
1

CS 305
Social, Ethical, and Legal Implications of Computing

Chapter 5
Privacy

Herbert G. Mayer, PSU CS
Status 8/13/2012

Slides derived from prof. Wu-Chang Feng

2

Syllabus
  Key Messages
  Privacy
  Case Study
  Information Explosion
  Terminology
  Public Records, Information
  In-Class Exercise
  Privacy Act 1974
  Covert Government Surveillance
  USA Patriot Act
  Privacy and Internet
  REAL ID

3

Key Messages

1. Information Aggregation

2. Leaking Information

3. Public Records vs. Public Information vs. Personal Information

4. Code of Fair Information Practices

5. USA Patriot Act: Providing Appropriate Tools Required to Intercept and Obstruct Terrorism

6. In-Class Exercise on Anonymity

4

Privacy

Two basic concepts: Physical and Logical

Physical: Zone of inaccessibility near a person
  Discussion in school with other CS student
  Going to the bathroom
  Public phone privacy
  Stepping across violates a person’s dignity and treats the person as a means to an end

Logical: Personal information gathered about individual
  Income
  Patient data
  Phone records
  Taxes
  NOT property taxes: that is public

Basic conflict: Rights of privacy vs. access to information

5

Harm Enabled by Right to Privacy

Allows people to plan illegal / immoral activities
  Drug trafficking
  Domestic violence

Allows for abuse of power
  Hide information to someone else’s net harm

Allows for cover-ups
  Enron Corp.
  Rampart Scandal: 1990s LA cops planted evidence
  Iran/Contra affair 1980s: Weapons for hostages

Can encourage social and economic inequalities by creating cliques of information
  Private club with business dealings discriminating against others who should have same information for decisions

6

Benefits of Privacy

Can have public from private life separated
  Allows someone to be himself/herself
  Example: professional athletes, actors, politicians

Allows creation / discussion of new ideas
  Can protect IP, e.g. new algorithm discovery
  Allows for secret plans – meaning here: good ones

Allows people to be at peace to be creative and to develop spiritually
  Praying at place of worship
  Write love letter

Allows for separation of data into spheres of access
  Student grades

7

Right to Privacy

Grew out of property rights

English common law: “The Englishman's home is his castle”
  Not even the king may enter an Englishman’s home without probable cause of criminal activity
  Could king and police enter an English woman’s home?

Reaction to Quartering Act of 1765 allowing soldiers to reside in homes of citizens
  3rd Amendment: “No Soldier shall, in time of peace, be quartered in any house, without the consent of the owner, nor in time of war, but in a manner to be prescribed by law”

8

Right to Privacy

U.S.
  Derived right
  1890’s Warren and Brandeis argued for “rights of privacy”
    Combat the abuses of newspapers
    Privacy rights had already been granted in France
  Eventually, numerous court cases have helped define the limitations and rights of privacy for individuals
  Rosenberg: “privacy is a prudential right”
    Rational agents agree to recognize some privacy rights because granting such rights will benefit society overall
    What ethical framework?
    Example: Telemarketing
    See ref: http://www.jstor.org/pss/2220399

9

Aspects of Privacy

Invasion
  Intruding on someone’s daily life, interrupting solitude -- spam, pop-up windows, marketer phone calls at dinnertime

Information collection
  DVD rental records
  Computer Science homework grades at PSU
  Surveillance cameras on street lights – consider use!

Information processing
  Identity theft from aggregating information -- Key Message
  Collecting financial records to detect criminal activity
  What happened to Al Capone?
  Surveying foreign cell-phone conversations to track terrorists

Information dissemination
  Spreading private personal information (e.g. e-mail, texts)
  Rumor spreading

10

Case Study, Students Discuss

Parents covertly installing a security camera to monitor a nanny babysitting their child
  Act utilitarian evaluation
  Rule utilitarian evaluation
  Social contract theory
  Kantian evaluation

11

Information Explosion

With modern technology, we are producing, copying, sharing, publicizing, leaking information everywhere
  E.g.
    Credit card transactions
    e-mail
    Cell phone records
    Public cell phone calls
      I personally overheard a person in the PDX airport lounge give detail of an encounter to a lover, detail I did not wish to hear; so I had to leave the area

