An Evaluation Methodology with Assurance Levels for Privacy-by-Design (M22a)
The rapid development of the Internet of Things is putting the quest for privacy on center stage. For example, the Dutch First Chamber blocked smart metering roll-out in 2009 due to privacy issues. In this context, Privacy-by-Design was proposed as a novel paradigm whereby the privacy issue is addressed at the very early phase of the system development. Comprised of seven foundational principles (i.e. prevention instead of remedy, privacy as the default setting, privacy embedded in the design, full functionality, user-orientation, visibility and transparency, full life-cycle protection), privacy-by-design is a promising approach and hence, it is strongly recommended by the regulation authorities.
Regarding the assessment, whilst security certification scheme has been well-established with the Common Criteria standard, privacy certification schemes are still at the early development stage and are usually defined by national or regional initiatives (e.g. EuroPrise in Schleswig-Holstein region, Privacy Impact Assessment by the BSI in Germany and by the CNIL in France). However, the EU general data protection regulation (GDPR) require that all enterprises providing services in Europe comply with the same privacy requirements in 2018.
In this presentation, we will first discuss how privacy is currently managed by the Common Criteria. Then, some privacy-oriented assessment methods (e.g. two methods proposed by the BSI and the CNIL) will be analyzed. Finally, we will describe a proposal for privacy evaluation and certification. Our method is built to deal with Privacy-by-Design systems. In addition, it provides different levels of assurance: from documentation-based assurance to privacy-by-formal-design. With this approach, we aim to encourage system designers not only to integrate the privacy goal throughout the entire engineering process, but to also apply rigorous techniques (e.g. formal methods) to correctly enforce this goal.