User:Peter.keller/Sandbox

Privacy Enhancing Technologies (PET) is a general term for a set of computer tools, applications and mechanisms which - when integrated in online services or applications, or when used in conjunction with such services or applications - allow online users to protect the privacy of their personally identifyable information (PII) provided to and handled by such services or applications.

Privacy as a fundamental need
"Knowledge is power" Sir Francis Bacon, 1597

Knowledge about me means power upon me. Knowledge can be abused, power can be used to harm me. Loosing the secrecy of information about me puts me at the mercy of those who know my secrets.

Abuse can be: manipulating, blackmailing, aspersing.

The need for privacy is ultimately the need for safety, safety with respect to minimising the power of others over oneself.

This is why we hesitate to give private information to others without adequate benefits.

Who would tell their salary, their medical problems or their political opinions to any stranger without an adequate benefit in return?

We make this tradeoff instinctively and routinely all the time. We constantly make decisions about how much to disclose to whom about ourselves against what benefit and at what risk.

See this article about the psychology of privacy.

Goals
PETs aim at allowing users to take one or more of the following actions related to their personal data sent to, and used by, online service providers, merchants or other users:
 * increase control over their personal data sent to, and used by, online service providers and merchants (or other online users) (self-determination)
 * minimise the personal data collected and used by service providers and merchants (data minimisation)
 * choose the degree of anonymity (e.g. by using pseudonyms, anonymisers or anonymous data credentials)
 * choose the degree of unlinkability (e.g. by using multiple virtual identities)
 * achieve informed consent about giving their personal data to online service providers and merchants
 * provide the possiblity to negotiate the terms and conditions of giving their personal data to online service providers and merchants (data handling/privacy policy negotiation). As an example, it can be negotiated that personal data mustn't be handed out to third parties or that the data is to be deleted after 3 months following the end of the contract.
 * provide the possibility to have these negotiated terms and conditions technically enforced by the infrastructures of online service providers and merchants (i.e. not just having to rely on promises, but being confident that it is technically impossible for service providers to violate the agreed upon data handling conditions)
 * provide the possibility to remotely audit the enforcement of these terms and conditions at the online service providers and merchants (assurance)
 * allow users to log, archive and look up past transfers of their personal data, including what data has been transferred, when, to whom and under what conditions
 * facilitate the use of their legal rights of data inspection, correction and deletion

Existing privacy enhancing technologies
Examples of existing privacy enhancing technologies are:
 * Communication anonymisers hiding the real online identity (email address, IP address, etc.) and replacing it with a non-traceable identity (disposable / one-time email address, random IP address of hosts participating in an anonymising network, pseudonym, etc.). They can be applied to email, Web browsing, P2P networking, VoIP, Chat, instant messaging, etc.
 * Shared bogus online accounts. One person creates an account for MSN, providing bogus data for Name, address, phone number, preferences, life situation etc. She then publishes her user-ID and password on the Internet. Everybody can now use this account comfortably. Thereby the user is is sure that there is no personal data about him in the account profile. (Moreover, he is freed from the hassle of having to register at the site himself.)

Future privacy enhancing technologies
Examples of privacy enhancing technologies that are being researched or developped are:
 * Wallets of multiple virtual identities; ideally unlinkable. Such wallets allow the efficient and easy creation, management and usage of virtual identities.
 * Anonymous credentials: asserted properties/attributes or rights of the holder of the credential that don't reveal the real identity of the holder and that only reveal so much information as the holder of the credential is willing to disclose. The assertion can be issued by the user herself, by the provider of the online service or by a third party (another service provider, a government agency, etc.). For example:

When ordering a car online, the user, instead of providing the classical name, address and credit card numer, provides the following credentials, all issued to pseudonyms, i.e. not to the real name of the customer:
 * Online car rental. The car rental agency doesn't really need to know the true identity of the customer. It only needs to make sure that the customer is over 23 (as an example), that the customer has a driving licence, that the customer has health insurance for accidents (as an example), and that the customer is paying. Thus no real need to know her real name nor her address nor any other personal information. Anonymous credentials allow both parties to be comfortable: they allow the customer to only reveal so much data which the car rental agency needs for providing its service (data minimisation), and they allow the car rental agency to verify their requirements and get their money.
 * An assertion of minimal age, issued by the state, proving that the holder is older than 23 (i.e. the actual age is not provided)
 * A driving licence, i.e. an assertion, issued by the motor vehicle control agency, that the holder is entitled to drive cars
 * A proof of insurance, issued by the health insurance
 * Digital cash
 * With this data, the car rental agency is in possession of all the data it needs to rent the car, it can thus, as an example, provide the unlocking code to the customer with which she can unlock the closet where the car key is kept.
 * Similar scenarios are buying wine at an Internet wine store or renting a movie at an online movie rental store.

For example:
 * Negotiation of data handling conditions.
 * Online store with state-of-the-art privacy functions. [to be completed]

The business case for PETs
Companies will usually only invest in technologies enhancing the privacy of their customers if they see a financial benefit, i.e. if they anticipate a positive business case. (The other main reason being to comply with legal requirements (which could be considered as coming down to a 'financial benefit' as well; the benefit of avoiding a fine for non-compliance with the law.)) The anticipated financial benefit is the anticipated increase of income due to privacy enhancing technologies, minus the anticipated increased cost of implementing and running privacy enhanced technologies in their infrastructure. This anticipated comparison is usually done over a couple of years, whereby the income and cost of every year is cumulated.

In other words, if the anticipated additional income cumulated over a couple of years is larger than the anticipated additional cost cumulated over the same number of years, then there is a positive business case and it makes sense for the company to consider implementing and deploying the privacy enchanced technologies in question.

The anticipated additional income for an online service due to enhancing it with privacy protecting technologies divide up into the following components:
 * Increased usage of online services by existing customers and increased number of new customers due to
 * fulfilment of the need for privacy of customers (Some customers may only use the service if their privacy needs are fulfilled, other may use the service more often.)
 * higher trust of customers in the service
 * increased public image and trust (especially if the privacy friendly attitude is advertised)
 * competitive advantage (if the competition doesn't have a similar offer)
 * increased customer retention (Customers appreciate the privacy enhancing functions of the service and don't like the idea of not finding them with competing services)
 * lower the risk of being fined for violating legal data protection requirements

The anticipated additional cost components for an online service due to enhancing it with privacy protecting technologies are:
 * additional hardware
 * additional software licences
 * personnel costs for designing, developping, implementing, testing and deploying the privacy enhanced service (project costs)
 * additional personnel costs for
 * running / operating and maintaining the privacy enhanced service (with respect to what it would be if there were no such privacy enhancements)
 * fixing additional system failures or problems due to increased system complexity (more functionality means higher complexity which leads to higher vulnerability)
 * product management of the additional privacy enhancing functions (more functions require more time spent to manage them)
 * more complex new developpments of the infrastructure used to run the service
 * training customer support and supporting customers
 * additional marketing communications costs
 * loss of income as a consequence of additional service downtimes or problems due to increased service / system complexity

Note that the business case just outlined is a 'differential business case', assuming that privacy functions are added to an existing service and taking into account the additional benefits and costs caused by this added functionality. For example, it would be wrong to account all operational costs. Instead, only the additional costs incurring when operating the infrastructure with implemented privacy enhancements must be counted in. If, however, the service in consideration is a pure privacy enhancing service, i.e. if the privacy enhancement is not part of or added to the service but intead is the only component of the service, then the above business cost and benefit factors become absolute (delete "additional" and "increased" in all benefits and cost components.