Transcript Privacy

[email protected]
Privacy Protection
 Privacy
 Key concern of Internet
users
 Top reason why nonusers
still avoid the Internet
 to being able to keep
certain information to
ourselves and to control
what happens to our
personal information
Privacy Issues
 Anytime you submit information on the Internet, it is
possible for it to be gathered by many individuals and used
for various situations. Information can also be gathered
from online data regarding:
-
-
School
Banking
Hospitals
Insurance
Credit History, etc.
 If a company provides you with e-mail, the information you
send is available to the company. The company can also
monitor Internet logs to determine web sites that have been
visited.
Privacy Protection and the Law
 Systems collect and store key data from every interaction
with customers.
 Many object to data collection policies of government
and business.
 Reasonable limits must be set
 Historical perspective on the right to privacy
 Fourth Amendment - reasonable expectation of privacy
4
The Right of Privacy
 Definition
 “The right to be left
alone—the most
comprehensive of rights,
and the right most valued
by a free people”
“The right of individuals to control
the collection and use of information
about themselves”
5
The Right of Privacy
 Legal aspects
 Protection from
unreasonable intrusion
upon one’s isolation
Protection from appropriation of
one’s name or likeness
6
Summary of the 1980 OECD Privacy
Principles Organization for Economic
Cooperation and Development
7
Legal Overview: The Privacy Act
 Secure Flight airline safety program (2009)
 Compares the names and information of 1.4 million daily
U.S. airline passengers with data on known or suspected
terrorists.
 Is the latest proposed government system for running
database checks on Americans who travel by air.
 Secure Flight will match passenger information
against blacklists maintained by the federal government.

Violation of Privacy Act
8
Governmental Electronic
Surveillance
 Federal Wiretap Act
 Outlines processes to
obtain court
authorization for
surveillance of all
kinds of electronic
communications
• Judge must issue a court order based on
probable cause
• Almost never deny government requests
“Roving tap” authority
• Does not name specific
telephone lines or e-mail
accounts
• Get access to all accounts are
tied to a specific person
9
10
Governmental Electronic
Surveillance
 Electronic Communications Privacy Act of 1986 (ECPA)
 Sets standards for access to stored e-mail and other
electronic communications and records.
 Prosecutor does not have to justify requests
 Judges are required to approve every request
 Highly controversial

Especially collection of computer data sent over the Internet
11
Governmental Electronic
Surveillance
 Foreign Intelligence Surveillance Act of 1978 (FISA)
 Allows wiretapping of aliens and citizens in the United
States
 Against FBI, CIA & NSA for some illegal surveillance
 Based on finding of probable cause that a target is


Member of a foreign terrorist group
Agent of a foreign power
 Executive Order 12333
 Legal authority for electronic surveillance outside the
United States
12
Governmental Electronic
Surveillance
 Communications Assistance for Law Enforcement Act
(CALEA)
 Requires the telecommunications industry to build tools
into its products so that federal investigators can eavesdrop
on conversations

After getting court approval
 Contains a provision covering radio-based data
communication
 Includes voice over Internet (VoIP) technology
13
Governmental Electronic
Surveillance
 USA Patriot Act of 2001
 Gives sweeping new powers to


Domestic law enforcement against terrorism
International intelligence agencies
14
Key Provisions of the USA Patriot Act Subject to Sunset
15
Key Provisions of the USA Patriot Act Subject to Sunset
16
Identity Theft
 Theft of key pieces of personal information to gain access
to a person’s financial accounts
 Information includes:
 Name
 Address
 Date of birth
 Social Security number
 Passport number
 Driver’s license number
 Mother’s maiden name
17
Identity Theft
18
Identity Theft
 Fastest growing form of fraud in the
United States
 Lack of initiative in informing people
whose data was stolen
 Phishing


