Privacy Enhancing Technologies – A Review of Tools and Techniques

Report prepared by the Technology Analysis Division of the Office of the Privacy Commissioner of Canada

November 2017

Introduction

A number of (relatively) recent developments have contributed to an increased level of awareness of the need for security and privacy (especially of online activity)^{Footnote 1}, notably:

the continued evolution of technologies that permit individuals to connect and communicate (e.g., e-mail, instant messaging, chat, online social networks, and so on), resulting in an increasing amount of personal information (generated by and about individuals) being available online;
the increased interest that corporations^{Footnote 2} have in collecting this information and making use of it in some fashion (e.g., reduced auto insurance rates, targeted advertising, personalization, and so on);
revelations about the extent of government surveillance of individual communications and other online activities, including those of law-abiding citizens, (e.g., the Snowden revelations, which began in June 2013, about the activities of the US National Security Agency (NSA))^{Footnote 3}; and
continuing headlines about major breaches at both government organizations and corporations^{Footnote 4}, resulting in the compromise of millions upon millions of records containing personal information^{Footnote 5}.

These developments bring with them potential or real risks of identity disclosure, linking data traffic with identity, location disclosure in connection with data content transfer, user profile disclosure or information disclosure itself. Privacy Enhancing Technologies (PETs)^{Footnote 6} can help address these risks.

PETs are a category of technologies that have not previously been systematically studied by the Office of the Privacy Commissioner of Canada (OPC). As a result, there were some gaps in our knowledge of these tools and techniques. In order to begin to address these gaps, a more systematic study of these tools and techniques was undertaken, starting with a (non-exhaustive) review of the general types of privacy enhancing technologies available. This paper presents the results of that review.

Scope

While many traditional security technologies (e.g., encryption) can be considered privacy-protective, this review focuses on PETs primarily used by law-abiding consumers and citizens seeking to protect their personal information online. This project was further limited in scope to those technologies that protect information in transit (i.e., communicated / transmitted by information and communications technologies (ICT)). Technologies that protect information at rest (e.g., when stored on mobile devices) are not included, nor are descriptions of the ICT systems to which PETs may be applied (unless required for a proper understanding of PET functionality).

Further, this report does not include:

a description of the security and privacy implications , weaknesses or limitations of the identified products or services;
verification, by the Office of the Privacy Commissioner of Canada, of the assertions made by PET developers / vendors with respect to PET functionality, either through literature research or testing of any kind^{Footnote 7};
a comparative analysis of PETs in any given category (e.g., anonymization) to determine which PET is “better”; or
the development of specific guidance or recommendations for implementation or use of any particular PET.

A Taxonomy of Privacy Enhancing Technologies

Taxonomy is defined as “the practice and science of classification of things or concepts, including the principles that underlie such classification”^{Footnote 8}. Just as there is no universally agreed definition, there is also no universally agreed taxonomy for PETs^{Footnote 9}. For example, the European Union Agency for Network and Information Security (ENISA), in its work on a PETs controls matrix, identifies four major categories of technology: secure messaging, virtual private networks, anonymizing networks and anti-tracking tools for online browsing^{Footnote 10}. Other researchers have characterized PETs “according to their technical contributions” (e.g., anonymous communication, and privacy preserving data mining)^{Footnote 11}.

For the purposes of this paper, the taxonomy for privacy-enhancing technologies (PETs) described below^{Footnote 12} is a way of classifying these technologies based on the functionality/capabilities that they provide to an end user. This particular taxonomy has been chosen because it provides a fairly granular way of categorizing the various tools and techniques that have been identified during our review, using terms that often appear in common usage or in the media. It also helps identify areas where additional research and development is required. The principal drawback is that some tools and techniques provide more than one capability, making it somewhat difficult to neatly categorize them.

PETs are intended to allow users to protect their (informational) privacy by allowing them to decide, amongst other things, what information they are willing to share with third parties such as online service providers, under what circumstances that information will be shared, and what the third parties can use that information for. They do this by providing one or more of the following functions/capabilities.

Informed Consent

When an individual discloses his or her personal information to commercial and other entities, he or she also grants, sometimes explicitly, sometimes implicitly, consent for it to be used for one or more purposes. Consent is a key principle of most data protection/privacy legislation. Although the specific language varies, a key element of consent is that it be informed (i.e., based on a clear understanding of what the individual is consenting to). Subsequent control over the storage, use, and onward sharing of that information relies on the notion of trust that the given consent will be respected. Unfortunately, the reality is that, given the complexity of the policy language, the complexity of the business ecosystem behind the organization with whom the individual is dealing, and similar factors, this trust is sometimes misplaced.

As discussed in the OPC’s 2017 Annual Report^{Footnote 13}, one way for this trust to be restored is through the use of a technique known as “data tagging”. In data tagging, a user’s personal information is labeled or tagged with instructions or preferences specifying how the data should be treated by service providers. These preferences can be expressed in a machine readable format using a privacy policy language, and automatic mechanisms have been proposed to ensure that service providers follow the instructions.

Sticky policies are an example of data tagging. Sticky policies technically enforce preferences when personal data is shared across multiple parties. One way to enforce this is through the use of encryption. The EnCoRe (Ensuring Consent and Revocation) project proposed an architecture^{Footnote 14} where encrypted personal data, with a machine-readable policy stuck on, can only be decrypted and read by entities that abide by the policy rules. A trust authority enforces this by verifying compliance and only distributing decryption keys to those services that adhere to the policies^{Footnote 15}.

Sticky policies are an integral part of certain privacy policy language proposals such as PPL (PrimeLife Policy Language)^{Footnote 16} and E-P3P (Platform for Enterprise Privacy Practices)^{Footnote 17}. PPL is based on XACML^{Footnote 18} and is used to grant service providers access to data as long as the organization’s policy is compatible with the user’s privacy preferences. The use of XACML for tagging data was suggested during the OPC’s recent consent consultations. E-P3P is a privacy-specific access control language that allows organizations to design and deploy machine-readable privacy policies, including identifying opt-in or opt-out choices (depending on the nature of the information) and placing restrictions on access to personal information, and design access control policies to give effect to the privacy policies.

