Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Understanding Privacy By Design – ConFoo 2020

Understanding Privacy By Design – ConFoo 2020

GDPR has brought privacy & security to the fore, but it's not obvious to developers how to make privacy part of everyday development. "Privacy by design" has been around since 1995, but is only now receiving the attention it deserves, providing a set of high-level principles that can be used to embed privacy into development culture and workflows. Find out how we can use modern frameworks, tools, and automation to build auditable privacy into our applications.

B4814d6790e91f01c77cac9d25db12b6?s=128

Marcus Bointon

February 26, 2020
Tweet

Transcript

  1. UNDERSTANDING PRIVACY BY DESIGN MARCUS BOINTON — @SYNCHROM

  2. UNDERSTANDING PRIVACY BY DESIGN PRIVACY? SECURITY? DATA PROTECTION? ▸ Security

    is about how to protect resources ▸ Data protection is using security to protect data ▸ Privacy is using security to protect personal data appropriately ▸ No privacy without security ▸ But you can have security without privacy!
  3. UNDERSTANDING PRIVACY BY DESIGN WHAT IS PRIVACY BY DESIGN? ▸

    Term coined in 1995 by Ann Cavoukian, former Canadian information commissioner ▸ 7 high-level principles for designing systems that respect privacy ▸ Very broad and general — often criticised as “vague” ▸ Applies to all systems, electronic or paper-based
  4. No one shall be subjected to arbitrary interference with his

    privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Universal Declaration of Human Rights Art. 12(exc), 1948 UNDERSTANDING PRIVACY BY DESIGN
  5. UNDERSTANDING PRIVACY BY DESIGN PRIVACY BY DESIGN AND THE LAW

    ▸ Universal Declaration of Human Rights Art. 12, 1948 ▸ EC Convention 108, 1981 ▸ EU Data Protection Directive, 1995 ▸ EU e-Privacy Directive, 2002 ("Cookie law", UK PECR) ▸ EU General Data Protection Regulation (GDPR), 2016/2018 ▸ Data protection by design is part of GDPR — Article 25 & Recital 78 ▸ Forthcoming e-Privacy Regulation (ePR) will extend EU law
  6. UNDERSTANDING PRIVACY BY DESIGN 1. PROACTIVE NOT REACTIVE; PREVENTATIVE NOT

    REMEDIAL
  7. UNDERSTANDING PRIVACY BY DESIGN PROACTIVE, NOT REACTIVE ▸ Benefit: Avoid

    privacy mistakes ▸ Anticipate privacy-related events before they become a problem ▸ Needs to happen at the design stage; ask questions first: ▸ Why do we have this data? ▸ Where did this data come from? ▸ Now design your code to be able to answer them
  8. UNDERSTANDING PRIVACY BY DESIGN 2. PRIVACY AS THE DEFAULT

  9. UNDERSTANDING PRIVACY BY DESIGN PRIVACY AS THE DEFAULT ▸ Benefit:

    Avoid privacy mistakes ▸ If everything is used with default settings, privacy is preserved ▸ e.g. Don’t set persistent cookies prior to obtaining consent ▸ Yes, ad networks will not like this ▸ Flip side: any privacy exposure should be a deliberate decision ▸ and so it should be — as the data controller, you're liable!
  10. UNDERSTANDING PRIVACY BY DESIGN 3. EMBED PRIVACY INTO DESIGN

  11. UNDERSTANDING PRIVACY BY DESIGN EMBED PRIVACY IN DESIGN ▸ Benefit:

    Deal with privacy issues early to minimise cost ▸ Just as you aim to make functionality testable ▸ Privacy, accountability, auditability should be baked-in from the start ▸ Retrofitting is hard and expensive, so it usually won’t happen ▸ Build privacy into your framework, so that all code inherits it ▸ Add privacy tests to your CI pipeline
  12. UNDERSTANDING PRIVACY BY DESIGN EMBED PRIVACY IN DESIGN class Visitor

    extends Model { use pbd; public $fillable = ['name', 'address', 'email']; public static $pbd_basis = [ 'name' => 'contract', 'address' => 'contract', 'email' => 'consent', ]; public static $pbd_retain = '1 month'; …
  13. UNDERSTANDING PRIVACY BY DESIGN 4. FULL FUNCTIONALITY;
 POSITIVE-SUM, NOT ZERO-SUM

