Chapter 2: Engineering and Privacy Flashcards
What is the role of Project Managers in the Privacy ecosystem?
Ensure that adequate resources are available and that team members communicate effectively
What is the role of Marketing and Sales in the Privacy ecosystem?
Work with customers to establish new requirements
What is the role of Lawyers in the Privacy ecosystem?
Track regulatory issues
What is the role of Requirements Engineers in the Privacy ecosystem?
Collect, analyze and manage requirements
What is the role of Designers in the Privacy ecosystem?
Translate software requirements into an architecture or design
What is the role of Programmers in the Privacy ecosystem?
Translate software design into source code
What is the role of Testers in the Privacy ecosystem?
Validate that the software conforms to the requirements
What is the role of Users in the Privacy ecosystem?
Operate or interact with the software
What is the role of Administrators in the Privacy ecosystem?
Install and maintain the software
What is the role of the Privacy Engineer in the Privacy ecosystem?
Is the Privacy Area Specialist
Serves as a repository of knowledge and works to tailor this knowledge for the different stakeholders
What are the responsibilities of the Privacy Engineer in the Privacy ecosystem?
Collect critical regulatory requirements from lawyers
Validate that marketing requirements are consistent with laws and social norms
Meet with designers to discuss best practices when translating requirements into design specifications
Collect user feedback and monitor privacy blogs, mailing lists and newspapers for new privacy incidents
Develop a community of practice
Name the 6 activities of software developers (regardless of the process used)
Requirements engineering
Design
Implementation
Testing
Deployment
Maintenance
Name 2 privacy lifecycle models
Privacy Management Reference Model (PMRM)
PReparing Industry to Privacy-by-design by supporting its Application in REsearch (PRIPARE)
Name 2 privacy risk assessment methods
LINDDUN threat modeling method
Privacy Risk Assessment Methodology (PRAM)
What is a Defect in software engineering?
A flaw in the requirements, design or implementation that can lead to a fault
What is a Fault in software engineering?
An incorrect step, process or data definition in a computer program
What is an Error in software engineering?
The difference between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition
What is a Failure in software engineering?
The inability of a system or component to perform its required functions within specified performance requirements
What is a Harm in software engineering?
The actual or potential ill effect or danger to an individual’s personal privacy, sometimes called a hazard
What is a Functional Violation of Privacy?
When a system cannot perform a necessary function to ensure individual privacy
Provide an example of a Functional Violation of Privacy
When PI is disclosed to an unauthorized third party
Defect: lines of computer code that do not correctly check that an access attempt is properly authorized
Fault: the execution of that source code
Error: unauthorized access
Failure: unauthorized third party access
Define the term Risk
A potential adverse impact along with the likelihood that this impact will occur
How are risks calculated?
Probability × impact
What are the 4 ways of managing risk?
Accept
Transfer
Mitigate
Avoid
Provide an example of transferring a risk
Property insurance
Provide an example of mitigating a risk
Requiring users to log into a system
Provide an example of avoiding a risk
Abandoning the functionality, data use or the entire system
Name 6 privacy risk models
Compliance model
Fair Information Practice Principles (FIPPs)
Calo’s subjective/objective dichotomy
Solove’s taxonomy of privacy problems
Nissenbaum’s contextual integrity heuristic
NIST privacy risk model
Describe the Compliance privacy risk model
Based on applicable laws and policies - the model relies on examining elements of the system to identify deficiencies
Describe the Fair Information Practice Principles (FIPPs) privacy risk model
Model relies on aligning with requirements described in FIPPs - often dovetail with the compliance model
Describe the Subjective/Objective Dichotomy privacy risk model
Relies on assessing the potential for subjective and objective harm - an analyst may examine elements of the system that relate to individuals’ expectations of how their information may be used, actual usage and consent or lack thereof to the collection and use of that information
Describe NIST’s privacy risk model
Vulnerabilities are problematic data actions that describe system behaviors with privacy implications that create the potential for adverse events
Problematic data actions result in one or many problems for individuals
List NIST’s catalog of 7 problematic data actions (NIST privacy risk model)
Appropriation
Distortion
Induced disclosure
Insecurity
Surveillance
Unanticipated revelation
Unwarranted restriction
Describe the Appropriation problematic data action in the NIST privacy risk model
Use of PI in ways beyond what is expected or authorized by the individual
Describe the Distortion problematic data action in the NIST privacy risk model
Use or dissemination of inaccurate or misleading PI
Describe the Induced disclosure problematic data action in the NIST privacy risk model
When individuals are pressured to provide PI
Describe the Insecurity problematic data action in the NIST privacy risk model
Involves lapses in data security
Describe the Surveillance problematic data action in the NIST privacy risk model
When PI is tracked or monitored out of proportion to system objectives
Describe the Unanticipated revelation problematic data action in the NIST privacy risk model