Data tagging and sticky policy research has been ongoing since 2002, but the work remains at the proof of concept stage with few commercial deployments. In general, machine-readable, automated policy languages have had very limited success, perhaps due to complexity, a lack of interoperability^{Footnote 19} and little demand for their capabilities. Most recently, Microsoft has discontinued all support for P3P in their Windows 10 browsers^{Footnote 20}.

Data minimization^{Footnote 21}

Data minimization is a fundamental privacy design principle which requires that services and applications only process the minimum amount of information strictly necessary for the service or for a particular transaction. The objective is to minimize the amount of personal information collected and used by online service providers (e.g., to mitigate the risk of profiling based on user behaviour). PETs in this category include websites that deliberately choose not to collect and store personal information such as search terms, search history, IP addresses^{Footnote 22} and so on. Examples include DuckDuckGo^{Footnote 23}, Ixquick (now StartPage)^{Footnote 24}, Disconnect^{Footnote 25} and Unbubble^{Footnote 26}.

Other tools that could fall within this category include those designed to protect privacy by deleting browsing history and other computer activities. An example of such a tool is Privacy Eraser^{Footnote 27}. Privacy Eraser claims that it will erase all digital footprints - web browser cache, cookies, browsing history, address bar history, typed URLs, autocomplete form history, saved passwords, search history, recent documents, temporary files, recycle bin, and more.

As individuals browse the web, their web browser will record information about the browsing activity (e.g., the sites you’ve visited, the date and time of each visit, search terms used, and so on). There may be times, however, when an individual might not want that kind of information to be accessible to anyone else who uses that computer. All of the major browsers now support a mode sometimes referred to as private browsing^{Footnote 28}.

It should be noted, however, that there are limitations to the protection provided by private browsing modes:

if the computer used is connected to a corporate network, the network administrator could potentially see what sites have been visited;
if the computer used has been infected by malware, your online activities could still be tracked;
if the computer used has Internet protection software (e.g., parental control programs such as Qustodio^{Footnote 29}), they can track private browsing sessions; and
the user’s Internet Service Provider can access the user’s online history (e.g., in response to a lawful access request).

Another category of tools or techniques used to implement data minimization is that of ephemeral communications. These tools have been developed in response to the permanence of Internet conversation, which arose once computers began to mediate our online communications. Computers naturally produce conversation records, and these data were often saved and archived. These tools, on the other hand, claim to automatically expire messages, videos, and other content^{Footnote 30}. Examples of these tools include Snapchat^{Footnote 31}, Wickr^{Footnote 32}, Confide^{Footnote 33} and Firechat^{Footnote 34}.

Data Tracking

In order for individuals to properly manage their digital privacy, it helps if they have a way to log, archive and look up (data tracking) the information that they have already disclosed, when, to whom, and under what circumstances. This includes allowing an individual to track what information a single site or service provider (e.g., Google) possesses about them, which can be done via a dashboard (see discussion under the heading “Control”), but also allowing individuals to track data disclosure across multiple sites.

One way of doing this is through a tool called Data Track, developed as part of the European Union’s Privacy and Identity Management for Europe (PRIME) project^{Footnote 35}. Data Track was intended to provide a history of all online transactions, storing for the user information regarding which personal information has been disclosed to whom. Data Track was also intended to provide transparency to users of their online transactions and to enable them to later question data controllers over whether they really treated their personal information as promised. Work on Data Track was suspended in 2011.

Anonymity^{Footnote 36}

There are a number of identity/identification “states” that are possible, ranging from fully anonymous to fully identified (sometimes referred to as “verified”)^{Footnote 37}. There is also a range of information that can be used to identify individuals online, from name to IP address. PETs can allow users to choose the degree of anonymity they desire (e.g., by using pseudonyms, anonymizers, or anonymous data credentials).

Communication anonymizers hide the real online identity (e.g., email address, IP address, etc.) of a user and replace it with a non-traceable identity (e.g., disposable / one-time email address, random IP address of hosts participating in an anonymizing network, pseudonym, etc.). They can be applied to email, Web browsing, peer-to-peer (P2P) networking, VoIP, chat, instant messaging, and so on^{Footnote 38}.

One of the best known communications anonymizers is Tor^{Footnote 39}. Tor is a free, world-wide network of relays on the Internet that individuals and groups can use to keep websites from tracking them, to connect to news sites, instant messaging services, or similar network services when these are blocked by their Internet service providers or may be sensitive in nature. Also, a feature known as ‘hidden services’ lets users publish web sites and other services without needing to reveal the location of the site. For example, journalists use Tor to communicate more safely with whistleblowers and dissidents.

Control^{Footnote 40}

PETs in this category allow users to exercise more control over what personal information is sent to, and used by, online service providers and merchants (or other online users). They do so, for example, by allowing individuals to limit the type or quantity of information that they disclose to third parties. These are sometimes referred to as “selective disclosure techniques” or “selective disclosure technologies”.

Almost every day, we are asked to identify ourselves, whether it is to obtain a service (e.g., health care) or purchase some good (e.g., alcohol or cigarettes) that is restricted in some way (e.g., only available to individuals over a certain age). To do this, we typically rely on government-issued identification (e.g., a driver’s license). This results in the revelation of more information than is strictly necessary for the transaction in question. In many cases, we merely need to be able to demonstrate that we meet certain criteria, or possess certain attributes (e.g., that we are residents of a particular place, or that we are of legal age)^{Footnote 41}.

One way to limit the amount of information we disclose in identity-related transactions is through the use of techniques known as attribute-based credentials (sometimes abbreviated ABCs)^{Footnote 42}. These credentials are an important building block of privacy-respecting identity management systems. Among the privacy features of ABCs are the ability of credential holders “to disclose a minimal set of credential attributes to services, or to perform anonymous proofs of possession of certain credentials or attribute values matching certain criteria, while limiting the linkability of identity-related transactions”^{Footnote 43}. Examples of ABCs include Microsoft’s UProve^{Footnote 44} and IBM’s Identity Mixer^{Footnote 45}.