Easy to store, easy to gain access to, easy to do bad things with some information

12

Terminology

Public Record:
  Is information about an act reported to a government agency for the purpose of informing the public
  Examples: birth certificates, marriage licenses, motor vehicle records, criminal records, deeds to property

Public Information:
  Is information you provide to an organization that has the right to share it with others
  Usually given because of perceived benefit
  Example: phonebooks
  Simpler example: your name in CS class

13

Terminology

Personal Information:
  Information that is not public information or part of a public record, and you may have reasons to keep such information personal, i.e. you may rightfully choose not to disclose
  Examples:
    Preferred movie topics
    Favorite eating habits
    Liking/disliking political candidates, parties, opinions
  Once given away, such personal information becomes public information!

14

Public Records

Government has billions of records on the country’s citizens

Some examples:
  Census records
    Information to be kept confidential except in national emergencies
    Used to round up ethnic Japanese, US citizens included, after attack on Pearl Harbor
  Internal Revenue Service records
    Information about income, assets, charitable organizations that you support, medical expenses, etc.
    IRS information has been misused / lost / stolen over time
    H&R Block’s use of cross-marketing on users of Free File service
  FBI National Crime Information Center 2000
    39 million records
    More than 80,000 law enforcement agencies have access to these files
    2 million information requests per day, average response time < 1 sec.
    Abuses and errors have occurred; key question: Are such abuses systemic? Or are they accidents caused by process shortcomings?

15

Public Information

We often give away our rights to our privacy in exchange for some benefit, however small
  Club cards – used as an index into a database of purchases
  TiVos – record information about user’s viewing preferences, times, how/when they watch, etc.
    Some information sold to advertisers!
  Car black box – record the last several minutes of usage for “diagnostic” purposes
  Enhanced 911 and cell phone GPS
  Cookies on personal computer

16

In-Class Exercise 1

Most modern cars have a black box that records important vehicle data such as speed, engine RPM, braking, throttle, (sometimes GPS), etc.

Argue whether or not such data should be private
  Some points to consider:
    Who owns the information in the black box? Car owner? DMV?
    What happens in case of an accident? -- e.g. 2010 Toyota issues with brake system
    Should car owner have the right to “remove” the information before a warrant is issued for black box data?

17

In-Class Exercise 2

Critics of grocery club cards give examples of card-member prices being equal to the regular product price at stores without customer loyalty programs.

In other words, customers who want to get food at the regular price must use the card. Customers pay extra if they don’t want to use the card.

Is it fair for a store to charge us more if we don’t want to use its loyalty card?

Is it ethical to give bogus information or to switch cards with others to confuse loyalty programs?

18

Some U.S. Legislation

Federal Communications Act (1934) limits warrantless wire tapping

Fair Credit Reporting Act (1970, 1995) – Privacy and accuracy of your bill paying record, credit cards, etc.

The Family Educational Rights and Privacy Act (1974) – students > 18 yrs old can review educational records and change errors

Employee Polygraph Protection Act (1988) – Prohibits most private employers from using lie detector test

Video Privacy Protection Act (1988) – rental companies can’t disclose rental records without consent

Children’s Online Privacy Protection Act (2000) – limit amount of public information gathered from children using the Internet

Health Insurance Portability and Accountability Act (1996) – provides guidelines for protecting privacy of patients and their records

19

Code of Fair Information Practices of Health and Human Services

1. There must be no personal data record-keeping systems whose very existence is secret

2. There must be a way for an individual to find out what information is on file and how the information is being used

3. There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without consent

4. There must be a way for an individual to correct false information in the records

5. Any organization creating, maintaining, using, or disseminating records of personally identifiable information must assure the reliability of the data for its intended use and must take precautions to prevent misuse

U.S. Dept. of Health, Education and Welfare (now HHS) “Bill of Rights”

20

Privacy Act 1974

Codified the principles of the Department of Health, Education, and Welfare in the U.S.

