Privacy Engineering: Closing the gap between Privacy by Design and implementation. Tomi Mikkonen | CTO, Privaon Corp | [email protected] | @tmikkone. Antti Vähä-Sipilä | Software Security Guy, F-Secure | [email protected] | @anttivs. IAPP Europe Data Protection Congress 2014, BRUSSELS | 18–20 NOVEMBER

Upload: tomi-mikkonen

Post on 02-Jul-2015


DESCRIPTION

Closing the gap between Privacy by Design and implementation. If Privacy by Design provides the “what” to do, then privacy engineering provides the “how” to do it. (Ann Cavoukian)

TRANSCRIPT

Page 1: Privacy Engineering

Privacy Engineering

Closing the gap between Privacy by Design and implementation

Tomi Mikkonen | CTO, Privaon | [email protected] | @tmikkone

Antti Vähä-Sipilä | Software Security Guy, F-Secure | [email protected] | @anttivs

IAPP Europe Data Protection Congress 2014, BRUSSELS | 18–20 NOVEMBER

Page 2: Privacy Engineering

Context

Privacy Program

Strategy

Governance

Principles

Requirements

Implementation

Assurance

Monitoring

Privacy Engineering

Page 3: Privacy Engineering

Privacy by Design

“Privacy by Design (PbD) refers to the philosophy and approach of embedding privacy into the design specifications of various technologies”

Ann Cavoukian, Information and Privacy Commissioner, Ontario

7 foundational principles:

1. Proactive, not reactive

2. Privacy as default

3. Embedded into design

4. Full functionality

5. End-to-end security

6. Visibility and transparency

7. Respect for user privacy

Page 4: Privacy Engineering

Privacy Program

Strategy

Governance

Principles

Requirements

Implementation

Assurance

Monitoring

The Gap

The Gap of PbD

Page 5: Privacy Engineering

Diagram: Processes | Policies | Implementation, with a “Disconnect” marked between each stage.

Page 6: Privacy Engineering

“Organisations are often uncertain how to implement systems that comply with data protection law, and are left to manage privacy in accordance with ‘best efforts’, with each system approaching the issue on a case-by-case basis. There are no internationally-recognized standards to guide organisations in implementing privacy controls.”

“’Privacy by Design’ consists of a number of principles that can be applied from the onset of systems development to mitigate privacy concerns and achieve data protection compliance. However, these principles remain vague and leave many open questions about their application when engineering systems.”

ICO Privacy by Design report, 2008

Engineering Privacy by Design. Gürses et al., 2011

Page 7: Privacy Engineering

Privacy Engineering

• Activities and tools to build privacy into products

• Produce evidence for assurance

• Communication between governance and development functions

• More “how” than “what” to do

Page 8: Privacy Engineering

Fundamentals

• No best practice / guideline to implement privacy

• “Privacy must be built-in, not bolted on” – Integral part of product development

– There is no coding guideline for privacy

– Privacy cannot be “tested into” product

• Privacy does not prevent cool things from happening. The implementation just needs to be done “in right way”

Page 9: Privacy Engineering

Who defines the “right way”?

Security

Marketing

Analytics

Design

Legal

Sourcing

Acceptable privacy design

Compliance-based strategies

Risk-based strategies

Page 10: Privacy Engineering

Dramatis personae

Legal

Developers

Security

Auditors

Quality Assurance

Architects

Analytics

Business

Page 11: Privacy Engineering

Diagram: Business (functional) requirements → Development & testing → Go / No Go.

Roles involved: Business, Developers, Quality Assurance, Architects.

Page 12: Privacy Engineering

Diagram: Business (functional) requirements → Development & testing → Go / No Go.

Added: Business / compliance privacy requirements feed into the functional requirements.

Triage and business-level PIA: Business, legal, analytics, architects.

Page 13: Privacy Engineering

Diagram: Business (functional) requirements → Development & testing → Go / No Go.

Business / compliance privacy requirements feed into the functional requirements.

Added: Security controls, privacy acceptance criteria & PETs feed into development & testing.

Technical PIA (part of threat modelling): Architects, developers, security.

Triage and business-level PIA: Business, legal, analytics, architects.

Page 14: Privacy Engineering

Diagram: Business (functional) requirements → Development & testing → Go / No Go.

Business / compliance privacy requirements feed into the functional requirements.

Security controls, privacy acceptance criteria & PETs feed into development & testing.

Added: Implementation of privacy-related test cases: Developers, QA.

Technical PIA (part of threat modelling): Architects, developers, security.

Triage and business-level PIA: Business, legal, analytics, architects.

Page 15: Privacy Engineering

Diagram: Business (functional) requirements → Development & testing → Go / No Go.

Business / compliance privacy requirements feed into the functional requirements.

Security controls, privacy acceptance criteria & PETs feed into development & testing.

Added: Privacy assurance evidence comes out of development & testing and feeds the Go / No Go decision.

Evaluating evidence: Business, legal, auditors.

Implementation of privacy-related test cases: Developers, QA.

Technical PIA (part of threat modelling): Architects, developers, security.

Triage and business-level PIA: Business, legal, analytics, architects.

Page 16: Privacy Engineering

Summary this far

1. High-level privacy principles do not necessarily tell exactly what to do

2. Privacy engineering enables communications between governance and R&D functions

3. In a modern software development model, privacy engineering needs to be iterative and the evidence needs to be continuous

Page 17: Privacy Engineering

CASE: COOKIES AND AN ONLINE MARKETING CAMPAIGN

Privacy Engineering in Practice

Page 18: Privacy Engineering

Cookies & privacy

Timeline (left to right over Time): Design notices → Create cookie policy → Conduct PIA → Implementation, with a Cookie inventory taken at two points along the way.

Page 19: Privacy Engineering

“Modern” software development

• All work is on a prioritised backlog

• Incremental development

• Test automation

– Quality assurance in dev team

• Continuous Integration

• Automated deployment

Page 20: Privacy Engineering

Modern development

Timeline (left to right over Time): Requirement → Implementation, repeated four times, with Continuous testing and Continuous deployment running underneath every increment.

Page 21: Privacy Engineering

Not modern

Timeline (left to right over Time): Design notices → Create cookie policy → Conduct PIA → Implementation, with a Cookie inventory taken at two points along the way.

Page 22: Privacy Engineering

Online Marketing Campaign

Short-term

Purchases through third party web shops

Campaign performance must be measurable:

1. How many visitors clicked the ad?

2. How many visitors bought the product?

Implemented by digital marketing agency

Page 23: Privacy Engineering

Technical PIA with an MSC (message sequence chart)

Parties: Browser, URL shortener, Analytics, Affiliate, Web shop.

Messages in the chart: Click ad → Set cookie & redirect → Redirect → Purchase.

Page 24: Privacy Engineering

Recall modern development

Timeline (left to right over Time): Requirement → Implementation, repeated four times, with Continuous testing and Continuous deployment running underneath every increment.

Page 25: Privacy Engineering

(no text on this slide)

Page 26: Privacy Engineering

Tests pass ok

Timeline (left to right over Time): Requirement → Implementation, repeated four times, with Continuous testing and Continuous deployment running underneath every increment; every increment passes its tests.

Page 27: Privacy Engineering

ALL OK!

Page 28: Privacy Engineering

Test failures stop deployment

Timeline (left to right over Time): Requirement → Implementation, repeated four times, with Continuous testing and Continuous deployment running underneath every increment. The fourth requirement is “Add banner”; its tests fail and its deployment (Depl.) is marked NOT OK.
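An added example, not code from the slides, of the kind of privacy-related test case that the pipeline on Page 14 puts into continuous testing and that stops the deployment shown here: it audits the Set-Cookie headers of a test deployment against the cookie inventory behind the cookie policy, so an undeclared cookie fails the build instead of going unnoticed. The inventory, the captured headers (including the cookie the “Add banner” change introduces) and the lifetime limits are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Cookie inventory as documented in the cookie policy (constructed assumption).
# max_age_days is the lifetime promised to users; None means a session cookie.
INVENTORY = {
    "session_id": {"category": "essential", "max_age_days": None},
    "campaign_ref": {"category": "analytics", "max_age_days": 30},
}

# Set-Cookie headers captured from a test deployment (constructed).
# The third header is what the "Add banner" change introduced.
RESPONSE_HEADERS = [
    "session_id=abc123; Path=/; Secure; HttpOnly",
    "campaign_ref=summer14; Path=/; Max-Age=2592000; Secure",
    "banner_uid=7f3a; Domain=.ads.example; Path=/; Max-Age=63072000",
]

def audit_cookies(headers, inventory):
    """Return (cookie name, problem) findings; an empty list means compliant."""
    findings = []
    seen = set()
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            seen.add(name)
            declared = inventory.get(name)
            if declared is None:
                # A cookie nobody triaged: here, the banner's tracking cookie.
                findings.append((name, "not in cookie inventory"))
                continue
            max_age = morsel["max-age"]
            if declared["max_age_days"] is None and max_age:
                findings.append((name, "declared as session cookie but persists"))
            elif max_age and int(max_age) > declared["max_age_days"] * 86400:
                findings.append((name, "lifetime exceeds cookie policy"))
            if declared["category"] == "essential" and not morsel["httponly"]:
                findings.append((name, "essential cookie without HttpOnly"))
    # A stale inventory is also a finding: the policy describes cookies no longer set.
    for name in inventory:
        if name not in seen:
            findings.append((name, "in inventory but no longer set"))
    return findings

def deployment_allowed(headers, inventory):
    """Go / No Go gate for the pipeline: deploy only when the audit is clean."""
    return audit_cookies(headers, inventory) == []
```

Run in CI against the headers of the test deployment, the test fails on the banner's cookie and the pipeline refuses to deploy, which is the NOT OK on this slide.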

Page 29: Privacy Engineering

NOT OK

Page 30: Privacy Engineering

Non-modern system doesn’t even see it happening

Timeline (left to right over Time): Design notices → Create cookie policy → Conduct PIA → Implementation, with a Cookie inventory taken at two points along the way. After the second inventory, “Add banner” and “Remove banner” happen without any of these steps being revisited.

Page 31: Privacy Engineering

Non-modern development doesn’t even see it happening

Timeline (left to right over Time): Design notices → Create cookie policy → Conduct PIA → Implementation, with a Cookie inventory taken at two points along the way. After the second inventory, “Add banner” and “Remove banner” happen without any of these steps being revisited.

Non-compliant, but nobody notices!