Www.ipc.on.ca Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario.

Presentation transcript:

Building in Privacy from the Bottom up: How to Preserve Privacy in a Security-Centric World Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Carnegie Mellon University Lecture Pittsburgh, PA November 4, 2004

Slide 2 Impetus for Change Growth of Privacy as a Global Issue EU Directive on Data Protection Increasing amounts of personal data collected, consolidated, aggregated Consumer Backlash; heightened consumer expectations

Slide 3 Importance of Consumer Trust In the post-9/11 world: Consumers either as concerned or more concerned about online privacy Concerns focused on the business use of personal information, not new government surveillance powers If consumers have confidence in a company's privacy practices, consumers are more likely to:
- Increase volume of business with company: 91%
- Increase frequency of business: 90%
- Stop doing business with company if PI misused: 83%
Harris/Westin Poll, Nov & Feb. 2002

Slide 4 How The Public Divides on Privacy The Privacy Dynamic - Battle for the minds of the pragmatists Dr. Alan Westin

Slide 5 Information Privacy Defined Information Privacy: Data Protection Freedom of choice; control; informational self-determination Personal control over the collection, use and disclosure of any recorded information about an identifiable individual

Slide 6 What Privacy is Not Security Privacy

Slide 7 The Privacy/Security Relationship Privacy relates to personal control over one's personal information Security relates to organizational control over information These represent two overlapping, but distinct activities

Slide 8 Privacy and Security: The Difference Security: Organizational control of information through information systems Authentication; Data Integrity; Confidentiality; Non-repudiation Privacy; Data Protection Fair Information Practices

Slide 9 The Perils of Not Protecting Privacy… Privacy disasters
– Intel Pentium III
– RealNetworks
– Microsoft HotMail
– Amazon/Alexa
– CD Universe
– Look Communications
"It was skin searing experience. We can't take another hit like that." MS Senior Executive

Slide 10 Technology Can Help "The most effective means to counter technology's erosion of privacy is technology itself." Alan Greenspan, Federal Reserve Chairman "A technology should reveal no more information than is necessary…it should be built to be the least revealing system possible." Dr. Lawrence Lessig, Harvard, September 1999

Slide 11 Privacy By Design: Build It In
- Build in privacy – up front, right in the design specifications
- Minimize the collection and routine use of personally identifiable information – use aggregate or coded information if possible
- Wherever possible, encrypt personal information
- Think about anonymity and pseudonymity
- Assess the risks to privacy: conduct a privacy impact assessment; privacy audit

Slide 12 Privacy by Design: Technology Architectures of Identification PKI: confidentiality or surveillance Biometrics: privacy or social control Business/government drivers for designing trust into systems and programs Wireless technology: m-commerce convergence, convenience, control

Slide 13 Biometrics: The Myth of Accuracy The problem with large databases containing thousands (or millions) of biometric templates: False positives False negatives

Slide 14 Biometric Identification: False Positive Challenge "Even if you have a 1 in 10,000 error rate per fingerprint, then a person being scanned against a million-record data set will be flagged as positive 100 times. And that's every person. A system like that would be useless because everyone would be a false positive." Bruce Schneier, quoted in Ann Cavoukian's Submission to the Standing Committee on Citizenship and Immigration, November 4,
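
The scaling argument on Slide 14, worked through as an added example (not part of the original presentation). It assumes every comparison is independent and has the same per-comparison false match rate; the function names and the term "gallery" for the enrolled data set are chosen here for illustration.

```python
import math


def expected_false_matches(fmr: float, gallery_size: int) -> float:
    """Expected false matches when one person is compared with every record."""
    return fmr * gallery_size


def prob_any_false_match(fmr: float, gallery_size: int) -> float:
    """P(at least one false match) = 1 - (1 - fmr)^N, computed stably."""
    return -math.expm1(gallery_size * math.log1p(-fmr))


def required_fmr(gallery_size: int, target: float) -> float:
    """Per-comparison rate needed so that P(any false match) stays at target.

    Solves 1 - (1 - f)^N = target for f.
    """
    return -math.expm1(math.log1p(-target) / gallery_size)


def scaling_table(fmr: float, sizes):
    """Rows of (gallery size, expected false matches, P(any false match))."""
    return [(n, expected_false_matches(fmr, n), prob_any_false_match(fmr, n))
            for n in sizes]


if __name__ == "__main__":
    FMR = 1e-4  # the "1 in 10,000" figure quoted on the slide
    for n, exp, p in scaling_table(FMR, [1_000, 10_000, 100_000, 1_000_000]):
        print(f"records={n:>9,}  expected false matches={exp:8.1f}  "
              f"P(at least one)={p:.6f}")
    # How accurate a single comparison must be for a 1% chance of any
    # false match against the million-record data set from the slide.
    need = required_fmr(1_000_000, 0.01)
    print(f"per-comparison rate needed for 1% at 1,000,000 records: {need:.3e}")
```

Under these assumptions the required per-comparison rate shrinks roughly in proportion to the size of the data set, which is why an error rate that looks small for one-to-one verification fails for one-to-many identification.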

Slide 15 Facial Recognition: the Reality Test results less than stellar
- Logan Airport pilot had a 50% error rate in real world conditions
- U.S. State Department has stated that facial recognition has unacceptably high error rates
- U of Ottawa tests this summer resulted in accuracy rates between 75% to more than 90%
- National Institute for Standards and Technology, under ideal lighting and controlled environment conditions reported 90% accuracy
- Superbowl facial recognition no longer considered useful by subsequent organizers
Biometrics Benched for Super Bowl, by Randy Dotinga, Wired Magazine

Slide 16 STEPS: The Context Terrorist attacks 9/11 Government concerns over public safety U.S. Patriot and anti-terrorist legislation Polarized debate for Security/Privacy

Slide 17 Change the Paradigm Old Paradigm: Zero Sum Game New Paradigm: (win-win) Security + Privacy = Freedom Expand the discourse: Privacy and Security are not polar opposites but essential components

Slide 18 The Challenge for Solution Developers Introduce privacy into the concept, design and implementation of technology solutions Promote existing STEPs: 3-D Holographic Scanner: respecting physical privacy while enhancing security Biometric encryption: better security plus ironclad privacy

Slide 19 Fair Information Practices: A Brief History OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data EU Directive on Data Protection CSA Model Code for the Protection of Personal Information Canada Personal Information Protection and Electronic Documents Act (PIPEDA)

Slide 20 Summary of Fair Information Practices Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure, Retention; Accuracy; Safeguards; Openness; Individual Access; Challenging Compliance

Slide 21 Privacy Diagnostic Tool Simple, plain-language tool (paper and e-versions) Free & self-administered CSA model code to examine an organization's privacy management practices

Slide 22 Privacy Enhancing Technologies What are PETs? Anonymisers, pseudonymisers, intermediaries Their Strengths: tools to protect personal information Their Limitations: usually individual responses to an existing architecture; sometimes someone still has your personal information

Slide 23 PETTEP Privacy Enhancing Technologies Testing and Evaluation Project How does one determine whether a technology can deliver on its privacy promises? PETTEP is intended to test the claims of various technologies regarding their ability to perform in a privacy protective manner

Slide 24 PETTEP (cont'd) Modeled on the Common Criteria – an international standard used to test the security components of technologies For privacy, Fair Information Practices (FIP) would form the basis of the testing The challenge is to translate FIPs into the functional requirements of the Common Criteria – to find the design correlates of FIPs

Slide 25 PETTEP Status Update EDS has partnered with the IPC and PETTEP to develop an enhancement of the Privacy Chapter in the Common Criteria; EDS is also committed to developing the necessary privacy profiles that will form the basis of testing and evaluating the privacy claims of various technologies; PETTEP, the IPC and EDS plan to pilot several technologies/systems to refine the enhanced Privacy Chapter.

Slide 26 Final Thought Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope. Forrester Research, March 5, 2001

How to Contact Us Commissioner Ann Cavoukian Information & Privacy Commissioner/Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8 Phone: (416) Web: