Abstract

Privacy risk analysis of complex socio-technical systems suffers from an inadequate risk model that focuses primarily on some form of Fair Information Practice Principles (FIPPs). Anonymization as a privacy risk control suffers from an emphasis on risk of failure, neglecting the circumstances surrounding its selection as a risk control in the first place. By interrelating an enhanced privacy risk model that goes beyond FIPPs and an integrated anonymization framework, the selection and implementation of anonymization as a privacy risk control can be more systematically considered and carried out. The Science and Technology Directorate of the U.S. Department of Homeland Security has sponsored development of both an integrated anonymization framework and an enhanced privacy risk model to support more effective privacy risk management. Both of these are described at a high level and their interoperability illustrated by application to the Google Street View controversy.