Towards a Privacy Scorecard – Initial Design Exemplified on an Intelligent Transport Systems Service

Aida Omerovic, Marit Kjøsnes Natvig, Isabelle C. R. Tardy

2017

Abstract

Increasingly many services depend on access to data that are traceable to individuals, the so-called "personally identifiable information" (PII). The ecosystem of PII-dependent services is growing, becoming highly complex and dynamic. As a result, a wide variety of PII is constantly collected, stored, exchanged, and applied by all kinds of services. The practice of PII handling among service providers varies, as does the insight and influence of end-users over how their own PII is treated. For a user, privacy is a condition for trust and service adoption. It is moreover essential for a service provider to be able to demonstrate privacy awareness over time. This is particularly important as the new EU privacy regulation is about to become operative, enforcing strict privacy requirements on service providers and giving new rights to users. In order to preserve user trust and manage the technical and legal privacy requirements, practically usable support for continuously and transparently planning and following up privacy compliance is needed. To this end, we propose an initial version of a so-called "Privacy Scorecard", that is, a decision support for a service provider aimed at facilitating the identification, specification, measurement and follow-up of the fulfilment of privacy goals in a relatively transparent and comprehensible manner. In this position paper, we present the initial design and intended usage of the Privacy Scorecard. We also exemplify how it can be applied to a concrete service. The initial findings indicate the feasibility of the approach and suggest directions for further work, including refinement of the scorecard design and usage guidelines, tool support for visualization, as well as further empirical evaluation.



Paper Citation


in Harvard Style

Omerovic A., Natvig M. and Tardy I. (2017). Towards a Privacy Scorecard – Initial Design Exemplified on an Intelligent Transport Systems Service. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 585-593. DOI: 10.5220/0006284405850593


in Bibtex Style

@conference{icissp17,
author={Aida Omerovic and Marit Kjøsnes Natvig and Isabelle C. R. Tardy},
title={Towards a Privacy Scorecard – Initial Design Exemplified on an Intelligent Transport Systems Service},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={585-593},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006284405850593},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Towards a Privacy Scorecard – Initial Design Exemplified on an Intelligent Transport Systems Service
SN - 978-989-758-209-7
AU - Omerovic A.
AU - Natvig M.
AU - Tardy I.
PY - 2017
SP - 585
EP - 593
DO - 10.5220/0006284405850593