Ethics and Privacy in Cyberspace Lesson 20

Upload: duane-owens

Post on 31-Dec-2015


Ethics and Privacy in Cyberspace

Lesson 20

Privacy and Other Personal Rights

Thomas J. Watson, Chairman of the Board for IBM, once stated:

Today the Internal Revenue Service has our tax returns. The Social Security Administration keeps a running record on our jobs and our families. The Veterans Administration has medical records on many of us, and the Pentagon our records of military service. So, in this scatteration lies our protection. But put everything in one place, computerize it, and add to it without limit, and a thieving electronic blackmailer would have just one electronic safe to crack to get a victim’s complete dossier, tough as that job may be. And a malevolent Big Brother would not even have to do that: he could sit in his office, punch a few keys, and arm himself with all he needed to know to crush any citizen who threatened his power. Therefore, along with the bugged olive in the martini, the psychological tests, and the spiked microphone, the critics have seen “data surveillance” as an ultimate destroyer of the individual American citizen’s right to privacy – his right to call his soul his own.

Privacy and Other Personal Rights

“Security has sometimes been defined as protecting the computer against people, and privacy as protecting people against the computer.”

From our perspective, we must be concerned with protecting information we may have on clients/customers from unauthorized access or inappropriate use.

Privacy and Other Personal Rights

The Federal Privacy Act

There is a basic rule that government files are open to the public, unless there is a specific reason, enacted by the legislature, saying that certain files are not available.
– Freedom of Information Act

Agencies can maintain information about individuals only when it is relevant and necessary to accomplish the agency’s purpose.

Prohibits the disclosure of any record except within the agency maintaining it unless the individual makes a written request for the data.

Privacy and Other Personal Rights

Employee rights
– With respect to e-mail, the company should have a clearly stated policy as to the use of the system for personal communications.
– It should explicitly state that supervisory personnel have the right to read all e-mail communications if the company intends to monitor.

Motivation -- Individual Rights

Rights to Privacy & Free speech
– Where do these rights come from?
– Are they universal?

Privacy, who “owns” the info about you?
– Check a company’s privacy statement

Privacy – Toysmart

Privacy

Laws

Electronic Communications Privacy Act (ECPA) (1986) was adopted to address the legal privacy issues that were evolving with the growing use of computers and other new innovations in electronic communications.
– The ECPA updated legislation passed in 1968.
– Extended privacy protection outlined in the earlier legislation to apply to radio paging devices, electronic mail, cellular telephones, private communication carriers, and computer transmissions.

GLB

Requires clear disclosure by all financial institutions of their privacy policy regarding the sharing of non-public personal information with both affiliates and third parties.

Requires a notice to consumers and an opportunity to "opt-out" of sharing of non-public personal information with nonaffiliated third parties subject to certain limited exceptions.

Clarifies that the disclosure of a financial institution's privacy policy is required to take place at the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship.

HIPAA

Organizations involved in the maintenance or transmissions of health information pertaining to individuals must:
– Assess risks to and vulnerabilities in their systems
– Develop, implement, and maintain appropriate security measures to safeguard the records
– Measures taken should be documented and kept current

Addressed four categories of requirements
– Administrative procedures
– Physical safeguards
– Technical security services
– Technical mechanisms

Criminal Acts

– Interception of Communication
– Intrusion and Trespass
– Destruction of Property (web defacement)
– Denial of Service
– Fraud
– Extortion

Motivation -- Individual Rights


Conflicts between free speech and harmful or disturbing speech
– flaming -vs- defamation

Conflicts over censorship
– some countries restrict satellite and Internet access for national interests or religious reasons
– some restrict to protect groups such as children

Conflicts over government surveillance
– Carnivore

Carnivore

Ethical Behavior

An example from the Unix world

A person has a file in their home directory with protection bits set to “777”. Have they
– Granted you Permission to view the file (i.e. they are permission bits).
– Granted you the Capability to view the file (in which case what mechanism is used to grant permission)?
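The capability side of this question can be checked mechanically. The following is an added example, not part of the original lesson: it lists files that carry any "other" permission bits and reports whether the directories above them let other users reach the file at all. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def other_triplet(mode):
    """Render the 'other' permission bits of a mode as e.g. 'rwx' or 'r--'."""
    pairs = (("r", stat.S_IROTH), ("w", stat.S_IWOTH), ("x", stat.S_IXOTH))
    return "".join(ch if mode & bit else "-" for ch, bit in pairs)

def audit(root):
    """List files under root that carry any 'other' bits.

    Returns (relative path, octal mode, other triplet, reachable) tuples.
    'reachable' is True only if every directory from root down to the file
    has the 'other' search (x) bit; directories above root are not checked.
    """
    findings = []
    searchable = {root: bool(os.stat(root).st_mode & stat.S_IXOTH)}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            ok = bool(os.lstat(full).st_mode & stat.S_IXOTH)
            searchable[full] = searchable[dirpath] and ok
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode says nothing about its target
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IRWXO:
                findings.append((os.path.relpath(full, root), oct(mode),
                                 other_triplet(mode), searchable[dirpath]))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: a 0755 'home' containing one private 0700 directory."""
    os.chmod(root, 0o755)
    os.mkdir(os.path.join(root, "private"))
    for rel, mode in (("notes.txt", 0o777), ("private/diary.txt", 0o777),
                      ("keys.txt", 0o600)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "private"), 0o700)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample_tree(home)
        for row in audit(home):
            print(row)
```

The report describes capability only: a mode of 777 inside a directory others cannot search grants nothing, and whether the owner meant to give permission is the question the slide raises.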

Societal norms, expectations, perceptions

Do they affect our view?

Think Perception Management!

How are “hackers” portrayed in the press?

How are they portrayed in things such as editorials or cartoons?

Be Aware!

Stay Informed!

YOU DO MAKE A DIFFERENCE!

© 2003 Center for Infrastructure Assurance and Security (CIAS)

Summary

What is the Importance and Significance of this material?

How does this topic fit into the subject of “Voice and Data Security”?