Problems:
  Only applies to government databases
  Only covers records indexed by personal id
  No government agency or person in government is in charge of enforcing the provisions
  Allows information to be shared between agencies as long as it is “routine use”

21

Privacy & Information Collection

Wiretapping – interception of a telephone conversation

Does the 4th Amendment apply?
  “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”

Tension between government and privacy advocates

22

Covert Government Surveillance

Olmstead vs. U.S. (1928)
  Olmstead had bootlegging (alcohol) business
  U.S. wiretapped
  Used evidence to convict
  Supreme court said it was neither search nor seizure since only tangible items covered under the 4th amendment
  Note: Upon conviction Olmstead served 4 years in prison, then was pardoned by FDR, dedicated the rest of his life to community services and control of alcohol

23

Covert Government Surveillance

1934 – Federal Communications Act made it illegal to intercept and reveal wire communications
  Privacy advocates happy
  However, during WWII, FBI wanted to reinstate wiretapping
    J. Edgar Hoover - “Intercept but do not reveal” loophole
    Led to decades of covert wiretapping

24

More Government Surveillance

Charles Katz vs. U.S. (1967)
  Bug – hidden microphone
  U.S. “bugged” outside of public phone booth
  Convicted Katz of illegal gambling
  Supreme court ruled in favor of Katz
    “the 4th Amendment protects people, not places”

Led to Omnibus Crime Control and Safe Streets Act (1968)
  Allows police through court order to tap a phone for 30 days
  Government still argued for warrantless wiretapping for national security purposes
  Supreme court rejected this in 1972, ruling that 4th Amendment forbids warrantless wiretapping

Message: Strength of 4th Amendment increased over time

25

More Government Surveillance

Electronic Communications Privacy Act (1986)
  Allows police to attach pen register (displays number dialed) for outgoing – detail on Pen registers later!
  And trap and trace device (displays caller’s number) for incoming
  Court order needed, but not probable cause!
  Allows roving wiretaps (moving phone to phone) if target actively attempts to evade a wiretap

26

More Government Surveillance

Challenges of Internet communication
  Increasing use of data networks to carry on illegal activity
  Led to technology and laws to bring wiretapping statutes to the Internet

Carnivore
  FBI system from late 1990s that monitored Internet traffic
  Tried to force ISPs to install it (Earthlink)
  Earthlink filed legal challenge, but lost

Communications Assistance for Law Enforcement Act (CALEA) (1994)
  Require networking equipment vendors to support wiretapping on digital calls, i.e. VoIP
  Extends (warranted) wiretapping to digital domain

27

More Government Surveillance

9/11 Act of Terrorism
  Loosened many of the precedents for wiretapping and surveillance
  For a defined period of time

Warrantless wiretapping after 9/11
  CIA intercepts cell phone numbers being used by top al-Qaeda members
  Wanted to wiretap them
  Bush signed order to allow warrantless wiretapping as long as one end point was outside the USA
  Led to the USA Patriot Act

28

USA Patriot Act

Enacted after the September 11th 2001 bombing of the World Trade Center by Muslim terrorists with two hijacked passenger planes

Congress passed:
  Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, PATRIOT Act of 2001

29

USA Patriot Act

Patriot Act amended more than 15 existing laws

Provisions fell into 4 primary categories

1. Providing federal law enforcement and intelligence officials with greater authority to monitor communications

2. Giving the Secretary of the Treasury greater powers to regulate banks, preventing them from being used to launder foreign money

3. Making it more difficult for terrorists to enter the U.S.

4. Defining new crimes and penalties for terrorist activity

30

Patriot Act Fine Print

Allows:
  Police to install Internet pen registers without demonstrating probable cause (reveals URLs and web sites)
  Warrants can be issued if police can show that the information to be gained could be “relevant” to an ongoing criminal investigation
  Roving surveillance loosened so police do not have to
    Show that a target uses a particular device being tapped
    Report the devices that were monitored
  Law enforcement, under certain circumstances, allowed to search homes and seize evidence without first serving a search warrant
    If there is reasonable cause that notification will have an adverse effect
  FBI can obtain warrants authorizing the seizure of business, medical, educational, and library records of suspects if related to an ongoing investigation
    No need for probable cause

