Chapter 2: Engineering and Privacy

Question 1

What is the role of Project Managers in the Privacy ecosystem?

Answer 1

Ensure that adequate resources are available and that team members communicate effectively

Question 2

What is the role of Marketing and Sales in the Privacy ecosystem?

Answer 2

Work with customers to establish new requirements

Question 3

What is the role of Lawyers in the Privacy ecosystem?

Answer 3

Track regulatory issues

Question 4

What is the role of Requirements Engineers in the Privacy ecosystem?

Answer 4

Collect, analyze and manage requirements

Question 5

What is the role of Designers in the Privacy ecosystem?

Answer 5

Translate software requirements into an architecture or design

Question 6

What is the role of Programmers in the Privacy ecosystem?

Answer 6

Translate software design into source code

Question 7

What is the role of Testers in the Privacy ecosystem?

Answer 7

Validate that the software conforms to the requirements

Question 8

What is the role of Users in the Privacy ecosystem?

Answer 8

Operate or interact with the software

Question 9

What is the role of Administrators in the Privacy ecosystem?

Answer 9

Install and maintain the software

Question 10

What is the role of the Privacy Engineer in the Privacy ecosystem?

Answer 10

Is the Privacy Area Specialist

Serves as a repository of knowledge and works to tailor this knowledge for the different stakeholders

Question 11

What are the responsibilities of the Privacy Engineer in the Privacy ecosystem?

Answer 11

Collect critical regulatory requirements from lawyers
Validate that marketing requirements are consistent with laws and social norms
Meet with designers to discuss best practices when translating requirements into design specifications
Collect user feedback and monitor privacy blogs, mailing lists and newspapers for new privacy incidents
Develop a community of practice

Question 12

Name the 6 activities of software developers (regardless of the process used)

Answer 12

Requirements Engineering
Design
Implementation
Testing
Deployment
Maintenance

Question 13

Name 2 privacy lifecycle models

Answer 13

Privacy Management Reference Model (PMRM)

PReparing Industry to Privacy-by-design by supporting its Application in REsearch (PRIPARE)

Question 14

Name 2 privacy risk assessment methods

Answer 14

LINDDUN threat modeling method

Privacy Risk Assessment Methodology (PRAM)

Question 15

What is a Defect in software engineering?

Answer 15

A flaw in the requirements, design or implementation that can lead to a fault

Question 16

What is a Fault in software engineering?

Answer 16

An incorrect step, process or data definition in a computer program

Question 17

What is an Error in software engineering?

Answer 17

The difference between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition

Question 18

What is a Failure in software engineering?

Answer 18

The inability of a system or component to perform its required functions within specified performance requirements

Question 19

What is a Harm in software engineering?

Answer 19

The actual or potential ill effect or danger to an individual’s personal privacy, sometimes called a hazard

Question 20

What is a Functional Violation of Privacy?

Answer 20

When a system cannot perform a necessary function to ensure individual privacy

Question 21

Provide an example of a Functional Violation of Privacy

Answer 21

When PI is disclosed to an unauthorized third party

Defect: lines of computer code that do not correctly check that an access attempt is properly authorized

Fault: the execution of that source code

Error: unauthorized access

Failure: unauthorized third party access

Question 22

Define the term Risk

Answer 22

A potential adverse impact along with the likelihood that this impact will occur

Question 23

How are risks calculated?

Answer 23

Probability x impact

Question 24

What are the 4 ways of managing risk?

Answer 24

Accept
Transfer
Mitigate
Avoid

Question 25

Provide an example of transferring a risk

Answer 25

Property insurance

Question 26

Provide an example of mitigating a risk

Answer 26

Requiring users to log into a system

Question 27

Provide an example of avoiding a risk

Answer 27

Abandoning the functionality, data use or the entire system

Question 28

Name 6 privacy risk models

Answer 28

Compliance model
Fair Information Practice Principles (FIPPs)
Calo’s subjective/objective dichotomy
Solove’s taxonomy of privacy problems
Nissenbaum’s contextual integrity heuristic
NIST privacy risk model

Question 29

Describe the Compliance privacy risk model

Answer 29

Based on applicable legal and policies - model relies on examining elements of the system to identify deficiencies

