Privacy Cards for Software Developers
Welcome to Elevation of Privacy, an unofficial extension set to Microsoft’s Elevation of Privilege threat modelling card game.
These playing cards portray privacy and data protection compliance risks that have been identified in the real world. The simplest way to use these cards is to draw a Data Flow Diagram or a Message Sequence Chart, and discuss the aspects in the context of each of the data flows and data stores.
You can play this game with or without the original Elevation of Privilege deck. It extends the STRIDE model with TRIM:
- Transport of personal data across geopolitical or contractual boundaries
- Retention and Removal of personal data
- Inference of personal data from other personal data, for example, through correlation
- Minimisation of personal data and its use
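To show how the four TRIM aspects can be walked over a Data Flow Diagram in practice, here is an added example (not part of the Elevation of Privacy deck or the F-Secure material) that models a small DFD as annotated data stores and data flows and flags TRIM findings for each. The stores, regions, legal entities, field names and the list of quasi-identifiers are all constructed assumptions for illustration; the checks are the kind of question each TRIM category prompts, not a compliance rule set.

```python
"""
Added example: a tiny Data Flow Diagram annotated with personal-data
attributes, reviewed against the TRIM categories (Transport, Retention and
Removal, Inference, Minimisation). All data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Fields that in combination tend to make a record re-identifiable.
# This is an assumption for the inference check; adapt to your own data dictionary.
QUASI_IDENTIFIERS = {"postcode", "birth_date", "gender"}


@dataclass
class DataStore:
    name: str
    region: str                          # jurisdiction where the data is held
    controller: str                      # legal entity operating the store
    fields: Set[str]                     # personal-data fields held
    retention_days: Optional[int] = None # None = no retention period defined
    deletion_supported: bool = False     # can one subject's data be removed?


@dataclass
class DataFlow:
    name: str
    source: DataStore
    dest: DataStore
    fields: Set[str]                     # fields actually transported
    purpose_fields: Set[str]             # fields the stated purpose needs


def check_transport(flow: DataFlow) -> List[str]:
    """T: personal data crossing a geopolitical or contractual boundary."""
    findings = []
    if flow.source.region != flow.dest.region:
        findings.append(f"[T] {flow.name}: crosses region boundary "
                        f"{flow.source.region} -> {flow.dest.region}")
    if flow.source.controller != flow.dest.controller:
        findings.append(f"[T] {flow.name}: crosses contractual boundary "
                        f"{flow.source.controller} -> {flow.dest.controller}")
    return findings


def check_retention(store: DataStore) -> List[str]:
    """R: personal data held without a retention period or a removal path."""
    findings = []
    if store.fields and store.retention_days is None:
        findings.append(f"[R] {store.name}: no retention period defined")
    if store.fields and not store.deletion_supported:
        findings.append(f"[R] {store.name}: no way to remove a single subject's data")
    return findings


def check_inference(store: DataStore) -> List[str]:
    """I: quasi-identifiers held together allow correlation / re-identification."""
    present = store.fields & QUASI_IDENTIFIERS
    if len(present) >= 2:
        return [f"[I] {store.name}: holds quasi-identifiers {sorted(present)} together"]
    return []


def check_minimisation(flow: DataFlow) -> List[str]:
    """M: fields transported beyond what the stated purpose needs."""
    excess = flow.fields - flow.purpose_fields
    if excess:
        return [f"[M] {flow.name}: carries fields not needed for purpose {sorted(excess)}"]
    return []


def trim_review(stores: List[DataStore], flows: List[DataFlow]) -> List[str]:
    """Walk every flow and store of the DFD and collect TRIM findings."""
    findings: List[str] = []
    for f in flows:
        findings += check_transport(f) + check_minimisation(f)
    for s in stores:
        findings += check_retention(s) + check_inference(s)
    return findings


# Constructed sample DFD: an EU web shop exporting order data to a US analytics vendor.
orders = DataStore("orders-db", "EU", "ShopCo",
                   {"email", "postcode", "birth_date", "gender", "order_total"},
                   retention_days=365, deletion_supported=True)
analytics = DataStore("analytics-warehouse", "US", "VendorInc",
                      {"email", "postcode", "birth_date", "order_total"})
order_export = DataFlow("order-export", orders, analytics,
                        {"email", "postcode", "birth_date", "order_total"},
                        purpose_fields={"order_total", "postcode"})

if __name__ == "__main__":
    for line in trim_review([orders, analytics], [order_export]):
        print(line)
```

Run as a script it prints seven findings for the sample DFD: two Transport findings for the export flow (region and contractual boundary), one Minimisation finding for the two fields the purpose does not need, two Retention findings for the vendor store, and one Inference finding for each store. In a real session each finding is a prompt for the table to discuss, not a verdict.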
Those suits that have been extended beyond the normal A-K cards in the original game have hexadecimal values starting from E.
We recommend you use these cards in conjunction with a security threat modelling session. Privacy cannot exist without security. If you use data flow analysis for your threat modelling, it usually provides a very good basis for the analysis of personal data flows as well.
These cards do not fully cover EU General Data Protection Regulation compliance, but are a useful safety net to catch many of the related risks and problematic design decisions and may form a part of a Privacy Impact Assessment (PIA) activity.
For best results, discuss privacy and data protection both during service design and technical design.
Elevation of Privacy is © 2018 F-Secure Corporation. This work is licensed under the Creative Commons Attribution 4.0 International license (https://creativecommons.org/licenses/by/4.0/). Card templates are based on the Elevation of Privilege card game (https://www.microsoft.com/en-us/SDL/adopt/eop.aspx), which is © 2010 Microsoft Corporation, licensed under the Creative Commons Attribution 3.0 United States license (https://creativecommons.org/licenses/by/3.0/us/). The original work has been modified.
Working group: Marko Hämäläinen, Laura Noukka, Hiski Ruhanen, Ilona Varis, Antti Vähä-Sipilä.