31

And What Are Pen Registers

Originally, a Pen Register was an electronic device that could record all numbers called from a particular number. Nowadays this includes computer tools performing similar functions, and is not restricted to phone calls. Instead, internet searches are included

Pen Register, related to Trap and Trace Devices

Less powerful than a wire-tap, but requires way weaker legal control

Wiki: http://en.wikipedia.org/wiki/Pen_register

Or visit Surveillance Self-Defense: https://ssd.eff.org/wire/govt/pen-registers

32

Patriot Act Success & Failure

Charges brought against 361 individuals
  191 convicted and/or pled guilty

Visible failure
  In our own backyard: Beaverton, Oregon
  Brandon Mayfield and the phantom fingerprint
    Bombing in Madrid, Spain 3/11/2004
    Partial matching fingerprint from bag of detonators that supposedly belonged to Mayfield
    Spanish police informed FBI that the fingerprints did NOT match
    FBI ignored that feedback
    FBI warrantless search and seizure and eventual arrest as a material witness in May 2004
    Formal apology and $2 million awarded in November 2006

33

Patriot Act II

Congress reauthorized Act in 2006 with some civil liberty protections
  Some provisions made permanent
  4 year sunset clause on roving wiretaps associated with people (not phone numbers) and on seizing records without probable cause

Unclear what the impact is. See:
  http://www.alternet.org/story/15541
  For wikipedia people: http://en.wikipedia.org/wiki/USA_PATRIOT_Act

34

Privacy & Information Processing

Data mining of records databases to find patterns and relationships
  Secondary use of data
  Collaborative filtering algorithms synthesize “recommendations” from e.g. Netflix, Amazon, etc.
  Identifying taxpayers who need to pay more to the IRS
    Discriminant Function (DIF)
  Syndromic Surveillance System
    NYC system for detecting epidemics and/or environmental problems
  Total Information Awareness program
    DARPA project to identify personal behavior patterns
    Financial, medical, communication, travel, and other records in one super-database

35

In-Class Exercise on Anonymity

Promise of anonymity for the innocent
  Many intelligence-gathering systems have been proposed that mine the data and transaction records of an entire population
  Some examples are bank transactions and email exchanges
  During the scans, no personal identifiers are specifically accessed or stored
  If a pattern is seen that represents highly suspicious activity, the person is at that point identified and an investigation is started
  Ignoring the question of the accuracy of the pattern-matching algorithms and the ethics of monitoring law-abiding citizens: how comfortable are you with a promise from the organizations involved that they will scan your data anonymously and never identify the owner of such data without reasonable cause?

36

Controlling Data Mining

Who owns the data of a business transaction?
  The buyer or the seller?

Opt-in versus opt-out
  Opt-in policy requires customer to explicitly give permission for an organization to share information with another
    Preferred by privacy advocates
    Should be treated similarly to patient-doctor relationship
    Hippocratic databases that have explicit rules on how long records are stored and who is allowed to obtain records
  Opt-out policy allows the customer to explicitly forbid an organization from sharing information with another
    Preferred by direct marketing associations
    Preferred by Facebook

37

Privacy And Internet?

Cookies
  Allows tracking of a user’s visits to the web site
  Stores user information elsewhere

Problems with cookies
  Ads and cookies
    Many sites have linkages to 3rd party advertisers that coordinate your visits to multiple sites
    Allows directed advertising
  ISPs tracking of web sites visited to: “provide better service”
    AOL database made available
  Web bugs / beacons
    Usually invisible object that allows checking if a user has viewed a particular page, or exchanged email

38

Facebook’s Beacon

Facebook data-mining application launched on November 6, 2007
  Partner Sites:
    Blockbuster, Fandango, eBay, Hotwire, Overstock.com, Gamefly, Zappos, and more.
  User’s internet activity monitored, stored, and published on Facebook
  Triggered controversy over user privacy
  Resulted in a class-action law suit
  Shut down in September 2009
  While Facebook IPO’ed in 2012!

