I agree with all this and I would add other privacy problems not well captured by the "harms" approach, eg, being subject to discrimination as a result of profiles built from behavioral data. Further, focussing on quantifiable harms to the individual does not capture "harms" that affect communities or society at large rather than just individuals, eg, the erosion of basic rights and freedoms that results from intrusive mass surveillance.
We briefly touch on this topic in a paper we just finished (discussion section). Not sure it is really relevant to this discussion as our focus is to critically compare how social network privacy is framed by computer security and HCI researchers. In case anyone is interested, it is available here https://www.cosic.esat.kuleuven.be/publications/article-2270.pdf On 01 Mar 2013, at 12:37:6, Stephen Farrell wrote: > > Hi Robin, > > On 03/01/2013 10:54 AM, Robin Wilton wrote: >> Two areas that I'm aware of: >> >> 1 - There's a growing and reasonably mature body of work (mostly in the >> public sector) on Privacy Impact Analysis. Most of that is based on >> classifying data as "Personal", "Sensitive Personal" or "Neither of the >> above" and then assessing the risk and impact of its inappropriate >> disclosure. >> >> 2 - The concept of "harm" is also a key one for privacy risk models, but has >> distinct shortcomings. For instance, it can't deal well with data breaches >> where you suspect data has been lost, but you can't tell whether anything >> bad has happened as a result. It has also been a rather crude metric up to >> now, with the US, for instance, tending to rule that "harm" must be >> financial in order to qualify for redress. However, the "harm" model is >> gradually becoming more nuanced, for instance by classification into >> 'physical harm, financial harm and reputational harm'. A far as I'm aware, >> though, that kind of model has yet to be turned into a clear methodology... > > Got any references? Be good to take a peek. > > I guess where I'm unsure is that the risk analysis approach assumes that > we know about vulnerabilities that affect the protocol (either specific > or possible) and we then do a coarse-grained assessment of the threat > (in terms of impact and probability of occurrence); iteratively add > countermeasures to the design, then rinse and repeat until all the > really bad stuff we know about is countered or we've run out of cycles. > > That doesn't capture e.g. that an identifier that I keep using for an > extended duration can become more and more personally identifying over > time, nor that the payloads associated with that identifier might get > more (or less) sensitive over time, from a user's perspective. And > probably a bunch of other privacy related things get missed as well > for example the kinds of temporal correlation that was problematic > in the netflix case, [1] or the potential privacy concerns with > the data that a protocol accumulates over time on hosts that take > part in that protocol. (Now that I mention that, maybe there's an > approach there - to do a risk analysis not on the protocol but > on the set of data that hosts playing or watching the new > protocol can possibly accumulate over time, and also considering > the likely other protocols those hosts or watchers can see or > run?) > > Basically, I'm puzzled as to how to do a good job here, but I > suspect I'm not alone;-) > > BTW, this doesn't impact much on the IAB draft, I don't believe we > have anything much better we can say at this point. It might be > worth mentioning the concern with methodology in that draft though, > and I don't think that's currently done (didn't read it all again > though.) > > S. > > [1] http://arxiv.org/abs/cs/0610105 > > >> >> HTH, >> >> Robin >> >> >> >> Robin Wilton >> >> Technical Outreach Director - Identity and Privacy >> >> On 1 Mar 2013, at 09:37, Stephen Farrell <[email protected]> wrote: >> >>> >>> >>> On 03/01/2013 05:48 AM, SM wrote: >>>> >>>> >>>> At 18:25 28-02-2013, David Singer wrote: >>>>> in 'privacy considerations' I think we need to explore the privacy >>>>> consequences of using protocols 'appropriately'. And there are, and >>>>> it's no longer OK not to worry about them as we design protocols. >>>> >>>> Yes. >>> >>> +1 >>> >>> Personally, I have a not-worked-out theory that the kind of >>> risk analysis we use in security doesn't apply much to >>> considering privacy and that some other methodology would be >>> better, or is needed. >>> >>> Anyone know of generic worked-out methodologies for analysing >>> privacy issues? >>> >>> S. >>> _______________________________________________ >>> ietf-privacy mailing list >>> [email protected] >>> https://www.ietf.org/mailman/listinfo/ietf-privacy >> >> > _______________________________________________ > ietf-privacy mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/ietf-privacy -------------------------------------------------------------------------- Prof. Dr. Ir. Claudia Diaz Katholieke Universiteit Leuven Dept. Electrical Engineering-ESAT / COSIC Kasteelpark Arenberg 10, B-3001 Leuven, BELGIUM tel: +32 16 32 18 14 fax: +32 16 32 19 69 email: claudia.diaz (at) esat.kuleuven.be web: http://homes.esat.kuleuven.be/~cdiaz/ -------------------------------------------------------------------------- _______________________________________________ ietf-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/ietf-privacy