Attempt to steal personal identity data
By tricking users into entering information
on a counterfeit Web site
 Spear-phishing - a variation in which
employees are sent phony e-mails that
look like they came from high-level
executives within their organization
https://www.chase.com/index.jsp?pg_name=ccpmapp/privacy_se
curity/fraud/page/fraud_examples
19
Phising and privacy
 For a demonstration of how a real phishing scheme works,
visit www.identitytheftsecrets.com The Privacy Rights
Clearinghouse (PRC) is warning consumers about another form
of fraud that can happen when online users reply to phishing
emails.
 The personal information they provide might be used to
register web site domains that bilk unwitting online users out
of funds they believe are being used for legitimate
transactions.
E-mail Used by Phishers
21
Identity Theft
 Spyware
 Keystroke-logging software
 Enables the capture of:




Account usernames
Passwords
Credit card numbers
Other sensitive information
 Operates even if an infected computer is not connected to
the Internet
 Identity Theft and Assumption Deterrence Act of 1998
was passed to fight fraud
22
Top 5 Examples Of Spyware
 CoolWebSearch: based on bugs of IE
 Internet Optimizer (DyFuCa)
 Zango
 Transmits detailed information to advertisers about the
Web sites which you visit.
 HuntBar (WinTools)
 ActiveX msg pop up, once installed, steal the information
 Zlob trojan
 Download itself into your pc via ActiveX
23
Consumer Profiling
 Companies openly collect personal information about
Internet users
 Cookies
 Text files that a Web site puts on a user’s hard drive so
that it can remember the information later
 Tracking software
 Similar methods are used outside the Web
environment
 Databases contain a huge amount of consumer
behavioral data
24
Cookies
 The web site might offer you products or ads tailored
to your interests, based on the contents of the cookie
data.
 Some, called third-party cookies, communicate data
about you to an advertising clearinghouse which in
turn shares that data with other online marketers.
25
Consumer Profiling
 Affiliated Web sites
 Group of Web sites served by a single advertising network
 Customized service for each consumer
 Types of data collected while surfing the Web
 GET data
 POST data
 Click-stream data
26
Consumer Profiling
 Four ways to limit or even stop the deposit of cookies on
hard drives
 Set the browser to limit or stop cookies
 Manually delete them from the hard drive
 Download and install a cookie-management program
 Use anonymous browsing programs that don’t accept
cookies
 Cookie Monster 3.47
27
Consumer Profiling
 Platform for Privacy Preferences (P3P)
 Is a protocol allowing websites to declare their intended
use of information they collect about web browser users
28
Manager’s Checklist for Treating
Consumer Data Responsibly
29
Privacy in Workplace
 Employers will have access to personal information about
employees and this information may be sensitive and
employees may wish to keep this information private.
This means that employers will need to
think about the way in which they collect,
use and disclose information they obtain
from employees.
30
Privacy in Workplace
 It is good privacy practice that the employer tell the
employee why they are collecting the information and
who the employer might pass that information on to.
 Best practice:
 employers allow employees to access personal information
about themselves which is held by their employer.
31
Workplace Monitoring
 Employers monitor workers
 Ensures that corporate IT
usage policy is followed
 Fourth Amendment cannot
Privacy advocates want federal legislation
To keeps employers from infringing upon
privacy rights of employees
be used to limit how a private
employer treats its
employees
 Public-sector employees
have far greater privacy
rights than in the private
industry
32
Advanced Surveillance Technology
 Camera surveillance
 U.S. cities plan to expand surveillance systems
 “Smart surveillance system”
 Facial recognition software
 Identifies criminal suspects and other undesirable
characters
 Yields mixed results
 Global Positioning System (GPS) chips
 Placed in many devices
 Precisely locate users
33
Privacy Protection: Ten guidelines
1. Remove personally identifiable data from storage
2.
3.
4.
5.
media
Store an identical copy of any evidentiary media given
to law enforcement
Limit search to goal of investigation
Handle time stamped events in strictest confidence
On networks, packet acknowledgement be via the use
of tokens than IP addresses
34
Privacy Protection: Ten guidelines
6.
7.
8.
9.
10.
Safe storage of all internal logs
Preservation of event logs in external nodes
Put policies in place for actionable items related to
attacks
Put policies in place for safeguarding backed up
data related to an investigation
Handle disposal of sensitive data in a secure
manner
35
Can online services track and record my activity?
 Yes. Many people expect that their online activities are
anonymous. They are not. It is possible to record virtually all
online activities
 This information can be collected by a subscriber's own ISP
and by web site operators.
DATA PROFILING