Question 30

Describe the Fair Information Practice Principles (FIPPs) privacy risk model

Answer 30

Model relies on aligning with requirements described in FIPPs - often dovetail with the compliance model

Question 31

Describe the Subjective/Objective Dichotomy privacy risk model

Answer 31

Relies on assessing the potential for subjective and objective harm - an analyst may examine elements of the system that relate to individuals’ expectations of how their information may be used, actual usage and consent or lack thereof to the collection and use of that information

Question 32

Describe NIST’s privacy risk model

Answer 32

Vulnerabilities are problematic data actions that describe system behaviors with privacy implications that create the potential for adverse event

Problematic data actions result in one or many problems for individuals

Question 33

List NIST’s catalog of 7 problematic data actions (NIST privacy risk model)

Answer 33

Appropriation
Distortion
Induced disclosure
Insecurity
Surveillance
Unanticipated revelation
Unwarranted restriction

Question 34

Describe the Appropriation problematic data action in the NIST privacy risk model

Answer 34

Use of PI in ways beyond what is expected or authorized by the individual

Question 35

Describe the Distortion problematic data action in the NIST privacy risk model

Answer 35

Use or dissemination of inaccurate or misleading PI

Question 36

Describe the Induced disclosure problematic data action in the NIST privacy risk model

Answer 36

When individuals are pressured to provide PI

Question 37

Describe the Insecurity problematic data action in the NIST privacy risk model

Answer 37

Involves lapses in data security

Question 38

Describe the Surveillance problematic data action in the NIST privacy risk model

Answer 38

When PI is tracked or monitored out of proportion to system objectives

Question 39

Describe the Unanticipated revelation problematic data action in the NIST privacy risk model

Answer 39

Unexpected exposure of facets of an individual as a result of processing

Question 40

Describe the Unwarranted restriction problematic data action in the NIST privacy risk model

Answer 40

Imposition of unjustified constraints on individuals regarding access to the system and its information as it relates to them

Question 41

List NIST’s catalog of 8 problems for individuals (NIST privacy risk model)

Answer 41

Loss of autonomy
Exclusion
Loss of liberty
Physical harm
Stigmatization
Power imbalance
Loss of trust
Economic loss

Question 42

Describe the Loss of autonomy problem for individuals in the NIST privacy risk model

Answer 42

Self-imposed restrictions on behaviour

Question 43

Describe the Exclusion problem for individuals in the NIST privacy risk model

Answer 43

Denying an individual knowledge about their PI or the ability to act upon that knowledge

Question 44

Describe the Loss of liberty problem for individuals in the NIST privacy risk model

Answer 44

Improperly raise the possibility of arrest or detainment

Question 45

Describe the Physical harm problem for individuals in the NIST privacy risk model

Answer 45

Direct bodily harm to an individual

Question 46

Describe the Stigmatization problem for individuals in the NIST privacy risk model

Answer 46

Linking information to an identify so as to stigmatize the person associated with that identity

Question 47

Describe the Power imbalance problem for individuals in the NIST privacy risk model

Answer 47

Enable abusive or unfair treatment of an individual

Question 48

Describe the Loss of trust problem for individuals in the NIST privacy risk model

Answer 48

Can result from violations of implicit or explicit expectations or agreements regarding the treatment of PI

Question 49

Describe the Economic loss problem for individuals in the NIST privacy risk model

Answer 49

Direct or indirect financial loss

Question 50

List the 3 categories of risk controls

Answer 50

Administrative
Technical
Physical

Question 51

Describe administrative risk controls

Answer 51

Controls governing an organization’s business practices

Question 52

Describe technical risk controls

Answer 52

Controls governing software processes and data

Question 53

Describe physical risk controls

Answer 53

Controls governing physical access to hard copies of data and the systems that process and store electronic copies

Question 54

List 4 administrative risk controls

Answer 54

Appointing a privacy officer who is responsible for organization-wide privacy practices
Developing and documenting privacy and security procedures
Conducting personnel training in privacy
Creating an inventory of personal information to track data practices

Question 55

List 5 technical risk controls

Answer 55

Implementing access control mechanisms
Auditing information access
Encrypting sensitive data
Managing individual consent
Posting privacy notices

Question 56

What are functional requirements?

