Understanding Privacy By Design – ConFoo 2020

Transcript

1. UNDERSTANDING PRIVACY BY DESIGN MARCUS BOINTON — @SYNCHROM

2. UNDERSTANDING PRIVACY BY DESIGN PRIVACY? SECURITY? DATA PROTECTION? ▸ Security

   is about how to protect resources ▸ Data protection is using security to protect data ▸ Privacy is using security to protect personal data appropriately ▸ No privacy without security ▸ But you can have security without privacy!

3. UNDERSTANDING PRIVACY BY DESIGN WHAT IS PRIVACY BY DESIGN? ▸

   Term coined in 1995 by Ann Cavoukian, former Canadian information commissioner ▸ 7 high-level principles for designing systems that respect privacy ▸ Very broad and general — often criticised as “vague” ▸ Applies to all systems, electronic or paper-based

4. No one shall be subjected to arbitrary interference with his

   privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Universal Declaration of Human Rights Art. 12(exc), 1948 UNDERSTANDING PRIVACY BY DESIGN

5. UNDERSTANDING PRIVACY BY DESIGN PRIVACY BY DESIGN AND THE LAW

   ▸ Universal Declaration of Human Rights Art. 12, 1948 ▸ EC Convention 108, 1981 ▸ EU Data Protection Directive, 1995 ▸ EU e-Privacy Directive, 2002 ("Cookie law", UK PECR) ▸ EU General Data Protection Regulation (GDPR), 2016/2018 ▸ Data protection by design is part of GDPR — Article 25 & Recital 78 ▸ Forthcoming e-Privacy Regulation (ePR) will extend EU law

6. UNDERSTANDING PRIVACY BY DESIGN 1. PROACTIVE NOT REACTIVE; PREVENTATIVE NOT

   REMEDIAL

7. UNDERSTANDING PRIVACY BY DESIGN PROACTIVE, NOT REACTIVE ▸ Benefit: Avoid

   privacy mistakes ▸ Anticipate privacy-related events before they become a problem ▸ Needs to happen at the design stage; ask questions first: ▸ Why do we have this data? ▸ Where did this data come from? ▸ Now design your code to be able to answer them

8. UNDERSTANDING PRIVACY BY DESIGN 2. PRIVACY AS THE DEFAULT

9. UNDERSTANDING PRIVACY BY DESIGN PRIVACY AS THE DEFAULT ▸ Benefit:

   Avoid privacy mistakes ▸ If everything is used with default settings, privacy is preserved ▸ e.g. Don’t set persistent cookies prior to obtaining consent ▸ Yes, ad networks will not like this ▸ Flip side: any privacy exposure should be a deliberate decision ▸ and so it should be — as the data controller, you're liable!

10. UNDERSTANDING PRIVACY BY DESIGN 3. EMBED PRIVACY INTO DESIGN

11. UNDERSTANDING PRIVACY BY DESIGN EMBED PRIVACY IN DESIGN ▸ Benefit:

    Deal with privacy issues early to minimise cost ▸ Just as you aim to make functionality testable ▸ Privacy, accountability, auditability should be baked-in from the start ▸ Retrofitting is hard and expensive, so it usually won’t happen ▸ Build privacy into your framework, so that all code inherits it ▸ Add privacy tests to your CI pipeline

12. UNDERSTANDING PRIVACY BY DESIGN EMBED PRIVACY IN DESIGN class Visitor

    extends Model { use pbd; public $fillable = ['name', 'address', 'email']; public static $pbd_basis = [ 'name' => 'contract', 'address' => 'contract', 'email' => 'consent', ]; public static $pbd_retain = '1 month'; …

13. UNDERSTANDING PRIVACY BY DESIGN 4. FULL FUNCTIONALITY;
 POSITIVE-SUM, NOT ZERO-SUM

14. UNDERSTANDING PRIVACY BY DESIGN POSITIVE-SUM PRIVACY ▸ Benefit: Capitalise on

    your security to enable privacy benefits ▸ "E2E encryption means you can trust your conversations are private" ▸ "We don't need to ask for cookie consent because we set no cookies" ▸ Counter-examples: ▸ US sites blocking EU users ▸ Metadata leakage ▸ Facebook

