PRIVACY ENGINEERING WITH LINDDUN
KIM WUYTS – ARAM HOVSEPYAN
2017-02-22


Page 2

PRIVACY ENGINEERING


We’re building self-driving cars and planning Mars missions – but we haven’t figured out how to make sure people’s vacuum cleaners don’t join botnets.

#JSConfAU2016

Page 3

PRIVACY ENGINEERING


http://www.independent.co.uk/news/business/news/my-friend-cayla-i-que-intelligent-robot-genesis-smart-toys-spying-on-children-a7469741.html
http://fortune.com/2016/12/08/my-friend-cayla-doll/

Page 4


GDPR OBLIGATIONS

• Implement “appropriate” technical and organizational measures

• Implement measures that meet principles of data protection by design and data protection by default

Page 5

LINDDUN PRIVACY-BY-DESIGN FRAMEWORK

Systematic support for elicitation and mitigation of privacy threats in software systems

From high-level model of the system

Privacy knowledge base


• Linkability
• Identifiability
• Non-repudiation
• Detectability
• Disclosure of information
• Unawareness
• Non-compliance

Page 6

NON-REPUDIATION

Page 7

DETECTABILITY

© Allan Ringgaard

Page 8

LINDDUN IN A NUTSHELL

Process support (CORE)

Analysis
1. Analysis scoping: DFD, assumption management, prioritization
2. Privacy threat identification & elicitation
3. Template-driven documentation

Mitigation
4. Driver selection and prioritization
5. Decision & trade-off support: mitigation strategy
6. Instantiation of mitigation strategy: patterns, tactics, PETs, …

Knowledge support

Analysis
• LINDDUN threat taxonomy
• Mapping table

Mitigation
• Taxonomy of mitigation strategies
• Classification of privacy-enhancing technologies (PETs)

Outputs: Privacy Impact Assessment, Traceability documentation

Page 9

1. DFD
   1. User
   2. Portal
   3. Service
   4. Social network data

2. Map (mapping table: which LINDDUN threat categories apply to each DFD element type)

                 L   I   N   D   D   U   N
   Data store    X   X   X   X   X       X
   Data flow     X   X   X   X   X       X
   Process       X   X   X   X   X       X
   Entity        X   X               X

3. Elicit and document threats (template)

   Threat target                                  L   I   N   D   D   U   N
   Data store    Social network db                X   X   x   x   X       X*
   Data flow     User data stream (user-portal)   ...

Page 10


4. Prioritize threats
   T01 plotted on an IMPACT × LIKELIHOOD matrix

5. Elicit mitigation strategies

   Nr   Threat                          Mitigation strategies
   1    Linking data (at data store)    Minimize collected data by generalization …

   Mitigation mapping (mitigation strategy → LINDDUN threat tree)

   Guard exposure       Compliance        NC
                        Confidentiality   ID_ds, NR_ds, *_p
                        Minimization      L_ds, I_ds, D_ds
   Maximize accuracy    Review data       U_2
   ...

   Nr   Threat                          Threat tree leaf nodes
   1    Linking data (at data store)    Storing too much data
                                        Information disclosure of data store

6. Select solutions (mitigation taxonomy / PETs overview)

   Guard exposure
     Confidentiality
       Encryption         Symmetric key & public key encryption [MOV97], Deniable encryption [Nao02], Homomorphic encryption [FG07], Verifiable encryption [CD98]
       Access control     Context-based access control [GMPT01], Privacy-aware access control [CF08, ACK+09]
     Minimization
       Remove / Hide
         Receiver privacy   Private information retrieval [CGKS98], Oblivious transfer [Rab81, Cac98]
         Database privacy   Privacy preserving data mining [VBF+04, Pin02], Searchable encryption [ABC+05], Private search [OS05]
         General            see Guard exposure – Confidentiality – Encryption
       Replace / Generalize   K-anonymity model [Swe02b, Swe02a], l-Diversity [MGKV06]
   ...
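The six steps above, as an added worked example (not code from the LINDDUN project or from the presenters): a small Python pipeline that applies the mapping table from the previous slide to the slide's example DFD (User, Portal, Service, Social network data, the user-portal data stream), records assumptions with a rationale instead of silently dropping threats, ranks the remaining candidates by impact × likelihood, and looks up mitigation strategies in the partial strategy mapping shown on this slide. The element types assigned to the DFD elements, the impact/likelihood ratings and the single assumption are constructed for illustration; `ID_ds` is read as information disclosure at a data store and `*_p` as any threat at a process.

```python
"""Toy LINDDUN pipeline: DFD -> mapping table -> threat candidates -> prioritize -> strategies.

Added illustration, not the LINDDUN project's own tooling.  The mapping table and
the partial strategy mapping are transcribed from the slides; the DFD elements are
the slide's example; element types, scores and the assumption are constructed.
"""
from dataclasses import dataclass

CATEGORIES = {
    "L": "Linkability", "I": "Identifiability", "NR": "Non-repudiation",
    "D": "Detectability", "DD": "Disclosure of information",
    "U": "Unawareness", "NC": "Non-compliance",
}

# LINDDUN mapping table: threat categories that apply to each DFD element type.
MAPPING_TABLE = {
    "data store": ("L", "I", "NR", "D", "DD", "NC"),
    "data flow": ("L", "I", "NR", "D", "DD", "NC"),
    "process": ("L", "I", "NR", "D", "DD", "NC"),
    "entity": ("L", "I", "U"),
}

# Partial mitigation mapping as shown on the slide.  Patterns are (category, element
# type); "*" matches anything, so ("*", "process") is the slide's "*_p".
STRATEGY_MAPPING = {
    ("Guard exposure", "Compliance"): {("NC", "*")},
    ("Guard exposure", "Confidentiality"): {("DD", "data store"), ("NR", "data store"), ("*", "process")},
    ("Guard exposure", "Minimization"): {("L", "data store"), ("I", "data store"), ("D", "data store")},
    ("Maximize accuracy", "Review data"): {("U", "entity")},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # a key of MAPPING_TABLE


@dataclass(frozen=True)
class Threat:
    target: Element
    category: str
    impact: int = 1      # constructed 1..3 scale
    likelihood: int = 1  # constructed 1..3 scale

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood

    def __str__(self) -> str:
        return f"{CATEGORIES[self.category]} at {self.target.name} ({self.target.kind})"


def map_threats(dfd, assumptions):
    """Steps 1-2: apply the mapping table to every DFD element.  Threats covered by a
    documented assumption are set aside with their rationale (traceability), not lost."""
    candidates, discarded = [], []
    for element in dfd:
        if element.kind not in MAPPING_TABLE:
            raise ValueError(f"unknown DFD element type: {element.kind!r}")
        for cat in MAPPING_TABLE[element.kind]:
            reason = assumptions.get((element.name, cat))
            if reason:
                discarded.append((Threat(element, cat), reason))
            else:
                candidates.append(Threat(element, cat))
    return candidates, discarded


def prioritize(threats, scores):
    """Step 4: rank by impact x likelihood; threats the analyst did not score default to 1x1."""
    scored = [Threat(t.target, t.category, *scores.get((t.target.name, t.category), (1, 1)))
              for t in threats]
    return sorted(scored, key=lambda t: (-t.risk, t.target.name, t.category))


def strategies_for(threat):
    """Step 5: mitigation strategies whose threat-tree pattern covers this threat."""
    hits = []
    for (strategy, tactic), patterns in STRATEGY_MAPPING.items():
        if any(cat in ("*", threat.category) and kind in ("*", threat.target.kind)
               for cat, kind in patterns):
            hits.append(f"{strategy}: {tactic}")
    return hits


# The slide's example DFD; the element types are assumed.
DFD = [
    Element("User", "entity"),
    Element("Portal", "process"),
    Element("Service", "process"),
    Element("Social network data", "data store"),
    Element("User data stream (user-portal)", "data flow"),
]
# Constructed assumption, recorded with a rationale so the PIA can show why it was excluded.
ASSUMPTIONS = {("Social network data", "NR"): "audit trail is legally required; non-repudiation accepted"}
# Constructed (impact, likelihood) ratings for the threats the analyst scored.
SCORES = {
    ("Social network data", "L"): (3, 3),
    ("Social network data", "DD"): (3, 2),
    ("User", "U"): (2, 2),
}


def run(dfd=DFD, assumptions=ASSUMPTIONS, scores=SCORES):
    threats, discarded = map_threats(dfd, assumptions)
    return prioritize(threats, scores), discarded


if __name__ == "__main__":
    ranked, discarded = run()
    for t in ranked:
        print(f"risk={t.risk} {t} -> {strategies_for(t) or ['(not in slide excerpt)']}")
    for t, reason in discarded:
        print(f"assumed out of scope: {t}: {reason}")
```

Running the block prints 26 ranked candidates plus the one threat set aside by assumption. Linkability at the User entity, and every data-flow threat, come back with no strategy because the slide shows only an excerpt of the mitigation mapping; in a real analysis that is the point where the analyst turns to the full LINDDUN knowledge base rather than declaring the threat handled.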

Page 11

LINDDUN FACTS & FIGURES

Created in 2010 *

Extended and improved based on empirical studies and feedback

Well received by community: 100+ citations

Analyzed and applied in European projects

Citations per year (Google Scholar status, February 2017): 1, 4, 9, 20, 18, 32, 34

"LINDDUN provides a clear methodology through which engineers can translate general privacy concerns into system objectives and further into actual technical responses answering on practical misuse scenarios. It makes a continuous adaptation possible at several levels (system objectives, threat tree patterns, mitigation strategies) for new technical developments."

FP7 BYTE project, Deliverable D4.2 – Evaluating and addressing positive and negative societal externalities

* Collaboration of DistriNet and COSIC

Page 12

LINDDUN IN THE WILD


“[LINDDUN] is, in many ways, one of the most serious and thought-provoking approaches to privacy threat modeling, and those seriously interested in privacy should take a look at it.”

Adam Shostack (Microsoft), Threat Modeling, Wiley, 2014

“The LINDDUN methodology broadly shares the principles of the CNIL method but it puts forward a more systematic approach based on data flow diagrams and privacy threat tree patterns.”

European Union Agency for Network and Information Security (ENISA), Privacy and Data Protection by Design – from policy to engineering. December 2014.

“The catalogue of privacy threats is taken from LINDDUN. It is used in the privacy risk management process to identify privacy risk sources. […] The catalogue of privacy measures is taken from LINDDUN. It is used in the privacy engineering design process to identify privacy and security controls.”

ISO/IEC 27550 – Privacy Engineering, first working draft. January 2017

Page 13

LINDDUN IN A NUTSHELL


Systematic support for privacy by design

Solid scientific foundation

Ongoing pilot projects with industry

Page 14

PRIVACY ENGINEERING WITH LINDDUN
KIM WUYTS – ARAM HOVSEPYAN

www.linddun.org