E-Commerce Barriers in a Networked World
Mike Gurski, Senior Policy & Technology Advisor
Information & Privacy Commission, Ontario Canada
CITO, October 10 - 11, 2001
What the Experts Say
“Lack of privacy holding back e-commerce; FTC holds hearings.”
Business Wire
“90 percent of Web sites fail to comply with basic privacy principles.”
Washington Post
“Due to consumers’ privacy concerns, e-commerce companies lost some $2.8 billion last year.”
Forrester Research
When Things Go Wrong
Privacy lawsuits and disasters:
• DoubleClick
• Intel Pentium III
• RealNetworks
• Microsoft Hotmail
• Amazon/Alexa
• CD Universe
• Look Communications
• Toysmart
The Beginning of the Privacy Revolution
“Anyone today who thinks the privacy issue has peaked is greatly mistaken…”
– Forrester Research, March 5, 2001
“It doesn’t take much for people to get really concerned about a particular company’s…privacy practices.”
– Johnathan Gaw, IDC Corp., March 29, 2001
The Threats to Privacy
• Big Brother
– Surveillance, control, no private space
• The Trial
– Fractured personal data held by uncaring, unknowing authorities
• The Matrix
– Technology designs society & society’s perceived reality for its own ends
• Commodification of Human Relationships
– Life as the ultimate shopping experience
Enumerating the Barriers
• Risk of Economic Injury
– Identity theft
– Unauthorised use of credit card information
• Unwanted Intrusions
– Phone calls
– Computer based spam
Privacy Drivers
• Large organizations disconnected from clients, gathering detailed data
• Increasing amounts of personal data held, consolidated and used
• New privacy invasive technologies
• Application of a technology paradigm geared to manufactured goods on humans
Privacy Defined: Think “Use”
Informational Privacy: Data Protection
– Personal control over the collection, use and disclosure of any recorded information about an identifiable individual
– The organisation’s responsibility for data protection and safeguarding personal information in its custody or control.
Privacy and Security: The Difference
• Security
– Authentication
– Data Integrity
– Confidentiality
– Non-repudiation
• Privacy: Data Protection (Fair Information Practices)
– Accountability
– Identifying Purposes
– Consent
– Limiting Collection
– Accuracy
– Safeguards
– Openness
– Individual Access
– Limiting Use, Disclosure, Retention
– Challenging Compliance
Privacy By Design: Build It In
• Build in privacy – up front, right in the design specifications.
• Minimize the collection and routine use of personally identifiable information – use aggregate or coded information if possible.
• Wherever possible, encrypt – implement anonymity and pseudonymity.
• Assess the risks to privacy: conduct a privacy impact assessment; privacy audit.
• Develop a corporate culture of privacy.
What to Do About Privacy
The Tools
– Privacy Design Principles*
– Technology Design Principles*
– Privacy Impact Assessment Guide*
– Privacy Architecture and the Privacy Architect*
– Privacy Enhancing Technologies*
– Privacy Diagnostic Tool*
Privacy Design Principles* – An Example
– Personal data should not be used or disclosed for purposes other than those specified in accordance with Principle 1 except:
a) with the consent of the data subject, b) by the authority of law, or c) for the safety of the community, including victims and witnesses.
– Generally, personal information should be retained as necessary, but its use must be limited to its original purpose for collection
http://www.ipc.on.ca/english/pubpres/sum%5Fpap/papers/designpr.htm
Technology Design Principle* – An Example
• Use Limitation Principle
– Personal data should not be used or disclosed for purposes other than specified
• Technology Design Principle
– Information systems must be designed to halt unauthorised use. That involves a protocol for tracking who accesses specific information and for what purposes. The circumstances of use need to be recorded and attached to the personal information record.
Privacy Impact Assessment*
A tool developed by the provincial government to address privacy issues related to information systems
An example of questions under Use Limitation:
– Is personal information used exclusively for the stated purposes and for uses that the average client would consider to be consistent with those purposes?
– Are personal identifiers, such as the social insurance number, used for the purposes of linking across multiple databases?
– Where data matching or profiling occurs, is it consistent with the stated purposes for which the personal information is collected?
– Is there a record of use maintained for any use or disclosure not consistent with original stated purposes?
– Is the record of use attached to the personal information record?
www.gov.on.ca/MBS/english/fip/pia/pianew.html
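The use-limitation design principle and the PIA questions above describe a guard that halts use outside the stated purposes, admits only the named exceptions (consent, authority of law, safety of the community), and attaches a record of use to the personal information record itself. The following is an added illustration written for this page, not code from the IPC or the Ontario PIA guide; the record layout, the basis labels and the sample customer record are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class UseRecord:
    accessor: str
    purpose: str
    basis: str   # "stated purpose", a lawful exception, or "halted"
    when: str


@dataclass
class PersonalRecord:
    subject_id: str
    data: dict
    stated_purposes: set                 # purposes identified and consented to at collection
    record_of_use: list = field(default_factory=list)   # travels with the record


# Exceptions the Privacy Design Principles allow beyond the stated purposes (assumed labels).
LAWFUL_EXCEPTIONS = {"authority of law", "safety of the community"}


def consent_to(record, purpose):
    """Exception (a): the data subject consents to an additional purpose."""
    record.stated_purposes.add(purpose)


def use(record, accessor, purpose, exception=None):
    """Release data only for a stated purpose or a named lawful exception; every
    attempt is appended to the record's own record of use, so uses outside the
    original purposes are either halted or made traceable."""
    if purpose in record.stated_purposes:
        basis = "stated purpose"
    elif exception in LAWFUL_EXCEPTIONS:
        basis = exception
    else:
        basis = "halted"
    record.record_of_use.append(
        UseRecord(accessor, purpose, basis, datetime.now(timezone.utc).isoformat()))
    return dict(record.data) if basis != "halted" else None


def uses_outside_stated_purposes(record):
    """The PIA question: is a record kept of uses not consistent with the stated purposes?"""
    return [u for u in record.record_of_use if u.basis != "stated purpose"]


def demo():
    # Constructed sample record, collected for order fulfilment and billing only.
    rec = PersonalRecord("subj-001", {"name": "A. Customer", "email": "a@example.invalid"},
                         {"order fulfilment", "billing"})
    shipped = use(rec, "warehouse-app", "order fulfilment")      # consistent use
    promo = use(rec, "marketing-app", "marketing")               # halted, but recorded
    warrant = use(rec, "legal-dept", "disclosure to police", exception="authority of law")
    return rec, shipped, promo, warrant
```

Because the record of use is a field of the record rather than a separate log, it follows the data wherever the record is copied or disclosed, which is what the last PIA question asks for.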
What is a Privacy Architect?
The person responsible for ensuring that the design of a given technology or system or process provides sufficient and appropriate protection of personal information
Courtesy, Peter J. Hope-Tindall, Chief Privacy Architect, dataPrivacy Partners Ltd.
Privacy Architect Functions
• Identify and define privacy requirements
• Explain privacy concepts to the key personnel
• Analyze technological components and processes
• Evaluate privacy risk characteristics
• Make recommendations to decision-makers about balancing privacy interests
Privacy Architect - Deliverables
Develop a conceptual, logical and technical privacy architecture which is feasible, cost-effective, of acceptable technological risk, works within the given computer and security architectures and meets the organization’s privacy needs and requirements
Privacy Architect’s Areas of Action
• Legal
• Policy
• Strategy
• Education
• Technical
Security Architect Vs. Privacy Architect*
The security architect focuses on access controls and authorized access as defined by the system owner
A risk based approach is generally used and may include multiple layers of passwords, use of biometrics and/or cryptography, and generally an overlay of preventive, detective (reporting) and corrective controls
Security Architect Vs. Privacy Architect (2)
In contrast, the privacy architect focuses on the collection, use, disclosure and retention of data as mandated by the law and consented to by the individual whose data it is
The system owner is NOT the ultimate authority where privacy is concerned and may in fact be one of the parties from whom the data must be safeguarded
Risk-based Vs. Capability-based Analysis
• Risk based analysis – how likely is it to occur
• Capabilities-based analysis – can it possibly happen
• Concept of Institutional override
Relationship between Privacy and Security
• In theory, privacy and security may be completely different elements of a system
• In practice, security is a facilitator of privacy and an important foundation to it
• No matter how excellent security may be, it is never, of itself, sufficient to ensure privacy
Relationship between Privacy and Internal Controls*
Risk-based context
Good control environment reduces privacy risk
No matter how excellent controls may be, they are never, of themselves, sufficient to ensure privacy
Capabilities-based Privacy
• Theoretically, privacy can be established solely by the use of capabilities-limited technology which is unable by design to do anything to compromise privacy, no matter who may authorize or request it
• In practice, total reliance on technology is untenable
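The contrast between risk-based and capabilities-based analysis, and the "institutional override" idea from the earlier slide, can be made concrete with two pseudonymisers of the kind listed under Privacy Enhancing Technologies. This is an added example for this page, not code from the IPC or dataPrivacy Partners; the class names, the "administrator" role and the test key are assumptions.

```python
import hashlib
import hmac
import secrets


class RiskBasedPseudonymiser:
    """Keeps a re-identification table behind a role check. A risk-based analysis
    asks how likely misuse is; a capabilities-based analysis notes that
    re-identification CAN happen, because an institutional override is designed in."""

    def __init__(self):
        self._table = {}  # pseudonym -> original identifier

    def pseudonymise(self, identifier):
        token = secrets.token_hex(8)
        self._table[token] = identifier
        return token

    def reidentify(self, token, requester_role):
        # The override path: any holder of the right role can reverse the pseudonym.
        if requester_role != "administrator":
            raise PermissionError("role not authorised to re-identify")
        return self._table[token]

    def can_reidentify(self):
        return True  # the capability exists, however well it is controlled


class CapabilityLimitedPseudonymiser:
    """Derives pseudonyms with a keyed hash and stores no mapping at all. The same
    identifier always yields the same token, so records stay linkable for the
    stated purpose, but the component has no code path that reverses a token,
    whoever authorises or requests it."""

    def __init__(self, key):
        self._key = key  # constructed test key; in practice held outside this component

    def pseudonymise(self, identifier):
        return hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

    def can_reidentify(self):
        return False  # no reverse table and no override method exist by design


def capability_check(component):
    """The capabilities-based question from the slides: can it possibly happen?"""
    return component.can_reidentify() or hasattr(component, "reidentify")
```

Whoever holds the HMAC key can still recompute the token for a guessed identifier, so the key must be kept away from the systems that serve requests; the point of the design is the absence of a reverse path, not resistance to guessing a small identifier space.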
Capabilities-based Privacy
Maintaining good privacy almost always includes establishing good security, maintaining privacy controls (preventive, detective and corrective), and conducting periodic privacy audits, including those aimed at ensuring compliance with the law
Technical Education for Privacy
To ensure adequate privacy protection in the future, we may have to re-think how we educate our next generation of technologists
The message may have to change from maximum capability and flexibility of design to prescribed capabilities only and privacy-effective design. Don’t collect what you don’t need!
Privacy Plan*
• Identify current practices
– Follow the data: collection and use
• Identify the gaps
• Establish a Centre of Privacy Excellence
– Internal staff, external advisory body
• Plan for compliance
– Schedule implementation, audit, post implementation evaluation
• Plan for non-compliance
– Emergency response plan
Privacy Enhancing Technologies*
• Anonymisers
• Pseudonymisers
• Data Hiding Technologies
Privacy Diagnostic*
• A Question & Answer Format
• CD or Web download
• Based on Fair Information Practices
• A good way to take your privacy temperature
A Closing Thought
“To survive mounting consumer anxiety… firms need to institutionalize their commitment to protecting… customers’ privacy by taking a comprehensive, whole-view approach… The cost of a privacy PR blowout can range from tens of thousands to millions of dollars… and this doesn’t include lost business and damage to the brand.”
-Forrester Research
How to Contact Us
Mike Gurski
Information & Privacy Commission/Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
Phone: (416) 325-9164
Web: www.ipc.on.ca
E-mail: [email protected]