Other “control” technologies that have been identified during the course of our review include:

Self-sovereign identity: a concept that puts the user at the centre of the administration of their identity. To achieve this, the user’s identity must be interoperable across multiple locations, with the user’s consent, but also subject to true user control of that digital identity, creating user autonomy. A self-sovereign identity must also be transportable and it must also allow ordinary users to make claims about themselves, which could include personally identifying information or facts about personal capability or group membership. It must also meet a series of guiding principles^{Footnote 46}. An example of this technology is UPort^{Footnote 47};
Personal Information Management Systems (PIMS)^{Footnote 48}: The basic idea behind the PIMS concept is that individuals should be able to decide with whom they share their personal information, for what purposes, and for how long, to be able to keep track of all the information shared, and to be able to retract that information if circumstances warrant and permit. This category of technology encompasses several other components, including personal data ecosystems^{Footnote 49}, personal data dashboards^{Footnote 50}, and personal data stores^{Footnote 51}; and
Other (Miscellaneous): a number of other “control” technologies were identified, including Sieve^{Footnote 52}, TACYT^{Footnote 53}, and Privacy Box^{Footnote 54}, that don’t easily fit into any of the previous categories.

Negotiate Terms and Conditions

In many cases, the privacy policies established and published by online service providers are of the “take-it-or-leave-it” variety – there is no customization or personalization. However, consumers view privacy differently and are increasingly concerned about the implications of sharing information in light of complex, hard to understand privacy policies. This frequently results in individuals abandoning (not completing) an online transaction. If individuals could negotiate privacy policies as personalized agreements, and if they could trust that online service providers would honour those agreements, this would be a step in the right direction.

The Platform for Privacy Preferences Project (P3P)^{Footnote 55}, developed by the World Wide Web Consortium (W3C), was intended to enable websites to express their privacy practices in a standard machine-readable format that could be retrieved automatically and interpreted easily by user agents. Individuals could use P3P to set their own privacy preferences. P3P user agents, built into web browsers, were then to inform users of site practices (in both machine- and human-readable formats), allow users to screen and search for sites that offer certain privacy protections, and automate decision-making based on these practices when appropriate. As mentioned previously, P3P was never widely adopted and support for it has largely been discontinued.

Our review identified some initiatives that were intended to make P3P more usable, including the Policy Aware Web^{Footnote 56} and the Transparent Accountable Datamining Initiative^{Footnote 57}, but neither of these appear to have progressed much beyond theory. There have also been some efforts to develop alternatives to P3P^{Footnote 58}, but these do not appear to have made much headway either.

Technical Enforcement

In those instances where individuals are able to negotiate the terms and conditions of a service, PETs in this category provide individuals with the possibility of having these terms and conditions technically enforced by the infrastructures of online service providers and merchants (i.e., not just having to rely on promises, but being confident that it is technically impossible for service providers to violate the agreed upon data handling conditions). Technical enforcement of negotiated terms and conditions can be accomplished in a number of different ways, many of which are currently in use, albeit for different purposes (this list is not intended to be exhaustive):

network monitoring: passive or active monitoring of network activity to compare the activity against the agreed terms and conditions (e.g., Wireshark^{Footnote 59}, Fiddler^{Footnote 60}, and so on). Some tools provide real-time prevention of privacy leaks^{Footnote 61};
endpoint event detection^{Footnote 62}: a category of tools and solutions that focus on detecting, investigating, and mitigating suspicious activities and issues on hosts and endpoints (e.g., McAfee Active Response^{Footnote 63}, Symantec Endpoint Protection^{Footnote 64}, and so on);
web transparency tools^{Footnote 65}: these tools are primarily intended to provide a user with information about the intended collection, storage and/or data processing of their personal information, or to help the user determine the potential impact of data profiling. Such tools include ad blockers (e.g., Adblock Plus^{Footnote 66} and Ghostery^{Footnote 67}), and tracking blockers (e.g., Privacy Badger^{Footnote 68}); and
enterprise digital rights management: access control technologies that try to control the use, modification, and distribution of copyrighted works (such as software and multimedia content), as well as systems within devices that enforce these policies (e.g., ContentGuard^{Footnote 69}, Digimarc^{Footnote 70}, and so on).

Remote Audit of Enforcement

PETs in this category provide individuals with the ability to remotely audit the enforcement of the terms and conditions offered by online service providers and merchants. While the term is most frequently applied to audits of an organization’s financial information, other areas which can be audited include governance, compliance and risk (GRC) and internal controls. An audit involves the gathering and analysis of information relevant to specified objectives, scope and criteria. While this information has traditionally been gathered in the form of onsite interviews, document reviews and through observation of processes or people, some of this information gathering can now be done remotely.

One way to facilitate the auditing of an organization is for that organization to pre-emptively publish information concerning their policies, procedures and practices. For example, timely, accurate statistical information from private sector firms on government requests for and access to personal information – in the form of clear transparency reports^{Footnote 71} at regular intervals – can form the basis for rational consumer choices and build consumer confidence in a growing digital economy and its interface with the state for law enforcement and security purposes.

Another way for individuals to “audit” an organization is for the organization to undergo certification against a trust mark^{Footnote 72}, defined as “electronic labels or visual representations indicating that an e-merchant has demonstrated its conformity to standards regarding, e.g., security, privacy and business practice”^{Footnote 73}. Organizations that offer certification against a trust mark often make information about the trust mark, and the criteria an organization needs to satisfy to obtain the mark, available on their website.^{Footnote 74} Individuals can then research the trust mark, as well as the trust mark provider, and decide if they are prepared to share their personal information with the website in question.

As useful as trust marks might be in helping establish trust in an organization, trust marks have their limitations. For example, a privacy trust mark (e.g., such as the ones issued by TRUSTe, now TrustArc^{Footnote 75}) does not necessarily guarantee that the organization has implemented specific technical security standards or processes (such as basic traffic encryption or infrastructure vulnerability testing)^{Footnote 76} as there may be more than one way to meet the requirements of the trust mark.

Use of Legal Rights

Many data protection/privacy laws provide individuals with certain rights, including the right to access the information about them that an organization holds, the right to challenge the accuracy and completeness of that information, and the right to have it amended as appropriate^{Footnote 77}. Typically, exercising these rights requires individuals to send a written request to an organization and then wait for the organization to respond. One way to assist individuals in exercising their right is to automate the request process for them.

