A Framework for Identifying Privacy Threats

Dec 23, 2010

One of the courses I particularly enjoyed last semester was Technology and Delegation. We looked at how technology impacts society, especially in relation to law and policy. One of the major themes was information privacy, and we looked at problems posed by technologies from geolocation APIs to body scanners. For my final reflection piece, I chose to take some of the ideas from Threat Modeling and see how they could be applied in a privacy threat assessment. This is a bolder approach than a standard Privacy Impact Assessment, which assumes the privacy concerns associated with a technology can be easily enumerated. Instead, I suggest a thorough approach to issue spotting by systematically examining all of the information flows in a system, similar to how a threat model attempts to elicit all of the paths from an attacker to an asset. From the paper:

People are troubled by… threats to a widely recognized expectation of privacy, yet there are few tools available to technologists who want to consider the privacy impact of their innovations. Existing approaches, codified in documents like privacy impact assessments, tend to rely on coarse distinctions between private and public information and fail to distinguish information with varying levels of sensitivity. They offer little guidance to the assessor in the practice of surfacing issues, which often requires creativity and antagonistic modeling. The following discussion of a new framework for privacy assessments builds on the Fair Information Principles and template for privacy impact assessments but includes a more detailed and nuanced view of information privacy. Additionally, the framework will borrow techniques from the field of security and threat modeling. Link