PRIVACY RISK ASSESSMENT

Contributor

Jeff Stollman

Scope of Work

P3wg can make a valuable contribution to privacy by crafting a Privacy Risk Assessment. To date, this type of assessment has not been done, even though it is fundamental to any privacy risk analysis. Current discussions of risk rely on citing examples of breaches, but have not evaluated which data items subject a person to the most risk.

To date, the only risks that have been considered in the area of identity are the initial vetting risk to Identity Providers and the authentication risk to Relying Parties. Because Identity Providers and Relying Parties are commonly large enterprises (commercial and government), they have had the resources to invest in assessing their exposures. This has not been the case for the public at large, who are typically the Users of services.

Assessing risk at the data item level (e.g., first name, last name, street address, social insurance number) would allow us to prioritize data items according to risk and provide Identity Providers and Relying Parties a basis for optimizing their selection of data items to meet both their needs for assurance and the user's need for privacy. For example, we know from experience that certain data items (e.g., last name, ethnicity, street address) have been used to cause physical harm (e.g., kidnapping, murder, genocide). Other data items (e.g., US social security number) have been used to cause financial harm (e.g., theft from banking and credit card accounts). Other impacts include reputational harm and harm to national security.

The risk assessment would begin by attempting to identify the impacts associated with each data item and their associated likelihood. Once a method for collecting/measuring these data is devised and the information is collected, we would then need to find ways to categorize/summarize our findings to make them useful. For example, we may find that certain data items should not be used for identification purposes because they pose too great a risk. Having data behind such a conclusion aids in convincing Identity Providers and Relying Parties to use alternative selections.

One of the challenges to this effort is the lack of hard data with which to measure the impact and probability of privacy breaches. But there are techniques to overcome this and still develop ordinal measures of risk that can be replaced by hard numbers as data become available.
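As an added illustration (not part of this proposal), here is one way to set up the data-item-level scoring the paragraphs above describe: an ordinal impact and likelihood rating for each data item in each harm category the proposal names, a ranking of data items by total risk, and a threshold that flags items too risky to use for identification. All ratings, the combination rule and the threshold are constructed placeholders, not findings.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Ordinal scale used until measured data is available."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3

# Harm categories the proposal names.
HARM_CATEGORIES = ("physical", "financial", "reputational", "national_security")

@dataclass
class DataItem:
    name: str
    ratings: dict  # harm category -> (impact, likelihood); omitted means NONE

    def risk_by_harm(self) -> dict:
        # impact x likelihood is a placeholder rule that preserves ordering on
        # this scale; swap in measured loss and frequency once data exists.
        out = {}
        for h in HARM_CATEGORIES:
            impact, likelihood = self.ratings.get(h, (Level.NONE, Level.NONE))
            out[h] = int(impact) * int(likelihood)
        return out

    def total_risk(self) -> int:
        return sum(self.risk_by_harm().values())

def rank_items(items):
    """Highest total risk first; ties keep input order."""
    return sorted(items, key=lambda d: d.total_risk(), reverse=True)

def too_risky_for_identification(items, threshold):
    """Names of items at or above the threshold, highest risk first."""
    return [d.name for d in rank_items(items) if d.total_risk() >= threshold]

# Constructed illustrative ratings, not measured findings.
L = Level
SAMPLE_ITEMS = [
    DataItem("first_name", {"physical": (L.LOW, L.LOW), "financial": (L.LOW, L.LOW), "reputational": (L.LOW, L.LOW)}),
    DataItem("last_name", {"physical": (L.HIGH, L.LOW), "financial": (L.LOW, L.MEDIUM), "reputational": (L.LOW, L.LOW)}),
    DataItem("street_address", {"physical": (L.HIGH, L.MEDIUM), "financial": (L.MEDIUM, L.MEDIUM), "reputational": (L.LOW, L.LOW)}),
    DataItem("us_ssn", {"physical": (L.LOW, L.LOW), "financial": (L.HIGH, L.HIGH), "reputational": (L.MEDIUM, L.LOW), "national_security": (L.LOW, L.LOW)}),
]

if __name__ == "__main__":
    for item in rank_items(SAMPLE_ITEMS):
        print(f"{item.name:15} total={item.total_risk():2} {item.risk_by_harm()}")
```

Because the inputs are ordinal, only the resulting order of data items is meaningful; the numeric totals are not comparable across assessments until measured values replace the placeholders.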

Performing this assessment allows us to answer questions such as:

1. Is the privacy risk of establishing a national ID program in country X worth the reduction in the risk of terrorism? Does a national ID program in country X actually increase the risk of terrorism through increased risk to privacy?
2. Can the privacy risk exposures to Company Y of holding various Personally Identifiable Information (PII) on its clients be reduced by selecting different data items for authentication and/or marketing purposes?
3. What level of regulatory penalties would be effective in compelling enterprises to better protect employee/customer PII?
4. Will the resulting risk reduction justify Company Z's investment in implementing better PII protection policies?

The scope of work will include the following activities:

1. Size and scope the effort
2. Identify sponsors
3. Obtain funding
4. Design methodology
5. Conduct research
6. Summarize findings
7. Identify follow-on work

Desired Output

A detailed analysis that identifies and prioritizes the risks associated with each data item.

Intended Audience

Government regulators, consumers, enterprises that collect PII.

Editor, co-editor, contributors

Jeff Stollman

Target date for completion

This is a massive effort and will not be completed using only voluntary labor. One of the initial tasks will be to identify sponsors to help fund the effort. This alone could take months. Depending on the funding provided, an analysis could be completed within 90 days.