Privacy Rights Management Using DRM Is this a good idea? Larry Korba Information Security Group Black Hat Europe, May 19-20, 2004
Agenda • Introduction – Caveats – About this Work and the Speaker • Privacy in the EU – Laws, Elements, Principles • Mark-Up and Privacy Expression • Using DRM for PRM • Pitfalls • Conclusions
Introduction: Caveats • High Level view – Talk/email me for more detail • Translate into Technology – From Policy to Processes • Ask Questions – We will all learn more.
Introduction: About the Speaker • Researcher, Group Leader, Information Security Group • 8 Researchers – Security Intelligence to Privacy • Research Collaborations – Europe, Taiwan, CSE – Consult with SMEs
Introduction: About this Work • Privacy Incorporated Software Agent (PISA) Collaboration (2001-2004) – http://www.pet-pisa.nl/ • Me – Leader for the Canadian Parts of the PISA project – Network Privacy, Scalability, & Trustworthy HCI – This work: PISA Engendered
Privacy Basics: What is Privacy • The right to be left alone –Free from surveillance or interference • from other individuals, • from organisations or • from the state • A Fundamental Human Right in the EU
Privacy in the EU: The Basics • EU is in the vanguard. Also Canada, Australia, Hong Kong • In US: Privacy Legislation Patchwork • Individual Rights and Custodian Responsibilities are described in the EU Data Directive 95/46/EC (99/33/EC, 2002/58/EC) • In EU, Different Countries Deal with the Directive differently • Privacy Principles explain general requirements
Privacy in the EU: The Elements • Personally Identifiable Information (PII) • Data Subject – Citizen of the EU • Data Controller – Custodial Responsibility for PII • Data Processor – Processes PII – May be part of the Controller
Legislation: Relationship Between Elements (figure) • Elements shown: The Directive, Data Subject, Data Controller, Data Processor (several) • Relationship labels shown: Constraints, Declares, Informs, Entrusts, Contracts
The Privacy Principles • Express the Essence of the Legislation (Directive) • Useful guidelines for understanding requirements • Different Countries have slightly different Principles
Legislation: Privacy Facilitation Principles • Express legislation intentions – Reporting the processing – Transparent processing – Finality & Purpose Limitation – Lawful basis for data processing – Data quality – Rights – Data traffic outside EU – Data processor processing – Security
Reporting the Processing • Processing of PII must be reported to Data Protection Authority, unless processing is exempt (e.g. anonymity)
Transparent Processing • Data Subject must be able to see who is processing what data for what purpose.
Finality & Purpose Limitation • PII may only be processed for the explicit, agreed upon, and legitimate purposes
Lawful Basis for Data Processing • PII processing must be: – legal for the type of data involved – depends on the type of PII
Data Quality • PII must be – correct and as accurate as possible, – sufficient, – to-the-point, – not excessive.
Rights • Data Subject has right to improve data and raise objections.
Data Traffic Outside EU • Sending PII Data outside EU – Only if adequate data protection is offered
Data Processor Processing • If Controller outsources processing – Must assure control over processor
Security • Suitable technical and organizational procedures are required – Limit Access – Maintain Integrity – Secure Storage, Processing
EPAL, P3P, and other XML Variants • EPAL (ZKS, IBM) – Formalize Internal Privacy Policies – Fine grained Control – Authorization scheme for centralized control – Flexible – XML Standard track • P3P – Website privacy policy specification – Predefined data categories, data user list, purposes – Only a Use action
What about Enforcement? • EPAL must be built into systems. – IBM’s Enterprise Architecture shows some promise • But how do those systems help to enforce the privacy principles?
Approach for this Work… • DRM: used to control and meter use of digital information • Adapt Digital Rights Management to form a system for Privacy Rights Management • Use this approach to describe how to “Enforce” privacy principles • Describe drawbacks…
Digital Rights Management (Simplified) (figure) • Users (many) • Payment Gateway, Payment Transaction • Distributor: Content Provider, Web Server, DRM Server, Packager • Databases: User Db, Rights Db, Owner Db, Transaction Log, Asset Management • Owners: Electronic Property → Protected Property
Entity Relationships • Converting from DRM to PRM
DRM → PRM
– Owner → Data Subject
– Distributor/DRM System → Data Controller
– User → Data Processor
Privacy Rights Management (Simplified) (figure) • Data Subject → Data Controller → Processors (many) • Data Controller: Web Interface, Rights Fulfillment, Protected Data Server, PRM Server, Packager • Databases: Processor Db, Data Subject Db, Rights Db, Transaction Log • Personal Data → Protected Personal Data
Data Directive Fit: Behaviors
Privacy Principle → DRM Function
– Reporting the processing → Log use
– Transparent processing → Know use
– Finality & Purpose Limitation → Work used for specific purpose
– Lawful basis for data processing → Appropriate use: Transform Law to Code
– Data quality → Maintain quality
– Rights → May improve works
– Data traffic outside EU → Special Handling
– Data processor processing → Software Protected
– Security → Access/Storage, Distribution
System Behavior: Some Examples & Ideas • Finality • Data Quality • Lawful Basis • Data Processing
Finality • PII may only be processed for the explicit, agreed upon, and legitimate purpose • (figure) Policy and Purpose are packaged with the PII; Data Subject → Controller → Processors; Policy/Data/Purpose Tracking; Events recorded in the Transaction Log
Data Quality: Accuracy Check • PII must be: correct and as accurate as possible, sufficient, to-the-point, not excessive. • (figure) Data Request / PII Request, Ack and Report messages exchanged among Data Subject, Controller and Processors; Policy and Purpose attached to the data; Data Tracking; Events recorded in the Transaction Log
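The Finality and Data Quality slides above describe the same machinery: PII packaged with its policy and purpose, processors bound by contracts with the controller, every access written to a transaction log, and the data subject able to see and correct the record. The following is an added example written for this page, not code from the talk or the PISA project; the class and field names (PRMServer, Policy, retention_days, the verdict strings) are assumptions chosen to illustrate the behaviour.

```python
"""Added example (not from the talk): a minimal Privacy Rights Management
server modelled on the PRM architecture in the slides.  PII is packaged
with its policy (agreed purposes, retention), processors hold contracts
with the controller, every access attempt is written to a transaction
log, and the data subject can review and correct the record."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Policy:
    purposes: frozenset      # finality: the explicit purposes the subject agreed to
    retention_days: int      # data quality: not kept longer than needed (assumed field)


@dataclass
class PackagedPII:
    subject_id: str
    data: dict
    policy: Policy
    collected: date


class PRMServer:
    def __init__(self):
        self.contracts = {}   # processor -> purposes the controller contracted it for
        self.store = {}       # subject_id -> PackagedPII
        self.log = []         # transaction log: one entry per collect/access/correct

    def contract(self, processor, purposes):
        self.contracts[processor] = frozenset(purposes)

    def package(self, subject_id, data, purposes, retention_days, today):
        pkg = PackagedPII(subject_id, dict(data),
                          Policy(frozenset(purposes), retention_days), today)
        self.store[subject_id] = pkg
        self.log.append((today, "subject", subject_id, "collect", "ok"))
        return pkg

    def request(self, processor, subject_id, purpose, today):
        """A processor asks for a subject's PII for a stated purpose."""
        pkg = self.store.get(subject_id)
        if pkg is None:
            verdict = "deny:unknown-subject"
        elif purpose not in self.contracts.get(processor, frozenset()):
            verdict = "deny:no-contract"          # data processor processing
        elif purpose not in pkg.policy.purposes:
            verdict = "deny:purpose"              # finality & purpose limitation
        elif today > pkg.collected + timedelta(days=pkg.policy.retention_days):
            verdict = "deny:retention-expired"    # data quality: not excessive
        else:
            verdict = "ok"
        self.log.append((today, processor, subject_id, purpose, verdict))  # reporting
        return dict(pkg.data) if verdict == "ok" else None

    def subject_report(self, subject_id):
        """Transparent processing: who asked for what, for what purpose, and the verdict."""
        return [e for e in self.log if e[2] == subject_id and e[1] != "subject"]

    def subject_correct(self, subject_id, field_name, value, today):
        """Rights / data quality: the subject corrects their own record."""
        pkg = self.store[subject_id]
        old = pkg.data.get(field_name)
        pkg.data[field_name] = value
        self.log.append((today, "subject", subject_id, f"correct:{field_name}", "ok"))
        return old


def demo():
    """Constructed scenario: one subject, two processors, one correction."""
    today = date(2004, 5, 19)
    srv = PRMServer()
    srv.contract("billing-co", ["billing"])
    srv.contract("ad-network", ["marketing"])
    srv.package("s1", {"name": "A. Subject", "email": "a@example.invalid"},
                purposes=["billing"], retention_days=30, today=today)
    billing = srv.request("billing-co", "s1", "billing", today)          # allowed
    marketing = srv.request("ad-network", "s1", "marketing", today)      # subject never agreed
    sneaky = srv.request("billing-co", "s1", "marketing", today)         # no contract for it
    srv.subject_correct("s1", "email", "new@example.invalid", today)
    late = srv.request("billing-co", "s1", "billing", today + timedelta(days=31))  # retention over
    return billing, marketing, sneaky, late, srv.subject_report("s1"), srv.store["s1"].data["email"]
```

The two gates in request() are deliberately separate: the subject's policy (what was agreed) and the controller's contract (who may act on its behalf) both have to permit the purpose, which is the "Data processor processing" principle layered on top of finality. The report the subject receives is derived from the same log that serves the reporting principle, so there is one record of processing rather than two that can drift apart.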
Lawful Basis • PII processing must be: – legal for the type of data involved – depends on the type of PII • How? – Labor-Intensive Review • What is in store for us in the near future?
Lawful Basis: Legal & Regulatory Compliance (figure) • Inputs: Laws, Directives, Decisions, etc. • Ontology Developers build the Legal Ontology on an Ontology Platform (Viewer, Editor, Search, Analysis & Interpretation) • Ontology Users: Law Enforcement, Legal Experts, Compliance Officials, Application Developers, Citizens, Judicial System, Legislators
Data Processing • If Controller outsources processing: Must assure control over processor • Must limit Processing, Distribution, Retention; Maximize Correctness • Ideas: – Audited Contracts (Controller ↔ Processor) • Security Standards, Record Keeping – Metered Access • But… data is still in the clear during processing – Certified 3rd Party Processor? – Processing Container • Processing & Data Bound Together
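The "Processing Container" idea on the slide, in which processing and data are bound together and access is metered, can be sketched concretely. The block below is an added example for this page, not code from the talk or the PISA project. It binds a policy to the personal data with a keyed MAC so the policy cannot be widened without detection, lets only code registered for a declared purpose run on the data, counts each use against the policy's quota, and hands back only the function's result rather than the record itself. The class, field and key names (ProcessingContainer, max_uses, the constructed key) are assumptions.

```python
"""Added example (not from the talk): a processing container that binds
personal data to its policy and to registered processing code."""
import hashlib
import hmac
import json


def seal(key: bytes, data: dict, policy: dict) -> dict:
    """Controller side: tie data and policy together with an HMAC tag."""
    body = json.dumps({"data": data, "policy": policy}, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


class ProcessingContainer:
    def __init__(self, key: bytes):
        self._key = key
        self._registry = {}     # purpose -> {function name: function}
        self._uses = {}         # (subject, purpose) -> uses so far (metered access)
        self.log = []           # transaction log of (purpose, function, verdict)

    def register(self, purpose, name, func):
        """Only code registered here may ever touch the data, and only for that purpose."""
        self._registry.setdefault(purpose, {})[name] = func

    def _open(self, package):
        expected = hmac.new(self._key, package["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, package["tag"]):
            raise ValueError("package tampered")
        return json.loads(package["body"])

    def process(self, package, purpose, name, **kwargs):
        """Run one registered function for a purpose; the raw record never leaves."""
        try:
            opened = self._open(package)
        except ValueError:
            self.log.append((purpose, name, "deny:tampered"))
            return None
        policy, data = opened["policy"], opened["data"]
        subject = policy["subject"]
        if purpose not in policy["purposes"]:
            verdict = "deny:purpose"
        elif name not in self._registry.get(purpose, {}):
            verdict = "deny:unregistered-code"
        elif self._uses.get((subject, purpose), 0) >= policy["max_uses"][purpose]:
            verdict = "deny:meter"
        else:
            verdict = "ok"
        self.log.append((purpose, name, verdict))
        if verdict != "ok":
            return None
        self._uses[(subject, purpose)] = self._uses.get((subject, purpose), 0) + 1
        return self._registry[purpose][name](data, **kwargs)


def age_over(data, threshold):
    """Registered processing: answers a yes/no question without exposing the record."""
    return data["age"] >= threshold


def demo():
    """Constructed scenario: two metered uses, then an exhausted meter,
    a policy edited without the key, and a purpose the subject never agreed to."""
    key = b"controller-key (constructed)"
    pkg = seal(key, {"name": "A. Subject", "age": 34},
               {"subject": "s1", "purposes": ["age-check"], "max_uses": {"age-check": 2}})
    c = ProcessingContainer(key)
    c.register("age-check", "age_over", age_over)
    first = c.process(pkg, "age-check", "age_over", threshold=18)    # True
    second = c.process(pkg, "age-check", "age_over", threshold=40)   # False
    third = c.process(pkg, "age-check", "age_over", threshold=18)    # None: meter exhausted
    widened = dict(pkg)                                              # policy edited, tag not updated
    widened["body"] = pkg["body"].replace(b'"max_uses": {"age-check": 2}',
                                          b'"max_uses": {"age-check": 9}')
    fourth = c.process(widened, "age-check", "age_over", threshold=18)  # None: tamper detected
    other = c.process(pkg, "marketing", "age_over", threshold=18)       # None: purpose not agreed
    return first, second, third, fourth, other, [v for _, _, v in c.log]
```

The MAC gives integrity for the policy-to-data binding, not confidentiality; as the slide notes, the data is still in the clear while it is processed. What the container changes is where that happens: inside code the controller has registered, with each use counted and logged, rather than in a processor's hands as a plain copy.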
Good & Bad: Using DRM for PRM • DRM for PRM appears a good fit – Useful way of approaching system development – Offers security, finality, processing reporting, but… • Millions of Data Subjects: Scalability an Issue for Reporting processing • Assuring proper personal data processing: difficult or impossible • Beyond DRM, PRM must allow maintenance of Personal Data by data subjects – In EU, Privacy is a basic human right. – In US, People tend to give up PII readily
PII being Treated as Property • Commoditization of PII? – Potential approach under consideration for US – Free Market sort of model – Citizen in Control • May bargain for good/services in exchange for PII • Quite different than the EU Model
Conclusions • Privacy Management Pressures – Legislation forces Compliance, More Data • EU: Leads World in legislation and enforcement • Privacy Principles Analysis + DRM adapted for PRM – Offers a way to understand system requirements • Particular challenges: – Scalability, Secure processing, Lawful Basis • Zero Knowledge, IBM, Others – Privacy Languages and Architectures – Dealing with Legacy Systems, still a challenge
Thank You… Questions?
[email protected] http://www.iit-iti.nrc-cnrc.gc.ca