engineering privacy by design privacy by design let s
play

Engineering privacy by design Privacy by Design Let's have it! - PowerPoint PPT Presentation

Nov 13, 2023 •134 likes •1.32k views

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy Commissioner of Ontario https://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf Privacy by Design Let's have it! Article 25 European

  1. Privacy-Preserving Electronic Toll Pricing Billing data Location data Billing data Homomorphic Commitments to: + ZK proofs that prices come from a correct policy

  2. Privacy-Preserving Electronic Toll Pricing Homomorphic Commitments to: + ZK proofs that prices come from a correct policy

  3. Privacy-Preserving Electronic Toll Pricing Homomorphic Commitments to: + ZK proofs that prices come from a correct policy

  4. Privacy-Preserving Electronic Toll Pricing Homomorphic Commitments to: + ZK proofs that prices come from a correct policy

  5. Case study: Electronic Toll Pricing Location is not needed, only the amount to bill! Service integrity

  6. Case study: Electronic Toll Pricing Privacy ENABLING Technologies

  7. A change in our way of thinking.... The Usual approach I want all data Data protection compliance Data I can collect

  8. A change in our way of thinking.... The Usual approach I want all data Data protection compliance Data I can collect The PbD approach Data needed for the purpose Maintain service integrity Data I will fjnally collect

  9. A change in our way of thinking.... The Usual approach

  10. Other case studies: Privacy-preserving Biometrics The Usual approach

  11. Other case studies: Privacy-preserving Biometrics The Usual approach t( ) =? t( )

  12. Other case studies: Privacy-preserving Biometrics The Usual approach Templates linkable across databases Reveal clear biometric Not revocable t( ) =? t( ) Many times not externalizable

  13. Other case studies: Privacy-preserving Biometrics The Usual approach Templates linkable across databases Reveal clear biometric Not revocable t( ) =? t( ) Many times not externalizable

  14. Other case studies: Privacy-preserving Biometrics The Usual approach Templates linkable across databases Reveal clear biometric Not revocable t( ) =? t( ) Many times not externalizable

  15. Other case studies: Privacy-preserving Passenger Registry The Usual approach in ?

  16. Other case studies: Privacy-preserving Passenger Registry The Usual approach Surveillance on all passengers in ?

  17. Other case studies: Privacy-preserving Passenger Registry The Usual approach Surveillance on all passengers in ?

  18. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems

  19. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems PRIVACY-PRESERVING SOLUTIONS CRYPTO-BASED VS ANONYMIZATION/OBFUSCATION

  20. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems PRIVACY-PRESERVING SOLUTIONS CRYPTO-BASED VS ANONYMIZATION/OBFUSCATION WELL ESTABLISHED DESIGN AND EVALUATION METHODS – Private searches – Private billing – Private comparison – Private sharing – Private statistics computation – Private electronic cash – Private genomic computations - ...

  21. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems PRIVACY-PRESERVING SOLUTIONS CRYPTO-BASED VS ANONYMIZATION/OBFUSCATION WELL ESTABLISHED DESIGN AND EVALUATION METHODS but expensive and require expertise

  22. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems PRIVACY-PRESERVING SOLUTIONS CRYPTO-BASED VS ANONYMIZATION/OBFUSCATION cheap but...

  23. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems PRIVACY-PRESERVING SOLUTIONS CRYPTO-BASED VS ANONYMIZATION/OBFUSCATION cheap but... DIFFICULT TO DESIGN / EVALUATE

  24. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems PRIVACY-PRESERVING SOLUTIONS CRYPTO-BASED VS ANONYMIZATION/OBFUSCATION cheap but... DIFFICULT TO DESIGN / EVALUATE

  25. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems PRIVACY-PRESERVING SOLUTIONS CRYPTO-BASED VS ANONYMIZATION/OBFUSCATION cheap but... DIFFICULT TO DESIGN / EVALUATE

  26. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems PRIVACY-PRESERVING SOLUTIONS CRYPTO-BASED VS ANONYMIZATION/OBFUSCATION cheap but... DIFFICULT TO DESIGN / EVALUATE

