Privacy: Accountability and Enforceability

1
Privacy: Accountability and Enforceability
  • Jamie Yoo
  • April 11, 2006
  • CPSC 457 Sensitive Information in a Wired World

2
Control of Personal Information
  • Basic Problem
  • Data subject lacks control of sensitive
    information after initial disclosure
  • Organizations lack control of the information
    that they manage once they disclose it to third
    parties

3
Fair Information Practice Principles (OECD, 1980)
  • Collection limitation
  • Data quality
  • Security safeguards
  • Openness
  • Purpose specification
  • Use limitation
  • Individual participation
  • Accountability

4
Fair Information Practice Principles are guiding
principles, not law.
  • Problem: companies claim to follow the fair
    information practice principles, but the degree of
    implementation varies from company to company.

5
Example: Data Resellers
6
Data Resellers (Brokers)
  • Information resellers are businesses that collect
    and aggregate personal information from multiple
    sources and make it available to their customers.

7
Collection Limitation
Privacy Problems
  • Information Resellers Generally Do Not Limit Data
    Collection to Specific Purposes and Do Not Notify
    Data Subjects

8
Collection Limitation Problem
  • Resellers are limited only by laws that apply to
    specific kinds of information.
  • Otherwise, resellers aggregate unrestricted
    amounts of personal information.
  • No provisions are made to notify data subjects
    when a reseller obtains their personal data.
  • Individuals are not given an opportunity to
    express or withhold consent, because resellers
    often have no direct relationship with the data
    subjects.
  • Some resellers offer an opt-out, but usually only
    for specific types of data and under specific
    conditions.

9
Data Quality
Privacy Problems
  • Information Resellers Do Not Ensure That Personal
    Information They Provide is Accurate for Specific
    Purposes

10
Data Quality Problem
  • No standard mechanism for verifying the accuracy
    of the data obtained
  • Some privacy policies state that resellers expect
    their data to contain some errors
  • Policies for correcting data found to be inaccurate
    vary from reseller to reseller
  • Because they are not the original source of the
    personal information, information resellers
    generally direct individuals to the original
    sources to correct any errors.
  • Accuracy is also relative to purpose: data that is
    perfectly adequate for one purpose may not be
    precise enough or appropriate for another.

11
Purpose Specification
Privacy Problems
  • Information Resellers' Specification of the
    Purpose of Data Collection Consists of Broad
    Descriptions of Business Categories

12
Purpose Specification Problem
  • Information resellers specify purpose in a broad,
    general way by describing the types of businesses
    that use their data.
  • They generally do not designate specific intended
    uses for each of their data collections.
  • Generally, resellers obtain information that has
    already been collected for a specific purpose and
    make that information available to their
    customers, who in turn have a much broader
    variety of purposes for using it.

13
Accountability
Privacy Problems
  • Often, data subjects do not even know that data
    resellers are selling their personal information,
    so accountability from an individual data
    subject's standpoint is less than ideal.

14
Problems with Current Solutions
15
Limitations of Legislation
  • Either too broad or too specific
  • Slow to change
  • Difficult to enforce, especially across borders

16
Limitations of the FTC
  • The Commission prosecutes unfair and deceptive
    practices.
  • However, an FTC investigation is usually triggered
    by letters from consumers or businesses,
    Congressional inquiries, or articles on consumer or
    economic subjects.
  • Unfortunately, data subjects are often not even
    aware of privacy violations, especially since they
    are usually unaware of specific instances of
    disclosure by authorized data recipients to third
    parties, so the complaints that would trigger an
    investigation are never filed.

17
P3P
  • P3P (Platform for Privacy Preferences) is a
    structured privacy-policy specification language
    that lets an organization state its website privacy
    practices in a machine-readable (XML) format.
  • A P3P policy expresses the privacy practices for the
    page or pages it governs: what information is
    collected on those pages, the purposes of that
    collection, the recipients of the information, and
    how long the information is retained.
  • The browser/user agent checks the policy against
    user-specified preferences to determine whether the
    organization's stated practices are acceptable to
    the user.
  • The user agent then allows the page to load, blocks
    it, or notifies the user that the site does not (or
    may not) comply with the user's preset preferences.
  • Limitations: the user agent can only compare what
    the site claims; nothing in P3P verifies that the
    site actually behaves as its policy states. And
    after the initial disclosure of personal
    information, the user has no mechanism for
    enforcement.
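As an added example (not part of the original slides), the user-agent check described above in Python: it parses a constructed P3P 1.0 policy with the standard library and compares each statement's purpose, recipient and retention tokens against constructed user preferences. The element and token names follow the P3P 1.0 vocabulary; the sample policy, the preferences, the shop name and URL, and the load/warn/block mapping are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed P3P 1.0 policy for a hypothetical shop: the first statement covers
# order handling, the second hands e-mail addresses to unrelated parties and
# keeps them indefinitely.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="shop" discuri="https://shop.example/privacy">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Shop</DATA></DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><current/><admin/></PURPOSE>
   <RECIPIENT><ours/><delivery/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#user.name"/><DATA ref="#user.home-info.postal"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><contact/><telemarketing/></PURPOSE>
   <RECIPIENT><unrelated/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""

# Constructed user preferences: practices the user refuses to accept.
USER_PREFERENCES = {
    "refuse_purposes": {"telemarketing", "individual-decision"},
    "refuse_recipients": {"unrelated", "public"},
    "refuse_retention": {"indefinitely"},
}

def _tokens(statement, element):
    """Child element names of e.g. <PURPOSE> as a set of P3P tokens ('current', 'admin', ...)."""
    group = statement.find(P3P_NS + element)
    return {child.tag[len(P3P_NS):] for child in group} if group is not None else set()

def parse_statements(policy_xml):
    """Flatten each STATEMENT into the tokens a user agent compares against preferences."""
    root = ET.fromstring(policy_xml)
    return [{"purposes": _tokens(st, "PURPOSE"),
             "recipients": _tokens(st, "RECIPIENT"),
             "retention": _tokens(st, "RETENTION"),
             "data": [d.get("ref") for d in st.iter(P3P_NS + "DATA")]}
            for st in root.iter(P3P_NS + "STATEMENT")]

def check_policy(policy_xml, prefs):
    """The user-agent decision from the slide: 'load', 'block', or 'warn'. A refused
    purpose or recipient blocks the page; a retention conflict alone only warns
    (that split is an assumption of this example, not a P3P rule)."""
    conflicts = []
    for st in parse_statements(policy_xml):
        for kind in ("purposes", "recipients", "retention"):
            hits = st[kind] & prefs["refuse_" + kind]
            if hits:
                conflicts.append((kind, sorted(hits), st["data"]))
    if any(kind != "retention" for kind, _, _ in conflicts):
        return "block", conflicts
    return ("warn" if conflicts else "load"), conflicts
```

Running check_policy on the sample policy yields "block", with the second statement's telemarketing purpose, unrelated recipient and indefinite retention listed as the conflicts and the e-mail data reference attached to each. The check inspects only what the site declares; as the slide notes, nothing here or in P3P verifies that the site's actual data handling matches the statement.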

18
Enterprise Privacy Authorization Language (EPAL)
  • Interoperability language for exchanging privacy
    policy in a structured format between
    applications/enterprises
  • Access-centric
  • Based on strong associations of fine-grained
    privacy policies with the data they govern (sticky
    policies)
  • An EPAL policy defines lists, some hierarchical, of:
    • Data categories
    • User categories
    • Purposes
    • Actions
    • Obligations
    • Conditions
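An added example, not the deck's own slide 19 rule and not EPAL's XML syntax: a small Python model of the vocabulary listed above. Each rule names a user category, action, data category and purpose, may carry a condition on the request context and obligations that travel with an allow, and categories are hierarchical so a rule written for a parent covers its descendants. The vocabulary, the policy rules, and the first-applicable-rule-with-default-ruling semantics are assumptions made for this model.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Category hierarchies (child -> parent). A rule on a parent applies to every
# descendant, e.g. a rule on purpose "marketing" also covers "marketing/email".
# All names are constructed for this example.
USER_CATEGORIES = {"employee": None, "employee/nurse": "employee",
                   "employee/sales": "employee", "third-party": None}
DATA_CATEGORIES = {"contact": None, "contact/email": "contact",
                   "contact/phone": "contact", "medical": None}
PURPOSES = {"treatment": None, "service": None,
            "marketing": None, "marketing/email": "marketing"}

def lineage(category, hierarchy):
    """The category itself followed by each of its ancestors, most specific first."""
    while category is not None:
        yield category
        category = hierarchy.get(category)

@dataclass
class Rule:
    id: str
    ruling: str                                          # "allow" or "deny"
    user: str
    action: str
    data: str
    purpose: str
    condition: Optional[Callable[[dict], bool]] = None   # evaluated on the request context
    obligations: list = field(default_factory=list)      # duties that travel with an allow

@dataclass
class Request:
    user: str
    action: str
    data: str
    purpose: str
    context: dict = field(default_factory=dict)

def applies(rule, req):
    """A rule applies when each request category is the rule's category or a
    descendant of it, the action matches, and the condition (if any) holds."""
    return (rule.user in lineage(req.user, USER_CATEGORIES)
            and rule.action == req.action
            and rule.data in lineage(req.data, DATA_CATEGORIES)
            and rule.purpose in lineage(req.purpose, PURPOSES)
            and (rule.condition is None or rule.condition(req.context)))

def evaluate(policy, req, default_ruling="deny"):
    """Rules are tried in precedence order and the first applicable one decides
    (assumed semantics for this model). Returns (ruling, rule id, obligations)."""
    for rule in policy:
        if applies(rule, req):
            return rule.ruling, rule.id, list(rule.obligations)
    return default_ruling, None, []

# Constructed policy for a hypothetical hospital that also sends a newsletter.
POLICY = [
    Rule("r1", "deny", "third-party", "read", "contact", "marketing"),
    Rule("r2", "allow", "employee/nurse", "read", "medical", "treatment",
         obligations=["log-access"]),
    Rule("r3", "allow", "employee/sales", "read", "contact/email", "marketing/email",
         condition=lambda ctx: ctx.get("consent") is True,
         obligations=["include-opt-out-link"]),
]
```

Evaluating a third party reading a phone number for e-mail marketing hits r1 through both hierarchies (contact/phone is under contact, marketing/email under marketing); a sales employee reading an e-mail address for e-mail marketing is allowed by r3 only when the context records consent, and otherwise falls to the default deny; a generic "employee" request does not inherit the nurse's rule, since lineage runs upward, not downward. Note that the engine only answers the access question; it has no way to make the recipient honor the returned obligations, which is the "more than authorization" point raised on the Issues slide.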

19
Example of EPAL Rule
20
Current Usage Scenario
The consumer bases her decision on the announced P3P
policy, which is not formally related to the operative
EPAL policy.
21
Issues
  • Privacy promises made without a mechanism for
    enforcement
  • The stickiness of policies is not enforceable
  • Too much trust in the enterprise
  • Leaks can still happen
  • Minimal user involvement (no negotiation)
  • Privacy management is more than authorization

22
Recommendation
23
Third-Party Auditor: Tracing and Auditing Data
  • A trusted third party provides a mechanism for
    auditing/logging each disclosure
  • Manages and records the release of data (encryption)
  • Validates that the recipient's environment adheres
    to the privacy policy
  • Creates a paper trail
  • Legislation to prosecute privacy violations
  • In particular, legislation regulating the data
    brokering industry (e.g., requiring deletion/renewal
    of data after x years)
  • Auditing should help with prosecution

24
Suggested Scenario
[Diagram, not recoverable as text. Parties: Data Subject,
Enterprise 1, Enterprise 2, Trust Auditing and Tracing
Authority. Labels: Personal Data (encrypted), Privacy
Policies (EPAL rules), Decryption Key.]
25
Details
  • Identity-based encryption: the data sender encrypts
    the data package (data + privacy policy); the
    trusted auditing authority provides decryption keys
    only to a verified data recipient
  • Trusted computing, with requirements defined by the
    auditor, could be used to ensure that the
    recipient's environment adheres to the privacy
    policy
  • Would allow for greater stickiness of policies to
    data (tamper-proof data tags)
  • Privacy policy rules (e.g., expiration date)
  • Digital signatures to indicate where the data came
    from (a third party or directly from the user)
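An added example, not from the deck, that simulates the recommendation on slides 23 to 25 in Python using only the standard library. Every building block is a stand-in and an assumption of this example: an HMAC-SHA256 counter-mode stream cipher in place of identity-based encryption, the auditor holding escrowed content keys in place of IBE key extraction, an HMAC in place of the origin digital signature, a fixed string in place of a trusted-computing measurement, and a hash-chained list as the audit trail. All party names, policy fields and values are constructed.

```python
import hashlib, hmac, json, secrets

def canonical(obj):
    """Deterministic JSON so a policy or log record hashes the same way on every side."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: a toy cipher standing in for IBE.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _subkeys(content_key):  # separate encryption and MAC keys from one content key
    return tuple(hmac.new(content_key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def _bound(package):  # bytes the sticky tag and origin signature cover: nonce, ciphertext, policy
    return bytes.fromhex(package["nonce"]) + bytes.fromhex(package["ciphertext"]) + canonical(package["policy"])

def seal_package(data, policy, origin_key, origin):
    """Sender: encrypt, bind policy to ciphertext with a MAC (the tamper-proof data tag),
    add an origin signature (HMAC standing in for a digital signature)."""
    content_key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(content_key)
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    package = {"id": secrets.token_hex(8), "nonce": nonce.hex(), "ciphertext": ciphertext.hex(),
               "policy": policy, "origin": origin}
    package["tag"] = hmac.new(mac_key, _bound(package), hashlib.sha256).hexdigest()
    package["origin_sig"] = hmac.new(origin_key, _bound(package), hashlib.sha256).hexdigest()
    return package, content_key

def verify_origin(package, origin_key):
    expected = hmac.new(origin_key, _bound(package), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, package["origin_sig"])

def open_package(package, content_key):
    """Recipient: refuse to decrypt if the data or its attached policy was altered."""
    enc_key, mac_key = _subkeys(content_key)
    expected = hmac.new(mac_key, _bound(package), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        raise ValueError("data or sticky policy tampered with")
    ciphertext = bytes.fromhex(package["ciphertext"])
    keystream = _keystream(enc_key, bytes.fromhex(package["nonce"]), len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, keystream)), package["policy"]

class AuditingAuthority:
    """Escrows content keys (standing in for IBE key extraction), releases one only to a
    verified recipient whose environment measurement matches while the policy is still
    valid, and hash-chains every decision as the paper trail."""
    def __init__(self, verified):
        self.verified = verified  # recipient -> expected environment measurement (assumed attestation)
        self.escrow, self.log, self._prev = {}, [], "0" * 64

    def deposit(self, package, content_key):
        self.escrow[package["id"]] = (package["policy"], content_key)

    def _record(self, event):
        event = dict(event, prev=self._prev)
        event["hash"] = hashlib.sha256(canonical(event)).hexdigest()
        self._prev = event["hash"]
        self.log.append(event)

    def request_key(self, package_id, recipient, measurement, now):
        policy, key = self.escrow[package_id]
        checks = {"unverified-recipient-or-environment": self.verified.get(recipient) != measurement,
                  "recipient-not-in-policy": recipient not in policy["recipients"],
                  "policy-expired": now > policy["expires"]}
        reasons = [name for name, failed in checks.items() if failed]
        self._record({"package": package_id, "recipient": recipient, "time": now,
                      "decision": "refused" if reasons else "released", "reasons": reasons})
        return None if reasons else key

    def verify_log(self):
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def run_scenario():
    # Constructed values: one verified recipient, one policy that expires at time 2000.
    authority = AuditingAuthority({"enterprise-2": "env-measurement-A"})
    subject_key = secrets.token_bytes(32)
    policy = {"data": "contact/email", "purposes": ["service"], "recipients": ["enterprise-2"], "expires": 2000}
    package, content_key = seal_package(b"alice@example.org", policy, subject_key, "data-subject")
    authority.deposit(package, content_key)
    key = authority.request_key(package["id"], "enterprise-2", "env-measurement-A", now=1000)
    data, _ = open_package(package, key)
    tampered = dict(package, policy=dict(policy, purposes=["marketing"]))  # recipient widens the purpose
    try:
        open_package(tampered, key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    refused_unverified = authority.request_key(package["id"], "enterprise-3", "env-measurement-A", now=1000)
    refused_expired = authority.request_key(package["id"], "enterprise-2", "env-measurement-A", now=3000)
    return {"data": data, "tamper_detected": tamper_detected, "origin_ok": verify_origin(package, subject_key),
            "refused_unverified": refused_unverified, "refused_expired": refused_expired,
            "log": authority.log, "log_ok": authority.verify_log()}
```

What the run shows: the key is released only to a registered recipient whose measurement matches and whose policy has not expired; every request, refused or not, lands in the chained log, so later edits to the trail are detectable; and because the tag covers the policy together with the ciphertext, a recipient that edits the policy (here, widening "service" to "marketing") can no longer open the package. What it does not show is the deck's own caveat: once the recipient holds the plaintext, nothing technical prevents onward disclosure, which is why the slides pair auditing with legislation.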

26
Limitations
  • Difficult to build a trusted network of this type
  • The inherent technical difficulty of representing
    privacy policies as machine-readable code remains
  • E.g., a very large number of EPAL rules is required
    to implement HIPAA, which makes such a policy
    difficult to implement as well as to maintain
  • The future of Trusted Computing is unknown
  • Regardless of technical solutions, there must be
    legislative enforcement to encourage this type of
    rigorous auditing and to prosecute violations