Consumer trust in the ability of public authorities and private organisations to manage personal information is at an all-time low. A stream of high-profile privacy incidents in the UK over the past year has shaken confidence in the government's data sharing agenda, with knock-on effects on major data management programmes, and businesses are having to work that much harder to persuade customers to hand over personal information.
Despite a host of high-profile investigations and reports into the problem, more needs to be done to develop a long-term strategy for personal information management that engages all sectors, reduces privacy-related risks, and inspires individuals to entrust organisations with their data.
This is where privacy by design comes in: the evolution of a new approach to the management of personal information that ingrains privacy principles into every part of every system in every organisation. The challenge is great, since the approach must be acceptable to public authorities, private organisations and consumers alike, and for it to succeed it must result in the evolution of a ‘privacy by design ecosystem’ in which all the stakeholders work together to build privacy needs into their data management lifecycle.
Privacy is a complex concept that varies greatly between cultures, but is generally recognised to be ‘the right to be left alone’. It is at the heart of any trust relationship involving an individual, whether that relationship is with another individual or an organisation. When an individual feels that his or her privacy has been invaded or abused – and this is often a subjective judgement – the trust relationship can be damaged or destroyed, which can cause significant harm to both individuals and organisations.
In Europe, information privacy has coalesced around the concept of data protection, which is the application of privacy principles to the processing of personal information. The UK Data Protection Act 1998 (DPA), which implements the EU Data Protection Directive, requires anyone who processes personal information to comply with eight principles, which ensure, for example, that personal information is fairly and lawfully processed, and is adequate, relevant and not excessive. For many organisations, the data protection approach to privacy is a compliance-driven process: public authorities comply because their regulatory mandates oblige them to, and private organisations often treat it purely as a compliance issue. This compliance-driven focus can result in a low-key, ‘tick the box’ approach to privacy management. Ongoing data loss incidents show that this approach comes up short.
In consequence, organisations can fail to consider privacy in a broader context and therefore may not address key privacy issues, such as assessing information risks from the individual’s perspective; adopting transparency and data minimisation principles; exploiting opportunities for differentiation through enhanced privacy practices; and ensuring that privacy needs influence their identity management agenda (since identity technologies are invariably needed to deliver effective privacy approaches).
Privacy is intimately entwined with identity. Organisations use identity technologies to bind personal information to the individual: good approaches deliver greater anonymity and privacy for the individual, whilst poor approaches collect, duplicate and expose personal information. Organisations that fail to recognise the link between identity systems and privacy leave themselves vulnerable to data loss incidents. Privacy and identity should be addressed as part of the same agenda, and in this report the word privacy includes all the aspects of identity that have a privacy connection.
“Personal information, be it biographical, biological, genealogical, historical, transactional, locational, relational, computational, vocational or reputational, is the stuff that makes up our modern identity. It must be managed responsibly. When it is not, accountability is undermined and confidence in our evolving information society is eroded. It may very well be that our fundamental ideas about identity and privacy that we have collectively pursued and the technologies that we have adopted, must change and adapt in a rapidly evolving world of connectivity”
- Ann Cavoukian Ph.D, Information Commissioner of Ontario
At the heart of the current privacy debate is the key concept of ownership and control over personal information. Advocates argue that without control individuals cannot have real privacy: the individual should have control over use of their personal information, and using their own resources, or those of an independent third-party, be able to give, revoke or withhold consent for organisations to use this information.
Huge technology developments lie ahead. Web 2.0 offers potentially astounding capabilities, with almost unlimited access to programs, services, processing power and data storage – where the user will have no idea which computer, organisation or even country is involved. In this environment, privacy and identity management in particular will be the foundation of success. Without it the full benefits – for both individuals and organisations – will not be realised. Privacy by design is the way to meet this challenge.
The purpose of privacy by design is to give due consideration to privacy needs prior to the development of new initiatives – in other words, to consider the impact of a system or process on individuals’ privacy and to do this throughout the systems lifecycle, thus ensuring that appropriate controls are implemented and maintained.
For a privacy by design approach to be effective, it must take into account the full lifecycle of any system or process, from the earliest stages of the system business case, through requirements gathering and design, to delivery, testing, operations, and out to the final decommissioning of the system.
This lifetime approach ensures that privacy controls are stronger, simpler and therefore cheaper to implement, harder to bypass, and fully embedded in the system as part of its core functionality. However, neither current design practices in the private and public sectors nor existing tools readily support such an approach. Current privacy practices and technologies are geared towards ‘spot’ implementations and ‘spot’ verifications, which confirm only that privacy designs and practices are correct at a given moment within a given scope of inspection.
Where the success of a project depends on people accepting, adopting and using a new system, privacy concerns can be a significant risk factor that threatens the return on the organisation’s investment. In order to address this risk, it is advisable to use a risk management technique commonly referred to as a privacy impact assessment (PIA).
In 2007, the Information Commissioner published a PIA approach. This first step in promoting PIAs laid out what to do but not how it should be done, or which methods and processes are considered sound. A further positive step was taken in 2008 when the government made it mandatory to conduct a PIA on all new government systems that collect and process personal information (the Canadian government introduced such a mandatory ruling in 2003 and has promoted PIAs since [1]).
A possible criticism of the PIA is that it can be seen as overlapping with the many available processes for assessing information security requirements, but it is critical to take the PIA-driven viewpoint of the individual into account, something which few security risk assessment approaches do. It may, therefore, be more productive to integrate the two activities into a common risk assessment approach.
There is no widely accepted definition for the term privacy enhancing technologies (PETs) although most encapsulate similar principles. A PET is something that:
Today, there is a general understanding that PETs are consistent with good design objectives for any system or technology that handles personal information, and can offer demonstrable business benefits and competitive advantages for organisations that adopt them. PETs should not be ‘bolted on’ to systems or technologies that would otherwise be privacy-invasive. Privacy-related objectives must be considered alongside business goals, and privacy considerations addressed at every stage of the systems lifecycle [2].
Just as there is no widely accepted definition of the term PETs, there is no recognised means of classifying them. Recently, though, some studies have categorised PETs according to their main function as either privacy management or privacy protection tools [3, 4].
Privacy management tools enable the user to inspect the procedures and practices used by those who are handling personal information. They may also advise users of the consequences of the information processing performed, leading to an improved understanding of privacy-related issues. A limited number of such tools exist today for either the enterprise or the end-user market: examples include P3P [5] and IBM’s Secure Perspective [6] software.
Widespread adoption of user-centric identity management (U-Idm) [7] platforms, and indeed of most other PETs, will depend upon the existence of standard ways to describe our personal information and the manner in which it may be processed by information systems. This is generally achieved by attaching tags called metadata to the information: additional data that records such things as its source, the consent obtained, how it may be used, and the policies to which it is subject. The personal information may also be accompanied by a set of conditions, known as obligations, covering such things as the length of time for which the data may be retained or whether the individual has consented to the information being passed to third parties.
Work is underway in the research community to investigate detailed metadata requirements and to encourage use and dissemination of standards through bodies such as W3C’s Policy Languages Interest Group (PLING) [8].
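The following is an added illustration, not code from the original report or from any of the standards bodies it mentions, of how metadata and obligations can travel with a personal record and be checked before each use. The schema (consented purposes, a retention period in days, a third-party sharing flag) and the sample records are constructed for the example and are not a recognised standard; a real deployment would express the obligations in a policy language and enforce them in the data access layer.

```python
"""Added example: a personal record that carries its own metadata and obligations,
with a check enforced before every use and an audit trail of each decision."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Obligations:
    """Conditions attached to the data (hypothetical schema, not a standard)."""
    consented_purposes: frozenset   # purposes the individual agreed to
    retain_days: int                # maximum retention, counted from collection
    third_party_sharing: bool       # may the data leave the collecting organisation?


@dataclass
class PersonalRecord:
    subject: str
    attributes: dict
    source: str                     # metadata: where the data came from
    collected_on: date              # metadata: when it was collected
    obligations: Obligations
    audit: list = field(default_factory=list)


def _expired(record, today):
    return today > record.collected_on + timedelta(days=record.obligations.retain_days)


def check_use(record, purpose, recipient_is_third_party, today_iso):
    """Decide whether a proposed use honours the record's obligations.

    Returns (allowed, reasons). Every decision, allowed or denied, is appended
    to the record's audit trail so that processing remains accountable.
    """
    today = date.fromisoformat(today_iso)
    reasons = []
    if purpose not in record.obligations.consented_purposes:
        reasons.append(f"no consent for purpose '{purpose}'")
    if _expired(record, today):
        reasons.append("retention period expired")
    if recipient_is_third_party and not record.obligations.third_party_sharing:
        reasons.append("third-party sharing not consented")
    record.audit.append((today_iso, purpose, "denied" if reasons else "allowed", tuple(reasons)))
    return (not reasons, reasons)


def due_for_deletion(records, today_iso):
    """Records whose retention obligation has lapsed and which must be purged."""
    today = date.fromisoformat(today_iso)
    return [r for r in records if _expired(r, today)]


def sample_records():
    """Constructed sample data for the demonstration (not real individuals)."""
    return [
        PersonalRecord("subject-A", {"postcode": "AB1 2CD"}, "web form", date(2008, 1, 10),
                       Obligations(frozenset({"service-delivery"}), 365, False)),
        PersonalRecord("subject-B", {"email": "b@example.org"}, "call centre", date(2006, 3, 1),
                       Obligations(frozenset({"service-delivery", "marketing"}), 365, True)),
    ]


if __name__ == "__main__":
    recs = sample_records()
    print(check_use(recs[0], "service-delivery", False, "2008-06-01"))  # allowed
    print(check_use(recs[0], "marketing", True, "2008-06-01"))          # denied twice over
    print(check_use(recs[1], "marketing", True, "2008-06-01"))          # denied: retention expired
    print([r.subject for r in due_for_deletion(recs, "2008-06-01")])   # ['subject-B']
    print(recs[0].audit)
```

The point of the design is that the check consults only what is attached to the record itself, so the same obligations follow the data when it is copied to another system, and the audit trail shows who was denied and why, not just who was permitted.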
Privacy protection tools aim to hide the user’s identity, minimise the personal information revealed and camouflage network connections so that, for example, the originating IP address is not revealed. From the IP address an observer may be able to pinpoint the user’s geographic location to the nearest town or city, or even uniquely identify the computer. Privacy protection tools may also authenticate transactions such as payments while making it impossible to trace the connection back to the user. Some of the software that falls into this category includes:
Technological advances are increasing apace and there is no doubt that PETs can provide a way of harnessing these technologies to protect privacy. The need to minimise the collection and processing of personal information, and to design systems around that principle, will be supported by privacy-friendly identification and authentication mechanisms. PETs researchers agree that there is a need for the will to design systems in a privacy-friendly manner, and for enterprise developers and software vendors alike to incorporate PETs into their system designs.
In the near future, research into user-centric identity management (U-Idm) frameworks may represent a solution to the secure control and management of personal information. In most U-Idm frameworks users manage their own personal information which is stored on a personal computer or handheld device that they control. U-Idm could facilitate update of, say, address information to multiple parties or provide proof of age or proof of entitlement online without revealing unnecessary identifying details. An important milestone for this is Microsoft’s recent acquisition of Credentica’s U-Prove technology which exploits special cryptographic techniques enabling users to enforce data minimisation or prove certain characteristics. Microsoft intends to embed these features in its U-Idm software, Windows CardSpace.
Despite the many developments in both PETs and other related security technologies, the slew of recent data loss incidents shows that privacy principles are not always reflected in the design of systems and associated business processes. Progress in the development of privacy-friendly systems has been disappointing, and there is a clear sense that both public authorities and private organisations could be doing more to protect individuals’ privacy.
A consequence of this failure to achieve privacy by design is a breakdown in relationships between individuals and public and private organisations. An environment is developing in which there are constant tensions between individuals and organisations, with a sense that privacy is subservient to the financial value of personal information (for example, complaints about the DVLA providing information to parking enforcement companies for a fee). As a result, individuals feel that they have insufficient knowledge of how their data is used, yet they know from media reports and breach notifications that their data is being lost. When this happens, those responsible have rarely appeared to be held accountable for their actions.
“I dread to think how much information is out there about me” - Attendee, Privacy by Design workshop
There is a widespread perception that organisations fail to minimise the amount of data that they collect or retain. This has created an environment where public authorities and private organisations demand increasing amounts of information to offer services, and retain it for long periods, without providing a clear statement about the proportionality of that processing to the individual. Relationships with individuals have been ‘poisoned’ since some people now see it as acceptable to lie or withhold information from a service provider in order to obtain the service they are legitimately entitled to without having to hand over excessive personal information.
The challenge for privacy by design will be to achieve a cultural, management, technological and regulatory environment that can effectively address these problems and promote the broader use of PETs to protect privacy.
[1] http://www.privcom.gc.ca/pia-efvp/index_e.asp
[2] Dr Steve Marsh, Dr Ian Brown and Fayaz Khaki. Privacy engineering whitepaper. http://tinyurl.com/5zv9b3
[3] Lothar Fritsch. State of the art of privacy-enhancing technology (PET). http://publ.nr.no/4589
[4] The META Group. Privacy enhancing technologies. http://tinyurl.com/6h3qru
[7] http://www.youtube.com/watch?v=RrpajcAgR1E