Hands-on Privacy (IPC Munich 2023)

Transcript

1. MARCUS BOINTON – IPC 2023 Key points on privacy &

   security, and ways to check sites for them HANDS-ON PRIVACY

2. Hands-on Privacy – Marcus Bointon @[email protected] IPC Munich 2023 PRIVACY

   LAWS -CoE Data Protection Convention 108 — 1981! -EU Data Protection Directive 95/46/EC 1995 -EU e-Privacy Directive 2002 – Cookie law -CoE Convention 108+ 2018 -GDPR, UK Data Protection Act 2018 -Privacy shield collapse & SCCs 2020 -EU DSA 2022 & DMA 2023 – Gatekeepers

3. Hands-on Privacy – Marcus Bointon @[email protected] IPC Munich 2023 CHAT

   CONTROL CATASTROPHE -CSAM scanning to rule them all -Real-time, indiscriminate mass surveillance without oversight -Age veri fi cation, loss of anonymity -Banning encryption tools, chat, tor, VPNs -https://www.patrick-breyer.de/en/posts/chat-control/

4. Hands-on Privacy – Marcus Bointon @[email protected] IPC Munich 2023 CONTROLLER

   PROCESSOR MANAGES DATA ACTS ON BEHALF OF CONTROLLER SUBJECT WHO THE DATA IS ABOUT

5. Hands-on Privacy – Marcus Bointon @[email protected] IPC Munich 2023 Processing

   must be lawful,
 fair, and transparent Store identi fi able subjects no longer than necessary Process data so as to protect accuracy, integrity, and con fi dentiality Collect & process data for speci fi c, explicit, and legitimate purposes Demonstrate compliance 
 with all principles Data adequate, relevant, and limited to the stated purposes DATA PROTECTION PRINCIPLES

6. Hands-on Privacy – Marcus Bointon @[email protected] IPC Munich 2023 BASIS

   FOR PROCESSING Contract “We need your address to send you this thing you bought” Legal obligation Vital interest Legitimate interest Public interest Consent “This person has a penicillin allergy” “This person has COVID-19” “We need to combat fraud” – not “We want your data” “Please can we send you our newsletter?” “Keep employee insurance data for 40 years”

7. Hands-on Privacy – Marcus Bointon @[email protected] IPC Munich 2023 PRIVACY

   BY DESIGN PRINCIPLES -Proactive not Reactive; Preventative not Remedial -Privacy as the Default -Privacy Embedded into Design -Full Functionality – Positive-Sum, not Zero-Sum -End-to-End Security – Full Lifecycle Protection -Visibility and Transparency – Keep it Open -Respect for User Privacy – Keep it User-Centric

8. Hands-on Privacy – Marcus Bointon @[email protected] IPC Munich 2023 DO

   I NEED TO SHOW A CONSENT BANNER? -No… -Yes if you: -Set non-essential cookies (anything but 1st-party session) -Load tracking scripts e.g. Google Analytics -Share anything with third parties, e.g. Google fonts, ads -Hate your users -Most cookie setting widgets are trolling by ad networks, thus pointless -Privacy by default – if you continue, nothing should be tracked

9. Hands-on Privacy – Marcus Bointon @[email protected] IPC Munich 2023 WHAT

   GOES IN A PRIVACY POLICY? -Not something that has to be agreed to – that’s T&Cs -Identify controller and processors -Describe what data is collected, when, why, where it goes, how long it’s kept -List all 3Ps data is shared with -How to request DSARs -Opt-out / objection procedures

10. Hands-on Privacy – Marcus Bointon @[email protected] IPC Munich 2023 MANUAL

    TESTING -Just visit the site -Look at the cookie popup -If there is one -Cry over those evil dark patterns… -Read privacy policy -Look at login page -Open dev tools, look at cookies & scripts

11. Hands-on Privacy – Marcus Bointon @[email protected] IPC Munich 2023 AUTOMATED

    TESTING TOOLS -https://securityheaders.com -https://www.ssllabs.com/ssltest/ -https://webbkoll.dataskydd.net -https://themarkup.org/blacklight/ -https://pagexray.fouanalytics.com

12. Hands-on Privacy – Marcus Bointon @[email protected] IPC Munich 2023 PEOPLE

    AND ORGANISATIONS -Heather Burns @[email protected] -Pat Walshe @[email protected] -Rowenna Fielding @[email protected] -@[email protected] @[email protected] -https://www.luizajarovsky.com/ -https://ico.org.uk -https://www.openrightsgroup.org, https://www.eff.org/