Designing Software With Privacy in Mind
dalektcalum writes "Dr. Ann Cavoukian, Canada's Information and Privacy Commissioner, recently gave a talk entitled Privacy by Design. The talk starts off by covering the basics of privacy and privacy law, and then moves on to the important component: how to design software that properly protects users' privacy. The majority of the talk is spent on design principles, but it also examines specific technologies (such as Elliptical Curve Cryptography)." The site includes a flash video of the talk, but there are also several torrents for folks who want to avoid hammering their servers.
Bah, user privacy my bottom. Information wants to be free! Now the government privacy komisar wanting to implement biometrics to 'protect' me seems like some crazy leftist nutjob after my vital fluids.
Privacy is really important, and watching this talk makes me realize I have not been doing my part as a software developer to respect users' privacy. Hell, I log way too much information, just to make debugging a little easier on the off chance I have to debug it in production. I'd encourage all software developers out there to watch this talk and take its message to heart.
I'm really glad this talk finally made it online. I'm a UW student, but unfortunately wasn't able to attend (stupid cap on number of math students...)
I'll believe they [the big companies and the government] are sincere about my privacy when they agree to store my personal information on *MY* disk space. Whenever they want to look at my personal information they need to tell me why, and I should have the right to say yea or nay to that request. Right now they claim that my personal information belongs to them, and there's no way for me to know anything about what they are doing with it.
In more detail, this should actually be implemented by my settings of my privacy preferences. Most requests would be handled routinely without my needing to consider them in detail. For example, if I'm requesting a loan from my bank and they want to check my credit history, then my privacy policy would be to check that it was really my bank and that I had really initiated the loan request, and then they could look at the required information. If they need to compile some summary statistics, I'd agree for them to look at some of my information long enough to tally it. Etc., etc.
If they need to make sure that I don't tamper with my data, they can sign it and put a checksum on it, and I won't be able to tamper with it. There are actually technologies that would still allow me to see what the information is even in that case. Actually, any technical problem you want to point at, I can refer you to the solutions. They are already published in the literature.
The *REAL* problem is that the companies want to own us.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
...but interesting, too. ;)
Designing Software With Piracy in Mind
Picking on Google because of their prominence, but this is how Gmail could be designed to really respect my privacy by storing the data on my own computer. (This would also take care of the 2 GB limitation.)
The email and the indexes would live on my machine. When I'm reading some email with Gmail, it would scan the email and send only the appropriate keywords to Google, and they would respond with the appropriate ads to be displayed in the appropriate boxes on my computer--but they would not have any direct access to my email once I had received it.
This would actually open up a new field of backup services for email. Google could encrypt the email on my machine and backup only the encrypted data at their end. The encryption and decryption key need never be seen at their end--though of course I need to store them somewhere apart from the machine that is being backed up. They could also provide email syncing services in the same way without ever seeing the clear data that is being synced.
You might want to pay attention to what Dr. Cavoukian says. I've followed her public statements for quite a while, and she understands clearly what we're on the verge of throwing away by being casual about our privacy.
Just as an aside: You'll notice when you deal with privacy issues that many of the people who say, "If you aren't doing anything wrong, what are you trying to hide?" usually have pretty rigid limits on what parts of their own lives are on public display. Powerful organizations and people have tools to limit what you learn about them. Average folks have only their rights under the constitution. You won't have them for long if you forget that as a law-abiding citizen living your life in a free society, it's your right not to be bothered by people sticking their nose in your business.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
There is a webcam of the place up at http://csclub.uwaterloo.ca/office/webcam-streaming.html with who I can only assume is the sysadmin staring at some machines :P
Also, the office number is 1-519-888-4567 x 33870 (according to http://csclub.uwaterloo.ca/about/ )
I thought that there was going to be some talk about MicroSoft's, Adobe's and others techniques for acquiring and maintaining market share...
You know... all those copies of Windowses and Offices and Photoshops and etc...
Being so easily distributed and pirated that I am yet to see a user with a licensed Windows copy. Or a legal copy of Photoshop...
Against stupidity the gods themselves contend in vain.
Remember, if you have nothing to hide, take off all your clothes!
Please correct me if I got my facts wrong.
Somehow it's simple: when government or bigbiz collects information about you, this information is stored in databases. From this information, conclusions are drawn. The simplest thing is that a health insurer won't accept you b/c you are genetically inferior. But, speaking of government, one German citizen was abducted by the CIA [1], another man was wrongfully imprisoned in Guantanamo for 5 years [2].
