Privacy by Design - Engineering Privacy

Privacy by Design – Engineering Privacy

Workshop Report

August 31-September 1, 2015 Pittsburgh, PA

Omni William Penn Hotel, William Penn Place, Pittsburgh, PA, United States

Overview

This workshop surveyed emerging challenges in engineering privacy from applications of cryptographic protocols and privacy-preserving databases, to formal notations and programming languages in identity management, de-identification, and software specification. This survey reviewed known challenges, such as understanding privacy policies (e.g., privacy laws in regulated sectors like healthcare and finance; privacy promises in self-regulated sectors like Web services) in computational terms so that tools can be developed to help with their enforcement, which includes conflicts introduced by cross-references from one legal text to another, difficulties reflecting use based models, modeling business process’ compliance with the law; and policy weaknesses exposed by computer scientists that limit the utility of translation for privacy protection (e.g., the atomic view of information types that ignores statistical correlations leading to weak de-identification requirements and ineffective approaches to privacy-preserving big data analytics). The workshop raised awareness of how well these results address the concepts and open problems identified in workshop #2, as well as serve to identify open research questions.

Privacy by Design Workshops

This workshop was one of four aimed at identifying a shared research vision to support the practice of privacy-by-design. They convened both practitioners with direct experience of the challenges in implementing privacy-by-design from a range of fields—software developers, privacy engineers, usability and interaction designers, chief privacy officers—and researchers from an equally broad range of disciplines.

The goals for the four workshops included:

To take stock of the methods, tools, and approaches currently used to design for privacy.
Broaden the lens through which privacy-by-design is viewed by the research community—positioning technical design along side theoretical/conceptual, organizational, and regulatory design questions.
Begin the process of building an interdisciplinary community of researchers to develop broader theoretical foundations, systematic approaches, as well as organizational and regulatory models for supporting the practice of privacy-by-design.

Other Privacy by Design Workshops
Workshop 1- State of Research and Practice
Workshop 2- Privacy Enabling Design
Workshop 4- Catalyzing Privacy by Design

Agenda

August 31, 2015 (Monday)

08:00 AM	Breakfast \| Conference B
09:00 AM	Session 1: Opening Remarks and Introductions \| Conference A Deirdre Mulligan, UC Berkeley Travis Breaux, Carnegie Mellon
09:30 AM	Session 2: Requirements and Policy Languages \| Conference A Limin Jia, Carnegie Mellon Travis Breaux, Carnegie Mellon Becky Richards, NSA
10:30 AM	Break \| Outside Conference A
10:50 AM	Session 3: Threat Modeling \| Conference A Susan Landau, Worcester Polytechnic Institute Naomi Lefkovitz, NIST Giles Hogben, Google
11:40 AM	Session 4: Identity Management \| Conference A Naomi Lefkovitz, NIST Paul Grassi, Connect.gov David Kelts, MorphoTrust
12:30 PM	Lunch \| Conference B
01:30 PM	Session 5: Privacy Tool Clinic, Part 1 \| Conference A Chair: Seda Gurses, Princeton Tool Presenters: Daniel Smullen, Carnegie Mellon Travis Breaux, Carnegie Mellon Carmela Troncoso, Gradiant Ilya Mironov, Google Aleksandra Korolova, Stanford Tool Ringers: Eleanor Birrell, Cornell Mohit Gupta, Clever Lorrie Cranor, Carnegie Mellon Joe Hall, CDT Gerald Friedland, UC Berkeley Ira Rubinstein, NYU
02:30 PM	Session 6: Conception of Privacy \| Conference A Deirdre Mulligan, UC Berkeley Helen Nissenbaum, NYU
03:30 PM	Break \| Outside Conference A
04:00 PM	Session 7: Privacy Tool Clinic, Part 2 \| Conference A Chair: Seda Gurses, Princeton Tool Presenters: Daniel Smullen, Carnegie Mellon Carmela Gonzalez Troncoso, Gradient Aleksandra Korolova, Stanford Tool Ringers: Damien Desfontaines, Google Katie Shilton, UM College Park Matthew Fredrikson, Carnegie Mellon Bethan Cantrell, Microsoft Khaled El Elmam, University of Ottawa Helen Nissenbaum, NYU
05:00 PM	Session 8: Wrap-up on Day 1 \| Conference A
06:30 PM	Dinner \| Grand Concourse Restaurant Walk: leave from lobby at 6:10 Cab: leave from lobby at 6:20

September 1, 2015 (Tuesday)