39

The Process

40

Privacy Issues

Lack of explicit notice to users

Lack of consent from users

Unauthorized transfers of personal information

Opt-out as opposed to opt-in

Program found to be active despite user opt-outs

Program active despite users being signed out
  Data always sent and stored regardless of user authorization

Violated numerous state and federal laws
  Electronic Communications Privacy Act
  Computer Fraud and Abuse Act
  California Computer Crime Law
  California Consumer Legal Remedies Act

41

Critics

MoveOn.org started a Facebook group/petition regarding Beacon’s privacy problems
  Cited lack of user authorization as the most pressing issue
  Gained 50,000 members within 10 days
  Forced Facebook to switch to an opt-in policy

Class-action law suit

Settlement agreement:
  Shut down Beacon program
  Pay $9.5 million into a settlement fund -- most went to the lawyers; don’t be surprised!
  Facebook to start a foundation for increasing online privacy and security

42

My Information & the Internet

Almost everyone with a computer has purchased something online
  Requires a login id of some type plus password
  Need address and other things (birthdate, etc.)
  What are your rights to this information?

Anything goes!
  Organizations like TRUSTe provide users some guidance
    Privacy seal that is only given if a site adheres to certain policies
    Your HW was meant to assess the effectiveness of TRUSTe
  What happens when the organization goes out of business?

43

National ID anyone?

After Sept. 11, 2001, there has been debate regarding a national id system for Americans
  Advantages:
    SSN’s are poor IDs
    Stop illegal aliens from working in U.S.
    Make it more difficult for illegal people to enter country
    Give police a way to positively identify people
  Disadvantages:
    No evidence that it would lead to reduced crime
    Government can do data mining easier

44

Real ID Act

Feb. 2005 – REAL ID Act passed by congress
  Idea was to make driver’s licenses more reliable form of ID
  Requires all states to issue new licenses by end of 2008
  Needed to open bank account, fly on plane, receive government service, etc…
  Could include a biometric (e.g. fingerprint)

Some issues
  Could bring tracking to new level
  Is basically a national ID card

Status as of August 2012
  Stalled in most states
  Not enforced yet

45

Real ID Act

February, 2005: Congress passes the REAL ID act
  Compels states to design their driver's licenses by 2008 to comply with federal antiterrorist standards
  As of 2008, if you live or work in the United States, you will need a federally approved ID card to travel on an airplane, open a bank account, collect Social Security payments, or take advantage of nearly any government service, including access to national parks and some courthouses

Supporters say it adheres to the recommendations of the 9/11 Commission and is needed to frustrate both terrorists and illegal immigrants

46

Real ID Act

Some fear that it gives unfettered authority to the Department of Homeland Security to design state ID cards and driver's licenses
  Possibilities include biometric information such as retinal scans, fingerprints, DNA data and RFID tracking technology

Others fear that this effectively results in a national ID card (or worse).
  "It's going to result in everyone, from the 7-Eleven store to the bank and airlines, demanding to see the ID card. They're going to scan it in. They're going to have all the data on it from the front of the card...It's going to be not just a national ID card but a national database."
    Barry Steinhardt, Director ACLU technology and liberty program

47

Criticisms of Real ID Act

Requires licenses contain actual addresses
  There are no exceptions made for those who fear for their personal safety (e.g., judges, police/undercover officers, domestic violence victims) or do not have a permanent home (e.g., the homeless, who may be urgently in need of Medicare or other benefits)

Prohibits states from issuing driver's licenses to illegal aliens
  Results in these illegal aliens driving without licenses

Expensive
  States are required to verify all information and redesign their driver's licenses to conform with the law
  ID must include features to thwart counterfeiting and identity theft
  It's an unfunded mandate: the federal government is forcing the states to spend their own money to comply with the act.
  Estimates of the cost to the states for compliance include $120 million

48

Criticisms of Real ID Act

Concerns exist about the privacy of such data

All 50 states' DMVs will share information in common database; may verify information given to them against various federal databases

States are required to retain copies of the documentation supporting the IDs (birth certificates, etc.) for 7-10 years, but no requirements are defined for ensuring the security of this information

Possible such data will be sold to commercial entities: some states already allow driver's license data to be sold to third parties

The IDs must include a "common machine-readable technology" that must meet requirements set by Department of Homeland Security, which has indicated a preference for RFID chip use in the past

Private businesses able to use remote scanners to read RFID tags too, for inclusion in customer data files, sharing with other organizations, etc.

