E-Commerce Barriers in a Networked World Mike Gurski Senior Policy & Technology Advisor Information & Privacy Commission, Ontario Canada CITO


Page 1: E-Commerce Barriers in a Networked World

E-Commerce Barriers in a Networked World

Mike Gurski
Senior Policy & Technology Advisor
Information & Privacy Commission, Ontario, Canada

CITO, October 10 - 11, 2001

Page 2: E-Commerce Barriers in a Networked World

What the Experts Say

“Lack of privacy holding back e-commerce; FTC holds hearings.”

Business Wire

“90 percent of Web sites fail to comply with basic privacy principles.”

Washington Post

“Due to consumers’ privacy concerns, e-commerce companies lost some $2.8 billion last year.”

Forrester Research

Page 3: E-Commerce Barriers in a Networked World

When Things Go Wrong

Privacy lawsuits and disasters:

• DoubleClick

• Intel Pentium III

• RealNetworks

• Microsoft Hotmail

• Amazon/Alexa

• CD Universe

• Look Communications

• Toysmart

Page 4: E-Commerce Barriers in a Networked World

The Beginning of the Privacy Revolution

Anyone today who thinks the privacy issue has peaked is greatly mistaken…

– Forrester Research, March 5, 2001

It doesn’t take much for people to get really concerned about a particular company’s…privacy practices.

– Johnathan Gaw, IDC Corp. March 29, 2001

Page 5: E-Commerce Barriers in a Networked World

The Threats to Privacy

• Big Brother – Surveillance, control, no private space

• The Trial – Fractured personal data held by uncaring, unknowing authorities

• The Matrix – Technology designs society & society’s perceived reality for its own ends

• Commodification of Human Relationships – Life as the ultimate shopping experience

Page 6: E-Commerce Barriers in a Networked World

Enumerating the Barriers

• Risk of Economic Injury
  – Identity theft
  – Unauthorised use of credit card information

• Unwanted Intrusions
  – Phone calls
  – Computer based spam

Page 7: E-Commerce Barriers in a Networked World

Privacy Drivers

• Large organizations disconnected from clients, gathering detailed data

• Increasing amounts of personal data held, consolidated, used

• New privacy invasive technologies

• Application of a technology paradigm geared to manufactured goods on humans

Page 8: E-Commerce Barriers in a Networked World

Privacy Defined: Think “Use”

Informational Privacy: Data Protection

– Personal control over the collection, use and disclosure of any recorded information about an identifiable individual

– The organisation’s responsibility for data protection and safeguarding personal information in its custody or control.

Page 9: E-Commerce Barriers in a Networked World

[Diagram: Security and Privacy shown as two overlapping domains]

Page 10: E-Commerce Barriers in a Networked World

Privacy and Security: The Difference

[Diagram: Security – Authentication, Data Integrity, Confidentiality, Non-repudiation; Privacy – Data Protection (Fair Information Practices)]

Page 11: E-Commerce Barriers in a Networked World

Fair Information Practices

• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Accuracy
• Safeguards
• Openness
• Individual Access
• Limiting Use, Disclosure, Retention
• Challenging Compliance

Page 12: E-Commerce Barriers in a Networked World

Privacy By Design: Build It In

• Build in privacy – up front, right in the design specifications.

• Minimize the collection and routine use of personally identifiable information – use aggregate or coded information if possible.

• Wherever possible, encrypt – implement anonymity and pseudonymity.

• Assess the risks to privacy: conduct a privacy impact assessment; privacy audit.

• Develop a corporate culture of privacy.

Page 13: E-Commerce Barriers in a Networked World

What to Do About Privacy

The Tools
– Privacy Design Principles*
– Technology Design Principles*
– Privacy Impact Assessment Guide*
– Privacy Architecture and the Privacy Architect*
– Privacy Enhancing Technologies*
– Privacy Diagnostic Tool*

Page 14: E-Commerce Barriers in a Networked World

Privacy Design Principles*: An Example

– Personal data should not be used or disclosed for purposes other than those specified in accordance with Principle 1 except:

– a) with the consent of the data subject, b) by the authority of law, or c) for the safety of the community, including victims and witnesses.

– Generally, personal information should be retained as necessary, but its use must be limited to its original purpose for collection

http://www.ipc.on.ca/english/pubpres/sum%5Fpap/papers/designpr.htm

Page 15: E-Commerce Barriers in a Networked World

Technology Design Principle*

An Example – Use Limitation Principle

• Personal data should not be used or disclosed for purposes other than specified

– Technology Design Principle

• Information systems must be designed to halt unauthorised use. That involves a protocol for tracking who accesses specific information and for what purposes. The circumstances of use need to be recorded and attached to the personal information record.

Page 16: E-Commerce Barriers in a Networked World

Privacy Impact Assessment*

A tool developed by the provincial government to address privacy issues related to information systems. An example of questions under Use Limitation:

– Is personal information used exclusively for the stated purposes and for uses that the average client would consider to be consistent with those purposes? ___

– Are personal identifiers, such as the social insurance number, used for the purposes of linking across multiple databases? ___

– Where data matching or profiling occurs, is it consistent with the stated purposes for which the personal information is collected? ___

– Is there a record of use maintained for any use or disclosure not consistent with original stated purposes? ___

– Is the record of use attached to the personal information record? ___

www.gov.on.ca/MBS/english/fip/pia/pianew.html
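The Technology Design Principle on the previous slide and the PIA questions above describe one mechanism: every use of a personal information record must declare a purpose, a use outside the consented purposes is halted unless a legal exception applies, and the circumstances of every use are recorded and attached to the record itself. The following is an added example, not code from the presentation or from any IPC tool, showing what that looks like in Python. The class and method names (`PersonalRecord`, `UseRecord`, `UseDenied`, `access`, `uses_outside_purpose`) and the sample customer record are this example's own constructions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


class UseDenied(PermissionError):
    """Raised when a use is outside the consented purposes and no legal
    authority is cited: the system halts the use instead of allowing and logging."""


@dataclass(frozen=True)
class UseRecord:
    """The circumstances of one use, stored with the personal information record."""
    actor: str                # who accessed (a service or staff identity)
    purpose: str              # the purpose they declared
    fields: tuple             # which data elements were requested
    outcome: str              # "allowed", "allowed_by_authority" or "denied"
    authority: Optional[str]  # cited legal basis, if any (free text in this example)
    when: str                 # UTC timestamp of the attempt


@dataclass
class PersonalRecord:
    subject_id: str
    data: dict
    consented_purposes: frozenset
    use_log: list = field(default_factory=list)  # the record of use travels with the data

    def access(self, actor: str, purpose: str, fields: tuple,
               authority: Optional[str] = None) -> dict:
        """Return the requested fields if the purpose is permitted.

        Permitted means the data subject consented to this purpose, or the
        caller cites an authority-of-law or safety ground (the exceptions the
        design principle names). Every attempt, permitted or not, is recorded.
        """
        unknown = [f for f in fields if f not in self.data]
        if unknown:
            raise KeyError(f"record {self.subject_id} has no fields {unknown}")
        if purpose in self.consented_purposes:
            outcome = "allowed"
        elif authority:
            outcome = "allowed_by_authority"
        else:
            outcome = "denied"
        self.use_log.append(UseRecord(actor, purpose, tuple(fields), outcome, authority,
                                      datetime.now(timezone.utc).isoformat()))
        if outcome == "denied":
            raise UseDenied(f"{actor} may not use {self.subject_id} for purpose {purpose!r}")
        return {f: self.data[f] for f in fields}

    def uses_outside_purpose(self) -> list:
        """What an auditor reviews: every use not consistent with the original
        stated purposes, whether it was refused or allowed under an authority."""
        return [u for u in self.use_log if u.outcome != "allowed"]


def demo() -> PersonalRecord:
    """Constructed scenario: three accesses against one customer record."""
    rec = PersonalRecord(
        subject_id="cust-001",
        data={"name": "A. Example", "email": "a@example.invalid", "card_last4": "4242"},
        consented_purposes=frozenset({"order_fulfilment", "billing"}),
    )
    rec.access("shipping-svc", "order_fulfilment", ("name",))        # consented: allowed
    try:
        rec.access("marketing-svc", "marketing", ("email",))        # not consented: halted
    except UseDenied:
        pass
    rec.access("fraud-team", "fraud_investigation", ("card_last4",),
               authority="[placeholder: court order reference]")     # exception, recorded
    return rec


if __name__ == "__main__":
    for use in demo().use_log:
        print(use.when, use.actor, use.purpose, use.outcome)
```

The design choice worth noting is that the log entry is appended before the decision is enforced, so a refused use leaves the same trace as a permitted one; the last two PIA questions above (a record of use for inconsistent uses, attached to the record) are answered by `uses_outside_purpose()` reading the record's own log rather than a separate system.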

Page 17: E-Commerce Barriers in a Networked World

What is a Privacy Architect ?

The person responsible for ensuring that the design of a given technology or system or process provides sufficient and appropriate protection of personal information

Courtesy, Peter J. Hope-Tindall
Chief Privacy Architect, dataPrivacy Partners Ltd.

([email protected])

Page 18: E-Commerce Barriers in a Networked World

Privacy Architect Functions

• Identify and define privacy requirements

• Explain privacy concepts to the key personnel

• Analyze technological components and processes

• Evaluate privacy risk characteristics

• Make recommendations to decision-makers about balancing privacy interests

Page 19: E-Commerce Barriers in a Networked World

Privacy Architect - Deliverables

Develop a conceptual, logical and technical privacy architecture which is feasible, cost-effective, of acceptable technological risk, works within the given computer and security architectures and meets the organization’s privacy needs and requirements

Page 20: E-Commerce Barriers in a Networked World

Privacy Architect’s Areas of Action

• Legal
• Policy
• Strategy
• Education
• Technical

Page 21: E-Commerce Barriers in a Networked World

Security Architect Vs. Privacy Architect*

The security architect focuses on access controls and authorized access as defined by the system owner

A risk based approach is generally used and may include multiple layers of passwords, use of biometrics and/or cryptography, and generally an overlay of preventive, detective (reporting) and corrective controls

Page 22: E-Commerce Barriers in a Networked World

Security Architect Vs. Privacy Architect (2)

In contrast, the privacy architect focuses on the collection, use, disclosure and retention of data as mandated by the law and consented to by the individual whose data it is

The system owner is NOT the ultimate authority where privacy is concerned and may in fact be one of the parties from whom the data must be safeguarded

Page 23: E-Commerce Barriers in a Networked World

Risk-based Vs. Capability-based Analysis

• Risk-based analysis – how likely is it to occur

• Capabilities-based analysis – can it possibly happen

• Concept of institutional override

Page 24: E-Commerce Barriers in a Networked World

Relationship between Privacy and Security

In theory, privacy and security may be completely different elements of a system

In practice, security is a facilitator of privacy and an important foundation to it

No matter how excellent security may be, it is never, of itself, sufficient to ensure privacy

Page 25: E-Commerce Barriers in a Networked World

Relationship between Privacy and Internal Controls*

Risk-based context

Good control environment reduces privacy risk

No matter how excellent controls may be, they are never, of themselves, sufficient to ensure privacy

Page 26: E-Commerce Barriers in a Networked World

Capabilities-based Privacy

Theoretically, privacy can be established solely by the use of capabilities-limited technology which is unable by design to do anything to compromise privacy, no matter who may authorize or request it

In practice, total reliance on technology is untenable

Page 27: E-Commerce Barriers in a Networked World

Capabilities-based Privacy

Maintaining good privacy almost always includes establishing good security, maintaining privacy controls (preventive, detective and corrective), and conducting periodic privacy audits, including those aimed at ensuring compliance with the law

Page 28: E-Commerce Barriers in a Networked World

Technical Education for Privacy

To ensure adequate privacy protection in the future, we may have to re-think how we educate our next generation of technologists

The message may have to change from maximum capability and flexibility of design to prescribed capabilities only and privacy-effective design. Don’t collect what you don’t need!

Page 29: E-Commerce Barriers in a Networked World

Privacy Plan*

• Identify current practices
  – Follow the data: collection and use

• Identify the Gaps

• Establish a Centre of Privacy Excellence
  – Internal staff, external advisory body

• Plan for Compliance
  – Schedule implementation, audit, post implementation evaluation

• Plan for non-Compliance
  – Emergency response plan

Page 30: E-Commerce Barriers in a Networked World

Privacy Enhancing Technologies*

Anonymisers, Pseudonymisers, Data Hiding Technologies.
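The Privacy by Design slide asks for aggregate or coded information in place of identifiers and for pseudonymity where possible, and this slide names pseudonymisers as one class of privacy enhancing technology. The following is an added example, not from the presentation, of a small pseudonymiser and aggregator in Python. The sample customer table, the key, the function names (`pseudonymise`, `code_records`, `aggregate`) and the `min_count` threshold are constructed for illustration; the SIN values are made up and only follow the nine-digit shape.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample: a customer table before minimisation. Values are invented.
SAMPLE_CUSTOMERS = [
    {"sin": "123-456-789", "name": "A. Example", "city": "Toronto", "plan": "basic"},
    {"sin": "987-654-321", "name": "B. Example", "city": "Toronto", "plan": "basic"},
    {"sin": "555-555-555", "name": "C. Example", "city": "Ottawa", "plan": "premium"},
    {"sin": "111-222-333", "name": "D. Example", "city": "Toronto", "plan": "basic"},
    {"sin": "444-333-222", "name": "E. Example", "city": "Toronto", "plan": "premium"},
    {"sin": "777-888-999", "name": "F. Example", "city": "Toronto", "plan": "basic"},
]


def pseudonymise(identifier: str, key: bytes, domain: str) -> str:
    """Keyed, domain-separated pseudonym for one identifier.

    HMAC rather than a bare hash: a SIN has only nine digits, so an unkeyed
    hash could be reversed by enumerating every possible value. The domain
    string (e.g. "analytics" vs "billing") gives the same person different
    pseudonyms per purpose, so two tables cannot be joined on the pseudonym.
    """
    msg = domain.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def code_records(records, key: bytes, domain: str, identifier_field: str,
                 drop_fields=()) -> list:
    """Replace the direct identifier with a pseudonym and drop fields not
    needed for this purpose (the 'coded information' of Privacy by Design)."""
    coded = []
    for rec in records:
        out = {k: v for k, v in rec.items()
               if k != identifier_field and k not in drop_fields}
        out["pid"] = pseudonymise(rec[identifier_field], key, domain)
        coded.append(out)
    return coded


def aggregate(records, by_field: str, min_count: int = 3) -> dict:
    """Counts per value of by_field, with small cells suppressed (None) so
    that a category holding one or two people does not single them out."""
    counts = Counter(r[by_field] for r in records)
    return {value: (n if n >= min_count else None) for value, n in counts.items()}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-real-keys-in-a-secret-store"
    for row in code_records(SAMPLE_CUSTOMERS, key, "analytics", "sin", drop_fields=("name",)):
        print(row)
    print(aggregate(SAMPLE_CUSTOMERS, "city"))
```

The per-purpose domain string is what answers the PIA question about identifiers such as the social insurance number being used to link across multiple databases: an analytics extract and a billing extract coded under different domains carry unrelated pseudonyms for the same person. The key must be held apart from the coded data, since whoever holds both can re-derive the pseudonym for any candidate identifier.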

Page 31: E-Commerce Barriers in a Networked World

Privacy Diagnostic*

• A Question & Answer Format
• CD or Web download
• Based on Fair Information Practices
• A good way to take your privacy temperature

Page 32: E-Commerce Barriers in a Networked World

A Closing Thought

“To survive mounting consumer anxiety… firms need to institutionalize their commitment to protecting… customers’ privacy by taking a comprehensive, whole-view approach… The cost of a privacy PR blowout can range from tens of thousands to millions of dollars… and this doesn’t include lost business and damage to the brand.”

– Forrester Research

Page 33: E-Commerce Barriers in a Networked World

How to Contact Us

Mike Gurski

Information & Privacy Commission/Ontario

80 Bloor Street West, Suite 1700

Toronto, Ontario M5S 2V1

Phone: (416) 325-9164

Web: www.ipc.on.ca

E-mail: [email protected]