Privacy engineering

Privacy engineering is an emerging field of engineering which aims to provide methodologies, tools, and techniques to ensure systems provide acceptable levels of privacy. Its focus lies in organizing and assessing methods to identify and tackle privacy concerns within the engineering of information systems. [1]

In the US, an acceptable level of privacy is defined in terms of compliance with the functional and non-functional requirements set out in a privacy policy, a contractual artifact that documents the data-controlling entity's compliance with legislation such as the Fair Information Practices, health record security regulation and other privacy laws. In the EU, by contrast, the General Data Protection Regulation (GDPR) sets the requirements that must be fulfilled. In the rest of the world, the requirements vary with local implementations of privacy and data protection laws.

Definition and scope

The definition of privacy engineering given by the National Institute of Standards and Technology (NIST) is: [2]

Focuses on providing guidance that can be used to decrease privacy risks, and enable organizations to make purposeful decisions about resource allocation and effective implementation of controls in information systems.

While privacy has long been developing as a legal domain, privacy engineering has only come to the fore in recent years, as implementing privacy law in information systems has become a firm prerequisite for deploying those systems. For example, IPEN outlines its position in this respect as: [3]

One reason for the lack of attention to privacy issues in development is the lack of appropriate tools and best practices. Developers have to deliver quickly in order to minimize time to market and effort, and often will re-use existing components, despite their privacy flaws. There are, unfortunately, few building blocks for privacy-friendly applications and services, and security can often be weak as well.

Privacy engineering involves aspects such as process management, security, ontology and software engineering. [4] The actual application of these derives from necessary legal compliances, privacy policies and 'manifestos' such as Privacy-by-Design. [5]

[Figure: Relationship between PbD and Privacy Engineering]

At the implementation level, privacy engineering employs privacy enhancing technologies to enable anonymisation and de-identification of data. Privacy engineering requires suitable security engineering practices to be deployed, and some privacy aspects can be implemented using security techniques. A privacy impact assessment is another tool within this context, but carrying one out does not by itself imply that privacy engineering is being practiced.

One area of concern is the proper definition and application of terms such as personal data, personally identifiable information, anonymisation and pseudo-anonymisation which lack sufficient and detailed enough meanings when applied to software, information systems and data sets.
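The distinction the preceding paragraphs draw between pseudonymisation (reversible by whoever holds the key, so the data stays personal data) and de-identification by generalisation (where the question becomes how many individuals share each combination of quasi-identifiers) is easier to see on concrete records. The following Python is an added example, not code from the article or from any of the cited works; the records, the key, the attribute names and the choice of k-anonymity as the measure are all constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (no real people). Each row mixes a direct
# identifier (email), quasi-identifiers (zip, birth_year) and a sensitive value.
RECORDS = [
    {"email": "a@example.org", "zip": "12345", "birth_year": 1984, "diagnosis": "flu"},
    {"email": "b@example.org", "zip": "12346", "birth_year": 1986, "diagnosis": "asthma"},
    {"email": "c@example.org", "zip": "12347", "birth_year": 1989, "diagnosis": "flu"},
    {"email": "d@example.org", "zip": "54321", "birth_year": 1970, "diagnosis": "diabetes"},
    {"email": "e@example.org", "zip": "54322", "birth_year": 1975, "diagnosis": "flu"},
    {"email": "f@example.org", "zip": "54329", "birth_year": 1978, "diagnosis": "asthma"},
]

# Hypothetical pseudonymisation key; in practice it is held separately from
# the dataset, because whoever has it can recompute the pseudonyms.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"


def pseudonymise(record, key):
    """Replace the direct identifier with a keyed HMAC of it.

    The key holder can still map an email to its pseudonym, so the result
    is pseudonymised personal data, not anonymous data.
    """
    tag = hmac.new(key, record["email"].encode(), hashlib.sha256).hexdigest()[:16]
    out = dict(record)
    out["subject_id"] = tag
    del out["email"]
    return out


def generalise(record, zip_digits=3, year_bucket=10):
    """Coarsen quasi-identifiers: keep a zip prefix, bucket the birth year."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    decade = (record["birth_year"] // year_bucket) * year_bucket
    out["birth_year"] = f"{decade}-{decade + year_bucket - 1}"
    return out


def k_anonymity(records, quasi_identifiers):
    """Smallest equivalence class over the quasi-identifiers.

    k == 1 means at least one individual is unique on those attributes
    and therefore re-identifiable by anyone who knows them.
    """
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(classes.values())


def deidentify(records, key, quasi_identifiers=("zip", "birth_year")):
    """Pseudonymise, then generalise, and report the resulting k."""
    out = [generalise(pseudonymise(r, key)) for r in records]
    return out, k_anonymity(out, quasi_identifiers)


if __name__ == "__main__":
    print("k on raw records:", k_anonymity(RECORDS, ("zip", "birth_year")))
    rows, k = deidentify(RECORDS, PSEUDONYM_KEY)
    print("k after generalisation:", k)
    for row in rows:
        print(row)
```

On the constructed rows every individual is unique on (zip, birth_year) before treatment and falls into a class of three afterwards; the pseudonym alone changes nothing about that, which is the practical content of the terminological worry above.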

Another facet of information system privacy has been the ethical use of such systems with particular concern on surveillance, big data collection, artificial intelligence etc. Some members of the privacy and privacy engineering community advocate for the idea of ethics engineering or reject the possibility of engineering privacy into systems intended for surveillance.

Software engineers often run into difficulty when translating legal norms into current technology. Legal requirements are by nature technology-neutral and, in the event of a legal dispute, will be interpreted by a court in the context of the state of both technology and privacy practice at that time.

Core practices

As this particular field is still in its infancy and somewhat dominated by the legal aspects, the following list just outlines the primary areas on which privacy engineering is based:

Despite the lack of a cohesive development of the above areas, courses already exist for the training of privacy engineering. [8] [9] [10] The International Workshop on Privacy Engineering co-located with IEEE Symposium on Security and Privacy provides a venue to address "the gap between research and practice in systematizing and evaluating approaches to capture and address privacy issues while engineering information systems". [11] [12] [13]

A number of approaches to privacy engineering exist. The LINDDUN [14] methodology takes a risk-centric approach to privacy engineering where personal data flows at risk are identified and then secured with privacy controls. [15] [16] Guidance for interpretation of the GDPR has been provided in the GDPR recitals, [17] which have been coded into a decision tool [18] that maps GDPR into software engineering forces [18] with the goal to identify suitable privacy design patterns. [19] [20] One further approach uses eight privacy design strategies - four technical and four administrative strategies - to protect data and to implement data subject rights. [21]
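The risk-centric approach attributed to LINDDUN above (identify the personal-data flows at risk, then attach privacy controls to them) can be sketched as a small rule-driven analysis over a data-flow model. The Python below is an added example written for this article, not LINDDUN's own tooling or any of the cited works: the flow model, the elicitation rules and the control wording are constructed, and the rules cover only five of the seven LINDDUN categories (Linkability, Identifiability, Disclosure of information, Unawareness, Non-compliance), leaving Non-repudiation and Detectability aside.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Flow:
    """One personal-data flow in a simplified data-flow diagram (constructed)."""
    name: str
    source: str
    sink: str                      # "internal:..." or "external:..."
    data: FrozenSet[str]           # attributes carried by the flow
    encrypted: bool = True
    consent_recorded: bool = True
    retention_days: Optional[int] = None   # None = no retention period defined


# Direct identifiers as assumed by this example.
DIRECT_IDENTIFIERS = frozenset({"email", "name", "phone"})

# LINDDUN threat category -> privacy control proposed by this constructed analysis.
CONTROLS = {
    "Linkability": "use a distinct pseudonym per recipient instead of a shared identifier",
    "Identifiability": "pseudonymise or drop the direct identifier before it leaves the system",
    "Disclosure of information": "encrypt the flow in transit and at the sink",
    "Unawareness": "record notice/consent before the flow is permitted",
    "Non-compliance": "define and enforce a retention period for the data",
}


def analyse(flows):
    """Elicit (flow, threat, control) findings from the flow model."""
    # Which external sinks receive each direct identifier: two different
    # external parties holding the same identifier can link their records.
    external_ids = {}
    for f in flows:
        if f.sink.startswith("external:"):
            for attr in f.data & DIRECT_IDENTIFIERS:
                external_ids.setdefault(attr, set()).add(f.sink)

    findings = []
    for f in flows:
        ids = f.data & DIRECT_IDENTIFIERS
        external = f.sink.startswith("external:")
        if not f.encrypted:
            findings.append((f.name, "Disclosure of information"))
        if external and ids:
            findings.append((f.name, "Identifiability"))
        if external and any(len(external_ids[a]) > 1 for a in ids):
            findings.append((f.name, "Linkability"))
        if not f.consent_recorded:
            findings.append((f.name, "Unawareness"))
        if f.retention_days is None:
            findings.append((f.name, "Non-compliance"))
    return [(name, threat, CONTROLS[threat]) for name, threat in findings]


def threats_for(findings, flow_name):
    """Set of threat categories raised against one flow."""
    return {threat for name, threat, _ in findings if name == flow_name}


# Constructed model of a small web service.
FLOWS = [
    Flow("signup", "user", "internal:userdb", frozenset({"email", "name"}), retention_days=365),
    Flow("analytics", "internal:app", "external:analytics",
         frozenset({"email", "page_views"}), consent_recorded=False),
    Flow("marketing", "internal:app", "external:mailer", frozenset({"email"}), retention_days=30),
    Flow("backup", "internal:userdb", "internal:backup",
         frozenset({"email", "name"}), encrypted=False, retention_days=90),
]

if __name__ == "__main__":
    for name, threat, control in analyse(FLOWS):
        print(f"{name:10} {threat:26} -> {control}")
```

Running it on the constructed model flags the unencrypted backup for disclosure, both external flows for identifiability and (because they ship the same email address to two different third parties) linkability, and the analytics flow additionally for missing consent and missing retention; the signup flow raises nothing. Each finding pairs a flow with a control, which is the shape of output the risk-centric method aims at.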

Aspects of information

Privacy engineering is particularly concerned with the processing of information over the following aspects or ontologies and their relations [22] to their implementation in software:

Further to this, how the above aspects affect the security classification, risk classification and thus the levels of protection and flow within a system can then be metricised or calculated.

Definitions of privacy

Privacy is an area dominated by legal aspects but requires implementation using, ostensibly, engineering techniques, disciplines and skills. Privacy Engineering as an overall discipline takes its basis from considering privacy not just as a legal aspect or engineering aspect and their unification but also utilizing the following areas: [25]

The impetus for technological progress in privacy engineering stems from general privacy laws and various particular legal acts:

See also

Notes and references

  1. Gürses, Seda, and Jose M. Del Alamo. "Privacy engineering: Shaping an emerging field of research and practice." IEEE Security & Privacy 14.2 (2016): 40-46.
  2. "Privacy Engineering at NIST". NIST. Retrieved 3 May 2015.
  3. "Background and purpose". Retrieved 9 May 2015.
  4. Oliver, Ian (July 2014). Privacy Engineering: A Dataflow and Ontological Approach (1st ed.). CreateSpace. ISBN 978-1497569713. Archived from the original on 14 March 2018. Retrieved 3 May 2015.
  5. Gürses, Seda; Troncoso, Carmela; Diaz, Claudia (2011). Engineering Privacy by Design (PDF). International Conference on Privacy and Data Protection (CPDP) Book. Retrieved 11 May 2015.
  6. Dennedy, Fox, Finneran (2014-01-23). The Privacy Engineer's Manifesto (1st ed.). APress. ISBN 978-1-4302-6355-5.
  7. MITRE Corp. "Privacy Engineering Framework". Archived from the original on 4 May 2015. Retrieved 4 May 2015.
  8. "MSIT-Privacy Engineering". Carnegie Mellon University.
  9. "Privacy Engineering". cybersecurity.berkeley.edu. University of California, Berkeley.
  10. Oliver, Ian (17 March 2015). "Introduction to Privacy and Privacy Engineering". EIT Summer School, University of Brighton. Archived from the original on 18 May 2015. Retrieved 9 May 2015.
  11. "International Workshop on Privacy Engineering". IEEE Security.
  12. "IEEE Symposium on Security and Privacy". IEEE Security.
  13. Gurses, Del Alamo (Mar 2016), Privacy Engineering: Shaping an Emerging Field of Research and Practice, vol. 14, IEEE Security and Privacy.
  14. "HOME". LINDDUN.
  15. "A LINDDUN-Based framework for privacy threat analysis on identification and authentication processes". Computers & Security.
  16. Wuyts, K., & Joosen, W. (2015). LINDDUN privacy threat modeling: a tutorial. CW Reports. Accessed 2019-12-10.
  17. "Recitals of the GDPR (General Data Protection Regulation)".
  18. "GDPR tool".
  19. Colesky, M.; Demetzou, K.; Fritsch, L.; Herold, S. (2019-03-01). "Helping Software Architects Familiarize with the General Data Protection Regulation". 2019 IEEE International Conference on Software Architecture Companion (ICSA-C). pp. 226–229. doi:10.1109/ICSA-C.2019.00046. ISBN 978-1-7281-1876-5. S2CID 155108256.
  20. Lenhard, J.; Fritsch, L.; Herold, S. (2017-08-01). "A Literature Study on Privacy Patterns Research". 2017 43rd Euromicro Conference on Software Engineering and Advanced Applications (SEAA). pp. 194–201. doi:10.1109/SEAA.2017.28. ISBN 978-1-5386-2141-7. S2CID 26302099.
  21. Colesky, M.; Hoepman, J.; Hillen, C. (2016-05-01). "A Critical Analysis of Privacy Design Strategies". 2016 IEEE Security and Privacy Workshops (SPW). pp. 33–40. doi:10.1109/SPW.2016.23. ISBN 978-1-5090-3690-5. S2CID 15713950.
  22. Stanford Encyclopedia of Philosophy. "Semantic Conceptions of Information". Retrieved 9 May 2015.
  23. Article 29 Data Protection Working Party (16 February 2010), Opinion 1/2010 on the concepts of "controller" and "processor", vol. 00264/10/EN WP 169.
  24. Paul Groth, Luc Moreau. "An Overview of the PROV Family of Documents". W3C. Retrieved 10 May 2015.
  25. Gurses, Seda; del Alamo, Jose M. (March 2016). "Privacy Engineering: Shaping an Emerging Field of Research and Practice". IEEE Security & Privacy. 14 (2): 40–46. doi:10.1109/MSP.2016.37. ISSN 1540-7993. S2CID 10983799.
  26. "Privacy by design | Karlstads universitet". www.kau.se.
  27. Fischer-Hübner, Simone; Martucci, Leonardo A.; Fritsch, Lothar; Pulls, Tobias; Herold, Sebastian; Iwaya, Leonardo H.; Alfredsson, Stefan; Zuccato, Albin (2018). "A MOOC on Privacy by Design and the GDPR" (PDF). In Drevin, Lynette; Theocharidou, Marianthi (eds.). Information Security Education – Towards a Cybersecure Society. IFIP Advances in Information and Communication Technology. Vol. 531. Springer International Publishing. pp. 95–107. doi:10.1007/978-3-319-99734-6_8. ISBN 978-3-319-99734-6.
  28. "Carnegie Mellon University Privacy Engineering Program".
  29. "CMU Privacy Engineering Student Blogs and Work".