Unexpected exposure of facets of an individual as a result of processing
Describe the Unwarranted restriction problematic data action in the NIST privacy risk model
Imposition of unjustified constraints on individuals regarding access to the system and its information as it relates to them
List NIST’s catalog of 8 problems for individuals (NIST privacy risk model)
Loss of autonomy
Exclusion
Loss of liberty
Physical harm
Stigmatization
Power imbalance
Loss of trust
Economic loss
Describe the Loss of autonomy problem for individuals in the NIST privacy risk model
Self-imposed restrictions on behaviour
Describe the Exclusion problem for individuals in the NIST privacy risk model
Denying an individual knowledge about their PI or the ability to act upon that knowledge
Describe the Loss of liberty problem for individuals in the NIST privacy risk model
Improperly raise the possibility of arrest or detainment
Describe the Physical harm problem for individuals in the NIST privacy risk model
Direct bodily harm to an individual
Describe the Stigmatization problem for individuals in the NIST privacy risk model
Linking information to an identity so as to stigmatize the person associated with that identity
Describe the Power imbalance problem for individuals in the NIST privacy risk model
Enable abusive or unfair treatment of an individual
Describe the Loss of trust problem for individuals in the NIST privacy risk model
Can result from violations of implicit or explicit expectations or agreements regarding the treatment of PI
Describe the Economic loss problem for individuals in the NIST privacy risk model
Direct or indirect financial loss
List the 3 categories of risk controls
Administrative
Technical
Physical
Describe administrative risk controls
Controls governing an organization’s business practices
Describe technical risk controls
Controls governing software processes and data
Describe physical risk controls
Controls governing physical access to hard copies of data and the systems that process and store electronic copies
List 4 administrative risk controls
Appointing a privacy officer who is responsible for organization-wide privacy practices
Developing and documenting privacy and security procedures
Conducting personnel training in privacy
Creating an inventory of personal information to track data practices
List 5 technical risk controls
Implementing access control mechanisms
Auditing information access
Encrypting sensitive data
Managing individual consent
Posting privacy notices
What are functional requirements?
They describe a specific function of the intended information system
What are non-functional requirements?
They describe a constraint or property of the system that an engineer can trace to functional requirements or design elements
Legal standards are non-functional requirements
What is the purpose of a tracing matrix?
They trace requirements to downstream artifacts, such as software designs, source code and test cases - they also trace requirements to user agreements, such as privacy policies, terms of use agreements, end-user license agreements and so on
In goal-based analysis, what are protections?
Statements that aim to protect a user’s privacy
In goal-based analysis, what are vulnerabilities?
Statements that threaten a user’s privacy
When developing privacy completeness arguments, what is meant by ensuring tracing is complete?
Whether the tracing is complete from privacy policy statements to software artifacts that implement those statements
When developing privacy completeness arguments, what is meant by ensuring the life cycle is complete?
At each step in the data life cycle for a specific data type, the engineer considers whether the data type requires special consideration
When developing privacy completeness arguments, what is meant by ensuring our legal interpretation is complete?
While it is impossible to completely cover every prospective interpretation by an auditor, regulator or judge, there are steps that engineers can take to broaden the scope of their interpretations to capture missed requirements
When developing privacy completeness arguments, what is meant by removing or generalizing preconditions?
Generalizing a jurisdiction-specific requirement so that it applies to any personal information, regardless of whether the information concerns practices conducted in that jurisdiction
Has the benefit of streamlining business practices at the cost of extending those practices to other situations where they may not be otherwise required by law or standards
When developing privacy completeness arguments, what is meant by grounding legal terms in the domain?
Legal terms determine when a privacy regulation applies and are often purposely written to be abstract so as to make laws flexible and adaptable to new situations or technologies
For example, California Civil Code requires protecting access codes that can be used to access a personal financial account - This code chapter does not define access code or financial account, thus leaving the interpretation to IT developers and their legal counsel
When developing privacy completeness arguments, what is meant by refining by refrainment?
Privacy laws often describe goals to be achieved or obligations about what a covered organization must meet
For example, the law may not say that stealing cryptographic keys is a privacy breach but if you treat it as if it is, the data is more secure
When developing privacy completeness arguments, what is meant by revealing the regulatory goal?
An IT developer can seek to comply with the letter of the law; the alternative is to comply with the goal of the law to acquire longer-term benefits, and often the area specialist can help identify these goals
What is an anti-goal?
