Section 20.2. Security and Privacy Frameworks


Before I introduce the Privacy Space Framework, let's examine some of the other frameworks that served as a basis for this effort.

20.2.1. Codes of Fair Information Practice

Since the 1970s, the guidelines for Fair Information Practice (FIP) have been used as a basis for talking about privacy and ethical data usage. The first code was developed by the U.S. Department of Health, Education, and Welfare[13] in 1973. That code lays down seven basic principles, listed in Table 20-1.[14] Variations on this code represent the most common type of privacy guidelines in use today. In 1980, for example, a code known as the OECD principles[15] was devised to help standardize information-handling practices in international trade.

[13] HEW, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens (HEW Report), U.S. Department of Health, Education, and Welfare, 1973.

[14] Ibid.

[15] OECD, "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" (1980).

Table 20-1. Principles of Fair Information Practice (principle: description)

Openness: The existence of record-keeping systems and databanks that contain personal data must be publicly known, along with a description of the main purpose and uses of the data.

Individual participation: Individuals should have a right to view all information that is collected about them; they must also be able to correct or remove data that is not timely, accurate, relevant, or complete.

Collection limitation: There should exist limits to the collection of personal data; data should be collected by lawful and fair means and should be collected, where appropriate, with the knowledge or consent of the subject.

Data quality: Personal data should be relevant to the purposes for which it is collected and used; personal data should be accurate, complete, and timely.

Finality: There should be limits to the use and disclosure of personal data. Data should be used only for purposes specified at the time of collection; data should not be otherwise disclosed without the consent of the data subject or other legal authority.

Security: Personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification, or disclosure.

Accountability: Record keepers should be accountable for complying with fair information practices.


The primary drawback of using any code of fair information practice for studying the privacy space is that none of them are particularly user centered. The codes and categories deal with contractual agreements, and not with the actual solutions that may be implemented on the user's computer.

Fair Information Practice does little to enhance our understanding of the privacy space as viewed by the user, because the features examined in my study did not involve actual agreements between a data provider and a data collector.

20.2.2. The ISTPA Privacy Framework

A more recent privacy framework is the International Security, Trust & Privacy Alliance (ISTPA) Privacy Framework, version 1.1.[16] The intent of the ISTPA is to build a global alliance of businesses and technology providers. Their goal is to perform research and evaluation of privacy standards, tools, and technologies and to try to set new standards for information handling. Their framework serves as an objective guideline or template for developing solutions to corporate privacy issues (especially for corporations that have an interest in actively amassing sensitive personal data for use as a commodity). The ISTPA creates a means for assessing the completeness of proposed data-handling systems. The goal is to be able to account for personal information (PI) throughout its life cycle while provably adhering to the agreements under which it was collected, even if that information changes hands many times.

[16] ISTPA, "ISTPA Privacy Framework," International Security & Privacy Trust Alliance (2002).

The ISTPA Privacy Framework identifies the services and capabilities listed in Table 20-2.[17]

[17] Ibid.

Table 20-2. The ISTPA Privacy Framework (service or capability: description)

Audit: Handles the recording and maintenance of events in any service to capture the data that is necessary to ensure compliance with the terms and policies of an agreement and any applicable regulations.

Certification: Manages and validates the credentials of any party or process involved in processing of a PI transaction.

Control: Functions as "repository gatekeeper" to ensure that access to PI that is stored by a data collection entity complies with the terms and policies of an agreement and any applicable regulations.

Enforcement: Handles redress when a data collection entity is not in conformance with the terms and policies of an agreement and any applicable regulations.

Interaction: Presents proposed agreements from a data collection entity to the data subject; receives the subject's personal information, preferences, and actions; confirms actions; manages movement of data into and out of the framework. To the extent that the data subject is represented by an agent, this service comprises the interface to the agent.

Negotiation: Handles arbitration of a proposal between a data collection entity and a data subject. Successful negotiation results in an agreement. Humans, agents, or any combination can handle negotiations.

Validation (capability): Checks for the accuracy of PI at any point in its life cycle.

Agent (capability): Allows the data subject both to access the individual's PI that is held by a data collection entity, and to correct or update it as necessary.

Usage (capability): Functions as a "processing monitor" to ensure that active use of PI complies with the terms and policies of an agreement and any applicable regulations. Such uses may include transfer, derivation, aggregation, pseudo-anonymization, linking, and inference of data.


While some of the categories shown in the table are based on the same code of FIP already discussed, the ISTPA Privacy Framework is designed for the very specific purpose of creating an auditable system so that companies and organizations can collect and manage people's personal information while adhering to whatever data-handling regulations have been imposed upon them. This privacy framework is designed to help companies fend off legal challenges by showing that they have made a good-faith attempt to uphold their obligations and agreements in an untidy global regulatory environment. Similar to the codes of FIP, the ISTPA Privacy Framework is not a user-centric approach; it is a crisp system for creating formal specifications to promote trustworthy handling of sensitive data.
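As an added illustration (not code from the book, from ISTPA, or from any product), the sketch below models the FIP collection-limitation and finality principles from Table 20-1 as enforced by the ISTPA Control service from Table 20-2, with every decision recorded by the Audit service. The Agreement and PIRepository classes and the scenario data are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Agreement:  # terms a PI record was collected under (hypothetical structure)
    subject: str
    purposes: frozenset    # uses the data subject consented to at collection
    recipients: frozenset  # parties allowed to receive the data
    consent_given: bool = True

@dataclass
class PIRepository:  # holds PI together with its agreement; logs every decision
    records: dict = field(default_factory=dict)    # subject -> (data, agreement)
    audit_log: list = field(default_factory=list)  # ISTPA Audit service

    def _audit(self, event, subject, requester, purpose, outcome):
        self.audit_log.append({"event": event, "subject": subject, "requester":
                               requester, "purpose": purpose, "outcome": outcome})

    def store(self, data, agreement):
        # FIP collection limitation: collect only with the subject's consent.
        if not agreement.consent_given:
            self._audit("store", agreement.subject, None, None, "DENIED consent")
            return False
        self.records[agreement.subject] = (data, agreement)
        self._audit("store", agreement.subject, None, None, "OK")
        return True

    def access(self, subject, requester, purpose):
        # ISTPA Control gatekeeper: check the request against the collection agreement.
        entry = self.records.get(subject)
        if entry is None:
            self._audit("access", subject, requester, purpose, "DENIED unknown")
            return None
        data, agreement = entry
        if requester not in agreement.recipients:
            self._audit("access", subject, requester, purpose, "DENIED recipient")
            return None
        if purpose not in agreement.purposes:  # FIP finality: stated purposes only
            self._audit("access", subject, requester, purpose, "DENIED purpose")
            return None
        self._audit("access", subject, requester, purpose, "OK")
        return data

def demo():  # constructed scenario: one subject, one agreement, three requests
    repo = PIRepository()
    terms = Agreement("alice", frozenset({"billing"}), frozenset({"accounting"}))
    repo.store({"card": "[constructed]"}, terms)
    reqs = [("accounting", "billing"), ("marketing", "billing"), ("accounting", "analytics")]
    return [repo.access("alice", r, p) for r, p in reqs], [e["outcome"] for e in repo.audit_log]
```

Only the first request matches both the recipient and the purpose fixed at collection time; the other two are refused and the refusals appear in the audit trail alongside the grant.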

20.2.3. Schneier's Security Processes Framework

The last framework we will examine is based on a discussion in Schneier,[18] which we refer to as the Security Processes Framework.

[18] Bruce Schneier, Secrets & Lies (New York: John Wiley & Sons, Inc., 2002).

In the early 1990s, Bruce Schneier was best known as an author and researcher in the field of cryptography. But after spending years educating people about cryptography, Schneier had an epiphany: "People are erratic, capricious, and barely comprehensible." Even the strongest cryptography was no match for a person who misused it.

Schneier proceeded to take a more human-centered approach to the problem of security and quickly realized that security is a process rather than a product. He went on to describe four security processes, summarized in Table 20-3. The security processes deal with prevention, detection, response, and recovery; they focus on "attacks" from the outside, but also deal with introspective matters. Schneier has the beginnings of a truly user-oriented approach to security, but in my opinion, he still concentrates too much on an "outside looking in" perspective.

Table 20-3. Security Processes Framework (security process: description/notes)

Prevent attacks: Prevention is the obvious first step, and digital security tends to rely wholly on prevention via cryptography, firewalls, and so forth. A prevention-only strategy can work if the prevention mechanisms are perfect and cannot be circumvented. The best prevention follows these principles: secure the weakest link; use choke points; compartmentalize information; use defense in depth; fail securely; leverage unpredictability; embrace simplicity; enlist the users; assure (audit); and question anomalies.

Detect attacks: Detection logically follows prevention because it is fundamentally impossible to prevent all attacks. On the Internet, detection can be a lot of work. A simple form of detection involves reading, understanding, and interpreting audit logs. The goal is to locate intruders in as close to real time as possible.

Respond to attacks: Response goes hand in hand with detection. If there is no response, then there is no reason to bother with detection. Response involves making the problem stop as well as tracking down and locating the culprits.

Recover from attacks: Recovering means fixing a problem after the bad guys are gone. This can mean patching the exploited code or cutting your losses and rebuilding a system from scratch.


20.2.4. The Privacy Space Framework

The Privacy Space Framework, consisting of the five categories listed in Table 20-4, is based upon the Security Processes Framework described in the previous section. Note that four of the five categories (all but Awareness) are based on work by Schneier.[19] Borrowing from this well-conceived work serves our purposes and offers a firm starting point from which to work. However, the Privacy Space Framework attempts to classify the user experience and further understand the features of privacy solutions. While the category names are based on Schneier's work, the definitions have been modified to be more focused on user behaviors relating to privacy rather than security.

[19] Ibid.

Table 20-4. Privacy Space Framework (category: description)

Awareness: Anything that conveys information without requiring the user to act. Awareness features are informative and help you monitor what is going on.

Detection: Tools or features that scan or actively look for potential problems. Often, detection tools are always running in the background; a virus scanner is a common detection tool that looks for malware and for certain dangerous operations being performed in memory.

Prevention: A feature or tool that is used as a precaution. Encryption or digital signatures are preventative in nature. Secure deletion of electronic documents is a good example of a preventative feature.

Response: Taking action after a problem has been detected is a response. Examples of responses include canceling your credit card after it has been stolen, and blocking incoming network traffic from certain IP addresses.

Recovery: Features and tools that help you get back to normal. Examples of recovery include restoring to the last known good state, patching bugs that allowed intruders to gain unauthorized access, and reinstalling corrupted files.


Now that I have introduced the Privacy Space Framework, let's move on to discuss the research that led to its creation and continued development.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295