FCS News


Privacy: A Social Bridge Enabling E‑Commerce and Economies

Posted by Faculty of Computer Science on September 17, 2014 in Graduate, Students, Research, Systems, Networks, Security, Faculty, News, Research

Researchers in Dalhousie's e-Privacy Lab are working on ways to strengthen privacy

“Without security and privacy, consumers will not trust…We are counting on the digital economy for jobs and growth in EU,” said Paul Timmers, Director of the Sustainable and Secure Society Directorate DG CONNECT, European Commission, in Athens 2014.

Dr. Peter Bodorik (Dalhousie Faculty of Computer Science), Dr. Dawn Jutla (Saint Mary’s Sobey School of Business and adjunct professor to Dalhousie’s Faculty of Computer Science) and graduate research students in the e-Privacy Lab are working on research that has an international impact on the emerging field of privacy engineering. Their work is helping inform the nascent privacy engineering field from technical, organizational, user, and governance perspectives. Privacy not only enables online commerce, but it protects the human right to be left alone and to control the dissemination of information. Privacy engineering is important in its promise to help shape increasingly online civil societies as well as support economic renewal from digital economies.

In the e-Privacy Lab, research and development is conducted on the architectures, methods, methodologies, and management building blocks for privacy and e-commerce. The team is translating their know-how into tools for privacy-enabling start-ups and larger businesses.

Privacy Engineering and Big Data

The digitization of vast quantities of information leads many stakeholders to collaborate on shared, standards-based, interoperable platforms. This convergence supports the efficient analysis and flow of information and so accelerates new discoveries. But significant discipline-based communication gaps exist among policymakers, businesses and software engineers. Where policymakers use rich textual language, software engineers communicate tersely with code snippets or pseudocode and visually with flow charts and sketches. Their partially standardized visual diagrams, screenshots and associated metadata are literally worth thousands of words. These are rich sources of documentation that can be put to many good uses, including closing communication gaps among multidisciplinary stakeholders and facilitating systematic audits. New standards-based approaches are required to help make the output of big data algorithms more secure and protected. The e-Privacy Lab specifically examines how such approaches can aid software engineers in embedding privacy, using new tools and services to visualize complex stakeholder interaction with software systems (see figure 1).

Figure 1: One software engineer’s visual for embedding privacy into IBM Watson’s Sloan Kettering Cancer Treatment applications.

Visualizing and Documenting

The primary purpose of documentation is to communicate. Organizations of all sizes rely on good documentation for rapid onboarding of employees onto a project. With high turnover rates, ensuring quality documentation is an essential operational item requiring strict management. The main software engineering methodologies (for example, traditional and agile) recommend frequent, high-quality documentation as a best practice. Agile modeling methodologies recommend documenting as late as possible and keeping a single version of the documentation. In practice, software engineers have started using tools such as JIRA to tag software requirements as security- and/or privacy-related and to document and store them in one place. Software engineering documentation may also serve as proof of compliance at an auditing level.

Moving Privacy R&D into International Standards

The vision behind years of R&D in privacy engineering and e-commerce work at Dalhousie University and Saint Mary’s University translates to thought leadership that is currently informing a major emerging international privacy standard from the OASIS Privacy by Design Documentation for Software Engineers Technical Committee (OASIS TC). Dr. Jutla, who is also Director of the Master of Technology Entrepreneurship and Innovation (MTEI) program at Saint Mary’s University, co-chairs the OASIS TC with Dr. Ann Cavoukian, Executive Director of the Privacy and Big Data Institute at Ryerson University, and former Information and Privacy Commissioner of Ontario.

“We require more successful university and private sector partnerships like these for a meaningful international impact of privacy R&D on commerce, healthcare, and governments,” says Dr. Bodorik, also a former director of the Master of Electronic Commerce program and Associate Dean at Dalhousie.

Research Examples 

Personal Context Agent Network (PeCAN)

The Personal Context Agent Network (PeCAN) platform provides common privacy services for users and businesses from the client side. It uses information-providing approaches to enhance user control over personally identifiable information. Building on a standardized XML-based vocabulary, PeCAN allows users to manage their own private data online. This includes services to log what data has been given to which organizations, under what terms, and what the user believes to be true about the organization. Users may also customize their privacy preferences according to different situations. The platform provides sophisticated information-providing services intended to help users avoid giving out information that others could use to harm their privacy.

PeCAN’s common service provides customized privacy preferences according to the context of use (for example: space, time, country, organization). PeCAN supports multiple privacy services, including services to maintain privacy contexts and user control mechanisms, and sixteen enumerated services that compare government privacy regulations, business privacy policies, and user data-handling preferences.
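To make the client-side services described above concrete, here is an added example (not the e-Privacy Lab's code, and not PeCAN's XML vocabulary): a context-keyed preference store where the most specific context wins, a comparison of a business's stated data-handling policy against the user's preference for that context, and a disclosure log recording what was given to which organization, under what terms, and what the user believes about that organization. The context keys, preference fields, sample policy and organization names are all constructed for illustration.

```python
"""Client-side privacy services in the spirit of PeCAN: a context-keyed
preference store, a policy-versus-preference comparison, and a disclosure log.
Added example, not the e-Privacy Lab's code; every name, context key and sample
policy below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Preference:
    share_with_third_parties: bool   # may the organization pass data on?
    max_retention_days: int          # longest retention the user accepts
    allowed_purposes: frozenset      # purposes the user consents to


# Preferences keyed by (country, organization type); "*" is a wildcard.
# The most specific matching context wins (constructed sample data).
PREFERENCES = {
    ("*", "*"): Preference(False, 365, frozenset({"service"})),
    ("CA", "*"): Preference(False, 730, frozenset({"service", "research"})),
    ("CA", "bank"): Preference(False, 3650, frozenset({"service", "fraud-detection"})),
}

# Disclosure log: what was given to whom, under which terms (starts empty).
DISCLOSURE_LOG = []


def resolve_preference(country, org_type):
    """Pick the preference for a use context, most specific key first."""
    for key in ((country, org_type), (country, "*"), ("*", org_type), ("*", "*")):
        if key in PREFERENCES:
            return PREFERENCES[key]
    raise KeyError("no default preference configured")


def compare_policy(pref, policy):
    """Return the ways a business policy conflicts with the user's preference.

    `policy` is a constructed dict with keys shares_with_third_parties (bool),
    retention_days (int) and purposes (list of str)."""
    conflicts = []
    if policy["shares_with_third_parties"] and not pref.share_with_third_parties:
        conflicts.append("third-party sharing")
    if policy["retention_days"] > pref.max_retention_days:
        conflicts.append(
            f"retention {policy['retention_days']}d exceeds {pref.max_retention_days}d")
    extra = set(policy["purposes"]) - pref.allowed_purposes
    if extra:
        conflicts.append("unconsented purposes: " + ", ".join(sorted(extra)))
    return conflicts


def record_disclosure(org, fields, policy, country, org_type, user_belief):
    """Log a disclosure with its terms, the detected conflicts and the user's
    belief about the organization; returns the new log entry."""
    pref = resolve_preference(country, org_type)
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "organization": org,
        "fields": sorted(fields),
        "terms": dict(policy),
        "conflicts": compare_policy(pref, policy),
        "user_belief": user_belief,
    }
    DISCLOSURE_LOG.append(entry)
    return entry


def disclosures_to(org):
    """All fields the user has ever given to this organization, sorted."""
    given = set()
    for entry in DISCLOSURE_LOG:
        if entry["organization"] == org:
            given.update(entry["fields"])
    return sorted(given)


if __name__ == "__main__":
    # Constructed policy of a Canadian retailer, checked against the CA default.
    policy = {"shares_with_third_parties": True, "retention_days": 1095,
              "purposes": ["service", "marketing"]}
    e = record_disclosure("shop.example", {"email", "postal_code"}, policy,
                          "CA", "retailer", "reputable, but sells marketing lists")
    print(e["conflicts"])
```

The comparison deliberately returns a list rather than a yes/no: the point of an information-providing service is to show the user exactly which terms differ from their own preference before they decide, and the log keeps that list alongside what was actually disclosed.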

Privacy Architecture for Web Services (PAWS)

A number of graduate students have been working on the research project, Privacy Architecture for Web Services (PAWS), under the supervision of Dr. Bodorik and Dr. Jutla.

Web services have emerged as a leading technology for exposing information, services, and resources over the web. They have become the main technology for software integration and are employed in most new IT startups. Any business that needs a layer of privacy on its web services can use PAWS (see figure 2) to monitor access to—and use of—private data stored in the organization’s database (DB) servers. Web service requests and replies are intercepted by the request and reply monitors, which check the data provided in a web service request and also check what is returned as the response to executing the service. The monitors consult the knowledge base, which holds information on the private data stored in the organization’s DB servers, to ensure that only a user with the appropriate rights accesses private data. The monitors also check that any use of private data is only for purposes the data subject has permitted by consent. When the organization obtains private data, it also obtains consent on the use of that data, either directly from the data subject (the person the data describes) or indirectly from the source of the data.

The knowledge base contains a wealth of privacy-related information: which web pages collect or provide private data, which applications and web services access private data and for what purposes, and which users invoke which applications and web services. The architecture gives a privacy engineer a toolbox to manage PAWS’ operation and the content of the knowledge base. For example, it provides a tool to inject various privacy services into software, such as a service for obtaining consent from data subjects when private data is collected from them, or a service for authenticating a user seeking access to private data. A software privacy information agent assists the engineer by auditing the log records of access to the DB servers and the log records of web service requests and replies, to keep the knowledge base up to date. Currently, these tools are being integrated into a privacy toolbox, or tool suite, that gives the privacy engineer a consistent user interface to control the request and reply monitors, guide the privacy agent, and manage the content of the knowledge base.

Figure 2: The PAWS architecture
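The request and reply monitors described above are easier to reason about with a concrete model of what they decide. The following is an added example, not PAWS itself or any e-Privacy Lab code: a small knowledge base (which DB fields are private, which roles may read them, and which purposes each data subject has consented to), a request monitor that checks both the right and the consented purpose before the service runs, a reply monitor that strips private fields a service returned without a basis, and an access log of every decision for a privacy agent to audit later. The roles, field names, consent records and stored record are all constructed.

```python
"""Request/reply monitoring in the spirit of PAWS: a request monitor that checks
rights and consented purpose against a knowledge base before a web service runs,
a reply monitor that strips anything the service returned without a basis, and
an access log for a privacy agent to audit. Added example, not the lab's code;
the knowledge base, consent records, roles and stored record are constructed."""
from dataclasses import dataclass, field

# --- Knowledge base (constructed) ------------------------------------------
PRIVATE_FIELDS = {"email", "phone", "diagnosis"}   # private data held in the DB
ROLE_RIGHTS = {                                     # which roles may read what
    "clinician": {"email", "phone", "diagnosis"},
    "billing": {"email", "phone"},
    "marketing": set(),
}
# Consent by data subject: field -> purposes the subject agreed to.
CONSENT = {
    "p-001": {"email": {"care", "billing"}, "phone": {"care"}, "diagnosis": {"care"}},
}
# Stored records (constructed).
DB = {"p-001": {"name": "A. Subject", "email": "a@example.org",
                "phone": "555-0100", "diagnosis": "example-only"}}

ACCESS_LOG = []   # every monitor decision, for the privacy agent to audit


@dataclass
class Decision:
    allowed: bool
    denied: list = field(default_factory=list)   # (field, reason) pairs


def _field_check(role, subject_id, f, purpose):
    """Reason a private field may not be used, or None if the use is permitted."""
    if f not in PRIVATE_FIELDS:
        return None                                   # non-private: no check needed
    if f not in ROLE_RIGHTS.get(role, set()):
        return "no right"
    if purpose not in CONSENT.get(subject_id, {}).get(f, set()):
        return "no consent for purpose"
    return None


def request_monitor(role, subject_id, fields, purpose):
    """Check each requested field for a right *and* a consented purpose."""
    denied = [(f, reason) for f in fields
              if (reason := _field_check(role, subject_id, f, purpose))]
    decision = Decision(not denied, denied)
    ACCESS_LOG.append({"stage": "request", "role": role, "subject": subject_id,
                       "fields": list(fields), "purpose": purpose,
                       "allowed": decision.allowed, "denied": list(denied)})
    return decision


def reply_monitor(reply, role, subject_id, purpose):
    """Drop private fields the service returned without a right or consent.
    This catches a service that returns more than the request justified."""
    kept = {}
    for f, value in reply.items():
        reason = _field_check(role, subject_id, f, purpose)
        if reason is not None:
            ACCESS_LOG.append({"stage": "reply", "role": role, "subject": subject_id,
                               "stripped": f, "reason": reason})
            continue
        kept[f] = value
    return kept


def serve(role, subject_id, fields, purpose):
    """The intercepted call: request monitor, then the service, then reply monitor."""
    decision = request_monitor(role, subject_id, fields, purpose)
    if not decision.allowed:
        return decision, None
    record = DB[subject_id]
    reply = {f: record[f] for f in fields if f in record}   # the "web service"
    return decision, reply_monitor(reply, role, subject_id, purpose)


if __name__ == "__main__":
    print(serve("clinician", "p-001", ["name", "diagnosis"], "care"))
    print(serve("clinician", "p-001", ["diagnosis"], "billing"))   # right, no consent
```

Two design points worth noting: the right (role may read the field) and the consent (subject permitted this purpose) are checked separately, so the log records which of the two was missing, and the reply monitor re-runs the same per-field check on whatever the service actually returned rather than trusting that it returned only what was requested.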