
Personal Privacy
Ross Anderson
Professor of Security Engineering
Cambridge University
Privacy Engineering
• Engineering for privacy, as for security or
dependability, involves
– computer science – for matters like scalability
– economics – systems often fail when the people who
maintain them have the wrong incentives
– psychology – the feeling and the reality are often
different
• Privacy is particularly hard because all three of
these factors are often pushing the wrong way
Privacy and Business
• It’s economically efficient to charge different
prices to different customers
• The falling costs of collecting and processing data
make this easier
• The move of businesses online makes them more
like the software business (with low marginal
costs, network effects and lock-in), which makes
price discrimination more profitable
• However price discrimination annoys people –
especially those who end up paying more
Example – Facebook
• A newsworthy conflict of interest
– Facebook wants to sell user data
– Users want feeling of intimacy, small group, social
control
• Complex access controls – 60+ settings on 7 pages
• Privacy almost never salient (deliberately!)
• Over 90% of users never change defaults
• This lets Facebook blame the customer when
things go wrong
How Privacy Scales
• Main privacy threat is usually insiders
• Traditional GP: 12 staff have access to
10,000 records. Can cope with that!
• What happens if we let 45,000 GPs plus
40,000 staff see 50,000,000 records?
• Lesson from Scotland
• Effect of pervasive malware
• What’s done in intelligence agencies
‘Database State’
• The Joseph Rowntree Reform Trust sponsored a
systematic study of all government systems that
hold information on at least a substantial minority
of us
• Authors: me, Ian Brown, Terri Dowty, Philip
Ingelsant, William Heath, Angela Sasse
• Are these databases legal, and effective?
• Which systems should the next Government
scrap, keep or fix?
Database State (2)
• Of 46 systems, we found that 11 were almost
certainly illegal
• Health: SUS, DCR – fall foul of I v Finland
judgement
• Kids: eCAF, ONSET, ContactPoint
• Home Office: NDNAD, NIR, IMP
• DWP data sharing, National Fraud Initiative
• The EU Prüm framework
Database State (3)
• We also found 29 ‘amber’ databases with
significant problems including
– National Childhood Obesity Database (why?)
– NHS Summary Care Record (almost useless)
– National Pupil Database (mission creep)
– Police National Database (federating much stuff that
used to be local, like the NHS)
• Only 6 of 46 databases got a green light (and one
of those was an error)!
Where Are We Now?
• Three ‘red’ systems were closed down (NIR,
ContactPoint, NAO)
• Other red systems being spun/renamed (IMP)
• Two new ‘red’ systems – SCR and YJCMS
• A number of ‘amber’ systems that harm privacy
while providing no benefit are spared (NCOD,
NPD, Learner Records Service)
• In short: no real change, despite Coalition
Agreement and the parties’ pre-election pitches
Statistical Security
• The Department of Health wants to keep its
databases but protect privacy by stripping out
patients’ names and addresses
• But this doesn’t in general work!
• Example: find the salary of the (only) female professor in
the computer lab as
n × (average salary of all professors) − (n − 1) × (average salary of male professors),
where n is the number of professors
• With health it’s even harder – especially as
researchers want longitudinal records that link up
care episodes
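The differencing attack on the slide, worked through as an added example that is not from the lecture: a constructed staff table (names, roles and salaries are made up) is exposed only through aggregate queries, yet two averages and two counts pin down the single female professor's salary exactly; a minimum query-set size is shown as one illustrative mitigation, which, like stripping names, does not work in general.

```python
# Added example, not from the slides. Dataset is constructed for illustration.
STAFF = [  # one female professor among four; the "anonymised" statistics still leak her pay
    {"id": 1, "role": "professor", "sex": "F", "salary": 91_000},
    {"id": 2, "role": "professor", "sex": "M", "salary": 84_000},
    {"id": 3, "role": "professor", "sex": "M", "salary": 88_000},
    {"id": 4, "role": "professor", "sex": "M", "salary": 80_000},
    {"id": 5, "role": "lecturer",  "sex": "F", "salary": 52_000},
]


def stats_query(predicate, min_size=1):
    """Aggregate-only interface: no names or rows, just (count, mean salary)
    for the rows matching predicate. Returns None when the matching set is
    smaller than min_size (a query-set-size floor, the hypothetical defence)."""
    rows = [r for r in STAFF if predicate(r)]
    if len(rows) < min_size:
        return None
    return len(rows), sum(r["salary"] for r in rows) / len(rows)


def infer_female_professor_salary(min_size=1):
    """The slide's inference: with n professors of whom one is female,
    her salary = n * avg(all professors) - (n - 1) * avg(male professors).
    Returns None if the service refuses either query."""
    all_profs = stats_query(lambda r: r["role"] == "professor", min_size)
    male_profs = stats_query(
        lambda r: r["role"] == "professor" and r["sex"] == "M", min_size)
    if all_profs is None or male_profs is None:
        return None
    n, avg_all = all_profs
    m, avg_male = male_profs        # m == n - 1 here, the male professors
    return round(n * avg_all - m * avg_male)


if __name__ == "__main__":
    print("recovered salary:", infer_female_professor_salary())          # 91000
    print("with query floor 5:", infer_female_professor_salary(min_size=5))  # None
```

A floor on query-set size only blocks this particular pair of queries; a questioner with more queries can usually work around it, which is why the lecture says de-identification alone does not work in general.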
Economics of Privacy
• Economics of security has been a rapidly
growing field since 2001
• The economics of privacy are perplexing!
• People say they value privacy, but usually
act otherwise
• Is this due to ignorance, externalities, social
effects, …?
• Will people suddenly become militant?
Conclusion
• Privacy online is hard!
• The economics, psychology and computer science
often push in the wrong direction
• The private sector is motivated by price
discrimination
• The public sector is somewhat similar with a drive
to ‘personalised service’ or ‘transformation
government’
• What sets the boundary? European law? A public
reaction against ‘creepy’ organisations? Rational
rejection of surveillance by richer citizens?
Europe to the Rescue?
• The I v Finland case, 2008
• Ms “I” was a nurse in Helsinki, HIV+
• Her hospital systems let everyone see everything
• Her colleagues found out about her HIV and
hounded her out of her job
• ECHR: she had a right to restrict her health
records to clinicians involved directly in her care
• Now, so do we all!