In just a few days, GDPR will become enforceable across the pond from where I live. Its reach, however, extends far beyond Europe. Let us have a look at some guiding principles in the United States via privacy policies, policy guidelines, and published privacy principles.
I have been a dues-paying member of ACM for about 8 years. Recently, USACM published a Statement on the Importance of Preserving Personal Privacy. I want to delve into it here because it connects directly with our past. That will set the precedent for the future, i.e. Big Data and IoT.
Foundational Privacy Principles and Practices
ACM announced the new policy here – it is worth a read because it sets the stage for the principles they advocate. Here are some important takeaways:
- Based upon the Fair Information Practice Principles by the FTC.
- Suggestive and not prescriptive
- Minimize Personally Identifiable Information (PII)
- Communication with the consumer whose data has been collected
- Belief that emerging technologies should not come at the expense of personal privacy
The principles are intended to provide a broad framework, from which case-specific solutions can be developed.
Their goal here is to lay forth “the basis for building data privacy into modern technological systems”. Keep in mind these are guidelines and not implementation definitions. I will list the principles issued by ACM with my commentary.
- Fairness – automated systems should not hurt you in the handling of data
  - An interesting contemporary question here is “what about autonomous cars?” Just like a race condition in computer science – when a crash is inevitable, someone must lose.
- Transparency – telling people how their data is being collected, used, retained, and disclosed
  - I like the idea of transparency here. This is probably one of the items most capable of being done.
- Collection Limitation and Minimization – collect and retain data only when strictly necessary to provide a service; minimize identifiable data.
  - This is a challenge for social media. A legitimate societal objective is much harder to restrict.
- Individual Control – consent to acquisition of an individual’s data should be meaningful and fully informed. Allow restriction of sharing, collection, and retention.
  - Extra coding will be needed for sites and applications: if less data is volunteered, some features and services will need to be changed or removed.
- Data Integrity and Quality – ensure data, backups, and copies are accurate, current, and complete for the intended purpose. Perform data quality assessments.
  - Some of this is already done. After all, there is a market incentive for accurate information on people.
- Data Security – protect personal data against loss, misuse, unauthorized disclosure, and alteration. Audit access and use of personal data.
  - Audit access and usage for sure. Here we need enforcement or the whole thing becomes a thought experiment or dream. Every time there is a breach, the victim says they were taking security seriously and did everything they could to prevent it. I am not saying we should be deciding on implementation but rather on a protocol. Without enforcement, this is like playing No Limit Hold’em with fake or other people’s money.
- Data Retention and Disposal – retention and destruction policy. De-identify data where feasible.
  - I am not sure about your shop, but there are a lot of organizations that simply do not archive, let alone dispose of, their data. Why would they? I do like the de-identification point.
- Privacy Enhancement – promote and implement techniques that minimize or eliminate the collection of personal data
  - For some businesses, this goes against their whole business model. Especially for social media, the whole point is to share your data with others.
- Management and Accountability
- Risk Management
I will say there is a lot of “hope” here. We need more than wishful thinking to assert our privacy in the modern era.
In the past people did not have to worry so much about this. Communication was nowhere near as powerful and freely available as it is today. Finding someone’s picture, SSN, address, likes and dislikes was the province of close friends (not the SSN). Today it is openly available to actors around the world at their fingertips.
Lots of hope here but not much enforcement. I agree with building privacy into systems – these principles may help define “how” we do it.
Fair Information Practice Principles (FIPPS)
ACM’s privacy principles were built on the FIPPS from the FTC. They originated to establish guidelines for information in an electronic marketplace. Although developed in the late 1990s, they were based on privacy thinking from the 1970s.
What about non-commerce? This is dated material that doesn’t yet consider social media and other online activities, e.g. Gmail.
The document can be read here thanks to the Internet Archive. Let us look at the core principles:
- Notice / Awareness – consumers should be given notice of an entity’s info practices BEFORE any personal info is collected from them: identification of the data, usage, potential recipients, voluntary vs required, how the data is collected, how it is kept safe and accurate (confidentiality and integrity)
  - The most fundamental principle; everything else is only meaningful when a consumer has notice
- Choice / Consent – giving consumers options to control how their data is used, opt-in vs opt-out; consumers often don’t have a fair say here
- Access / Participation – consumers’ ability to view the data collected and also to verify and contest its accuracy; must be inexpensive for the consumer to do
- Integrity / Security – collectors should ensure data they collect is accurate and secure
  - Encryption is strongly suggested
- Enforcement / Redress – 3 conceptual approaches
  - Self-Regulation – condition of membership in an industry association, external audits, certification, etc.
  - Private Remedies – creates strong incentives for entities to adopt, ensures compensation for misuse
  - Government – civil or criminal penalties
Lastly, FIPPS has commentary on data collection from children. It was ahead of its time!
- Parents should receive notice and have means to control collection and use
- Likely an unfair practice to collect info and sell or disclose it to a 3rd party
- Parents have a right to ensure data collected from their children is accurate
A note about encryption: it is shocking that in 2018 the most confidential bits of data are not always encrypted. The LinkedIn Hack of 2012 is my favorite example. They were hashing with SHA-1. I wrote about the SHAppening – this has been known since 2007 but not demonstrated to be cracked until 2018. Nevertheless, shame on LinkedIn for knowingly using a vulnerable hashing algorithm.
It is not enough to encrypt. You must also avoid usage of compromised hashing algorithms like SHA-1 and MD5.
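To make the difference concrete, here is an added example (not from the original post) contrasting unsalted SHA-1 password storage, the scheme the post criticises LinkedIn for, with a salted, deliberately slow PBKDF2-HMAC-SHA256 record. The passwords, record format and iteration count are constructed for illustration.

```python
"""Weak (unsalted SHA-1) password storage beside a hardened form.

Added example, not from the original post. The sample passwords and the
iteration count are constructed for illustration; tune the count to your
hardware so one verification costs on the order of 100 ms.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

PBKDF2_ITERATIONS = 200_000  # illustrative value, not a LinkedIn setting
SALT_BYTES = 16


def weak_store(password: str) -> str:
    """Unsalted SHA-1: fast and deterministic, so every user with the same
    password gets the same stored value and precomputed tables apply."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hardened_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-record random salt plus a slow KDF. Stored as
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (constructed format)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def hardened_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reveals_shared_passwords(store: Callable[[str], str], password: str) -> bool:
    """True if two accounts choosing the same password produce identical
    stored values, which a breach would expose; the hardened form returns False."""
    return store(password) == store(password)


if __name__ == "__main__":
    print("unsalted SHA-1 repeats:", reveals_shared_passwords(weak_store, "correct horse"))
    print("salted PBKDF2 repeats:", reveals_shared_passwords(hardened_store, "correct horse"))
```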
DHS Privacy Office – Guide to Implementing Privacy
The US Department of Homeland Security published in 2010 a set of guidelines for protecting privacy. Its Privacy Office was the first statutorily created privacy office in the federal government. The guide was based on the FIPPS and the tenets of the Privacy Act of 1974, which was passed in the wake of Watergate. That act was a first for governing the use of PII, and it is central to the Freedom of Information Act (FOIA).
NOTE: the original document if you want to read it – Guide to Implementing Privacy
It is largely a framework of privacy laws through which the Privacy Office accomplishes its activities and mission. It comprises:
- Privacy Act of 1974
- E-government Act of 2002
- Freedom of Information Act of 1966
- Section 222 of the Homeland Security Act of 2002
- Implementing the recommendations of the 9/11 Commission Act of 2007
- Executive Order 13392 Improving Agency Disclosure of Information
- Office of Management and Budget (OMB) memorandum that specifies privacy requirements and recommendations
DHS Privacy Technology Implementation Guide
Prior to that was the DHS Privacy Technology Implementation Guide of 2007. I will briefly describe some of the contents.
- Like the other privacy policies we have discussed, this guide is not prescriptive but rather descriptive.
- Itemized review of PII
- Ensure minimization of PII
- Use limitation of PII
- Formal change management process
- PIA – privacy impact assessments
- SORN – system of records notice
- PII data dictionary
- Data model
- Process flow model
- Data quality standards
- Audit / log activities
You can read about other DHS Privacy and CyberSecurity Policies here.
Our Hope? Privacy Engineering!
Things seem dire indeed in 2018. Fortunately, there is an emerging discipline that does more than just suggest nicely: it puts solid privacy practices into implementation. Check out the CMU Privacy Day earlier this year. There is lots more there than verbose longing for data security and privacy.
There is actually a Data Privacy Day.
Read The Privacy Engineer’s Manifesto and see if that brightens your day.
Please also watch Michelle Dennedy speak at CMU CyLab – it will change how you see data privacy.
That is the kind of “hope” we need!
If you liked this then you might enjoy reading about Data Privacy Day 2018.