An attacker’s own goals or malicious obstacles to a system
Describe client-server architecture
Describes the relationship between the client, which is typically a program that runs on a local computer, and the server, which is the program that runs on a remote computer
Describe service-oriented architecture
Aims to decouple services from large-scale servers
This enables reuse and separation of concerns and, for increasingly larger systems, improved load balancing by allowing designers to replicate services across multiple machines
Describe peer-to-peer architecture
An extreme alternative to client-server architectures whereby each peer is both a client and a server
What are design patterns?
Design patterns describe recurring problems through a shared solution that can be repeatedly reused to solve the problem
List the 4 elements of a design pattern
- Pattern name
- Problem description
- Solution
- Consequences
List the 8 privacy design strategies that have been defined to date
Minimize
Hide
Separate
Aggregate
Inform
Control
Enforce
Demonstrate
What are dark patterns?
Techniques to de-emphasize, obscure or make ambiguous more privacy-preserving response options (making opt-out buttons smaller or lower contrast, not clearly differentiating between required and optional information…)
What are trade-spaces?
Important tools for helping engineers, including privacy engineers, think through design trade-offs
What is a commonly known trade-space?
Juxtaposing the extent of data sanitization (aka de-identification) with the utility of the sanitized data
What are quality attributes in software engineering?
Crosscutting concerns that cannot be addressed by a single function
Define identifiability
The extent to which a person can be identified within a system
What are the 4 stages in Sarah Spiekermann and Lorrie Faith Cranor’s framework for privacy-friendly system design (degrees of identifiability)?
Stage 0 - Identified
Stage 1 - Pseudonymous (linkable with reasonable effort)
Stage 2 - Pseudonymous (not linkable with reasonable effort)
Stage 3 - Anonymous
What is network centricity?
The extent to which personal information remains local to the client - for example, a designer may choose to retain personal information on the client side and transfer this information only for the limited purpose of completing a transaction
Define confidentiality
Refers to the extent to which personal information is accessible by others
Define availability
The need to ensure that information is available to satisfy business needs, typically thought of as a security property
Define integrity
The extent that the system maintains a reliable state, including the quality of data as being free from error
List 3 concerns related to integrity
Accuracy
Completeness
Currency
Define mobility
Extent to which a system is able to track movement from one location to another (laptop, smart phone…)
What privacy risks does mobility introduce?
Location tracking
Possibility of devices being lost or stolen
How can we mitigate mobility-related risks?
Increase security
Minimize the amount of data stored locally
List the NIST Privacy Engineering Objectives
Predictability
Manageability
Disassociability
What is Predictability according to NIST?
Aims to enable reliable assumptions about a system, particularly its data and the processing of that data, by all stakeholders
What is Manageability according to NIST?
The ability to granularly administer personal information, including modification, disclosure and deletion
What is Disassociability according to NIST?
Minimization of connections between data and individuals to the extent compatible with system operational requirements
What are the 2 activities included in testing?
Verification
Validation
In testing, what is the verification activity?
Ensures that a resultant system performs according to its requirements
In testing, what is the validation activity?
Ensures that requirements satisfy the original needs of the user base for whom the system was developed
What does unit testing cover?
Individual functions and system components
What does integration testing cover?
Interactions between groups of components
What does system testing cover?
Completed portions of the whole system
What does acceptance testing cover?
Requirements validation
What does regression testing cover?
Ensuring that changes made to an existing system do not affect other components within the system
What activities are typically included in system testing?
Security
Performance
Stress
Privacy requirements that relate to the gross behaviour of the system can also be tested at this time
What is synthetic data?
Data generated for the purposes of testing - aims to mimic the desired attributes of the real data
What is the drawback of synthetic data?
May not adequately represent the variety and messiness of real data
What are the characteristics of Alpha testing?
- Is performed on feature-incomplete systems
- Occurs on a small scale, with tens to hundreds of users, rather than thousands or tens of thousands
- Is seldom open to the public
- Is intended to determine major bugs and offer early requirements validation
- Is conducted in-house or through a third-party testing service that will also conduct tests “behind closed doors”
- Will feature extensive means of data collection, given the low number of users involved in the test
What are the privacy concerns specific to Alpha testing?
Incomplete and underdeveloped systems
Absence of proper data handling may not be obvious to users (transparency issue)
Data may not be fully protected
What are the characteristics of Beta testing?
- Performed on feature-complete systems
- Occurs on a large scale and is often open to the public
- Intended to identify bugs and issues that may interfere with live deployment of the system
- Often conducted on users’ personal or employer-owned machines, which may feature a variety of configurations and states
- Officiated by the organization developing the system
- Relies on user issue reporting and other means of data collection that may continue to be available once the system goes live
What are the privacy concerns specific to Beta testing?
First time the system will be so widely available or public