
Privacy: Accountability and Enforceability




  • Privacy: Accountability and Enforceability
    Jamie Yoo
    April 11, 2006
    CPSC 457: Sensitive Information in a Wired World

  • Control of Personal Information
    Basic Problem: The data subject lacks control of sensitive information after initial disclosure.
    Organizations lack control of the information that they manage once they disclose it to third parties.

  • Fair Information Practice Principles
    Collection limitation
    Data quality
    Security safeguards
    Openness
    Purpose specification
    Use limitation
    Individual participation
    Accountability

  • Fair Information Practice Principles are guiding principles, not law.
    Problem: Companies will claim to follow the Fair Information Practice Principles, but the degree of implementation varies among companies.

  • Example: Data Resellers

  • Data Resellers (Brokers)
    Information resellers are businesses that collect and aggregate personal information from multiple sources and make it available to their customers.

  • Privacy Problems: Collection Limitation
    Information resellers generally do not limit data collection to specific purposes and do not notify data subjects.

  • Collection Limitation Problem
    Resellers are limited only by laws that apply to specific kinds of information. Otherwise, resellers aggregate unrestricted amounts of personal information.
    No provisions are made to notify the data subjects when the reseller obtains personal data.
    Individuals are not afforded an opportunity to express or withhold their consent because, many times, resellers do not have a direct relationship with data subjects.
    Some offer an opt-out option, but usually under limited circumstances, for specific types of data and under specific conditions.

  • Privacy Problems: Data Quality
    Information resellers do not ensure that the personal information they provide is accurate for specific purposes.

  • Data Quality Problem
    There is no standard mechanism for verifying the accuracy of the data obtained.
    Some privacy policies state that resellers expect their data to contain some errors.
    Policies vary regarding correction of data they obtained that is determined to be inaccurate.
    Because they are not the original source of the personal information, information resellers generally direct individuals to the original sources to correct any errors.
    Accuracy is also relative to purpose: data that may be perfectly adequate for one purpose may not be precise enough or appropriate for another purpose.

  • Privacy Problems: Purpose Specification
    Information resellers' specification of the purpose of data collection consists of broad descriptions of business categories.

  • Purpose Specification Problem
    Information resellers specify purpose in a broad, general way by describing the types of businesses that use their data.
    They generally do not designate specific intended uses for each of their data collections.
    Generally, resellers obtain information that has already been collected for a specific purpose and make that information available to their customers, who in turn have a much broader variety of purposes for using it.

  • Privacy Problems: Accountability
    Often, data subjects do not even know that data resellers are selling their personal information, so accountability from an individual data subject's standpoint is less than ideal.

  • Problems with Current Solutions

  • Limitations of Legislation
    Either too broad or too specific
    Slow to change
    Difficult to enforce, especially across borders

  • Limitations of the FTC
    The Commission prosecutes unfair and deceptive practices violations.
    However, an FTC investigation is usually triggered by letters from consumers or businesses, Congressional inquiries, or articles on consumer or economic subjects.
    Unfortunately, data subjects are often not even aware of privacy violations, especially since they are not usually aware of specific instances of data disclosures by authorized data recipients to third parties.

  • P3P
    P3P is a semi-structured privacy policy specification language that allows an organization to specify its website privacy practices in a machine-readable format. A P3P policy expresses the privacy practices related to the particular page or pages it governs; it covers any information collection on those pages, the purposes of that collection, the information recipient, and the length of that information's retention.
    Specifications are checked by a browser/user agent against user-specified preferences to determine whether the organization follows user-acceptable privacy practices. The user agent allows the page to load, prevents the load, or notifies the user that the site does not (or may not) comply with the user's preset preferences.
    Limitations: After initial disclosure of personal information, the user has no mechanism for enforcement.

  • Enterprise Privacy Authorization Language (EPAL)
    Interoperability language for exchanging privacy policy in a structured format between applications/enterprises
    Access-centric
    Based on strong associations of fine-grained privacy policies with data (sticky policies)
    EPAL Policy: Defines lists of hierarchies of
      Data categories
      User categories
      Purposes
      Actions
      Obligations
      Conditions

  • Example of EPAL Rule

    Privacy Policy (informal): Allow a sales agent or a sales supervisor to collect a customer's data for order entry if the customer is older than 13 years of age and the customer has been notified of the privacy policy. Delete the data 3 years from now.

    EPAL Privacy Rule:
      ruling: allow
      user category: sales department
      action: store
      data category: customer-record
      purpose: order-processing
      condition: the customer is older than 13 years of age
      obligation: delete the data 3 years from now
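    The rule above, evaluated by a small EPAL-style engine. This is an added example, not code from the slides or from the EPAL specification: the category hierarchy (sales agent and sales supervisor under sales department), the request shape, and the deny-by-default ruling are assumptions, and EPAL's XML schema is not reproduced.

```python
from dataclasses import dataclass, field

# Assumed hierarchies, child -> parent. EPAL policies define such hierarchies
# for user and data categories; a rule on a parent applies to its children.
USER_HIERARCHY = {"sales agent": "sales department",
                  "sales supervisor": "sales department",
                  "sales department": None}
DATA_HIERARCHY = {"customer-record": None}

def ancestors(category, hierarchy):
    """Return the category itself plus every category above it."""
    chain = []
    while category is not None:
        chain.append(category)
        category = hierarchy.get(category)
    return chain

@dataclass
class Rule:
    ruling: str              # "allow" or "deny"
    user_category: str
    action: str
    data_category: str
    purpose: str
    condition: object        # callable(context) -> bool
    obligations: list = field(default_factory=list)

# The slide's rule: sales department may store customer-record for
# order-processing if the customer is older than 13; delete after 3 years.
ORDER_ENTRY_RULE = Rule(
    ruling="allow", user_category="sales department", action="store",
    data_category="customer-record", purpose="order-processing",
    condition=lambda ctx: ctx.get("customer_age", 0) > 13,
    obligations=["delete the data 3 years from now"])

def evaluate(rule, user, action, data, purpose, context):
    """Return (ruling, obligations). A request matches when its user and
    data categories are the rule's own or sit below them in the hierarchy,
    the action and purpose match, and the condition holds on the context.
    Anything else is denied (assumed default ruling)."""
    if rule.user_category not in ancestors(user, USER_HIERARCHY):
        return "deny", []
    if rule.data_category not in ancestors(data, DATA_HIERARCHY):
        return "deny", []
    if action != rule.action or purpose != rule.purpose:
        return "deny", []
    if not rule.condition(context):
        return "deny", []
    return rule.ruling, list(rule.obligations)
```

    The obligation is returned with the ruling so the caller can record it; enforcing the 3-year deletion is outside what the rule itself can do.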

  • Current Usage Scenario
    The consumer bases her decision on the announced P3P policy, which is not formally related to the operative EPAL policy.

  • Issues
    Privacy promises are made without a mechanism for enforcement
    The stickiness of policies is not enforceable
    Too much trust in the enterprise
    Leakages can still happen
    Minimal user involvement (negotiation)
    Privacy management is more than authorization

  • Recommendation

  • Third Party Auditor: Tracing & Auditing Data
    Trusted third party to provide a mechanism for auditing/logging each disclosure
      Manages and records release of data (encryption)
      Validates the privacy-policy-adhering environment of the recipient
      Creates a paper trail
    Legislation to prosecute privacy violations
      In particular, legislation regulating the data brokering industry (ex: require deletion/renewal of data after x years, etc.)
      Auditing should help with prosecution

  • Suggested Scenario (diagram)
    Parties: Data Subject, Enterprise 1, Enterprise 2, Trusted Auditing and Tracing Authority
    Exchanged between them: Personal Data (encrypted), Privacy Policies (EPAL rules), Decryption Key

  • Details
    Identity-Based Encryption: The data sender encrypts a data package (data + privacy policy); the Trusted Auditing Authority provides decryption keys to the verified data recipient.
    Trusted Computing, as defined by the auditor, could be used to ensure a privacy-policy-adhering environment.
    This would allow for greater stickiness of policies to data (tamper-proof data tags):
      Privacy policy rules (ex: expiration date, etc.)
      Digital signatures to indicate where the data came from (third party or directly from the user)
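    A stand-in for the auditor-mediated flow on this slide and the scenario before it, added here and not part of the original deck. Python's standard library has no identity-based encryption, so an auditor-escrowed random package key replaces the IBE key and a SHA-256 counter-mode keystream replaces the cipher; the HMAC tag is the auditor's tamper-evident binding of policy and origin to the data, and `validate_environment` only models the environment check. All class and method names are assumptions.

```python
import hashlib, hmac, json, os

def keystream_xor(key, data):
    """Encrypt or decrypt by XOR with a SHA-256 counter-mode keystream.
    Stand-in for the real cipher; the key is what the auditor escrows."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class AuditingAuthority:
    """Trusted third party: logs every disclosure, binds policy and origin to
    the data with a tag, and releases keys only to validated recipients."""
    def __init__(self):
        self.tag_key = os.urandom(32)   # auditor's own tagging secret
        self.keys = {}                  # package id -> escrowed package key
        self.validated = set()          # recipients with a checked environment
        self.log = []                   # the paper trail: (event, party, id)

    def _tag(self, pkg_id, policy, origin):
        body = json.dumps([pkg_id, policy, origin], sort_keys=True).encode()
        return hmac.new(self.tag_key, body, "sha256").hexdigest()

    def register(self, sender, data, policy):
        """Sender submits data + privacy policy; auditor seals and tags it."""
        key = os.urandom(32)
        ciphertext = keystream_xor(key, data)
        pkg_id = hashlib.sha256(ciphertext).hexdigest()[:16]
        self.keys[pkg_id] = key
        self.log.append(("registered", sender, pkg_id))
        return {"id": pkg_id, "ciphertext": ciphertext, "policy": policy,
                "origin": sender, "tag": self._tag(pkg_id, policy, sender)}

    def validate_environment(self, recipient):
        """Stand-in for checking the recipient's policy-adhering environment."""
        self.validated.add(recipient)

    def release_key(self, recipient, package):
        """Return the package key, or None (and log why) on refusal."""
        expected = self._tag(package["id"], package["policy"], package["origin"])
        if not hmac.compare_digest(expected, package["tag"]):
            self.log.append(("tampered", recipient, package["id"]))
            return None
        if recipient not in self.validated:
            self.log.append(("refused", recipient, package["id"]))
            return None
        self.log.append(("released", recipient, package["id"]))
        return self.keys[package["id"]]
```

    A recipient that strips or edits the policy before asking for the key gets a "tampered" log entry instead of a key, which is the stickiness the slide asks for; the log is the paper trail a prosecutor would use.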

  • Limitations
    Difficult to build a trusted network of this type
    The inherent technical difficulty in representing privacy policies as machine-readable code remains
      Ex: A very large number of EPAL rules would be required to implement HIPAA, making it difficult to implement as well as maintain.
    The future of Trusted Computing is unknown
    Regardless of technical solutions, there must be legislative enforcement to encourage this type of rigorous auditing and also to prosecute violations