  27. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems PRIVACY-PRESERVING SOLUTIONS CRYPTO-BASED VS ANONYMIZATION/OBFUSCATION cheap but... DIFFICULT TO DESIGN / EVALUATE

  28. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems PRIVACY-PRESERVING SOLUTIONS CRYPTO-BASED VS ANONYMIZATION/OBFUSCATION cheap but... DIFFICULT TO DESIGN / EVALUATE

  29. PART II: PART I: Evaluating Privacy in Reasoning about Privacy-Preserving Privacy when designing systems systems PRIVACY-PRESERVING SOLUTIONS CRYPTO-BASED VS ANONYMIZATION/OBFUSCATION cheap but... DIFFICULT TO DESIGN / EVALUATE

  30. We need technical objectives – PRIVACY GOALS Pseudonymity : pseudonymous as ID (personal data!) Anonymity : decoupling identity and action Unlinkability : hiding link between actions Unobservability : hiding the very existence of actions Plausible deniability : not possible to prove a link between identity and action “obfuscation” : not possible to recover a real item from a noisy item

  31. We need technical objectives – PRIVACY GOALS Pseudonymity : pseudonymous as ID (personal data!) Anonymity : decoupling identity and action Unlinkability : hiding link between actions Unobservability : hiding the very existence of actions Plausible deniability : not possible to prove a link between identity and action “obfuscation” : not possible to recover a real item from a noisy item Why is it so difficult t to Evaluate them?

  32. Let's take one example: Anonymity Art. 29 WP’s opinion on anonymization techniques: 3 criteria to decide a dataset is non-anonymous (pseudonymous): 1) is it still possible to single out an individual 2) is it still possible to link two records within a dataset (or between two datasets) 3) can information be inferred concerning an individual? http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/fjles/2014/wp216_en.pdf

  33. Let's take one example: Anonymity 1) is it still possible to single out an individual “the median size of the individual's anonymity set in the U.S. working population is 1, 21 and 34,980, for locations known at the granularity of a census block, census track and county respectively” location

  34. Let's take one example: Anonymity 1) is it still possible to single out an individual “if the location of an individual is specifjed hourly, and with a spatial resolution equal to that given by the carrier’s antennas, four spatio-temporal points are enough to uniquely identify 95% of the individuals.” [15 montsh, 1.5M people] location

  35. Let's take one example: Anonymity 1) is it still possible to single out an individual location web browser

  36. Let's take one example: Anonymity 1) is it still possible to single out an individual location “It was found that 87% (216 million of 248 million) of the population in the United States had reported characteristics that likely made them unique based only on web browser {5-digit ZIP, gender, date of birth}”

  37. Let's take one example: Anonymity 2) Link two records within a dataset (or datasets) take two graphs representing social networks and map the nodes to each other based on the graph structure alone —no usernames, no nothing Netflix Prize, Kaggle contest social graphs

  38. Let's take one example: Anonymity take two graphs representing social networks and map the nodes to each other based on the graph structure alone —no usernames, no nothing Netflix Prize, Kaggle contest social graphs Technique to automate graph de- anonymization based on machine learning. Does not need to know the algorithm!

  39. Let's take one example: Anonymity 2) Link two records within a dataset (or datasets)

  40. Let's take one example: Anonymity 2) Link two records within a dataset (or datasets)

  41. “Anti-surveillance PETs” technical goals privacy properties: Anonymity 3) infer information about an individual “Based on GPS tracks from, we identify the latitude and longitude of their homes. From these locations, we used a free Web service to do a reverse “white pages” lookup, which takes a latitude and longitude coordinate as input and gives an address and name. [172 individuals]”

  42. Let's take one example: Anonymity 3) infer information about an individual “We investigate the subtle cues to user identity that may be exploited in attacks on the privacy of users in web search query logs. We study the application of simple classifjers to map a sequence of queries into the gender, age, and location of the user issuing the queries.”

