Privacy threat categories
The LINDDUN framework provides a rich catalog of privacy-specific threat types to investigate a wide range of complex privacy design issues.
Together, the categories Linking, Identifying, Non-repudiation, Detecting, Disclosure of Information, Unawareness, and Non-compliance form the acronym LINDDUN.
LINKABILITY
WHAT? Data items can be linked, even without knowing the identity of the data subject(s) involved.
- Data items can be linked because they belong to the same data subject, with a certain probability. E.g., web page visits by the same user, entries in two databases related to the same person, people related through a friendship link.
- Data items can be linked because they share the same property. E.g., linking people who visit the same restaurant, who suffer a similar disease.
THIS MAY BE AN ISSUE, AS THIS CAN RESULT IN:
- Inference: deduce information from a set of data items.
- Singling out / attribution: isolate some or all records which belong to precisely one individual (without necessarily identifying).
- Identifiability: link data items to the identity of a data subject.
IDENTIFIABILITY
WHAT? A data subject can be identified within a set of subjects.
Data items can be linked to the identity of the data subject, with a certain probability.
E.g., identifying the reader of a web page, the sender of an email, the person to whom an entry in a database relates.
THIS MAY BE AN ISSUE:
Once data can be tied to an identified data subject, it falls fully under data protection obligations and requires even stricter security measures. Identified data also makes unawareness and non-compliance issues more likely.
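The linkability and identifiability categories above are easiest to see on data. The following Python example is added here and is not part of the LINDDUN material: it constructs two small datasets (a "de-identified" hospital release with names removed, and an identified public register such as a voter roll), then shows the three consequences listed under linkability. Records sharing a quasi-identifier tuple (ZIP code, birth year, sex, an assumed choice for the example) are linked; tuples matching fewer than k people in the register are singled out; a single match re-identifies the diagnosis; and where a group is not unique but every linked record carries the same diagnosis, that attribute is still inferred for everyone in the group. All names, ZIP codes and diagnoses are constructed.

```python
"""Record linkage on quasi-identifiers (added example, constructed data).

Shows the linkability consequences from the text: linking, singling out,
inference and identification, using two releases that each look harmless.
"""
from collections import Counter, defaultdict

# Assumed quasi-identifiers present in both releases.
QUASI_IDS = ("zip", "birth_year", "sex")

# Constructed "anonymised" hospital records: names removed, health data kept.
HOSPITAL = [
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1975, "sex": "M", "diagnosis": "rehab admission"},
    {"zip": "02140", "birth_year": 1988, "sex": "M", "diagnosis": "fracture"},
    {"zip": "02140", "birth_year": 1988, "sex": "M", "diagnosis": "fracture"},
]

# Constructed identified register (e.g. a voter roll): names kept, no health data.
REGISTER = [
    {"name": "A. Example", "zip": "02139", "birth_year": 1961, "sex": "F"},
    {"name": "B. Example", "zip": "02138", "birth_year": 1975, "sex": "M"},
    {"name": "C. Example", "zip": "02140", "birth_year": 1988, "sex": "M"},
    {"name": "D. Example", "zip": "02140", "birth_year": 1988, "sex": "M"},
]


def key(record):
    """Quasi-identifier tuple used to link records across releases."""
    return tuple(record[q] for q in QUASI_IDS)


def link_by_quasi_ids(records):
    """Linkability: group records that share the same quasi-identifier tuple."""
    groups = defaultdict(list)
    for r in records:
        groups[key(r)].append(r)
    return groups


def singled_out(register, k=2):
    """Singling out: tuples matching fewer than k people in the identified
    population. The register is k-anonymous on QUASI_IDS iff this is empty."""
    counts = Counter(key(r) for r in register)
    return {q for q, n in counts.items() if n < k}


def reidentify(hospital, register):
    """Identifiability: join the de-identified records to the register and
    attribute a diagnosis to a name only when exactly one person matches."""
    people = link_by_quasi_ids(register)
    hits = {}
    for r in hospital:
        matches = people.get(key(r), [])
        if len(matches) == 1:
            hits.setdefault(matches[0]["name"], set()).add(r["diagnosis"])
    return hits


def inferred_attributes(hospital, register):
    """Inference: where a tuple maps to several people but every hospital
    record for that tuple carries the same diagnosis, the diagnosis is learned
    for all of them (attribute disclosure without singling out)."""
    people = link_by_quasi_ids(register)
    inferred = {}
    for q, recs in link_by_quasi_ids(hospital).items():
        diagnoses = {r["diagnosis"] for r in recs}
        if len(diagnoses) == 1 and len(people.get(q, [])) > 1:
            inferred[q] = (sorted(p["name"] for p in people[q]), diagnoses.pop())
    return inferred


if __name__ == "__main__":
    print("singled out:", singled_out(REGISTER))
    print("re-identified:", reidentify(HOSPITAL, REGISTER))
    print("inferred for groups:", inferred_attributes(HOSPITAL, REGISTER))
```

The point for a threat model is that neither release contains a name-to-diagnosis pair, yet the join recovers two of them and leaks a diagnosis for the remaining group. Removing direct identifiers is therefore not a mitigation on its own; the quasi-identifiers have to be generalised or suppressed until `singled_out` is empty, and the inference case shows that even k-anonymity does not stop attribute disclosure when a group is homogeneous.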
NON-REPUDIATION
WHAT? A data subject is unable to deny a claim, i.e. unable to deny knowing, having done, or having said something.
- There is evidence that can link the data subject to a certain action.
E.g., unable to deny being a customer of a certain webshop, unable to deny having filed a complaint, a user of an online voting system is unable to deny whom they voted for.
- Identifiability (and linkability) threats increase the risk of non-repudiation.
- Non-repudiation is also a security goal (the counterpart of the repudiation threat in STRIDE). This need not cause a conflict: the (parts of a) system that require non-repudiation as a security goal should not at the same time need plausible deniability for the same data.
THIS MAY BE AN ISSUE:
Non-repudiation leads to data subject accountability: when a person is not able to repudiate an action or piece of information, they can be held accountable for it (e.g. a whistleblower can be prosecuted).
DETECTABILITY
WHAT? Being able to distinguish whether an item of interest about a data subject exists.
The threat actor knows the data exists without having access to it. Merely knowing that the data exists is sufficient to infer more (sensitive) information.
E.g., by detecting that a celebrity owns a health record in a rehab facility, one can infer the celebrity has an addiction, even without having access to the actual record.
THIS MAY BE AN ISSUE:
Detectability can lead to the deduction of personal data.
This information can be used to extend a data subject’s profile (linkability) and/or identify the data subject.
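Detectability is often introduced by a design detail as small as an error code. The following Python example is added here and is not part of the LINDDUN material: a constructed record store, a lookup that answers "not found" for absent records but "forbidden" for records the caller is not allowed to read, and a hardened variant that returns the same answer in both cases. The status codes, record ids, user names and the owner-only access rule are assumptions for illustration. `probe_existence` plays the adversary's role from the text: it never obtains the record, yet learns which candidate ids exist.

```python
"""Existence oracle through distinguishable responses (added example).

Constructed data and an assumed owner-only access rule; the numeric status
codes mirror HTTP conventions but nothing here talks to a network.
"""

# Constructed store: record id -> (owner, payload). Only the owner may read.
RECORDS = {
    "rec-1001": ("alice", "addiction treatment plan"),
    "rec-1002": ("bob", "physiotherapy notes"),
}


def lookup_leaky(caller, record_id):
    """404 if absent, 403 if present but not the caller's, 200 with payload if
    the caller owns it. Absent and forbidden are distinguishable, so an
    unauthorised caller can detect that a record exists without reading it."""
    if record_id not in RECORDS:
        return 404, None
    owner, payload = RECORDS[record_id]
    if caller != owner:
        return 403, None
    return 200, payload


def lookup_hardened(caller, record_id):
    """Collapses 'absent' and 'not yours' into one response, so a caller who
    is not the owner learns nothing about whether the record exists."""
    entry = RECORDS.get(record_id)
    if entry is None or entry[0] != caller:
        return 404, None
    return 200, entry[1]


def probe_existence(lookup, caller, candidate_ids):
    """Adversary's view: calibrate on an id known to be absent, then flag every
    candidate whose answer differs from the 'absent' answer as existing."""
    absent_status, _ = lookup(caller, "rec-does-not-exist")
    return {rid for rid in candidate_ids if lookup(caller, rid)[0] != absent_status}


if __name__ == "__main__":
    ids = ["rec-1001", "rec-1002", "rec-9999"]
    print("leaky endpoint reveals:", probe_existence(lookup_leaky, "mallory", ids))
    print("hardened endpoint reveals:", probe_existence(lookup_hardened, "mallory", ids))
```

Equalising the status code is necessary but not sufficient: response size, timing (the leaky path does a store lookup and an ownership check, the absent path does less) and downstream side effects such as audit log entries or rate-limit counters can all reintroduce the same oracle. The probe function above only compares status codes; a real assessment should extend it to those other channels before concluding that existence is no longer detectable.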
UNAWARENESS
WHAT? A data subject is unaware of, or unable to intervene in, the collection and further processing of their personal data.
Unawareness relates to data subject rights and therefore focuses on transparency (or predictability) and intervenability (or manageability) threats.
- Lack of transparency: a data subject is not aware of collection and/or processing of their personal data.
E.g., no notice is provided before data collection, data subject is not informed of 3rd party sharing.
- Lack of intervenability: a data subject cannot access or manage their own personal data.
E.g., data subject cannot access own data or cannot request rectification of data, data subject cannot (easily) update privacy settings.
THIS MAY BE AN ISSUE:
Unawareness leads to a violation of fundamental data subject rights.
NON-COMPLIANCE
WHAT? The system does not comply with data protection principles.
Data protection processing principles include:
- purpose limitation: only collect and process data for the pre-determined purpose
- proportionality (data minimisation): only collect and process the minimal set of data required for the purpose
- storage limitation: only store data for as long as required for the purpose
THIS MAY BE AN ISSUE:
Data protection principles are designed to protect the data subjects’ privacy. They should always be implemented. Violation of these legal obligations can result in large fines and reputation damage.
DISCLOSURE OF INFORMATION
WHAT? Someone is able to gain access to personal information.
Personal data is disclosed to parties that do not need to have access. These parties can be both legitimate users (e.g. end users or 3rd party systems) and adversaries.
This can range from active attacks (i.e. an attacker purposefully abuses a weakness to gain access to data) to passive disclosure (e.g. lack of access control to restrict access to sensitive data).
Examples: an attacker is able to eavesdrop on unencrypted communication; someone gains unauthorized access to information in a database; someone browsing the web stumbles across sensitive data that should not have been available.
Note that this is a security category in STRIDE. It’s included in LINDDUN because from a privacy perspective, personal data (rather than all data) is the main focus. In addition to a privacy assessment, we recommend a full security assessment.
THIS MAY BE AN ISSUE:
Disclosure of personal data is a privacy problem for the data subjects involved. Privacy solutions (e.g. data minimization) can reduce the risk by limiting the personal data in the system. However, confidentiality remains indispensable to protect the remaining personal data being collected, processed, stored and shared in a system.
Threat category Disclosure of Information is only used in LINDDUN, not in LINDDUN GO.