Protecting privacy: Building in safeguards for personal data

by Jamie Beckett

• June 16, 2005: More than 40 million credit card accounts are exposed to potential fraud after thieves steal data from an Arizona credit-card processing company.

• June 23, 2005: British tabloid ‘The Sun’ reports that an undercover reporter was able to buy the names, addresses, account and credit-card numbers of 1,000 UK bank customers from a New Delhi call center for a few dollars each.

• June 23, 2005: The U.S. Defense Department says it will hire a private marketing firm to create a database of social security numbers, ethnicity and other personal information of high school and college students to help identify potential military recruits.

Worried yet?

With security breaches and online fraud on the rise, consumers, businesses and government organizations are growing more concerned about protecting individuals' privacy. A team at HP Labs is working on tools to make it easier for businesses to do just that.

"What we mean by privacy is the ability of individuals to retain control over their personal information," says Pete Bramhall, who manages HP Labs' privacy and identity research.

Many privacy advocates’ long-term vision is to allow consumers to conduct even complex transactions anonymously. But, he says, "the reality now is that enterprises have a lot of personal data, and we want to make it easier for them to manage it according to best privacy principles and practices -- and the wishes of the individuals it relates to."

Good privacy, good business

Such protections are more than just doing the right thing. Increasingly, governments are requiring stronger controls on individuals' personal information. Plus, it's just good business sense; dealing correctly and honestly with privacy matters can pay off in terms of branding, trust, customer satisfaction and business opportunities.

"Making privacy a strategic priority creates a reputation in the marketplace that cascades to our customers and their preference to buy HP products," says Barb Lawler, HP's chief privacy officer.

Conversely, worries about poor protections of personal data can hurt business. In June, Gartner Inc. reported results of a study of U.S. consumers showing that security concerns are eroding Internet users' confidence to such a degree that they are curtailing their online purchases and their use of online banking.

Consumers had plenty of worries, Gartner said. But what really unnerved them was the prospect of unauthorized access to their personal and financial information that could result in identity theft and possibly serious damage to their finances and credit.

Built-in privacy protection

The HP Labs team's goal is to build into systems stronger protections for private data – how it's accessed, processed, managed, transferred and eventually deleted. Currently, this is handled on an application-by-application basis. The researchers want to put these policies and controls into middleware that works with many applications and different computing systems.

"That way, you do it only once and then have only one set of policies to manage," says Bramhall. "If you can express these policies in a format that a machine can execute, you can potentially provide more rigorous and more reliable management of private data and so reduce dependencies on unreliable, unpredictable, sometimes malicious humans for the execution of personal data-management processes."

It's an incredibly complex task. Enterprises store vast amounts of confidential data about their customers, their employees and their partners. People have different needs and expectations about how that data will be handled. Most large companies operate in many nations and may need to comply with many different sets of privacy laws, deployed across different applications and computing systems, and many different databases.

Proposed solution

The researchers, based in HP's Bristol, UK lab, are developing solutions that perform three key tasks involved in handling private information:

• Access control – a common approach to enforcing an enterprise’s privacy policies, as well as the preferences that customers and/or employees have regarding access to personal data

• Obligation management -- automating a consistent approach to handling private information according to government regulations, corporate policies and individuals' preferences

• IT system policy compliance check -- evaluating the trustworthiness of a corporation's data-processing applications, services, hardware and software platforms, and networks to assess if these are strong enough to be relied upon for automatic execution of privacy policies and preferences

For some aspects of these, they are working within the PRIME (Privacy and Identity Management for Europe) consortium. PRIME is a four-year effort, partly funded by the European Union, that researches and develops solutions for people to better manage their cyberspace privacy.

Access control

Most businesses already have some way of controlling access to private data, but they lack technology that takes into account the wishes of the person who provided the data. Existing access control software typically operates in a coarse-grained fashion to perform functions like preventing employees from accessing co-workers' personal data. But it doesn't take account any further preferences individuals may have.

Researchers have created a prototype system that integrates the management and enforcement of security and privacy policies into the same framework. Building on HP Select Access software, which manages access rights across large networks, the researchers' privacy-aware access control tool adds plug-ins that represent privacy constraints, executing ‘allow access’ or ‘deny access’ decisions based on them.

