Chapter 2: Engineering and Privacy Flashcards

(107 cards)

1
Q

What is the role of Project Managers in the Privacy ecosystem?

A

Ensure that adequate resources are available and that team members communicate effectively

2
Q

What is the role of Marketing and Sales in the Privacy ecosystem?

A

Work with customers to establish new requirements

3
Q

What is the role of Lawyers in the Privacy ecosystem?

A

Track regulatory issues

4
Q

What is the role of Requirements Engineers in the Privacy ecosystem?

A

Collect, analyze and manage requirements

5
Q

What is the role of Designers in the Privacy ecosystem?

A

Translate software requirements into an architecture or design

6
Q

What is the role of Programmers in the Privacy ecosystem?

A

Translate software design into source code

7
Q

What is the role of Testers in the Privacy ecosystem?

A

Validate that the software conforms to the requirements

8
Q

What is the role of Users in the Privacy ecosystem?

A

Operate or interact with the software

9
Q

What is the role of Administrators in the Privacy ecosystem?

A

Install and maintain the software

10
Q

What is the role of the Privacy Engineer in the Privacy ecosystem?

A

Is the Privacy Area Specialist

Serves as a repository of knowledge and works to tailor this knowledge for the different stakeholders

11
Q

What are the responsibilities of the Privacy Engineer in the Privacy ecosystem?

A

Collect critical regulatory requirements from lawyers
Validate that marketing requirements are consistent with laws and social norms
Meet with designers to discuss best practices when translating requirements into design specifications
Collect user feedback and monitor privacy blogs, mailing lists and newspapers for new privacy incidents
Develop a community of practice

12
Q

Name the 6 activities of software developers (regardless of the process used)

A

Requirements Engineering
Design
Implementation
Testing
Deployment
Maintenance

13
Q

Name 2 privacy lifecycle models

A

Privacy Management Reference Model (PMRM)

PReparing Industry to Privacy-by-design by supporting its Application in REsearch (PRIPARE)

14
Q

Name 2 privacy risk assessment methods

A

LINDDUN threat modeling method

Privacy Risk Assessment Methodology (PRAM)

15
Q

What is a Defect in software engineering?

A

A flaw in the requirements, design or implementation that can lead to a fault

16
Q

What is a Fault in software engineering?

A

An incorrect step, process or data definition in a computer program

17
Q

What is an Error in software engineering?

A

The difference between a computed, observed or measured value or condition and the true, specified or theoretically correct value or condition

18
Q

What is a Failure in software engineering?

A

The inability of a system or component to perform its required functions within specified performance requirements

19
Q

What is a Harm in software engineering?

A

The actual or potential ill effect or danger to an individual’s personal privacy, sometimes called a hazard

20
Q

What is a Functional Violation of Privacy?

A

When a system cannot perform a necessary function to ensure individual privacy

21
Q

Provide an example of a Functional Violation of Privacy

A

When PI is disclosed to an unauthorized third party

Defect: lines of computer code that do not correctly check that an access attempt is properly authorized

Fault: the execution of that source code

Error: unauthorized access

Failure: unauthorized third party access

22
Q

Define the term Risk

A

A potential adverse impact along with the likelihood that this impact will occur

23
Q

How are risks calculated?

A

Probability x impact

24
Q

What are the 4 ways of managing risk?

