Privacy Risk Analysis. Sourya Joyee De
The different approaches followed for the definition of personal data in the EU and the U.S. are further discussed in Chapter 4.
2.2 STAKEHOLDERS
The term “stakeholder” is commonly used in the literature, generally without definition. Even though its meaning may look obvious, we define it as follows to avoid any ambiguity.
Definition 2.2 Stakeholder. A stakeholder is any entity (individual or organization) to which a piece of data relates, or that processes or gets access (legally or not) to a piece of data at any stage of its lifecycle.
The EU Directive provides comprehensive definitions of different types of stakeholders, whereas the U.S. privacy laws and regulations rely on sectoral definitions. In this book, we follow the same approach as the EU Directive and consider the following stakeholders:
• data controllers,
• data subjects,
• data processors and
• third parties.
We also chose to use definitions inspired by the EU Directive for these terms.
Definition 2.3 Data Subject [10, 32, 47, 48]. A data subject is an identified or identifiable natural person to whom the personal data relates.
Definition 2.4 Data Controller [32, 47]. A data controller is an entity (individual or organization) that, alone or jointly with others, determines the purpose, conditions and means of processing of personal data.
Definition 2.5 Data Processor [47]. A data processor is an entity (individual or organization) that processes personal data on behalf of the data controller.
Definition 2.6 Third Party [47]. A third party is an entity (individual or organization) other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.
Typical examples of third parties include ad brokers installing cookies on the computer of the data subject, marketing companies receiving personal data from the data controller, or peers in a social network.
Some difficulties may arise when applying these definitions to practical scenarios, especially those involving multi-party processing arrangements and cloud computing. In some cases, the roles of data controller and data processor cannot be distinguished easily.
The roles defined above are not mutually exclusive. For example, a data controller for one set of data or operations may act as a data processor for another set of data or operations. Moreover, consistent with the approach followed in the EU Directive, the above definitions do not imply the lawfulness of the actions of any entity. A data controller, for example, may process data legally or illegally; it may process data without any legitimate purpose or collect more data than necessary for the purpose. This is in agreement with the opinion of the Article 29 Working Party [8], which clarifies that the data controller only “determines,” rather than “lawfully determines,” the purpose and the means of data processing.
2.3 RISK SOURCES
One of the first steps in a risk analysis is to identify the potential sources of risks, that is to say the entities whose actions can lead to a privacy breach. These entities are often referred to as “adversaries” or “attackers” in the security literature but we prefer to use the term “risk source” here as it is less security-laden and it is not limited to malicious actors. We define a risk source as follows:
Definition 2.7 Risk source. A risk source is any entity (individual or organization) that may process (legally or illegally) personal data related to a data subject and whose actions may directly or indirectly, intentionally or unintentionally lead to privacy harms.
Any of the stakeholders, apart from the data subject himself, may be a risk source. Each risk source should be associated with a number of attributes, including its capabilities, background information, motivations, etc. We discuss risk sources and their attributes in Chapter 6.
2.4 FEARED EVENTS
A feared event is a technical event in the processing system that can lead to a privacy harm. An unauthorized party gaining access to the health data of a patient, or a controller re-identifying a person from an allegedly anonymized dataset, are examples of feared events. The occurrence of a feared event depends on the existence of weaknesses (of the system or the organization), which we call privacy weaknesses, and on the ability of the risk sources to exploit them.
Definition 2.8 Feared Event. A feared event is an event of the processing system that may lead to a privacy harm.
Definition 2.9 Privacy weakness. A privacy weakness is a weakness in the data protection mechanisms (whether technical, organizational or legal) of a system or lack thereof.
As an illustration, a weak encryption algorithm used to protect personal data is a privacy weakness; a weak anonymization algorithm is another. The term “vulnerability” is often used with a close meaning in computer security, but we choose the expression “privacy weakness” here because in some cases privacy harms stem from the intended functionality of the system itself (which would not usually be considered a vulnerability in the usual sense of the word). For the same reason, we use the expression “harm scenario” for the succession of events leading to a feared event, which the security literature usually calls an “attack.” In the simplest cases (for example, an unauthorized employee accessing unprotected data), the exploitation of the privacy weakness is the feared event itself and the harm scenario boils down to a single event. A more complex harm scenario would be a succession of login attempts using passwords from a dictionary, leading to the discovery of the correct password and then to access to the personal data.
Definition 2.10 Harm scenario. A harm scenario is a succession of events or actions leading to a feared event.
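As an added illustration of Definitions 2.8 to 2.10 (example code written for this edition of the page, not code from the book), the Python below plays out the re-identification feared event mentioned in Section 2.4. The privacy weakness is a health release whose quasi-identifiers (zip code, birth year, sex) are published in full; the harm scenario is a single join against a public register that the risk source already holds; the feared event is the unique link from a diagnosis to a named person; and the k-anonymity check is the test that would have flagged the weakness before release. All records, names and the generalization rule are constructed for the example.

```python
"""Linkage attack on a 'de-identified' release, and the k-anonymity check
that exposes the privacy weakness.  All data below is constructed."""
from collections import Counter, defaultdict

# Constructed "anonymized" health release: names removed, but the
# quasi-identifiers (zip, birth_year, sex) are released in full.
HEALTH_RELEASE = [
    {"zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02138", "birth_year": 1973, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "flu"},
    {"zip": "02141", "birth_year": 1985, "sex": "M", "diagnosis": "depression"},
    {"zip": "02139", "birth_year": 1978, "sex": "M", "diagnosis": "migraine"},
    {"zip": "02140", "birth_year": 1983, "sex": "M", "diagnosis": "anemia"},
]

# Constructed public register (think: voter list) that the risk source
# already holds as background information.
PUBLIC_REGISTER = [
    {"name": "Alice Adams", "zip": "02138", "birth_year": 1961, "sex": "F"},
    {"name": "Bob Brown", "zip": "02138", "birth_year": 1973, "sex": "M"},
    {"name": "Carol Clark", "zip": "02139", "birth_year": 1961, "sex": "F"},
    {"name": "Dana Davis", "zip": "02139", "birth_year": 1961, "sex": "F"},
    {"name": "Evan Evans", "zip": "02141", "birth_year": 1985, "sex": "M"},
    {"name": "Fay Fox", "zip": "02141", "birth_year": 1988, "sex": "M"},
    {"name": "Gus Green", "zip": "02139", "birth_year": 1978, "sex": "M"},
    {"name": "Hal Hill", "zip": "02140", "birth_year": 1983, "sex": "M"},
]

QUASI_IDS = ("zip", "birth_year", "sex")


def qi_key(rec, quasi_ids=QUASI_IDS):
    """The tuple of quasi-identifier values a record is joined on."""
    return tuple(rec[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means some record is unique on its quasi-identifiers alone,
    i.e. the release carries a privacy weakness (Definition 2.9)."""
    return min(Counter(qi_key(r, quasi_ids) for r in records).values())


def linkage_attack(release, register, quasi_ids=QUASI_IDS):
    """Harm scenario (Definition 2.10): join the release to the register on
    the quasi-identifiers.  Returns {release_index: name} for every record
    that links to exactly one person; each entry is a realised feared event
    (Definition 2.8): a diagnosis now attached to a named individual."""
    names_by_key = defaultdict(list)
    for person in register:
        names_by_key[qi_key(person, quasi_ids)].append(person["name"])
    hits = {}
    for i, rec in enumerate(release):
        names = names_by_key.get(qi_key(rec, quasi_ids), [])
        if len(names) == 1:
            hits[i] = names[0]
    return hits


def generalize(rec):
    """Constructed mitigation: coarsen the quasi-identifiers to a 3-digit zip
    prefix and a birth decade before release.  The attacker can apply the
    same rule to the register, so the test is whether links stay ambiguous."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3] + "**"
    out["birth_year"] = rec["birth_year"] // 10 * 10
    return out


def generalize_all(records):
    return [generalize(r) for r in records]


if __name__ == "__main__":
    print("raw release: k =", k_anonymity(HEALTH_RELEASE))
    print("re-identified:", linkage_attack(HEALTH_RELEASE, PUBLIC_REGISTER))
    gen_release = generalize_all(HEALTH_RELEASE)
    gen_register = generalize_all(PUBLIC_REGISTER)
    print("generalized release: k =", k_anonymity(gen_release))
    print("re-identified:", linkage_attack(gen_release, gen_register))
```

On the raw release k is 1 and five of the seven records link to exactly one name; after generalization k rises to 2 and no record links uniquely. The caveat a practitioner should keep in mind is that k ≥ 2 only blocks unique linkage: if every record in an equivalence class carries the same diagnosis, the risk source still learns the sensitive attribute of everyone in it, which is why k-anonymity is normally paired with a diversity requirement on the sensitive column.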
2.5 PRIVACY HARMS
Feared events denote events (in a technical sense) that have to be avoided. The ultimate goal of a privacy risk analysis is the study of the impacts of these events on individuals, groups or society, which we call “privacy harms.” For instance, unauthorized access to health data (a feared event) by a risk source may cause privacy harms such as discrimination (against a patient or a group of patients) or psychological distress. Similarly, illegal access to location data such as a home address may lead to economic or physical injury (e.g., burglary or murder).
The characterization of privacy harms is not an easy task as it may depend on many contextual factors (cultural, social, personal, etc.). Obviously, societies in different parts of the world follow different sets of unwritten rules and norms of behavior. For example, a data subject belonging to a certain society may feel uneasy if his religious beliefs (or lack thereof) or sexual preferences are revealed. “Acceptance in society” is generally