Privacy

Privacy is a human right. It is a moral thing (“What kind of world do you want to live in?”). Privacy exists to prevent “chilling effects” (when individuals self-censor their expressions, opinions and choices, even if they are perfectly legal, because they fear negative consequences). This causes people to be less informed and less organized, to understand less and to have less influence.

Important: Democracy and freedom are defended by the citizens, not by the authorities!

Authorities and Privacy

Allowing people to express their opinions is inconvenient for those in power. What if there was a way to shut them up…?

  • An all-seeing, all-knowing and vengeful “God”, punishing people for thinking or doing “wrong”.
  • The more control the state gets, the easier it becomes to rule and to expand that “control” further.
  • There are people who cannot stand others thinking differently (authoritarians) and who seek power to impose their views on others.

If you give me two lines written by the hand of the most honest of men,
I will find something in them which will hang him.
Armand Jean du Plessis de Richelieu

Meaning: Almost any personal information can be used to ruin someone's reputation, even decades later!

Fear

Fear is the mind-killer…

  • it has a strong negative impact on decision-making capabilities
  • people in fear are no longer able to rationally evaluate threats
  • widespread fear is an invitation for erosion of freedom (create, amplify and spread fear so that the powerful become more powerful)

Why is this relevant to APSI?

  • unprecedented possibilities of data collection
  • decisions are made by IT experts in private or government employment
  • data-collection may look harmless, but it is not
  • data can be retained for a long time and even impact descendants
  • governments have already started using electronic attacks to obtain data
  • privacy violations can be reduced, because privacy is (also partly) a technical security problem

Data

What can be done with data?

  • can be used to coerce and destroy people
  • data recorded earlier in a person’s life can be used against them when they have or are about to obtain a position of power
  • most people do something stupid (especially when they were young)
  • medical data is always critical
  • can be used to identify and define “undesirable” persons/groups
  • can be used to disadvantage people (e.g. no access to healthcare or insurance because of known risk factors)

All data that pertains to an individual or a group of people!

There is no limit. As long as it refers to people, it is critical with regards to data privacy. Especially critical is medical data.

Principles of Data Privacy

  • Always perform a proper risk assessment before deploying systems
  • Ask for and store the least amount of data necessary
  • Delete data as soon as it is not needed anymore
  • Make sure that data is accurate
  • Make sure data is properly secured against unauthorized access
  • Respect human rights and laws
  • Inform when data is being recorded or given away and ask for permission

Data privacy includes data security, because an attacker will most likely not respect privacy.

Encryption

Encryption only protects data while it is not being accessed or used (in transfer, in backups/long-term storage). Therefore it can help with data privacy:

  • encrypt data in transfer and in long-term storage
  • decrypt only for the data owner
  • use cryptographic measures to secure credentials

Cloud

If you do not trust the cloud operator, then do not store privacy-related data in the cloud, period! To create this trust:

  • the provider must be forbidden to share data except by an individual court order (inform affected individuals and allow protests)
  • collaboration with 3-letter agencies (CIA, FBI, MI6) must be forbidden
  • unauthorized copies must be forbidden
  • the cloud provider must follow established security practices to prevent attacks
  • if conditions are violated, the provider must be held criminally liable

Data Anonymization

Anonymization is useful for statistics and normally a lot more difficult than it seems! De-anonymization becomes easier the more data there is, and it usually does not need to be 100% accurate to cause harm. This means that simple approaches (e.g. truncating data) do not work.

Principles of anonymization:

  • individuals must only be identifiable within a large group
  • derive a secondary result from anonymized data and delete the original
  • train a classifier (neural network), then work with that
  • create synthetic data matching the characteristics of the original (current research!)

To quantify quality of anonymization: k-anonymity
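As an added example (not part of the lecture notes), the following Python code measures the k-anonymity of a small constructed table and shows why the naive approach of truncating one field fails while generalizing every quasi-identifier works. It goes one step beyond the notes by also computing l-diversity, which checks that a group of k indistinguishable people does not all share the same sensitive value. The records, the choice of quasi-identifiers (zip, birth year, sex) and the function names are assumptions made for the demo.

```python
"""k-anonymity and l-diversity on a constructed sample table (added example)."""
from collections import Counter

# Constructed sample records: (zip, birth_year, sex, diagnosis).
# The first three columns are quasi-identifiers (linkable to outside data),
# the diagnosis is the sensitive attribute we want to protect.
RECORDS = [
    ("8001", 1985, "F", "flu"),
    ("8002", 1986, "M", "asthma"),
    ("8003", 1987, "F", "flu"),
    ("8004", 1984, "M", "diabetes"),
    ("8045", 1970, "F", "flu"),
    ("8046", 1972, "M", "asthma"),
    ("8047", 1971, "F", "asthma"),
    ("8048", 1973, "M", "flu"),
]
QUASI_IDENTIFIERS = (0, 1, 2)  # column indexes of zip, birth_year, sex
SENSITIVE_COLUMN = 3


def _groups(records, qi_columns):
    """Map each combination of quasi-identifier values to its records."""
    groups = {}
    for rec in records:
        groups.setdefault(tuple(rec[c] for c in qi_columns), []).append(rec)
    return groups


def k_anonymity(records, qi_columns=QUASI_IDENTIFIERS):
    """Size of the smallest group of records sharing the same quasi-identifiers.
    k == 1 means at least one person is unique and re-identifiable by linkage."""
    return min(len(g) for g in _groups(records, qi_columns).values())


def l_diversity(records, qi_columns=QUASI_IDENTIFIERS, sensitive=SENSITIVE_COLUMN):
    """Smallest number of distinct sensitive values inside any group.
    l == 1 means a group reveals its sensitive value even though k may be large."""
    return min(len({r[sensitive] for r in g})
               for g in _groups(records, qi_columns).values())


def truncate_zip(records, keep=3):
    """The naive approach from the text: only cut digits off the zip code."""
    return [(r[0][:keep] + "*" * (len(r[0]) - keep),) + r[1:] for r in records]


def generalize(records, zip_keep=2, year_bucket=10, drop_sex=True):
    """Coarsen every quasi-identifier: zip prefix, decade of birth and
    (optionally) suppress sex entirely."""
    out = []
    for zip_code, year, sex, sensitive in records:
        z = zip_code[:zip_keep] + "*" * (len(zip_code) - zip_keep)
        start = year - year % year_bucket
        y = f"{start}-{start + year_bucket - 1}"
        s = "*" if drop_sex else sex
        out.append((z, y, s, sensitive))
    return out


if __name__ == "__main__":
    print("original:      k =", k_anonymity(RECORDS), "l =", l_diversity(RECORDS))
    print("truncated zip: k =", k_anonymity(truncate_zip(RECORDS)))
    print("generalized:   k =", k_anonymity(generalize(RECORDS)),
          "l =", l_diversity(generalize(RECORDS)))
```

On this table every zip code is unique, so k is 1; truncating the zip alone still leaves the birth years distinct (k stays 1); generalizing zip to a two-digit prefix, birth year to a decade and suppressing sex yields two groups of four (k = 4). Keeping sex halves the groups (k = 2). Which k is acceptable depends on the risk assessment: the larger the outside data an attacker can link against, the larger k has to be.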

Pseudonymity

Pseudonymity is when personally identifiable information is replaced by made-up information. This is easier to do, but also easier to de-anonymize.

Comparison

Anonymity:

  • Nobody should be able to recover individual personal data
  • Statistics may be harder or become meaningless

Pseudonymity:

  • Recovery only requires a “key”, records are kept intact
  • Statistics are impacted less or not at all
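The following Python code is an added example (not from the notes) of the pseudonymity side of this comparison: direct identifiers are replaced by a keyed HMAC token, records stay intact and linkable so statistics still work, and recovery of the real identity requires the key holder's lookup table. The sample customers, the demo key and the function names are constructed for the example; in a real system the key and the lookup table would live in a separately protected store.

```python
"""Pseudonymization with a keyed hash (added example)."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records: direct identifiers plus the data we analyse.
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.org", "city": "Zurich", "orders": 3},
    {"name": "Bob Example", "email": "bob@example.org", "city": "Bern", "orders": 1},
    {"name": "Alice Example", "email": "alice@example.org", "city": "Zurich", "orders": 2},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(value, key):
    """Deterministic keyed token: same input and same key give the same token,
    so records of one person stay linkable. A secret key (HMAC) rather than a
    plain hash is essential: names and e-mail addresses come from a small,
    guessable space, and a plain hash could simply be looked up."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Replace direct identifiers. Returns the pseudonymized records plus the
    re-identification table, which must be stored under strict access control
    (or discarded, if re-identification is never needed)."""
    lookup = {}
    out = []
    for rec in records:
        new = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(rec[field], key)
            lookup[token] = rec[field]
            new[field] = token
        out.append(new)
    return out, lookup


def orders_per_customer(records):
    """Statistics still work on pseudonymized data because linkability is kept."""
    totals = Counter()
    for rec in records:
        totals[rec["email"]] += rec["orders"]
    return totals


def reidentify(token, lookup):
    """Only whoever holds the lookup table (the 'key' of the comparison) can
    map a token back to a person."""
    return lookup.get(token)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-do-not-use"
    pseud, table = pseudonymize(CUSTOMERS, demo_key)
    for rec in pseud:
        print(rec)
    print(orders_per_customer(pseud))
```

Note what the tokens still leak: the two Alice records share a token, so anyone with the pseudonymized file knows these are the same person, and the untouched city and order columns remain quasi-identifiers. This is exactly why pseudonymized data is easier to de-anonymize than anonymized data and why the GDPR still treats it as personal data.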

GDPR

Even though we are in Switzerland, the GDPR matters: everyone who does business with someone within the EU is affected. In addition, the new Swiss Data Protection law is pretty close to the GDPR.

Disclaimer: Only the technological side of the GDPR is covered here.

The GDPR applies to all data of natural persons and their characteristics as long as someone might be able to identify the person.

Examples:

  • IP addresses: the provider can usually deanonymize
  • Medical records belonging to an ID: even if you do not have access to the IDs, someone does!

Principles

  • Continued storage and processing only with a valid reason
  • No storage without consent
  • Time-dependent retention and deletion obligations
  • People may request the data stored about them
  • Deletion may be requested and consent retracted at any time

Long-Term Backups and Archives

Real world example: A company offers services for money. The relevant personal customer data needs to be kept 10 years and deleted after that.

Assume:

  1. The live system is backed up to tape every month (tape referring to long-term storage)
  2. Every year, the tapes from January and July are turned into archives
  3. Archive tapes are deleted after 10 years
  4. The data is deleted from the live system 10 years after last transaction

How long after last transaction is customer data deleted? 19 - 21 years after!

What are the challenges?

  • Find all data if somebody requests it (even in the archives)
  • Delete all data if somebody requests it (see previous point)
  • Allow new transactions at any time (data needs to be stored in the live system for 10 years)

You are allowed to keep backups and the customer data therein for some period afterwards (roughly 3 - 6 months), but you must tell the customer about this. Restoring a backup now requires additional care, because customer data that was deleted in the live system must not be restored from backup.

The term “deleted” is defined more loosely in a legal setting. Marking data as deleted seems to be good enough, because recovering it “requires prohibitive effort”. The same is true for data retained on archive tapes: restoring an archive to read the data is considered to require “prohibitive effort”. These interpretations may change in the future.

Crypto Shredding

A possible solution to fulfil the right to be forgotten: create a crypto key for each business case and encrypt the affected data under it; on request the key is destroyed, which renders the data useless even where copies remain in backups or archives. But it comes with significant downsides: key protection, secure deletion of keys, and a large number of keys if every business case requires its own.
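As an added example (not from the notes), the following Python code shows the crypto-shredding lifecycle: one key per business case, records stored only in encrypted form, and “deletion” implemented by destroying the key while the ciphertext is left in place, as it would be on a backup tape. To keep the demo runnable with the standard library alone, the cipher is an encrypt-then-MAC construction built from HMAC-SHA256 (a stand-in I chose for the demo); a real system would use a vetted AEAD such as AES-GCM from a proper crypto library and keep the per-case keys in a KMS or HSM so that key destruction is actually irreversible. Class, method and record names are constructed for the example.

```python
"""Crypto shredding: per-business-case keys, deletion by key destruction (added example)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key):
    """Derive separate encryption and MAC keys from the per-case key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a keystream (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CryptoShredStore:
    """Records are held only as ciphertext; keys live in a separate key store.
    The downsides named in the text are visible here: the key store needs the
    strongest protection, its deletions must be real (not just unreferenced
    memory), and there is one key per business case."""

    def __init__(self):
        self._keys = {}      # business case -> key (in production: KMS/HSM)
        self._records = {}   # business case -> list of encrypted records

    def store(self, case, record):
        key = self._keys.setdefault(case, secrets.token_bytes(32))
        self._records.setdefault(case, []).append(encrypt(key, record))

    def read(self, case):
        if case not in self._keys:
            raise KeyError(f"no key for {case!r}: data has been shredded")
        return [decrypt(self._keys[case], blob) for blob in self._records.get(case, [])]

    def shred(self, case):
        """Right to be forgotten: destroy the key. Ciphertext may remain in
        backups and archives, but without the key it is useless."""
        self._keys.pop(case, None)

    def is_shredded(self, case):
        return case in self._records and case not in self._keys

    def ciphertext_count(self, case):
        return len(self._records.get(case, []))


if __name__ == "__main__":
    store = CryptoShredStore()
    store.store("customer-42", b"Alice Example, Zurich, 3 orders")
    store.store("customer-42", b"invoice 2021-01")
    print(store.read("customer-42"))
    store.shred("customer-42")
    print("ciphertexts left:", store.ciphertext_count("customer-42"),
          "shredded:", store.is_shredded("customer-42"))
```

The point to take from the demo is the separation: the data store can be backed up and archived freely, while the retention question collapses into the much smaller problem of deleting one key per business case at the right moment. Key backups undermine that, so the key store's own backup and retention policy has to be designed together with the shredding process.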

Audit-Proof

Sometimes systems must be audit-proof, which means that nothing can be changed and everything must be retrievable. This information cannot be deleted, so how does “audit-proof deletion” work?