Presentation Outline


Transcription:

Functional requirements for privacy enhancing systems
Fred Carter, Senior Policy & Technology Advisor
Office of the Information & Privacy Commissioner / Ontario, Canada
OECD Workshop on Digital Identity Management, Trondheim, Norway, 09 May 2007

Presentation Outline
1. IPC Work
2. Challenge
3. PETs & FIPs
4. IDM: 7 Laws
5. IDM: Biometric Encryption
6. Next Steps

1. IPC work to date
- Independent agency of gov't; we oversee three laws
- Longstanding interest & involvement in privacy, technology and law/compliance issues
- IPC approach: constructive engagement; ICT both a threat to and opportunity for privacy; seek pragmatic win-win scenarios
- Some publications: Path to Anonymity; guidance on use of PKI, DRM, Privacy-embedded 7 Laws of Identity, Biometrics, Biometric Encryption; ID Theft; Intelligent Agents, P3P, RFID, Privacy and the Open Networked Enterprise, Privacy Diagnostic Tool; PIA for health, contactless smart cards; mobile device security; STEPs, etc.
- IPC website: www.ipc.on.ca

2. Challenge
- Advent of ICTs, increasingly data-intensive activities, transformed private and public-sector services, many potential benefits
- Primary challenge: overcoming weak public confidence, trust, use/adoption
- Relentless negative news, e.g.: multi-million $$$ failures and boondoggles; high-profile privacy & security breaches; poor IT security report cards = loss of confidence in
- Privacy Can Help

3. Info Privacy Defined
Effective governance can come from:
1. Laws, legislation, regulation
2. Industry self-regulation, codes of conduct, best practices, guidelines, standards, policies, audit & certification practices (governance)
3. PETs / Technology solutions
4. Public opinion / market acceptance
Founded on the Fair Information Practices (FIPs)
PETs just one element in the IPC privacy toolkit

3. PETs & FIPs
- Many FIPs in use around the world
- FIPs can be condensed into three primary and substantive impulses:
  1. Data Minimization
  2. User Participation and Control
  3. Information Security
- Good success evangelizing to public policymakers, information security, auditors, developers, etc.
- Expressed in myriad ways, depending on context.

3. PETs & FIPs
Building FIPs into ICTs: our Mantra
- Whole information system, not one component (e.g., RFID tag, smart card, biometric reader)
- Build privacy in early, at the design stage
- Privacy/anonymity the default starting point (identifiability, observability, linkability)
- Maximize involvement and participation of data subjects and system users.
- Identity issues are a subset of information privacy issues

4. IDM & 7 Laws
The Case for Privacy-embedded 7 Laws of Identity

4. IDM & 7 Laws
Growing online ID req'ts pose privacy problems:
- Online fraud and security concerns are inhibiting confidence, trust, and the growth of e-commerce
- Fears of online surveillance and excessive collection, use and disclosure of identity information by others are also diminishing confidence and use in the Internet
- Lack of individual user empowerment and control online over one's own personal data is diminishing confidence and use in the Internet
- Password fatigue: weak/reused passwords
What is Needed: improved user control, data minimization techniques, privacy protection, and stronger security

4. Privacy-Embedded 7 Laws of Identity
1. Personal Control and Consent: Technical identity systems must only reveal information identifying a user with the user's consent;
2. Minimal Disclosure For Limited Use (Data Minimization): The Identity Metasystem must disclose the least identifying information possible. This is the most stable, long-term solution. It is also the most privacy protective solution;
3. Justifiable Parties (Need To Know Access): Identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship;

4. Privacy-Embedded 7 Laws of Identity
4. Directed Identity (Protection and Accountability): A universal Identity Metasystem must be capable of supporting a range of identifiers with varying degrees of observability and privacy;
5. Pluralism of Operators and Technologies (Minimizing Surveillance): The interoperability of different identity technologies and their providers must be enabled by a universal Identity Metasystem;
6. The Human Face (Understanding Is Key): Users must figure prominently in any system, integrated through clear human-machine communications, offering strong protection against identity attacks;
7. Consistent Experience Across Contexts (Enhanced User Empowerment And Control): The unifying Identity Metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

4. IDM & 7 Laws
The Privacy-Embedded 7 Laws of Identity offer:
- Easier and more direct control over one's personal information when online;
- Embedded ability to minimize the amount of identifying data revealed online;
- Embedded ability to minimize the linkage between different identities and online activities;
- Embedded ability to detect fraudulent email messages and web sites (less spam, phishing, pharming, online fraud).

4. IDM & 7 Laws
Attractive Features of the 7 Laws:
- Fresh response/approach to real-world problems
- Failure of MS Passport model acknowledged
- Recognition of market drivers for success
- Clear expression of key FIPs, esp. Laws 1 & 2
- If not a PET itself, then an enabling framework/foundation for PETs
- IPC is technology-agnostic w.r.t. how these Laws are expressed or obeyed.

4. IDM & 7 Laws
Response to date:
- Neutral to positive reaction from public, policymakers, media, and industry
- Enhanced public awareness and dialogue
- Interest and engagement from other industry and standards initiatives, e.g.: Liberty Alliance, IBM/Higgins, Credentica

5. IDM & Biometric Encryption
The problem: Growing biometrics deployment and use poses significant risks and threats to privacy, security
- Biometrics a lifetime permanent identifier, worse than a password (access control)
- Inadequate for large-scale 1:many ID uses.
- Secondary uses, function creep, data matching, surveillance, profiling, discrimination
- Misuse of data: Identity fraud, theft, etc.
- One data breach can trigger public backlash.

5. IDM & Biometric Encryption
BE embodies core privacy practices:
1. Data minimization: no retention of biometric image or template, minimizing potential for secondary uses, loss, misuse
2. Maximal individual control: Individuals keep their biometric data private, and can use it to generate or change unique ("anonymous") account identifiers, and encrypt own data.
3. Improved security: authentication, communication and data security are enhanced.
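The two BE properties above, no stored biometric image or template and user-generated, changeable account identifiers, can be shown with a toy fuzzy-commitment construction, the scheme commonly used to explain Biometric Encryption. This is an added example, not IPC code or a product; it assumes a 96-bit biometric feature vector (a constructed sample here) and uses a 3x repetition code as a stand-in for a real error-correcting code, and all function names are the example's own.

```python
import hashlib
import secrets

# Toy fuzzy-commitment style Biometric Encryption, added for illustration.
# Assumptions (not from the slides): the biometric is a 96-bit feature vector
# and a 3x repetition code stands in for a real error-correcting code.
REP = 3
KEY_BITS = 32

# Constructed sample biometric (deterministic pattern, not real data).
SAMPLE = [(i * 7 + 3) % 5 % 2 for i in range(KEY_BITS * REP)]

def ecc_encode(key_bits):
    """Repetition code: each key bit becomes REP identical codeword bits."""
    return [b for b in key_bits for _ in range(REP)]

def ecc_decode(codeword):
    """Majority vote per group; corrects at most one flipped bit per group."""
    return [int(sum(codeword[i:i + REP]) * 2 > REP)
            for i in range(0, len(codeword), REP)]

def enroll(biometric_bits):
    """Bind a fresh random key to the biometric. Only helper data and a hash
    of the key are stored; neither the biometric nor the key is retained."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = [c ^ b for c, b in zip(ecc_encode(key), biometric_bits)]
    return {"helper": helper, "key_hash": hashlib.sha256(bytes(key)).hexdigest()}

def verify(record, biometric_bits):
    """Release the key from a fresh, slightly noisy sample; None on failure."""
    codeword = [h ^ b for h, b in zip(record["helper"], biometric_bits)]
    key = ecc_decode(codeword)
    if hashlib.sha256(bytes(key)).hexdigest() != record["key_hash"]:
        return None
    return key

def account_identifier(key, service):
    """Per-service pseudonymous identifier from the released key: unlinkable
    across services, and re-enrolling changes it without a new biometric."""
    return hashlib.sha256(bytes(key) + service.encode()).hexdigest()[:16]

def flip_bits(bits, positions):
    """Simulate sensor noise (few flips) or a different person (many flips)."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

if __name__ == "__main__":
    rec = enroll(SAMPLE)
    key = verify(rec, flip_bits(SAMPLE, {0, 4, 8, 50}))  # noisy re-sample
    print("noisy sample accepted:", key is not None)
    print("other person accepted:", verify(rec, flip_bits(SAMPLE, set(range(0, 96, 2)))) is not None)
```

The stored record holds only helper data and a key hash; the toy repetition code leaks far more about the biometric than a real BE scheme should, which is why production systems use stronger codes and analysed helper-data leakage.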

5. IDM & Biometric Encryption
IPC Objectives:
- Stimulate demand for PETs: Bring this biometric technology to attention of public, privacy advocates, policymakers: it is possible and should be considered, even demanded.
- Stimulate supply of PETs: Encourage research, development and marketization of privacy-enhancing technologies as viable solutions for real-world problems.

6. Next Steps
Key stakeholders (demand-side): Public / Media; Public policymakers; Privacy advocates
Key stakeholders (supply-side): Industry; Technologists, Developers; Integrators

6. Next Steps
Challenge: Increase demand for PETs
- Increase awareness and interest in PETs
- Spotlight, recognize, promote PETs solutions
- Encourage and recognize early adopters, success
Challenge: Increase supply of PETs
- Increase awareness and interest in PETs
- Spotlight, recognize, promote PETs solutions
- Encourage and recognize early adopters, success

How to Contact Us
Fred Carter, Senior Policy & Technology Advisor
Information & Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400, Toronto, Ontario, Canada M4W 1A8
Phone: +1.416.326.3333
Web: www.ipc.on.ca

Extra Slides
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Eight Principles:
1. Collection Limitation
2. Data Quality
3. Purpose Specification
4. Use Limitation
5. Security Safeguards
6. Openness
7. Individual Participation
8. Accountability

Fair Information Practices (CSA Privacy Code)
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance

PETs & IDM
Privacy Enhancing Technologies (or Tools) include those that empower individuals to manage their own identities in a privacy enhancing manner. These include tools or systems to:
- anonymize and pseudonymize identities;
- securely manage login ids and passwords and other authentication requirements;
- manage contactability or reachability;
- generally, allow users to selectively disclose their PII to others and to exert maximum control over their PII once disclosed.
Identity issues are a subset of information privacy issues.