In 2014 the Citizen Lab^{Footnote 78}, in partnership with Open Effect^{Footnote 79} and Open Media^{Footnote 80}, launched the original version of the Access My Info (AMI)^{Footnote 81} tool. AMI is a step-by-step wizard that results in the generation of a personalized formal letter requesting access to the information a provider stores and utilizes about a person. The original version only allowed users to generate a letter to telecommunications companies. An improved tool, relaunched in June 2016^{Footnote 82}, provides individuals with the ability to send formal requests to a broader range of organizations, including those that provide fitness trackers and dating applications.

The "Failure" of PETs

Our review has shown that there does not seem to be any shortage of good ideas for protecting individual privacy – the PETs listed earlier in this paper only scratch the surface of technologies that are available. A wide range of PETs have been proposed, but few seem to have made their way out of the research environment and into the marketplace or people’s lives in any meaningful way. There are a number of possible reasons for this “failure” of PETs to go mainstream.

The current economic and regulatory environments provide little incentive for deploying promising consent technologies, so further development of technology alone is not likely to lead to significant changes. Much of the online world bases its revenue streams on the collection and processing of personal information, particularly for targeted advertising. At the same time, industry most often relies on implied, opt-out consent where the lack of action is interpreted as permission for the processing of personal information. Consent technologies that make it easier for consumers to take actions, particularly for opting out, would likely reduce revenue streams.

The examples reviewed above illustrate that there is no shortage of good ideas and viable technologies for improving the consent process. There is a shortage of incentives for organizations, mostly commercial companies, to use technology to provide a better ability to consent or not consent. The economics of the current highly competitive environment, dominated by self-regulation and opt-out consent models, may dissuade companies from offering effective consent mechanisms.

The tools may sometimes fail because they are considered by average individuals as too complex. They may not have been intuitive, requiring specialized knowledge or skills to operate, which the average consumer may not have. They might fail because there is no consumer demand for privacy protections (which may stem, in part, from a lack of knowledge of what tools are available to them) or government might be unwilling to regulate privacy protections for fear of inhibiting innovation.

Potential users may not trust the tools (i.e., that they will provide the protections they claim to). There is some basis for this skepticism. Many PETs only ever seem to be lab prototypes, or used in limited trials, so there is little to no experience of their practical use and their impact on the processing of personal information. Some PETs may involve third parties who are unknown to, and therefore untrusted by, individuals.

Some tools fail because they are unable to overcome the “network effect” (a phenomenon whereby a good or service becomes more valuable when more people use it). Existing powerful or dominant undertakings (e.g., Facebook) are able to exploit “economies of aggregation” and create barriers to entry through their control of huge personal data sets alongside proprietary software which organizes the data^{Footnote 83}.

So Now What?

As our preliminary review has shown, there is no shortage of good ideas for protecting individual privacy. There are, however, some categories of PETs (e.g., data tracking) that do not seem to have attracted the same degree of research interest as others. It is not clear whether this is due to lack of interest on the part of researchers, or whether the issues the technologies are intended to address are difficult to resolve.

The discussion in the previous section of this report identified a number of possible barriers to the implementation or adoption of PETs including, but not limited to, lack of awareness of the existence of these tools, their lack of usability, and a lack of incentive for organizations to offer or implement these tools. This review did not examine adoption rates of the different technologies identified so it is not clear which specific barrier(s) are most responsible for the low uptake of PETs. Similarly, where a PET has been successful in terms of adoption, it is not clear what factors contributed to that success.

It is clear from this preliminary review that additional research is needed to assess the relative strengths and weaknesses of PETs, develop new PETs or improve the effectiveness of existing ones, and better understand the barriers to deployment and adoption of PETs in the online marketplace. Individuals also need to be better educated about the existence of PETs and supported to make more use of them, should they so wish, to protect their personal information online and give them greater control over its potential use (or not) by others.

Notes

Footnote 1

See, for example, “2016 Survey of Canadians on Privacy”, Office of the Privacy Commissioner of Canada, public opinion research report dated December 2016, accessed 26 September 2017

Return to footnote 1

Footnote 2

See, for example, “DATA BROKERS: A Call for Transparency and Accountability”, online report from the US FTC, dated May 2014, accessed 18 September 2017.

Return to footnote 2

Footnote 3

See, for example, the Snowden Surveillance Archive, accessed 7 September 2017.

Return to footnote 3

Footnote 4

Recent breaches include: Ashley Madison (July 2015), VTech (November 2015), Yahoo (December 2016) and Equifax (September 2017). See, for example, “World’s Biggest Data Breaches”, infographic, accessed 26 September 2017.

Return to footnote 4

Footnote 5

Personal information is the term used in the Personal Information Protection and Electronic Documents Act and is defined as “information about an identifiable individual” (see Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5), Section 2(1), Definitions). A much fuller definition of personal information, including numerous examples of what constitutes personal information, can be found in the Privacy Act (R.S.C., 1985, c. P-21), Section 3, Definitions. Other terms that are sometimes used synonymously with personal information include personal data (see, for example, GDPR, Article 4(1)) or personally identifiable information (see, for example, National Institute of Standards and Technology (NIST) Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), dated April 2010).

Return to footnote 5

Footnote 6

There is no commonly accepted definition of Privacy Enhancing Technologies (PETs), although all of the definitions seem to embody certain common characteristics. Specifically, a PET is something that: a) reduces or eliminates the risk of contravening privacy principles and legislation; b) minimises the amount of data held about individuals; and c) empowers individuals to retain control of information about themselves at all times. See, for example, “Privacy by Design - An Overview of Privacy Enhancing Technologies”, prepared by Enterprise Privacy Group on behalf of the UK Information Commissioner’s Office, dated 26 November 2008, accessed 26 September 2017. For a list of example PETs, see Stanford Law School, Center for Internet and Society (CIS), Wiki on Privacy-Enhancing Technologies, accessed 29 September 2017. See also the list of tools and techniques available at PRISM Break, Electronic Frontier Foundation (EFF), Me and My Shadow, or Electronic Privacy Information Center (EPIC), accessed 10 October 2017.

