Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jody Blanke and Janine Hiller August 7, 2017

Published byΘέμις Ιωάννου Modified over 5 years ago

Similar presentations

Presentation on theme: "Jody Blanke and Janine Hiller August 7, 2017"— Presentation transcript:

1 Jody Blanke and Janine Hiller August 7, 2017
Predictability As an Objective for Privacy Engineering and Risk Management Jody Blanke and Janine Hiller August 7, 2017

2 Cybersecurity and Privacy are two different concepts, however
The Cybersecurity Framework by NIST is widely recognized: adopted by private sector as well Review of Cybersecurity Framework identified that privacy protection is NOT well defined and therefore not necessarily well protected in federal systems

3 Enter . . .

4 An Engineering Approach to Privacy
(A Systems Approach)

5 Relationship Between Information Security and Privacy: now working on Privacy

6 The Privacy Framework In January 2017, NIST released An Introduction to Privacy Engineering and Risk Management in Federal Systems An Engineering Approach to Privacy Components for Privacy Engineering in Federal Systems Privacy Engineering Objectives Predictability Manageability Disassociability Introducing a Privacy Risk Model Privacy Risk Factors Privacy Risk Characteristics

7 Privacy Engineering: Objectives

8

9 Privacy Objectives support the Circular A-130 FIPPs
Access and Amendment Accountability Authority Minimization Quality and Integrity Individual Participation Purpose Specification and Use Limitation Security Transparency

10 Aligning A-130 FIPPs with the Privacy and Security Objectives

11 Focus on Predictability

12 What does Predictability really mean
What does Predictability really mean? (Especially in an era of quickly changing technology) “A reliable sense of what is occurring with PII in a system is core to building trust and accountability” “By framing predictability in terms of reliable assumptions, agencies can begin to measure more concretely the capabilities in a system that supports these principles” “If system owners and operators can reliably describe what is occurring with PII, they can better maintain accountability for system compliance with organizational privacy policies and system privacy requirements” “Predictability is about designing systems so that stakeholders are not surprised by the handling of PII”

13 The Meaning and Application of Predictability: Comparison to Legal Concepts
Patent Law and Nonobviousness Reasonableness NOTE: 1) these are analogies and comparisons, not direct applications, and 2) we include analysis of the impact of broader acceptance by the private sector

14 Patent Law: Predictable=Obvious Improvement Predictability is bad for the patent applicant but good for the privacy engineer. When an inventor improves upon an existing, patent protected technology or product, the improvement itself must be non-obvious in order to obtain a patent. The legal determination of whether the improvement is obvious, and therefore not patentable, invokes the question of whether the improvement upon, or a different use of, an existing invention is predictable. 2011 patent drawing for an improved method of delivering shaving lotion via soft pads on a razor

15 Determining Predictability
Prior Art will be considered to determine nonobviousness By analogy, determining prior art for use of PII and privacy protections requires a longitudinal understanding of the use of PII and privacy This is most pressing in today’s environment of fast changing data uses, similar to improvements on patented products In KSR International Co. v. Teleflex Inc. (KSR), the Supreme Court stated that: “When a work is available in one field of endeavor, design incentives and other market forces can prompt variations of it, either in the same field or a different one. If a person of ordinary skill can implement a predictable variation, § 103 likely bars its patentability.”

16 Two ways of viewing predictability for improvements:
“the improvement is more than the predictable use of prior art elements according to their established functions.” OR “[t]he combination of familiar elements according to known methods is likely to be obvious when it does no more than yield predictable results.” KSR (2007) Cotropia: Type I and Type II predictability. Type I is a gap analysis, Type II suffers from hindsight bias DANGER: Type II predictability induces Hindsight Bias for use of personal data under NIST predictability

17 Mapping Your Home---Sharing the Information with Smart Home/Smart Cities?

18 Reasonableness The “Reasonable Man” The “Ordinary Man”
The “Reasonable Person” The “Reasonable Woman” The “Ordinary Man” The “Average Joe” The “Man on the Clapham Omnibus” The “Man on the Street”

19 Katz v. United States (1967)

20 Katz v. United States (1967) The Two-Prong Test
[F]irst that a person have established an actual (subjective) expectation of privacy and [S]econd, that the expectation be one that society is prepared to recognize as “reasonable” The “Reasonable Expectation of Privacy” Test

21 Katz v. U.S. The Reality The Katz test should be just one prong
an objective test That’s what had been proposed That’s what courts have actually applied

22 The Hope for Predictability

Download ppt "Jody Blanke and Janine Hiller August 7, 2017"

Similar presentations

Module N° 3 – ICAO SARPs related to safety management

Module N° 3 – ICAO SARPs related to safety management
What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
Substantive environmental provisions Prof. Gyula Bándi.

Substantive environmental provisions Prof. Gyula Bándi.
“REACH-THROUGH CLAIMS”

“REACH-THROUGH CLAIMS”
Patents Copyright © 2009 - Jeffrey Pittman. Pittman - Cyberlaw & E- Commerce 2 Legal Framework of Patents The U.S. Constitution, Article 1, Section 8:

Patents Copyright © Jeffrey Pittman. Pittman - Cyberlaw & E- Commerce 2 Legal Framework of Patents The U.S. Constitution, Article 1, Section 8:
Determining Obviousness under 35 USC 103 in view of KSR International Co. v. Teleflex TC3600 Business Methods January 2008.

Determining Obviousness under 35 USC 103 in view of KSR International Co. v. Teleflex TC3600 Business Methods January 2008.
Vs. Miguel Chan UC Berkeley IEOR 190G March 2009.

Vs. Miguel Chan UC Berkeley IEOR 190G March 2009.
ISMT 520 Lecture #6: Protecting Technical and Business Process Innovations Dr. Theodore H. K. Clark Associate Professor and Academic Director of MSc Programs.

ISMT 520 Lecture #6: Protecting Technical and Business Process Innovations Dr. Theodore H. K. Clark Associate Professor and Academic Director of MSc Programs.
PROCEDURES FOR SELECTING THE CONTRACTOR

PROCEDURES FOR SELECTING THE CONTRACTOR
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.

Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
Informed Consent and HIPAA Tim Noe Coordinating Center.

Informed Consent and HIPAA Tim Noe Coordinating Center.
Eurasian Corporate Governance Roundtable

Eurasian Corporate Governance Roundtable
The Role of Risk Management and Assurance in Effective Organizational Governance Urton Anderson The University of Texas at Austin.

The Role of Risk Management and Assurance in Effective Organizational Governance Urton Anderson The University of Texas at Austin.
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
Utility Requirement in Japan Makoto Ono, Ph.D. Anderson, Mori & Tomotsune Website:

Utility Requirement in Japan Makoto Ono, Ph.D. Anderson, Mori & Tomotsune Website:
Determining Obviousness Under 35 U.S.C. § 103 After KSR v. Teleflex

Determining Obviousness Under 35 U.S.C. § 103 After KSR v. Teleflex
Strategy #5. IT Architecture and IT Infrastructure are Metaphors Architecture - the relationship between planning and building Infrastructure - examples.

Strategy #5. IT Architecture and IT Infrastructure are Metaphors Architecture - the relationship between planning and building Infrastructure - examples.
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.
NIST Special Publication Revision 1

NIST Special Publication Revision 1

Similar presentations

Ads by Google