  43. Let's take one example: Anonymity Magical thinking! this cannot happen in general! Data anonymization is a weak privacy mechanism Only to be used when other protections are also applied. (contractual, organizational)

  44. Let's take one example: Anonymity Magical thinking! this cannot happen in general! Data anonymization is a weak privacy mechanism Only to be used when other protections are also applied. (contractual, organizational) Impossible to sanitize without severely damaging usefulness Removing PII is not enough! - Any aspect could lead to re-identification

  45. Let's take one example: Anonymity Magical thinking! this cannot happen in general! Data anonymization is a weak privacy mechanism Only to be used when other protections are also applied. (contractual, organizational) Impossible to sanitize without severely damaging usefulness Removing PII is not enough! - Any aspect could lead to re-identification Risk of de-anonymization? Probabilistic Analysis Pr[identity action | observation ] →

  46. Privacy evaluation is a Probabilistic analy lysis systematic reasoning to evaluate a mechanism Anonymity - Pr[identity → action | observation ] Unlinkability - Pr[action A action B | observation ] ↔ Obfuscation - Pr[real action | observed noisy action ]

  47. Privacy evaluation is a Probabilistic analy lysis systematic reasoning to evaluate a mechanism Anonymity - Pr[identity → action | observation ] Unlinkability - Pr[action A action B | observation ] ↔ Obfuscation - Pr[real action | observed noisy action ]

  48. Privacy evaluation is a Probabilistic analy lysis systematic reasoning to evaluate a mechanism Anonymity - Pr[identity → action | observation ] Unlinkability - Pr[action A action B | observation ] ↔ Obfuscation - Pr[real action | observed noisy action ]

  49. Privacy evaluation is a Probabilistic analy lysis systematic reasoning to evaluate a mechanism Anonymity - Pr[identity → action | observation ] Unlinkability - Pr[action A action B | observation ] ↔ Obfuscation - Pr[real action | observed noisy action ]

  50. Privacy evaluation is a Probabilistic analy lysis systematic reasoning to evaluate a mechanism Anonymity - Pr[identity → action | observation ] Unlinkability - Pr[action A action B | observation ] ↔ Obfuscation - Pr[real action | observed noisy action ]

  51. Privacy evaluation is a Probabilistic analy lysis systematic reasoning to evaluate a mechanism Anonymity - Pr[identity → action | observation ] Unlinkability - Pr[action A action B | observation ] ↔ Obfuscation - Pr[real action | observed noisy action ]

  52. Privacy evaluation is a Probabilistic analy lysis systematic reasoning to evaluate a mechanism Anonymity - Pr[identity → action | observation ] Unlinkability - Pr[action A action B | observation ] ↔ Obfuscation - Pr[real action | observed noisy action ]

  53. Privacy evaluation is a Probabilistic analy lysis systematic reasoning to evaluate a mechanism Anonymity - Pr[identity → action | observation ] Unlinkability - Pr[action A action B | observation ] ↔ Obfuscation - Pr[real action | observed noisy action ]

  54. Privacy evaluation is a Probabilistic analy lysis systematic reasoning to evaluate a mechanism Anonymity - Pr[identity → action | observation ] Unlinkability - Pr[action A action B | observation ] ↔ Obfuscation - Pr[real action | observed noisy action ]

  55. “Inversion”? what do you mean? 1) Analytical mechanism inversion Given the description of the system, develop the mathematical expressions that effectively invert the system:

  56. “Inversion”? what do you mean? 1) Analytical mechanism inversion Given the description of the system, develop the mathematical expressions that effectively invert the system:

  57. “Inversion”? what do you mean? 1) Analytical mechanism inversion Given the description of the system, develop the mathematical expressions that effectively invert the system:

Recommend

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor November 11, 2014 y & c S a e v c i u r P r i t e y l b L a a s

555 views • 21 slides
Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance

Privacy engineering, CyLab privacy by design, privacy impact assessments, and privacy governance Engineering & Public Policy Lorrie Faith Cranor October 29, 2013 y & c S a e v c i u r P r i t e y l b L a a s

245 views • 20 slides
Privacy engineering, privacy by design, and privacy governance Engineering & Public Policy

Privacy engineering, privacy by design, and privacy governance Engineering & Public Policy

CyLab Privacy engineering, privacy by design, and privacy governance Engineering & Public Policy Lorrie Faith Cranor November 17, 2015 y & c S a e v c i u r P r i t e y l b L a a s b U o 8-533 / 8-733 /

