PROTECTION GOALS FOR PRIVACY ENGINEERING

Size: px

Start display at page:

Download "PROTECTION GOALS FOR PRIVACY ENGINEERING"

Alison Cummings
6 years ago
Views:

1 PROTECTION GOALS FOR PRIVACY ENGINEERING Marit Hansen, Meiko Jensen, and Martin Rost International Workshop on Privacy Engineering May 21, 2015

2 Outline Security Protection Goals Privacy Protection Goals Three Axes Conclusion

3 Security Protection Goals

4 Confidentiality The protection goal of Confidentiality is defined as the property that (privacy-relevant) data and services that process such data cannot be accessed by unauthorized entities.

5 Confidentiality in other words: Secrecy Non-Disclosure Access Restrictions Security Clearances Data Minimization Steganography Unobservability

6 Implementation Techniques: Data Encryption Confidentiality in transit (TLS, HTTPS, SSH, ) at rest (PGP, S/MIME, TrueCrypt, ) Data Segregation Secret Sharing, Secure Multiparty Computations Onion Routing Access Control Enforcement

7 Integrity The protection goal of Integrity is defined as the property that (privacy-relevant) data and services that process such data cannot be modified in an unauthorized or undetected manner.

8 Integrity in other words: Authenticity Detection of Data Changes Non-Repudiation Reliability

9 Implementation Techniques: Integrity Digital Signatures RSA, ElGamal Message Authentication Codes Hash Values Access Control Enforcement Watchdogs / Canaries Two-Man Rules

10 Availability The protection goal of Availability is defined as the property that access to (privacy-relevant) data and to services that process such data is always granted in a comprehensible, processable, timely manner.

11 Availability in other words: Redundancy Monitoring of Availability Responsiveness Accessibility Uptime

12 Implementation Techniques: Availability Backups Load Balancers Failovers Redundant Components Avoidance of Single-Points-of-Failure Watchdogs / Canaries

13 Privacy Protection Goals

14 Unlinkability The protection goal of Unlinkability is defined as the property that privacy-relevant data cannot be linked across domains that are constituted by a common purpose and context.

15 Unlinkability in other words: Data Minimization Necessity / Need-to-Know Purpose Binding Separation of Power Unobservability Undetectability

16 Implementation Techniques: Unlinkability Data Avoidance / Reduction Access Control Enforcement Generalization Anonymization/Pseudonymization Abstraction Derivation Separation / Isolation Avoidance of Identifiers

17 Unlinkability Think of it as

18 Transparency The protection goal of Transparency is defined as the property that all privacy-relevant data processing including the legal, technical, and organizational setting can be understood and reconstructed at any time.

19 Transparency in other words: Openness Accountability Documentation Reproducibility Notice (and Choice) Auditability Full-Disclosure

20 Implementation Techniques: Transparency Logging and Reporting User Notifications Documentation Status Dashboards Privacy Policies Transparency Services for Personal Data Data Breach Notifications

21 Transparency Think of it as

22 Intervenability The protection goal of Intervenability is defined as the property that intervention is possible concerning all ongoing or planned privacy-relevant data processing.

23 Intervenability in other words: Self-determination User Controls Rectification or Erasure of Data (Notice and) Choice Consent Withdrawal Claim Lodging / Dispute Raising Process Interruption

24 Implementation Techniques: Intervenability Configuration Menu Help Desks Stop-Button for Processes Break-Glass / Alert Procedures System Snapshots Manual Override of Automated Decisions External Supervisory Authorities (DPAs)

25 Intervenability Think of it as

26 Three Axes

27 Confidentiality <-> Availability No access to data No access to services Authorized entities only Full access to data Full access to services Everybody Confidentiality Availability

28 Integrity <-> Intervenability No changes to data No changes to process Defined by processor All types of changes Full process flexibility Defined by individual Integrity Intervenability

29 Unlinkability <-> Transparency No linkable data No disclosure of process Need-to-Know Full linkability of data Full disclosure of process Want-to-Know Unlinkability Transparency

30 The Six-Pointed Star Confidentiality Unlinkability Integrity Intervenability Transparency Availability

31 The Six-Pointed Star Confidentiality Unlinkability Integrity Intervenability Transparency Availability

32 Conclusion

33 Conclusion Protection Goals have proven very useful: for Implementers for Lawyers for Data Protection Authorities for Users C U Privacy Protection Goals: Unlinkability I Iv Transparency Intervenability T A

34 References Shaping the Future of Electronic Identity partly funded by EU FP7, GA n Forum Privatheit und selbstbestimmtes Leben in der Digitalen Welt (Privacy Forum Germany) partly funded by the German Federal Ministry of Education and Research

35 C U Thank You! I Iv Protection Goals for Privacy Engineering T A Marit Hansen, Meiko Jensen, and Martin Rost Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein Phone: uld6@datenschutzzentrum.de

Data Protection and Ethics in Healthcare

Data Protection and Ethics in Healthcare Harald Zwingelberg ULD June 14 th, 2017 at Brocher Foundation, Geneva Organized by: with input by: Overview Goal: Protection of people Specific legal setting for