Tuesday, 21 July 2015

Privacy Engineering Tutorial at TrustCom 2015

Privacy Engineering Tutorial
Held in Conjunction with TrustCom 2015 Helsinki, Finland

Friday 21, August 2015

10h05-11h50 – Session I

The Privacy Engineer’s Manifesto
Jonathan Fox, Michelle Dennedy, Intel/McAfee

“The Privacy Engineer's Manifesto: Getting from Policy to Code to QA to Value is the first book of its kind, offering industry-proven solutions that go beyond mere theory and adding lucid perspectives on the challenges and opportunities raised with the emerging "personal" information economy”

In this session you will learn the guiding principles of privacy engineering; how legal, management, business and process interact, and gain the foundational knowledge for implementation of a privacy engineering programme.

13h10-14h55 – Session II

Invited Talk: Software Engineering Aspects of Privacy
Antti Vähä-Sipiliä, F-Secure

Software security initiatives are becoming more common. We'll cover how privacy engineering can be supported by real-life security practices, and how a modern software development organisation can integrate privacy engineering in both requirements and delivery activities

In this session you will obtain a deep insight into how privacy engineering practices have been applied in a real-world scenario.

15h15-17h00 – Session III

Privacy Engineering
Ian Oliver, Nokia

To construct information systems from small mobile 'apps' to huge, heterogeneous, cloudified systems requires merging together skills from software engineering, legal, security and many other disciplines - including some outside of these fields! Only through properly modelling the system under development can we fully appreciate the complexity of where personal data and information flows; and more importantly, effectively communicate this.

In this session aspects of modeling systems and terminology/ontologies for privacy are presented. This will enable you to better understand, communication and reason about the privacy (and security) aspects of your systems. This session also presents how models of a system, requirements and risk analysis fit together. The session concludes with an overview of analysis techniques such as FMEA, RCA and process integration and auditing will also be presented.

Supporting Material

The tutorials draw upon the material presented in the following books:
  • Ian Oliver (2014). Privacy Engineering: A Dataflow and Ontological Approach. CreateSpace Independent Publishing. 978-1497569713, www.privacyengineeringbook.net
  • Michelle Dennedy, Jonathan Fox, Thomas Finneran (2014). The Privacy Engineer's Manifesto: Getting from Policy to Code to QA to Value. APress. 978-1430263555

Warning: Coffee Might Kill You

So, I found out recently that coffee might kill you. Seriously, it is a dangerous substance - almost as dangerous as a 110ml bottle of water is to your safety on an aircraft (but a 1 litre bottle of something alcoholic bought at duty free isn't) - and here's the proof (seen in a Starbucks in San Jose, CA):

Proposition 65 Warning Notice: "Coffee Might Kill You"

I'm not actually sure whether that has stopped anyone from buying coffee (or tea for that matter), ever. I suppose you could switch to that decaf muck, but you're probably going to die of something equally horrible then too.

I guess some lawyers and/or politicians need to cover their asses...

Monday, 20 July 2015

International Workshop on 5G Security - Programme

The 1st IEEE International Workshop on 5G Security held in conjunction with IEEE TrustCom-15

There is a fast on-going change in the technical architectures and topologies of the Internet: in the near future 5G and next generation 4G/LTE network architectures will be based on or migrated to Software Defined Networking (SDN) and Network Functions Virtualization (NFV). These create new virtual network elements each affecting the logic of the network operation, traffic management and introducing new and novel security challenges. Aspects such as security of orchestration, management functionality as well as surveillance and privacy are brought to the fore. At the same time they introduce new ways of dealing with attack prevention, management and recovery.

The one-day workshop will consist of papers, presentations and demonstrations on the subject of advanced network security. While primarily related to 5G networks, experiences from 4G/LTE, 3G and earlier, including case studies on practicalities of known attacks and novel attack vectors will be considered for acceptance. An invited keynote speech will be given setting out the overall area of security in network development and operations.

IW5GS Programme
TrustCom 2015 Helsinki, Finland
Friday 21, August 2015

10h05-11h50 – Session I
  • Ian Oliver, Silke Holtmanns, Workshop Opening
  • Günther Horn and Peter Schneider, Towards 5G Security
  • Siddharth Prakash Rao, Silke Holtmanns, Ian Oliver and Tuomas Aura. Unblocking stolen mobile devices using SS7-MAP vulnerabilities
  • Vikramajeet Khatri and Joerg Abendroth, Mobile Guard Demo - Network Based Malware Detection
13h10-14h55 – Session II
  • Ian Oliver, Aspects of 5G Security
  • Nicolae Paladi and Christian Gehrmann. Towards Secure SDN-based Multi-tenant Virtualized Networks
  • Elena Dubrova, Mats Näslund and Göran Selander. CRC-Based Message Authentication for 5G Mobile Technology
  • Prajwol Kumar Nakarmi, Oscar Ohlsson and Michael Liljenstam. An Air Interface Signaling Protection Function for Mobile Networks: GSM Experiments and Beyond
15h15-17h00 – Session III
  • Bengt Shalin, keynote talk
  • Mingjun Wang and Zheng Yan. Security in D2D Communications: A Review
  • Karl Norrman, Mats Näslund, Bengt Sahlin and Jari Arkko. A USIM compatible 5G AKA protocol with perfect forward secrecy
  • Silke Holtmanns,Ian Oliver, Workshop Closing

Friday, 17 July 2015

Privacy Engineering Book, 1 Year since publication

On the 18th of July, 2014 I published my first book: Privacy Engineering, a dataflow and ontological approach.

So, happy birthday to my book and the story of its writing can be found on this blog (here!). :-)

Since then I've been privileged to have invited talks at the IAPP's DP Intensive, IWPE 2015, various university lectures, an EIT SIG on Privacy, a semi-regular column on the IAPP's Privacy Tech blog and many other unexpected places - all to talk about the ideas in this book. Next up is a tutorial session at TrustCom 2015 in Helsinki in August with the authors of my "rival" book, The Privacy Engineer's Manifesto: Michelle Dennedy and Jonathan Fox of McAfee/Intel.

And it does feel good to call oneself "an author" ...gives one an air of gravitas...maybe I should start drinking absinthe and discuss philosophy while smoking a pipe?

So what's next? Well, a second book concentrating more on the modelling analysis should appear later this year - tentatively in December. Here's a preview of the cover:

Privacy Engineering is available on Amazon UKAmazon US (as well as where ever else Amazon has sites), Barnes and Noble, CDON (Finland) and CreateSpace itself

* * *

Privacy Engineering: A Data Flow and Ontological Approach by Ian Oliver, 18 July 2014 (CreateSpace Independent Publishing). ISBN-13: 978-1497569713 ISBN-10: 1497569710 264 Pages, B/W on White Paper

Tuesday, 14 July 2015


Finally :-)  Not a lot to say about this one except this fantastic picture from NASA:

Pluto (C)2015 NASA

How not to collect data

Would you give your personal details to someone without knowing what they're going to be used for? How about if I said, "give me your name, email address and post code" and I'll make you a member of our exclusive most-favoured customer club? But, I'm not going to hell you what the terms and conditions are, how I'll use the data or even who I am except by vague implication in the latter case?

How about if I wrote the above on a piece of paper and left it on an official looking stand in a shop...yes?

Seen in a shop in Finland:

The text says:

Join now as a favoured customer and you'll hear always as the first about our fantastic offers and wonderful happenings. 
If you want to join as our favoured customer just fill this form with the needed information and hand it to the staff and we will take care of the rest. 

I tried asking the store staff but they say it is a different company's problem and they have no idea of how the forms will be used. So far I've had no luck in contacting the company to which the forms probably belong...

Wednesday, 8 July 2015


Edward Tufte is well known for his work on textual and graphic presentations. His books, starting with The Visual Display of Quantitative Information are written with a very specific style, particularly in the way the pages are organised. Tufte uses wide margins which enforce the writing of side nodes.
For users of LaTeX there is a very good package called tufte-latex for emulating this style. I used this for the writing of the Privacy Engineering book [1], as an example page below shows:
Extract from book: Privacy Engineering -
showing the Tufte style of page layout

There is a Google group for the discussion of the tufte-latex package, but I'll reproduce here my experiences of using this package so maybe a wider audience gets to know about this and how they might too use this excellent LaTeX package.

Originally written 20 July 2014, tufte-latex Google Group

Just a few experiences on self-publishing and the Tufte-LaTeX style - I noticed a few questions and after going through this process successfully (yay!) I'll offer some thoughts here.

Firstly, I looked at a number of self-publishers, Lulu, CreateSpace etc. Of these CreateSpace gives the best options from book styles (colour, B/W, sizes), ISBN options, marketing etc. YMMV of course.

