
EP3 Foundation Privacy Networks

Empowering People with Data, Privacy, and Personalization

Marsali Hancock, CEO & President
Sandra Elliott, Ph.D., Chief Education Officer
Elinela Pérez, LL.M, CIPP/E, VP, Global Privacy

CONTENTS

Contents ........ 2
Why it matters: Private Data Sharing ........ 4
The internet we have ........ 5
Moving to the trusted internet experience we want ........ 10
Who we are: About EP3 Foundation ........ 11
What we do ........ 12
How we do it ........ 13
Areas of Impact ........ 15
Results ........ 19
Start today! ........ 20
Glossary ........ 21
Endnotes ........ 22


EXECUTIVE SUMMARY
Why It matters: Private Data Sharing

Data and the information that is derived from its attributes are the lifeblood of our successes and failures as individuals, businesses, organizations and governments, making better protection a top priority for all. In today's connected world, data flow is more than a central theme of the global economy; it is a source of wellbeing and public value.

Leveraging data leads us to better health treatments, better opportunities for students across their educational journey, more organized cities, a higher understanding of our society, and greater economic growth and social development.

As organizations continue to retain as much information as possible, data is now the new raw material of business, an economic input almost on a par with capital and labour.[1] In the United States alone, the data economy contributes more than $1 trillion to the country's economy per year.[2] This trend continues to grow at the same pace as the conflict between the value of data and individual privacy and security.

Data's potential is enormous, but to unleash those benefits it is necessary to reshape data protections. Security breaches and attacks chip away at our trust in the accuracy of the data that we use, the people who can access it, and the devices that send it. Today, individuals are at the mercy of enterprises to protect their privacy, while political and commercial purposes lie behind entities that find in data-related technologies the perfect instrument to capitalize on people's information and influence individuals' behaviours and decisions.

The legal landscape is also insufficient and difficult to navigate. Companies need to comply with an increasingly wide range of strict security and privacy rules that come from multiple and unfamiliar jurisdictions. This fragmented regulatory framework varies fundamentally, creates obstacles to guaranteeing privacy across the world, and imposes heavy burdens on businesses.

For this reason, and despite the benefits of accessing and aggregating data, information is at risk, disjointed, and stovepiped on different architectures, leaving organizations and individuals unable to benefit from the new ideas, research, technologies, and best practices that accompany privacy-preserving data flows. People and organizations disagree on what is required to verify individuals, their roles, and the requirements to share sensitive information, and they continue relying on “all or nothing” policies for information sharing: a scenario in which everybody loses.

Building trust and confidence in the online world is a fundamental challenge. Meeting it ensures that the opportunities emerging from the flow of information can be fully leveraged, allowing individuals, organizations and technologies to protect information without affecting the ability to analyze, link, and use the data needed to create growth and value.

THE INTERNET WE HAVE

The internet was designed to keep communication lines open

The Internet is a design philosophy and an architecture expressed in a set of protocols.[3] This design was meant to ensure resilient communication networks, even during natural or manmade disasters. It was never designed to be private. It began as a government-funded project to build decentralized communication networks. The design has brilliantly scaled and enabled rapid growth and global expansion.

It was not until the late 1980s that the web was commercialized. The internet has evolved substantially, fueled by new innovations and business models based on commercial interests and financial returns on investments. Now, commercial and government platforms dominate infrastructures, services, and applications and consolidate their power, controlling choices and online experiences through a data-driven model focused on user segmentation and online advertising.

As more and more people go online, data about them makes it easier for web companies to target ads, improving the likelihood that people purchase products and services or remain longer on a web platform. The more industries know about our individual hopes, fears, and desires, the better they are able to serve content and ads that people find interesting or relevant, turning highly sensitive personal data into cashflow.

Our society is producing data at a pace that is unprecedented in human history. 90% of all data was created in the last two years alone, and 2.5 quintillion bytes of data are generated each day,[4] a rate that continues accelerating given the growth in new users, connected devices and technologies. Banks, schools, public agencies, smart objects, traffic monitoring systems, doctors, pharmacies and insurance companies, among many others, are also creating data about us: when we commute to work, go to school, get medical treatment or even when we sleep.

This data tells and commercializes our life story as individuals and communities. It identifies the important people in our lives, with whom we communicate, the people we call or text, our school records and even our chances to succeed in life. Under this model, individuals remain unaware of how, and for what purposes, their personal data is sold, collected, stored, and used, or whether they have the right to demand changes, erase personal data or prevent further data collection and use.

However, this design is unable to keep information protected

The initial internet design philosophy prioritizes open communications. Year after year this has proven that we are unable to keep information safe and secure. 2017 was the worst year recorded in history for data breaches.[5] These attacks undermine not only online trust, but also the institutions and political processes that rule our society.[6] From hacking networks to steal personal information, to security breaches, and attacks that impact democratic processes, the scope and severity of cyber attacks is steadily growing. These breaches chip away at our trust in the accuracy of the data that we use, the people who can access it, and the devices that send it.

Today, the highest risks to privacy and security are at the ends of the network, the places where people access and authorize data use. For the first time since 2007, human mistakes caused more data loss than malicious intrusions into networks, compromising 5.4 billion records.[7] Humans, even those with cyber-savvy skills and competencies, are at the mercy of the security systems on the technology they use.

The constant connectivity and the user-linked data sharing model also create greater risks for information to be abused and compromised. Children, adolescents and new web users are at the center of these risks,[8] as technologies are continuously employed in online scams, child exploitation, cyberbullying, sexual harassment and peer aggressions that often target the least tech savvy.

These challenges increase exponentially in a society that is being shaped by the internet of things (IoT). Individuals are surrounded by a broad range of connectable devices, such as smartphones or home hubs, through which they constantly leave a digital trail and share not only more information about themselves but also more sensitive information. These devices create multiple connection points for hackers to gain entry into IoT ecosystems, access customer information, and even penetrate manufacturers' back-end systems.

The monetary costs of the attacks are also enormous. In 2017, the global cost of ransomware attacks exceeded $5 billion. And, according to recent studies, these attacks as a whole are projected to cost the world more than $6 trillion by the end of 2021.[9]

Despite the rapidly evolving security risks and staggering costs, stakeholders are unable to identify the risks and put into practice the adequate mechanisms needed to prevent attacks. Insufficient attention to security undermines trust in the internet and increases vulnerabilities. Safeguarding the information and privacy of individuals is the obligation of any person, organization, or technology accessing personal information, regardless of the source. The status quo no longer works.

The legal landscape is complex, fragmented, and imposes heavy burdens on organizations

Given the amount of data collected and the lack of individual control, privacy and security, privacy regulations are becoming more complex and comprehensive. Failing to protect sensitive data can lead to regulatory investigations, sanctions, and lawsuits. In our modern, interconnected global economy, being compliant with one jurisdiction is not sufficient. Companies need to comply with an increasingly wide range of strict security and privacy rules that come from multiple and unfamiliar jurisdictions and accommodate different rights and multiple standards. This fragmented regulatory landscape creates obstacles to guaranteeing privacy across the world and imposes heavy burdens on businesses that affect their chance to grow and compete.

Policy, Proprietary, and Legacy Data Silos

As a result, data is held in multiple records and lost among regulations, contracts, and policies that build fragmented islands of information.

Despite the significant benefits that arise from the ability to share information, people and organizations are unable to unleash its true potential. People cannot find, access, and use their own information, while service providers continue missing out on powerful competitive tools. Policies, proprietary and legacy systems have formed an array of barriers that impede the free flow of data. Information is commonly disjointed and stovepiped on different architectures, leaving organizations and individuals unable to benefit not just from the new ideas, research, technologies, and best practices that accompany quality, privacy-ensured data flows but also from the day-to-day goods and services that rely on data.

“All or None” restrictions

Current policies allow “all or nothing” information sharing. Today, we lack a universally accepted process to allow for only partial sharing. This “all or nothing” flow of attributes, data, and information drives our world and generates significant privacy and security challenges that must be addressed. For example, when we “check the box to agree” while using connected devices and applications, we give our permission to all of the data uses listed in the company's privacy notice. We cannot agree to some of the terms and not others.

Lack of individual control

Legitimate concerns over privacy and confidentiality affect data flow as a source of wellbeing. Now, perhaps more than ever before, consumer anxiety about privacy is intensified when people realize that they do not know which organizations have their data, what is known about them, and how they are using, or misusing, their information. Moreover, the traditional enterprise-centric system and its mechanisms for enforcing security policies have failed to keep information safe and interconnected. Companies control access to data and survey user activity in order to implement security policies reliably. Yet despite these actions, they are still unable to protect information and, worse, unwilling to provide or enforce meaningful individual control.

Lack of Trust

Widespread “all or nothing” data sharing as a driver of wellbeing is not sustainable without trust and transparency. People and organizations disagree on what is required to verify individuals, their roles, and the requirements to share sensitive information. As a consequence, individuals and organizations are kept from linking and sharing the data needed to advance research, innovation, and wellbeing.

In a nutshell: The current Data Systems impact our privacy and security

Data-driven decision-making systems increasingly impact our lives. Data used in machine learning and AI are established by the devices and networks that we use combined with the networks and devices used by others who process information about us or for us. These personal identifiers are duplicated and used by many types of organizations including governments, financial institutions, and schools. The Hancock Privacy Pattern[10] provides use-case frameworks to foster ethical data governance, standards and accreditations needed for data models that protect privacy, comply with privacy laws, and improve our ability to personalize.

[Figure: Hancock Privacy Pattern]

MOVING TO THE TRUSTED INTERNET EXPERIENCE WE WANT

The main goal is not just to respond to the biggest privacy threats, but to enable people to benefit from the enormous opportunities connected to the flow of data without sacrificing their privacy and security. This is a great challenge that requires improving current data paradigms and embracing innovation as the only path to satisfy the demand for trusted data flow. In the end, the power of the web rests on users' willingness to trust it.

The new EP3 Privacy Networks respond to this challenge and automate and enforce privacy frameworks. These networks enable attribute-level data sharing, enhanced security, and decision intelligence. For the first time, comprehensive real-time data will be available to determine how to create healthy, sustainable communities while also respecting the security and privacy of individuals.

Human skills alone cannot protect individuals' privacy and security. Safe digital environments require new privacy paradigms[11] combined with critical digital skills and competencies. It is vital to establish new systems to turn data flows into successes and ensure the internet serves as a driver for innovation, scientific research, economic growth and social development. How we manage the internet and the deployment of IoT, AI, blockchain and other technologies will determine whether our society is able to move toward an internet that benefits all people around the world.

WHO WE ARE: About EP3 Foundation

EP3 Foundation, a 501(c)3 nonprofit, is a multi-sector community of standards organizations, industry leaders, researchers, and government agencies committed to privacy-preserving data sharing. Our mission is to improve health, education, and wellness by empowering people with data privacy and personalization.

WHAT WE DO

We build trusted privacy networks based on collaborative efforts to protect information and improve the ability to analyze, link and use the data needed to help individuals to thrive. The Foundation works to:

Convene global policy authorities

The EP3 Foundation convenes global, national, and regional policy authorities to set the rules and governance for new credentials and certifications that establish vendor-neutral privacy networks.

Develop new trust models expressed in data protocols

The EP3 Foundation builds and certifies trust models: the rules and standards required for individuals and organizations to send and receive data. EP3 “Trust Models” are expressed in web protocols, the rules that automate privacy, ensure data security and improve personalization. They bind, hash, and commit usage rules to your data at the smallest attribute level. Each attribute is digitally signed by its established global and regional issuing trust authority, and then cryptographically bound together. Automating privacy protocols exponentially reduces and eliminates identity theft, fraud, and cybersecurity breaches.

We enable Privacy Networks and Trust Models to:
● Find, access, link, and safely share data at the attribute level, protecting sensitive information.
● Automate data governance and comply with policies, licensing, privacy and cybersecurity requirements.
● Control policies for privacy, security, and personalization.
● Compute on comprehensive, pseudonymized, obfuscated, crypto-hashed, distributed and partitioned data.

Provide Accreditations and Certifications

Trust Criteria (the rules) and Trust Credentials (which certify that the rules have been met) are issued by trust authorities, allowing diverse resources published by disparate organizations to be interoperable, easily shared and trusted across the ecosystem. The EP3 Foundation has developed Accreditation and Certification Programs that verify the Criteria and Credentials. These in turn enable interoperable digital exchange based on privacy, security, identity verification, and authentication. These programs also provide third-party credibility via their ability to grant accreditation for stakeholders to achieve a trusted environment where privacy and security requirements are maintained.

Social Norming and Scale

In addition, the EP3 Foundation serves policy leaders looking for solutions to protect their communities from privacy and security risks. We provide leadership outreach, education, and PR campaigns to help policy leaders social-norm, or confirm, community expectations for new data governance practices. To that end, the EP3 Foundation, a founding member of the Trusted Network Accreditation Program (TNAP), addresses the requirements to provide third-party accreditation for healthcare stakeholders, data registers, labs, providers, payers, vendors, and suppliers.

HOW WE DO IT: Trusted Data Attributes

We collaborate with stakeholders and trust authorities to set the rules and governance to develop new credentials and accreditations that establish vendor-neutral networks. The critical difference between our networks and previous data paradigms revolves around the current concept of the word “share.” Currently, when data and the information it brings is “shared,” it is usually copied. Anyone with access may also create some type of copy that is then hosted in new locations, with all of the associated risks that go with sensitive information being used, accessed, or stored. Instead of allowing others to copy the information, EP3 Foundation networks enable authorized networks to access the same data inside the protected software-defined perimeter.

EP3 Privacy Networks are based on forward-thinking innovations that, together with the neutral governance of the EP3 Foundation, create Privacy Networks that allow organizations and individuals to pool, anonymize, share, and analyze sensitive data while complying with privacy and security regulations.

Network participants take comprehensive, sensitive information and transform it into pseudonymized, obfuscated data, known as Trust Blocks. These Trust Blocks are then partitioned and distributed across multiple privacy networks managed with keys. Within the software-defined perimeter, Trust Blocks receive a variety of aggregates, analytic outputs, and resources from additional privacy networks. The EP3 Privacy Networks cryptographically bind different trust criteria, trust credentials and different resources to the attribute-level Trust Blocks.

These Trust Blocks differ from old data packets in that they automate enforcement and verify identities across multiple participating networks, giving people, for the first time, control over what data is shared and with whom, and the ability to withdraw that permission or delete the data across the entire network. The Trust Blocks also exponentially reduce the risk of a breach because the information inside the block is now fully opaque. Even if someone unauthorized were to access the Trust Blocks, no data breach notifications are required because no information was disclosed. This reduces your risk of creating “honey pots,” or target-rich environments.
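The attribute-level signing and binding described under “Develop new trust models” and the opaque, selectively shareable Trust Blocks described here rest on one underlying pattern: commit to each attribute separately, bind the commitments under an issuer's signature, and let the holder open only the attributes a recipient needs. The Python below is an added illustration of that pattern written for this page; it is not EP3 Foundation code and does not reproduce the Trust Block format, the key management, or the partitioning across networks that the brochure mentions. ISSUER_KEY, the function names and the student record are constructed for the example, and an HMAC stands in for the issuer's digital signature so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical issuer key. HMAC-SHA256 stands in here for the trust
# authority's digital signature so the example runs on the standard library
# alone; a deployment would use an asymmetric signature (e.g. Ed25519) so
# that verifiers hold no secret.
ISSUER_KEY = b"constructed-demo-issuer-key"


def commit_attribute(name, value, salt):
    """Salted SHA-256 commitment to one attribute.

    Without the salt the digest reveals nothing about low-entropy values
    such as a birth date, which is what makes the stored block opaque.
    """
    data = name.encode() + b"\x00" + salt + b"\x00" + value.encode()
    return hashlib.sha256(data).hexdigest()


def bind_commitments(commitments):
    """Bind every attribute commitment into one root hash.

    Sorting by attribute name makes the encoding canonical, so holder and
    verifier derive the same root from the same commitments.
    """
    canonical = json.dumps(sorted(commitments.items())).encode()
    return hashlib.sha256(canonical).hexdigest()


def issuer_sign(root, key=ISSUER_KEY):
    """Issuer 'signature' over the binding root (HMAC stand-in, see above)."""
    return hmac.new(key, root.encode(), hashlib.sha256).hexdigest()


def issue_trust_block(attributes, salts=None, key=ISSUER_KEY):
    """Issue a block for a holder's attributes.

    Returns (block, salts). The block carries only commitments, the root
    and the issuer signature; plaintext values and salts stay with the holder.
    """
    if salts is None:
        salts = {name: secrets.token_bytes(16) for name in attributes}
    commitments = {name: commit_attribute(name, attributes[name], salts[name])
                   for name in attributes}
    root = bind_commitments(commitments)
    block = {"commitments": commitments, "root": root,
             "signature": issuer_sign(root, key)}
    return block, salts


def disclose(block, attributes, salts, names):
    """Holder reveals only the named attributes (value plus salt).

    Every other attribute is presented solely as its opaque commitment,
    which is the partial sharing that an all-or-nothing model cannot offer.
    """
    revealed = {n: {"value": attributes[n], "salt": salts[n].hex()} for n in names}
    return {"block": block, "revealed": revealed}


def verify_disclosure(disclosure, key=ISSUER_KEY):
    """Verifier checks issuer signature, binding, and each opened attribute."""
    block = disclosure["block"]
    # 1. The root must be the one the issuer signed.
    if not hmac.compare_digest(issuer_sign(block["root"], key), block["signature"]):
        return False
    # 2. The presented commitments must bind to that root (no attribute
    #    added, removed or swapped after issuance).
    if not hmac.compare_digest(bind_commitments(block["commitments"]), block["root"]):
        return False
    # 3. Each revealed value must open its own commitment.
    for name, opening in disclosure["revealed"].items():
        if name not in block["commitments"]:
            return False
        recomputed = commit_attribute(name, opening["value"], bytes.fromhex(opening["salt"]))
        if not hmac.compare_digest(recomputed, block["commitments"][name]):
            return False
    return True


def demo():
    """Constructed student record: share one attribute, detect a forged one."""
    attributes = {"date_of_birth": "2009-03-14", "school_id": "S-12345",
                  "reading_level": "grade 6"}
    block, salts = issue_trust_block(attributes)
    # A tutoring service needs only the reading level.
    partial = disclose(block, attributes, salts, ["reading_level"])
    accepted = verify_disclosure(partial)
    # The same block cannot be used to assert a different reading level.
    forged = disclose(block, {**attributes, "reading_level": "grade 9"}, salts, ["reading_level"])
    rejected = not verify_disclosure(forged)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

demo() returns (True, True): the verifier accepts the single disclosed attribute because it opens a commitment that is bound under the issuer's signature, and rejects a substituted value, while the block itself holds only salted digests, so a copy of it leaks nothing about the undisclosed attributes. What this sketch does not provide is the withdrawal of permission or deletion across networks that the text describes; that requires key management and network-side enforcement beyond a single signed block.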

AREAS OF IMPACT

Overcome data silos and automate compliance

For the first time, comprehensive real-time data is available to determine how to create healthy, sustainable communities while also respecting the rights and privacy of individuals. Our Privacy Networks ensure the technology experience we want and hope for when we invest in connected technology. We:
○ Protect individuals and their data from malicious and criminal use.
○ Exponentially reduce waste, fraud, and abuse, including identity theft.
○ Ensure patient and student safety in a way that also protects their privacy.
○ Enable and enforce patient and student permissions.
○ Enable global population and public health with quality data from multiple sources, including across national borders.
○ Improve child safety by ensuring their identity is separated from their unique device identifiers and browser fingerprints.
○ Improve internet trust and protect our internet infrastructure from denial-of-service attacks and ransomware.
○ Bring new value to personal information, providing additional financial incentives to new, emerging communities.
○ Provide a safe harbor for companies complying with dynamic, global privacy and processing requirements, especially in managing data from children, youth, and education.

Allow privacy-protected data exchange

Access to quality data enables decision intelligence, making evidence-based decisions but not at the expense of individual privacy. Data about an individual can be viewed but not linked back to them, and is shared only by specific permission and use. It also enables collaborative innovation in any industry that requires coordination and relies upon privacy-sensitive, proprietary or regulated data.

Privacy Networks and Dashboards

Health and Safety

Unifying and leveraging data, so that what people experience is valuable and personalized, cannot continue to be sacrificed. This is especially true in healthcare, where personalized medicine opens a bright future of opportunities that lead to better care for patients and ultimately benefit low-income communities with high burdens of disease.

EP3 Foundation enables health information interoperability by partnering with the leading health and cybersecurity authorities to establish the accreditations for health systems using our data protocols.[12] In healthcare, we have decision intelligence for personalized networks based on an individual's location, lifestyle and genome. These improve transparency and accountability across the entire ecosystem. They also give public and population healthcare providers the ability to detect, intervene and conduct privacy-preserving surveillance. Doctors and providers of care can better coordinate comprehensive, integrated care. For example, the healthcare ecosystem's pooled data resources, managed at the attribute level, include insurers, providers of care, hospital systems, and payees. With comprehensive health data we can discover new models that improve treatment and recovery outcomes, all while meeting the strict privacy protections for patients.

Education

Educational technology systems collect an enormous amount of data to improve learning outcomes and resource efficiencies. However, the diverse systems where the data is stored, the exponential number of devices, tools, vendors and individuals accessing the data, and the lack of unified standards regarding the protection of students' data present both privacy and security concerns. The most common cybersecurity incidents or attacks in U.S. schools include phishing, unauthorized entry or disclosures, ransomware, denial-of-service, and other cybersecurity incidents, resulting in school disruptions and unauthorized disclosures.

We partner with leading child safety experts and student privacy advocates to create the privacy and security accreditations that enable educational institutions to provide better security for sensitive student and educator information and decrease security issues.

EP3 Education Networks empower students, parents, and educators with easy access to their privacy-protected information. Data can be analyzed and personalized. This resolves educational problems, informs academic practices, refines learning approaches, and reaches educational goals, without revealing personal or sensitive information. Our networks connect education systems to give students and teachers the information needed to support learning and personal growth. By supporting privacy-preserving access to and analysis of comprehensive student records, online learning activities and other data, it is possible to provide effective personalization, adaptive learning and superior teaching methods, with more accurate assessment and personalized feedback on student progress, achievement and knowledge gaps, all with the enhanced security needed for data that will be attached to a person for their lifetime, from educational records to teaching certifications.

Students and teachers benefit from data analysis as it guides their paths to a better education and secure access to technology-enhanced tools. The research and education community benefits from access to large pools of data that can be used to advance our knowledge of teaching and learning.

Entertainment

Organizations in the entertainment business are also targets for cybercrime, consumer demands, and regulatory pressures. It is important for these companies to have in place all the necessary mechanisms to protect the confidential information of individuals and affiliated parties, without affecting access to their content, services, and revenues.

Personalized Entertainment Networks encourage creativity and reward the people who create and share their work online, while protecting the identity and rights of consumers and content creators, and reducing unauthorized use. These networks also enable privacy-preserving advertising networks. For the first time, Advertising Networks will be able to empower consumers and allow precision anonymous advertising, frictionless e-commerce and expanded markets for personalized messaging using highly sensitive, regulated, and proprietary data.

RESULTS

The implementation of EP3 Privacy Networks allows:
● Decision intelligence that identifies and enforces data safety policies;
● Trust that our data can be protected;
● Enforcement of national and international laws for our personal privacy domains;
● The means to better protect information;
● Data governance that is automated and complies with policies, licensing, privacy and cybersecurity requirements;
● Pseudonymized, obfuscated, crypto-hashed, and partitioned data to protect personal information while leaving it computable; and
● Decision intelligence for personalized networks based on an individual's location, lifestyle and genome.

Everyone can leverage Privacy Networks that use Trust Blocks with current data systems to:
PROTECT privacy and confidentiality
VERIFY identity & roles across many networks
LINK privacy-protected data at granular levels
SHARE information only when allowed
ENFORCE policies automatically

START TODAY

To address privacy and security, organizations and governments alike must secure information, ensure confidentiality and protect privacy, while also giving individuals the capacity to access and aggregate the information they are authorized to use. It is time for organizations to take greater responsibility for how they protect users' data and how they can proactively stop harmful practices affecting people's privacy. Privacy compliance is more than just a legal requirement; it is also an ethical obligation that imposes real business costs on those not taking it seriously.

Start today! Participate in networks certified for privacy, security, and regulatory compliance. The Foundation has demonstration and pilot initiatives for building privacy networks to be accredited by legacy trust authorities. Email us at info@ep3foundation.org.

Glossary

The Privacy Network: A software-defined network which can obfuscate (crypto-hash, tokenize, encrypt, randomize and/or partition) any data, provenance, process definitions and trust criteria, transforming them into meaningless gibberish which is simultaneously invulnerable to breach, yet still capable of supporting computation or policy enforcement.

The Unified Trust Model (UTM): An extensible information model and software-defined network for representing and classifying disparate trust criteria, trust policies, trust credentials, resource descriptions and resource provenance. Elements within the UTM are represented via combinations of metadata, documents and software services, and stored in a distributed ledger. (Webshield)

Obfuscation: Obfuscation is the obscuring of the intended meaning of communication by making the message difficult to understand, usually with confusing and ambiguous language. The obfuscation might be either unintentional or intentional (although intent usually is connoted), and is accomplished with circumlocution (talking around the subject), the use of jargon (technical language of a profession), and the use of an argot (in-group language) of limited communicative value to outsiders. (Wikipedia)

Trust Criteria: Trust Criteria are verifiable claims of requirements for: regulatory compliance, payment & licensing terms, identity assurance, cybersecurity & privacy, semantic interoperability, authorized purpose of use, authorized recipients, trusted provenance, endorsements & ratings, etc.

Trust Credentials: Trust Credentials are verifiable claims (metadata and documents) from known Trust Authorities describing each resource's: APIs and data model, semantics and provenance, audit history, supporting documentation, certifications & assessments, endorsements & ratings, classifications & characteristics, etc.

Endnotes

1. Future Agenda, The Increasing Value of Data. Available at: https://www.futureagenda.org/insight/the-increasing-value-of-data
2. World Bank national accounts data: https://data.worldbank.org/indicator/NY.GDP.MKTP.CD?end=2016&start=1960&view=chart&year_high_desc=true
3. Vint Cerf, The Internet: IP Addresses and DNS. Available at: https://www.youtube.com/watch?v=5o8CwafCxnU
4. Bernard Marr, How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should Read. Available at: https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#76b8866060ba
5. Daniel Solove, Data Security Is Worsening: 2017 Was the Worst Year Yet (2018). https://teachprivacy.com/data-security-is-worsening-2017-was-the-worst-year-yet/. Accessed 6 Nov. 2018.
6. Internet Society, 2017 Internet Society Global Internet Report: Paths to Our Digital Future (2017).
7. Risk Based Security, Data Breach QuickView Report, 2017 (2017).
8. Hancock, Pérez, and Elliott (2018) We will keep Children Safe Online? Government Europa, pp. 1-8. Available at: http://edition.pagesuite-professional.co.uk/html5/reader/production/default.aspx?pubname=&edid=44b47261-83cf-4fae-8214-42d2bf163a04
9. SIA, Data Privacy and Security Trends for 2018. Available at: https://www.securityindustry.org/wp-content/uploads/2018/01/SIA_DATA_PRIVACY_WHITEPAPER_WEB.pdf
10. This graphic is based on the Hancock Privacy Framework. Hancock (2018) Hancock Privacy Framework: Information Created by Individual Users. Available at: https://midd.me/tbBm
11. Hancock, Elliott, and Pérez (2018) How to implement new privacy-preserving data paradigms. Government Europa Quarterly, Issue 27, pp. 36-39. Available at: http://edition.pagesuite-professional.co.uk/html5/reader/production/default.aspx?pubname=&edid=7122fbff-5a4c-4dcb-873f-bee2ee4b1cd7&pnum=36
12. Hancock (2019) How to overcome 40 years of obstacles: the road to accessible health information interoperability. Health Europa Quarterly, Issue 8, p. 98. Available at: http://edition.pagesuite-professional.co.uk/html5/reader/production/default.aspx?pnum=98&edid=5ffe2a2a-df10-462e-a709-5910f039b796&isshared=true


Copyright © 2019 EP3 Foundation. All rights reserved.