Foundational Principles Flashcards
Helen Nissenbaum’s Contextual Integrity
Norm based
Norms are domain specific - IE: norms governing banking information will differ from norms governing medical information.
Norms are context specific - IE: an individual can have their own reasons for controlling access to their information in specific situations based on their own expectations
Ryan Calo’s Harm Dimensions
Objective Harms - measurable and observable (IE: person’s privacy has been violated and direct harm exists)
Subjective Harms - expectation of harms. Subjective harms may have the same impact as objective harms because the individual has taken similar steps to protect themselves.
IE: the perception of harm is just as likely to have a significantly negative impact as experienced objective harms
Security is traditionally defined as…
(1) Confidentiality - ensures that information is only accessible by authorized individuals
(2) Integrity - ensures that information has not been unintentionally modified
(3) Availability - ensures that information is readily available when needed
FIPs
Fair Information Practices - established by the Health, Education and Welfare Advisory Committee on Automated Data Systems in 1972
FIPPs
The Fair Information Practice Principles - US Federal Trade Commission (FTC) and used as guidance to businesses in the US
NIST
NISTIR 8062 - An Introduction to Privacy Engineering and Risk Management in Federal Systems - published by the US National Institute of Standards and Technology (NIST)
OECD
The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) - published by the Organization for Economic Cooperation and Development (OECD)
APEC
The Privacy Framework - published by the Asia-Pacific Economic Cooperation (APEC)
OECD Guidelines
(1) Collection Limitation Principle - limitation of data, obtained by lawful and fair means, with knowledge and consent of subject;
(2) Data Quality Principle - data should be relevant to purposes, to the extent necessary, accurate, complete, and up to date
(3) Purpose Specification Principle - use specified at time of collection, use is limited, specified on change of purpose
(4) Use Limitation Principle - data not disclosed, used, available for purposes outside of specific use without (1) consent or (2) authority of law
(5) Security Safeguards Principle - protected by reasonable security safeguards
(6) Openness Principle - open about development, policies and principles of data use and data controller
(7) Individual Participation Principle - individual's right to (1) obtain from data controller info about their data (2) communication re data at a reasonable time, manner and form (3) reasons if denied and challenge denial; (4) if successful, data erased
(8) Accountability Principle - data controller accountable for complying with measures
Data Life Cycle
Consent / Notice - Collection - Disclosure
Consent / Notice - Processing - Retention - Destruction
Data Collection Types
(1) First-party collection - data subject provides data directly to collector
(2) Surveillance - collector observes data streams without interfering with subject’s behavior
(3) Repurposing - data is assigned for a different use
(4) Third-party collection - data is transferred to third-party for new data collection
Explicit Consent of Data Collection
Individual is required to expressly act to communicate consent
EX: clicking a checkbox, clicking a button on a privacy notice, responding to an automatically generated email
Passive or Implied Consent of Data Collection
IE: Inclusion of a conspicuous link to a privacy notice describing collection activities
Data Life Cycle: Maximize-Information-Utility
Views data as the basis for monetization and new revenue and seeks to collect and retain as much data as possible
Information broadly collected and shared, retention persists up to the physical limits of org’s storage devices
Data Life Cycle: Minimize-privacy-risk
Views data as potentially toxic with inherent risks that can result in significant, irreversible privacy harms
Defect, Fault, Error, Failure, and Harm
(1) Defect - a flaw in the requirements, designs or implementation that can lead to a fault (IE: a line of source code that does not correctly check that an access attempt is properly authorized)
(2) Fault - an incorrect step, process or data definition in a computer program (IE: execution of that source code that leads to error)
(3) Error - difference between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition (IE: unauthorized access as opposed to a notice that unauthorized access will occur)
(4) Failure - inability of a system or component to perform its required functions within specified performance requirements (IE: unauthorized third-party access)
(5) Harm - actual or potential danger to an individual's personal privacy
Solove’s Four Risks of Privacy Harms
(1) Information collection
(2) Information processing
(3) Information dissemination
(4) Invasion
Formulation of Risk
Risk is the potential adverse impact along with the likelihood that the impact will occur
Risk = probability of an adverse impact × impact of the event
Risk: Compliance Model
Risks are delineated as the failure to do what is required or to avoid what is prohibited
IE: GDPR, HIPAA, etc.
