ISTPA Framework Project: Combining Security and Privacy Throughout the Life Cycle of Personal Information. Michael Willett, Wave Systems; Chair, ISTPA Framework Project. (Slide deck; each slide carries the footer "Confidential".)

Slide 1: title slide.

Michael Willett: (Assume the listener is familiar with the overall ISTPA mission, projects, and objectives.) The objective of the Framework Project is to develop an analytic framework for privacy services that "implement" the privacy fair information practices and privacy principles. The Framework can serve as both an operational model for evolving implementations and as a tool for assessing the completeness of solutions.

Slide 2: PRIVACY in context. Terms surrounding "PRIVACY" on the slide: EU Data Protection Directive; Safe Harbor/FTC; HIPAA; GLB; Web Services; Identity/Authentication/SSO; Liberty Alliance; Microsoft Passport; the Edge; e-Business; COPPA.

Slide 3: PRIVACY? Candidate definitions considered on the slide:
- Privacy = Isolation
- Privacy = Anonymity
- Privacy = Confidentiality
- Privacy = Access Control

Slide 4: Definitions.
- Security: locks, guards, passwords, cryptography, digital signatures, ...; the establishment and maintenance of measures to protect a system.
- Privacy: proper handling and use of personal information (PI) throughout its life cycle, consistent with the preferences of the subject.
- Confidence/trust: freedom from worry; a feeling.
Diagram: Security + Privacy (plus Value) -> Confidence/Trust.

Michael Willett: Security deals with PROTECTION of a system, whereas privacy deals with the USE of personal information (PI). Security is an essential element of privacy, but even in a secure environment, PI can be misused (i.e., inconsistent with the preferences of the PI subject). Trust is not a technology or even a process; rather, trust is a feeling. By implementing security and privacy and adding customer value, we strive to engender trust in the customer/consumer.

Slide 5: Privacy Management (diagram). Labels on the slide: Personal Information; Preferences; Proper Handling; Consistency; Use of Personal Information; Personal Information Life Cycle; Privacy Management.

Slide 6: Fair Information Practices.
- Notice and Awareness
- Choice and Consent
- Individual Access
- Information Quality and Integrity
- Update and Correction
- Enforcement and Recourse

Michael Willett: These fair information practices are more "operational" than the principles, but are still missing the procedural and functional "glue" to tie them together into a system. The names of the practices are self-explanatory as to the desired behavior. For example, Choice and Consent means that the subject of the requested PI can exercise choice over the types of PI collected and can consent to that collection (either opt-out or opt-in) and the subsequent use of the PI by the requestor.

Slide 7: Life Cycle Management of PI. Touch points along the life cycle: Source/Subject -> Intermediary -> Repository/Custodian -> Requestor/Receiver.

Michael Willett: If PI never left the immediate control of the subject, then privacy would not be a problem. Issues arise when PI leaves the immediate control of the subject and moves through/to various touch points, where others may be able to "touch" and see the PI. Privacy is a PI life cycle issue.

Slide 8: "Operational" Requirements.
- Interfacing
- Control
- Life Cycle Issues
- Exception Processing
- Security
- Integrity

Michael Willett: To create an operational framework, various system capabilities must be identified that are not explicit at the privacy requirements level (requirements = privacy practices, principles). For example, a Control function is essential to honoring the PI usage desires of the subject, but is not explicit in the privacy principles. Interfacing to the Framework is not explicit in the privacy principles, but is another essential operational service.

Slide 9: Privacy Services/Capabilities (©).
- Interaction
- Agent ©
- Validation
- Negotiation
- Enforcement
- Control
- Audit (Log)
- Certification
- Usage ©
- Access ©

Michael Willett: After several iterative rounds, the Framework Project team has evolved the following operational Services:

Agent: A software process acting on behalf of a data subject or a requestor to engage with one or more of the other Services defined in this Framework. Agent also refers to the human data subject in the case of a manual process.

Interaction: Handles presentation of proposed agreements from a data collection entity to a data subject; input of the subject's personal information, preferences, and actions; and confirmation of actions. To the extent the data subject is represented by an Agent, this service comprises the interface to the Agent.

Control: Handles the role of "repository gatekeeper" to ensure that access to personal information stored by a data collection entity complies with the terms and policies of an agreement and any applicable regulations.

Validation: Handles checking for correctness of personal information at any point in its life cycle.

Negotiation: Handles arbitration of a proposal between a data collection entity and a data subject. Successful negotiation results in an agreement. Negotiation can be handled by humans, by agents, or any combination.

Usage: Handles the role of "processing monitor" to ensure that active use of personal information outside of the Control Service complies with the terms and policies of an agreement and any applicable regulations. Such uses include derivation, aggregation, anonymization, linking, and inference of data.

Audit: Handles the recording and maintenance of events in any Service to capture the data necessary to ensure compliance with the terms and policies of an agreement and any applicable regulations.

Certification: Handles validation of the credentials of any party involved in processing of a personal information transaction.

Enforcement: Handles redress when a data collection entity is not in conformance with the terms and policies of an agreement and any applicable regulations.
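The Negotiation service above, together with the opt-in/opt-out distinction from the Choice and Consent practice on slide 6, is the point where a proposal becomes an agreement or fails. The following is an added example, not code from the ISTPA slides or any ISTPA implementation: the ProposedUse fields, the "required" flag, the consent-mode names ("opt-in", "opt-out") and the sample shop proposal are assumptions made here for illustration. It shows how silence is read differently under the two consent modes, and why a declined or un-consented required item must yield no agreement rather than a partial one.

```python
"""Negotiation and Choice/Consent: turning a data collection entity's proposal
and the data subject's choices into an agreement.

Added example, not code from the ISTPA slides. The ProposedUse fields, the
'required' flag, the consent-mode names ("opt-in", "opt-out") and the sample
proposal are assumptions made here for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProposedUse:
    """One line of the proposal: a PI item, the purpose it is wanted for,
    whether the transaction cannot proceed without it, and the consent mode."""
    pi_item: str
    purpose: str
    required: bool
    consent_mode: str  # "opt-in": silence means no; "opt-out": silence means yes


@dataclass
class Agreement:
    """Result of a successful negotiation: the (pi_item, purpose) pairs the
    requestor may collect and use. This is what a PI Container would carry."""
    permitted: set[tuple[str, str]] = field(default_factory=set)

    def allows(self, pi_item: str, purpose: str) -> bool:
        return (pi_item, purpose) in self.permitted


def negotiate(proposal: list[ProposedUse],
              choices: dict[tuple[str, str], bool]) -> Agreement | None:
    """Arbitrate a proposal against the subject's choices.

    choices maps (pi_item, purpose) to True (consented) or False (declined);
    a pair absent from choices means the subject expressed nothing, and the
    consent mode decides how that silence is read. Returns None (no agreement)
    when a required use is not granted, so the requestor cannot quietly
    proceed without it.
    """
    agreement = Agreement()
    for use in proposal:
        key = (use.pi_item, use.purpose)
        if use.consent_mode == "opt-in":
            granted = choices.get(key) is True        # explicit yes needed
        elif use.consent_mode == "opt-out":
            granted = choices.get(key) is not False   # only an explicit no blocks
        else:
            raise ValueError(f"unknown consent mode {use.consent_mode!r}")
        if granted:
            agreement.permitted.add(key)
        elif use.required:
            return None
    return agreement


# Constructed sample proposal from a hypothetical online shop.
SHOP_PROPOSAL = [
    ProposedUse("email", "order-fulfilment", required=True, consent_mode="opt-out"),
    ProposedUse("email", "marketing", required=False, consent_mode="opt-in"),
    ProposedUse("postcode", "order-fulfilment", required=True, consent_mode="opt-in"),
]


def demo() -> dict[str, Agreement | None]:
    """Three subjects with different choices against the same proposal."""
    return {
        # Explicit consent to the opt-in required item, silence on the rest:
        # both fulfilment uses are granted, marketing is not.
        "alice": negotiate(SHOP_PROPOSAL, {("postcode", "order-fulfilment"): True}),
        # Declines a required opt-out use: no agreement.
        "bob": negotiate(SHOP_PROPOSAL, {("postcode", "order-fulfilment"): True,
                                         ("email", "order-fulfilment"): False}),
        # Says nothing at all: the opt-in required item is not granted.
        "carol": negotiate(SHOP_PROPOSAL, {}),
    }


if __name__ == "__main__":
    for subject, agreement in demo().items():
        print(subject, sorted(agreement.permitted) if agreement else "no agreement")
```

The asymmetry is deliberate: under opt-in, `choices.get(key) is True` treats a missing entry and an explicit decline identically, while under opt-out only an explicit `False` withholds consent. Whether a given jurisdiction permits opt-out at all is one of the parameters the later slides leave to the legal and policy layer.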

Slide 10: Subject "Permission" Bound to PI (diagram). Labels on the slide: Binding; Permission; Personal Information; Life Cycle; Container.

Michael Willett: In order for the PI subject to exercise vicarious control over the PI as it travels beyond the immediate control of the subject, the 'permissions' (allowable uses) granted by the PI subject must be bound in some way to the PI. Further, the binding mechanism must be robust enough and respected by subsequent touch points in the PI life cycle so as to faithfully support the usage desires of the subject. Depending on local or jurisdictional requirements, the binding mechanism could range from simple pointers to robust cryptography. The Framework does not mandate a particular binding, but rather treats the binding selection as a configuration parameter to the Framework.

Slide 11: PI Container (PIC). Contents shown: PI; PI Contract (PI Intended Use, Credentials, Policies, Conditions, Permissions); Identity Credentials; Signature; Binding.

Michael Willett: In order to transport the PI bound to the permissions throughout its life cycle, a "PI Container" is used. The binding mechanism is a configuration parameter, from simple pointers to full cryptographic binding. Included in the container are the Contract (including the negotiated Permissions) and the Credentials for the subject.

Slide 12: PI Touch Point Structure (layered, top to bottom): Requestor/Receiver (pull/push PI); Legal, Technical, Administrative; Security/Privacy (technologies/practices); Personal Information.

Michael Willett: At each touch point, a layered structure can be provided, with the requestor/receiver of PI at the top and the PI itself at the bottom (or innermost). The intervening layers consist of the security and privacy functions (i.e., the Framework), with a legal, technical, and administrative upper layer serving as the configuration or 'parameterization' layer for the Framework. Specific technology and policy choices are not hard-wired into the Framework, but rather are configured into the Framework at run time. It is better to have ample, selectable parameters in the overall design, so that an installed implementation can simply be configured, instead of being replaced or upgraded.
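Slides 10 through 12 make one design point: the permissions travel with the PI inside the container, the binding between them is a configuration parameter chosen by the legal/policy layer, and the Control service at each touch point decides requests against that bound contract. The following is an added example, not code from the ISTPA slides or any ISTPA implementation, that shows why the choice of binding matters. The container layout, the binding mode names ("pointer", "mac"), the Control decision and reason strings, and the sample data are assumptions made here; an HMAC under a key held by the subject stands in for the slide's "Signature" so the example runs with the standard library alone, whereas a real deployment would use a digital signature so that touch points can verify the binding without holding the subject's key.

```python
"""PI Container (PIC) with the permission binding as a configuration parameter.

Added example, not code from the ISTPA slides or any ISTPA implementation.
The container layout, the binding mode names ("pointer", "mac"), the Control
decision/reason strings and the sample data are assumptions made here. An
HMAC under the subject's key stands in for the slide's "Signature" so the
example runs with the standard library only; a real deployment would use a
digital signature so that touch points can verify without the subject's key.
"""
from __future__ import annotations

import copy
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    """Deterministic encoding, so the binding covers exactly one byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_pic(pi: dict, contract: dict, credentials: dict,
              binding: str, key: bytes | None = None) -> dict:
    """Package PI with its negotiated contract (permissions) and the subject's
    credentials. 'binding' is the configuration parameter from slides 10/11."""
    pic = {"pi": pi, "contract": contract, "credentials": credentials,
           "binding": binding}
    if binding == "pointer":
        # Weakest option: the PI merely refers to the contract by identifier.
        pic["contract_ref"] = contract["id"]
    elif binding == "mac":
        if key is None:
            raise ValueError("mac binding needs the subject's key")
        body = {"pi": pi, "contract": contract, "credentials": credentials}
        pic["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    else:
        raise ValueError(f"unknown binding {binding!r}")
    return pic


def binding_intact(pic: dict, key: bytes | None = None) -> bool:
    """Can this touch point tell that PI, contract and credentials still belong
    together? With a pointer binding the answer is only 'the reference still
    matches', which any party that rewrites the contract in place preserves."""
    if pic["binding"] == "pointer":
        return pic["contract_ref"] == pic["contract"]["id"]
    if key is None:
        raise ValueError("verifying a mac binding needs the subject's key")
    body = {"pi": pic["pi"], "contract": pic["contract"],
            "credentials": pic["credentials"]}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pic["mac"])


def control_check(pic: dict, requestor: str, purpose: str,
                  key: bytes | None = None) -> dict:
    """Control service ('repository gatekeeper'): decide a request to use the
    PI for a purpose, and return the Audit event that records the decision."""
    if not binding_intact(pic, key):
        decision, reason = "deny", "binding-failed"
    elif purpose in pic["contract"]["permissions"]:
        decision, reason = "allow", "permitted-use"
    else:
        decision, reason = "deny", "use-not-in-agreement"
    return {"service": "Control", "subject": pic["credentials"]["subject"],
            "requestor": requestor, "purpose": purpose,
            "decision": decision, "reason": reason}


def widen_permissions(pic: dict, extra_purpose: str) -> dict:
    """A downstream touch point rewrites the contract to add a purpose the
    subject never agreed to. Returns a modified copy; the original is untouched."""
    forged = copy.deepcopy(pic)
    forged["contract"]["permissions"].append(extra_purpose)
    return forged


# Constructed sample data (not real PI, not a real key).
SUBJECT_KEY = b"constructed-demo-key-not-for-real-use"
PI = {"email": "alice@example.com", "postcode": "SW1A 1AA"}
CONTRACT = {"id": "agr-0001", "permissions": ["order-fulfilment"],
            "retention_days": 90}
CREDENTIALS = {"subject": "alice", "issuer": "demo-idp"}


def demo() -> dict[str, str]:
    """The same forged widening of permissions under each binding mode."""
    mac_pic = build_pic(PI, CONTRACT, CREDENTIALS, "mac", SUBJECT_KEY)
    ptr_pic = build_pic(PI, CONTRACT, CREDENTIALS, "pointer")
    return {
        "mac/agreed use": control_check(mac_pic, "shop", "order-fulfilment",
                                        SUBJECT_KEY)["reason"],
        "mac/marketing": control_check(mac_pic, "shop", "marketing",
                                       SUBJECT_KEY)["reason"],
        "mac/forged": control_check(widen_permissions(mac_pic, "marketing"),
                                    "shop", "marketing", SUBJECT_KEY)["reason"],
        "pointer/forged": control_check(widen_permissions(ptr_pic, "marketing"),
                                        "shop", "marketing")["reason"],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} -> {outcome}")
```

The last two cases are the point of the slide: with a cryptographic binding the Control service at a later touch point detects that the permissions no longer match what the subject signed off and denies the request, while with a pointer binding the forged contract passes because the only thing checked is that the reference still resolves. Which of the two an installation uses is exactly the "configuration parameter" slide 12 leaves to the legal, technical and administrative layer, and the Audit event returned by `control_check` is what the Audit and Enforcement services would later act on.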

Slide 13: Privacy Services/Capabilities, typical configuration (diagram).
- Layers, top to bottom: Legal, Regulatory, and Policy Context; Privacy Services/Capabilities; Security Foundation.
- Data Subject node: Agent; Interaction; Negotiation; Control; PI, Preferences & PIC Repository.
- Data Requestor node: Agent; Interaction; Negotiation; Control; Usage; PIC Repository.
- The PI Container (PIC) passes between the two nodes; Access is also shown.
- Assurance Services: Validation; Certification; Audit; Enforcement.

Michael Willett: Shown is a typical configuration of the privacy Services, with an Agent Service representing both the Subject and the Data Requestor. Interaction, Negotiation, and the all-important Control function provide a front-end to the secure data repository. The Assurance Services of Validation, Certification, Audit, and Enforcement support both nodes, whereas Usage supports the Data Requestor. The security services (e.g., OpenGroup taxonomy) are available to all the privacy services. The Legal, Regulatory, and Policy Context provides the necessary configuration and parameterization layer.

Slide 14: the same configuration as slide 13 with the Fair Information Practices overlaid on the Privacy Services. Practices shown: Notice/Awareness; Choice/Consent; Quality/Integrity; Access; Update/Correction; Enforcement/Recourse.

Michael Willett: The original fair information practices are overlaid on the Privacy Framework, showing the operational "implementation" of the practices. Note that Individual Access is a "use case" application of the Framework, exploiting Negotiation.

Slide 15: Summary.
- Privacy: consumer prejudice, legal time bomb
- ISTPA: "... admin/technical/legal framework ..."
- Privacy = proper handling ... consistent ... preferences
- Operational privacy principles/practices: SERVICES
- Combine with Security Services (e.g., OpenGroup)
- Usability studies (with Johns Hopkins Univ.)
- Privacy Framework version 1 document (30 May)
- CMU + ISTPA Technical Partnership

Michael Willett: The Privacy Framework structure is still evolving; your input and suggestions are welcome. The Framework Project is actively validating the Framework with Use Cases.

Slide 16: ISTPA. To receive a copy of the ISTPA Privacy Framework v1.0 document, write to: