The Future of Privacy


Is there a future for privacy?

Why

The target of this session is to illuminate the security of personal data from a strategic point of view: risks, controls and measures, and future trends. At the end of this session there should be a set of expert statements concerning current and future challenges for improving the security of personal data. We can use the statements to launch a public OWASP campaign on privacy. A session concerning privacy was held during the OWASP Summit 2011 (see (1)) - the results of that workshop may serve as a basis for the 2017 session.

It is possible to argue that privacy is not a priority in the work of OWASP, but I disagree.

  • Privacy is a very important topic for everyone. As it relates to information security, it should be a priority for OWASP.
  • Improving privacy in the future will primarily be a software challenge, especially for web applications and IoT. That is OWASP.
  • OWASP is well known by experts, but not by the public. I think OWASP should have more weight in public discussion, and a privacy campaign is a good way to raise OWASP’s public profile.

What

  • Personal data risk assessment: Definition and categorization of assets, criticality, vulnerabilities, threat vectors, risks. What work is already done, what remains to be worked out?
  • Privacy-“triage”: what kinds of data are already “lost”, what can still be saved?
  • Which technical solutions will we need in the future - not what is technically possible but what is needed from the viewpoint of individuals?
  • What are the upcoming challenges of web application security for improving privacy/protection of personal data?
  • Who are the stakeholders of these technical developments?
  • Which driving forces can be used to kick-off development processes?

Outcomes

  • OWASP Privacy statements
  • Concept of a campaign and compliance of OWASP community and foundation, road map

Synopsis and Takeaways

“Is there a future for privacy?”

Wilhelm von Humboldt, 1791: “There is no freedom without security”

— A. GENERAL —

A.1 It’s not a legal question! Privacy as a matter for individuals, not courts!

A.2 It’s not a question of compliance (of companies, organizations, etc.)!

A.3 It’s not a question of identifiability: we assume here that you ARE identifiable!

A.4 Review resources: are there resources for privacy which

- list types of privacy items

- deliver categories of privacy

— B. RISKS —

B.1 Types of privacy / personal data (brain storming)

including criticality (high, medium, low, none)
- Name
- Gender
- Address
- Email address
- Phone numbers
- Photos/Videos of person
- Date of birth
- Place of birth
- Name of schools / universities / employers
- Job-position
- Salary
- Property
- Passport data
- Biometric data, e.g. Thumbprint
- Social security number / health insurance ID
- IP address
- Cookies
- Credit card numbers
- Bank account numbers
- Health data
- DNA-profile
- Lifestyle data / tracking
    - Location data / movement profiles
- Consumer data
- Digital signatures
- Digitally stored manual signatures (e.g. signature pads)
- Criminal records
- Political, religious or philosophical beliefs

B.2 Categories of privacy / personal data (brain storming)

Main categories:
- Personally identifiable information (PII)
- Sensitive personal information (SPI) [context dependent]

Sub categories:
- Legally relevant data
- Insurance relevant data
- Socially relevant data
- Financial data

— C. CONTROLS & MEASURES (WEB-APPS) —

C.1 Browser technology: what should be improved (not: what is technically possible, and not what vendors like to do)

C.2 Rules for apps: privacy by design

C.3 Automated information to individuals, not on request (e.g. once a year etc)

— D. FUTURE TRENDS —

D.1 Are technical solutions conceivable that help individuals to collect:

  • Who has which type of personal data stored
  • Where is it stored?

This concerns “white hats”, that is, companies, organizations, and governments who have stored data.

The “black hats” (criminal individuals or gangs) are not in focus here.

Who

The target audience for this Working Session is:

  • Everyone who cares about privacy.

References:

(1) OWASP Summit 2011 Working Session “Privacy” ( https://www.owasp.org/index.php/Talk:Summit_2011_Working_Sessions/Session073 )


Working materials

  • Agenda and results: https://drive.google.com/file/d/0B1vROwh8vCBGWGR6VENqak9SaHc/view?usp=sharing