Return to footnote 6

Footnote 7

The European Union Agency for Network and Information Security (ENISA) has done work on developing a methodology for systematically assessing online and mobile privacy tools. See “PETs controls matrix: A systematic approach for assessing online and mobile privacy tools”, Final Report dated December 2016, accessed 26 September 2017.

Return to footnote 7

Footnote 8

Taken from Taxonomy article in Wikipedia, accessed 26 September 2017.

Return to footnote 8

Footnote 9

There is also no single agreed taxonomy of PETs functionality. See, for example, “Useful Privacy Enhancing Technologies”, a Network of Centres of Excellence of Canada research project. Other taxonomies can be found, for instance, at “A critical review of 10 years of Privacy Technology”, Danezis, G. and Guerses, S., Department of Electrical Engineering, KU Leuven, 12 August 2010, accessed 29 June 2017 or “Study on the economic benefits of privacy‐enhancing technologies (PETs)”, Final Report to The European Commission, DG Justice, Freedom and Security, prepared by London Economics, July 2010, pages 8 to 14, accessed 12 October 2017.

Return to footnote 9

Footnote 10

ENISA PETs Controls Matrix report, Table of Contents, Chapter 4.

Return to footnote 10

Footnote 11

“Privacy Enhancing Technologies: A Review”, Shen, Y. and Pearson, S., HP Laboratories, 6 August 2011, accessed 26 September 2017.

Return to footnote 11

Footnote 12

This taxonomy is based, in part, on the “Goals of PETs” described in the Privacy-Enhancing Technologies article in Wikipedia, accessed 29 June 2017. It has been augmented by including the goals of unlinkability and undetectability described in “A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity and Identity Management”, Pfitzmann, A. and Hansen, M., version 0.34, dated 10 August 2010, Privacy and Data Security site, TU Dresden, Faculty of Computer Science, Institute of Systems Architecture, accessed 2 October 2017.

Return to footnote 12

Footnote 13

See “Real fears, real solutions: A plan for restoring confidence in Canada’s privacy regime”, 2016-17 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act, Office of the Privacy Commissioner of Canada, report tabled 21 September 2017, page 13, accessed 12 October 2017.

Return to footnote 13

Footnote 14

For more information, see the EnCoRe (Ensuring Consent and Revocation) project, “Technical Architecture for the first realized Case Study”, dated 10 February 2010, and related documents, accessed 1 April 2016.

Return to footnote 14

Footnote 15

An example of this technology is HIPAAT’s Privacy eSuite. HIPAAT stands for Health Information Protection and Associated Technologies. Privacy eSuite consists of two service-oriented architecture (SOA)-based web services: a Consent Management Service which enables consumer, organizational and jurisdictional privacy policies to be administered and processed into computable access rules and a Consent Validation Service, which determines if a user’s access to a patient’s PHI is allowed based on the rules of the existing privacy policies.

Return to footnote 15

Footnote 16

The PrimeLife Policy Language (PPL) was developed by the PrimeLife Consortium as part of the European Commission’s 7^th Framework Project. For an overview of PPL, see “PrimeLife – Privacy and Identity Management in Europe for Life: Policy Languages”, January 2011. More detailed information on PPL is available in the PrimeLife document H.5.2.3, entitled “Draft 2^nd Design for Policy Languages and Protocols”, 7 July 2009. PrimeLife documents accessed 16 August 2017. See also “PrimeLife Policy Language”, Ardagna, C.A., et al, undated.

Return to footnote 16

Footnote 17

For more information on the Platform for Enterprise Privacy Practices (E-P3P), see, for example, “Platform for Enterprise Privacy Practices: Privacy-enabled Management of Customer Data”, Karjoth, G., Schunter, M., and Waidner, M., presented at the 2^nd Symposium on Privacy Enhancing Technologies, San Francisco, 14 – 15 April 2002, accessed 2 October 2017.

Return to footnote 17

Footnote 18

See OASIS XACML Technical Committee, accessed 2 October 2017.

Return to footnote 18

Footnote 19

See, for example, “Privacy Languages: Are we there yet to enable user controls?”, Zhao, J., et al, presented at the 25^th World Wide Web Conference, held in Montreal, Canada 11 – 15 April 2016, accessed 2 October 2017.

Return to footnote 19

Footnote 20

See, for instance, “P3P is no longer supported”, accessed 29 September 2017.

Return to footnote 20

Footnote 21

Definitions for some of the terms used in this document are taken from “A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity and Identity Management”, Pfitzmann, A. and Hansen, M., version 0.34, dated 10 August 2010, accessed 2 October 2017. Data minimization can be defined/described as minimizing the possibility of collecting personal data in the first place; minimizing the amount of personal information that is collected; and minimizing the amount of processing (e.g., use, transfer, disclosure, retention, etc.) that the personal information is subject to (see page 6, footnote 2).

Return to footnote 21

Footnote 22

It is not just websites that decline to collect IP addresses. Services such as ProtonMail (see specifically security details), Scryptmail, and Onion Mail also opt out of metadata collection.

Return to footnote 22

Footnote 23

See DuckDuckGo generally and specifically the site’s privacy policy, accessed 16 August 2017. Also included on this page is an explanation of what information is collected and shared by more traditional search engines, why this is potentially problematic and why DuckDuckGo opted not to collect or store this information.

Return to footnote 23

Footnote 24

See StartPage generally and specifically the site’s privacy policy, accessed 16 August 2017.

Return to footnote 24

Footnote 25

See Disconnect generally and specifically the site’s privacy policy, accessed 17 October 2017.

Return to footnote 25

Footnote 26

See Unbubble generally and specifically the site’s privacy policy, accessed 16 August 2017.

Return to footnote 26

Footnote 27

For more information, see Privacy Eraser, accessed 16 August 2017.

