1 © Nokia 2016
The Fundamentals of
Privacy Engineering
Public
Dr. Ian Oliver
Bell Labs, Finland
21 April 2016
A Lecture Given at the University of Iowa
2 © Nokia 2016
PRIVACY as a legal construct
• "The Right to Privacy" (Warren and Brandeis, 1890)
• EU Data Protection Laws
• Human Rights
• ...
3 © Nokia 2016
PRIVACY as a philosophical construct
• ethics
• morals
• definition
• ...
4 © Nokia 2016
PRIVACY as an economic construct
• cost
• brand value
• $£€
5 © Nokia 2016
PRIVACY as a ...
Privacy by Design
6 © Nokia 2016
PRIVACY as a game theoretic construct
7 © Nokia 2016
Legal <--- *large* semantic gap ---> Engineering
PRIVACY as Systems Engineering
8 © Nokia 2016
From here to here...
9 © Nokia 2016
COMPLIANCE!
10 © Nokia 2016
Privacy compliance
Information asymmetry
Compliance is fragile
11 © Nokia 2016
Compliance is fragile
    char collectDataFlag = 'Y'; // Future proofed boolean: Y for yes, N for no
    void collectDataFunction() {
        // collect IMEI, IMSI, MSISDN, TimeStamp and location
        // and send to the hardcoded IP address...
    }
    void checkDataCollection() {
        switch (collectDataFlag) {
        case 'N': // don't do anything
                  // (no break: falls straight through into the 'Y' case)
        case 'Y': // ok to collect everything
            collectDataFunction();
        }
    }
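As an added example (not from the lecture), the slide's switch rewritten as two functions that report whether collection would run: the fragile original beside a deny-by-default version. The function names and the counting stand-in for collectDataFunction() are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed example (not from the lecture): the slide's consent flag and
 * switch, written twice.  Each function returns whether collection ran.
 * collect_data() stands in for collectDataFunction(); it only counts. */
static int collections = 0;

static void collect_data(void) {
    collections++;   /* the real function would gather IMEI, IMSI, ... */
}

/* The slide's logic: 'N' has no break, so it falls through into 'Y'. */
bool fragile_check(char collect_data_flag) {
    int before = collections;
    switch (collect_data_flag) {
    case 'N':        /* don't do anything ... */
        /* fall through */
    case 'Y':        /* ok to collect everything */
        collect_data();
    }
    return collections > before;
}

/* Hardened form: 'Y' is the only case that collects; 'N', an unset flag
 * or a corrupted value all land in default and collect nothing. */
bool fixed_check(char collect_data_flag) {
    int before = collections;
    switch (collect_data_flag) {
    case 'Y':
        collect_data();
        break;
    default:
        break;       /* deny by default: an unknown value is not consent */
    }
    return collections > before;
}

int main(void) {
    printf("fragile 'N' collects: %d\n", fragile_check('N')); /* 1 */
    printf("fixed   'N' collects: %d\n", fixed_check('N'));   /* 0 */
    printf("fixed  '\\0' collects: %d\n", fixed_check('\0'));  /* 0 */
    return 0;
}
```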
12 © Nokia 2016
Engineers
Lawyers
Privacy Engineering Process
How do we address the privacy engineering problem?
Engineers need to speak to privacy lawyers... and vice versa...
The hard bit, however, is formalising all of this....
13 © Nokia 2016
Engineers
Lawyers
Privacy Engineering Process
How do we address the privacy engineering problem?
14 © Nokia 2016
How do we address the privacy engineering problem?
• Process
15 © Nokia 2016
How do we address the privacy engineering problem?
• Process
• Method (Technique, Skills)
• Requirements
• Ontology
• Modelling
• Metrics
• Culture
Richard Hamming
1915-1998
"The applications of knowledge, especially mathematics, reveal the unity of all knowledge. In a new situation almost anything and everything you ever learned might be applicable, and the artificial divisions seem to vanish."
16 © Nokia 2016
• Requirements
• Ontology & Semantics
• Modelling
• Metrics
• Culture
17 © Nokia 2016
How to derive the requirements framework?
18 © Nokia 2016
Everything you thought information was is wrong...
19 © Nokia 2016
What is an IP address?
20 © Nokia 2016
What’s the semantics of an IP address?
21 © Nokia 2016
What’s the semantics of an IP address?
Which interpretation(s) do you want? ...and when? ...and why?
22 © Nokia 2016
Is this a location? 38°N 97°W
23 © Nokia 2016
38°N 97°W
Toto, I've a feeling we're not in Kansas any more.
24 © Nokia 2016
http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/
Is this a location? 38°N 97°W == NULL
25 © Nokia 2016
E-mail address as a login ID....
26 © Nokia 2016
E-mail address as a login ID....
...the proof is left as an exercise to the reader.
31 © Nokia 2016
(diagram) Data (Type, Usage, Purpose, Provenance, Identity) --classified by--> Requirement Aspects --mapped to--> Requirements --mapped to--> Risks --calculates--> Risk Metric
32 © Nokia 2016
(diagram) Data (Type, Usage, Purpose, Provenance, Identity) --classified by--> Requirement Aspects --mapped to--> Requirements --mapped to--> Risks --calculates--> Risk Metric, with a Feedback loop back to the Requirement Aspects
34 © Nokia 2016
Probably not PII / Probably PII
35 © Nokia 2016
An app that takes a photo and shares it *and* stores it in the cloud....
...you probably have at least one of these on your mobile device...
43 © Nokia 2016
Engineering comprises: Modelling, Method, Ontology, Analysis
44 © Nokia 2016
There are no [good/usable] metrics for privacy
45 © Nokia 2016
There are no [good/usable] metrics for privacy
There are some frameworks, e.g. NIST
46 © Nokia 2016
Increasing amount of risk
Take the maximal value of risk for any given combination of fields
This has all the properties of a metric
Ian Oliver, Silke Holtmanns (2015). Aligning the Conflicting Needs of Privacy, Malware Detection and Network Protection. TrustCom'15
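As an added illustration (not from the lecture or the cited paper) of the rule on this slide: the maximum over field combinations computed for the photo-sharing app of slide 35. The identity levels, risk levels, the pairing rule and the sample record are all assumptions; only the max-over-combinations rule is the slide's.

```c
#include <stdio.h>

/* Constructed example (not from the lecture).  Fields carry the Identity
 * aspect of the slides' ontology plus a standalone risk level; the levels,
 * the pairing rule and the sample record are assumptions.  Only the rule
 * "take the maximal risk over any combination of fields" is the slide's. */
enum identity { ANONYMOUS = 0, PSEUDONYMOUS = 1, IDENTIFIED = 2 };
enum risk { NONE = 0, LOW = 1, MEDIUM = 2, HIGH = 3 };
struct field {
    const char *name;
    enum identity identity;  /* who the field can point at */
    enum risk standalone;    /* risk of the field on its own */
};

/* Assumed rule: a pseudonymous/identified field paired with a field that is
 * at least MEDIUM alone re-identifies someone, so the pair rates HIGH. */
static enum risk pair_risk(const struct field *a, const struct field *b) {
    if ((a->identity >= PSEUDONYMOUS || b->identity >= PSEUDONYMOUS) &&
        (a->standalone >= MEDIUM || b->standalone >= MEDIUM))
        return HIGH;
    return a->standalone > b->standalone ? a->standalone : b->standalone;
}

/* The metric itself: maximum over every single field and every pair. */
enum risk dataset_risk(const struct field *f, int n) {
    enum risk r = NONE;
    for (int i = 0; i < n; i++) {
        if (f[i].standalone > r) r = f[i].standalone;
        for (int j = i + 1; j < n; j++) {
            enum risk p = pair_risk(&f[i], &f[j]);
            if (p > r) r = p;
        }
    }
    return r;
}

/* Constructed record for the photo-sharing app of slide 35. */
const struct field photo_app[] = {
    { "timestamp",    ANONYMOUS,    LOW    },
    { "device_id",    PSEUDONYMOUS, LOW    },
    { "gps_location", ANONYMOUS,    MEDIUM },
};

int main(void) {
    /* Adding a field never lowers the value: max is monotone. */
    printf("1 field: %d, 2 fields: %d, 3 fields: %d\n",
           dataset_risk(photo_app, 1), dataset_risk(photo_app, 2),
           dataset_risk(photo_app, 3));           /* 1, 1, 3 */
    return 0;
}
```

Two LOW fields that are harmless alone push the record to HIGH once the pseudonymous device id sits next to the location, which is the point of taking the maximum over combinations rather than over single fields.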
48 © Nokia 2016
Overconstrained systems: Refinement, Retrenchment
Architecting/Engineering
(diagram) Data (Type, Usage, Purpose, Provenance, Identity), Requirements, Risks, Risk Metric
50 © Nokia 2016
privacy breach
54 © Nokia 2016
http://www.healthbeatblog.com/2011/05/doctors-heroes-or-members-of-a-pit-crew/
Atul Gawande, 2011
55 © Nokia 2016
"We in privacy, however, have been slow to grasp ... how the volume of information has changed our work and responsibilities..." he added, "The rapid growth in information collection is not just a difference in degree but a difference in kind ... the reality is that privacy's complexity has exceeded our individual capabilities as privacy advocates."
56 © Nokia 2016
There can be no [privacy] heroes
James Reason, The Human Contribution
(with modification by author)
57 © Nokia 2016
The fundamental theorem of privacy
58 © Nokia 2016
The fundamental theorem of privacy

$$\left( D_1 \times \cdots \times D_n \right)\Big|_{t_0}^{t_1} < \varepsilon_U$$

$D_1, \ldots, D_n$ is a set of linkable data sets, $t_0$ and $t_1$ define an extract over those sets, and $\varepsilon$ is an entropy threshold for a given "universe" $U$.
Actually it is a LOT more complex than this, but there's fame and glory for the person who writes down the correct equation.
59 © Nokia 2016
Summary
• Shared Ontology
• Modelling
• Requirements
• Analysis
• (Libraries and Patterns)
• Metrics and Risk
• Culture
• The Fundamental Equation of Privacy
not discussed in this presentation