08:00 AM	Breakfast \| Conference B
09:00 AM	Session 9: Reflections from Day 1 \| Conference A Deirdre Mulligan, UC Berkeley
09:30 AM	Session 10: Composability \| Conference A Anupam Datta, Carnegie Mellon Michael Tschantz, ICSI Ashwin Machanavajjhala, Duke Robert Ferguson, Automatic Labs
11:00 AM	Break \| Outside Conference A
11:30 AM	Session 11: Standards \| Conference A Lorrie Cranor, Carnegie Mellon Dawn Jutla, St. Mary’s University Nick Doty, UC Berkeley
12:30 PM	Lunch \| Conference B
01:30 PM	Session 12: Practical De-Identification \| Conference A Khaled El Emam, University of Ottawa Matthew Fredrikson, Carnegie Mellon Ira Rubinstein, NYU
02:30 PM	Session 13: Design Patterns for Privacy \| Conference A Nick Doty, UC Berkeley José M. del Álamo, Universidad Politecnica de Madrid Richard Chow, Intel Mohit Gupta, Clever Jaap-Henk Hoepman, Radboud University Nijmegen
03:45 PM	Session 14: Wrap up on Day 2 \| Conference A

Participants

Participant Lightning Slides

Organizing Committee:

Deirdre K. Mulligan (Chair) University of California, Berkeley

Annie Antón Georgia Institute of Technology

Ken Bamberger University of California, Berkeley

Travis Breaux Carnegie Mellon University

Nathan Good Good Research

Susan Graham University of California, Berkeley and the Computing Community Consortium

Seda Gürses New York University

Susan Landau Worcester Polytechnic Institute

Helen Nissenbaum New York University

Fred Schneider Cornell University

Peter Swire Georgia Institute of Technology

Ira Rubinstein New York University

Ann Drobnis Computing Community Consortium Director

Logistics

The Computing Community Consortium (CCC) will cover travel expenses for all participants who desire it. Please make your hotel reservation, using the link you receive after registering for the workshop. Participants are asked to make their own travel arrangements to get to the workshop, including purchasing airline tickets. Following the symposium, CCC will circulate a reimbursement form that participants will need to complete and submit, along with copies of receipts for amounts exceeding $75.

In general, standard Federal travel policies apply: CCC will reimburse for non-refundable economy airfare on U.S. Flag carriers; and no alcohol will be covered.

For more information, please see the Guidelines for Participant Reimbursements from CCC.

Additional questions about the reimbursement policy should be directed to Ann Drobnis, CCC Director (adrobnis [at] cra.org).

Resources

Privacy Engineering Tool Clinic

The objective of this tool clinic is to reflect on privacy (engineering) tools in the presence of interdisciplinary experts from academia, industry, government and civil society. During a tool clinic session, toolmakers present their tool, then two ringers steer and stir a lively discussion with an multi-disciplinary group of participants. The exercise aims to promote the collective evaluation of the tool with a focus on future directions for the presented tool. During tool clinic sessions the participants are encouraged to put themselves in the shoes of the designer and to reflect on a privacy engineering problem in the context of a concrete artifact. At the same time, the sessions provide toolmakers with an opportunity to rethink their tools in the presence of a group of experts with trans-disciplinary skills. By raising questions around production, licensing, deployment, use, legal implications, maintenance and sustainability the tool clinic also encourages participants to think about privacy engineering in holistic terms.

You can read more about tool clinics here: http://bit.ly/1K1OegK

The Tools:

Eddy: A privacy requirements specification language that privacy analysts can use to express requirements over acts to collect, use, transfer and retain personal and technical information.

Eddy Workshop Info Sheet

Eddy Website: https://gaius.isri.cmu.edu:8210/eddy/

Tool Makers:
Daniel Smullen and Travis Breaux, CMU

Ringers Session 1:
Eleanor Birrell, Cornell
Mohit Gupta, Clever

Ringers Session 2:
Damien Desfontaines, Google
Katie Shilton, UM College Park

RAPPOR: A technology for crowdsourcing statistics from end-user client software anonymously and with strong privacy guarantees.

Google’s blog post: http://googleresearch.blogspot.com/2014/10/learning-statistics-with-privacy-aided.html
Academic paper: http://arxiv.org/abs/1407.6981
Open source project: https://github.com/google/rappor

Tool Makers:
Ilya Mironov, Google and Aleksandra Korolova, USC

Ringers Session 1:
Gerald Friedland, UC Berkeley
Ira Rubinstein, NYU

Ringers Session 2:
Khaled El Emam, University of Ottawa
Helen Nissenbaum, NYU

Privacy Preserving Genomics Sharing Tool: A tool that allows for privacy-preserving sharing and visualization of genomic sequences, keeping them encrypted while they traverse outsourced environments.

Genomic Sharing Info Sheet

Flow Sheet

Tool Maker:
Carmela Troncoso, Gradient

Ringers Session 1:
Lorrie Cranor, Carnegie Mellon
Joe Hall, CDT

Ringers Session 2:
Matthew Fredrikson, Carnegie Mellon
Bethan Cantrell, Microsoft