Return to footnote 27

Footnote 28

Private Browsing, sometimes referred to as “privacy mode” or “incognito mode”, allows users to browse the Internet without saving any information (e.g., entries in online forms or search bars, passwords, cookies, or temporary files (such as those saved for offline viewing of web pages)) about which sites and pages you’ve visited on your computer. Some browsers also implement Tracking Protection in Private Browsing, which prevents companies from tracking your browsing history across multiple sites. For further discussion of tracking protection, see, for example, “Tracking Protection Lists: A privacy enhancing technology that complements Do Not Track”, EFF website, dated 16 March 2011, accessed 12 October 2017.

Return to footnote 28

Footnote 29

See, for example, “The best free parental control software 2017”, Marshall, G., TechRadar, article dated 29 September 2017, accessed 2 October 2017.

Return to footnote 29

Footnote 30

In some instances, the communications content was not as ephemeral as promised. See, for example, “Snapchat, Kik, and 6 More Iffy Messaging Apps Teens Love”, Elgersma, C., Common Sense Media, 26 February 2016. See also “Ephemeral Apps”, Schneier, B., Schneier on Security Blog, 2 April 2014, accessed 28 September 2017.

Return to footnote 30

Footnote 31

For more information, see Snapchat, accessed 29 September 2017.

Return to footnote 31

Footnote 32

For more information, see Wickr. The app allows users to set an expiration time for their encrypted communications. It also strips metadata from all content transmitted through the network. For further discussion of the sensitivity of communications metadata see, for example, “Metadata and Privacy: A Technical and Legal Overview”, OPC Research Paper, dated October 2014, accessed 29 September 2017. See also “Evaluating the privacy properties of telephone metadata”, Mayer, J., et al, Proceedings of the National Academy of Sciences of the United States of America, dated 17 May 2016, accessed 2 October 2017.

Return to footnote 32

Footnote 33

For more information, see Confide, accessed 29 September 2017.

Return to footnote 33

Footnote 34

For more information, see FireChat, accessed 29 September 2017.

Return to footnote 34

Footnote 35

For more information, see PRIME project, accessed 16 August 2017.

Return to footnote 35

Footnote 36

Anonymity is defined as the quality or state of being unacknowledged or unknown. See, for example, American Heritage Dictionary of the English Language, Fifth Edition, 2011, Houghton Mifflin Harcourt Publishing Company, accessed 9 May 2017. Pfitzmann and Hansen define anonymity as “anonymity of a subject means that the subject is not identifiable within a set of subjects, the anonymity set” (Pfitzmann and Hansen, page 9).

Return to footnote 36

Footnote 37

For an easy-to-read description of the range of identity states that are possible, see “The Identity Spectrum”, Hamlin, K., IdentityWoman blog, 27 May 2010, accessed 29 September 2017. See also “The Inglis Jane ID Attribute Spectrum”, 17 November 2015, accessed 29 September 2017.

Return to footnote 37

Footnote 38

Anonymous Web-browsing and e-mailing services are available from companies such as Anonymizer, Hushmail, Guerilla Mail, and Mailinator, among others. See, for example, “16 Online Services to Send / Receive Anonymous Emails”, accessed 10 October 2017. Other anonymous communications services include Yik Yak, which was recently shut down (see “Yik Yak social media app shutting down”, CBC News, Business, 1 May 2017); Secret (shut down in April 2015), Whisper, and SnapChat. The article “Your Favourite Anonymous App Is Not Anonymous At All”, Estes, A.C., Gizmodo.com, 12 September 2014, points out that the anonymous apps really weren’t anonymous. All sites accessed September 2017.

Return to footnote 38

Footnote 39

There are other services available that provide similar services to Tor. See, for example, Freenet, I2P (The Invisible Internet Project), and Orbot (Tor for Android).

Return to footnote 39

Footnote 40

Other examples of “control” PETs include Sieve from the Massachusetts Institute of Technology (MIT) and Harvard University, aimed at allowing users to control how and when their data is accessed by applications. See, for example, “Secure, user-controlled data”, MIT news release dated 18 March 2016, accessed 28 July 2017. For a similar initiative, see the EnCoRe (Ensuring Consent and Revocation) project, accessed 28 July 2017.

Return to footnote 40

Footnote 41

For a more in-depth, yet accessible, discussion of identity, identification and other related concepts, see “Identity, Privacy and the Need of Others to Know Who You Are: A Discussion Paper on Identity Issues”, published in September 2007 by the Office of the Privacy Commissioner of Canada, accessed 27 September 2017.

Return to footnote 41

Footnote 42

These tools may also be considered data minimization tools.

Return to footnote 42

Footnote 43

See, for example, the discussion in the Introduction (page 7) of “Privacy-ABC Technologies, Personal Data Ecosystem, and Business Models: A feasibility study report”, prepared for the ABC4Trust Project, edited by Veseli, F. and Tesfay, W, dated January 2015, accessed 26 September 2017.

Return to footnote 43

Footnote 44

For more information, see U-Prove, accessed 26 September 2017.

Return to footnote 44

Footnote 45

For more information, see Identity Mixer. See also Privacy by Design Foundation and in particular, the discussion regarding the IRMA (I Reveal My Attributes) card. The claim is that the IRMA card is the only open source and practical implementation of Idemix. See “Efficient implementation of AND, OR and NOT operators for ABCs”, de la Piedra, A., published 2015. See also “Efficient Selective Disclosure on Smart Cards Using Idemix”, Vullers, P. and Alpar, G., published in the Proceedings of the 3rd IFIP WG 11.6 Working Conference on Policies and Research in Identity Management, IDMAN 2013, London, UK, 8 – 9 April 2013. This paper notes that both Idemix and UProve have been implemented on smart cards. All links accessed 26 September 2017.

Return to footnote 45

Footnote 46

For a more detailed discussion of this concept, and how it evolved, see “The Path to Self-Sovereign Identity”, Allen, C., dated 25 April 2016. The guiding principles appear towards the end of the article. See also “A gentle introduction to self-sovereign identity”, posted to the Bits on Block blog 17 May 2017. Both articles accessed 26 September 2017.

Return to footnote 46

Footnote 47

For more information, see “UPORT: A PLATFORM FOR SELF-SOVEREIGN IDENTITY”, Lundkvist, Dr. C., et al, draft paper dated 21 February 2017. See also “Ethereum identity system uPort working with Brazil’s Ministry of Planning” which describes a pilot implementation of UPort.

