PRIVACY ENHANCING TECHNOLOGIES INTRODUCTION

INTRODUCTION TO PRIVACY ENHANCING TECHNOLOGIES

OUR MISSION
Least Authority’s mission is to build and support ethical and usable technology solutions that advance digital security and privacy as fundamental human rights.

WHAT ARE PETS?
Protect personal data. Privacy by design. Require security. Security by design, not policy. Technical transparency.

WE MUST DEFEND OUR OWN PRIVACY IF WE EXPECT TO HAVE ANY.
Eric Hughes, A Cypherpunk’s Manifesto

SECURITY FACILITATES PRIVACY
Confidentiality, Integrity & Availability

PETS STRATEGIES
▸ Data minimisation
▸ Informed consent
▸ Obfuscation
▸ Decentralization
▸ Pseudonymity
▸ Anonymity
▸ Capability-based security (not identity-based)
= Control over Personal Data

TECHNICAL APPROACHES
▸ Public key infrastructure/digital signatures
▸ Hashes, salting and cryptographic hash algorithms
▸ Off-chain/out-of-network data storage
▸ Mixing & decoys
▸ Homomorphic Encryption
▸ Zero-knowledge proofs
▸ Secure multi-party computation

SECURITY IN IT IS LIKE LOCKING YOUR HOUSE OR CAR – IT DOESN'T STOP THE BAD GUYS, BUT IF IT'S GOOD ENOUGH THEY MAY MOVE ON TO AN EASIER TARGET.
Paul Herbka, Director, Cloud and Managed Services, Denovo

RISK MANAGEMENT
▸ Identify risks and assess:
  ▸ Probability
  ▸ Impact
  ▸ Responsibility
▸ Then decide:
  ▸ Accept
  ▸ Transfer
  ▸ Avoid
  ▸ Reduce
Nothing is 100% safe.

THREAT MODELING
1 Identify, 2 Define, 3 Prioritize
▸ What do you have that someone else might want?
▸ Who would want this information you have?
▸ How could they get this information?
▸ When could they get this information?
▸ What are they willing to do to get this information?
▸ What are you willing to do to prevent this?

ATTACK VECTORS
SPoF
▸ Central authority, certification and admission control (denial-of-service attacks)
▸ Permissionless admission and proof-of-humanness (bots/botnets)
▸ Reputation management and multiple identities (Sybil attacks)
▸ Consensus methods and truth (Byzantine faults)
▸ Peer communications and data integrity (man-in-the-middle and poisoning attacks)
▸ Voting and incentives (gaming attacks)

CHANGE THE PRIVACY PARADIGM
▸ Talk about why privacy matters and how the paradigm shift can happen
▸ Bridge learning from research to implementation teams utilising new technical approaches
▸ Publish regulations analysis, code, security audit reports and discuss lessons learned
▸ Fund new security research and implementation experiments, including UI/UX focus
▸ Make more developer resources that support security and privacy by design
▸ Engage in policy and governance discussions to ensure security is a priority
▸ Try new approaches to incentivize ethical design and issue disclosure
▸ Build partnerships and coalitions of privacy-tech professionals
▸ Set up training programs to help others be “privacy-minded”

EVERY PROGRAM AND EVERY PRIVILEGED USER OF THE SYSTEM SHOULD OPERATE USING THE LEAST AMOUNT OF PRIVILEGE NECESSARY TO COMPLETE THE JOB.
Jerome Saltzer

https://leastauthority.com
Liz@LeastAuthority.com
Twitter: @LeastAuthority