Transcript privacy

What We Will Cover
 Privacy and Computer Technology
 “Big Brother is Watching You”
 Privacy Topics
 Protecting Privacy
USA PATRIOT Act
 Provisions
 Greater authority to monitor communications
 Greater powers to regulate banks
 Greater border controls
 New crimes and penalties for terrorist activity
 Tighter Internet surveillance
 Searches and seizures without warrants
 Warrants issued without need for showing probable
cause
1-3
Dana Summers / Tribune Media Services TMS Reprints
1-4
Patriot Act Initial Successes
 Charges against 361 individuals
 Guilty pleas or convictions for 191 people
 Shoe-bomber Richard Reid
 John Walker Lindh
 More than 500 people removed from United States
 Terrorist cells broken up in Buffalo, Seattle,
Tampa, and Portland (“the Portland Seven”)
1-5
Patriot Act Failure
 March 11, 2004 bombings in Madrid Spain
 FBI makes Brandon Mayfield a suspect
 Claims partial fingerprint match
 Conducts electronic surveillance
 Enters home without revealing search warrant
 Copies documents and computer hard drives
 Spanish authorities match fingerprint with an
Algerian
 Judge orders Mayfield released
 FBI apologizes
 U.S. government settled part of the lawsuit with
1-6
Mayfield for a reported $2 million.
Syndromic Surveillance System
 Created by New York City
 Analyzes more than 50,000 pieces of information
every day
 911 calls
 Visits to emergency rooms
 Purchases of prescription drugs
 Looks for patterns that might indicate an
epidemic, bioterrorism, or an environmental
problem
 In the fall of 2002, the system detected a surge in
people seeking treatment for vomiting and
1-7
diarrhea.
Telecommunications Records Database
 Created by National Security Agency after 9/11
 Contains phone call records of tens of millions of Americans
 NSA analyzing calling patterns to detect terrorist networks
 Phone records voluntarily provided by several major




1-8
telecommunications companies
USA Today revealed existence of database in May 2006
Several dozen class-action lawsuits filed
August 2006: Federal judge in Detroit ruled program illegal and
unconstitutional
July 2007: U.S. Court of Appeals overturned ruling, saying
plaintiffs did not have standing to bring suit forward
Privacy and Computer Technology
Key Aspects of Privacy:
 Freedom from intrusion (being left alone)
 Control of information about oneself
 Freedom from surveillance (being tracked, followed,
watched)
Privacy and Computer Technology
(cont.)
New Technology, New Risks:
 Government and private databases
 Sophisticated tools for surveillance and data analysis
 Vulnerability of data
Privacy and Computer Technology
(cont.)
Terminology:
 Invisible information gathering - collection of
personal information about someone without the
person’s knowledge
 Secondary use - use of personal information for a
purpose other than the one it was provided for
Privacy and Computer Technology
(cont.)
Terminology (cont.):
 Data mining - searching and analyzing masses of data
to find patterns and develop new information or
knowledge
 Computer matching - combining and comparing
information from different databases (using social
security number, for example, to match records)
Privacy and Computer Technology
(cont.)
Terminology (cont.):
 Computer profiling - analyzing data in computer files
to determine characteristics of people most likely to
engage in certain behavior
 Businesses use these techniques to find likely new
customers. Government agencies use them to detect
fraud, to enforce other laws, and to find terrorist
suspects or evidence of terrorist activity.
Privacy and Computer Technology
(cont.)
Principles for Data Collection and Use:
 Informed consent
 Opt-in and opt-out policies
 Opt-in: consumer must explicitly give permission for the
organization to share info
 Opt-out: consumer must explicitly forbid an organization
from sharing info
 Fair Information Principles (or Practices)
 Data retention
Fair Information Policies
 Inform people when personally identifiable information about them is