Return to footnote 47

Footnote 48

See, for example, “EDPS Opinion on Personal Information management Systems”, European Data Protection Supervisor Opinion 9/2016, dated 20 October 2016, accessed 27 September 2017. See also discussion (starting at page 10) of personal data management systems in “Rethinking Personal Data: A New Lens for Strengthening Trust”, World Economic Forum report prepared in collaboration with A.T. Kearney, published May 2014, accessed 10 October 2017.

Return to footnote 48

Footnote 49

A personal data ecosystem is one in which individuals will hold their own data and give permissioned and specific access to the companies they wish to share their information with. See, for example, “Introduction to the Personal Data Ecosystem”, or an illustration of the ecosystem, accessed 2 October 2017. See also Personal Data Ecosystem Consortium, DigiMe, Personal (merging with DigiMe), Datacoup, Sedicii and Meeco, accessed 11 October 2017.

Return to footnote 49

Footnote 50

A personal data dashboard is a way for individuals to track different types of personal information (e.g., calorie intake, activity level, sleep duration, etc.). See TicTrac generally and specifically “TicTrac is a Great Personal Data Aggregation Dashboard and Reporting Service”. Dashboards can also be used to manage privacy settings from one location. Other dashboards are offered by Google, Microsoft (also “Microsoft’s Personal Data Dashboard Gives You Control Over What Happens to Your Information”), and Facebook. The European PRIME and subsequent PrimeLife projects developed “Data Track” and “Personal Information” dashboards. Data Track was intended as a transparency-enhancing tool providing the user with a history function showing which documents what personal data the user has disclosed to whom, under which conditions, as well as with functions for accessing her personal data at remote services online. For more information, see “End User Transparency Tools: UI Prototypes”, edited by Wästlund, E. and Fischer Hübner, S., PrimeLife deliverable D.4.2.2 dated 29 June 2010. The dashboard was an extension for the Firefox browser. Work on the project stopped, however, in 2011 and the dashboards have had little use. All links accessed 29 September 2017.

Return to footnote 50

Footnote 51

These are tools that allow users to collect, store, and give fine-grained access to their data, including personal metadata, all while protecting their privacy. See, for example, OpenPDS/SA (Open Personal Data Store/Safe Answers) at. See also “OpenPDS: Protecting the Privacy of Metadata through SafeAnswers”, de Montjoye, Y-A., et al, published 9 July 2014, accessed 27 September 2017.

Return to footnote 51

Footnote 52

Sieve is intended to provide individuals a way to selectively disclose personal information to web services. Individuals tag the information with attributes such as the date or the individual’s location. Sieve then encrypts the information prior to sending it, along with the attributes, to the storage provider (e.g., the cloud). When a third party requests access to the data, the individual decides which information the third party is allowed to access, and Sieve provides the necessary information that allows the third party to decrypt (only) that information. For more information, see “Sieve: Cryptographically Enforced Access Control for User Data in Untrusted Clouds”, Wang, F. et al, published in the Proceedings of the 13^th USENIX Symposium on Networked Systems Design and Implementation (NSDI ’16), 16 – 18 March 2016, Santa Clara, CA, USA, accessed 28 September 2017.

Return to footnote 52

Footnote 53

Telefónica’s cyber security unit Eleven Paths has developed an application, called TACYT, which maps internet applications against the access and permissions they seek. The operator (Telefonica) will use this database to create a guidance system, in the style of nutritional labelling on food packaging, to warn customers about the services they install. Customers would then be able to use that information to manage app permissions, thereby enhancing their control over the information that the apps collect and share. Accessed 20 September 2017.

Return to footnote 53

Footnote 54

Privacy Box is intended as a standardized set of privacy settings or information which would apply across various platforms, including Internet browsers, tablets and smartphones. It would enable individuals to choose when to share information (e.g., location) and to determine how that information is used or disclosed to other parties. For more information, see “The Privacy Box: Enabling Consumer Choice and meaningful Consent in Online Privacy”, Lau, A., Public Interest Advocacy Centre (PIAC), published June 2017, accessed 20 September 2017.

Return to footnote 54

Footnote 55

For more information, see World Wide Web Consortium (W3C) P3P, accessed 1 April 2016. Unfortunately, P3P is not widely adopted or deployed. See also the Usable Privacy Policy Project, accessed 17 August 2017.

Return to footnote 55

Footnote 56

See, for example, “Creating a Policy-Aware Web: Discretionary, Rule-based Access for the World Wide Web”, Weitzner, D.J., et al, undated, accessed 29 September 2017.

Return to footnote 56

Footnote 57

See the TAMI project. The site does not appear to have been updated since 2008 or 2009. Site accessed 29 September 2017.

Return to footnote 57

Footnote 58

See “Research of User Privacy Negotiation and Protection Architecture based on Semantic Web”, Cai, L., et al, Department of Network Engineering, School of Software, Yunnan University, January 2008; “PPNP: A Privacy Profile Negotiation Protocol for Services in Public Spaces” , Tamaru, S. et al, Keio University,October 2003; or “Enabling Web Services Policy Negotiation with Privacy preserved using XACML”, Cheng, V.S.Y., et al, Department of Computer Science, Hong Kong University of Science and Technology, January 2007. All documents accessed 15 August 2017.

Return to footnote 58

Footnote 59

Wireshark® is a network protocol analyzer. It enables the capture and interactive browsing of traffic running on a computer network. Accessed 17 August 2017.

Return to footnote 59

Footnote 60

Fiddler is a free web debugging proxy which logs all HTTP(s) traffic between a computer and the Internet. It can also be configured to decrypt all HTTPS traffic, or traffic associated with specific sessions. Accessed 17 August 2017.

Return to footnote 60

Footnote 61

Data loss prevention (DLP) tools use business rules to classify and protect confidential and critical information so that unauthorized end users cannot accidentally or maliciously share data whose disclosure could put the organization at risk (e.g., blocking the uploading of corporate files to the cloud). Examples of DLP tools include DLP Monitor (McAfee), and Integrated DLP (Trend Micro). Other solutions are also being proposed. For example, a number of researchers at the University of California (UC) Irvine released a paper describing AntMonitor, an application aimed at preventing apps from leaking private information such as phone numbers, e-mails and device identifiers. See “AntMonitor: Network Traffic Monitoring and Real-Time Prevention of Privacy Leaks in Mobile Devices”, Shuba, A., et al, UC Irvine, July 2015. All documents accessed 17 August 2017.

