E-Commerce Barriers in a Networked World

Transcript of a PowerPoint presentation (original file title: "The Success of E-Commerce May Hinge on a Fundamental Human Right, Privacy: How to Deliver"; author: IPC; last modified by Christine Floros).

1
E-Commerce Barriers in a Networked World
  • Mike Gurski
  • Senior Policy Technology Advisor
  • Information Privacy Commission,
  • Ontario Canada
  • CITO
  • October 10 - 11, 2001

2
What the Experts Say
  • "Lack of privacy holding back e-commerce; FTC
    holds hearings." (Business Wire)
  • "90 percent of Web sites fail to comply with
    basic privacy principles." (Washington Post)
  • "Due to consumers' privacy concerns, e-commerce
    companies lost some 2.8 billion last year."
    (Forrester Research)

3
When Things Go Wrong
  • Privacy lawsuits and disasters
  • DoubleClick
  • Intel Pentium III
  • RealNetworks
  • Microsoft Hotmail
  • Amazon/Alexa
  • CD Universe
  • Look Communications
  • Toysmart

4
The Beginning of the Privacy Revolution
  • "Anyone today who thinks the privacy issue has
    peaked is greatly mistaken."
  • Forrester Research, March 5, 2001
  • "It doesn't take much for people to get really
    concerned about a particular company's privacy
    practices."
  • Johnathan Gaw, IDC Corp., March 29, 2001

5
The Threats to Privacy
  • Big Brother: surveillance, control, no private
    space
  • The Trial: fractured personal data held by
    uncaring, unknowing authorities
  • The Matrix: technology designs society's
    perceived reality for its own ends
  • Commodification of Human Relationships: life as
    the ultimate shopping experience

6
Enumerating the Barriers
  • Risk of economic injury: identity theft,
    unauthorised use of credit card information
  • Unwanted intrusions: phone calls, computer-based
    spam

7
Privacy Drivers
  • Large organizations disconnected from clients,
    gathering detailed data
  • Increasing amounts of personal data held,
    consolidated and used
  • New privacy-invasive technologies
  • Application to humans of a technology paradigm
    geared to manufactured goods

8
Privacy Defined: Think Use
  • Informational Privacy (Data Protection)
  • Personal control over the collection, use and
    disclosure of any recorded information about an
    identifiable individual
  • The organisation's responsibility for data
    protection and safeguarding personal information
    in its custody or control

9
Security ≠ Privacy
10
Privacy and Security: The Difference
  • Security: Authentication, Data Integrity,
    Confidentiality, Non-repudiation
  • Privacy: Data Protection
    (Fair Information Practices)

11
Fair Information Practices
  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Accuracy
  • Safeguards
  • Openness
  • Individual Access
  • Limiting Use, Disclosure, Retention
  • Challenging Compliance

12
Privacy By Design: Build It In
  • Build in privacy up front, right in the design
    specifications.
  • Minimize the collection and routine use of
    personally identifiable information; use
    aggregate or coded information where possible.
  • Wherever possible, encrypt; implement anonymity
    and pseudonymity.
  • Assess the risks to privacy: conduct a privacy
    impact assessment or privacy audit.
  • Develop a corporate culture of privacy.

13
What to Do About Privacy
  • The Tools
  • Privacy Design Principles
  • Technology Design Principles
  • Privacy Impact Assessment Guide
  • Privacy Architecture and the Privacy Architect
  • Privacy Enhancing Technologies
  • Privacy Diagnostic Tool

14
Privacy Design Principles
  • An Example
  • Personal data should not be used or disclosed for
    purposes other than those specified in accordance
    with Principle 1 except:
  • a) with the consent of the data subject, b) by
    the authority of law, or c) for the safety of
    the community, including victims and witnesses.
  • Generally, personal information should be
    retained as necessary, but its use must be
    limited to its original purpose for collection.
  • http://www.ipc.on.ca/english/pubpres/sum5Fpap/papers/designpr.htm

15
Technology Design Principle
  • An Example
  • Use Limitation Principle
  • Personal data should not be used or disclosed for
    purposes other than those specified
  • Technology Design Principle
  • Information systems must be designed to halt
    unauthorised use. That involves a protocol for
    tracking who accesses specific information and
    for what purposes. The circumstances of use need
    to be recorded and attached to the personal
    information record.

16
Privacy Impact Assessment
  • A tool developed by the provincial government to
    address privacy issues related to information
    systems
  • An example of questions under Use Limitation:
  • Is personal information used exclusively for the
    stated purposes and for uses that the average
    client would consider to be consistent with those
    purposes?
  • Are personal identifiers, such as the social
    insurance number, used for the purposes of
    linking across multiple databases?
  • Where data matching or profiling occurs, is it
    consistent with the stated purposes for which the
    personal information is collected?
  • Is there a record of use maintained for any use
    or disclosure not consistent with original stated
    purposes?
  • Is the record of use attached to the personal
    information record?
  • www.gov.on.ca/MBS/english/fip/pia/pianew.html
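The mechanism that the Technology Design Principle (slide 15) asks for, and that the last two PIA questions above check, is a record whose every use must name a purpose and whose record of use lives on the record itself. The following is an added worked example in Python; it is not code from the presentation or from the IPC. It applies the Use Limitation exceptions of slide 14 (consent, authority of law, safety) and refuses anything else, including a request from the system owner, which is the point slide 22 makes. The class and field names, the exception labels and the customer data are constructed for the illustration.

```python
"""Purpose-bound personal-information record with an attached record of use.

Added example; not code from the presentation or the IPC. Every access must
name a purpose. A purpose stated at collection is allowed and logged; any
other purpose is refused unless one of the three exceptions of the Use
Limitation principle applies (consent of the data subject, authority of law,
safety of the community), and every attempt, allowed or refused, is appended
to a record of use attached to the personal information record itself.
Field names, exception labels and the sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set

# The three exceptions on slide 14: a) consent, b) authority of law, c) safety.
EXCEPTIONS = ("consent", "law", "safety")


class UseLimitationError(PermissionError):
    """Use outside the stated purposes with no applicable exception."""


@dataclass
class UseRecord:
    when: str
    who: str
    purpose: str
    allowed: bool
    exception: Optional[str]  # exception claimed for an off-purpose use, if any


@dataclass
class PersonalRecord:
    subject_id: str
    purposes: FrozenSet[str]            # purposes identified at collection
    data: Dict[str, str]
    consented: Set[str] = field(default_factory=set)        # later consent to extra purposes
    use_log: List[UseRecord] = field(default_factory=list)  # the record of use, on the record

    def access(self, who: str, purpose: str, exception: Optional[str] = None) -> Dict[str, str]:
        """Release the data for `purpose`, or refuse; either way, log the attempt."""
        consistent = purpose in self.purposes
        if consistent:
            allowed, exception = True, None
        elif exception == "consent":
            allowed = purpose in self.consented       # consent must actually cover this purpose
        elif exception in EXCEPTIONS:
            allowed = True                            # authority of law / safety of the community
        else:
            allowed = False                           # includes any "owner override"
        self.use_log.append(UseRecord(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            who=who, purpose=purpose, allowed=allowed, exception=exception))
        if not allowed:
            raise UseLimitationError(f"{who}: purpose {purpose!r} is not stated for {self.subject_id}")
        return dict(self.data)   # a copy, so callers cannot alter the record through it

    def off_purpose_uses(self) -> List[UseRecord]:
        """The PIA question: the record of use for uses not consistent with stated purposes."""
        return [u for u in self.use_log if u.purpose not in self.purposes]


def demo() -> PersonalRecord:
    """Walk through the cases with a constructed customer record."""
    rec = PersonalRecord(
        subject_id="cust-0001",
        purposes=frozenset({"order_fulfilment", "billing"}),
        data={"name": "A. Example", "postal_code": "M5S 2V1"},
    )
    rec.access("shipping-service", "order_fulfilment")            # stated purpose: allowed
    try:
        rec.access("marketing-service", "marketing")               # not stated, no exception: refused
    except UseLimitationError:
        pass
    rec.consented.add("marketing")
    rec.access("marketing-service", "marketing", exception="consent")   # a): allowed, logged off-purpose
    rec.access("records-officer", "court_order", exception="law")       # b): allowed, logged off-purpose
    try:
        rec.access("system-owner", "analytics", exception="owner_override")  # owner is not the authority
    except UseLimitationError:
        pass
    return rec
```

Refused attempts are logged as well as allowed ones, because a PIA reviewer wants to see who tried to use the data for what, not only what succeeded; and the log is a field of the record rather than a separate system, so it travels with the data when the record is copied or disclosed.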

17
What is a Privacy Architect?
  • The person responsible for ensuring that the
    design of a given technology, system or process
    provides sufficient and appropriate protection of
    personal information
  • Courtesy of Peter J. Hope-Tindall, Chief Privacy
    Architect, dataPrivacy Partners Ltd.
    (pht@dataPrivacy.com)

18
Privacy Architect Functions
  • Identify and define privacy requirements
  • Explain privacy concepts to the key personnel
  • Analyze technological components and processes
  • Evaluate privacy risk characteristics
  • Make recommendations to decision-makers about
    balancing privacy interests

19
Privacy Architect - Deliverables
  • Develop a conceptual, logical and technical
    privacy architecture which is feasible,
    cost-effective, of acceptable technological risk,
    works within the given computer and security
    architectures and meets the organization's
    privacy needs and requirements

20
Privacy Architect's Areas of Action
  • Legal
  • Policy
  • Strategy
  • Education
  • Technical

21
Security Architect Vs. Privacy Architect
  • The security architect focuses on access controls
    and authorized access as defined by the system
    owner
  • A risk based approach is generally used and may
    include multiple layers of passwords, use of
    biometrics and/or cryptography, and generally an
    overlay of preventive, detective (reporting) and
    corrective controls

22
Security Architect Vs. Privacy Architect (2)
  • In contrast, the privacy architect focuses on the
    collection, use, disclosure and retention of data
    as mandated by the law and consented to by the
    individual whose data it is
  • The system owner is NOT the ultimate authority
    where privacy is concerned and may in fact be one
    of the parties from whom the data must be
    safeguarded

23
Risk-based Vs. Capability-based Analysis
  • Risk-based analysis: how likely is it to occur?
  • Capabilities-based analysis: can it possibly
    happen?
  • Concept of institutional override: whether anyone
    inside the organisation, the system owner
    included, can direct the system to act against
    privacy

24
Relationship between Privacy and Security
  • In theory, privacy and security may be completely
    different elements of a system
  • In practice, security is a facilitator of privacy
    and an important foundation to it
  • No matter how excellent security may be, it is
    never, of itself, sufficient to ensure privacy

25
Relationship between Privacy and Internal Controls
  • Risk-based context
  • Good control environment reduces privacy risk
  • No matter how excellent controls may be, they are
    never, of themselves, sufficient to ensure privacy

26
Capabilities-based Privacy
  • Theoretically, privacy can be established solely
    by the use of capabilities-limited technology
    which is unable by design to do anything to
    compromise privacy, no matter who may authorize
    or request it
  • In practice, total reliance on technology is
    untenable

27
Capabilities-based Privacy
  • Maintaining good privacy almost always includes
    establishing good security, maintaining privacy
    controls (preventive, detective and corrective),
    and conducting periodic privacy audits, including
    those aimed at ensuring compliance with the law

28
Technical Education for Privacy
  • To ensure adequate privacy protection in the
    future, we may have to re-think how we educate
    our next generation of technologists
  • The message may have to change from maximum
    capability and flexibility of design to
    prescribed capabilities only and
    privacy-effective design. Don't collect what you
    don't need!

29
Privacy Plan
  • Identify current practices: follow the data
    collection and use; identify the gaps
  • Establish a Centre of Privacy Excellence:
    internal staff, external advisory body
  • Plan for compliance: schedule implementation,
    audit and post-implementation evaluation
  • Plan for non-compliance: emergency response plan

30
Privacy Enhancing Technologies
  • Anonymisers,
  • Pseudonymisers,
  • Data Hiding Technologies.
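Two of the technologies listed on this slide, pseudonymisation and the "aggregate or coded information" of the Privacy By Design slide (slide 12), as an added worked example in Python that is not code from the presentation or from the IPC. A keyed pseudonymiser replaces direct identifiers with a stable but opaque token, and an aggregate view releases a count only when the group is large enough not to single anyone out. It also illustrates the capabilities-based design of slide 26: the released dataset object carries neither the key nor the original rows, so it has no way to re-identify anyone, whoever authorises the request. The field names, the key, the cell-size threshold and the sample rows are all constructed.

```python
"""Pseudonymisation and aggregation as separated capabilities.

Added example; not code from the presentation or the IPC. A keyed
pseudonymiser (HMAC-SHA256) replaces direct identifiers with a stable, opaque
token; an aggregate view suppresses small cells. The released dataset holds
neither the key nor the identifiers, so re-identification is not a function
it can perform. Field names, key, threshold and sample rows are constructed.
"""
import hashlib
import hmac
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

DIRECT_IDENTIFIERS = ("name", "email")   # constructed field names; never leave the custodian

# Constructed sample customer rows (fictional people).
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"name": "Ann", "email": "ann@example.org", "city": "Toronto", "plan": "basic"},
    {"name": "Bob", "email": "bob@example.org", "city": "Toronto", "plan": "plus"},
    {"name": "Cai", "email": "cai@example.org", "city": "Toronto", "plan": "basic"},
    {"name": "Dee", "email": "dee@example.org", "city": "Toronto", "plan": "plus"},
    {"name": "Eli", "email": "eli@example.org", "city": "Toronto", "plan": "basic"},
    {"name": "Fay", "email": "fay@example.org", "city": "Ottawa", "plan": "basic"},
    {"name": "Gus", "email": "gus@example.org", "city": "Ottawa", "plan": "plus"},
    {"name": "Hal", "email": "hal@example.org", "city": "Hamilton", "plan": "basic"},
]


class Pseudonymiser:
    """Held by the data custodian only; the key never travels with the data."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 16:
            raise ValueError("pseudonymisation key too short")
        self._key = key

    def pseudonym(self, identifier: str) -> str:
        # HMAC rather than a bare hash: SHA-256 of an e-mail address is reversible
        # by anyone who can enumerate addresses and hash them. With a secret key the
        # token is stable (same person -> same pid) yet useless without the key, and
        # a different organisation's key yields tokens that cannot be linked to ours.
        canonical = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:16]

    def pseudonymise(self, rows: Iterable[Dict[str, str]]) -> "PseudonymisedDataset":
        released = []
        for row in rows:
            kept = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
            kept["pid"] = self.pseudonym(row["email"])
            released.append(kept)
        return PseudonymisedDataset(released)

    def reidentify(self, rows: Iterable[Dict[str, str]], pid: str) -> Optional[str]:
        """Reversal needs the key and the original rows; both stay with the custodian."""
        for row in rows:
            if hmac.compare_digest(self.pseudonym(row["email"]), pid):
                return row["email"]
        return None


class PseudonymisedDataset:
    """What analysts receive: no key, no direct identifiers, aggregate release only."""

    def __init__(self, rows: List[Dict[str, str]]) -> None:
        self._rows = rows

    def __len__(self) -> int:
        return len(self._rows)

    def rows(self) -> List[Dict[str, str]]:
        return [dict(r) for r in self._rows]

    def aggregate(self, by: str, min_cell: int = 3) -> Tuple[Dict[str, int], int]:
        """Counts per value of `by`; cells below `min_cell` are suppressed, not released."""
        counts = Counter(r[by] for r in self._rows)
        released = {k: n for k, n in counts.items() if n >= min_cell}
        return released, len(counts) - len(released)
```

The split matters for slide 26's caveat that total reliance on technology is untenable: the custodian still holds the key and the raw rows, so security, access control and audit around the custodian remain necessary; the technology only guarantees that the copy handed to analysts cannot be turned back into people.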

31
Privacy Diagnostic
  • A question-and-answer format
  • CD or Web download
  • Based on Fair Information Practices
  • A good way to take your privacy temperature

32
A Closing Thought
  • "To survive mounting consumer anxiety, firms need
    to institutionalize their commitment to
    protecting customers' privacy by taking a
    comprehensive, whole-view approach. The cost of a
    privacy PR blowout can range from tens of
    thousands to millions of dollars, and this doesn't
    include lost business and damage to the brand."
  • Forrester Research

33
How to Contact Us
  • Mike Gurski, Information Privacy
    Commission/Ontario
  • 80 Bloor Street West, Suite 1700, Toronto,
    Ontario M5S 2V1
  • Phone: (416) 325-9164
  • Web: www.ipc.on.ca
  • E-mail: mgurski@ipc.on.ca