Privacy Rights Management Using DRM - Black Hat [PDF]


Privacy Rights Management Using DRM Is this a good idea? Larry Korba Information Security Group Black Hat Europe, May 19-20, 2004

Agenda
• Introduction
  – Caveats
  – About this Work and the Speaker
• Privacy in the EU
  – Laws, Elements, Principles
• Mark-Up and Privacy Expression
• Using DRM for PRM
• Pitfalls
• Conclusions

Introduction: Caveats
• High Level view – Talk to me / email me for more detail
• Translate into Technology – From Policy to Processes
• Ask Questions – We will all learn more.

Introduction: About the Speaker
• Researcher, Group Leader, Information Security Group
• 8 Researchers – Security Intelligence to Privacy
• Research Collaborations – Europe, Taiwan, CSE
  – Consult with SMEs

Introduction: About this Work
• Privacy Incorporated Software Agent (PISA) Collaboration (2001-2004)
  – http://www.pet-pisa.nl/
• Me – Leader for the Canadian Parts of the PISA project
  – Network Privacy, Scalability, & Trustworthy HCI
  – This work: PISA Engendered

Privacy Basics: What is Privacy
• The right to be left alone
  – Free from surveillance or interference
    • from other individuals,
    • from organisations or
    • from the state
• A Fundamental Human Right in the EU

Privacy in the EU: The Basics
• EU is in the vanguard. Also Canada, Australia, Hong Kong
• In US: Privacy Legislation Patchwork
• Individual Rights and Custodian Responsibilities are described in the EU Data Directive 95/46/EC (99/33/EC, 2002/58/EC)
• In EU, Different Countries Deal with the Directive differently
• Privacy Principles explain general requirements

Privacy in the EU: The Elements
• Personally Identifiable Information (PII)
• Data Subject – Citizen of the EU
• Data Controller – Custodial Responsibility for PII
• Data Processor – Processes PII – May be part of the Controller

Legislation: Relationship Between Elements

[Figure: The Directive declares constraints on the Data Controller. The Data Subject entrusts Data to the Data Controller, who informs the Data Subject. The Data Controller contracts with Data Processors and passes Data to them.]

The Privacy Principles
• Express the Essence of the Legislation (Directive)
• Useful guidelines for understanding requirements
• Different Countries have slightly different Principles

Legislation: Privacy Facilitation Principles
• Express legislation intentions
  – Reporting the processing
  – Transparent processing
  – Finality & Purpose Limitation
  – Lawful basis for data processing
  – Data quality
  – Rights
  – Data traffic outside EU
  – Data processor processing
  – Security

Reporting the Processing • Processing of PII must be reported to Data Protection Authority, unless processing is exempt (e.g. anonymity)

Transparent Processing • Data Subject must be able to see who is processing what data for what purpose.

Finality & Purpose Limitation • PII may only be processed for the explicit, agreed upon, and legitimate purposes

Lawful Basis for Data Processing
• PII processing must be:
  – legal for the type of data involved
  – Depends on the type of PII

Data Quality
• PII must be
  – correct and as accurate as possible,
  – sufficient,
  – to-the-point
  – not excessive.

Rights
• Data Subject has the right to improve data and raise objections.

Data Traffic Outside EU
• Sending PII Data outside EU
  – Only if adequate data protection is offered

Data Processor Processing
• If Controller outsources processing
  – Must assure control over processor

Security
• Suitable technical and organizational procedures are required
  – Limit Access
  – Maintain Integrity
  – Secure Storage, Processing

EPAL, P3P, and other XML Variants
• EPAL (ZKS, IBM)
  – Formalize Internal Privacy Policies
  – Fine grained Control
  – Authorization scheme for centralized control
  – Flexible
  – XML Standards track
• P3P
  – Website privacy policy specification
  – Predefined data categories, data user list, purposes
  – Only a Use action

What about Enforcement?
• EPAL must be built into systems.
  – IBM's Enterprise Architecture shows some promise
• But how do those systems help to enforce the privacy principles?

Approach for this Work…
• DRM: used to control and meter use of digital information
• Adapt Digital Rights Management to form a system for Privacy Rights Management
• Use this approach to describe how to "Enforce" privacy principles
• Describe drawbacks…

Digital Rights Management (Simplified)

[Figure: Owners hand Electronic Property to a Packager, which produces Protected Property held by the Distributor / Content Provider Web Server. Users obtain it through the Web Server; a Payment Gateway handles the Payment Transaction. The DRM Server backs this with a User Db, Rights Db, Owner Db, Transaction Log and Asset Management.]

Entity Relationships
• Converting from DRM to PRM

  PRM              DRM
  Data Subject     Owner
  Data Controller  Distributor/DRM System
  Data Processor   User

Privacy Rights Management (Simplified)

[Figure: The Data Subject supplies Personal Data through a Web Interface to the Data Controller's Packager, which produces Protected Personal Data held on a Protected Data Server. Processors (the PRM system's users) obtain it through Rights Fulfillment. The PRM Server maintains the Databases: Processor Db, Data Subject Db, Rights Db, and a Transaction Log.]

Data Directive Fit: Behaviors

  Privacy Principle                 DRM Function
  Reporting the processing          Log use
  Transparent processing            Know use
  Finality & Purpose Limitation     Work used for specific purpose
  Lawful basis for data processing  Appropriate use: Transform Law to Code
  Data quality                      Maintain quality
  Rights                            May improve works
  Data traffic outside EU           Special Handling
  Data processor processing         Software
  Security                          Protected Access/Storage, Distribution

System Behavior: Some Examples & Ideas
• Finality
• Data Quality
• Lawful Basis
• Data Processing

Finality
• PII may only be processed for the explicit, agreed upon, and legitimate purpose

[Figure: The Data Subject's PII is packaged together with a Policy and Purpose. The Controller releases it to Processors only for that Purpose; Data Tracking records each Event in the Transaction Log.]

Data Quality: Accuracy Check
• PII must be: correct and as accurate as possible, sufficient, to-the-point, not excessive.

[Figure: The Controller sends a Data Request (PIReq) for the PII held under each Policy/Purpose; the Subject and the Processors answer with an Ack; the Controller issues a Report. Data Tracking records each Event in the Transaction Log.]
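The behaviors the Finality and Data Quality slides sketch, and the principle-to-DRM-function mapping of the "Data Directive Fit" table, can be tried out in a few dozen lines. The following is an added illustration written for this transcript, not code from the PISA project or from the talk: a packager binds a subject's PII to the agreed purposes, contracted processors and retention period; a PRM server grants or denies each processor request (finality, transfer outside the EU, retention, tampering), records only decisions in a transaction log, lets the subject see who used what (transparent processing), and applies the subject's corrections from an accuracy check. The JSON package format, the HMAC seal, the server key, the adequacy list and the sample data are all assumptions made for the example; a real DRM-style system would also encrypt the payload and release keys through the rights server.

```python
"""Toy PRM server following the slides' DRM-to-PRM mapping. Added example,
not the PISA project's code. Assumed: a JSON package format, an HMAC seal,
and the rule set below; a real system would also encrypt the payload."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SERVER_KEY = b"constructed-prm-server-secret"   # assumed: held by the PRM server
EU_REGIONS = {"EU"}                             # assumed: adequacy list


def _seal(body):
    """Integrity tag over PII + policy so a processor cannot edit the policy."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def package(subject, pii, purposes, processors, retain_days, now):
    """Packager: bind the subject's PII to the purposes and processors agreed."""
    body = {"subject": subject, "pii": dict(pii),
            "policy": {"purposes": sorted(purposes),
                       "processors": sorted(processors),
                       "expires": (now + timedelta(days=retain_days)).isoformat()}}
    return {"body": body, "seal": _seal(body)}


class PRMServer:
    def __init__(self):
        self.log = []   # transaction log: decisions only, never the PII itself

    def _record(self, **event):
        self.log.append(event)

    def request(self, pkg, processor, purpose, region, now):
        """Rights fulfillment: release PII only if every policy rule holds."""
        body, policy = pkg["body"], pkg["body"]["policy"]
        event = dict(subject=body["subject"], processor=processor,
                     purpose=purpose, region=region, time=now.isoformat())
        if not hmac.compare_digest(_seal(body), pkg["seal"]):
            reason = "package tampered"
        elif processor not in policy["processors"]:     # processor processing
            reason = "processor not contracted"
        elif purpose not in policy["purposes"]:          # finality
            reason = "purpose not agreed"
        elif region not in EU_REGIONS:                   # data traffic outside EU
            reason = "transfer outside EU"
        elif now > datetime.fromisoformat(policy["expires"]):
            reason = "retention expired"
        else:
            self._record(**event, decision="grant", fields=sorted(body["pii"]))
            return True, dict(body["pii"])
        self._record(**event, decision="deny", reason=reason)
        return False, reason

    def subject_view(self, subject):
        """Transparent processing: who processed what, when, for what purpose."""
        return [e for e in self.log if e["subject"] == subject]

    def accuracy_check(self, pkg, answers, now):
        """Data quality: apply the subject's corrections and re-seal the package."""
        body = pkg["body"]
        changed = {k: v for k, v in answers.items()
                   if k in body["pii"] and body["pii"][k] != v}
        body["pii"].update(changed)
        pkg["seal"] = _seal(body)
        self._record(subject=body["subject"], processor="controller",
                     purpose="accuracy-check", region="EU",
                     time=now.isoformat(), decision="correct",
                     fields=sorted(changed))
        return sorted(changed)


def demo():
    """Walk through the behaviours on constructed data; returns the decisions."""
    t0 = datetime(2004, 5, 19, tzinfo=timezone.utc)
    srv = PRMServer()
    pkg = package("subject-42", {"name": "A. Subject", "email": "old@example.org"},
                  purposes={"billing"}, processors={"acme-billing"},
                  retain_days=90, now=t0)
    r = {}
    r["billing"] = srv.request(pkg, "acme-billing", "billing", "EU", t0)[0]
    r["marketing"] = srv.request(pkg, "acme-billing", "marketing", "EU", t0)[1]
    r["export"] = srv.request(pkg, "acme-billing", "billing", "US", t0)[1]
    r["expired"] = srv.request(pkg, "acme-billing", "billing", "EU",
                               t0 + timedelta(days=91))[1]
    forged = json.loads(json.dumps(pkg))             # processor edits its own copy
    forged["body"]["policy"]["purposes"].append("marketing")
    r["forged"] = srv.request(forged, "acme-billing", "marketing", "EU", t0)[1]
    r["corrected"] = srv.accuracy_check(
        pkg, {"name": "A. Subject", "email": "new@example.org"}, t0)
    r["email_after"] = srv.request(pkg, "acme-billing", "billing", "EU", t0)[1]["email"]
    r["visible"] = len(srv.subject_view("subject-42"))
    return r


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the log stores field names and decisions rather than the PII values, because a transaction log that the subject (and auditors) can read must not itself become a second copy of the personal data; and the seal is checked before any other rule, so a processor that rewrites the policy in its copy of the package is refused as "tampered" rather than evaluated against the rewritten policy.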

Lawful Basis
• PII processing must be:
  – legal for the type of data involved
  – Depends on the type of PII
• How?
  – Labor-Intensive Review
• What are we in store for in the Near Future?

Lawful Basis: Legal & Regulatory Compliance Ontology

[Figure: Ontology Developers (Legal Experts, Application Developers) build a Legal Ontology from Laws, Directives, Decisions, etc. on an Ontology Platform that offers a Viewer, Editor, Search, and Analysis & Interpretation. Ontology Users: Law Enforcement, Compliance Officials, Citizens, the Judicial System, Legislators.]

Data Processing
• If Controller outsources processing: Must assure control over processor
• Must limit Processing, Distribution, Retention; Maximize Correctness
• Ideas:
  – Audited Contracts (Controller ↔ Processor)
    • Security Standards, Record Keeping
  – Metered Access
    • But... Data still in Clear for processing
  – Certified 3rd Party Processor?
  – Processing Container
    • Processing & Data Bound Together
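The "Metered Access" and "Processing Container" ideas on this slide can be made concrete with a small container in which the processor never receives the data: it submits a job, the container projects only the fields allowed for the stated purpose, meters granted uses per processor, runs the job, and refuses results that echo raw identifiers. This is an added illustration for the transcript, not the talk's own design or code; the purpose-to-fields table, the quota, the identifier set and the sample records are constructed for the example. It also shows the slide's caveat in action: inside the container the data is in the clear, and a job that merely encodes what it saw walks straight past the echo check.

```python
"""Processing container sketch for 'Processing & Data Bound Together':
processors submit a job that runs inside the controller's container, with
fields projected per purpose, a use meter per processor, and a crude check
that results do not echo identifiers. Added example, not the slides' design.
Purpose table, quota, identifier set and records are constructed."""
from statistics import mean


class PurposeNotAllowed(PermissionError):
    pass


class QuotaExceeded(PermissionError):
    pass


class ResultLeaksPII(PermissionError):
    pass


IDENTIFYING = {"name", "email"}   # assumed: fields treated as direct identifiers


class ProcessingContainer:
    def __init__(self, records, purpose_fields, quota):
        self._records = [dict(r) for r in records]   # in the clear, inside only
        self._purpose_fields = purpose_fields        # purpose -> fields allowed
        self._quota = quota                          # granted uses per processor
        self.log = []                                # metering / reporting record

    def _log(self, processor, purpose, decision):
        self.log.append({"processor": processor, "purpose": purpose,
                         "decision": decision})

    def uses(self, processor):
        """Metered access: count only the uses that were actually granted."""
        return sum(1 for e in self.log
                   if e["processor"] == processor and e["decision"] == "grant")

    def run(self, processor, purpose, job):
        fields = self._purpose_fields.get(purpose)
        if fields is None:                           # finality / purpose limitation
            self._log(processor, purpose, "deny: purpose not allowed")
            raise PurposeNotAllowed(purpose)
        if self.uses(processor) >= self._quota:      # metered access
            self._log(processor, purpose, "deny: quota exhausted")
            raise QuotaExceeded(processor)
        view = [{k: r[k] for k in fields} for r in self._records]   # not excessive
        result = job(view)               # the job sees cleartext: the slide's caveat
        raw = {str(r[k]) for r in self._records for k in IDENTIFYING if k in r}
        if any(v in repr(result) for v in raw):      # crude output check
            self._log(processor, purpose, "deny: result echoes identifiers")
            raise ResultLeaksPII(processor)
        self._log(processor, purpose, "grant")
        return result


RECORDS = [   # constructed sample data
    {"name": "Ana", "email": "a1@example.org", "age": 34, "country": "PT"},
    {"name": "Bo", "email": "b2@example.org", "age": 41, "country": "NL"},
    {"name": "Cy", "email": "c3@example.org", "age": 27, "country": "DE"},
]
PURPOSES = {"statistics": ["age", "country"], "billing": ["name", "email"]}


def demo():
    """Exercise the container on the constructed data; returns what each caller got."""
    c = ProcessingContainer(RECORDS, PURPOSES, quota=2)
    out = {}
    out["mean_age"] = c.run("stats-co", "statistics",
                            lambda v: mean(r["age"] for r in v))
    try:
        c.run("stats-co", "marketing", lambda v: v)
    except PurposeNotAllowed:
        out["marketing"] = "denied"
    try:
        c.run("mailer", "billing", lambda v: [r["email"] for r in v])
    except ResultLeaksPII:
        out["echo"] = "denied"
    out["count"] = c.run("stats-co", "statistics", len)
    try:
        c.run("stats-co", "statistics", len)
    except QuotaExceeded:
        out["third"] = "denied"
    # A job that merely encodes the data slips past the echo check:
    out["encoded"] = c.run("mailer", "billing",
                           lambda v: [r["email"][::-1] for r in v])
    return out


if __name__ == "__main__":
    print(demo())
```

The last call is the point of the slide's "Assuring proper personal data processing: difficult or impossible" remark on the next page: once the job executes over cleartext, the container can meter, log and project fields, but it cannot decide whether the job's output is a legitimate result or an encoding of the data it was shown.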

Good & Bad: Using DRM for PRM
• DRM for PRM appears a good fit
  – Useful way of approaching system development
  – Offers security, finality, processing reporting but…
• Millions of Data Subjects: Scalability an Issue for Reporting processing
• Assuring proper personal data processing: difficult or impossible
• Beyond DRM, PRM must allow maintenance of Personal Data by data subjects
  – In EU, Privacy is a basic human right.
  – In US, People tend to give up PII readily

PII being Treated as Property
• Commoditization of PII?
  – Potential approach under consideration for US
  – Free Market sort of model
  – Citizen in Control
    • May bargain for goods/services in exchange for PII
• Quite different from the EU Model

Conclusions
• Privacy Management Pressures
  – Legislation forces Compliance, More Data
• EU: Leads World in legislation and enforcement
• Privacy Principles Analysis + DRM adapted for PRM
  – Offers a way to understand system requirements
• Particular challenges:
  – Scalability, Secure processing, Lawful Basis
• Zero Knowledge, IBM, Others
  – Privacy Languages and Architectures
  – Dealing with Legacy Systems, still a challenge

Thank You… Questions? [email protected] http://www.iit-iti.nrc-cnrc.gc.ca