collected, what is collected, and how it will be used. .
Collect only the data needed. .
Offer a way for people to opt out from mailing lists, advertising,
transfer of their data to other parties, and other secondary uses. .
Provide stronger protection for sensitive data, for example, an opt- in
policy for disclosure of medical data. .
Keep data only as long as needed. .
Maintain accuracy of data. Where appropriate and reasonable, provide
a way for people to access and correct data stored about them. . Protect
security of data ( from theft and from accidental leaks). .
Develop policies for responding to law enforcement requests for data.
Facebook Beacon
 Fandango, eBay, and 42 other online businesses
paid Facebook to do “word of mouth” advertising
 Facebook users surprised to learn information
about their purchases was shared with friends
 Beacon was based on an opt-out policy
 Beacon strongly criticized by various groups
 Facebook switched to an opt-in policy regarding
Beacon
 Terminated this initiative and paid $9.5 million in
lawsuit
1-16
Privacy and Computer Technology
Discussion Questions
 Have you seen opt-in and opt-out choices? Where?
How were they worded?
 Were any of them deceptive?
 What are some common elements of privacy
policies you have read?
"Big Brother is Watching You"
Databases:
 Government Accountability Office (GAO) - monitors
government's privacy policies
 Data mining and computer matching to fight
terrorism
 Is the information it uses or collects accurate and useful?
Will less intrusive means accomplish a similar result?
Will the system inconvenience ordinary people while
being easy for criminals and terrorists to thwart? How
significant are the risks to innocent people?
Sample Government Database
Privacy Act of 1974
US constitution –
th
4
amendment
 “The right of the people to be secure in their persons,
houses, papers, and effects, against unreasonable
searches and seizures, shall not be violated, and no
Warrants shall issue, but upon probable cause,
supported by Oath or affirmation, and particularly
describing the place to be searched, and the persons or
things to be seized.”
"Big Brother is Watching You"
(cont.)
The Fourth Amendment, Expectation of Privacy and
Surveillance Technologies:
 Weakening the Fourth Amendment
 Patriot Act
 Modern surveillance techniques are redefining
expectation of privacy
"Big Brother is Watching You"
(cont.)
Video Surveillance:
 Security cameras
 Increased security
 Decreased privacy
 It is estimated that there are four million surveillance
cameras in Britain, many outdoors in public places to
deter crime. A Londoner is likely to be recorded dozens
of times a day.
In 2005, photos taken by the surveillance cameras
helped identify terrorists who planted bombs in the
London subway.
"Big Brother is Watching You"
(cont.)
Discussion Questions
 What data does the government have about you?
 Who has access to the data?
 How is your data protected?
 Is Privacy a fundamental right in Pakistan as per
constitution?
 What are the Privacy Issues in Pakistan from legal,
social and cultural perspective?
Diverse Privacy Topics
Marketing, Personalization and Consumer Dossiers:
 Targeted marketing
 Data mining
 Paying for consumer information
 Data firms and consumer profiles
 Personalization of data to attract customers
When someone consents to a company’s use of his or her
consumer information, the person probably has no idea how
extensive the company is and how far the data could travel. Many
companies that maintain huge consumer databases buy ( or
merge with) other companies, combining data to build more
detailed databases and dossiers.
Diverse Privacy Topics (cont.)
Location Tracking:
 Global Positioning Systems (GPS) -computer or
communication services that know exactly where a
person is at a particular time
 Cell phones and other devices are used for location
tracking
 Pros and cons
Examples of Location Based
Services
 Providing information about nearby restaurants of a





