Privacy Engineering
Closing the gap between Privacy by Design and implementation
Tomi Mikkonen | CTO, Privaon | [email protected] | @tmikkone
Antti Vähä-Sipilä | Software Security Guy, F-Secure | [email protected] | @anttivs
IAPP Europe Data Protection Congress 2014, Brussels | 18–20 November
Context
Privacy Program: Strategy, Governance, Principles, Requirements, Implementation, Assurance, Monitoring
Privacy Engineering
Privacy by Design
“Privacy by Design (PbD) refers to the philosophy and approach of embedding privacy into the design specifications of various technologies”
Ann Cavoukian, Information and Privacy Commissioner, Ontario
7 foundational principles:
• Proactive, not reactive
• Privacy as default
• Embedded into design
• Full functionality
• End-to-end security
• Visibility and transparency
• Respect for user privacy
Privacy Program: Strategy, Governance, Principles, Requirements, Implementation, Assurance, Monitoring
The Gap
The Gap of PbD
Processes and policies on one side, implementation on the other: a disconnect.
“Organisations are often uncertain how to implement systems that comply with data protection law, and are left to manage privacy in accordance with ‘best efforts’, with each system approaching the issue on a case-by-case basis. There are no internationally-recognized standards to guide organisations in implementing privacy controls.”
ICO Privacy by Design report, 2008
“‘Privacy by Design’ consists of a number of principles that can be applied from the onset of systems development to mitigate privacy concerns and achieve data protection compliance. However, these principles remain vague and leave many open questions about their application when engineering systems.”
Engineering Privacy by Design, Gürses et al., 2011
Privacy Engineering
• Activities and tools to build privacy into products
• Produce evidence for assurance
• Communication between governance and development functions
• More “how” than “what” to do
Fundamentals
• No best practice / guideline to implement privacy
• “Privacy must be built-in, not bolted on” – Integral part of product development
– There is no coding guideline for privacy
– Privacy cannot be “tested into” product
• Privacy does not prevent cool things from happening. The implementation just needs to be done “in the right way”
Who defines the “right way”?
Stakeholders: Security, Marketing, Analytics, Design, Legal, Sourcing
Acceptable privacy design
Compliance-based strategies
Risk-based strategies
Dramatis personae
Legal, Developers, Security, Auditors, Quality Assurance, Architects, Analytics, Business
The process, built up stage by stage:
• Baseline: Business (functional) requirements → Development & testing → Go / No Go (Business, Developers, Quality Assurance, Architects)
• Business / compliance privacy requirements are added alongside the functional requirements
• Triage and business-level PIA: Business, legal, analytics, architects
• Technical PIA (part of threat modelling): Architects, developers, security. Output: security controls, privacy acceptance criteria & PETs
• Implementation of privacy-related test cases: Developers, QA
• Privacy assurance evidence → Evaluating evidence: Business, legal, auditors → Go / No Go
Summary this far
1. High-level privacy principles do not necessarily tell exactly what to do
2. Privacy engineering enables communication between governance and R&D functions
3. In a modern software development model, privacy engineering needs to be iterative and the evidence needs to be continuous
CASE: COOKIES AND AN ONLINE MARKETING CAMPAIGN
Privacy Engineering in Practice
Cookies & privacy
Timeline: Design notices → Create cookie policy → Conduct PIA → Implementation → Cookie inventory → Cookie inventory (repeated over time)
“Modern” software development
• All work is on a prioritised backlog
• Incremental development
• Test automation
– Quality assurance in dev team
• Continuous Integration
• Automated deployment
Modern development
Over time: Requirement → Implementation, Requirement → Implementation, and so on in small increments, with continuous testing and continuous deployment throughout
Not modern
The same cookie timeline as one linear sequence: Design notices → Create cookie policy → Conduct PIA → Implementation → Cookie inventory → Cookie inventory
Online Marketing Campaign
Short-term
Purchases through third party web shops
Campaign performance must be measurable:
1. How many visitors clicked the ad?
2. How many visitors bought the product?
Implemented by digital marketing agency
Technical PIA with an MSC
Participants: Browser, URL shortener, Analytics, Affiliate, Web shop
Messages: Click ad → Set cookie & redirect → Redirect → Purchase
Recall modern development
Requirement → Implementation, repeated over time, with continuous testing and continuous deployment
Tests pass OK → ALL OK!
Test failures stop deployment
Requirement → Implementation, repeated over time, with continuous testing and continuous deployment; then the requirement “Add banner” is implemented
Continuous testing: NOT OK → Deployment: NOT OK
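The privacy-related test case that makes continuous testing say NOT OK, as an added example (not code from the presentation or from either author's organisation). It models the click-through chain from the MSC in the cookie case (URL shortener → analytics → affiliate → web shop) as a list of captured HTTP responses, parses every Set-Cookie header and compares the result with the declared cookie inventory. All hostnames, cookie names, the inventory and the three sample chains are constructed for the example; the "Add banner" chain adds an undeclared cookie, and the stale-inventory chain shows the opposite drift after a "Remove banner" change.

```python
"""Privacy-related test case for continuous testing: does the click-through
chain set only the cookies listed in the cookie inventory?

Added example, not code from the original presentation. The chain models the
MSC from the cookie case (browser -> URL shortener -> analytics -> affiliate ->
web shop). All hostnames, cookie names and the inventory are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass
class Hop:
    """One HTTP response seen by the browser while following the redirects."""
    host: str
    status: int
    headers: list[tuple[str, str]]


# The cookie inventory the cookie policy and notices were written from.
# Key: (host, cookie name); value: declared purpose. Constructed sample data.
COOKIE_INVENTORY = {
    ("short.example", "campaign_id"): "campaign attribution, 30 days",
    ("analytics.example", "visit"): "counting ad clicks, session",
    ("shop.example", "cart"): "shopping cart, session",
}

# Baseline chain as captured during the technical PIA (constructed).
BASELINE_CHAIN = [
    Hop("short.example", 302, [
        ("Location", "https://analytics.example/c?id=abc123"),
        ("Set-Cookie", "campaign_id=abc123; Max-Age=2592000; Path=/; Secure; HttpOnly"),
    ]),
    Hop("analytics.example", 302, [
        ("Location", "https://affiliate.example/go?id=abc123"),
        ("Set-Cookie", "visit=1; Path=/; Secure"),
    ]),
    Hop("affiliate.example", 302, [
        ("Location", "https://shop.example/product/42"),
    ]),
    Hop("shop.example", 200, [
        ("Set-Cookie", "cart=empty; Path=/; Secure; HttpOnly"),
    ]),
]

# The same chain after the "Add banner" change: the analytics hop now also
# drops a long-lived identifier that nobody added to the inventory.
ADD_BANNER_CHAIN = [
    BASELINE_CHAIN[0],
    Hop("analytics.example", 302, BASELINE_CHAIN[1].headers + [
        ("Set-Cookie", "banner_uid=u-42; Max-Age=31536000; Path=/"),
    ]),
    BASELINE_CHAIN[2],
    BASELINE_CHAIN[3],
]

# The chain after a "Remove banner"-style cleanup dropped the visit cookie,
# but the inventory (and therefore the notice) was never updated.
STALE_INVENTORY_CHAIN = [
    BASELINE_CHAIN[0],
    Hop("analytics.example", 302, [("Location", "https://affiliate.example/go?id=abc123")]),
    BASELINE_CHAIN[2],
    BASELINE_CHAIN[3],
]


def observed_cookies(chain: list[Hop]) -> list[tuple[str, str]]:
    """Parse every Set-Cookie header in the chain into (host, cookie name)."""
    seen = []
    for hop in chain:
        for header, value in hop.headers:
            if header.lower() != "set-cookie":
                continue
            jar = SimpleCookie()
            jar.load(value)  # parses name=value plus Max-Age, Path, Secure, ...
            for name in jar:
                seen.append((hop.host, name))
    return seen


def check_inventory(chain: list[Hop], inventory=COOKIE_INVENTORY) -> list[str]:
    """Compare the chain with the inventory. An empty list means the build may
    deploy; any finding is a failed privacy test case that stops deployment."""
    findings = []
    seen = observed_cookies(chain)
    for host, name in seen:  # drift in one direction: cookies nobody declared
        if (host, name) not in inventory:
            findings.append(f"undeclared cookie {name!r} set by {host}")
    for host, name in sorted(inventory):  # drift the other way: stale declarations
        if (host, name) not in seen:
            findings.append(f"declared cookie {name!r} not set by {host}: inventory and notice may be stale")
    return findings


if __name__ == "__main__":
    for label, chain in [("baseline", BASELINE_CHAIN),
                         ("add banner", ADD_BANNER_CHAIN),
                         ("stale inventory", STALE_INVENTORY_CHAIN)]:
        findings = check_inventory(chain)
        print(f"{label}: {'OK' if not findings else 'NOT OK'}")
        for finding in findings:
            print("  -", finding)
```

In a real pipeline the chains would come from a headless browser or an HTTP client following the campaign link, and the inventory would be the same file the cookie notice is generated from, so that the test fails whenever implementation and notice diverge in either direction. This is the evidence the "Privacy assurance evidence" stage consumes: a passing test on every build rather than a periodic cookie inventory.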
Non-modern development doesn’t even see it happening
Design notices → Create cookie policy → Conduct PIA → Implementation → Cookie inventory → Cookie inventory, over time
Meanwhile, on the same timeline: Add banner, Remove banner
Non-compliant, but nobody notices!