- Personal Identifiable Information (PII): Information which can be linked back to an individual
- Data subject: Individual that is linked to the PII
- Data Controller: To whom the PII is released
- Item of Interest (IOI): Information related to an individual
- Hard privacy (data minimisation): releasing less information
- Soft privacy (data release): considers post-release scenarios
| Terminology | Definition | Properties |
|---|---|---|
| Unlinkability | Not being able to distinguish whether 2 IOIs are related | Hiding the link between two or more actions, identities, and pieces of information |
| Anonymity | Not being able to identify the subject within a set of subjects | Unlinkability and anonymity are related: if an IOI and a subject are unlinkable, the subject is anonymous w.r.t. the IOI; subject anonymity; recipient anonymity |
| Pseudonymity | Use of pseudonyms as identifiers, i.e. an identifier of a subject other than one of the subject's real names | |
| Plausible Deniability | The ability to deny having performed an action that other parties can neither confirm nor contradict; being able to repudiate having performed an action | Complementary to non-repudiation; non-repudiation and plausible deniability are mutually exclusive |
| Undetectability | Not being able to sufficiently distinguish whether an IOI exists or not | |
| Unobservability | Undetectability of the IOI against all subjects uninvolved in it, and anonymity of the subject(s) involved in the IOI even against the other subject(s) involved in that IOI | Unobservability = undetectability + anonymity; sender unobservability; recipient unobservability; relationship unobservability |
| Confidentiality | Authorised restrictions on information access and disclosure | |
| Awareness | Being conscious about the consequences of sharing PII | |
| Compliance | Following regulations and internal business policies | |
- Solove's taxonomy
* Information collection: surveillance and interrogation
* Information processing: aggregation, identification, insecurity, secondary use and exclusion
* Information dissemination: breach of confidentiality, disclosure, exposure, increased accessibility, appropriation and distortion
* Invasion: intrusion and decisional interference
- FIPPs (Fair Information Practice Principles) taxonomy
* Notice / Awareness: customers should be informed before collecting PII
* Choice / Consent: customers must be able to choose how their PII will be used
* Access / Participation: users should be able to access PII
* Integrity / security: data should be accurate and secure
- Privacy by Design
* Proactive not reactive; preventative not remedial
* Privacy as default setting
* Privacy embedded into design
* Full functionality - positive sum, not zero-sum
* End-to-end security - full lifecycle protection
* Visibility and transparency - keep it open
* Respect for user privacy - keep it user-centric
https://www.techopedia.com/definition/24954/internet-privacy
2. LINDDUN
(Linkability / Identifiability / Non-Repudiation / Detectability / Disclosure of information / Unawareness / Non-Compliance)
A methodology to help software engineers with limited privacy expertise introduce privacy early in the SDLC
1) Define DFDs (Data Flow Diagrams)
2) Map privacy threats to DFD elements
| Threat | Privacy Property | Definition |
|---|---|---|
| Linkability | Unlinkability | Distinguish whether 2 IOIs are related |
| Identifiability | Anonymity, Pseudonymity | Pinpoint the identity of a subject |
| Non-Repudiation | Plausible Deniability | Gather evidence so that a party cannot deny having performed an action |
| Detectability | Undetectability | Distinguish whether an item of interest exists |
| Disclosure of information | Confidentiality | Exposing information to someone not authorised to see it |
| Unawareness | Awareness | The user is unaware of which information is being provided to the system and of its consequences |
| Non-Compliance | Compliance | The system is not compliant with data protection legislation |
| DFD element | L | I | N | D | D | U | N |
|---|---|---|---|---|---|---|---|
| External Entity | X | X | X | | | | |
| Process | X | X | X | X | X | X | |
| Data Store | X | X | X | X | X | X | |
| Data Flow | X | X | X | X | X | X | |
- Assumptions: When adding DFD elements, the number of threats grows exponentially
=> Assumptions are explicit or implicit choices to trust an element of the software to behave as expected
3) Identify threat scenarios
- For each potential threat denoted by an "X" placed in the mapping table identify a concrete threat
- Use the LINDDUN Privacy Threat Tree Catalog
4) Prioritise Privacy Threats
- Risk level given by the combination of likelihood and impact
5) Elicit mitigation strategies
- Use the mapping table that links mitigation strategies and LINDDUN threat trees
6) Select corresponding PETs (Privacy Enhancing Techniques)
https://sites.google.com/site/linddunstudy/
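Steps 2 to 4 above (map threats to DFD elements, write concrete scenarios, rank them by likelihood x impact) carried out in code, as an added example that is not part of these notes or of the LINDDUN project. The DFD, the scenarios, their scores and the trusted "assumption" pairs are all constructed for illustration; the element/threat mapping is transcribed from the table above.

```python
# Added example (not from the notes or the LINDDUN project): LINDDUN steps 2-4
# over a constructed DFD, using the element/threat mapping table from the notes.

THREATS = ["Linkability", "Identifiability", "Non-repudiation", "Detectability",
           "Disclosure of information", "Unawareness", "Non-compliance"]

# Step 2 mapping table, transcribed from the table in these notes.
MAPPING = {
    "external_entity": {"Linkability", "Identifiability", "Non-repudiation"},
    "process": set(THREATS) - {"Non-compliance"},
    "data_store": set(THREATS) - {"Non-compliance"},
    "data_flow": set(THREATS) - {"Non-compliance"},
}

# Step 1: constructed DFD of a hypothetical web application (element name, element type).
DFD = [
    ("user", "external_entity"),
    ("web frontend", "process"),
    ("user DB", "data_store"),
    ("user -> web frontend", "data_flow"),
    ("web frontend -> user DB", "data_flow"),
]

# Step 3: constructed concrete scenarios, each scored for likelihood and impact (1-5).
SCENARIOS = [
    {"element": "user DB", "threat": "Disclosure of information",
     "scenario": "stored PII readable without authorisation", "likelihood": 3, "impact": 5},
    {"element": "user -> web frontend", "threat": "Linkability",
     "scenario": "persistent identifiers link separate visits", "likelihood": 4, "impact": 3},
    {"element": "web frontend", "threat": "Unawareness",
     "scenario": "form does not state which PII is collected", "likelihood": 4, "impact": 2},
]


def map_threats(dfd, assumptions=()):
    """Step 2: every (element, threat) pair marked X in the mapping table.
    An assumption is an (element, threat) pair the team explicitly trusts; it is pruned."""
    trusted = set(assumptions)
    return [(name, t) for name, kind in dfd for t in THREATS
            if t in MAPPING[kind] and (name, t) not in trusted]


def prioritise(dfd, scenarios, assumptions=()):
    """Step 4: keep scenarios whose pair survived step 2, rank by risk = likelihood x impact."""
    candidates = set(map_threats(dfd, assumptions))
    ranked = [(s["likelihood"] * s["impact"], s["element"], s["threat"], s["scenario"])
              for s in scenarios if (s["element"], s["threat"]) in candidates]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    print(f"{len(map_threats(DFD))} candidate (element, threat) pairs before assumptions")
    for risk, element, threat, text in prioritise(DFD, SCENARIOS):
        print(f"{risk:2d}  {element:25s} {threat:26s} {text}")
```

Recording an assumption as a trusted pair (for example, treating the frontend-to-DB flow as safe from disclosure because it never leaves a controlled network) removes it from the candidate list, which is how the threat count is kept from growing with every added DFD element.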