Transcript

Privacy: Accountability and Enforceability

Jamie Yoo

April 11, 2006

CPSC 457: Sensitive Information in a Wired World

Control of Personal Information

Basic Problem:

Data subject lacks control of sensitive information after initial disclosure

Organizations lack control of the information that they manage once they disclose it to third parties

Fair Information Practices Principles

- Collection limitation
- Data quality
- Security safeguards
- Openness
- Purpose specification
- Use limitation
- Individual participation
- Accountability

Fair Information Practice Principles are guiding principles, not law.

Problem: Companies will claim to follow fair information practice principles, but the degree of implementation varies among companies.

Example: Data Resellers

Data Resellers (Brokers)

Information Resellers are businesses that collect and aggregate personal information from multiple sources and make it available to their customers.

Collection Limitation

Information Resellers Generally Do Not Limit Data Collection to Specific Purposes and Do Not Notify Data Subjects

Privacy Problems

Collection Limitation Problem

- Resellers are limited only by laws that apply to specific kinds of information. Otherwise, resellers aggregate unrestricted amounts of personal information.
- No provisions are made to notify the data subjects when the reseller obtains personal data.
- Individuals are not afforded an opportunity to express or withhold their consent because many times resellers do not have a direct relationship with data subjects.
- Some offer an “opt-out” option, but usually under limited circumstances, for specific types of data and under specific conditions.

Data Quality

Information Resellers Do Not Ensure That Personal Information They Provide Is Accurate for Specific Purposes

Privacy Problems

Data Quality Problem

- No standard mechanism for verifying the accuracy of the data obtained
- Some privacy policies state that resellers expect their data to contain some errors
- Varying policies regarding correction of data determined to be inaccurate as obtained by them
- Because they are not the original source of the personal information, information resellers generally direct individuals to the original sources to correct any errors.

That is, data that may be perfectly adequate for one purpose may not be precise enough or appropriate for another purpose.

Purpose Specification

Information Resellers’ Specification of the Purpose of Data Collection Consists of Broad Descriptions of Business Categories

Privacy Problems

Purpose Specification Problem

Information resellers specify purpose in a broad, general way by describing the types of businesses that use their data.

They generally do not designate specific intended uses for each of their data collections.

Generally, resellers obtain information that has already been collected for a specific purpose and make that information available to their customers, who in turn have a much broader variety of purposes for using it.

Accountability

Oftentimes, data subjects do not even know that data resellers are selling their personal information, so accountability from an individual data subject’s standpoint is less than ideal.

Privacy Problems

Problems with Current “Solutions”

Limitations of Legislation

- Either too broad or too specific
- Slow to change
- Difficult to enforce, especially across borders

Limitations of the FTC

The Commission prosecutes “unfair and deceptive practices” violations. However, usually “letters from consumers or businesses, Congressional inquiries, or articles on consumer or economic subjects” trigger an FTC investigation.

Unfortunately, data subjects are often not even aware of privacy violations, especially since they are not usually aware of specific instances of data disclosures by authorized data recipients to third parties.

P3P

P3P is a semi-structured privacy policy specification language that allows an organization to specify its website privacy practices in a machine-readable format.

A P3P policy expresses the privacy practices related to the particular page or pages it governs; it covers any information collection on those pages, the purposes of that collection, the information recipient, and the length of that information’s retention.

Specifications are checked by a browser/user agent, against user-specified preferences, to determine whether the organization follows user-acceptable privacy practices.

The user agent allows the page to load, prevents it from loading, or notifies the user that the site does not (or may not) comply with the user’s preset preferences.

Limitations: After initial disclosure of personal information, user has no mechanism for enforcement.
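To make the user-agent check concrete, here is an added example (not code from the P3P specification or from any browser) that parses a constructed, minimal policy written in the shape of P3P 1.0 (the P3Pv1 namespace is omitted) and compares each statement's recipients, purposes and retention against constructed user preferences, producing the same three outcomes the user agent has: allow, warn, or block. The preference keys and the site policy are assumptions made for this example.

```python
"""Added example: how a P3P user agent compares a site's policy with user preferences.
Not code from the P3P specification or any browser; the policy below is constructed
in the shape of P3P 1.0 (namespace omitted for brevity)."""
import xml.etree.ElementTree as ET

# Constructed site policy: one statement the user would accept, one the user would not.
POLICY_XML = """
<POLICY name="shop-policy" discuri="http://www.example.invalid/privacy.html">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.name"/>
      <DATA ref="#user.home-info.postal"/>
    </DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    <RECIPIENT><unrelated/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.home-info.telecom.telephone"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
"""

# Constructed user preferences: recipients/purposes the user refuses outright and
# retention practices the user only wants to be warned about.
PREFS = {
    "block_recipients": {"unrelated", "public"},
    "block_purposes": {"telemarketing"},
    "warn_retention": {"indefinitely", "business-practices"},
}


def _child_tags(statement, name):
    """Tag names of the children of <name> inside a STATEMENT (empty set if absent)."""
    elem = statement.find(name)
    return set() if elem is None else {c.tag for c in elem}


def parse_statements(xml_text):
    """Each STATEMENT -> what is collected, why, who receives it, how long it is kept."""
    root = ET.fromstring(xml_text)
    out = []
    for st in root.findall("STATEMENT"):
        group = st.find("DATA-GROUP")
        out.append({
            "purposes": _child_tags(st, "PURPOSE"),
            "recipients": _child_tags(st, "RECIPIENT"),
            "retention": _child_tags(st, "RETENTION"),
            "data": set() if group is None else {d.get("ref") for d in group.findall("DATA")},
        })
    return out


def decide(statements, prefs):
    """Mirror the user agent's three outcomes: allow, warn (notify the user), or block."""
    verdict, reasons = "allow", []
    for st in statements:
        bad_recipients = st["recipients"] & prefs["block_recipients"]
        bad_purposes = st["purposes"] & prefs["block_purposes"]
        if bad_recipients or bad_purposes:
            verdict = "block"
            reasons.append(f"{sorted(st['data'])}: recipients {sorted(bad_recipients)}, "
                           f"purposes {sorted(bad_purposes)}")
        elif st["retention"] & prefs["warn_retention"]:
            verdict = "warn" if verdict == "allow" else verdict
            reasons.append(f"{sorted(st['data'])}: retained {sorted(st['retention'])}")
    return verdict, reasons


def evaluate_policy(xml_text, prefs):
    """Full user-agent step: parse the site's policy, then decide against preferences."""
    return decide(parse_statements(xml_text), prefs)


if __name__ == "__main__":
    print(evaluate_policy(POLICY_XML, PREFS))
```

The check runs entirely on the user's side before the page loads; nothing in it can later verify that the site actually behaves as the policy claims, which is exactly the limitation stated above.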

Enterprise Privacy Authorization Language (EPAL)

- Interoperability language for exchanging privacy policy in a structured format between applications/enterprises
- Access-centric
- Based on “strong associations” of fine-grained privacy policies (“sticky policies”)

EPAL Policy: Defines lists of hierarchies of

- Data categories
- User categories
- Purposes
- Actions
- Obligations
- Conditions

Example of EPAL Rule

Privacy Policy (informal):

Allow a sales agent or a sales supervisor to collect a customer's data for order entry if the customer is older than 13 years of age and the customer has been notified of the privacy policy. Delete the data 3 years from now.

EPAL Privacy Rule:

ruling: allow
user category: sales department
action: store
data category: customer-record
purpose: order-processing
condition: the customer is older than 13 years of age
obligation: delete the data 3 years from now
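An added example (toy code, not the EPAL specification or any product's policy engine) that encodes the rule above and evaluates access requests against it. It shows the two things the rule table alone does not: how the user and data category hierarchies make "sales department" match a sales agent or a sales supervisor, and how a fired rule returns an obligation alongside the ruling. The category names, the hierarchies, and the notified flag in the condition (taken from the informal policy) are all constructed for this example.

```python
"""Added example: a small evaluator for an EPAL-style privacy rule.
Toy code, not the EPAL specification or any vendor's engine; all names are constructed."""
from dataclasses import dataclass, field
from typing import Callable

# Category hierarchies (child -> parent), as an EPAL policy would declare them.
# Constructed for this example: both sales roles sit under "sales-department".
USER_HIERARCHY = {
    "sales-agent": "sales-department",
    "sales-supervisor": "sales-department",
    "marketing-analyst": "marketing-department",
}
DATA_HIERARCHY = {
    "customer-address": "customer-record",
    "customer-email": "customer-record",
}


def with_ancestors(category: str, hierarchy: dict) -> set:
    """The category itself plus every parent above it in the hierarchy."""
    chain = {category}
    while category in hierarchy:
        category = hierarchy[category]
        chain.add(category)
    return chain


@dataclass
class Rule:
    ruling: str                        # "allow" or "deny"
    user_category: str
    action: str
    data_category: str
    purpose: str
    condition: Callable[[dict], bool]  # checked against the request context
    obligation: str = ""               # what the enterprise must do if the rule fires


@dataclass
class Request:
    user_category: str
    action: str
    data_category: str
    purpose: str
    context: dict = field(default_factory=dict)  # facts the condition is evaluated on


def evaluate(rules: list, req: Request) -> tuple:
    """First matching rule wins (EPAL rules are ordered); no match means deny.
    A rule matches when its categories are the request's categories or ancestors of them.
    Returns (ruling, obligations)."""
    for r in rules:
        if (r.user_category in with_ancestors(req.user_category, USER_HIERARCHY)
                and r.data_category in with_ancestors(req.data_category, DATA_HIERARCHY)
                and r.action == req.action
                and r.purpose == req.purpose
                and r.condition(req.context)):
            return r.ruling, ([r.obligation] if r.obligation else [])
    return "deny", []


# The slide's rule, encoded: the sales department may store customer records for
# order processing if the customer is older than 13 and was notified of the policy.
SLIDE_RULE = Rule(
    ruling="allow",
    user_category="sales-department",
    action="store",
    data_category="customer-record",
    purpose="order-processing",
    condition=lambda ctx: ctx.get("customer_age", 0) > 13 and ctx.get("notified", False),
    obligation="delete the data 3 years from now",
)
POLICY = [SLIDE_RULE]


if __name__ == "__main__":
    req = Request("sales-agent", "store", "customer-email", "order-processing",
                  {"customer_age": 30, "notified": True})
    print(evaluate(POLICY, req))  # ('allow', ['delete the data 3 years from now'])
```

The obligation is returned to the caller rather than executed: EPAL only decides and attaches obligations, which is the "privacy management is more than authorization" point raised below.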

Current Usage Scenario

[Diagram: the Service Provider transmits its P3P Policy to the User Agent, which the Consumer configures and which accepts or rejects; the Consumer reveals personal information to the Service Provider; the Service Provider respects its own EPAL Policy.]

Consumer bases her decision on announced P3P policy, which is not formally related to operative EPAL policy.

Issues

- Privacy promises made without mechanism for enforcement
- The “stickiness” of policies is not enforceable
- Too much trust in the enterprise
- Leakages can still happen
- Minimal user involvement (negotiation)
- Privacy management is more than authorization

Recommendation

Third Party Auditor: Tracing & Auditing Data

- Trusted third party to provide a mechanism for auditing/logging each disclosure
- Manages and records release of data (encryption)
- Validates privacy policy adhering environment of recipient
- Creates a paper trail

Legislation to prosecute privacy violations

- In particular, legislation regulating the data brokering industry (ex: require deletion/renewal of data after x years, etc)
- Auditing should help with prosecution

Suggested Scenario

[Diagram: the Data Subject sends Personal Data (encrypted) together with Privacy Policies to Enterprise 1; Enterprise 1 passes the Personal Data (encrypted) with Privacy Policies (EPAL rules) on to Enterprise 2; a Trusted Auditing and Tracing Authority issues the Decryption Key.]

Details

- Identity-Based Encryption: Data Sender encrypts data package (data + privacy policy); Trusted Auditing Authority provides decryption keys to verified Data Recipient
- Trusted Computing defined by Auditor could be used to ensure privacy policy adhering environment
- Would allow for greater “stickiness” of policies to data (tamper-proof data tags):
  - Privacy policy rules (ex: expiration date, etc)
  - Digital signatures to indicate where the data came from (third party or directly from the user)
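The suggested scenario and these details, reduced to a runnable added example (not code from any real system). A data subject packages data with its sticky policy and an origin signature, an auditing authority holds the key, validates recipients, checks the policy's purpose and expiration before releasing the key, and records every request as the paper trail. Three simplifications, all assumptions of this example: the authority escrows a per-package symmetric key instead of acting as an identity-based-encryption key generator; HMAC stands in for the digital signature on the data's origin; the cipher is an illustrative SHA-256 counter keystream, not a real encryption scheme.

```python
"""Added example: the trusted auditing and tracing authority flow from the slides.
Not code from any real system. Stand-ins, all labelled: key escrow instead of IBE,
HMAC instead of a digital signature, a SHA-256 keystream instead of a real cipher."""
import hashlib
import hmac
import json
import os
from datetime import date


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher: XOR with SHA-256(key || block counter). Stand-in only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def make_package(sender_key: bytes, data: dict, policy: dict, origin: str) -> tuple:
    """Sender side: bind the policy to the data (sticky policy), tag its origin,
    encrypt under a fresh key. Returns (package, package_key)."""
    body = json.dumps({"data": data, "policy": policy, "origin": origin},
                      sort_keys=True).encode()
    tag = hmac.new(sender_key, body, hashlib.sha256).hexdigest()  # stand-in signature
    package_key = os.urandom(32)
    package = {"id": os.urandom(8).hex(), "ciphertext": xor_stream(package_key, body),
               "tag": tag}
    return package, package_key


class AuditingAuthority:
    """Trusted third party: holds keys, validates recipients, logs every release."""

    def __init__(self):
        self._escrow = {}        # package id -> (key, policy)
        self._validated = set()  # recipients whose environment the auditor has checked
        self.trail = []          # the paper trail: every key request, granted or refused

    def register(self, package_id: str, key: bytes, policy: dict) -> None:
        self._escrow[package_id] = (key, policy)

    def validate_recipient(self, recipient: str) -> None:
        """Stands in for checking that the recipient runs a policy-adhering environment."""
        self._validated.add(recipient)

    def request_key(self, package_id: str, recipient: str, purpose: str, today: date):
        """Release the key only if the recipient is validated and the sticky policy allows."""
        key, policy = self._escrow[package_id]
        reason = None
        if recipient not in self._validated:
            reason = "recipient environment not validated"
        elif purpose not in policy["allowed_purposes"]:
            reason = "purpose not permitted by sticky policy"
        elif today > date.fromisoformat(policy["expires"]):
            reason = "data past its expiration date"
        self.trail.append({"package": package_id, "recipient": recipient,
                           "purpose": purpose, "date": today.isoformat(),
                           "granted": reason is None, "reason": reason})
        return key if reason is None else None


def open_package(package: dict, key: bytes, sender_key: bytes) -> dict:
    """Recipient side: decrypt, then check the origin tag before trusting the contents."""
    body = xor_stream(key, package["ciphertext"])
    expected = hmac.new(sender_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        raise ValueError("package tampered with or origin forged")
    return json.loads(body)


def run_scenario():
    """Data Subject -> Enterprise 1 (validated) and Enterprise 2 (not validated)."""
    authority = AuditingAuthority()
    subject_key = b"constructed-signing-key-of-the-data-subject"
    policy = {"allowed_purposes": ["order-processing"], "expires": "2009-04-11"}
    package, key = make_package(subject_key, {"name": "J. Doe", "age": 30}, policy, "user")
    authority.register(package["id"], key, policy)
    authority.validate_recipient("enterprise-1")
    when = date(2006, 4, 11)
    k1 = authority.request_key(package["id"], "enterprise-1", "order-processing", when)
    opened = open_package(package, k1, subject_key)
    k2 = authority.request_key(package["id"], "enterprise-2", "order-processing", when)
    k3 = authority.request_key(package["id"], "enterprise-1", "marketing", when)
    return opened, k2, k3, authority.trail


if __name__ == "__main__":
    for entry in run_scenario()[3]:
        print(entry)
```

The trail is the point of the design: whether or not a request is granted, the authority records who asked for which package, for what purpose and when, so a later prosecution has evidence even when the data subject never noticed the disclosure.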

Limitations

- Difficult to build a trusted network of this type
- Inherent technical difficulty in representing privacy policies as machine-readable code remains. Ex: A very large number of EPAL rules required to implement HIPAA, making it difficult to implement as well as maintain.
- Future of Trusted Computing is unknown
- Regardless of technical solutions, there must be legislative enforcement to encourage this type of rigorous auditing and also to prosecute violations
