n-kai
commented
2 years ago Privacy (more precisely PII (Personally Identifiable Information) Protection) is different from Security. PII is defined as information that directly or indirectly identifies a user and PII is information for a user who generate the PII, not for IT operators or developers who collect the PII. So the CMFA needs to meet particular requirements to respect user’s privacy, for example, solicit explicit permission from a user before collecting the PII, delete the PII when it becomes unnecessary and minimize the volume of PII etc, in addition to protect PII from malicious user.
PII protection requirements for the IT products are defined in ISO/IEC 19608 “Guidance for developing security and privacy functional requirements based on ISO/IEC 15408”. I extracted some requirements from it that are relevant to the CMFA below. We can assume that the PII is processed in the SEE and securely protected by the SEE so security requirements of PII (e.g. encryption or data protection of PII) are not included below.
- The user shall be able to turn on/off the CMFA and the CMFA shall show the list of PII that is being collected when the user requires.
- The CMFA shall stop collecting the PII and delete all PII collected in the past if the user turns off the CMFA. If the previously collected PII cannot be deleted completely, the CMFA shall notify the user about the limitations in deleting PII.
- The CMFA shall minimize retention of PII. For example, if the CMFA store the PII for five years but seldom use such old data, the CMFA should delete such old PII.
- The CMFA shall not share the PII with third parties without permission from a user in any case.
Similar or same requirements can be added to PPM.
Should privacy SFRs be added in addition to data protection requirements (meaning that all the CMFA data is maintained locally)
FDP requirements should handle this, but should review again at a later time.