In the end I chose a 7x9 inch format for an academic text book, B/W printing on white paper. CreateSpace assigned the ISBN and deal with the purchasing and printing, plus the sales channels which are fairly extensive. The main problem is that you don't get an editor nor deadlines :-)   So spelling checking is going to be your responsibility. You also don't get an advance from the publisher either, so no Ferrari while you complete your masterpiece....

My set up is as follows:
  • Sublime and vi editors
  • Bibtex
  • Pdflatex
  • Microsoft Visio Professional
running on Windows, MacOSX, Linux as necessary. Whether you like Visio or not, it is the best diagramming tool. You might also need Gimp for cropping pictures.

Actually, running LaTeX with the Tufte style is no more difficult than anything else in LaTeX but there are a few considerations:

  1. Tufte gives ample room for side notes - great for references and additional comments, marginalia etc

  2. You can no longer say things like "as demonstrated in [34]" because the reference number appears as a superscript. This changes the style of sentence in that you must explain what you're talking about instead of relying on the reader referring to the reference.

  3. Diagrams:  be very careful with figure* and figure.  Most of the time  figure  is fine and try to keep the diagram within the margins of the main body of text. Sometimes it is necessary to use the full width, but sparingly IMHO

  4. Tables: I used the full width unless the table was particularly simple.  So  table*  for most.

  5. Labels: Didn't use as \ref{label name} doesn't give the section number. I suppose you could reference back to page, but (see #2) you can change your style of writing to make everything stand-alone. Actually I did refer back to figures and tables as necessary.

  6. Margins... I actually hacked tufts-common.def (see below)

  7. Tables again: see below for the Latex formatting not to use vertical lines - works well.

  8. Diagrams again: 300dpi minimum. I actually used 600dpi PNG files for inclusion in the text. If you export from PowerPoint this is going to be a big problem, but there are instructions to force PPT to export at 300dpi by adding things to the registry (fun!)

  9. Justified text for the body and sans serif sidenotes looks great!

I should have used \geometry but this was my method. I added between the A4paper and B5paper sections to tufte-common.def:

%%%%%%%%%%%%%%%%% IAN 7.44 by 9.69 inches

Then later in the file (Search for a4paper and put it after there):

%%%%%%%%%%%%%%%%%%%%IANPAPER DEFINITION
%%%% 7.44in x 9.69in  == 18.898cm x 24.613 cm
%Another modification for 300 page manuscript on CreateSpace

You'll need to play with the margins to get CreateSpace's previewer to stop reporting errors regarding the sizes and gutter etc. But you HAVE to do this anyway to get the book published regardless of whether you using Word, LaTeX etc. Now you can use the above as a document style, ie:


When working with margins the showframe package is very, very helpful:



 You need to work with the p{size} options quite a bit to get these perfect...lots of LaTeX recompiling sorry. For example, the following extract gives an idea:

    \begin{tabular}{  p{2.2cm}  p{2.2cm}  p{4.2cm}  p{1.5cm}  p{2.9cm} }
 & \textbf{Adult} &  \textbf{Child} &  \textbf{System} &  \textbf{External} \\ \hline\hline
Collection & Allowed, with consent & As per COPPA, but generally not allowed & Allowed & As per agreements \\ \hline
   \caption[][0.5cm]{Example Policy Level Provenance Classification Requirements}

I found that a double line after the title and single horizontal lines elsewhere looks good IMHO

Citations, Sidenotes, Captions and Marginalia:

This is going to be the biggest headache!!!

Don't fiddle with the layout of these until you've reached your final, final draft. I noticed that various PDF views won't show text outside the margins so things seem to disappear only to reappear in CreateSpace's previewer which tells you about these things. Once the text is finalised then work with moving these elements up and down to make the fit within the vertical margins of the page. Much trial and error. Note that captions take 3 parameters, sidenotes just 2 ... this caught me a few times!

Also, sometimes text in \url{} or unsplittable text exceeds the horizontal margins...YMMV and you'll have to find a work around. Again for these aspects the showframe package is very helpful.

TOC, Indexes:

ToC depth should be 1 otherwise the ToC becomes too long, even though I used subsections, these don't appear in the ToC. The list of tables and figures doesn't follow the ToC style, but given the length of the latter in my case I'm pretty happy about this! This could be moved to the back matter if you want, depending upon what you're writing of course.

makeindex for some reason did not work - I could not get indexes to work at all... :-(   No idea why but in the end writing was more important than typesetting and indexes at that stage.