A

Accept
Transfer
Mitigate
Avoid

25
Provide an example of transferring a risk
Property insurance
26
Provide an example of mitigating a risk
Requiring users to log into a system
27
Provide an example of avoiding a risk
Abandoning the functionality, data use or the entire system
28
Name 6 privacy risk models
Compliance model
Fair Information Practice Principles (FIPPs)
Calo's subjective/objective dichotomy
Solove's taxonomy of privacy problems
Nissenbaum's contextual integrity heuristic
NIST privacy risk model
29
Describe the Compliance privacy risk model
Based on applicable laws and policies - the model relies on examining elements of the system to identify deficiencies
30
Describe the Fair Information Practice Principles (FIPPs) privacy risk model
Model relies on aligning with the requirements described in the FIPPs - often dovetails with the compliance model
31
Describe the Subjective/Objective Dichotomy privacy risk model
Relies on assessing the potential for subjective and objective harm - an analyst may examine elements of the system that relate to individuals’ expectations of how their information may be used, actual usage and consent or lack thereof to the collection and use of that information
32
Describe NIST's privacy risk model
Vulnerabilities are problematic data actions that describe system behaviors with privacy implications that create the potential for adverse events. Problematic data actions result in one or many problems for individuals
33
List NIST's catalog of 7 problematic data actions (NIST privacy risk model)
Appropriation
Distortion
Induced disclosure
Insecurity
Surveillance
Unanticipated revelation
Unwarranted restriction
34
Describe the Appropriation problematic data action in the NIST privacy risk model
Use of PI in ways beyond what is expected or authorized by the individual
35
Describe the Distortion problematic data action in the NIST privacy risk model
Use or dissemination of inaccurate or misleading PI
36
Describe the Induced disclosure problematic data action in the NIST privacy risk model
When individuals are pressured to provide PI
37
Describe the Insecurity problematic data action in the NIST privacy risk model
Involves lapses in data security
38
Describe the Surveillance problematic data action in the NIST privacy risk model
When PI is tracked or monitored out of proportion to system objectives
39
Describe the Unanticipated revelation problematic data action in the NIST privacy risk model
Unexpected exposure of facets of an individual as a result of processing
40
Describe the Unwarranted restriction problematic data action in the NIST privacy risk model
Imposition of unjustified constraints on individuals regarding access to the system and its information as it relates to them
41
List NIST's catalog of 8 problems for individuals (NIST privacy risk model)
Loss of autonomy
Exclusion
Loss of liberty
Physical harm
Stigmatization
Power imbalance
Loss of trust
Economic loss
42
Describe the Loss of autonomy problem for individuals in the NIST privacy risk model
Self-imposed restrictions on behaviour
43
Describe the Exclusion problem for individuals in the NIST privacy risk model
Denying an individual knowledge about their PI or the ability to act upon that knowledge
44
Describe the Loss of liberty problem for individuals in the NIST privacy risk model
Improperly raise the possibility of arrest or detainment
45
Describe the Physical harm problem for individuals in the NIST privacy risk model
Direct bodily harm to an individual
46
Describe the Stigmatization problem for individuals in the NIST privacy risk model
Linking information to an identity so as to stigmatize the person associated with that identity
47
Describe the Power imbalance problem for individuals in the NIST privacy risk model
Enable abusive or unfair treatment of an individual
48
Describe the Loss of trust problem for individuals in the NIST privacy risk model
Can result from violations of implicit or explicit expectations or agreements regarding the treatment of PI
49
Describe the Economic loss problem for individuals in the NIST privacy risk model
Direct or indirect financial loss
50
List the 3 categories of risk controls
Administrative
Technical
Physical
51
Describe administrative risk controls
Controls governing an organization's business practices
52
Describe technical risk controls
Controls governing software processes and data
53
Describe physical risk controls
Controls governing physical access to hard copies of data and the systems that process and store electronic copies
54
List 4 administrative risk controls
Appointing a privacy officer who is responsible for organization-wide privacy practices
Developing and documenting privacy and security procedures
Conducting personnel training in privacy
Creating an inventory of personal information to track data practices
55
List 5 technical risk controls
Implementing access control mechanisms
Auditing information access
Encrypting sensitive data
Managing individual consent
Posting privacy notices
56
What are functional requirements?
They describe a specific function of the intended information system
57
What are non-functional requirements?
They describe a constraint or property of the system that an engineer can trace to functional requirements or design elements. Legal standards are non-functional requirements
58
What is the purpose of a tracing matrix?
It traces requirements to downstream artifacts, such as software designs, source code and test cases - it also traces requirements to user agreements, such as privacy policies, terms of use agreements, end-user license agreements and so on
59
In goal-based analysis, what are protections?
Statements that aim to protect a user's privacy
60
In goal-based analysis, what are vulnerabilities?
Statements that threaten a user's privacy
61
When developing privacy completeness arguments, what is meant by ensuring tracing is complete?
Whether the tracing is complete from privacy policy statements to software artifacts that implement those statements
62
When developing privacy completeness arguments, what is meant by ensuring the life cycle is complete?
At each step in the data life cycle for a specific data type, the engineer considers whether the data type requires special consideration
63
When developing privacy completeness arguments, what is meant by ensuring our legal interpretation is complete?
While it is impossible to completely cover every prospective interpretation by an auditor, regulator or judge, there are steps that engineers can take to broaden the scope of their interpretations to capture missed requirements
64
When developing privacy completeness arguments, what is meant by removing or generalizing preconditions?
Generalizing this requirement so that it applies to any personal information, regardless of whether the information concerns practices conducted in that jurisdiction. This has the benefit of streamlining business practices at the cost of extending those practices to other situations where they may not otherwise be required by law or standards
65
When developing privacy completeness arguments, what is meant by grounding legal terms in the domain?