Return to footnote 61

Footnote 62

These tools can provide visibility into application access and activity, operating system activity, data interactions (creation, modification, transmission, duplication, etc.) and user access to sensitive data.

Return to footnote 62

Footnote 63

For more information, see “McAfee Endpoint Threat Defense & Response”, accessed September 2017.

Return to footnote 63

Footnote 64

For more information, see Symantec Endpoint Protection 14, accessed September 2017.

Return to footnote 64

Footnote 65

Web transparency tools often take the form of browser plugins that allow users to see what organizations are tracking them. Some tools may only provide information about the trackers, while others have the ability to block or limit the tracking. These tools are gaining popularity among sophisticated users who understand the implications of web tracking and are willing to learn the tools to control their privacy, but their use is limited to a small subset of consumers. Furthermore, many advertising companies treat these tools as threats to their livelihood and actively pursue methods to defeat them. See, for example, “Ad blocking poses a major threat to digital media companies that depend on advertising for revenue”, Business Insider, dated 24 April 2016. For a brief survey of web transparency tools, see “A Survey on Transparency Tools for Enhancing Privacy”, Hedbom, H., undated. Both documents accessed 29 September 2017.

Return to footnote 65

Footnote 66

For more information, see Adblock Plus, accessed September 2017.

Return to footnote 66

Footnote 67

For more information, see Ghostery, accessed September 2017.

Return to footnote 67

Footnote 68

For more information, see Privacy Badger, accessed 2 October 2017.

Return to footnote 68

Footnote 69

For more information, see Content Guard, accessed September 2017.

Return to footnote 69

Footnote 70

For more information, see Digimarc, accessed September 2017.

Return to footnote 70

Footnote 71

Innovation, Science and Economic Development (ISED) Canada published its Transparency Reporting Guidelines on its website 30 June 2015, accessed 30 June 2017. The Guidelines were prepared to help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities.

Return to footnote 71

Footnote 72

There are a number of different trust marks offered. See, for example, “Trust marks report 2013: Can I trust the trust mark?”, October 2013, prepared by the European Consumer Centres Network (ECC-Net), accessed 16 August 2017. This report lists 54 different trust marks that consumers might encounter when shopping online within Europe. Other trust mark schemes operate in North America.

Return to footnote 72

Footnote 73

“Trust marks report 2013: Can I trust the trust mark?” page 7, October 2013, prepared by the European Consumer Centres Network (ECC-Net). Trust marks can be for identity/reputation (assurance that there is an actual, legitimate business behind a website that adheres to good business practices), security (assurance that the website is subject to regular security audits and vulnerability scans, uses proper encryption and so on) and privacy (assurance that the organization abides by a set of customer data management practices). Adapted from page 4 of “Trust Marks: What’s Behind the Label Counts”, Hochmuth, P., Yankee Group, February 2009, accessed 16 August 2017.

Return to footnote 73

Footnote 74

See, for instance, TrustArc, accessed 16 August 2017.

Return to footnote 74

Footnote 75

For more information, see TrustArc Enterprise Privacy Certification Standards, accessed 16 August 2017.

Return to footnote 75

Footnote 76

For a discussion of the limitations of trust marks see, for example, “Trust Marks: What’s Behind the Label Counts”, Hochmuth, P., Yankee Group, February 2009, accessed 29 September 2017.

Return to footnote 76

Footnote 77

See, for example, the Personal Information Protection and Electronic Documents Act (PIPEDA), Schedule 1, Principle 4.9, accessed 29 June 2017.

Return to footnote 77

Footnote 78

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, Canada focusing on advanced research and development at the intersection of Information and Communication Technologies (ICTs), human rights, and global security.

Return to footnote 78

Footnote 79

Open Effect is a Canadian not-for-profit that conducts research and advocacy focused on ensuring people’s personal data is treated securely and accountably.

Return to footnote 79

Footnote 80

Open Media strives to utilize participatory and community-led processes – modeling the values that should govern government and commercial decision-making – to show the way towards a more connected Canada and brighter digital future Canadians.

Return to footnote 80

Footnote 81

For more information on the tool, see Access My Info, accessed 19 May 2017.

Return to footnote 81

Footnote 82

See, for example, “What are your dating and fitness apps sharing about you?”, Chung, E., CBC News, 21 June 2016, accessed 29 June 2016. See also “Welcome to Access My Info”.

Return to footnote 82

Footnote 83

See, for example, Preliminary Opinion of the European Data Protection Supervisor “Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy”, dated March 2014, accessed 2 October 2017.

Return to footnote 83

Date modified:: 2017-11-15

Language selection

Search and menus

Search

Privacy Enhancing Technologies – A Review of Tools and Techniques

Table of Contents

Report prepared by the Technology Analysis Division of the Office of the Privacy Commissioner of Canada

Introduction

Scope

A Taxonomy of Privacy Enhancing Technologies

Informed Consent

Data minimization^{Footnote 21}

Data Tracking

Anonymity^{Footnote 36}

Control^{Footnote 40}

Negotiate Terms and Conditions

Technical Enforcement

Remote Audit of Enforcement

Use of Legal Rights

The "Failure" of PETs

So Now What?

Privacy Enhancing Technologies – A Review of Tools and Techniques

Table of Contents

Report prepared by the Technology Analysis Division of the Office of the Privacy Commissioner of Canada

Introduction

Scope

A Taxonomy of Privacy Enhancing Technologies

Informed Consent

Data minimizationFootnote 21

Data Tracking

AnonymityFootnote 36

ControlFootnote 40

Negotiate Terms and Conditions

Technical Enforcement

Remote Audit of Enforcement

Use of Legal Rights

The "Failure" of PETs

So Now What?

Table of Contents

Data minimization^{Footnote 21}

Anonymity^{Footnote 36}

Control^{Footnote 40}