Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World
Ann Cavoukian, Ph.D., Information & Privacy Commissioner/Ontario
Carnegie Mellon University Lecture, Pittsburgh, PA, November 4, 2004
www.ipc.on.ca

Slide 1

Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World

Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario

Carnegie Mellon University Lecture
Pittsburgh, PA
November 4, 2004

Slide 2

Impetus for Change

Growth of Privacy as a Global Issue

EU Directive on Data Protection

Increasing amounts of personal data collected, consolidated, aggregated

Consumer Backlash; heightened consumer expectations

Slide 3

Importance of Consumer Trust

In the post-9/11 world:
• Consumers are either as concerned or more concerned about online privacy
• Concerns are focused on the business use of personal information, not on new government surveillance powers

If consumers have confidence in a company’s privacy practices, they are more likely to:
• Increase volume of business with the company: 91%
• Increase frequency of business: 90%
• Stop doing business with the company if PI is misused: 83%

Harris/Westin Poll, Nov. 2001 & Feb. 2002

Slide 4

How The Public Divides on Privacy

The “Privacy Dynamic”: the battle for the minds of the pragmatists (Dr. Alan Westin)

Chart (percentage of the public in each of Westin’s three segments, by survey year):

Year   Fundamentalists   Pragmatists   Unconcerned
1999        25%              54%           22%
2000        25%              63%           12%
2001        34%              58%            8%
2003        26%              64%           10%

Slide 5

Information Privacy Defined

Information Privacy: Data Protection

• Freedom of choice; control; informational self-determination

• Personal control over the collection, use and disclosure of any recorded information about an identifiable individual

Slide 6

What Privacy is Not

Security ≠ Privacy

Slide 7

The Privacy/Security Relationship

Privacy relates to personal control over one’s personal information

Security relates to organizational control over information

These represent two overlapping, but distinct activities

Slide 8

Privacy and Security: The Difference

Security: Organizational control of information through information systems
• Authentication
• Data Integrity
• Confidentiality
• Non-repudiation

Privacy: Data Protection
• Fair Information Practices

Slide 9

The Perils of Not Protecting Privacy…

Privacy “disasters”:
– Intel Pentium III
– RealNetworks
– Microsoft HotMail
– Amazon/Alexa
– CD Universe
– Look Communications

“It was a skin-searing experience. We can’t take another hit like that.”

MS Senior Executive

Slide 10

Technology Can Help

“The most effective means to counter technology’s erosion of privacy is technology itself.”

Alan Greenspan, Federal Reserve Chairman

“A technology should reveal no more information than is necessary…it should be built to be the least revealing system possible.”

Dr. Lawrence Lessig, Harvard, September 1999

Slide 11

Privacy By Design: Build It In

Build in privacy – up front, right in the design specifications

Minimize the collection and routine use of personally identifiable information – use aggregate or coded information if possible

Wherever possible, encrypt personal information

Think about anonymity and pseudonymity

Assess the risks to privacy: conduct a privacy impact assessment; privacy audit
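The minimisation and pseudonymity points on this slide can be shown concretely. What follows is an added example written for this page, not code from the presentation or the IPC: it contrasts an unkeyed hash (which a dictionary attack reverses) with a keyed HMAC pseudonym, strips the fields a stated purpose does not need, and publishes postcode counts only for cells of k or more people. The records, the key handling and the k threshold are constructed assumptions.

```python
"""Added example: minimising identifiable data with keyed pseudonyms and aggregation.
Example code written for this page, not from the presentation. The records, key and
k threshold are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed sample events, as a service might log them before any minimisation.
RAW_EVENTS = [
    {"email": "alice@example.com", "postcode": "M4W 1A8", "action": "login"},
    {"email": "bob@example.com", "postcode": "M4W 1A8", "action": "login"},
    {"email": "dave@example.com", "postcode": "M4W 1A8", "action": "purchase"},
    {"email": "alice@example.com", "postcode": "M4W 1A8", "action": "purchase"},
    {"email": "carol@example.com", "postcode": "K1A 0B1", "action": "login"},
]


def naive_pseudonym(identifier: str) -> str:
    """A bare hash looks anonymous but is not: anyone can hash guesses and compare."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def reverse_by_dictionary(pseudonyms, guesses):
    """Re-identification of naive pseudonyms from a list of candidate identifiers."""
    table = {naive_pseudonym(g): g for g in guesses}
    return {p: table[p] for p in pseudonyms if p in table}


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC under a key held only by the pseudonymisation step. Without the key the
    dictionary attack above cannot be run; rotating the key per reporting period also
    stops pseudonyms from being linked across periods."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def minimise(events, key: bytes):
    """Keep only what per-user analytics needs: a keyed pseudonym and the action.
    The e-mail and postcode never leave this function in identifiable form."""
    return [{"pseudonym": keyed_pseudonym(e["email"], key), "action": e["action"]}
            for e in events]


def aggregate_by_postcode(events, k: int = 3):
    """Distinct people per postcode, suppressing cells smaller than k because a count
    of one or two identifies individuals. Suppressed cells are reported as None."""
    people = {}
    for e in events:
        people.setdefault(e["postcode"], set()).add(e["email"].lower())
    return {pc: (len(s) if len(s) >= k else None) for pc, s in people.items()}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per run here; in practice kept in a key store
    leaked = [naive_pseudonym(e["email"]) for e in RAW_EVENTS]
    print("naive hashes re-identified:",
          reverse_by_dictionary(leaked, ["alice@example.com", "mallory@example.com"]))
    print("minimised:", minimise(RAW_EVENTS, key)[:2])
    print("aggregate:", aggregate_by_postcode(RAW_EVENTS))
```

Two caveats a reviewer would raise. The keyed pseudonym is deliberately linkable across events for the same person, so whoever holds the key can still re-identify; that is the limitation the PETs slide later states as “sometimes someone still has your personal information”. And the choice of k is a policy decision, not a property of the code. Encryption of whatever identifiable data must be retained is the security layer this slide also asks for; it sits beneath this example and is not shown.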

Slide 12

Privacy by Design:Technology

Architectures of Identification
• PKI: confidentiality or surveillance
• Biometrics: privacy or social control

Business/government drivers for designing trust into systems and programs

Wireless technology: m-commerce
• convergence, convenience, control

Slide 13

Biometrics: The Myth of Accuracy

The problem with large databases containing thousands (or millions) of biometric templates:

• False positives

• False negatives

Slide 14

Biometric Identification: False Positive Challenge

Even if you have a 1 in 10,000 error rate per fingerprint, then a person being scanned against a million-record data set will be flagged as positive 100 times. And that’s every person. A system like that would be useless because everyone would be a false positive.

Bruce Schneier, quoted in Ann Cavoukian’s Submission to the Standing Committee on Citizenship and Immigration, November 4, 2003

http://www.ipc.on.ca/docs/110403ac-e.pdf
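The arithmetic behind Schneier’s point, as an added example that is not part of the presentation: it generalises the 1-in-10,000 against one million case to any per-comparison false match rate and gallery size, and adds the probability that a probe produces at least one false match, the per-comparison rate a matcher would need to hold that at a target, and the share of alarms that are genuine once a rare watch list is screened against a large population. The numeric inputs (target rate, watch-list prevalence, hit rate) are illustrative assumptions.

```python
"""Added example: how a per-comparison error rate scales in one-to-many identification.
Example code for this page, not from the presentation; the input values are illustrative.
Comparisons are treated as independent, a simplification that is good enough for the point."""
import math


def expected_false_matches(fmr: float, gallery_size: int) -> float:
    """Wrong candidates a single probe is expected to hit when searched against the gallery.
    Schneier's case: 1/10,000 per comparison against 1,000,000 templates gives 100."""
    return fmr * gallery_size


def false_positive_identification_rate(fmr: float, gallery_size: int) -> float:
    """P(at least one false match) for one probe: 1 - (1 - fmr)^n, computed via log1p/expm1
    so that tiny rates and large galleries do not round to zero."""
    return -math.expm1(gallery_size * math.log1p(-fmr))


def required_fmr(target_fpir: float, gallery_size: int) -> float:
    """Per-comparison rate the matcher must achieve for the system-level FPIR to stay at target."""
    return -math.expm1(math.log1p(-target_fpir) / gallery_size)


def positive_predictive_value(prevalence: float, hit_rate: float, fpir: float) -> float:
    """Share of alarms that are genuine when the people being looked for are rare in the
    screened population: TP / (TP + FP), TP = prevalence * hit_rate, FP = (1 - prevalence) * fpir."""
    tp = prevalence * hit_rate
    fp = (1.0 - prevalence) * fpir
    return tp / (tp + fp)


def report(fmr=1e-4, gallery_size=1_000_000, target_fpir=0.01, prevalence=1e-6, hit_rate=0.99):
    """Pull the numbers together for one scenario. Defaults are the slide's figures plus an
    assumed watch-list prevalence, hit rate and target system-level false-alarm rate."""
    return {
        "expected_false_matches_per_probe": expected_false_matches(fmr, gallery_size),
        "p_probe_raises_false_alarm": false_positive_identification_rate(fmr, gallery_size),
        "fmr_needed_for_target": required_fmr(target_fpir, gallery_size),
        "share_of_alarms_genuine_at_target": positive_predictive_value(prevalence, hit_rate, target_fpir),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.3g}")
```

With the slide’s numbers the probability that any given probe raises at least one false alarm is effectively 1, which is what “everyone would be a false positive” means. Holding the system-level rate to one alarm per hundred probes against a million-record gallery needs a per-comparison rate near one in a hundred million, and even then, if only one screened person in a million is actually on the list, roughly one alarm in ten thousand is a genuine hit.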

Slide 15

Facial Recognition: the Reality

Test results less than stellar:
- Logan Airport pilot had a 50% error rate in real-world conditions
- The U.S. State Department has stated that facial recognition has “unacceptably high error rates”
- University of Ottawa tests this summer resulted in accuracy rates between 75% and more than 90%
- The National Institute of Standards and Technology, under ‘ideal lighting and controlled environment conditions’, reported 90% accuracy
- Super Bowl facial recognition no longer considered ‘useful’ by subsequent organizers

“Biometrics Benched for Super Bowl”, by Randy Dotinga, Wired Magazine

Slide 16

STEPs (Security Technologies Enabling Privacy): The Context

Terrorist attacks of 9/11

Government concerns over public safety

U.S. PATRIOT Act and anti-terrorism legislation

Polarized security-versus-privacy debate

Slide 17

Change the Paradigm

Old Paradigm: Zero-Sum Game
New Paradigm: Win-Win

Security + Privacy = Freedom

Expand the discourse: Privacy and Security are not polar opposites but essential components

http://www.ipc.on.ca/docs/steps.pdf

Slide 18

The Challenge for Solution Developers

Introduce privacy into the concept, design and implementation of technology solutions

Promote existing STEPs:
• 3-D Holographic Scanner: respecting physical privacy while enhancing security
• Biometric encryption: better security plus ironclad privacy

Slide 19

Fair Information Practices: A Brief History

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

EU Directive on Data Protection

CSA Model Code for the Protection of Personal Information

Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

Slide 20

Summary of Fair Information Practices

• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, and Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance

Slide 21

Privacy Diagnostic Tool

Simple, plain-language tool (paper and e-versions)

Free & self-administered

Based on the CSA Model Code; used to examine an organization’s privacy management practices

www.ipc.on.ca/PDT

Slide 22

Privacy Enhancing Technologies

What are PETs?

• Anonymisers, pseudonymisers, intermediaries

Their Strengths

• tools to protect personal information

Their Limitations

• usually individual responses to an existing architecture

• sometimes someone still has your personal information

Slide 23

PETTEP

Privacy Enhancing Technologies Testing and Evaluation Project

How does one determine whether a technology can deliver on its privacy promises?

PETTEP is intended to test the claims of various technologies regarding their ability to perform in a privacy protective manner

Slide 24

PETTEP (cont’d)

Modeled on the Common Criteria (ISO/IEC 15408), an international standard used to evaluate the security functionality of technologies

For privacy, Fair Information Practices (FIP) would form the basis of the testing

The challenge is to translate FIPs into the functional requirements of the Common Criteria – to find the design correlates of FIPs
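One way to see what “design correlates of FIPs” means in practice, offered here as an added example rather than PETTEP’s, EDS’s or the IPC’s work: a record store whose interface refuses anything the practices on the summary slide (identifying purposes, consent, limiting collection, limiting use and retention, individual access, accountability) do not permit, so that the requirement is testable behaviour rather than a policy statement. The class, the two purposes and the sample records are hypothetical; safeguards such as encryption at rest and authentication of callers are the security layer assumed beneath it and are not shown.

```python
"""Added example: Fair Information Practices as checks a data store enforces. Example code
for this page, not PETTEP's, EDS's or the IPC's; purposes, names and records are hypothetical.
Each check is labelled with the practice it maps to; safeguards (encryption, caller
authentication) are the security layer assumed beneath this class and are not shown."""
from dataclasses import dataclass
from datetime import datetime, timedelta


class PrivacyViolation(Exception):
    """Raised whenever a request would breach a declared practice."""


@dataclass(frozen=True)
class Purpose:
    name: str
    fields: frozenset      # Limiting Collection: only these fields may be collected for it
    retention: timedelta   # Limiting Retention: records older than this are purged


class PersonalDataStore:
    def __init__(self, purposes, clock=datetime.now):
        self.purposes = {p.name: p for p in purposes}  # Identifying Purposes: declared up front
        self.consents = {}                              # Consent: subject -> purposes agreed to
        self.records = []                               # dicts with subject, purpose, data, at
        self.audit = []                                 # Accountability: every decision is logged
        self.clock = clock                              # injectable so retention can be tested

    def _log(self, event, subject, purpose):
        self.audit.append((self.clock(), event, subject, purpose))

    def _require_consent(self, subject, purpose):
        if purpose not in self.consents.get(subject, set()):
            self._log("denied", subject, purpose)
            raise PrivacyViolation(f"{subject} has not consented to purpose {purpose!r}")

    def give_consent(self, subject, purpose):
        if purpose not in self.purposes:
            raise PrivacyViolation(f"undeclared purpose {purpose!r}")
        self.consents.setdefault(subject, set()).add(purpose)
        self._log("consent", subject, purpose)

    def collect(self, subject, purpose, data):
        self._require_consent(subject, purpose)
        extra = set(data) - self.purposes[purpose].fields
        if extra:                                       # Limiting Collection
            self._log("denied", subject, purpose)
            raise PrivacyViolation(f"{sorted(extra)} not needed for {purpose!r}")
        self.records.append({"subject": subject, "purpose": purpose, "data": dict(data), "at": self.clock()})
        self._log("collect", subject, purpose)

    def use(self, subject, purpose):  # Limiting Use: only for the purpose collected for, while consent holds
        self.purge_expired()
        self._require_consent(subject, purpose)
        self._log("use", subject, purpose)
        return [r["data"] for r in self.records if (r["subject"], r["purpose"]) == (subject, purpose)]

    def purge_expired(self):  # Limiting Retention: drop records past their purpose's period
        now = self.clock()
        kept = [r for r in self.records if now - r["at"] <= self.purposes[r["purpose"]].retention]
        purged = len(self.records) - len(kept)
        self.records = kept
        if purged:
            self._log("purge", "*", f"{purged} record(s)")
        return purged

    def subject_access(self, subject):  # Individual Access / Openness: what is held, for what, since when
        self.purge_expired()
        return [(r["purpose"], sorted(r["data"]), r["at"]) for r in self.records if r["subject"] == subject]


def demo():
    now = [datetime(2004, 11, 4)]                       # one-element list so the lambda can be advanced
    store = PersonalDataStore(
        [Purpose("order-fulfilment", frozenset({"email", "postcode"}), timedelta(days=90)),
         Purpose("marketing", frozenset({"email"}), timedelta(days=365))], clock=lambda: now[0])
    out = {}

    def attempt(label, fn):                             # record whether the store allowed or refused
        try:
            fn()
            out[label] = "allowed"
        except PrivacyViolation:
            out[label] = "refused"

    attempt("collect_without_consent", lambda: store.collect("alice", "marketing", {"email": "a@x.org"}))
    store.give_consent("alice", "order-fulfilment")
    attempt("collect_beyond_purpose", lambda: store.collect(
        "alice", "order-fulfilment", {"email": "a@x.org", "date_of_birth": "1970-01-01"}))
    store.collect("alice", "order-fulfilment", {"email": "a@x.org", "postcode": "M4W 1A8"})
    out["use_in_purpose"] = store.use("alice", "order-fulfilment")
    attempt("use_for_other_purpose", lambda: store.use("alice", "marketing"))
    out["held_before_expiry"] = len(store.subject_access("alice"))
    now[0] += timedelta(days=91)
    out["purged"] = store.purge_expired()
    out["use_after_retention"] = store.use("alice", "order-fulfilment")
    out["audit_events"] = [e[1] for e in store.audit]
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the shape is that each practice becomes a check with an observable outcome: a refusal, a purge count, an audit entry. That is what an evaluation scheme in the Common Criteria style can test against, whereas “we follow the CSA code” cannot be tested. Accuracy and Challenging Compliance are omitted to keep the example short; the first is a correction method over the same records, the second is a process around the audit log rather than code.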

Slide 25

PETTEP Status Update

EDS has partnered with the IPC and PETTEP to develop an enhancement of the Privacy Chapter in the Common Criteria;

EDS is also committed to developing the necessary privacy profiles that will form the basis of testing and evaluating the privacy claims of various technologies;

PETTEP, the IPC and EDS plan to pilot several technologies/systems to refine the enhanced Privacy Chapter.

Slide 26

Final Thought

“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”

Forrester Research, March 5, 2001

Slide 27

How to Contact Us

Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario

2 Bloor Street East, Suite 1400

Toronto, Ontario M4W 1A8

Phone: (416) 326-3333

Web: www.ipc.on.ca

E-mail: [email protected]