E-Commerce Barriers in a Networked World
Mike Gurski, Senior Policy & Technology Advisor, Information & Privacy Commission, Ontario, Canada
CITO, October 10 - 11, 2001

What the Experts Say
• “Lack of privacy holding back e-commerce; FTC holds hearings.” Business Wire
• “90 percent of Web sites fail to comply with basic privacy principles.” Washington Post
• “Due to consumers’ privacy concerns, e-commerce companies lost some $2.8 billion last year.” Forrester Research

When Things Go Wrong
• Privacy lawsuits and disasters:
  • DoubleClick
  • Intel Pentium III
  • RealNetworks
  • Microsoft Hotmail
  • Amazon/Alexa
  • CD Universe
  • Look Communications
  • Toysmart

The Beginning of the Privacy Revolution
• “Anyone today who thinks the privacy issue has peaked is greatly mistaken…” Forrester Research, March 5, 2001
• “It doesn’t take much for people to get really concerned about a particular company’s…privacy practices.” Johnathan Gaw, IDC Corp., March 29, 2001

The Threats to Privacy
• Big Brother
  • Surveillance, control, no private space
• The Trial
  • Fractured personal data held by uncaring, unknowing authorities
• The Matrix
  • Technology designs society & society’s perceived reality for its own ends
• Commodification of Human Relationships
  • Life as the ultimate shopping experience

Enumerating the Barriers
• Risk of Economic Injury
  • Identity theft
  • Unauthorised use of credit card information
• Unwanted Intrusions
  • Phone calls
  • Computer-based spam
Privacy Drivers
• Large organizations disconnected from clients, gathering detailed data
• Increasing amounts of personal data held, consolidated and used
• New privacy-invasive technologies
• Application to humans of a technology paradigm geared to manufactured goods
Privacy Defined: Think “Use”
• Informational Privacy: Data Protection
  • Personal control over the collection, use and disclosure of any recorded information about an identifiable individual
  • The organisation’s responsibility for data protection and safeguarding personal information in its custody or control

Privacy and Security: The Difference
• Security
  • Authentication
  • Data Integrity
  • Confidentiality
  • Non-repudiation
• Privacy
  • Data Protection (Fair Information Practices)

Fair Information Practices
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Accuracy
• Safeguards
• Openness
• Individual Access
• Limiting Use, Disclosure, Retention
• Challenging Compliance

Privacy By Design: Build It In
• Build in privacy – up front, right in the design specifications.
• Minimize the collection and routine use of personally identifiable information – use aggregate or coded information if possible.
• Wherever possible, encrypt – implement anonymity and pseudonymity.
• Assess the risks to privacy: conduct a privacy impact assessment; privacy audit.
• Develop a corporate culture of privacy.

What to Do About Privacy
• The Tools
  • Privacy Design Principles*
  • Technology Design Principles*
  • Privacy Impact Assessment Guide*
  • Privacy Architecture and the Privacy Architect*
  • Privacy Enhancing Technologies*
  • Privacy Diagnostic Tool*
Privacy Design Principles*
• An Example:
  • Personal data should not be used or disclosed for purposes other than those specified in accordance with Principle 1 except: a) with the consent of the data subject, b) by the authority of law, or c) for the safety of the community, including victims and witnesses.
  • Generally, personal information should be retained as necessary, but its use must be limited to its original purpose for collection.
• http://www.ipc.on.ca/english/pubpres/sum%5Fpap/papers/designpr.htm
Technology Design Principle*
• An Example
  • Use Limitation Principle: Personal data should not be used or disclosed for purposes other than specified.
  • Technology Design Principle: Information systems must be designed to halt unauthorised use. That involves a protocol for tracking who accesses specific information and for what purposes. The circumstances of use need to be recorded and attached to the personal information record.

Privacy Impact Assessment*
• A tool developed by the provincial government to address privacy issues related to information systems
• An example of questions under Use Limitation:
  • Is personal information used exclusively for the stated purposes and for uses that the average client would consider to be consistent with those purposes?
  • Are personal identifiers, such as the social insurance number, used for the purposes of linking across multiple databases?
  • Where data matching or profiling occurs, is it consistent with the stated purposes for which the personal information is collected?
  • Is there a record of use maintained for any use or disclosure not consistent with original stated purposes?
  • Is the record of use attached to the personal information record?
• www.gov.on.ca/MBS/english/fip/pia/pianew.html
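The use-limitation design principle above, together with the PIA questions about a record of use, can be shown in code: access to a personal information record requires a declared purpose, a use outside the purposes stated at collection is halted unless one of the listed exceptions (consent, authority of law, community safety) applies, and every attempt, denied ones included, is appended to a use log that travels with the record. This is an added illustration, not code from the presentation or the IPC; the purpose names, the basis labels and the sample record are constructed.

```python
"""Use limitation with a record of use attached to the personal information record."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Exceptions to the use-limitation principle, as listed in the design principles.
EXCEPTION_BASES = {"consent", "law", "safety"}


@dataclass
class UseRecord:
    when: str
    who: str
    purpose: str
    basis: str        # "stated" (purpose identified at collection) or an exception basis
    allowed: bool


@dataclass
class PersonalRecord:
    subject_id: str
    data: dict
    stated_purposes: frozenset                      # purposes identified at collection
    use_log: list = field(default_factory=list)     # record of use, kept with the record


def use(record: PersonalRecord, who: str, purpose: str, basis: str = "stated") -> dict:
    """Return the data only when the use is consistent with the stated purposes or
    rests on a recognised exception; log every attempt so audits can see denials too."""
    consistent = purpose in record.stated_purposes
    allowed = consistent or basis in EXCEPTION_BASES
    stamp = datetime.now(timezone.utc).isoformat()
    record.use_log.append(UseRecord(stamp, who, purpose, basis, allowed))
    if not allowed:
        raise PermissionError(f"use of {record.subject_id} for '{purpose}' not permitted")
    return dict(record.data)


def inconsistent_uses(record: PersonalRecord) -> list:
    """PIA check: uses or disclosures not consistent with the original stated purposes."""
    return [u for u in record.use_log if u.purpose not in record.stated_purposes]


# Constructed sample: a customer record collected for order fulfilment and billing only.
SAMPLE = PersonalRecord("cust-001", {"name": "A. Example", "card_last4": "4242"},
                        frozenset({"order_fulfilment", "billing"}))
```

Running `use(SAMPLE, "crm", "marketing")` raises, `use(SAMPLE, "crm", "marketing", basis="consent")` succeeds, and both attempts remain visible through `inconsistent_uses(SAMPLE)`.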
What is a Privacy Architect?
• The person responsible for ensuring that the design of a given technology or system or process provides sufficient and appropriate protection of personal information
• Courtesy, Peter J. Hope-Tindall, Chief Privacy Architect, dataPrivacy Partners Ltd. (pht@dataPrivacy.com)

Privacy Architect Functions
• Identify and define privacy requirements
• Explain privacy concepts to the key personnel
• Analyze technological components and processes
• Evaluate privacy risk characteristics
• Make recommendations to decision-makers about balancing privacy interests

Privacy Architect - Deliverables
• Develop a conceptual, logical and technical privacy architecture which is feasible, cost-effective, of acceptable technological risk, works within the given computer and security architectures and meets the organization’s privacy needs and requirements

Privacy Architect’s Areas of Action
• Legal
• Policy
• Strategy
• Education
• Technical

Security Architect Vs. Privacy Architect*
• The security architect focuses on access controls and authorized access as defined by the system owner
• A risk-based approach is generally used and may include multiple layers of passwords, use of biometrics and/or cryptography, and generally an overlay of preventive, detective (reporting) and corrective controls

Security Architect Vs. Privacy Architect (2)
• In contrast, the privacy architect focuses on the collection, use, disclosure and retention of data as mandated by the law and consented to by the individual whose data it is
• The system owner is NOT the ultimate authority where privacy is concerned and may in fact be one of the parties from whom the data must be safeguarded
Risk-based Vs. Capability-based Analysis
• Risk-based analysis: how likely is it to occur?
• Capabilities-based analysis: can it possibly happen?
• Concept of institutional override

Relationship between Privacy and Security
• In theory, privacy and security may be completely different elements of a system
• In practice, security is a facilitator of privacy and an important foundation to it
• No matter how excellent security may be, it is never, of itself, sufficient to ensure privacy

Relationship between Privacy and Internal Controls*
• Risk-based context
• Good control environment reduces privacy risk
• No matter how excellent controls may be, they are never, of themselves, sufficient to ensure privacy

Capabilities-based Privacy
• Theoretically, privacy can be established solely by the use of capabilities-limited technology which is unable by design to do anything to compromise privacy, no matter who may authorize or request it
• In practice, total reliance on technology is untenable

Capabilities-based Privacy
• Maintaining good privacy almost always includes establishing good security, maintaining privacy controls (preventive, detective and corrective), and conducting periodic privacy audits, including those aimed at ensuring compliance with the law

Technical Education for Privacy
• To ensure adequate privacy protection in the future, we may have to re-think how we educate our next generation of technologists
• The message may have to change from maximum capability and flexibility of design to prescribed capabilities only and privacy-effective design. Don’t collect what you don’t need!
Privacy Plan*
• Identify current practices
  • Follow the data: collection and use
• Identify the gaps
• Establish a Centre of Privacy Excellence
  • Internal staff, external advisory body
• Plan for compliance
  • Schedule implementation, audit, post-implementation evaluation
• Plan for non-compliance
  • Emergency response plan
Privacy Enhancing Technologies*
• Anonymisers
• Pseudonymisers
• Data hiding technologies

Privacy Diagnostic*
• A Question & Answer format
• CD or Web download
• Based on Fair Information Practices
• A good way to take your privacy temperature

A Closing Thought
“To survive mounting consumer anxiety… firms need to institutionalize their commitment to protecting… customers’ privacy by taking a comprehensive, whole-view approach… The cost of a privacy PR blowout can range from tens of thousands to millions of dollars… and this doesn’t include lost business and damage to the brand.” - Forrester Research

How to Contact Us
Mike Gurski
Information & Privacy Commission/Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
Phone: (416) 325-9164
Web: www.ipc.on.ca
E-mail: mgurski@ipc.on.ca