As we make our way through everyday life, data is collected from each
of us, frequently without our consent and often without our realization.
We pay our bills with credit cards and leave a data trail consisting of
purchase amount, purchase type, date, and time.
Data is collected when we pay by check.
Our use of supermarket discount cards creates a comprehensive
database of everything we buy.
When our car, equipped with a radio transponder, passes through an
electronic toll booth, our account is debited and a record is created of
the location, date, time, and account identification.
We leave a significant data trail when we surf the Internet and visit
websites.
When we subscribe to a magazine, sign up for a book or music club, join
a professional association, fill out a warranty card, give money to
charities, donate to a political candidate, tithe to our church or
synagogue, invest in mutual funds, when we make a telephone call,
when we interact with a government agency . with all of these
transactions we leave a data trail that is stored in a computer.
Browsers..
 It's important to be aware of the information transmitted to
remote computers by the software you use to browse web
sites. The major browsers are Netscape Navigator and
Microsoft Internet Explorer. Internet Explorer has P3P –
platform for Privacy Preferences.
 Most web browsers invisibly provide web site operators with
information about your ISP as well as information about other
web sites you have visited. Some web browsers, particularly if
they have not been updated with security fixes, may be tricked
into reporting the user's default e-mail address, phone
number, and other information in the "address book" if the
browser also handles your e-mail.
Privacy policies and web
seals
 . The Federal Trade Commission urges commercial web site operators to spell out
their information collection practices in privacy policies posted on their web sites.
Most commercial web sites now post policies about their information-collection
practices. Look for a privacy "seal of approval," such as TRUSTe (www.truste.org),
on the first page of the web site. TRUSTe participants agree to post their privacy
policies and submit to audits of their privacy practices in order to display the logo.
 Other seals of approval are offered by the Council of Better Business Bureaus (BBB),
www.bbbonline.org, the American Institute of Certified Public Accountants,
WebTrust, www.cpawebtrust.org, and the Entertainment Software Rating Board,
www.esrb.org/privacy.
 Workplace monitoring. Individuals who access the Internet from work should know
that employers are increasingly monitoring the Internet sites that an employee
visits. Be sure to inquire about your employer's online privacy policy.
Can an online service access information stored
in my computer without my knowledge?
 Yes. Many of the commercial online services such as AOL automatically
download graphics and program upgrades to the user's home computer.
 Companies typically explain that they collect information such as users'
hardware, software and usage patterns to provide better customer service.
 It is difficult to detect these types of intrusions. You should be aware of this
potential privacy abuse and investigate new services thoroughly before
signing on.
 Always read the privacy policy and the service agreement of any online
service you intend to use.
What about cybercafes, airports, and other publicly-available
Internet terminals?
 You should avoid using public terminals to access your bank
account, check your credit card statement, pay bills, or access
any other personally or financially sensitive information.
 Publicly-available Internet terminals are not likely to be closely
supervised to ensure online privacy and security. They are
used by many individuals every day.
 Find out if they have installed a program that clears Internet
caches, deletes cookies, erases surfing history, and removes
temporary files.
What can I do to protect my privacy in
cyberspace?
 password change
 Look for the privacy policy of the online services you use. Most Internet Service
Providers (ISP) have adopted privacy policies that they post on their web sites and
other user documentation. When you surf the web, look for the privacy policies
posted on the web sites you visit. Also look for a privacy "seal" such as TRUSTe or
BBBOnline.
 Check your browser's cookie settings. you may accept or reject all cookies, or you
may allow only those cookies generated by the website you are visiting. You may
want to set a security level for trusted websites while blocking cookie activity for all
others.
 Shop around. Investigate new services before using them. Post a question about a
new service in a dependable forum or newsgroup. Use a search engine such as
http://groups.google.com to find archived discussions and newsgroup postings
about the service that you are considering.
 Don’t post your private contents in the social networks.
 Don’t use location-based social networks application for all of your individual work.
Notes of Caution…
 Assume that your online communications are not private unless you use
encryption software. But most encryption programs are not user-friendly and can
be inconvenient to use. If you do not use encryption, at least take the following
precautions: Do not provide sensitive personal information (phone number,
password, address, credit card number, Social Security number, your health
information, date of birth, vacation dates, etc.) in chat rooms, forum postings, email messages, or in your online biography
 Be cautious of "start-up" software that registers you as a product user and makes
an initial connection to the service for you. Typically, these programs require you to
provide financial account data or other personal information, and then upload this
information automatically to the service. These programs may be able to access
records in your computer without your knowledge. Contact the service for
alternative subscription methods.
 Use a pseudonym and a non-descriptive e-mail address when you participate in
public forums. Consider obtaining an e-mail address from one of the free webbased e-mail services such as www.hotmail.com or www.yahoo.com
Notes of Caution…




