated Decisions
• External Supervisory Authorities (DPAs)

Intervenability
Think of it as … (illustration slide)

Three Axes

Confidentiality <-> Availability
Confidentiality
  No access to data
  No access to services
  Authorized entities only
Availability
  Full access to data
  Full access to services
  Everybody

Integrity <-> Intervenability
Integrity
  No changes to data
  No changes to process
  Defined by processor
Intervenability
  All types of changes
  Full process flexibility
  Defined by individual

Unlinkability <-> Transparency
Unlinkability
  No linkable data
  No disclosure of process
  Need-to-Know
Transparency
  Full linkability of data
  Full disclosure of process
  Want-to-Know

The Six-Pointed Star
(Diagram: the six goals Integrity, Confidentiality, Unlinkability, Intervenability, Transparency and Availability are arranged as the points of a six-pointed star; each of the three axes above joins a pair of opposite points.)

Conclusion
• Protection Goals have proven very useful:
  for Implementers
  for Lawyers
  for Data Protection Authorities
  for Users
• Privacy Protection Goals:
  Unlinkability
  Transparency
  Intervenability
(Star diagram with the abbreviations I, C, U, Iv, T, A.)

References
Shaping the Future of Electronic Identity (www.futureid.eu), partly funded by EU FP7, GA n° 318424
Forum Privatheit und selbstbestimmtes Leben in der Digitalen Welt (Privacy Forum Germany, www.forum-privatheit.de), partly funded by the German Federal Ministry of Education and Research

Thank You!
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Phone: 0431 988 – 1200
http://www.datenschutzzentrum.de/
Protection Goals for Privacy Engineering
Marit Hansen, Meiko Jensen, and Martin Rost