Читать книгу Privacy Risk Analysis - Sourya Joyee De - Страница 12
ОглавлениеCHAPTER 3
Processing System
The first step of a privacy risk analysis is the definition of its scope, which requires a detailed and comprehensive description of the processing system under consideration. This description should include all personal data flows between the components of the system and communications with the outside world. This information is necessary for the privacy risk analysis, in particular for the identification of the privacy weaknesses and the capacities of the risk sources to get access to the personal data.
To summarize, the description should be sufficient to ensure that all potential privacy problems arising out of the system can be detected [106]. In most cases (at least for systems developed following a rigorous methodology), a detailed documentation about the system should already be available and it should be sufficient to supplement it with some additional information to meet the requirements of a privacy risk analysis.
In this chapter, we present a set of attributes useful to characterize a processing system with a view to privacy risk analysis (Section 3.1) and introduce the running example used throughout this book (the BEMS System) with its attributes (Section 3.2).
3.1 SYSTEM ATTRIBUTES
In order to meet the needs of the subsequent steps of the privacy risk analysis, the description of the system should include at least the following attributes:
1. The functional specification describing the functionalities that the system is supposed to provide, including the potential use cases or scenarios. The functional specification should be consistent with the declared purpose of the system. It is also useful during the analysis to check compliance with the data minimization principle (personal data should be collected only if necessary to achieve the purpose).
2. The controls including all existing measures (technical and organizational) to protect personal data. Precise knowledge of existing controls is necessary to detect potential privacy weaknesses.
3. The interface including all interactions of the system with the external world, including users and other systems, and the possibility or not to collect the consent of the user. The interface is useful, inter alia, to detect potential risks related to data dissemination, transfers to third parties and lack of control from the users.
4. The data flows describing the internal view of the system, including the basic components, their locations, supporting assets, the access rights and the data flows between them. The analysis of the data flows is instrumental in the search for privacy weaknesses.
5. The supporting assets consisting of all software, hardware and networks on which the system relies and the stakeholders controlling them. Supporting assets, in conjunction with data flows and actors, are useful to analyze the capacities of the risk sources to get access to personal data.
6. The actors having access to the system or interacting with it, including roles inside the organization of the data controller and the access rights of each actor.
This set of attributes is inspired by previous work on privacy risk analysis. For example, the view-based approach proposed by Oetzel and Spiekermann [106] includes:
1. The system view, which takes into account applications, system components, hardware, software, interfaces and the network topology.
2. The functional view, which consists of generic business processes, use cases, technical controls, roles and users.
3. The data view, which consists of categories of data processed by the system, data flow diagrams, actors and data types.
4. The physical environment view, which includes physical security and operational controls such as backup and contingency measures.
A whole chapter (Chapter 4) is dedicated to personal data in this book. The other components presented in [106] overlap with the above list of attributes.
The definition of the data flows is a key part of the characterization of a system. A standard approach is to resort to data flow diagrams (DFD), which are structured, graphical representations based on four main types of building blocks: external entities, data stores, data flows and processes [166]. Deng et al. [40] propose an enhanced representation of data flows with trust boundaries to separate trustworthy and untrustworthy elements of the system. These boundaries are used to identify the potential risk sources. As argued in [166], the definition of the DFD is a crucial step in a privacy risk analysis and an incorrect DFD is likely to result in erroneous conclusions about privacy risks. Moreover, the granularity of the DFD dictates the level of detail at which the analysis can be conducted.
3.2 ILLUSTRATION: THE BEMS SYSTEM
In this section, we introduce the BEMS1 System used to illustrate the concepts discussed throughout this book. The BEMS System includes the billing and the energy management functionalities of a hypothetical smart grid system. This choice is not insignificant: smart grid initiatives, which are now under deployment in many countries, already face a large number of privacy related questions. As utility providers promise benefits in terms of home energy management, researchers [20, 36, 64, 88, 95, 98, 122, 159] warn against the potential privacy harms posed by the collection of highly granular energy consumption data. Many potential privacy harms of various levels of likelihood and severity have already been identified, including surveillance by governments and law enforcing bodies [25, 43, 88, 94, 96], burglary [88, 94, 122] and targeted advertising [19, 25, 88, 93, 94, 122]. Utility providers are facing the task of taking appropriate measures and convincing both their consumers and regulatory bodies that these measures are sufficient to handle potential harms. Carrying out privacy impact assessments is therefore inevitable for the smart grid industry [36]. Needless to say, our goal is not to provide a full scale privacy risk analysis for a smart grid system here but, more modestly, to use some of its features as a working example to illustrate the notions presented in this book.
The system attributes introduced in the previous section are defined as follows for the BEMS System:
1. Functional specification.
– The User Registration System is used to register new consumers with the utility provider.
– The Consumer Information System stores and manages all consumer identification, contact, billing and energy management information. It consists of the Consumer Data Store and the Consumer Information Management Application. The latter implements security functions for the protection of the Consumer Data Store. In particular, it is involved in ensuring that only authorized applications, sub-systems and actors get access to the data. It also performs other functions such as the creation of the meter ID and the user portal account number.