This happened due to some entries in some databases about them hanging around with the wrong people.
[1] http://en.wikipedia.org/wiki/Khalid_El-Masri
[2] http://en.wikipedia.org/wiki/Murat_Kurnaz
...but my copy of XP is licensed! Imagine, I actually paid for it (okay, not myself but my employer).
Dr. Ann Cavoukian is Raffi Cavoukian's sister. Yes, that's right - that Canadian children's entertainer. :-)
Text or it didn't happen.
C'mon - the same tired rehash with people getting modded 'interesting' for saying one of either...
1. If you're not guilty, you've nothing to hide, think of the children, terrorists, blah, blah...
-OR-
2. The Govt. or others, (normally Google), should not have the right to know *everything* about you, rant, rave, loss of civil liberties...
Surely it's rather more nuanced than that? I've got 'nothing to hide', but I'm not about to publish my e-mail here, any more than I am about to leave my car in the street with the keys in it. As always, the lawmakers lag behind technology, so it's up to us to act responsibly - both as custodians of information, and citizens. Don't capture and store more personal information than you really need, and don't tolerate others doing it either.
It boils down to this: AT THIS POINT IN TIME, it's not quite so bad. If you're not doing anything wrong, you have nothing to fear.
However, there WILL COME A TIME when the definition of 'WRONG' changes and suddenly you're rounded up for being in the 'WRONG' category due to all the evidence they have against you in the myriad of databases they have on you.
Cases in point:
- Supporters of the Tsar during the October Revolution, dissenters and non-party members in Soviet Russia
- Jews, Catholics, Gays, and others in Nazi Germany when they decided that many in these groups were enemies of the state
She's not Canada's privacy commissioner, she's Ontario's (a province of Canada) Information and Privacy Commissioner.
As a matter of practice, you store a key to the data on the user's machine but not the data itself. You also use a password or something so that if the user loses the key or logs in from another PC that key can be replaced. If you store the real user data on the local machine (say in a cookie for web apps) then the loss of the cookie means the application breaks for that user. User environments are not reliable enough for this to be acceptable.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
What result are you talking about that you think I would not like? The premise was that my personal data should be stored locally. This used to be the default case. A 100 years ago, almost all of my personal data could only be obtained by asking me, since almost all records of my personal data were stored in my head. That's why the prohibition against involuntary self-incrimination was so important... If you have some argument against the Fifth Amendment, I'm curious what it might be--and I have a few highly personal and highly objectionable questions that I bet you don't want to answer.
The question of backup is a completely *DIFFERENT* aspect of software privacy. There are a number of possibilities that still consider privacy. For example, you could divide the files into multiple pieces with one of the encodings such that some number of pieces need to be collected before the decryption is possible, though the most common solution is to trust one entity to hold all of the backup. However, in either of those cases you can still encrypt the data that is being backed up and keep the decryption key locally or in a trusted escrow system.
Rule 1: Don't collect any personal data you don't need for the operation of the program or web site.
Rule 2: For information you DO collect, do not trust the end user not to lose it.
Your points primarily relate to rule 1 -- that is, my application should not be storing any data not directly needed for its operation. I don't collect SSNs because there is no need. I don't store credit card numbers because there is no need. You can't have stolen from me what I do not store.
On these points, I agree completely with you.
My point is on that information I do need (in the case of my work, this involves cell phone numbers and email, often home address and telephone numbers as well) my users would be very upset if I did not store this on my end so that it was available to them without them having to re-enter it from any other PC or if they deleted local cookies.
Your thinking seems to be muddled. Protecting the security of information (as for backup services) or sharing information (via networks) do *NOT* require knowing what that information is. Google (or other companies) could support backup and information sharing services of personal information without ever having actual access to the information in question.
They [again referring to corporations and governments] don't want to do that because it is more convenient for them to collect, look at, exploit, and (in a worst case) even release your personal information. My original point was that the only real defense of privacy would be if we hold and control our own personal information, which could potentially take us back to the Bill of Rights. Especially in the case of a government, if the government wants access to our personal information, they should have to show why. As it stands now, the government can simply buy most of our personal data directly from the companies that 'own' it.
