privacy engineering tutorial (trustcom2015)

Upload: ian-oliver

Post on 10-Jan-2017

TRANSCRIPT

1 © Nokia Solutions and Networks 2014

Privacy Engineering

PUBLIC

Dr Ian Oliver

Security Research, Nokia Networks

7 April 2015

Contents

• Quick Introduction & Contents
  • A note on Privacy by Design
• Data Flow Modelling
  • Language and its semantics
  • Analysis
• Ontology and Terminology
  • What's wrong with "PII" and "Personal Data"
  • Ontologies of Information, Requirements and Risk
• Requirements Engineering
  • Aspects, Development Flow and Privacy Ontologies
• Risk
  • Information classes
  • The role of modelling and terminology
  • Analysis, FMEA, RCA
  • Metrics
  • Differential Privacy, k-Anon, l-Div etc
  • Hashing, and the identifier problem
  • Encryption
• Culture
  • Aviation, Surgery (!)
  • Privacy as a safety-critical concern
• Summary and Questions

Dataflow Modelling

Data Flow Modelling – Basic Syntax and Semantics

Data Flow Modelling – Partitioning

Data Flow Modelling – Annotations

Data Flow Modelling – Analysis

• Processes 'preserve' information
• Boundary Crossing
• Policy Calculation
  • (and therefore Policy Generation)

Data Flow Modelling – Annotations

Ontology and Terminology

Personal Data and PII are the worst terms you can have for describing data.
These terms should be banned! Never use them!

The fact that an information set contains Personal Data or PII is derived or calculated from the information type, usage, purpose, provenance, jurisdiction etc. of the information set's contents.
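The data flow analysis listed earlier (processes preserving information, boundary crossing, policy calculation) and the point above that "personal" is a derived property, as an added Python example that is not from the tutorial: a toy data flow model whose nodes sit in partitions, whose flows carry annotated information sets, and whose obligations are calculated from the model rather than declared. The identifying types, the three obligations and the sample telco model are assumptions made for this demonstration, not the tutorial's notation.

```python
from collections import namedtuple

# Assumed for this demo: which information types count as identifying.
IDENTIFYING = frozenset({"name", "email", "imsi", "msisdn", "location"})

# Flow annotation: what is carried, why, where it came from, which jurisdiction applies.
InfoSet = namedtuple("InfoSet", "types purpose provenance jurisdiction")
# Process or store, placed in a partition of the model, with the purposes it may serve.
Node = namedtuple("Node", "name partition jurisdiction purposes")
Flow = namedtuple("Flow", "src dst info")

def is_personal(info):
    """Derived, not declared: personal iff it came from a person and carries an identifying type."""
    return info.provenance == "subscriber" and bool(info.types & IDENTIFYING)

def process(info, drop=frozenset()):
    """Processes 'preserve' information: purpose, provenance and jurisdiction are inherited,
    so renaming or hashing a field changes nothing; only explicitly dropped types disappear."""
    return InfoSet(info.types - drop, info.purpose, info.provenance, info.jurisdiction)

def policy_for(f):
    """Policy calculation: obligations the flow must satisfy, computed from the model."""
    reqs = []
    if not is_personal(f.info):
        return reqs
    if f.src.partition != f.dst.partition:          # boundary crossing
        reqs.append("encrypt-in-transit")
    if f.info.jurisdiction != f.dst.jurisdiction:    # data leaves its jurisdiction
        reqs.append("cross-border-transfer-basis")
    if f.info.purpose not in f.dst.purposes:         # purpose limitation
        reqs.append("purpose-limitation-violation")
    return reqs

def analyse(flows):
    """Policy generation: one obligation list per flow in the model."""
    return [(f.src.name, f.dst.name, policy_for(f)) for f in flows]

# Constructed sample model: a telco billing chain plus an external analytics partner.
mediation = Node("mediation", "operator-core", "EU", frozenset({"billing"}))
billing = Node("billing", "operator-core", "EU", frozenset({"billing"}))
analytics = Node("analytics", "partner-cloud", "US", frozenset({"analytics"}))
cdr = InfoSet(frozenset({"msisdn", "location"}), "billing", "subscriber", "EU")
aggregate = InfoSet(frozenset({"cell-count"}), "analytics", "derived", "EU")
SAMPLE_FLOWS = [Flow(mediation, billing, cdr),                              # stays inside the core
                Flow(billing, analytics, process(cdr, drop={"msisdn"})),    # still personal: location
                Flow(billing, analytics, aggregate)]                        # derived counts only
```

Dropping the MSISDN before the second flow does not change its classification, because location from a subscriber is still identifying; only the derived aggregate crosses the partition with no obligations.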

Common Terminology and Meaning is CRITICAL to a shared understanding between all privacy parties (lawyers, engineers, advocates).

Requirements Engineering

Scary truth for privacy lawyers: You are all requirements engineers!


Ontology class × Requirements Aspect × Level of Abstraction × Specific/Edge Cases

Patterns

Another scary truth for privacy lawyers: Policies are Requirements. Furthermore, Requirements are Policies!

Requirements Engineering – diagram labels:

• increasing strength of requirements or decreasing risk
• beyond here we cannot construct a system
• the sum of all our requirements
• zone of acceptable risk
• retrenchment of requirements

Risk

Privacy Engineering is about managing risk through a well-defined, rigorous process of construction and measurement encompassing all abstraction levels.

• lawyers call this due diligence
• engineers call this "good engineering"
• privacy advocates call this "woo yeah!! privacy baby!!"

We do not have simple metrics for risk, other than potential cost in financial terms.

The role of modelling and terminology

Failure Mode and Effect Analysis

Anonymisation

• k-anonymisation
• l-diversity
• Differential Privacy
• Hashing
• Encryption

Syntactical Changes, e.g. Hashing

Culture

Privacy should be, must become, a safety-critical aspect of engineering.

Privacy Engineering Culture is about managing, quantifying and qualifying risk, not eliminating it.

Summary


The End