Catalyst Conference, Day 3 (Friday, July 31)
By identity on Jul 31, 2009
Here are the high points for me:
Privacy: Principles Yield Practice
Bob Blakley (Burton Group)
- Privacy is not about data, it is about people
- Protecting privacy means putting oneself in the place of another and understand the consequences of your actions
- Privacy means different things in different contexts
- Privacy principles:
- meaningful choice
- minimal collection and disclosure
- constrained use
- data quality and accuracy
- validated access
- Put principles into context - then derive set of rules
- IdM systems have much personal data in them. Are we protecting the dignity of the people I know things about?
Privacy Issues Related to Healthcare and Identity
Speaker: David Miller (Covisint)
- IAM is not a security thing. It is a privacy thing.
- Security is about keeping people out; privacy is about letting the right people in.
- Electronic Medical Records (EMR) are being dictated by legislation, but have challenges to overcome, including:
- data exists in many places
- patient access to records depends on many factors
- many organizations want access to information
- regulatory issues
- legal/tort issues
- One solution is a central Health Information Exchange (HIE).
- Several different organizations at the national, state and health care organization level approach HIE's differently.
Privacy - how to have a productive multi-stakeholder discussion
Robin Wilton (Future Identity Ltd.)
- Privacy is usually a multi-stakeholder discussion
- It is difficult for stakeholders to articulate their view of privacy problems in a way that other stakeholders understand
- Use the "Onion Model" to explore and use levels of importance of personal information
- Use the "Ladder Model" to facilitate different viewpoints about privacy
- We are doing all this technical interaction in online networking as if it works the same way as face to face interaction, but it does not.
- "Privacy management" implies being aware of relationships and contexts, and acting accordingly.
- Technology is not an automatic answer to privacy.
A Dual Mission: Identity Management and Privacy Protection in the Federal Government
Bob Mocny, Director, DHS-VISIT Program - Department of Homeland Security
- Identity management is critical to national security
- US VISIT - check credentials for visitors into
- 100 million biometric records used for authentication, 200K transactions/day - largest in the world
- Built privacy into architecture of system
- Secure facilities and networks are in place to protect privacy
- Redress process to correct personal information in the system is essential
- No more important condition between the government and the people it protects than trust
- US VISIT built trust into the biometric system
Bob Blakley (Burton Group)
Bob Mocny (Department of Homeland Security)
Robin Wilton (Future Identity Ltd)
David Miller (Covisint)
- Privacy-enhancing governance is difficult (e.g. if you request that your PII be deleted from a list, is your PII still on the audit trail?)
- Much explicit effort and systems are necessary to avoid unitended consequences of amassing large amounts of personal information.
- People who have grown upon in a hyper-connected, pervasive-surveillance world have tend to have different perspectives of privacy than older people for whom personal information was secret by default.
Partnering via Privacy
Ian Glazer (Burton Group)
- Increased regulatory action, higher penalties, more people looking at privacy - all increase the attention companies must focus on privacy.
- Increased reliance on partners requires companies to understand privacy practices of partners.
- Preform Privacy Impact Assessments (PIA) to determine where we are, how we got here, and how changes can impact risks.
- PIA - opportunity to look at mission goals, design goals and privacy principles - are they in alignment?
- Reduce privacy risk by "cleaning your basement"
- Scary basements (something might be illegal)
- Messy basements (policy in place, but not well-applied)
- Procurement process is the best place to ask tough questions about partner privacy practices.
The Watchmen: UCLA & Georgetown Protect and Defend Privacy and Data Security
Heidi Wachs (Georgetown University)
- Both suffered significant privacy breaches
- Response depends on what data is actually "acquired" vs. how much was "exposed"
- Privacy breaches triggered much public press and discussion
- New policies implemented quickly as a result of the breach have been difficult to implement
How Google Protects the Privacy of Our Users
Shuman Ghosemajumder (Google)
- Google global design principles: transparency, choice, security.
- End to end security is an essential part of every Google Service.
- Google Latitude: make privacy choices very visible and easily assessible, with opt-out at multiple levels.
- Street view: blur faces and license plates automatically, but allow individuals to request blurring if automated process fails.
- Interest base advertising: give users control over categories and opt out at different levels of granularity.
- Gmail: contextual ads caused concern - because of its proximity to and dependence on personal email.
- Data retention: Google anonymizes IP addresses in logs after 9 months.
- Google chose paradigm of "opt-in after the fact", rather than offering "opt-in beforehand" to not disrupt the user experience or advertising ecosystem.
Technorati Tags: Identity, IdentityManagement, DigitalIdentity, Catalyst09, CatalystConference, BurtonGroup, Privacy