Bringing PETs to the Mainstream by Using Evaluation
Ken Anderson, Assistant Privacy Commissioner
Information & Privacy Commissioner/Ontario
Ken.Anderson@ipc.on.ca
Agenda
• Trends in large scale electronic systems
• Privacy Defined
• Privacy Enhancing Technologies (PETs)
• Privacy Enhancing Technologies Testing and Evaluation Project (PETTEP)
• Common Criteria
• PETTEP developments
Trends in Large Scale Electronic Systems
• Governments around the world are increasingly moving to smart cards and PKI to provide better identification and additional services to the public (e.g. UK Chip and PIN Program, Canada E-Pass)
  • Enhance the ID process
  • Prevent counterfeiting and protect against identity theft
  • Integrate different forms of ID used for several purposes into one (Italy’s national ID combines biometric, driver’s license, official ID and health card)
• Improve and add new services
  • Movement from “interacting” in person to on-line
  • Combine with 3rd party services (e.g. Hong Kong Octopus Card, which combines a transit fare card and digital cash in some outlets)
More Trends in Large Scale Electronic Systems
• Services incorporated on a National/Enterprise Scale (for example):
• Government-to-Citizen
  • Identification Documents (Italian national ID cards)
  • Voting
  • Taxes Online (Canada Customs and Revenue Agency)
  • Personal forms and documents
  • On-line access to government services and information (Hong Kong Electronic Service Delivery)
  • Digital notary (PKI)
• Government-to-Business
  • Taxes
  • Business forms and documents
  • On-line access to government services and information
  • Digital notary (PKI)
Privacy Defined
• Personal control over the collection, use and disclosure of any recorded information about an identifiable individual
• An organization's responsibility for data protection and safeguarding personal information in its custody or control
Privacy Concerns are Increasing
• Concern that information is collected, used, disclosed and protected properly
• Compliance with legislation
Privacy Enhancing Technologies
PETs have been defined as “a coherent system of Information and Communications Technology measures that protect privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data; all without losing the functionality of the data system” - Dr. John Borking
Privacy Enhancing Technologies
• A Partial List of Types of PETs
  • Anonymizers/Pseudonymizers
  • Limited Show Blind Signatures
  • Biometric Encryption
  • Secret Sharing
  • Privacy Preserving Data Mining
  • Unlinkable databases
  • Unobservable data management
The Concern
• PETs must be trustworthy before they can be deployed.
• Barriers to PET proliferation:
  • Different testing schemes
  • No defined criteria
  • No international coordination
• Need to evaluate PETs under a common standard recognized internationally
Privacy Enhancing Technologies Testing and Evaluation Project (PETTEP)
PETTEP
• March 2001: Ontario IPC formed an international team to take on the challenge of developing testing criteria for PETs
• Privacy Enhancing Technologies Testing and Evaluation Project (PETTEP)
• Members included Privacy and CC experts from government, industry and legal:
  • US Department of Defense
  • IBM
  • Microsoft
  • Data Protection/Privacy Commissions
PETTEP Goals
• Goals: Short Term to Long Term
  • Develop Testing Criteria for Labs
  • Implement Pilot Testing
  • Foster PET Technology Development
  • Advocate Technology Implementation
  • Design Privacy Protections into Technology Standards
Enter the Common Criteria
The Common Criteria (CC) represents the outcome of a series of efforts to develop criteria for evaluation of IT security that are broadly useful within the international community.
http://www.commoncriteria.org/
PETTEP
• Consider basing evaluation of PETs on the CC
• Internationally accepted criteria for IT security (ITS) products
• National evaluation schemes already exist to provide oversight, lab accreditation and evaluation methodology
• Although intended for security, privacy elements are already included
• “Security Functional Requirements” may be mapped to the elements of the Privacy Fair Information Practices
Why the Common Criteria as Foundation?
• The Common Criteria already had a place-holder developed for privacy technologies that dealt with observability, linkability, traceability and anonymity.
• The Communications Security Establishment (CSE), the US National Security Agency’s Canadian equivalent, joined the project and funded two initial contracts to examine elements of this project.
• The Common Criteria scheme was both endorsed by a growing number of national governments and formed an International Standards Organization (ISO) standard.
• Independent testing labs around the world are accredited Common Criteria certifiers.
Using the Protection Profile Model in the Common Criteria
• Protection Profile (a standard tool of the Common Criteria)
  • A statement of user need
  • A system design document
  • A consistent thread from ‘what’ to ‘how’
  • Based on fair information practices
  • Provides high-level guidelines
  • Implementation independent
• The Protection Profile is the agreed-upon approach within PETTEP to address evaluation of privacy functionality.
PETTEP Approach
• Map Fair Information Practices to the CC where possible
• Determine how to approach evaluation of PETs: based on technology grouping, multiple Protection Profiles, a single Protection Profile, or a package?
• Gain understanding and consensus within the PETTEP membership on the way ahead
• Work within PETTEP to make this a reality soon
PETTEP 1st Workshop
• Sept 11 2001 – Kiel, Germany
• Initial meeting
• Agreed upon use of the Common Criteria (CC)
• Reviewed & discussed the Straw Man Privacy Protection Profile developed by DOMUS IT Security Lab
PETTEP: The 2nd Workshop
• April 2002: San Francisco
• Undertook analysis of the Electronic Warfare Associates-Canada Limited approach, which proposed a new set of functional requirements directly related to Privacy that needed to be introduced to the Common Criteria
PETTEP - The 3rd Workshop - Dresden
• March 2003: Dresden, Germany
• Fair Information Practices divided into 4 categories, allowing for the development of 4 Protection Profiles
• US Department of Defense consultants presented the first Protection Profile – Privacy Security
• Draft Protection Profile reviewed and generally accepted by Participants
PETTEP – Privacy PP Development
• Security – Includes:
  • Security and Safeguards
  • Openness
• Accuracy – Includes:
  • Data Accuracy
• Collection – Includes:
  • Consent
  • Identifying purpose
  • Limit use/disclosure
  • Limit collection
• Accountability – Includes:
  • Accountability
  • Challenging compliance
  • Individual access
PETTEP - The 4th Workshop - Kiel
• Analysis of the CC for re-usable elements for Privacy
• Final review of the Privacy Security PP developed by DoD
• Planned DoD CC evaluation of a smart card using Privacy Protection Profiles
• Review of proposed Data Protection Commission Privacy Seals as an interim step in PETTEP
• Examination of issues and the way ahead
Challenges Remaining
• How to use the existing functionality of the CC in the creation of Privacy Protection Profiles (PPs) (mapping of FIPs) – OR – are additional privacy functions required?
• Development of the other PPs
• Evaluation of the designated PET products against the PP (proof of concept)
• The need to evaluate more PET products (via PP or Security Targets)
• How to encourage vendors to have PET products evaluated
• Gaining acceptance of the PETTEP approach by the International Common Criteria body
• Time! and Money!!
Summary and Closing Thoughts
• Next Steps for the next 18 months:
  • Continue PETTEP workshops to review work by partners
  • Test technologies using Privacy Protection Profiles
  • Refine the Privacy component of the Common Criteria
  • Present to the International CC body to accept Privacy additions to the Common Criteria
Thank You
Ken Anderson, Assistant Privacy Commissioner
Information & Privacy Commissioner/Ontario
Ken.Anderson@ipc.on.ca