539 views • 22 slides
Privacy by Design Deirdre K. Mulligan Privacy by design, why now? Legal Drivers E- Government

Privacy by Design Deirdre K. Mulligan Privacy by design, why now? Legal Drivers E- Government

Privacy by Design Deirdre K. Mulligan Privacy by design, why now? Legal Drivers E- Government Act of 2002 and OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 Resolution on Privacy by Design, Data Protection

556 views • 41 slides
Privacy Engineering Objectives and Risk Model Objective-Based Design for Improving Privacy in

Privacy Engineering Objectives and Risk Model Objective-Based Design for Improving Privacy in

Privacy Engineering Objectives and Risk Model Objective-Based Design for Improving Privacy in Information Systems 1 NIST research has a broad impact shutterstock.com shutterstocom G. Hooijer/ D. Stork/ Facilitates trade and fair Improves

405 views • 18 slides
Engineering Privacy By Design Seda Grses COSIC, ESAT K.U. Leuven Belgium 1 Outline -

Engineering Privacy By Design Seda Grses COSIC, ESAT K.U. Leuven Belgium 1 Outline -

Engineering Privacy By Design Seda Grses COSIC, ESAT K.U. Leuven Belgium 1 Outline - Introduction and Approach - Privacy Requirements Definition Problem - Privacy Requirements Analysis Problem - Policy and Compliance - Privacy By Design -

1.48k views • 63 slides
Privacy and Security by Design: Regulatory Compliance Will Not be Enough to Preserve our Privacy

Privacy and Security by Design: Regulatory Compliance Will Not be Enough to Preserve our Privacy

Privacy and Security by Design: Regulatory Compliance Will Not be Enough to Preserve our Privacy Ann Cavoukian, Ph.D. Distinguished Expert-in-Residence Privacy by Design Centre of Excellence Ryerson University Ryerson CSR Institute / PPOCIR

3.12k views • 64 slides
Privacy by Design Principles of Privacy-Aware Ubiquitous Systems Marc Langheinrich Privacy by

Privacy by Design Principles of Privacy-Aware Ubiquitous Systems Marc Langheinrich Privacy by

Privacy by Design Principles of Privacy-Aware Ubiquitous Systems Marc Langheinrich Privacy by Design ETH Zurich, Switzerland www.inf.ethz.ch/~langhein Ubicomp 2001, Atlanta Contents Ubicomp 2001, Atlanta ! Privacy primer Does privacy

680 views • 22 slides
Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU

Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU

Paradigms of Privacy Research & Privacy Engineering Seda Grses f.s.gurses@tudelft.nl TU Delft/ KU Leuven 18. June 2019 GDPR requires data protection by design and by default (Article 25) A complex law with many requirements. More

950 views • 58 slides
Privacy by Design A technical perspective Carmela Troncoso Gradiant The usual privacy

Privacy by Design A technical perspective Carmela Troncoso Gradiant The usual privacy

PR eparing I ndustry to P rivacy-by-design by supporting its A pplication in RE search Privacy by Design A technical perspective Carmela Troncoso Gradiant The usual privacy scenario Protect personal data from third parties Data

359 views • 9 slides
From Privacy Protection to Interface Design: Implementing Information Privacy in Human-Computer

From Privacy Protection to Interface Design: Implementing Information Privacy in Human-Computer

From Privacy Protection to Interface Design: Implementing Information Privacy in Human-Computer Interactions Andrew S. Patrick Steve Kenny Independent Consultant National Research Council of Canada stephen_mh_kenny@yahoo.com

407 views • 22 slides
Privacy by Design in EUs GDPR Botjan Brumen University of Maribor Faculty of Electrical

Privacy by Design in EUs GDPR Botjan Brumen University of Maribor Faculty of Electrical

Privacy by Design in EUs GDPR Botjan Brumen University of Maribor Faculty of Electrical Engineering and Computer Science Slovenia Background Respect for privacy: Not a new phenomenon: the polis (gr. ): the public area of

389 views • 6 slides
The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director

The Vital Need for Privacy and Security by Design Ann Cavoukian, Ph.D. Executive Director Global Privacy & Security by Design Centre Technion Summer School on Cyber Security Haifa, Israel September 9, 2020 Lets Dispel The Myths