No safeguards are defined within the Act to prevent this type of use (unlike the requirements in the State Department's addition of RFID to passports)

49

Criticisms of Real ID Act

"The wackiest thing is that none of this is required."
  "In October 2004, the Intelligence Reform and Terrorism Prevention Act of 2004 was signed into law. That law included stronger security measures for driver's licenses, the security measures recommended by the 9/11 Commission Report. That's already done. It's already law."

Ref: Bruce Schneier, security expert
  http://www.schneier.com/blog/archives/2005/05/real_id.html
  http://en.wikipedia.org/wiki/Bruce_Schneier

50

Questions to be Discussed in Class

51

In-Class Exercise: Being Watched

Think about what you do when you get up in the morning!

How would you act differently if you knew that you were being watched?

Would you feel uncomfortable?

Do you think you would get used to being watched?

52

In-Class Exercise: Share Password

In a recent study, people in subway stations were offered a cheap pen in return for disclosing their passwords

About 90 percent offered their passwords in return for the pen.

Do people really value privacy?

Do you?

53

In-Class Exercise

Dept. of Homeland Security is interested in using computers to identify suspected terrorists operating within the US
  It would like to mine databases containing information about purchases and travel to detect patterns that may identify individuals who are engaged in, or planning, terrorist activities.
  The Dept. asks a panel of computer scientists to determine the feasibility of this project. Panel member suggests the most difficult problem will be determining what patterns of transaction to look for.
  Further: Possible to construct AI programs to mimic a terrorist organization. Program would determine the actions needed to execute an act of terror: once these actions are identified, possible to search database records to find evidence of these actions.

Debate:
  the wisdom of developing a computer program capable of planning the steps needed to execute an act of terror
  the ethics of the Department's plan for mining commercial databases for the purpose of detecting potential terrorists' patterns

54

Information Awareness Office (old logo)

55

Dilbert the Wise

56

More Fun

57

Additional Resources

58

Additional Resources

Right to privacy:
  http://www.fontanalib.org/Constitutional%20Origin%20of%20the%20Right%20to%20Privacy.htm
  http://www.publaw.com/privacy.html
  http://www.ala.org/ala/washoff/oitp/emailtutorials/privacya/05.htm
  http://www.epic.org/
  http://tinyurl.com/ds77q

Privacy issues
  http://www.postgazette.com/pg/05058/462446.stm
  http://www.aclu.org/Privacy/Privacylist.cfm?c=130
  http://www.privacy.org/
  http://www.schneier.com/blog/archives/2004/12/the_digital_per.html
  http://www.techweb.com/rss/54200987
  http://tinyurl.com/86546
  http://tinyurl.com/c93en
  http://action.aclu.org/reformthepatriotact/

59

Additional Resources

Social Security Numbers:
  http://tinyurl.com/dlmsk (News.com)

Identity theft:
  http://tinyurl.com/9ymqo
  http://tinyurl.com/98ldg

RFID-enabled passports:
  http://tinyurl.com/e299g (Wired)

Biometrics
  http://tinyurl.com/a4c8y

Secure Flight Program:
  http://www.schneier.com/crypto-gram-0508.html#12

60

Additional Resources

NSA telephone monitoring:
  http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy
  http://www.npr.org/news/specials/nsawiretap/legality.html
  http://www.usatoday.com/news/washington/2006-05-10-nsa_x.htm
  http://www.acsblog.org/bill-of-rights-2835-guest-blogger-nsa-again-violates-the-law.html
  http://www.darkreading.com/document.asp?doc_id=96927&WT.svl=column1_1