privacy engineering tutorial (trustcom2015)
TRANSCRIPT
© Nokia Solutions and Networks 2014
Privacy Engineering
PUBLIC
Dr Ian Oliver
Security Research, Nokia Networks
7 April 2015
Contents
• Quick Introduction & Contents
  • A note on Privacy by Design
• Data Flow Modelling
  • Language and its semantics
  • Analysis
• Ontology and Terminology
  • What's wrong with "PII" and "Personal Data"
  • Ontologies of Information, Requirements and Risk
• Requirements Engineering
  • Aspects, Development Flow and Privacy Ontologies
• Risk
  • Information classes
  • The role of modelling and terminology
  • Analysis, FMEA, RCA
  • Metrics
  • Differential Privacy, k-Anon, l-Div etc
  • Hashing, and the identifier problem
  • Encryption
• Culture
  • Aviation, Surgery (!)
  • Privacy as a safety-critical concern
• Summary and Questions
Dataflow Modelling
Data Flow Modelling - Analysis
• Processes 'preserve' information
• Boundary Crossing
• Policy Calculation
  • (and therefore Policy Generation)
Ontology and Terminology
Personal Data and PII
are the worst terms you can have for describing data
these terms should be banned! never use them!
Personal Data and PII
The fact that an information set contains Personal Data or PII
is derived or calculated from:
the information type, usage, purpose, provenance, jurisdiction etc. of the information set's contents
Common Terminology and Meaning
is CRITICAL
to a shared understanding between all privacy parties
(lawyers, engineers, advocates)
Requirements Engineering
Scary truth for privacy lawyers: You are all requirements engineers!
Ontology class x Requirements Aspect x Level of Abstraction
x Specific/Edge Cases
Patterns
Another scary truth for privacy lawyers: Policies are Requirements. Furthermore, Requirements are Policies!
35 © Nokia Solutions and Networks 2014
Requirements Engineering
PUBLIC
increasing strength of requirements or
decreasing risk
36 © Nokia Solutions and Networks 2014
Requirements Engineering
PUBLIC
increasing strength of requirements or
decreasing risk
beyond here we can not construct a system
37 © Nokia Solutions and Networks 2014
Requirements Engineering
PUBLIC
increasing strength of requirements or
decreasing risk
beyond here we can not construct a system
the sum of all our requirements
38 © Nokia Solutions and Networks 2014
Requirements Engineering
PUBLIC
[Figure: requirements-versus-risk curve. Labels: increasing strength of requirements or decreasing risk; beyond here we cannot construct a system; the sum of all our requirements; zone of acceptable risk; retrenchment of requirements]
Risk
Privacy Engineering is about managing risk through a well-defined, rigorous process of construction and measurement encompassing all abstraction levels.
• lawyers call this due diligence
• engineers call this "good engineering"
• privacy advocates call this "woo yeah!! privacy baby!!"
We do not have simple metrics for risk, other than potential cost in financial terms.
Anonymisation
• k-anonymisation
• l-diversity
• Differential Privacy
• Hashing
• Encryption
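As an added illustration of two of the anonymisation metrics listed above (k-anonymity and l-diversity), not part of the original tutorial: a small Python checker that measures both metrics over a constructed patient table, then shows how generalising one quasi-identifier moves them. The column names, the rows and the district-to-city mapping are all constructed for this example.

```python
from collections import defaultdict

# Constructed sample release (not real data): two quasi-identifiers
# (age band, postcode district) and one sensitive attribute (diagnosis).
RELEASE = [
    {"age": "20-29", "postcode": "SW1", "diagnosis": "flu"},
    {"age": "20-29", "postcode": "SW1", "diagnosis": "asthma"},
    {"age": "20-29", "postcode": "SW1", "diagnosis": "flu"},
    {"age": "30-39", "postcode": "N1", "diagnosis": "flu"},
    {"age": "30-39", "postcode": "N1", "diagnosis": "flu"},
    {"age": "30-39", "postcode": "E2", "diagnosis": "cancer"},
]
QUASI_IDS = ("age", "postcode")
SENSITIVE = "diagnosis"

def equivalence_classes(rows, quasi_ids):
    """Group rows that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for row in rows:
        classes[tuple(row[q] for q in quasi_ids)].append(row)
    return classes

def k_anonymity(rows, quasi_ids):
    """k = size of the smallest equivalence class; k == 1 means someone is unique."""
    return min(len(c) for c in equivalence_classes(rows, quasi_ids).values())

def l_diversity(rows, quasi_ids, sensitive):
    """l = fewest distinct sensitive values in any class; l == 1 means the
    sensitive attribute is disclosed for everyone in that class."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(rows, quasi_ids).values())

def generalise(rows, column, mapping):
    """Coarsen one quasi-identifier (e.g. district -> city) without mutating the input."""
    return [dict(r, **{column: mapping.get(r[column], r[column])}) for r in rows]

# Constructed generalisation: collapse the three districts into one city.
TO_CITY = {"SW1": "London", "N1": "London", "E2": "London"}

def report(rows=RELEASE):
    """Return (k, l) before and (k, l) after generalising the postcode column."""
    coarser = generalise(rows, "postcode", TO_CITY)
    return (k_anonymity(rows, QUASI_IDS), l_diversity(rows, QUASI_IDS, SENSITIVE),
            k_anonymity(coarser, QUASI_IDS), l_diversity(coarser, QUASI_IDS, SENSITIVE))

if __name__ == "__main__":
    print("k, l before / after generalisation:", report())  # (1, 1, 3, 2)
```

Before generalisation the single 30-39/E2 row is unique (k = 1) and the 30-39/N1 class is all "flu" (l = 1); after collapsing districts to the city, every class has three members and two diagnoses, which is the kind of measurable statement the Metrics bullet above is asking for.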
Culture
Privacy should be, and must become, a safety-critical aspect of engineering
Privacy Engineering Culture is about managing, quantifying and qualifying risk,
not eliminating it