On the toxicity of personal data - PowerPoint PPT Presentation

Description:

Telephone reverse trace. 40. 75. Friends and Family. 60 80 ... Ex-directory search. 40. 65 75. Mobile phone account. not known. 750. Licence check ...

Slides: 8
Provided by: ianb6
Transcript and Presenter's Notes

1
On the toxicity of personal data
  • Dr Ian Brown
  • Oxford Internet Institute
  • University of Oxford

2
Individuals hit by UK data breaches since July 2006
3
Measuring system security requirements
  • Scale and complexity
  • Number of users
  • Sensitivity of data
  • Connections to other systems, particularly less
    trusted ones, including the Internet
  • Attractiveness as target

Source: B. R. Gladman and I. Brown (2007) Security, Safety and the National Identity Register. In S. G. Davies and I. Hosein (eds), The Identity Project: an assessment of the UK Identity Cards Bill and its implications, London School of Economics, pp. 187-200.
4
Key privacy engineering steps
  • Understand your problem
  • Design system to minimise collection, storage and
    access to personally identifiable information
  • Engineer security system to enforce privacy
    policies
  • Enforce controls and audit remaining accesses

Source: S. Marsh, I. Brown and F. Khaki (2008) Privacy Engineering. Cybersecurity KTN white paper
5
Software quality
  • Prof. Martyn Thomas: "almost every IT supplier in
    the world today is incompetent the typical rate
    of delivered faults after full user acceptance
    testing from the main suppliers in the industry
    over many years has been steady at around 20
    faults per thousand lines of code. We know how to
    deliver software with a fault rate that is down
    around 0.1 faults per thousand lines of code and
    the industry does not adopt these techniques."
    Evidence to Home Affairs Select Committee,
    24/2/2004

6
Insider fraud
Source: What price privacy?, Information Commissioner, May 2006
7
Government data sinks
  • If data can be collected about individuals, there
    will be government pressure to store and access
    that information
  • E.g. PATRIOT Act National Security Letters, NSA
    activities within the US, EU data retention
    directive, National DNA Database
  • Data minimisation is a key requirement for
    privacy in this legislative environment
  • Encryption is no protection if governments can
    compel decryption