Risk: FIPPs
Adopted by FTC and US Department of Homeland Security
Most FIPPs principles are relative to the purpose of the system
Risk: Calo’s Subjective/Objective Dichotomy
Falls into two categories - (1) Subjective and (2) Objective
Any privacy threat that is perceivable by individuals corresponds to a subjective privacy harm
Risk: Solove’s Taxonomy - Information Collection
(1) Surveillance - observation and capturing of individual’s activities (IE: Track users link clicks and pages visited)
(2) Interrogation - actively questioning an individual or probing for information (IE: requiring an individual to enter their phone number for registration)
Risk: Solove’s Taxonomy - Information Processing
(1) Aggregation - combining pieces of information to produce a whole greater than its parts (IE: retailer views purchases of large tote bags, unscented lotion and prenatal vitamins = individual is pregnant)
(2) Identification - links information to specific individuals (IE: cookies for browsing histories)
(3) Insecurity - failure to protect individual’s information (IE: website fails to encrypt communications)
(4) Secondary Use - using information without consent for purposes unrelated to original use (IE: retailer uses email address for marketing rather than for the purchase)
(5) Exclusion - denies an individual knowledge/participation in what is done with their information (IE: marketing firm uses purchase data to advertise under a different name)
Risk: Solove’s Taxonomy - Information Dissemination
(1) Breach of Confidentiality - release of PII
(2) Disclosure - revealing truthful information that negatively affects how others view the individual (IE: lifestyle member list)
(3) Distortion - spreading false and inaccurate information (IE: employment verification mistake)
(4) Exposure - information that is normally concealed, including private physical details about our bodies
(5) Increased accessibility - information more easily attainable (IE: child entertainment service allows adults to register and interact)
(6) Blackmail - threat to disclose information against the individual’s will
(7) Appropriation - using someone’s identity for another person’s purposes
Risk: Solove’s Taxonomy - Intrusion and Decisional Interference
(1) Intrusion - consists of acts that disturb an individual’s solitude or tranquility (IE: mobile alerts)
(2) Decisional Interference - involves others inserting themselves into a decision-making process that affects a person’s personal affairs (IE: website limits negative reviews for bias)
Helen Nissenbaum’s Contextual Integrity
Maintaining personal information in alignment with informational norms that apply to a particular context.
An analyst must establish existing informational norms and then determine how the system may disrupt those norms.
NIST Privacy Risk Model
Embedded in the Privacy Risk Assessment Methodology (PRAM) - includes vulnerabilities (problematic data actions), adverse effects (problems for individuals) and the relative likelihoods and impacts of those events.
NIST Privacy Risk Model - Problematic Data Actions
(1) Appropriation - when PI is used in ways beyond what is expected/authorized by individual
(2) Distortion - the use or dissemination of inaccurate/misleading PI
(3) Induced disclosure - individuals are pressured to provide PI
(4) Insecurity - lapses in data security
(5) Surveillance - PI is tracked/monitored out of proportion to system objectives
(6) Unanticipated revelation - unexpected exposure of facets of an individual as a result of processing
(7) Unwarranted restriction - imposition of unjustified constraints on individuals regarding access to the system and its information as it relates to them
NIST Privacy Risk Model - Problems for Individuals
(1) Loss of Autonomy - self-imposed restrictions on behavior
(2) Exclusion - denies individuals knowledge about their PI or ability to act
(3) Loss of liberty - improperly raises the possibility of arrest/detainment
(4) Physical harm - direct bodily harm to an individual
(5) Stigmatization - links information to an identity so as to stigmatize the person associated with the identity
(6) Power imbalance - enables abusive or unfair treatment of an individual
(7) Loss of Trust - results from violations of implicit or explicit expectations or agreements regarding treatment of PI
(8) Economic loss - direct or indirect financial loss
Privacy Risk Management Framework and 7 Steps
A process for applying a risk model to a specific information system in order to identify and address risks.
(1) Characterization
(2) Threat
(3) Vulnerability and event identification
(4) Risk Assessment
(5) Risk Response Determination
(6) Risk Control Implementation
(7) Monitoring and Reviewing
Privacy Risk Management Framework - Characterization
Identifying the purpose of the system -> how PI flows through and is processed on the system -> technologies in place to support the system
Privacy Risk Management Framework - Risk Response Determination
(1) Accept the risk - if risk is low, may be reasonable and necessary to accept the risk
(2) Transfer the risk - if other entities can manage the risk better, transfer the risk (IE: payroll services)
(3) Mitigate the risk - best option when IT developer can implement privacy controls that reduce risk (IE: daily backups)
(4) Avoid the risk - avoid risk by changing the system design or business process
Privacy Risk Management Framework - Risk Control Implementation
(1) Administrative Controls - business practices
(2) Technical Controls - governs software processes and data
(3) Physical Controls - governs physical access to hard copies of data and systems that process and store electronic copies
Documenting Requirements
SRS - software requirement specification
(1) Functional requirements - describes a specific function of the intended information system (IE: this system shall encrypt credit card numbers)
(2) Nonfunctional requirements - describe a constraint or property of the system that an engineer can trace to functional requirements or design elements (IE: system shall not disclose PI without consent)
Trace Matrices
Trace link from a requirement to a privacy law = requirement implements the law
Trace link to a design element = requirement is implemented by the design element
Includes rationale description of the trace link (IE: X provides an exception for any disclosure that is required by law or regulation)