Font size:

I used \small with all the tables but didn't see a huge difference in font size. \tiny works, but that way too small. Otherwise things like \Huge etc work fine. Don't forget \normalsize after you've changed the font size temporarily :-)

So, overall Tufte-LaTeX is fairly easy to use with CreateSpace...thanks to all who gave help and worked on this style: it really does look fantastic in print! If you want to see the book you can go here: www.privacyengineeringbook.net   and navigate to Amazon - I think there might be a preview available. However the conversion to Kindle is always a little problematical from what I've heard but then again not a lot you can do about that. Kindle doesn't like tables and sometimes the sidenotes get mixed in the text.

My preamble looks something like this:

Note I have two documentclass lines so I can swap between A4 for printing on rather obstinate HP laser printer and the 7x9 for the real version. Showframe is commented out here. A few other things I found on these groups such as the paragraph indentations etc. I changed the parskip here.
TOC depth I set to 1 otherwise the ToC becomes too long.





%package to get copyright symbol

% Paragraph indentation and separation for normal text

% Paragraph indentation and separation for marginal text





\title{Privacy Engineering} % Title of the book
\author[I. Oliver]{Ian Oliver} % Author



\tableofcontents \thispagestyle{empty}
\listoffigures \thispagestyle{empty}
\listoftables \thispagestyle{empty}


%lots of skipped chapters!!


* * *


[1] Ian Oliver. Privacy Engineering: a data flow and ontological approach. CreateSpace Independent Publishing.

Wednesday, 1 July 2015


On the 14th of July a small and very fast space probe will fly-by Pluto and its menagerie of moons. In the space of a few hours we'll learn more about Pluto and its companions than we have since its discovery on the 18th of February 1930.

In fact we've learnt huge amounts so far even at the huge distances New Horizons is away from the planet (yes PLANET!).

At the moment, we've four exciting missions on-going and actively producing data: five if you include Cassini which just seems to keep going and going to the point where one could even be quite blase about its constant stream of images. OK, there *are* others but for us that particular like planetary exploration...I'll come back to Mars and Jupiter in a moment....

Of the four I'll pick out Rosetta and Philae circling and sitting on a comet nucleus respectively - I think Philae should be renamed Phoenix after its return from the dead. Then there's Dawn orbiting Ceres tantalising us with better and better resolution of a world that was probably considered no more than a lump of rock to one that is possibly even active. Finally New Horizons itself.

We've also lost two probes this year: Messenger and Venus Express as their missions came to an end. Juno is still on its way and hopefully the mission planners will get us a better look at Europa along the way, and of course a flotilla at and on Mars.

I've probably missed a few from the above list - it is getting difficult to keep track especially when even the Chinese surprise us with things such as a quick visit to a passing asteroid!

But despite all of this excitement, New Horizons brings a little sadness: we'll have completed initial exploration of the nine planets. As a child I watched, sometimes in the middle of the night the Voyager probes, especially when Voyager 2 reached Uranus and Neptune. In both cases returning not just surprises but shocks - the cliffs of Miranda, nitrogen geysers on Triton anyone!

Pluto was left alone, unvisited and somewhat unloved.

Now we get a few weeks of excitement and a day or so of wondrous revelations and New Horizons departs giving us our first and last view for a long time of this mysterious place.

And that will be all nine and it comes to an end the first major milestone of the exploration of our Solar System.

There are silver linings to this cloud: the stream of data from all the probes and years of research of New Horizons' data will hopefully provide more impetus to space exploration. We can't stay rooted to our Blue Marble forever and we must pave the way forward, not just in exploring new worlds but also in understand how the Universe operates and what is out there. These space probes furthermore push technology to unexplored boundaries will many unexpected innovations to even our daily lives.

Finally, New Horizons will look back and Pluto, probably go into hibernation and continue to a possible second target. A world that even until the 1980s and 1990s was purely hypothetical. Considering that until 1989 we expected Neptune's moons to be inert and barren rocks and found something completely different, and now expecting the same - at least in terms of surprises - at Pluto, we should have learnt by now, after the exploration of the first nine planets, that whatever comes next is going to be truly wondrous.

Monday, 29 June 2015

UK Ontology Network 2015 Presentation

I really have been a bit lax here of late - not that I have little to write, but rather time (as always!) and the day job takes me away from privacy into new uncharted, more security research related areas - which I will admit is great fun!

Back in April I attending a fascinating little workshop run by the UK Ontology Network to talk about ontologies for privacy. What makes this workshop fun is the sheer amount of interaction between the participants: the distinction between presenter and audience is completely blurred. As a presenter you get a 5 minute slot then after a number of presenters on similar subjects, a 20 minute panel session where the audience really gets into the conversation.