The HP Labs prototype supports the creation and execution of fine-grained personal preferences. An online store customer could, for instance, specify controls in this way: "My full address may be accessed only for shipment purposes, only my zip code may be accessed for marketing statistical research purposes and my credit card number may be disclosed only to a supervisor-level person in the accounts receivable department and then only for resolving disputes."

Privacy obligation management

When an organization accepts personally identifiable information, it accepts obligations to manage that data in accordance with its own policies, government regulations and customer preferences. Currently, this can be done within individual applications but not easily across an entire system.

The researchers' prototype is designed to schedule privacy-management actions on personal data – deleting or refreshing personal data at certain intervals, for example. The system triggers these actions and checks to be sure they're performed correctly. In this way, an online store customer could request that credit card details are deleted two days after payment has been received, or that every six months the store asks permission to retain other personal details in its database and checks the accuracy of that information.

Other types of privacy-respecting data management could occur when a transaction is fulfilled; e.g., asking a customer for permission to pass personal data to a business partner in a different country.

The flow of personal data across international borders has already attracted legal scrutiny, says Bramhall, and it's likely to be a more pressing issue in the future as more businesses work with data-processing and customer-support partners across the globe.

"In this environment," he says, "it is imperative for corporations to manage data privacy in a simple, systemic and verifiable manner."

The system is also intended to make it easier to avoid inconsistencies and other problems that occur when personal data is duplicated across a number of applications; e.g., problems like achieving a lasting opt-out from marketing mail.

System policy compliance check

No business can deliver on its privacy promises if its computing systems aren't up to the job. Although it is important to check system integrity, it is also quite difficult because back-end processes that handle personal data are increasingly distributed across dynamically assigned multiple systems within a corporation and among its external partners.

Researchers' prototype solution aims to allow businesses to check the trustworthiness of their system components, as well as those of their business partners to which they may transfer personal data. An application or service may be considered trustworthy if it has been accredited by an independent privacy inspector, such as BBBOnLine or TRUSTe.

Other tests for trustworthy systems could include the presence and use of a TPM chip, a type of microcontroller (used to store cryptographic keys securely) that is compliant with specifications set by the Trusted Computing Group – the not-for-profit standards body for computing security across multiple platforms.

The HP Labs system evaluates computing components by examining distributed system configurations, feeding the findings into a reasoning engine and reporting the resulting measure.Potential uses for the tool include allowing enterprises to determine whether system configurations or processes actually do conform to their assertions about privacy-respecting safeguards, and giving consumers the ability to determine whether unknown merchants on the Web are using IT systems and processes that can be trusted to execute their stated privacy policies.

Future work

In January 2005, HP was named the "most trusted company for privacy" by TRUSTe, the leading online privacy non-profit organization, and the Poneman Institute, a think tank focused on responsible information-management processes. Bramhall says he and his team intend to help HP stay that way. As they continue developing prototypes, they'll be collaborating with others inside HP to design products and services that respect individual privacy.

"When it comes to privacy, we believe you want to build it in, not bolt it on," says Lawler, HP's chief privacy officer. In addition to its internal ‘Design for Privacy’ initiative, HP has built privacy into its business conduct standards. (Read HP's privacy policy here.)

Researchers also plan to work with industry and university partners to standardize the languages used to express policies for privacy-enhanced access control and obligation management.

"Fears about inadequate data privacy are widespread and need to be addressed," says Bramhall, noting the European Union’s concern that losing control of personal information keeps many individuals from participating in the digital world. This could result in the loss of efficiency benefits that universal participation brings.

"Our goal is nothing less than universal participation by citizens and consumers in the digital society and economy," says Bramhall. "We think that can someday be achieved if people are confident that their personal data will be protected and controlled according to their wishes."

Jamie Beckett is managing editor of the HP Labs Web site. Before joining HP in 1999, she was a reporter and editor for the San Francisco Chronicle and a reporter at a number of other newspapers, including USA Today. Jamie is also a published fiction writer.