929 views • 55 slides
Privacy Enhancing T echnologies Carmela Troncoso, Gradiant PRIPARE Workshop on Privacy by Design

Privacy Enhancing T echnologies Carmela Troncoso, Gradiant PRIPARE Workshop on Privacy by Design

T rialog, Atos, T rilateral, Inria , AUP, Gradiant, UPM, UUlm, Fraunhofer SIT, WIT , KU Leuve Privacy Enhancing T echnologies Carmela Troncoso, Gradiant PRIPARE Workshop on Privacy by Design Ulm 9 th -10 th March 2015 11/03/2015 Privacy

668 views • 48 slides
Lightning Introductions PRIVACY ENABLING DESIGN May 7-8, 2015 Brian Anderson / IBM Where does

Lightning Introductions PRIVACY ENABLING DESIGN May 7-8, 2015 Brian Anderson / IBM Where does

Lightning Introductions PRIVACY ENABLING DESIGN May 7-8, 2015 Brian Anderson / IBM Where does privacy end and security begin? What are the responsibilities of an organization to protect their assets while balancing the privacy of those who

980 views • 52 slides
Do Not Beg: Moving Beyond Do Not Track with Privacy By Design Mike Perry W3C DNT Nov 28, 2012

Do Not Beg: Moving Beyond Do Not Track with Privacy By Design Mike Perry W3C DNT Nov 28, 2012

Do Not Beg: Moving Beyond Do Not Track with Privacy By Design Mike Perry W3C DNT Nov 28, 2012 Do Not Track as Privacy By Design The meat of the initial IETF DNT Draft: A server acting in a third-party capacity MUST NOT track a user or

293 views • 10 slides
Discussion of Privacy as a Tool for Robust Mechanism Design

Discussion of Privacy as a Tool for Robust Mechanism Design

Discussion of Privacy as a Tool for Robust Mechanism Design in Large Markets Leeat Yariv General Theme Interpret differenAal privacy as a

275 views • 25 slides
Privacy and data protection by design cross-over of multiple disciplines Marit Hansen

Privacy and data protection by design cross-over of multiple disciplines Marit Hansen

Privacy and data protection by design cross-over of multiple disciplines Marit Hansen Privacy and Information Commissioner Schleswig-Holstein, Germany marit.hansen@datenschutzzentrum.de Annual Privacy Forum 2015 Luxembourg, 7 October,

551 views • 29 slides
Privacy Design Patterns and Anti-Patterns Patterns Misapplied and Unintended Consequences Nick

Privacy Design Patterns and Anti-Patterns Patterns Misapplied and Unintended Consequences Nick

Privacy Design Patterns and Anti-Patterns Patterns Misapplied and Unintended Consequences Nick Doty & Mohit Gupta UC Berkeley, School of Information Privacy-by-Design ... in practice for designers and developers of technologies document

266 views • 11 slides
Privacy by Design? Marc Langheinrich University of Lugano (USI) Switzerland Projects

Privacy by Design? Marc Langheinrich University of Lugano (USI) Switzerland Projects

The Everyday Life of Surveillance (V): Architectures, Spaces, Territories Privacy by Design? Marc Langheinrich University of Lugano (USI) Switzerland Projects Ubiquitous Privacy Computing Gothenburg Lancaster Paris Zurich Patras

1.15k views • 92 slides
Privacy by design and (big or not-so-big) clinical research data (management) Safeguarding

Privacy by design and (big or not-so-big) clinical research data (management) Safeguarding

Privacy by design and (big or not-so-big) clinical research data (management) Safeguarding privacy while maximizing scientific benefits: a biostatisticians approach to good data management Ronald Brand Dep of Medical Statistics, section

436 views • 26 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Towards Privacy by Design in Personal e-Health Systems George Drosatos Pavlos S. Efraimidis,

Towards Privacy by Design in Personal e-Health Systems George Drosatos Pavlos S. Efraimidis,

Towards Privacy by Design in Personal e-Health Systems George Drosatos Pavlos S. Efraimidis, Garrath Williams and Eleni Kaldoudi School of Medicine Dept. of Electric and Computer Engineering Democritus University of Thrace This work was

486 views • 14 slides

More recommend