I'm going to be unfair to all the presenters at UKON 2015 but I'm going to pick out a presentation by Adam Nogradi on Sparqlycode - a tool for semantically annotating source code and establishing compliance against, in this case, certain security guarantees. Of course, to move to a different area all you need is an ontology for your subject area, say, privacy, and you have a tool for privacy compliance...more on this later :-)

So here's my presentation based on the work in the book Privacy Engineering: A Dataflow and Ontological Approach.

And the book containing a much more detailed description can be bought from Amazon, Barnes and Nobles etc etc.

Amazon UK/EUAmazon UK/EU

Saturday, 27 June 2015

An article on The Semantics of PII

A while back I wrote a short article for the IAPP's Privacy Tech Blog. With permission I'll reproduce it here for additional reference. Also,a tip of the hat for the administrator of the blog: Jedidah Bracy of the IAPP for his spell checking, grammar checking and editorial skills!

The Semantics of PII
Privacy Tech | Feb 26, 2015

Last year, Profs. Peter Swire and Annie Antón wrote a compelling piece in Privacy Perspectives about the need for privacy engineers and lawyers to get along. Establishing a common language in which to communicate will be essential to appropriately connect policy with technology.

It’s probably safe to say that the most common terms used in privacy are personally identifiable information (PII) and personal data, depending upon whether you come from a U.S. or European background. I think these terms are more or less self-explanatory.

But what do they really mean?

Take PII, for example. It means a chunk of data that reveals some knowledge about a person that can be unambiguously identified. Sounds more or less about right, doesn’t it? Is a computer's IP address personally identifiable? What if that IP address belongs to a router for a large, multinational corporation? Is it PII then? And what if it belongs to a family using multiple computers, tablets, phones or other devices?

We will soon find ourselves delving into the minutiae of meaning—the what-does-personal-really-mean type questions. Plus, we must ask what isinformation, and what does identifiable denote?

There is a whole area of linguistics, philosophy and mathematics—take your pick—that deals with the meaning of things, otherwise known as semantics, or even semiotics if you want the overall field.

Mathematicians took years to fully understand the semantics of even simple statements such as 1+1=2, which looks obvious until you try to explain what 1 is, what 2 is, what + means, what = means and then what it means to say 1+1. The English philosophers Bertrand Russell and Albert Whitehead spent most of their careers writing Principia Mathematica to answer this question, and after four editions and 300 pages of dense mathematics, they had an answer. That was, until a young German by the name of Kurt Gödel came along and shook mathematics to its foundations with an equally "trivial" result.

So if it took 300 pages by two of the brightest minds in mathematics to give us a semantics for 1+1=2, how many pages—and years of work—will it take to give "PII" a semantics?

Now here's an interesting point: The definition of PII that is used in contemporary privacy is perfectly well defined in the privacy-legal context. I can go to various legal documents and read a formal definition of what PII or personal data means. But as we move between disciplines—in our case from privacy-legal to privacy-engineering disciplines—these definitions no longer hold, or at the very least, they don't work well.

If we move to the other end of the scale from legal to mathematics, we find concepts such as information entropy, which provides a clear, unambiguous and precise definition of what information is as well as the identifiability of a data set with respect to some population and so on. Information entropy, however, is not an easy concept with which to work. We can state now that the legal definition of PII can be defined in terms of the mathematical definition; it's just that this is obscenely difficult to do.

Somewhere between these two extremes lies software engineering, the discipline that actually implements privacy law into our systems, in ostensibly mathematical (programming language) terms.

Software engineers, much to the chagrin of privacy lawyers, do not understand legal terms. Well, ok, they do to a point, but you try coding a statement such as "reasonable privacy" into C++ or Java!

Plus, privacy lawyers don't understand all the subtle ramifications of virtual machines, machine language, object orientation, distributed computing, network protocols, XML, RDF—the list goes on!—again, much to the chagrin of software engineers.

Yet, as we stated earlier, there is a relationship between the terms and language that privacy lawyers use and the terms and language that software engineers use. That link provides the translation mechanism that allows both groups not just to talk but to properly communicate with each other.

We can spend as much time as we’d like writing manifestos and principles, designing processes, inventing new job titles such as privacy officer, privacy compliance tsar, grand chief-overseer-of-the-worshipful-court-of-privacy-dudes and so on, but without grounding semantics into terms such as PII and personal data—terms that will allow us to translate between legal-speak and engineer-speak—all of this work will be in vain.