ISTPA Framework Project: Combining Security and Privacy Throughout the Life Cycle of Personal Information

Transcript of the slide deck with speaker notes (16 pages)

Page 1

Confidential 1

ISTPA Framework Project
Combining Security and Privacy Throughout the Life Cycle of Personal Information

MICHAEL WILLETT
Wave Systems, Chair: ISTPA Framework Project

(Slide graphic labels: Personal Information; Privacy; Wave)

Michael Willett:

(Assume the listener is familiar with the overall ISTPA mission, projects, and objectives)

The objective of the Framework Project is to develop an analytic framework for privacy services that “implement” the privacy fair information practices and privacy principles.

The Framework can serve as both an operational model for evolving implementations and as a tool for assessing the completeness of solutions.


Page 2

PRIVACY

- EU Data Protection Directive
- Safe Harbor/FTC
- HIPAA
- GLB
- COPPA
- Web Services
- Identity/Authentication/SSO
- Liberty Alliance
- Microsoft Passport
- Trust @ the Edge
- e-Business

Page 3

PRIVACY ?

- Privacy = Isolation
- Privacy = Anonymity
- Privacy = Confidentiality
- Privacy = Access Control

Page 4

Definitions

Security: locks, guards, passwords, cryptography, digital signatures, … establishment and maintenance of measures to protect a system.

Privacy: proper handling and use of personal information (PI) throughout its life cycle, consistent with the preferences of the subject.

Confidence/trust: freedom from worry; a feeling.

(Slide diagram labels: Security + Privacy; Confidence/Trust; VALUE)

Michael Willett:

Security deals with PROTECTION of a system, whereas privacy deals with the USE of personal information (PI). Security is an essential element of privacy, but even in a secure environment, PI can be misused (i.e., used inconsistently with the preferences of the PI subject).

Trust is not a technology or even a process; rather, trust is a feeling. By implementing security and privacy and adding customer value, we strive to engender trust in the customer/consumer.


Page 5

PRIVACY MANAGEMENT

(Slide diagram labels: Personal Information; Preferences; Proper Handling; Consistency; Use of Personal Information; Personal Information Life Cycle)

Page 6

Fair Information Practices

- Notice and Awareness
- Choice and Consent
- Individual Access
- Information Quality and Integrity
- Update and Correction
- Enforcement and Recourse

Michael Willett:

These fair information practices are more “operational” than the principles, but are still missing the procedural and functional “glue” to tie them together into a system.

The names of the practices are self-explanatory as to the desired behavior. For example, Choice and Consent means that the subject of the requested PI can exercise choice over the types of PI collected and can consent to that collection (either opt-out or opt-in) and the subsequent use of the PI by the requestor.


Page 7

Life Cycle Management of PI

Touch Points: Source/Subject, Intermediary, Repository/Custodian, Requestor/Receiver

Michael Willett:

If PI never left the immediate control of the subject, then privacy would not be a problem. Issues arise when PI leaves the immediate control of the subject and moves through/to various touch points, where others may be able to “touch” and see the PI. Privacy is a PI life cycle issue.


Page 8

“Operational” Requirements

- Interfacing
- Control
- Life Cycle Issues
- Exception Processing
- Security
- Integrity

Michael Willett:

To create an operational framework, various system capabilities must be identified that are not explicit at the privacy requirements level (requirements = privacy practices, principles). For example, a Control function is essential to honoring the PI usage desires of the subject, but is not explicit in the privacy principles. Interfacing to the Framework is not explicit in the privacy principles, but is another essential operational service.


Page 9

Privacy Services/Capabilities (©)

- Interaction
- Agent ©
- Validation
- Negotiation
- Enforcement
- Control
- Audit (Log)
- Certification
- Usage ©
- Access ©

Michael Willett:

After several iterative rounds, the Framework Project team has evolved the following operational Services:

- Agent: A software process acting on behalf of a data subject or a requestor to engage with one or more of the other Services defined in this Framework. Agent also refers to the human data subject in the case of a manual process.
- Interaction: Handles presentation of proposed agreements from a data collection entity to a data subject; input of the subject’s personal information, preferences, and actions; and confirmation of actions. To the extent the data subject is represented by an Agent, this service comprises the interface to the Agent.
- Control: Handles the role of “repository gatekeeper” to ensure that access to personal information stored by a data collection entity complies with the terms and policies of an agreement and any applicable regulations.
- Validation: Handles checking for correctness of personal information at any point in its life cycle.
- Negotiation: Handles arbitration of a proposal between a data collection entity and a data subject. Successful negotiation results in an agreement. Negotiation can be handled by humans, by agents, or any combination.
- Usage: Handles the role of “processing monitor” to ensure that active use of personal information outside of the Control Service complies with the terms and policies of an agreement and any applicable regulations. Such uses include derivation, aggregation, anonymization, linking, and inference of data.
- Audit: Handles the recording and maintenance of events in any Service to capture the data necessary to ensure compliance with the terms and policies of an agreement and any applicable regulations.
- Certification: Handles validation of the credentials of any party involved in processing of a personal information transaction.
- Enforcement: Handles redress when a data collection entity is not in conformance with the terms and policies of an agreement and any applicable regulations.


Page 10

Subject “Permission” Bound to PI

(Slide diagram labels: Binding; Permission; Personal Information; Life Cycle; Container)

Michael Willett:

In order for the PI subject to exercise vicarious control over the PI as it travels beyond the immediate control of the subject, the ‘permissions’ (allowable uses) granted by the PI subject must be bound in some way to the PI. Further, the binding mechanism must be robust enough and respected by subsequent touch points in the PI life cycle so as to faithfully support the usage desires of the subject.

Depending on local or jurisdictional requirements, the binding mechanism could range from simple pointers to robust cryptography. The Framework does not mandate a particular binding, but rather treats the binding selection as a configuration parameter to the Framework.


Page 11

PI Container (PIC)

- PI Contract
- PI
- Intended Use
- Credentials
- Policies
- Conditions
- Permissions
- Identity Credentials
- Signature
- BINDING

Michael Willett:

In order to transport the PI bound to the permissions throughout its life cycle, a “PI Container” is used. The binding mechanism is a configuration parameter, from simple pointers to full cryptographic binding.

Included in the container are the Contract (including the negotiated Permissions) and the Credentials for the subject.

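As an added example (not code from the ISTPA deck or from the Framework itself), the following Python models the PI Container described on this slide together with the Control Service "repository gatekeeper" from page 9: the negotiated permissions are bound to the PI with a keyed hash, which is one of the binding choices the notes leave as a configuration parameter, and a touch point that quietly widens the permissions is refused because the binding no longer verifies. The subject, contract, key and service names are constructed assumptions; each Control decision is also recorded as a stand-in for the Audit Service.

```python
import hashlib
import hmac
import json

# Constructed demo key; the binding mechanism (here a keyed hash over PI and
# contract) is a Framework configuration parameter, not mandated by the Framework.
BINDING_KEY = b"demo-binding-key-not-for-production"
AUDIT_LOG = []  # stand-in for the Audit Service: one event per Control decision

def canonical(obj) -> bytes:
    """Stable serialization so the binding covers exactly the PI and contract."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def make_pic(pi: dict, contract: dict, credentials: dict) -> dict:
    """Build a PI Container: PI, Contract (with negotiated Permissions), subject
    Credentials, and a binding tag that ties the permissions to this exact PI."""
    tag = hmac.new(BINDING_KEY, canonical({"pi": pi, "contract": contract}),
                   hashlib.sha256).hexdigest()
    return {"pi": pi, "contract": contract, "credentials": credentials, "binding": tag}

def binding_valid(pic: dict) -> bool:
    """Recompute the binding at a touch point; any edit to PI or contract fails."""
    expected = hmac.new(BINDING_KEY, canonical({"pi": pic["pi"], "contract": pic["contract"]}),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pic.get("binding", ""))

def control_decision(pic: dict, requestor: str, field: str, purpose: str) -> tuple:
    """Control Service ("repository gatekeeper"): release one PI field only if the
    binding holds and a permission in the contract covers requestor, field and purpose."""
    if not binding_valid(pic):
        verdict = (False, "binding check failed: PI or contract was altered")
    else:
        matches = [p for p in pic["contract"]["permissions"]
                   if p["requestor"] == requestor and field in p["fields"]
                   and purpose in p["purposes"]]
        verdict = (True, pic["pi"][field]) if matches else \
            (False, f"no permission for {requestor} to use {field} for {purpose}")
    AUDIT_LOG.append({"requestor": requestor, "field": field, "purpose": purpose,
                      "granted": verdict[0], "subject": pic["credentials"]["subject_id"]})
    return verdict

def demo() -> dict:
    """Constructed sample: the subject consents to fulfilment use only, then a
    downstream touch point tries to widen the permissions to marketing."""
    pi = {"name": "Alice Example", "email": "alice@example.invalid"}
    contract = {"intended_use": "order fulfilment",
                "permissions": [{"requestor": "shop", "fields": ["name", "email"],
                                 "purposes": ["fulfilment"]}]}
    pic = make_pic(pi, contract, {"subject_id": "subj-0001"})
    results = {"fulfilment": control_decision(pic, "shop", "email", "fulfilment"),
               "marketing": control_decision(pic, "shop", "email", "marketing")}
    tampered = json.loads(json.dumps(pic))  # deep copy, then widen the permissions
    tampered["contract"]["permissions"][0]["purposes"].append("marketing")
    results["tampered"] = control_decision(tampered, "shop", "email", "marketing")
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
    print(AUDIT_LOG)
```

With a plain pointer binding instead of the keyed hash, the third case would be indistinguishable from a legitimate contract, which is the robustness trade-off the notes on page 10 describe.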

Page 12

PI Touch Point Structure

Layers, top to bottom:

- Requestor/Receiver (pull/push PI)
- Legal, Technical, Administrative
- Security/Privacy (technologies/practices)
- Personal Information

Michael Willett:

At each touch point, a layered structure can be provided, with the requestor/receiver of PI at the top and the PI itself at the bottom (or innermost). The intervening layers consist of the security and privacy functions (i.e., the Framework), with a legal, technical, and administrative upper layer serving as the configuration or ‘parameterization’ layer for the Framework. Specific technology and policy choices are not hard-wired into the Framework, but rather are configured into the Framework at run time.

It is better to have ample, selectable parameters in the overall design, so that an installed implementation can simply be configured, instead of being replaced or upgraded.


Page 13

Privacy SERVICES/CAPABILITIES

(Slide diagram: an outer “Legal, Regulatory, and Policy Context” layer over a “Security Foundation”; a Data Subject node with Agent, Control, Interaction, Negotiation and a “PI, Preferences & PIC Repository”; a Data Requestor node with Agent, Control, Interaction, Negotiation, Usage and a “PIC Repository”; a PI Container (PIC) between the nodes; Assurance Services: Enforcement, Audit, Certification, Validation; and Access.)

Michael Willett:

Shown is a typical configuration of the privacy Services, with an Agent Service representing both the Subject and the Data Requestor. Interaction, Negotiation, and the all-important Control function provide a front-end to the secure data repository. The Assurance Services of Validation, Certification, Audit, and Enforcement support both nodes, whereas Usage supports the Data Requestor.

The security services (e.g., the OpenGroup taxonomy) are available to all the privacy services. The Legal, Regulatory, and Policy Context provides the necessary configuration and parameterization layer.


Page 14

Privacy Practices

(Slide diagram: the Page 13 Framework layout (Legal, Regulatory, and Policy Context; Security Foundation; Data Subject and Data Requestor nodes each with Agent, Control, Interaction, Negotiation; Usage; PI, Preferences & PIC Repository; PIC Repository; PI Container (PIC); Assurance Services: Enforcement, Audit, Certification, Validation) with the fair information practices overlaid: Notice, Awareness, Choice, Consent, Quality/Integrity, Access, Update, Correction, Enforcement, Recourse.)

Michael Willett:

The original fair information practices are overlaid on the Privacy Framework, showing the operational “implementation” of the practices. Note that Individual Access is a “use case” application of the Framework, exploiting Negotiation.


Page 15

Summary

- Privacy: consumer prejudice, legal time bomb

- ISTPA: “… admin/technical/legal framework…”

- Privacy = proper handling...consistent…preferences

- Operational privacy principles/practices: SERVICES

- Combine with Security Services (eg, OpenGroup)

- Usability studies (w/Johns Hopkins Univ)

- Privacy Framework version 1 document (30 May)

- CMU + ISTPA Technical Partnership

Michael Willett:

The Privacy Framework structure is still evolving; your input and suggestions are welcome. The Framework Project is actively validating the Framework with Use Cases.


Page 16

ISTPA: www.istpa.org

To receive a copy of the ISTPA Privacy Framework v1.0 doc, write to: [email protected]