Privacy is a process, not a PET: a theory for effective privacy practice

Privacy research has not helped practitioners -- who struggle to reconcile users' demands for information privacy with information security, legislation, information management and use -- to improve privacy practice. Beginning with the principle that information security is necessary but not sufficient for privacy, we present an innovative layered framework -- the Privacy Security Trust (PST) Framework -- which integrates, in one model, the different activities practitioners must undertake for effective privacy practice. The PST Framework considers information security, information management and data protection legislation as privacy hygiene factors, representing the minimum processes for effective privacy practice. The framework also includes privacy influencers -- developed from previous research in information security culture, information ethics and information culture -- and privacy by design principles. The framework helps to deliver good privacy practice by providing: 1) a clear hierarchy of the activities needed for effective privacy practice; 2) delineation of information security and privacy; and 3) justification for placing data protection at the heart of those activities involved in maintaining information privacy. We present a proof-of-concept application of the PST Framework to an example technology -- electricity smart meters.