TFA is about writing code that treats the data it uses securely. We're not talking about having off-site backups through the internet necessarily. Nobody (surely not me) is saying you should back up your data to an internet site that stores it in a way they can see it. I'm talking about the data you need for the application to work properly -- in the case of an online application. I'm saying you can't rely on the user to store it. You have to store it in your application. Yes, you should do so in a secure way, but you have to be able to read it so that you can use it to do whatever your application does. If your application doesn't need it, you shouldn't be storing it at all.
I, for one, just want to say: thank you for that link
/. article was really useful for me... now mod me offtopic :-)
I don't think I'd have found it without that article, but I'm very interested. I'm downloading it right now (via torrent)
this is one of the rare occasions, when reading a
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
*They're* over *there* sitting in *their* chairs. Thank you.
It is pitch black. You are likely to be eaten by a grue.
In the slide labeled "More Security Per Bit", the value at the bottom right should be 512.
Cases in point:
- Supporters of the Tsar during the October Revolution, dissenters and non-party members in Soviet Russia
- Jews, Catholics, Gays, and others in Nazi Germany when they decided that many in these groups were enemies of the state
C'mon -- that's ancient history.
- Martin Luther King
- Daniel Ellsberg
- United Farm Workers' Union
- the Quakers
- people in the Catholic Worker movement
- all the people J. Edgar Transvestite held under the whip like sheep with his dossiers
- probably Mother Theresa
- probably you already
- certainly me for my activities in the 60s, 70s and 80s
I'm glad some people are being honest and asking questions. Kudos to RAMMS+EIN.
Claiming that privacy's significance is fundamentally rooted in philosophical axioms specifically about privacy is all fine and well, but for those of us who live for more important things in life, something a bit more substantial is required.
IMHO, the significance of privacy breaks down into four issues, all derived from axiomatic benevolence (a very popular axiom):
1) Societal taboos: Society is irrational. Most people are not bright thinkers, and have a great deal of difficulty with the abstract logic required to view all aspects of life from an objective point of view (no, objective POV does not mean mean or median point of view; FOX news is not "fair and balanced.") If we lived in a society which had a strong rational majority, this point would be rendered pretty irrelevant. Take the relatively recent acceptance of homosexuality by society: if society were largely rational, then pre-existing societal taboos would not be a compelling reason to protect people's privacy. However, since social revolutions don't occur overnight, the only way to let such people live in peace is to give them a degree of privacy within which to live. If we took away their privacy now, many people might simply choose to wholly deny their secret inclinations, and no social revolution would ever occur.
2) Omniscience versus state secrets: Are the majority of surveillance advocates actually suggesting we divulge all state secrets? Personally, I'm in favor of an entirely transparent government. However, if this is not part of the no-privacy deal, get ready for a kick in the nuts: The power to erase privacy is an awesomely frightening power that makes conspiracy theories start to look like real possibilities. If you're used to summarily disregarding conspiracy theorists as raving madmen, and you don't think privacy is important, get ready to change your tune. Once the kind of concentrated surveillance power the Bush administration dreams of actually exists, there ceases to be a practical limit on domestic black ops. The most convoluted of conspiracy theories will no longer be relegated to novels; it will really be able to happen. (I'm not accusing the government of doing anything like this, but the government isn't a single person. Resist the inclination to personify organizations; they aren't that simple. A single rogue government agent with sufficient power would be all that's needed.)
3) Revolution: Strongly related to the first two points is something that has already been demonstrated (and demonstrated against) in our own country. Giving the government or the public access to everything you read is not completely unlike giving them access to everything you think. There are people in our country, including many of middle-eastern descent, who have a real, credible fear of purchasing certain books with a credit card, or checking them out at a library. Profiling, no matter how distasteful, is real, and its role in law enforcement is not going to go away. Beside that, there is the issue of trial in the court of public opinion: People should not have to face ridicule or discriminatory treatment for entertaining or studying currently-unfavorable ideas. Our culture would be locked into the status quo, with no opportunity for radical improvement.
4) Law enforcement: Although this point is largely predicated upon the potential for a fully pervasive surveillance system, it's still an important consideration. A public policy dismantling any notions of personal privacy does not automatically compel individuals to actually comply to the point of volunteering the most private details of their lives. Every person with a vibrator or porno collection to hide would be highly suspect in a community where everyone let the cops rummage through their homes on a whim. This is the same reason I use encryption to communicate with friends and colleagues, and the same reason that I don't allo