Legal terms determine when a privacy regulation applies and are often purposely written to be abstract so as to make laws flexible and adaptable to new situations or technologies. For example, the California Civil Code requires protecting access codes that can be used to access a personal financial account - this code chapter does not define "access code" or "financial account", thus leaving the interpretation to IT developers and their legal counsel
66
When developing privacy completeness arguments, what is meant by refining by refrainment?
Privacy laws often describe goals to be achieved or obligations that a covered organization must meet. For example, the law may not say that stealing cryptographic keys is a privacy breach, but if you treat it as if it is, the data is more secure
67
When developing privacy completeness arguments, what is meant by revealing the regulatory goal?
An IT developer can seek to comply with the letter of the law; the alternative is to comply with the goal of the law to acquire longer-term benefits, and often the area specialist can help identify these goals
68
What is an anti-goal?
An attacker's own goals or malicious obstacles to a system
69
Describe client-server architecture
Describes the relationship between the client, which is typically a program that runs on a local computer, and the server, which is the program that runs on a remote computer
70
Describe service-oriented architecture
Aims to decouple services from large-scale servers. This enables reuse and separation of concerns and, for increasingly larger systems, improved load balancing by allowing designers to replicate services across multiple machines
71
Describe peer-to-peer architecture
An extreme alternative to client-server architectures whereby each peer is both a client and a server
72
What are design patterns?
Design patterns describe recurring problems through a shared solution that can be repeatedly reused to solve the problem
73
List the 4 elements of a design pattern
1. Pattern name
2. Problem description
3. Solution
4. Consequences
74
List the 8 privacy design strategies that have been defined to date
Minimize
Hide
Separate
Aggregate
Inform
Control
Enforce
Demonstrate
75
What are dark patterns?
Techniques to de-emphasize, obscure or make ambiguous more privacy-preserving response options (making opt-out buttons smaller or lower contrast, not clearly differentiating between required and optional information...)
76
What are trade-spaces?
Important tools for helping engineers, including privacy engineers, think through design trade-offs
77
What is a commonly known trade-space?
Juxtaposing the extent of data sanitization (aka de-identification) with the utility of the sanitized data
78
What are quality attributes in software engineering?
Crosscutting concerns that cannot be addressed by a single function
79
Define identifiability
The extent to which a person can be identified within a system
80
What are the 4 stages in Sarah Spiekermann and Lorrie Faith Cranor's framework for privacy-friendly system design (degrees of identifiability)
Stage 0 - Identified
Stage 1 - Pseudonymous (linkable with reasonable effort)
Stage 2 - Pseudonymous (not linkable with reasonable effort)
Stage 3 - Anonymous
81
What is network centricity?
The extent to which personal information remains local to the client - for example, a designer may choose to retain personal information on the client side and transfer this information only for the limited purpose of completing a transaction
82
Define confidentiality
Refers to the extent to which personal information is accessible by others
83
Define availability
The need to ensure that information is available to satisfy business needs, typically thought of as a security property
84
Define integrity
The extent that the system maintains a reliable state, including the quality of data as being free from error
85
List 3 concerns related to integrity
Accuracy
Completeness
Currency
86
Define mobility
Extent to which a system is able to track movement from one location to another (laptop, smart phone...)
87
What privacy risks does mobility introduce
Location tracking
Possibility of devices being lost or stolen
88
How can we mitigate mobility related risks
Increase security
Minimize the amount of data stored locally
89
List the NIST Privacy Engineering Objectives
Predictability
Manageability
Disassociability
90
What is Predictability according to NIST
Aims to enable reliable assumptions about a system, particularly its data and the processing of that data, by all stakeholders
91
What is Manageability according to NIST
The ability to granularly administer personal information, including modification, disclosure and deletion
92
What is Disassociability according to NIST
Minimization of connections between data and individuals to the extent compatible with system operational requirements
93
What are the 2 activities included in testing
Verification
Validation
94
In testing, what is the verification activity?
Ensures that a resultant system performs according to its requirements
95
In testing, what is the validation activity?
Ensures that requirements satisfy the original needs of the user base for whom the system was developed
96
What does unit testing cover?
Individual functions and system components
97
What does integration testing cover?
Interactions between groups of components
98
What does system testing cover?
Completed portions of the whole system
99
What does acceptance testing cover?
Requirements validation
100
What does regression testing cover?
Ensuring that changes made to an existing system do not affect other components within the system
101
What activities are typically included in system testing?
Security
Performance
Stress
Privacy requirements that relate to the gross behaviour of the system can also be tested at this time
102
What is synthetic data?
Data generated for the purposes of testing - aims to mimic the desired attributes of the real data
103
What is the drawback of synthetic data?
May not adequately represent the variety and messiness of real data
104
What are the characteristics of Alpha testing?
* Is performed on feature-incomplete systems
* Occurs on a small scale, with tens to hundreds of users, rather than thousands or tens of thousands
* Is seldom open to the public
* Is intended to determine major bugs and offer early requirements validation
* Is conducted in-house or through a third-party testing service that will also conduct tests "behind closed doors"
* Will feature extensive means of data collection, given the low number of users involved in the test
105
What are the privacy concerns specific to Alpha testing?
Incomplete and underdeveloped systems
Absence of proper data handling may not be obvious to users (transparency issue)
Data may not be fully protected
106
What are the characteristics of Beta testing?
* Performed on feature-complete systems
* Occurs on a large scale and is often open to the public
* Intended to identify bugs and issues that may interfere with live deployment of the system
* Often conducted on users' personal or employer-owned machines, which may feature a variety of configurations and states
* Officiated by the organization developing the system
* Relies on user issue reporting and other means of data collection that may continue to be available once the system goes live
107
What are the privacy concerns specific to Beta testing?
First time the system will be so widely available or public