Privacy by design requires that privacy requirements are taken into account in the early stages of the design of a system. However, defining the privacy requirements themselves is not an easy task, for various reasons. First, privacy can be in tension with other requirements (usability, performance, etc.). In addition, many examples show that it is increasingly difficult to draw a clear border between personal data and non-personal data. The same observation can be made about sensitive data. For example, geo-location information, which is not defined as sensitive legally speaking, can be a perfect indicator of many sensitive attributes such as religion or health condition.
Considering that data cannot be easily classified as personal or non-personal, or as sensitive or non-sensitive, the only way forward is to follow a more progressive, nuanced approach based on a rigorous analysis of the potential risks and benefits associated with data processing. However, for the risk-based approach to really improve the protection of individuals, a number of conditions have to be met. First and foremost, the analysis has to be rigorous, both from the technical point of view and from the procedural point of view. The risk analysis should be traceable and lead to the application of a set of appropriate measures, justified by the identified risks and the potential benefits of the processing.
The goal of this postdoc will be (in collaboration with other researchers of the group):
To review the state of the art in terms of privacy risk analysis (and Privacy Impact Assessment).
To propose a dedicated framework for privacy risk analysis which can form the input of a privacy by design process.
To apply the above framework to a real case study in the context of the collaboration of the group with several industrial partners.
The postdoc will take place in the Inria PRIVATICS team in Lyon. It will build on ongoing work of the group on the topic (privacy risk analysis, data anonymization, privacy by design, accountability, etc.) and benefit from interactions with partners of different backgrounds.
Minimal knowledge and motivation for security or privacy.
The internship will take place in Lyon, within the new research group PRIVATICS of the Inria Rhône-Alpes research unit. Inria is the French National Institute for Research in Computer Science and Control. Created in December 1992, the Inria Rhône-Alpes research unit provides a strong international research environment with about 700 people, including more than 150 researchers and the same number of PhD students, mostly in Grenoble and Lyon. Strong emphasis is put within Inria on privacy protection research with the creation in 2013 of the PRIVATICS research group and the Inria project Lab CAPPRIS.
Lyon is the second-largest urban area in France. It is close to the French Alps and two hours or less (by TGV) from Paris, Geneva, Turin and the Mediterranean coast. The city is known for its rich cultural life, its gastronomy, and its historical and architectural landmarks, and is a UNESCO World Heritage Site.
1 or 2 years.
daniel.le-metayer at inria.fr