The "delete" command does not make your e-mail messages disappear. They can still be retrieved
from back-up systems. Software utility programs can retrieve deleted messages from your hard drive.
If you are concerned about permanently deleting messages and other files on your program, you
should use a file erasing program such as the freeware program at http://cleanup.stevengould.org or
the cleanup features of general utility software such as Norton's
(http://www.symantec.com/sabu/ncs/) CleanSweep.
Your online biography, if you create one, may be searched system-wide or remotely "fingered" by
anyone. If for any reason you need to safeguard your identity, don't create an online "bio." Ask the
system operator of your ISP to remove you from its online directory.
If you publish information on a personal web page, note that marketers and others may collect your
address, phone number, e-mail address and other information that you provide. If you are concerned
about your personal privacy, be discreet in your personal web site
Be aware that online activities leave electronic footprints for others to see. Your own ISP can
determine what search engine terms you use, what web sites you visit, and the dates, times, and
durations of your online sessions. Web site operators can often track the activities you engage in by
placing "cookies" on your computer. They can learn additional information if they ask you to register
on their site. Your web browser also can transmit information to web sites.
Your Policy for Online Obtaining
Information
 If you obtain personally identifiable information through
online application forms, online surveys, interest lists, inquiry
forms, and e-mail subscription forms, your policy must also
describe what you use that information for, how long it is
retained, how it can be updated or removed, and how it is
protected from illegitimate access.
 Your policy should explain who will have access to any
information that is collected such as your web site
administrator, organization staff, and board members.
 The policy should explain if information is shared with third
parties or other members and for what purpose or under what
circumstances.
Privacy issues of Social
Networks
 ’If you feel like someone is watching you, you're right. If you're worried
about this, you have plenty of company. If you're not doing anything about
this anxiety, you’re just like almost everyone else.’ (Bob Sullivan, 2011)
Every minute of the day:
• 100,000 tweets are sent
• 684,478 pieces of content are shared on Facebook
• 2 million search queries are made on Google
• 48 hours of video are uploaded to YouTube
• 47,000 apps are downloaded from the App Store
• 3,600 photos are shared on Instagram
• 571 websites are created
• $272,000 is spent by consumers online (source: AllTwitter)
(Source: thesocialskinny.com)
46
Types of Social Networks
Social
Networking Sites
Social Media
Sharing Sites
Location Based
Networks
• Facebook, Twitter, LinkedIn, Google+, MySpace
• Photo sharing: Instagram, Flickr, Photobucket, Picasa
• video sharing: Youtube, Vimeo, iMemories, audio
sharing: SoundCloud
• Foursquare, Gowalla, Loopt
Posting Content such as picture and video arise new
privacy concerns due to their context revealing details
about the physical and social context of the subject.
if you’re using Gmail or Yahoo mail or Flickr or. YouTube or
belong to Facebook … you’ve given up complete control of
your personal information’
47
Few cases …
 Certain pictures or videos shared online have cost a number of
people their jobs or ruined their job opportunities.
 There is no rules or regulations to protect individuals from
accidentally having an embarrassing photo or video taken of
them and then posted on the web for others to see.
 Adults are concerned about invasion of privacy, while teens
freely give up personal information. This occurs because often
teens are not aware of the public nature of the Internet.
 More info : http://social-networks-privacy.wikidot.com/
48
Privacy issues on Facebook
 Facebook has met criticism on a range of issues, including
online privacy, child safety and hate speech.