Answer 56

They describe a specific function of the intended information system

Question 57

What are non-functional requirements?

Answer 57

They describe a constraint or property of the system that an engineer can trace to functional requirements or design elements
Legal standards are non-functional requirements

Question 58

What is the purpose of a tracing matrix?

Answer 58

They trace requirements to downstream artifacts, such as software designs, source code and test cases - they also trace requirements to user agreements, such as privacy policies, terms of use agreements, end-user license agreements and so on

Question 59

In goal-based analysis, what are protections?

Answer 59

Statements that aim to protect a user’s privacy

Question 60

In goal-based analysis, what are vulnerabilities?

Answer 60

Statements that threaten a user’s privacy

Question 61

When developing privacy completeness arguments, what is meant by ensuring tracing is complete?

Answer 61

Whether the tracing is complete from privacy policy statements to software artifacts that implement those statements

Question 62

When developing privacy completeness arguments, what is meant by ensuring the life cycle is complete?

Answer 62

At each step in the data life cycle for a specific data type, the engineer considers whether the data type requires special consideration

Question 63

When developing privacy completeness arguments, what is meant by ensuring our legal interpretation is complete?

Answer 63

While it is impossible to completely cover every prospective interpretation by an auditor, regulator or judge, there are steps that engineers can take to broaden the scope of their interpretations to capture missed requirement

Question 64

When developing privacy completeness arguments, what is meant by removing or generalizing preconditions?

Answer 64

Generalizing this requirement so that it applies to any personal information, regardless of whether the information concerns practices conducted in that jurisdiction
Has the benefit of streamlining business practices at the cost of extending those practices to other situations where they may not be otherwise required by law or standards

Question 65

When developing privacy completeness arguments, what is meant by grounding legal terms in the domain?

Answer 65

Legal terms determine when a privacy regulation applies and are often purposely written to be abstract so as to make laws flexible and adaptable to new situations or technologies
For example, California Civil Code requires protecting access codes that can be used to access a personal financial account - This code chapter does not define access code or financial account, thus leaving the interpretation to IT developers and their legal counsel

Question 66

When developing privacy completeness arguments, what is meant by refining by refrainment?

Answer 66

Privacy laws often describe goals to be achieved or obligations about what a covered organization must meet
For example, the law may not say that stealing cryptographic keys is a privacy breach but if you treat it as if it is, the data is more secure

Question 67

When developing privacy completeness arguments, what is meant by revealing the regulatory goal?

Answer 67

IT developer can seek to comply with the letter of the law, the alternative is to comply with the goal of the law to acquire longer-term benefits, and often the area specialist can help identify these goals

Question 68

What is an anti-goal?

Answer 68

An attacker’s own goals or malicious obstacles to a system

Question 69

Describe client-server architecture

Answer 69

Describes the relationship between the client, which is typically a program that runs on a local computer, and the server, which is the program that runs on a remote computer

Question 70

Describe service-oriented architecture

Answer 70

Aim to decouple services from large-scale servers

This enables reuse and separation of concerns and, for increasingly larger systems, improved load balancing by allowing designers to replicate services across multiple machines

Question 71

Describe peer-to-peer architecture

Answer 71

An extreme alternative to client-server architectures whereby each peer is both a client and a server

Question 72

What are design patterns?

Answer 72

Design patterns describe recurring problems through a shared solution that can be repeatedly reused to solve the problem

Question 73

List the 4 elements of a design pattern

Answer 73

1. Pattern name
2. Problem description
3. Solution
4. Consequences

Question 74

List the 8 privacy design strategies that have been defined to date

Answer 74

Minimize
Hide
Separate
Aggregate
Inform
Control
Enforce
Demonstrate

Question 75

What are dark patterns?

Answer 75

Techniques to de-emphasize, obscure or make ambiguous more privacy-preserving response options (making opt-out buttons smaller or lower contrast, not clearly differentiating between required and optional information…)

Question 76

What are trade-spaces?

Answer 76

Important tools for helping engineers, including privacy engineers, think through design trade-offs

Question 77

What is a commonly known trade-space?

Answer 77

Juxtaposing the extent of data sanitization (aka de-identification) with the utility of the sanitized data

Question 78

What are quality attributes in software engineering?