15. UNDERSTANDING PRIVACY BY DESIGN METADATA LEAKAGE EXAMPLE ilovefurries.com othersite.com example.com

    avatars.blah/emailmd5 Email MD5 IP Browser fingerprint Cookies Referrer site Time Email MD5 IP Browser fingerprint Cookies Referrer site Time proxy

16. UNDERSTANDING PRIVACY BY DESIGN 5. END-TO-END SECURITY –
 FULL LIFECYCLE

    PROTECTION

17. UNDERSTANDING PRIVACY BY DESIGN END-TO-END LIFECYCLE PROTECTION ▸ A chain

    is only as strong as its weakest link ▸ Security is the foundation on which privacy rests ▸ Follow the the journey of data through your system ▸ Assess security & privacy from the moment data enters the system… ▸ via every interaction with internal and external services… ▸ to the point at which it is deleted

18. UNDERSTANDING PRIVACY BY DESIGN 6. VISIBILITY AND TRANSPARENCY – KEEP

    IT OPEN

19. UNDERSTANDING PRIVACY BY DESIGN VISIBILITY & TRANSPARENCY ▸ Benefit: Builds

    trust ▸ 7th Data Protection Principle of GDPR — need to demonstrate compliance ▸ Avoid security by obscurity ▸ e.g. document your password policy & handling ▸ Let data subjects see how you’re using their data ▸ Not just that you are ▸ e.g. document third parties, link to their policies

20. UNDERSTANDING PRIVACY BY DESIGN 7. RESPECT FOR USER PRIVACY –

    KEEP IT USER-CENTRIC

21. UNDERSTANDING PRIVACY BY DESIGN RESPECT FOR USER PRIVACY ▸ At

    an organisational level, put the interests of the individual first ▸ Use strong privacy defaults ▸ Send appropriate notifications ▸ Provide receipts! ▸ Do what you say you will (and back it up with transparency) ▸ Don’t do what you didn’t say you would do!

22. UNDERSTANDING PRIVACY BY DESIGN OWASP TOP-10 PRIVACY RISKS ▸ Web

    Application Vulnerabilities ▸ Operator-side data leakage ▸ Insufficient data breach response ▸ Insufficient deletion of personal data ▸ Non-transparent policies, terms and conditions ▸ Collection of data not required for the primary purpose ▸ Sharing of data with third party ▸ Outdated personal data ▸ Missing or insufficient session expiration ▸ Insecure data transfer

23. UNDERSTANDING PRIVACY BY DESIGN IMPLEMENTING PRIVACY BY DESIGN ▸ Scan

    your own site for obvious external issues: https://webbkoll.dataskydd.net ▸ Extend frameworks ▸ Privacy-enhancing technologies can help clients ▸ Disposable email, ad/tracker blockers, private browsing, Tor, VPNs, DoH ▸ 3P proxying on server side ▸ Perform a Privacy Impact Assessment (PIA & DPIA) — GDPR Article 35 ▸ CNIL's PIA tool provides great guidance & structure

24. UNDERSTANDING PRIVACY BY DESIGN PRIVACY BY DESIGN PRINCIPLES Full functionality;


    Positive-sum, not zero-sum End-to-end security —
 full lifecycle protection Privacy as the default Visibility and transparency — keep it open Embed privacy into design Proactive not reactive; preventative not remedial Respect for user privacy — keep it user-centric

25. UNDERSTANDING PRIVACY BY DESIGN QUESTIONS & THANK YOU ▸ Marcus

    Bointon ▸ info.smartmessages.net ▸ radical.sexy ▸ @SynchroM / @PrivacySpider ▸ Synchro on Github (PHPMailer!) & Stack Overflow

26. UNDERSTANDING PRIVACY BY DESIGN LINKS TO MENTIONED RESOURCES ▸ CNIL

    PIA tool: https://www.cnil.fr/en/open-source-pia-software- helps-carry-out-data-protection-impact-assesment ▸ OWASP top-10 privacy: https://www.owasp.org/index.php/ OWASP_Top_10_Privacy_Risks_Project ▸ Privacy checker: https://webbkoll.dataskydd.net ▸ GDPR reference: https://gdpr-info.eu