Potential privacy issues in the Microdesic system (using the Solove taxonomy)
Our first step in the privacy analysis to understand the underlying business concept. For Microdesic, the concept is fairly simple:
- Identity an individual
- Create a token tied to but cryptographically unlinked to the individual identity or to other tokens
- Allow for the unlinkable (to identity) spending of that token offline and online
- Except where the individual attempts to defraud us, in which case we can re-identity them and sanction them.
As mentioned in the previous post, my goal here is not to do Privacy by Design for the Microdesic customer (the business that allows its consumers to use the tokens to pay for goods and services). Microdesic is a tool that those business can use to implement their services in a privacy friendly way. What our aim here is to design privacy into the framework of how Microdesic itself operates. I hope that distinction is clear.
So let us run through Dan Solove’s Taxonomy of Privacy to see what issues might be lurking in the basic concept behind Microdesic. Our goal isn’t, at this stage, to identify any controls or mitigation opportunities, but simply to bring awareness to the issues.
Surveillance (the watching, listening to, or recording of an individual’s activities) – Microdesic could be using surveilled information (IP addresses for instance) to identify individuals.
Interrogation (questioning or probing for information) – Microdesic could be interrogating individuals to identify them (what’s your name?).
Aggregation (the combination of various pieces of information) – Microdesic could link identification information to other data (for instance pulling a credit report).
Identification (the linking of information to a particular individual) – Microdesic will be collecting identifying information, it could attempt to link transaction data to identified information.
Insecurity (carelessness in protecting information from leaks or improper access) – Microdesic could expose identity information about who is using the service.
Secondary Use (information collected for one purpose is used for another purpose) – Microdesic could use the identification information for another purpose (such as to market other pro-privacy services).
Exclusion (failure to let a data subject know about the data that others have about her and participate in its handling or use) – Microdesic will be excluding people based on fraudulent activity. It could exclude people based on information we don’t tell them about.
Breach of Confidentiality (breaking a promise to keep a person’s information confidential) – Since Microdesic is pitching a privacy based service, there could be an implied duty of confidentiality, thus if Microdesic were to reveal information about the information, it might breach that duty.
Disclosure (involves the revelation of truthful information about a person that impacts the ways others judge her character) – Microdesic could reveal users of its service thus causing others to judge those people as having something to hide.
Exposure (involves revealing another’s nudity, grief, or bodily functions) – Microdesic is unlikely to expose anyone’s nudity, grief or bodily functions through this service.
Increased accessibility (amplifying the accessibility of information) – Microdesic is not taking existing information and making it more available.
Blackmail (threat to disclose personal information) – Ashley Madison is a perfect example of where someone’s information could be used for blackmail. Microdesic runs the risk that if data were compromised it could expose their use or payment for a service that could be used to blackmail them.
Appropriation (involves the use of the data subject’s identity to serve the aims and interests of another) – If someone were able to appropriate the identify of an individual through Microdesic they could use services as the victim of the appropriation.
Distortion (consists of the dissemination of false or misleading information about individuals) – Microdesic is not disseminating any information to others. Microdesic could falsely sanction someone as a fraudster, but no outside party would be told this, though a security breach could expose this to others.
Intrusion (invasive acts that disturbs one’s tranquility or solitude) – While Microdesic could spam people, that is not part of the underlying service and would be completely superfluous.
Decisional Interference (incursion into the data subject’s decision regarding her private affairs) – Not likely given the business.
As you can see, there are quite a few possible privacy issues to contend with. In the next part of our series, I’ll explain the mitigating controls that were put in place to avoid some of the above identified issues.