Answer 78

Crosscutting concerns that cannot be addressed by a single function

Question 79

Define identifiability

Answer 79

The extent to which a person can be identified within a system

Question 80

What are the 4 stages in Sarah Spiekermann and Lorrie Faith Cranor’s framework for privacy-friendly system design (degrees of identifiability)

Answer 80

Stage 0 - Identified
Stage 1 - Pseudonymous (linkable with reasonable effort)
Stage 2 - Pseudonymous (not linkable with reasonable effort)
Stage 3 - Anonymous

Question 81

What is network centricity?

Answer 81

The extent to which personal information remains local to the client - for example, a designer may choose to retain personal information on the client side and transfer this information only for the limited purpose of completing a transaction

Question 82

Define confidentiality

Answer 82

Refers to the extent to which personal information is accessible by others

Question 83

Define availability

Answer 83

The need to ensure that information is available to satisfy business needs, typically thought of as a security property

Question 84

Define integrity

Answer 84

The extent that the system maintains a reliable state, including the quality of data as being free from error

Question 85

List 3 concerns related to integrity

Answer 85

Accuracy
Completeness
Currency

Question 86

Define mobility

Answer 86

Extent to which a system is able to track movement from one location to another (laptop, smart phone…)

Question 87

What privacy risks does mobility introduce

Answer 87

Location tracking

Possibility of devices being lost or stolen

Question 88

How can we mitigate mobility related risks

Answer 88

Increase security

Minimize the amount of data stored locally

Question 89

List the NIST Privacy Engineering Objectives

Answer 89

Predictability
Manageability
Disassociability

Question 90

What is Predictability according to NIST

Answer 90

Aims to enable reliable assumptions about a system, particularly its data and the processing of that data, by all stakeholders

Question 91

What is Manageability according to NIST

Answer 91

The ability to granularly administer personal information, including modification, disclosure and deletion

Question 92

What is Disassociability according to NIST

Answer 92

Minimization of connections between data and individuals to the extent compatible with system operational requirements

Question 93

What are the 2 activities included in testing

Answer 93

Verification

Validation

Question 94

In testing, what is the verification activity?

Answer 94

Ensures that a resultant system performs according to its requirements

Question 95

In testing, what is the validation activity?

Answer 95

Ensures that requirements satisfy the original needs of the user base for whom the system was developed

Question 96

What does unit testing cover?

Answer 96

Individual functions and system components

Question 97

What does integration testing cover?

Answer 97

Interactions between groups of components

Question 98

What does system testing cover?

Answer 98

Completed portions of the whole system

Question 99

What does acceptance testing cover?

Answer 99

Requirements validation

Question 100

What does regression testing cover?

Answer 100

Ensuring that changes made to an existing system do not affect other components within the system

Question 101

What activities are typically included in system testing?

Answer 101

Security
Performance
Stress
Privacy requirements that relate to the gross behaviour of the system can also be tested at this time

Question 102

What is synthetic data?

Answer 102

Data generated for the purposes of testing - aims to mimic the desired attributes of the real data

Question 103

What is the drawback of synthetic data?

Answer 103

May not adequately represent the variety and messiness of real data

Question 104

What are the characteristics of Alpha testing?

Answer 104

• Is performed on feature-incomplete systems
• Occurs on a small scale, with tens to hundreds of users, rather than thousands or tens of thousands
• Is seldom open to the public
• Is intended to determine major bugs and offer early requirements validation
• Is conducted in-house or through a third-party testing service that will also conduct tests “behind closed doors”
• Will feature extensive means of data collection, given the low number of users involved in the test

Question 105

What are the privacy concerns specific to Alpha testing?

Answer 105

Incomplete and underdeveloped systems
Absence of proper data handling may not be obvious to users (transparency issue)
Data may not be fully protected

Question 106

What are the characteristics of Beta testing?

Answer 106

• Performed on feature-complete systems
• Occurs on a large scale and are often open to the public
• Intended to identify bugs and issues that may interfere with live deployment of the system
• Often conducted on users’ personal or employer-owned machines, which may feature a variety of configurations and states
• Officiated by the organization developing the system
• Rely on user issue reporting and other means of data collection that may continue to be available once the system goes live

Question 107

What are the privacy concerns specific to Beta testing?

Answer 107

First time the system will be so widely available or public