Privacy Engineering
Sarah Spiekermann & Lorrie Faith Cranor
DIMACS Workshop, Rutgers University, January 2007
Privacy Engineering (overview)
• Privacy Threats arising through IS activities
• User Privacy Concerns and 2 Layers of Responsibility for Privacy Engineers
• "Privacy by Policy" vs. "Privacy by Architecture"
• Designing Privacy by Architecture
    • Client centricity
    • Identifiability
• Forms of Trust created through Fair Information Practices
• Implementing Fair Information Practices
• Recognizing Responsibility for Data Sharing Networks
User Privacy Concerns and 2 Layers of Responsibility for Privacy Engineers
[Figure: 2-Layer Responsibility Framework. Columns: User Privacy Concerns | IS activities with regard to personal data | Data Recipient.
Layer I (client side, service edge 1): attention/inflow of data; unauthorized collection; unauthorized execution; exposure; access control.
Layer II (network edge 2: storage, processing, transfer): control of personal data collected; improper access; errors; reduced judgments; combining data; internal unauthorized 2nd use; external unauthorized 2nd use.]
Fair Information Practices are the typical short-cut approach to privacy engineering.
• (1) Notice: Data collectors should provide consumers with clear and conspicuous notice of their information practices, including what information they collect, how they collect it (e.g., directly or through non-obvious means such as cookies), how they use it, how they provide Choice, Access, and Security to consumers, whether they disclose the information collected to other entities, and whether other third parties besides themselves are collecting information about consumers as part of the service.
• (2) Choice: Data collectors should offer consumers choices as to how their personal identifying information is used beyond the use for which the information was provided (e.g., to consummate a transaction). Such choice would encompass both internal secondary uses (such as marketing back to consumers) and external secondary uses (such as disclosing data to other entities).
• (3) Access: Data collectors should offer consumers reasonable access to the information which is collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information.
• (4) Security: Data collectors should take reasonable steps to protect the security of the information they collect from consumers.
"Privacy by Policy" vs. "Privacy by Architecture"
[Figure: a spectrum of increasing privacy friendliness. At the low end, identified data collection in a network-centric architecture, protected by Privacy by Policy (through FIPs). At the high end, non-identified data collection in a client-centric architecture, protected by Privacy by Architecture.]
Designing Privacy by Architecture: Client Centricity
[Figure: Network Centricity: the client sends requests to the network, which returns services. Client Centricity: requests and services are handled on the client itself.]
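To make the architectural distinction concrete, here is an added toy model (not code from the slides or their authors) of one feature, a recommendation lookup, built both ways. In the network-centric design the client ships its identified profile to the server, so the server holds personal data and the user depends on policy (notice, choice, access, security) for protection. In the client-centric design the server only serves a generic catalog and the matching runs locally, so the profile never leaves the client. The catalog, user name and interest tags are constructed for the example.

```python
"""Toy model: privacy by policy (network-centric) vs privacy by architecture
(client-centric). Added illustration; all names and data are constructed."""
from dataclasses import dataclass, field

# Constructed catalog: item -> set of topic tags (no personal data).
CATALOG = {
    "article-1": {"privacy", "policy"},
    "article-2": {"privacy", "architecture"},
    "article-3": {"cooking"},
    "article-4": {"architecture", "cryptography"},
}


def recommend(catalog, interests):
    """Rank catalog items by tag overlap with the interest set.

    The matching logic is identical in both designs; only *where* it runs
    and therefore *who sees the interests* differs.
    """
    scored = [(len(tags & interests), item) for item, tags in catalog.items()]
    ranked = sorted(scored, key=lambda s: (-s[0], s[1]))
    return [item for score, item in ranked if score > 0]


@dataclass
class Server:
    """Server that records every request it receives, modelling Layer II
    (storage/processing) exposure of whatever the client sends."""
    catalog: dict
    log: list = field(default_factory=list)

    def handle_identified_request(self, user_id, interests):
        # Network-centric: the identified profile arrives and is stored.
        self.log.append({"user_id": user_id, "interests": sorted(interests)})
        return recommend(self.catalog, interests)

    def handle_catalog_request(self):
        # Client-centric: the request carries no personal data at all.
        self.log.append({"event": "catalog_served"})
        return dict(self.catalog)


def network_centric_flow(server, user_id, interests):
    """Privacy by policy: the server computes, so it must be trusted with data."""
    return server.handle_identified_request(user_id, interests)


def client_centric_flow(server, interests):
    """Privacy by architecture: the client computes over a downloaded catalog."""
    catalog = server.handle_catalog_request()
    return recommend(catalog, interests)  # runs on the client


def personal_data_in_log(server):
    """True if any server log entry contains identity or profile data."""
    return any("user_id" in e or "interests" in e for e in server.log)


if __name__ == "__main__":
    interests = {"privacy", "architecture"}
    net = Server(dict(CATALOG))
    cli = Server(dict(CATALOG))
    print(network_centric_flow(net, "alice", interests), net.log)
    print(client_centric_flow(cli, interests), cli.log)
```

Both flows return the same ranking; the difference is that the network-centric server's log contains the user's identity and interests while the client-centric server's log records only that a catalog was served, which is exactly the "non-identified data collection" end of the spectrum on the previous slide.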
Fair Information Practices create Knowledge-based Trust
• Knowledge-based Trust: the more someone knows about somebody else, the more that party's behavior becomes predictable and understandable
• Structural Assurance: safety nets, legal recourse, guarantees
• Calculative Trust: rational assessment of the other party's benefits and costs of cheating
Mechanisms: Fair Information Practices; Privacy Policies & Agents (e.g., Privacy Bird); Privacy Seals (e.g., TRUSTe)
Recognizing Responsibility for Data Sharing Networks (I)
[Figure: data sharing network around the Main User. Parties: content/service provider, application/system provider, access provider, peers, secondary user, several 3rd parties, and external parties (government/litigation related parties). Edges are marked either "data sharing always exists" or "data sharing could exist".]
Recognizing Responsibility for Data Sharing Networks (II)
Party X should inform about party Y
[Table: rows are party X, columns are party Y; cell contents not recoverable from the extraction.]
Thank you for your attention!
For more information, please contact the authors:
Sarah Spiekermann, Humboldt University Berlin; email@example.com
Lorrie Faith Cranor, Carnegie Mellon University; firstname.lastname@example.org