  14. UNDERSTANDING PRIVACY BY DESIGN POSITIVE-SUM PRIVACY ▸ Benefit: Capitalise on

    your security to enable privacy benefits ▸ "E2E encryption means you can trust your conversations are private" ▸ "We don't need to ask for cookie consent because we set no cookies" ▸ Counter-examples: ▸ US sites blocking EU users ▸ Metadata leakage ▸ Facebook
  15. UNDERSTANDING PRIVACY BY DESIGN METADATA LEAKAGE EXAMPLE ilovefurries.com othersite.com example.com

    avatars.blah/emailmd5 Email MD5 IP Browser fingerprint Cookies Referrer site Time Email MD5 IP Browser fingerprint Cookies Referrer site Time proxy
  16. UNDERSTANDING PRIVACY BY DESIGN 5. END-TO-END SECURITY –
 FULL LIFECYCLE

    PROTECTION
  17. UNDERSTANDING PRIVACY BY DESIGN END-TO-END LIFECYCLE PROTECTION ▸ A chain

    is only as strong as its weakest link ▸ Security is the foundation on which privacy rests ▸ Follow the the journey of data through your system ▸ Assess security & privacy from the moment data enters the system… ▸ via every interaction with internal and external services… ▸ to the point at which it is deleted
  18. UNDERSTANDING PRIVACY BY DESIGN 6. VISIBILITY AND TRANSPARENCY – KEEP

    IT OPEN
  19. UNDERSTANDING PRIVACY BY DESIGN VISIBILITY & TRANSPARENCY ▸ Benefit: Builds

    trust ▸ 7th Data Protection Principle of GDPR — need to demonstrate compliance ▸ Avoid security by obscurity ▸ e.g. document your password policy & handling ▸ Let data subjects see how you’re using their data ▸ Not just that you are ▸ e.g. document third parties, link to their policies
  20. UNDERSTANDING PRIVACY BY DESIGN 7. RESPECT FOR USER PRIVACY –

    KEEP IT USER-CENTRIC
  21. UNDERSTANDING PRIVACY BY DESIGN RESPECT FOR USER PRIVACY ▸ At

    an organisational level, put the interests of the individual first ▸ Use strong privacy defaults ▸ Send appropriate notifications ▸ Provide receipts! ▸ Do what you say you will (and back it up with transparency) ▸ Don’t do what you didn’t say you would do!
  22. UNDERSTANDING PRIVACY BY DESIGN OWASP TOP-10 PRIVACY RISKS ▸ Web

    Application Vulnerabilities ▸ Operator-side data leakage ▸ Insufficient data breach response ▸ Insufficient deletion of personal data ▸ Non-transparent policies, terms and conditions ▸ Collection of data not required for the primary purpose ▸ Sharing of data with third party ▸ Outdated personal data ▸ Missing or insufficient session expiration ▸ Insecure data transfer
  23. UNDERSTANDING PRIVACY BY DESIGN IMPLEMENTING PRIVACY BY DESIGN ▸ Scan

    your own site for obvious external issues: https://webbkoll.dataskydd.net ▸ Extend frameworks ▸ Privacy-enhancing technologies can help clients ▸ Disposable email, ad/tracker blockers, private browsing, Tor, VPNs, DoH ▸ 3P proxying on server side ▸ Perform a Privacy Impact Assessment (PIA & DPIA) — GDPR Article 35 ▸ CNIL's PIA tool provides great guidance & structure
  24. UNDERSTANDING PRIVACY BY DESIGN PRIVACY BY DESIGN PRINCIPLES Full functionality;


    Positive-sum, not zero-sum End-to-end security —
 full lifecycle protection Privacy as the default Visibility and transparency — keep it open Embed privacy into design Proactive not reactive; preventative not remedial Respect for user privacy — keep it user-centric
  25. UNDERSTANDING PRIVACY BY DESIGN QUESTIONS & THANK YOU ▸ Marcus

    Bointon ▸ info.smartmessages.net ▸ radical.sexy ▸ @SynchroM / @PrivacySpider ▸ Synchro on Github (PHPMailer!) & Stack Overflow
  26. UNDERSTANDING PRIVACY BY DESIGN LINKS TO MENTIONED RESOURCES ▸ CNIL

    PIA tool: https://www.cnil.fr/en/open-source-pia-software- helps-carry-out-data-protection-impact-assesment ▸ OWASP top-10 privacy: https://www.owasp.org/index.php/ OWASP_Top_10_Privacy_Risks_Project ▸ Privacy checker: https://webbkoll.dataskydd.net ▸ GDPR reference: https://gdpr-info.eu