You create a "Connection" to most of the things that you click a
"Like button" for, and Facebook will treat those relationships as
public information.
If you Like a Page on Facebook, that creates a public connection.
If you Like a movie or restaurant on a non-Facebook website (and
if that site is using Facebook's OpenGraph system), that creates a
public connection
49
Even More Serious Case
 In August 2007, the code used to generate Facebook's home and search
page as visitors browse the site was accidentally made public, according to
leading Internet news sites.
 In November 2009, Facebook launched Beacon, a system where third-party
websites could include a script by Facebook on their sites, and use it to
send information about the actions of Facebook users on their site to
Facebook, prompting serious privacy concerns.
 In June 2011 Facebook enabled an automatic facial recognition feature
called "Tag Suggestions". The feature compares newly uploaded
photographs to those of the uploader's Facebook friends, in order to
suggest photo tags.
 Facebook has defended the feature, saying users can disable it. European
Union data-protection regulators said they would investigate the feature to
see if it violated privacy rules.
50
What Forbes says …
 Facebook has essentially become a worldwide photo
identification database.
 These developments mean that we no longer have to
worry just about what Facebook, Google+, LinkedIn and
other social sites do with our data; we have to worry
about what they enable others to do, too. And it now
seems that others will be able to do a lot.
51
You MUST Know …
 4.7 million “liked” a Facebook page about health conditions or treatments









(details an insurer might use against you);
4.8 million have used Facebook to say where they planned to go on a
certain day (a potential tip-off for burglars);
20.4 million included their birth date, which can be used by identity
thieves;
39.3 million identified family members in their profile;
900K discussed finances on their wall;
1.6 million liked a page pertaining to racial or ethnic affiliations;
2.3 million liked a page regarding sexual orientation;
7.7 million liked a page pertaining to a religious affiliation;
2.6 million discussed their recreational use of alcohol on their wall;
4.6 million discussed their love life on their wall.
52
Privacy issues with Locationbased service
Location-Based Social
Networks (LBSN) derive from
LBSs and are often referred
to as Geosocial Networking.
the connection between
users goes beyond sharing
physical locations but also
involve sharing knowledge
like common interests,
behavior, and activities.
Such pervasive tools represent
a challenge to privacy.
53
A Serious Case about LBSN
 In March 2012 Foursquare had to tackle the discovery of a Russian-built
app called Girls Around Me. As the name suggests, Girls Around Me used
Foursquare’s API to display and filter people by geographical position and
gender, then, once a first list was compiled, the app was able to search in
Facebook for those girls that had the two accounts linked together and,
finally, provided their pictures to the app user. Foursuare replied to the
issue by shutting down the app soon after its discovery, however Girls
around Me, and similar app available on the market, posed serious
questions of the nature of certain apps and their use. and further more it
proved that LBSN offer services and features potentially threatening users
privacy and safety
54
Additional information..
 Several public interest groups have sponsored the online Computer Privacy Guide at
www.consumerprivacyguide.org. This site offers extensive tips, a glossary of terms, and
video tutorials with step-by-step instructions on how to take advantage of privacy
settings for the programs you use online
 Cookies. To learn more about cookies blockers and other types of online filters, visit
www.junkbusters.com, www.consumerprivacyguide.org, www.cookiecentral.com, and
www.spamblocked.com/proxomitron.
 Demonstration. To see a demonstration of the kind of information that can be captured
about your computer via your browser when you surf the web, visit
www.privacy.net/analyze.
 Privacy-enhancing technologies. The EPIC web site provides a section on software
products that you can use to add extra layers of protection when you surf the web,
www.epic.org/privacy/tools.html. Also, visit the Privacy Links page of the Privacy Rights
Clearinghouse for more software tools and products, www.privacyrights.org/links.htm.
 Spam. Find tips on how to reduce unsolicited e-mail messages at www.spamcop.net or
www.stop-spam.org.. To learn about state spam laws, go to www.spamlaws.com.
56