Privacy Risk Analysis. Sourya Joyee De

Чтение книги онлайн.

СКАЧАТЬ for the privacy risk analysis, in particular for the identification of the privacy weaknesses and the capacities of the risk sources to get access to the personal data.

      To summarize, the description should be sufficient to ensure that all potential privacy problems arising out of the system can be detected [106]. In most cases (at least for systems developed following a rigorous methodology), a detailed documentation about the system should already be available and it should be sufficient to supplement it with some additional information to meet the requirements of a privacy risk analysis.

      In this chapter, we present a set of attributes useful to characterize a processing system with a view to privacy risk analysis (Section 3.1) and introduce the running example used throughout this book (the BEMS System) with its attributes (Section 3.2).

3.1 SYSTEM ATTRIBUTES

      In order to meet the needs of the subsequent steps of the privacy risk analysis, the description of the system should include at least the following attributes:

      1. The functional specification describing the functionalities that the system is supposed to provide, including the potential use cases or scenarios. The functional specification should be consistent with the declared purpose of the system. It is also useful during the analysis to check compliance with the data minimization principle (personal data should be collected only if necessary to achieve the purpose).

      2. The controls including all existing measures (technical and organizational) to protect personal data. Precise knowledge of existing controls is necessary to detect potential privacy weaknesses.

      3. The interface including all interactions of the system with the external world, including users and other systems, and the possibility or not to collect the consent of the user. The interface is useful, inter alia, to detect potential risks related to data dissemination, transfers to third parties and lack of control from the users.

      4. The data flows describing the internal view of the system, including the basic components, their locations, supporting assets, the access rights and the data flows between them. The analysis of the data flows is instrumental in the search for privacy weaknesses.

      5. The supporting assets consisting of all software, hardware and networks on which the system relies and the stakeholders controlling them. Supporting assets, in conjunction with data flows and actors, are useful to analyze the capacities of the risk sources to get access to personal data.

      6. The actors having access to the system or interacting with it, including roles inside the organization of the data controller and the access rights of each actor.

      This set of attributes is inspired by previous work on privacy risk analysis. For example, the view-based approach proposed by Oetzel and Spiekermann [106] includes:

      1. The system view, which takes into account applications, system components, hardware, software, interfaces and the network topology.

      2. The functional view, which consists of generic business processes, use cases, technical controls, roles and users.

      3. The data view, which consists of categories of data processed by the system, data flow diagrams, actors and data types.

      4. The physical environment view, which includes physical security and operational controls such as backup and contingency measures.

      A whole chapter (Chapter 4) is dedicated to personal data in this book. The other components presented in [106] overlap with the above list of attributes.

      The definition of the data flows is a key part of the characterization of a system. A standard approach is to resort to data flow diagrams (DFD), which are structured, graphical representations based on four main types of building blocks: external entities, data stores, data flows and processes [166]. Deng et al. [40] propose an enhanced representation of data flows with trust boundaries to separate trustworthy and untrustworthy elements of the system. These boundaries are used to identify the potential risk sources. As argued in [166], the definition of the DFD is a crucial step in a privacy risk analysis and an incorrect DFD is likely to result in erroneous conclusions about privacy risks. Moreover, the granularity of the DFD dictates the level of detail at which the analysis can be conducted.

3.2 ILLUSTRATION: THE BEMS SYSTEM

      In this section, we introduce the BEMS¹ System used to illustrate the concepts discussed throughout this book. The BEMS System includes the billing and the energy management functionalities of a hypothetical smart grid system. This choice is not insignificant: smart grid initiatives, which are now under deployment in many countries, already face a large number of privacy related questions. As utility providers promise benefits in terms of home energy management, researchers [20, 36, 64, 88, 95, 98, 122, 159] warn against the potential privacy harms posed by the collection of highly granular energy consumption data. Many potential privacy harms of various levels of likelihood and severity have already been identified, including surveillance by governments and law enforcing bodies [25, 43, 88, 94, 96], burglary [88, 94, 122] and targeted advertising [19, 25, 88, 93, 94, 122]. Utility providers are facing the task of taking appropriate measures and convincing both their consumers and regulatory bodies that these measures are sufficient to handle potential harms. Carrying out privacy impact assessments is therefore inevitable for the smart grid industry [36]. Needless to say, our goal is not to provide a full scale privacy risk analysis for a smart grid system here but, more modestly, to use some of its features as a working example to illustrate the notions presented in this book.

      The system attributes introduced in the previous section are defined as follows for the BEMS System:

      1. Functional specification.

      – The User Registration System is used to register new consumers with the utility provider.

      – The Consumer Information System stores and manages all consumer identification, contact, billing and energy management information. It consists of the Consumer Data Store and the Consumer Information Management Application. The latter implements security functions for the protection of the Consumer Data Store. In particular, it is involved in ensuring that only authorized applications, sub-systems and actors get access to the data. It also performs other functions such as the creation of the meter ID and the user portal account number.

      – The Meter Data Management System stores and manages the energy consumption data and the corresponding meter ID. It consists of the Meter Data Store and the Meter Data Management Application. The Meter Data Management Application ensures that only authorized sub-systems, applications and actors can access the data and implements other security-related functions to ensure the protection of the Meter Data Store.

      – The Utility Gateway collects energy consumption data (corresponding to meter IDs) from smart meters. It contributes to the implementation of some functionalities of the Meter Data Management Application by ensuring that only the authorized subsystems, applications and actors can access the data.

      – The Smart Meter collects energy consumption data from home appliances. It includes a security module to encrypt and sign the data before sending it to the utility gateway.

      – The Payment Management System handles all billing, payment and energy management related functions. It consists of three applications: the Billing Application that generates СКАЧАТЬ