– The Meter Data Management System stores and manages the energy consumption data and the corresponding meter ID. It consists of the Meter Data Store and the Meter Data Management Application. The Meter Data Management Application ensures that only authorized sub-systems, applications and actors can access the data and implements other security-related functions to ensure the protection of the Meter Data Store.
– The Utility Gateway collects energy consumption data (corresponding to meter IDs) from smart meters. It contributes to the implementation of some functionalities of the Meter Data Management Application by ensuring that only the authorized subsystems, applications and actors can access the data.
– The Smart Meter collects energy consumption data from home appliances. It includes a security module to encrypt and sign the data before sending it to the utility gateway.
– The Payment Management System handles all billing, payment and energy management related functions. It consists of three applications: the Billing Application that generates the bills, the Energy Management Application that generates the energy management suggestions and the Payment Application that updates the payment status for each consumer.
– The Price Determination System computes the fees for the different time periods of the billing cycle.
– The User Interface is used by the consumers to get access to their bills and the energy management suggestions as well as to update or correct any identification or contact information whenever necessary. Table 3.2 defines all the abbreviations for the BEMS sub-systems used in this book.
2. Interfaces. The interactions with the consumer take place through the User Interface component. The Smart Meter collects the energy consumption data from the home appliances. The Payment Application interacts with the bank to receive information about payments.
3. Data flows. The data flows between the main components of the system are depicted in Fig. 3.1. The Smart Meter and the Utility Gateway are located in the consumers’ premises. The User Interface can be accessed by the consumer through the Internet from his PC. All other systems are located with the utility provider and cannot be accessed by the consumer.
Each new consumer registers with the utility provider using the User Registration System by providing his identification and contact details. The User Registration System transfers this information to the Consumer Information System which creates a meter ID and a user portal account number for each new registered user.
Within the consumer premises, energy consumption data from home appliances are collected by the smart meter. This communication is based on the Zigbee standard. The smart meter then transfers this data to the utility gateway, along with the meter ID, every 15 minutes. The utility gateway gathers data from several smart meters. These data are then transferred to the utility provider to be stored and managed by the Meter Data Management System.
During each billing cycle,2 the Payment Management System accesses the energy consumption data for each meter ID from the Meter Data Management System and the tariffs per time period from the Price Determination System. The Billing Application within the Payment Management System computes the bills associated with each meter ID, whereas the Energy Management Application creates the energy management suggestions based on the bills and the energy consumption data during each billing cycle. The Payment Application within the Payment Management System updates the payment status for each meter ID based on the bills and the payment information received from the bank, corresponding to the bank account number obtained from the Consumer Information System. The resulting bill, the energy management suggestions and the payment status per meter ID are transferred to the Consumer Information System for storage.
Table 3.1: Supporting assets
| Types of Supporting Assets | Examples |
| Hardware | One database server, application server, load balancers, clients (PC, notebook, tablet, mobile phone, printer etc.), storage media (semiconductor, optical, paper), network components (switch, router, bridge, gateway, firewall, modem), smart meter, security module |
| Applications | Billing Application, Energy Management Application, Meter Data Management Application, Consumer Information Management Application, Payment Application |
| Data stores | Meter Data Store, Consumer Data Store |
| Software environment | Standard software, operating systems, device driver, firmware, services (mail, file etc.) |
Table 3.2: List of abbreviations
| Abbreviation | Meaning |
| URS | User Registration System |
| CIS | Consumer Information System |
| MDMS | Meter Data Management System |
| UG | Utility Gateway |
| SM | Smart Meter |
| PMS | Payment Management System |
| PDS | Price Determination System |
| UI | User Interface |
| BA | Billing Application |
| EMA | Energy Management Application |
| MDMA | Meter Data Management Application |
| CIMA | Consumer Information Management Application |
| PA | Payment Application |
| MDS | Meter Data Store |
| CDS | Consumer Data Store |
Figure 3.1: BEMS data flow diagram.
Each consumer, using his user portal account number, can access the User Interface. The User Interface fetches from the Consumer Information System the bill and energy management suggestions corresponding to his meter ID. The User Interface also displays the contact and the identification details to the user. The user can request updates or corrections of the identification and the contact details through the User Interface.
All the data are stored and transferred encrypted and signed, with the exception of the transfer of the energy consumption data from the home appliances to the smart meter, which is not fully secure.3
4. Supporting assets. The supporting assets are defined in Table 3.1.
5. Actors. The actors of the BEMS System are the following: consumers, system administrators, service technicians (for installation and maintenance of smart meters and utility gateways), developers, operators and other employees under the utility provider.
1Billing and Energy Management System.
2The billing cycle, which is generally one month, is defined by the utility provider.
3Various security vulnerabilities of the Zigbee standard are documented in [155, 170].
