
Designing Software With Privacy in Mind

dalektcalum writes "Dr. Ann Cavoukian, Canada's Information and Privacy Commissioner, recently gave a talk entitled Privacy by Design. The talk starts off by covering the basics of privacy and privacy law, and then moves on to the important component: how to design software that properly protects users' privacy. The majority of the talk is spent on design principles, but it also examines specific technologies (such as Elliptic Curve Cryptography)." The site includes a flash video of the talk, but there are also several torrents for folks who want to avoid hammering their servers.
  • Konspiracy (Score:3, Funny)

    by bigmacd24 ( 1168847 ) on Sunday October 07, 2007 @06:05AM (#20886543) Homepage
    Bah, user privacy my bottom. Information wants to be free! Now the government privacy komisar wanting to implement biometrics to 'protect' me seems like some crazy leftist nutjob after my vital fluids.
  • important points (Score:5, Interesting)

    by crazyirishhobo ( 1130599 ) on Sunday October 07, 2007 @06:12AM (#20886575)
    Privacy is really important, and watching this talk makes me realize I have not been doing my part as a software developer to respect users' privacy. Hell, I log way too much information, just to make debugging a little easier on the off chance I have to debug it in production. I'd encourage all software developers out there to watch this talk, and take its message to heart.
    • by shmlco ( 594907 )
      How about like developing a service to store medical information online... and then tying it to a global ID you use for every other one of their online services?

      http://arstechnica.com/news.ars/post/20071006-microsoft-wants-your-health-care-records-trust.html [arstechnica.com]
  • by shanen ( 462549 ) on Sunday October 07, 2007 @06:36AM (#20886663) Homepage Journal
    I'll believe they [the big companies and the government] are sincere about my privacy when they agree to store my personal information on *MY* disk space. Whenever they want to look at my personal information they need to tell me why, and I should have the right to say yea or nay to that request. Right now they claim that my personal information belongs to them, and there's no way for me to know anything about what they are doing with it.

    In more detail, this should actually be implemented by my settings of my privacy preferences. Most requests would be handled routinely without my needing to consider them in detail. For example, if I'm requesting a loan from my bank and they want to check my credit history, then my privacy policy would be to check that it was really my bank and that I had really initiated the loan request, and then they could look at the required information. If they need to compile some summary statistics, I'd agree for them to look at some of my information long enough to tally it. Etc., etc.

    If they need to make sure that I don't tamper with my data, they can sign it and put a checksum on it, and I won't be able to tamper with it. There are actually technologies that would still allow me to see what the information is even in that case. Actually, any technical problem you want to point at, I can refer you to the solutions. They are already published in the literature.

    The *REAL* problem is that the companies want to own us.
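The scheme this post sketches (a record the user holds on their own disk, signed by the provider so it can be read but not altered, and released only under the user's own privacy policy), as an added example; this is not the poster's code, HMAC stands in for a real public-key signature, and the requester names, field names and the `PrivacyPolicy` class are assumed for illustration.

```python
"""User-held, provider-signed record with a local release policy: an added example
of the scheme sketched in the post above, not the poster's code. The provider tags
each field of the record (together with the subject id, so fields cannot be moved
between people) using a key only it holds; HMAC stands in for a public-key signature
so this runs with the standard library. The user can read every field but not change
one, and a user-side policy releases only the fields an allowed requester needs,
and only for a request the user started."""
import hashlib
import hmac
import json


def _tag(provider_key: bytes, subject: str, field: str, value) -> str:
    # Canonical JSON so the tag does not depend on key order or whitespace.
    msg = json.dumps([subject, field, value], sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(provider_key, msg, hashlib.sha256).hexdigest()


def provider_sign(provider_key: bytes, subject: str, record: dict) -> dict:
    """Signed copy for the user's disk; one tag per field so released subsets stay checkable."""
    return {"subject": subject, "fields": {
        f: {"value": v, "tag": _tag(provider_key, subject, f, v)} for f, v in record.items()}}


def provider_verify(provider_key: bytes, released: dict) -> bool:
    """Run by the provider when a requester presents fields the user released."""
    return all(hmac.compare_digest(e["tag"], _tag(provider_key, released["subject"], f, e["value"]))
               for f, e in released["fields"].items())


class PrivacyPolicy:
    """User-side rules: which requester may read which fields, on user-initiated requests only.
    The requester's identity is assumed to have been authenticated before release() is called."""

    def __init__(self, allowed: dict):
        self.allowed = allowed   # requester -> set of field names it may read
        self.pending = set()     # request ids the user initiated and has not yet served

    def user_initiates(self, request_id: str) -> None:
        self.pending.add(request_id)

    def release(self, requester: str, request_id: str, fields, signed: dict) -> dict:
        if request_id not in self.pending:
            raise PermissionError("request was not initiated by the user")
        if not set(fields) <= self.allowed.get(requester, set()):
            raise PermissionError(f"{requester} may not read {sorted(set(fields))}")
        self.pending.discard(request_id)   # each initiated request is served once
        return {"subject": signed["subject"], "fields": {f: signed["fields"][f] for f in fields}}


def demo() -> dict:
    """Constructed values, not real data: a credit record released to the user's bank."""
    provider_key = b"provider-secret-for-demo-only"   # hypothetical key
    signed = provider_sign(provider_key, "user-42",
                           {"score": 720, "history": ["card 2005", "auto 2006"]})
    policy = PrivacyPolicy({"my-bank": {"score"}})
    policy.user_initiates("loan-1")          # the user started the loan request
    released = policy.release("my-bank", "loan-1", ["score"], signed)
    # A modified value under the original tag must fail verification.
    tampered = {"subject": "user-42", "fields": {
        "score": {"value": 800, "tag": released["fields"]["score"]["tag"]}}}
    return {"released": released, "ok": provider_verify(provider_key, released),
            "tampered_ok": provider_verify(provider_key, tampered)}
```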
    • Picking on Google because of their prominence, but this is how Gmail could be designed to really respect my privacy by storing the data on my own computer. (This would also take care of the 2 GB limitation.)

      The email and the indexes would live on my machine. When I'm reading some email with Gmail, it would scan the email and send only the appropriate keywords to Google, and they would respond with the appropriate ads to be displayed in the appropriate boxes on my computer--but they would not have any direct a
      • by RAMMS+EIN ( 578166 ) on Sunday October 07, 2007 @08:31AM (#20887101) Homepage Journal
        That might work for you if you keep your computer on and connected to the Internet at all times. Back in the day, people used web mail exactly because they didn't have a computer that was always connected to the 'net. If you do have a computer that is always on, you have no use for gmail. Just host your mail on your computer and you _will_ be in control, not just with respect to privacy, but also about the interface, supported protocols, encryption, filtering; everything.
        • No, you won't. You have no idea how many hops the data is making, who is in the middle, where copies are being stored.

          If you live your life in a way that demands privacy to assure your personal security, you will be disappointed.

          The privacy debates going these days are a bunch of bullshit. Privacy is a myth, and it serves the interests of those who already have access to all the data and don't want to lose that edge by sharing it with everyone else.

          We should be striving towards dismantling the myth, banis
          • by rtb61 ( 674572 )
            You just don't get it. Privacy is not hardware or software, it is a legislated requirement that the general public, via government, forces upon companies.

            This article is a growing sign of the times; the wild wild west of the internet is coming to an end. What a company will be allowed to know or keep records of with regard to the general public will tighten up and basically be reduced to the absolute minimum required for order placement and account keeping processes.

            Privacy is not a myth, pri

        • by shanen ( 462549 )
          Okay, I'm correcting you because you got your facts wrong. You don't have to leave your computer on all day to receive non-Web-based email because the email is stored on servers until you receive it. Your point of confusion is apparently whether or not you want to be able to access that email from *ANY* computer that is connected to the Internet, or whether you should only be able to access that email from *YOUR* own computer. The question of whether or not your computer is turned on is purely specious. You
          • ``You don't have to leave your computer on all day to receive non-Web-based email because the email is stored on servers until you receive it.''

            Well, yes, of course, but I was replying to a post where the suggestion was that the mail is stored on _your_ computer. I interpreted that to mean that it isn't stored on someone else's server, because that would kind of make the whole point moot.

            ``The big problem with being able to read your personal email from anywhere is that it basically means that anyone else c
            • by shanen ( 462549 )
              And what if the email is transmitted in the clear and passes by someone with a packet sniffer?

              By the way, that relates to one of the nifty but little known features of Gmail. If you access Gmail with HTTPS instead of HTTP, then the entire connection stays encrypted. Most other Web-based email systems only attempt to encrypt the password exchange, and then go into the clear.

              Though I can't prove it, I'm pretty sure that the email is stored in the clear on Gmail's servers. We know they are constantly searching
              • "And what if the email is transmitted in the clear and passes by someone with a packet sniffer?"

                I own my computer and I access e-mail (once on its mailbox) via secure protocols like IMAPS and/or HTTPS.
                Of course that doesn't cope with the MTA to MTA transmission which is usually in the clear.

                But then, that's what PGP/GPG is for.

                "Though I can't prove it, I'm pretty sure that the email is stored in the clear on Gmail's servers"

                That's pretty irrelevant. It's obvious that the end user is doing nothing to decyph
                • by shanen ( 462549 )
                  Basically if you agree to use SMTP you are accepting that the email will be transmitted in the clear. Most people live with that because they don't even think about it. It sort of falls under the imaginary projection: "It's illegal to look at my snail mail, so my email must be safe." Whatever the legal status of email, it's pretty clear that the neo-GOPs do not feel that way about our personal information, which is where it connects to the original topic in terms of designing software so that it does not in
                  • "Basically if you agree to use SMTP you are accepting that the email will be transmitted in the clear."

                    Which part of "that's what PGP/GPG (or S/MIME) is for" didn't you understand?
                    • by shanen ( 462549 )
                      I'm not saying it's impossible within SMTP. Or what is your intended point?
                    • "I'm not saying it's impossible within SMTP. Or what is your intended point?"

                      My intended point is that by using the SMTP protocol I'm not "basically [...] accepting that the email will be transmitted in the clear": there are known and not difficult to use protocols that are specifically designed to cypher point-to-point e-mail messages.
      • This would actually open up a new field of backup services for email. Google could encrypt the email on my machine and backup only the encrypted data at their end. The encryption and decryption key need never be seen at their end--though of course I need to store them somewhere apart from the machine that is being backed up.

        Why bother storing it on your end if you're going to do this? A web-based email could encrypt email as you checked it, using a key stored on your machine, and then delete the original

        • by shanen ( 462549 )
          Because you need to have it in the clear to do the searching. (Actually this is not strictly true. There are ways to search encrypted data, but not as effectively.) Right now the indexing and searching runs on Google's servers, but if the mail is on your local machine, then you'd also do the indexing and searching on your own machine.

          It does get more complicated when you consider the funding aspects, which basically means advertising revenue in Google's case. However, the question here would be what needs t
          • But this gets back to the other problem of accessibility. I like being able to check my email from home, work, or anywhere. I don't necessarily trust it enough to include, say, medical information there...

            And, yes, it's a good guess that anything with 'citizen' in it is probably a joke.

            • by shanen ( 462549 )
              I addressed this in more detail in another reply, but it sounds like it would be sufficient access for you to replicate your email system among a relatively small number of computers (which would also solve your email backup problem).
            • "But this gets back to the other problem of accessibility. I like being able to check my email from home, work, or anywhere."

              Then you could have a fixed-IP xDSL connection and manage your own mail server/webmail, not that it is such a "geeky" task.
      • by noidentity ( 188756 ) on Sunday October 07, 2007 @01:16PM (#20888999)
        You do realize that e-mail is sent in cleartext the whole way, don't you?
      • by WarJolt ( 990309 )
        Btw, Google does data mining across all products.

        You could publish a public key and have all senders encrypt their e-mail. I've had to do this using PGP for some sensitive e-mail communication. You can still use gmail servers, but you'd either have to decrypt the e-mail yourself or use a program that does it for you automatically.

        If you're worried about private information then encrypt it. As long as you're sending e-mail without encryption your data is unsafe. Too bad most websites don't have a checkbox th
    • As a matter of practice, you store a key to the data on the user's machine but not the data itself. You also use a password or something so that if the user loses the key or logs in from another PC that key can be replaced. If you store the real user data on the local machine (say in a cookie for web apps) then the loss of the cookie means the application breaks for that user. User environments are not reliable enough for this to be acceptable.
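An added example of the design argued over in this subthread (a backup the provider stores only in encrypted form, indexing and search done on the user's own machine, and a password-wrapped copy of the key so it can be replaced from another PC); it is not code from the thread or from Google, and the `LocalMailbox` class, `seal`/`unseal`, the password and the sample messages are constructed for illustration.

```python
"""Client-side encrypted mail backup, an added example (not code from the thread
or from Google). Mail and its keyword index stay on the user's machine; the
provider stores only ciphertext plus a password-wrapped copy of the data key, so
the key can be replaced from another PC without the provider seeing plaintext.
Standard library only: SHA-256 in counter mode plus an HMAC tag (encrypt-then-MAC)
keeps the example offline-runnable; a real deployment would use AES-GCM or similar."""
import hashlib
import hmac
import os
import re


def _sub(key: bytes, purpose: bytes) -> bytes:
    # Separate keystream and MAC keys, both derived from the one data key.
    return hashlib.sha256(purpose + key).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag: only this blob leaves the user's machine."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_sub(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a tampered blob or a wrong key is rejected, not decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_sub(key, b"enc"), nonce, len(ct))))


def wrap_key(password: str, data_key: bytes) -> bytes:
    """Password-wrapped copy of the data key, kept at the provider so the key can be replaced."""
    salt = os.urandom(16)
    kek = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt + seal(kek, data_key)


def unwrap_key(password: str, wrapped: bytes) -> bytes:
    kek = hashlib.scrypt(password.encode(), salt=wrapped[:16], n=2**14, r=8, p=1, dklen=32)
    return unseal(kek, wrapped[16:])


class LocalMailbox:
    """Plaintext and index live here (the user's disk); `provider` is the server's view."""

    def __init__(self, data_key: bytes, provider: dict):
        self.key, self.provider, self.messages, self.index = data_key, provider, {}, {}

    def store(self, msg_id: str, text: str) -> None:
        self.messages[msg_id] = text
        for word in set(re.findall(r"[a-z0-9]+", text.lower())):
            self.index.setdefault(word, set()).add(msg_id)    # indexed locally
        self.provider[msg_id] = seal(self.key, text.encode())  # ciphertext only

    def search(self, word: str) -> list:
        return sorted(self.index.get(word.lower(), ()))


def recover(password: str, wrapped_key: bytes, provider: dict) -> dict:
    """From a new PC: unwrap the key with the password, then decrypt the backup."""
    key = unwrap_key(password, wrapped_key)
    return {mid: unseal(key, blob).decode() for mid, blob in provider.items()}


def demo() -> dict:
    """Constructed sample mail (not real messages); returns what a test can check."""
    provider, key = {}, os.urandom(32)
    box = LocalMailbox(key, provider)
    box.store("m1", "Loan request: please confirm the mortgage rate.")
    box.store("m2", "Lunch on Friday?")
    wrapped = wrap_key("correct horse battery staple", key)   # hypothetical password
    return {"hits": box.search("loan"),
            "leaked": any(b"mortgage" in blob for blob in provider.values()),
            "restored": recover("correct horse battery staple", wrapped, provider)}
```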
      • What result are you talking about that you think I would not like? The premise was that my personal data should be stored locally. This used to be the default case. A 100 years ago, almost all of my personal data could only be obtained by asking me, since almost all records of my personal data were stored in my head. That's why the prohibition against involuntary self-incrimination was so important... If you have some argument against the Fifth Amendment, I'm curious what it might be--and I have a few highl
        • Rule 1: Don't collect any personal data you don't need for the operation of the program or web site.
          Rule 2: For information you DO collect, do not trust the end user not to lose it.

          Your points primarily relate to rule 1 -- That is, my application should not be storing any data not directly needed for its operation. I don't collect ss# because there is no need. I don't store credit card numbers because there is no need. You can't have stolen from me what I do not store.

          On these points, I agree compl
          • Your thinking seems to be muddled. Protecting the security of information (as for backup services) or sharing information (via networks) do *NOT* require knowing what that information is. Google (or other companies) could support backup and information sharing services of personal information without ever having actual access to the information in question.

            They [again referring to corporations and governments] don't want to do that because it is more convenient for them to collect, look at, exploit, and (in
            • TFA is about writing code that treats the data it uses securely. We're not talking about having off-site backups through the internet necessarily. Nobody (surely not me) is saying you should back up your data to an internet site that stores it in a way they can see it. I'm talking about the data you need for the application to work properly -- in the case of an online application. I'm saying you can't rely on the user to store it. You have to store it in your application. Yes, you should do so in a se
  • misread... (Score:4, Funny)

    by cosmocain ( 1060326 ) on Sunday October 07, 2007 @06:45AM (#20886689)
    ...but interesting, too. ;)

    Designing Software With Piracy in Mind
    • Hey! Me too! (Score:1, Interesting)

      by denzacar ( 181829 )
      I thought that there was going to be some talk about MicroSoft's, Adobe's and others techniques for acquiring and maintaining market share...
      You know... all those copies of Windowses and Offices and Photoshops and etc...
      Being so easily distributed and pirated that I am yet to see a user with a licensed Windows copy. Or a legal copy of Photoshop...
      • ...but my copy of xp is licensed! imagine, i actually paid for it (okay, not myself but my employer).
    • by roie_m ( 260122 )
      Good to know I'm not the only one.
  • Privacy (Score:2, Insightful)

    by hyades1 ( 1149581 )
    You might want to pay attention to what Dr. Cavoukian says. I've followed her public statements for quite a while, and she understands clearly what we're on the verge of throwing away by being casual about our privacy.

    Just as an aside: You'll notice when you deal with privacy issues that many of the people who say, "If you aren't doing anything wrong, what are you trying to hide?" usually have pretty rigid limits on what parts of their own lives are on public display. Powerful organizations and people ha
    • Re:Privacy (Score:5, Interesting)

      by RAMMS+EIN ( 578166 ) on Sunday October 07, 2007 @08:41AM (#20887129) Homepage Journal
      So, perhaps you can explain to us all exactly why privacy is so important. The whole story, because I'm sure we've all seen bits and pieces before. What exactly is the risk in letting some organization know everything about everyone? Would the same risk exist if everybody knew everything about everyone? Is the only organization we need to be afraid of the government, or are there others? What are the different kinds of information we need to be concerned about, and what are their relative values? If you could gain a hundred dollars by it, what would you be willing to give up? A million dollars? Your living expenses covered for the rest of your life? What information would you never want to give up, no matter what the reward? Does it depend in any way on societal taboos? If so, isn't the real problem the taboos, not the availability of information? Wouldn't the taboos disappear once we knew, for example, how many people really had visited porn sites? If you did something illegal and the government knew, a malicious government could arrest you for it. A malicious government could also arrest you even if you had never done anything illegal. So what does it matter what the government knows? Etc.
      • databases are risks (Score:2, Informative)

        by erlehmann ( 1045500 )
        somehow it's simple: when government or bigbiz collects information about you, this information is stored in databases. from this information, conclusions are drawn. the simplest thing is that a health insurance won't accept you b/c you are genetically inferior. but, speaking of government, one german citizen was abducted by the CIA [1], another man was wrongfully imprisoned in guantanamo for 5 years [2].

        this happened due to some entries in some databases about them hanging around with the wrong people.

        [1]
      • by ricklow ( 124377 )
        Because privacy protects you from abuse by people in positions of power. Pure and simple.
        • No, privacy protects people in power from abuse by you. The people in power already have access to the things you're trying to keep private, and the things your neighbour is trying to keep private. They are holding all the cards already, and trying to keep you from getting your hands on them.
      • C'mon - the same tired rehash with people getting modded 'interesting' for saying one of either...

        1. If you're not guilty, you've nothing to hide, think of the children, terrorists, blah, blah...

        -OR-

        2. The Govt. or others, (normally Google), should not have the right to know *everything* about you, rant, rave, loss of civil liberties...

        Surely it's rather more nuanced than that? I've got 'nothing to hide', but I'm not about to publish my e-mail here, any more than I am about to leave my car in the street wi
        • by --daz-- ( 139799 )
          It boils down to this: AT THIS POINT IN TIME, it's not quite so bad. If you're not doing anything wrong, you have nothing to fear.

          However, there WILL COME A TIME when the definition of 'WRONG' changes and suddenly you're rounded up for being in the 'WRONG' category due to all the evidence they have against you in the myriad of databases they have on you.

          Cases in point:
          - Supporters of the Tzar during the Octoberist revolution, dissenters and non-party members in Soviet Russia
          - Jews, Catholics, Gays, and oth
      • Down with privacy? (Score:3, Interesting)

        by hdon ( 1104251 )
        I'm glad some people are being honest and asking questions. Kudos to RAMMS+EIN.

        Claiming that privacy's significance is fundamentally rooted in philosophical axioms specifically about privacy are all fine and well, but for those of us who live for more important things in life, something a bit more substantial is required.

        IMHO, the significance of privacy breaks down into four issues, all derived from axiomatic benevolence (a very popular axiom):

        1) Societal taboos: Society is irrational. Most
        • 1) Societal taboos: Society is irrational. Most people are not bright thinkers...

          Stop right there. It's not necessary for society to be irrational for there to be a danger, because individuals are irrational. I'd rather not have any nutbar, who decides to take a dislike to me, have unfettered access to personal details such as my schedule and movements.
      • Forgive the somewhat scattered nature of this post. I'm REALLY pressed for time, and it's difficult to present a complex subject in simple terms without totally losing the point.

        The problem is not with your facts but with their context. For one thing, we used to be guaranteed a level of anonymity by raw numbers. Technological advances are taking that away, but we still base our concept of what total lack of privacy would mean on our current situation. We still enjoy a level of protection we don't apprec
  • Remember, if you have nothing to hide, take off all your clothes!
    • Indeed. Nothing to hide /= nothing illegal.

      Martin
      • Let us eat and drink and be merry, for tomorrow, they might make it illegal. ...

        And don't think I'm kidding. I'm told that in Belarus, people have been arrested for smiling.
    • by Plutonite ( 999141 ) on Sunday October 07, 2007 @11:44AM (#20888305)
      I'm aware you're on the pro-privacy side, but it should not have to come to this. We DO have nothing to hide, some of us, yet the sanctity of our privacy should not be violated by anybody all the same. Even if we feel comfortable revealing something (information, body parts..etc) the revealing should still be a matter of our choice, done with our permission and with our knowledge. Why should I be compelled to do something that I have no interest in doing? Because you are asking me to? Who gives you authority over me? There are nudists who are perfectly convinced they have nothing to hide, and indeed they take it all off. But not for you. It's called freedom.

      Your rhetoric is un-nice.

      • Just so you get the right picture, I am a naturist, but I do wear clothes where others can see me, because I not wish to needlessly upset them. As for privacy, I don't know where I stand. I'm all but certain that privacy is important, but I haven't yet seen a convincing argument as to the why.
        • You were correctly modded interesting, then.

          I will not argue with you about your instinctive inclinations - if you do not feel the non-learned instinct most people have for protecting their reproductive organs with clothing at most times, and particularly in front of other people, then there is little in the way of argument that will convince you. The idea that those who do have these feelings are "hiding something" is correct here. They are in this case "hiding" something which society in general agrees th
        • by turbidostato ( 878842 ) on Sunday October 07, 2007 @08:39PM (#20892257)
          "I haven't yet seen a convincing argument as to the why."

          That's because there's no argument to give. Privacy is the natural state of things: you usually don't know anything about me. Then it is the one that breaks such a 'status quo' who needs to convincingly argue about their intentions. I need no other "convincing argument" for my privacy than "such is my mood".
  • Dr. Ann Cavoukian is Raffi Cavoukian's sister. Yes, that's right - that Canadian children's entertainer. :-)
  • Text or it didn't happen.
  • Small Correction (Score:3, Informative)

    by sdt ( 7606 ) on Sunday October 07, 2007 @02:40PM (#20889637) Homepage
    She's not Canada's privacy commissioner, she's Ontario's (a province of Canada) Information and Privacy Commissioner.
  • I, for one, just want to say: thank you for that link
    I don't think I'd have found it without that article, but I'm very interested. I'm downloading it right now (via torrent)

    this is one of the rare occasions, when reading a /. article was really useful for me... now mod me offtopic :-)