particular kind, the nearest automated teller machine,
hospital, or dry cleaners, based on the location of your cell
phone or laptop.
Navigation aids for blind people on foot.
Devices that enable locating a stolen vehicle.
Navigation systems for cars.
Alerting you ( by cell phone) if any of your friends are
nearby.
Locating people, possibly injured or unconscious and
buried in rubble, after an earthquake or bombing. .
 Tracking children on a school outing at a park or museum.
Diverse Privacy Topics (cont.)
Stolen and Lost Data:
 Hackers
 Physical theft (laptops, thumb-drives, etc.)
 Requesting information under false pretenses
 Bribery of employees who have access
Examples of stolen/lost data
 Student and/ or alumni files from the University of California, Georgia Tech,
Kent State, and several other universities, some with SSNs and birth dates. (
Hackers accessed a University of California, Los Angeles, database with
personal data on roughly 800,000 current and former students, faculty, and
staff members.) . \
 Records of almost 200,000 current and former employees of Hewlett- Packard (
on a laptop stolen from Fidelity Investments) .
 Medical data on more than 20,000 patients in MediCal, Californias state health
insurance system .
 Confidential contact information for more than one million job seekers ( stolen
from Monster. com by hackers using servers in Ukraine)
 A survey of taxi drivers in London found that passengers left almost 5,000
laptops in taxicabs within a six- month period. Many, perhaps, contained only
the personal information of the owner ( and friends, family, and e-mail
correspondents). Most likely were business laptops containing personal and
business information
Diverse Privacy Topics (cont.)
What We Do Ourselves: “Broadcast Yourself”
 Personal information in blogs and online profiles
 Pictures of ourselves and our families
 File sharing and storing
 Is privacy old-fashioned?
 Young people put less value on privacy than
previous generations
 May not understand the risks or you are ok with
it.
Diverse Privacy Topics (cont.)
Public Records: Access vs. Privacy:
 Public Records - records available to general public
(bankruptcy, property, and arrest records, salaries
of government employees, etc.)
 Identity theft can arise when public records are
accessed
 How should we control access to sensitive public
records?
Diverse Privacy Topics (cont.)
Children:
 The Internet
 Not able to make decisions on when to provide
information
 Vulnerable to online predators
 Parental monitoring
 Software to monitor Web usage
 Web cams to monitor children while parents are
at work
 GPS tracking via cell phones or RFID
Diverse Privacy Topics
Discussion Questions
 Is there information that you have posted to the Web
that you later removed? Why did you remove it? Were
there consequences to posting the information?
 Have you seen information that others have posted
about themselves that you would not reveal about
yourself?
Protecting Privacy
Technology and Markets:
 Privacy enhancing-technologies for consumers
 Encryption
 Public-key cryptography
 Business tools and policies for protecting data
Protecting Privacy (cont.)
Rights and laws:
 Theories
 Warren and Brandeis
 Thomson
 Transactions
 Ownership of personal data
 Regulation
 Health Insurance Portability and Accountability
Act (HIPAA)
HIPAA
 Limits how doctors, hospitals, pharmacies, and
insurance companies can use medical information
 Health care providers need signed authorization to
release information
 Health care providers must provide patients with
notice describing how they use medical information
Protecting Privacy (cont.)
Privacy Regulations in the European Union (EU):
 Data Protection Directive
 More strict than U.S. regulations
 Abuses still occur
 Puts requirements on businesses outside the EU
 1. Personal data may be collected only for specified, explicit purposes





and must not be processed for incompatible purposes.
2. Data must be accurate and up to date. Data must not be kept longer
than necessary.
3. Processing of data is permitted only if the person consented
unambiguously, or if the processing is necessary to fulfill contractual or
legal obligations, or if the processing is needed for tasks in the public
interest or by official authorities to accomplish their tasks ( or a few
other reasons).
4. Special categories of data, including ethnic and racial origin,
political and religious beliefs, health and sex life, and union
membership, must not be processed without the subjects explicit
consent. Member nations may outlaw processing of such data even if
the subject does consent.
5. People must be notified of the collection and use of data about them.
They must have access to the data stored about them and a way to
correct incorrect data.
6. Processing of data about criminal convictions is severely restricted.
Protecting Privacy
Discussion Question
 How would the free-market view and the consumer
protection view differ on errors in Credit Bureau
databases?
 Who is the consumer in this situation?
Communication
Wiretapping and E-mail Protection:
 Telephone
 1934 Communications Act prohibited interception of
messages
 1968 Omnibus Crime Control and Safe Streets Act
allowed wiretapping and electronic surveillance by lawenforcement (with court order)
 E-mail and other new communications
 Electronic Communications Privacy Act of 1986 (ECPA)
extended the 1968 wiretapping laws to include
electronic communications, restricts government access
to e-mail
Communication (cont.)
Designing Communications Systems for
Interception:
 Communications Assistance for Law
Enforcement Act of 1994 (CALEA)
 Telecommunications equipment must be
designed to ensure government can intercept
telephone calls
 Rules and requirements written by Federal
Communications Commission (FCC)
Communication (cont.)
Encryption
 Process of transforming a message in order to conceal
its meaning
 Valuable tool for maintaining privacy
Encryption Policy:
 Government ban on export of strong encryption
software in the 1990s (removed in 2000)
 Pretty Good Privacy (PGP)
Identity Theft
 Identity theft: misuse of another person’s identity to
take actions permitted the owner
 Credit card fraud #1 type of identity theft
 Ease of opening accounts online contributes to
problem
 About 10 million U.S. victims in 2008
 Typical for a victim to spend hundreds of hours
cleaning up problem
1-43
Gaining Access to Information
 43% of cases involve stolen wallet, credit card,
checkbook, or other physical document
 13% of cases are “friendly thefts”
 Dumpster diving
 Shoulder surfing
1-44
Phishing and Pharming
 Phishing: gathering personal information via a
fraudulent spam message
 Pharming: creation of an authentic-looking Web site
to fool people into revealing personal information
 Phishing and pharming often linked; spam message
contains link to fraudulent Web site
1-45