Privacy Requirements
A privacy requirement is any security requirement that specifies a required amount of the security quality subfactor privacy.
The typical objectives of a privacy requirement are to:
- Ensure that unauthorized individuals and programs do not
gain access to sensitive data and communications.
- Provide access to data and communications on a
“need to know” basis.
- Ensure that persons understand and have reasonable
control over the private information that the business
enterprise, application, component, or center keeps about
them.
- Thereby minimize potential bad press, loss of user
confidence, and legal liabilities.
Privacy requirements are typically specified in terms of the
following measurements:
- Anonymity:
- Maximum [number | percentage] of confidential
identities compromised per unit time [as a function of
threat].
- Confidentiality:
- Maximum [number | percentage] of confidential [data |
messages] compromised per unit time [as a function of
threat].
The following are typical examples of privacy requirements:
- Anonymity.
  - “The application shall not capture or store any personal information about the users.”
- Communications Privacy.
  - “The application shall not allow unauthorized individuals or programs access to any communications.”
  - “The application shall ensure that confidential communications, if intercepted, shall not be accessible for a minimum of 10 years given the means currently available to the typical private hacker, cracker, or business rival.”
- Data Storage Privacy.
  - “The application shall not allow unauthorized individuals or programs access to any stored data.”
The following guidelines have been found to be useful when
producing privacy requirements:
- The scope of a privacy requirement can be identified and specified in terms of the following components:

| Component of Requirement | Possible Values |
| --- | --- |
| Target of Privacy Violation | Communications (user or system); Stored Data |
| Target Sensitivity | Levels of Confidentiality; Classification Level |
| State | Normal Processing; Degraded Mode; Under Attack |
| Measurement | Maximum percentage of confidential data compromised; Maximum number of confidential data compromised; Maximum percentage of confidential messages compromised; Minimum time required to compromise confidential data and messages |

- Sensitive data and communications typically fall into the following categories:
- Personal confidential information, which is private
information about a single individual person.
- Organizational confidential information, which is
private information about a business (e.g., trade
secrets).
- Governmental or military confidential information,
which is classified.
- Privacy requirements should clearly identify:
- The specific data and communications that are
sensitive, confidential, trade secrets, etc.
- The specific places where this communication takes
place (e.g., over the Internet, outside of a secure data
center).
- Privacy requirements are related to, but go beyond,
authorization requirements, because people and applications
should have access only to the data and communications for
which they are authorized.
- Privacy requirements must be consistent with any associated privacy statement.
- Privacy requirements may overlap certain legal
constraints such as laws that require certain data (e.g.,
credit card information, health care information) to be kept
private.
- Privacy requirements must be consistent with auditability requirements, identification requirements, and nonrepudiation requirements, which require users to be identified and information about their interactions to be stored.
For example, consider a privacy-oriented eMarketplace
application that acts as an intermediary between buyers,
merchants, and a credit card authorization processing
gateway. The buyers may not want to provide private personal
information (e.g., their name, billing address, credit card
number and expiration date) to merchants who do not really
need it if they are not going to be the ones to obtain
purchase authorizations from the credit card authorization
processors. Note that electronic wallets undermine privacy
because they make it easy for buyers to supply private
information to merchants. Instead, the eMarketplace strongly
supports privacy by:
- Hiding private customer personal information from
merchants.
- Authorizing the credit card purchase for the buyer
(which is why the merchant wants the private
information).
- Only supplying the merchant with the non-private information (e.g., delivery address and credit payment information such as credit approval).
- Strongly encrypting all communications and storage of
private information.
- Use misuse cases to perform security threat analysis and security use cases to analyze and specify security requirements.
- Privacy requirements should not be confused with (nor specified in terms of) the architectural security mechanisms that can be used to implement them:
- Public or private key encryption and decryption.
- Commercial-off-the-shelf cryptography packages.
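The eMarketplace intermediary described above (hiding private customer information from merchants, obtaining the card authorization on the buyer's behalf, and passing the merchant only the non-private delivery and approval information) is a data-minimization design that can be shown concretely. The following is an added example written for this page, not code from the original text or from any real eMarketplace; the class, field and function names, the split between private and merchant-visible fields, the stub authorization gateway, the keyed pseudonym and the sample orders are all assumptions. It illustrates the privacy behaviour the example calls for, which is a separate thing from the requirement statement itself, as the last guideline notes.

```python
# Data-minimizing purchase broker in the spirit of the eMarketplace example.
# Added illustration; all names, the field split, the gateway and the sample data are assumptions.
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional
import hashlib
import hmac
import json
import secrets

# Assumed split: these fields stay with the broker and the card gateway only.
PRIVATE_FIELDS = ("name", "billing_address", "card_number", "card_expiry")

@dataclass(frozen=True)
class BuyerOrder:
    """Everything the buyer submits to the broker; never forwarded whole."""
    order_id: str
    name: str
    billing_address: str
    card_number: str
    card_expiry: str          # "YYYY-MM"
    delivery_address: str
    amount: int               # minor units, e.g. cents
    currency: str

@dataclass(frozen=True)
class MerchantView:
    """The only record the merchant ever receives."""
    order_id: str
    delivery_address: str
    amount: int
    currency: str
    approval_code: str
    buyer_ref: str            # keyed pseudonym: correlates repeat buyers without naming them

def luhn_valid(number: str) -> bool:
    """Standard Luhn checksum; the stub gateway uses it to accept or decline."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class StubGateway:
    """Stand-in for the credit card authorization processor (constructed)."""
    def __init__(self, today: Optional[date] = None):
        self.today = today or date.today()

    def authorize(self, card_number: str, card_expiry: str, amount: int) -> Optional[str]:
        year, month = (int(x) for x in card_expiry.split("-"))
        expired = (year, month) < (self.today.year, self.today.month)
        if expired or amount <= 0 or not luhn_valid(card_number):
            return None
        # A random approval code carries no card data, so it is safe to forward.
        return "APPR-" + secrets.token_hex(4).upper()

class PrivacyBroker:
    """Intermediary between buyer, merchant and gateway; keeps the private fields itself."""
    def __init__(self, gateway: StubGateway, pseudonym_key: bytes):
        self.gateway = gateway
        self.key = pseudonym_key

    def buyer_ref(self, order: BuyerOrder) -> str:
        # HMAC under a broker-only key: stable per buyer, not invertible by the merchant.
        return hmac.new(self.key, order.name.encode(), hashlib.sha256).hexdigest()[:16]

    def place_order(self, order: BuyerOrder) -> Optional[MerchantView]:
        code = self.gateway.authorize(order.card_number, order.card_expiry, order.amount)
        if code is None:
            return None       # declined: the merchant learns nothing at all
        return MerchantView(order.order_id, order.delivery_address, order.amount,
                            order.currency, code, self.buyer_ref(order))

    def audit_record(self, view: MerchantView) -> dict:
        """What the broker stores for auditability: pseudonym and approval, no card data."""
        return {"order_id": view.order_id, "buyer_ref": view.buyer_ref,
                "approval_code": view.approval_code, "amount": view.amount}

def leaks_private_data(view: MerchantView, order: BuyerOrder) -> bool:
    """Coarse self-check: does any private field value appear in the merchant payload?
    (A billing address identical to the delivery address would be flagged as well.)"""
    payload = json.dumps(asdict(view))
    return any(getattr(order, f) in payload for f in PRIVATE_FIELDS)

# Constructed sample orders; 4111111111111111 is a Luhn-valid placeholder number.
SAMPLE_ORDER = BuyerOrder("ORD-1001", "Ada Example", "12 Ledger Street, Exampleton",
                          "4111111111111111", "2099-12", "7 Parcel Way, Exampleton", 4999, "USD")
EXPIRED_ORDER = BuyerOrder("ORD-1002", "Ada Example", "12 Ledger Street, Exampleton",
                           "4111111111111111", "2000-01", "7 Parcel Way, Exampleton", 4999, "USD")

if __name__ == "__main__":
    broker = PrivacyBroker(StubGateway(), b"constructed-demo-key")
    view = broker.place_order(SAMPLE_ORDER)
    print("merchant receives:", asdict(view), "| leaks:", leaks_private_data(view, SAMPLE_ORDER))
    print("declined order gives merchant:", broker.place_order(EXPIRED_ORDER))
```

The `buyer_ref` pseudonym is what reconciles the privacy requirement with the auditability and identification requirements mentioned in the guidelines: the broker's audit record identifies the same buyer consistently across orders without holding card data, and the merchant can recognise a repeat customer without learning the name or billing address. `leaks_private_data` is the kind of self-check a test suite would run over every merchant-bound payload; it is deliberately coarse (substring matching on the serialized view) so that it errs toward flagging.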