Is Privacy Obsolete?

Post on 18-Sep-2020



Introduction

This HL7 study group on the question, "Is Privacy Obsolete?" was undertaken to explore the state of privacy throughout the world and to identify how privacy is being both eroded and protected.

Scope

The global view focuses on privacy within Australia, China, the European Union, Japan, the United Kingdom, India, and the United States as representative countries. Detailed descriptions and comparisons of privacy practice among all countries are readily available online.

Approach

Our approach examines trends in law and regulation, privacy breaches, privacy standards, privacy advocacy groups, online privacy, technology, and evolving attitudes toward privacy. These benchmarks provide quantitative and qualitative evaluation criteria to measure the current state of privacy and possibly allow a glimpse of privacy's future course.

The project is proposed to proceed, within a loosely organized collaboration of interested parties, as follows:

1. Establishment of the study group.
2. Definition of areas of investigation.
3. Research and collection of relevant data.
4. Discussion online and during HL7 Working Group Meetings.
5. Collation of findings and preliminary conclusions.
6. Publication of results.

What is Privacy?

"When I withhold information, it is privacy; when you withhold information, it is secrecy." 1

Presumably, we should know something about the thing that we are studying before we study it. A definition seems like a good starting point; however, privacy has proven difficult to define precisely, and its general meaning does not translate well between cultures. Instead, privacy is often discussed as a list of qualities, practices, and concepts, for example:2

1. the right to be let alone
2. the option to limit the access others have to one's personal information
3. secrecy, or the option to conceal any information from others
4. control over others' use of information about oneself
5. states of privacy
6. personhood and autonomy
7. self-identity and personal growth
8. protection of intimate relationships

1 See Wikipedia, "Privacy," for a general background of the term and its use: https://en.wikipedia.org/wiki/Privacy#CITEREFSolove2008

2 Solove, Daniel J. (2008). Understanding Privacy. Cambridge, Mass.: Harvard University Press. ISBN 9780674027725.

Note that ISO/IEC 29100:2011 (2011-12-15), Information technology — Security techniques — Privacy framework, does not define privacy itself but does define a useful set of related terms. Recent discussions in ISO SC27 WG5 have not resulted in agreement on a clean privacy definition. There is, however, general and widespread understanding of, and capability to provide definitions for, personally identifiable information (PII), the PII principal (the person to whom the PII relates), how PII should be handled, privacy breaches involving PII, and their legal consequences.

Until a standards-based or legal definition is found, the assumption is that dictionary definitions of privacy apply.

Discussion

Changing attitudes

"In the midst of the current opioid epidemic we cannot afford to provide outdated, siloed addiction treatment governed by antiquated privacy laws. 42 CFR Part 2 has outlived its usefulness."

Source: https://www.healthaffairs.org/do/10.1377/hblog20170301.058969/full/

What do we stand to lose?

“Privacy is important for a number of reasons. Some have to do with the consequences of not having privacy. People can be harmed or debilitated if there is no restriction on the public's access to and use of personal information. Other reasons are more fundamental, touching the essence of human personhood. Reverence for the human person as an end in itself and as an autonomous being requires respect for personal privacy. To lose control of one's personal information is in some measure to lose control of one's life and one's dignity.”3

The protection of privacy is important in order to:

Provide protection from the misuse of personal information
o The revelation of sensitive personal information, such as medical records, psychological tests and interviews, court records, financial records, welfare records, and sites visited on the Internet, can leave the subjects vulnerable to many abuses.

Protect our ability to form relationships with other individuals
o The degree of intimacy in a relationship is determined in part by how much personal information is revealed.4

Preserve personal freedoms and autonomy
o "To recognize an individual as an autonomous being, an end in himself, entails letting that individual live his life as he chooses. Of course, there are limits to this, but one of the critical ways that an individual controls his life is by choosing with whom he will have relationships and what kind of relationships these will be.... Information mediates relationships. Thus when one cannot control who has information about one, one loses considerable autonomy."5

Preserve human dignity
o Human dignity includes treating people not merely as means, to be bought and sold and used, but as valuable and worthy of respect in themselves. When personal information is taken and sold or distributed against the person's will, it is as if some part of the person has been alienated and turned into a commodity. In that way the person is treated merely as a thing, a means to be used for some other end.

Safeguard freedom and the balance of power in the relationships between individuals and groups6
o Privacy, as protection from excessive scrutiny, is necessary if individuals are to be free to be themselves. Surveillance and publicity are powerful instruments of social control.7

The explosion of the Internet of Things and Big Data is resulting in an erosion of privacy, where individuals are surrendering their privacy, bit by bit, without even realizing it. Personal information on individuals is being collected with a lack of transparency regarding what is being collected, where it is stored, for how long it is stored, how the information is used, and by whom.8

3 Michael McFarland, S.J., June 1, 2012, "Why We Care About Privacy," Markkula Center for Applied Ethics, Santa Clara University, https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/why-we-care-about-privacy/, accessed Jan 22, 2018.

4 James Rachels, "Why Privacy is Important," Philosophy and Public Affairs, 4(4), (Summer, 1975): 323-333.

5 Deborah G. Johnson, Computer Ethics, Englewood Cliffs, NJ: Prentice-Hall (1985): 65.

6 Michael McFarland, S.J., June 1, 2012, "Why We Care About Privacy," Markkula Center for Applied Ethics, Santa Clara University, https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/why-we-care-about-privacy/, accessed Jan 22, 2018.

7 Alan F. Westin, Privacy and Freedom, New York: Atheneum (1967).

8 Bannon, Christine, Aug 14, 2016, "The IoT Threat to Privacy," https://techcrunch.com/2016/08/14/the-iot-threat-to-privacy/, accessed Jan 23, 2018.

Measuring the Health of Privacy

Law


Observation: There is a worldwide trend in developing, updating and adopting privacy laws and regulations.9

Australia:

Privacy in Australian law is not an absolute right, and there is no clearly recognized tort of invasion of privacy or similar remedy available to people who feel their privacy has been violated. Privacy is, however, affected and protected in limited ways by the Australian common law and a range of Commonwealth, state and territorial laws and administrative arrangements.10

o Privacy Act (1988)
o Australia announced plans to participate in the APEC Cross-Border Privacy Rules (Nov 2017)

China:

Chinese policy appears to assume that security is enhanced if consumer data is kept within the host country's geographical borders (data localization).

o Cybersecurity Law (final text in effect June 2017)
o Guidelines on De-Identification of Personal Information (comment period closed October 2017)
o Draft Regulations on the Protection of Consumer Rights (comment period closed September 2016)
o Measures for Security Assessments of Data Transfers (comment period closed May 2017)
o E-Commerce Law (comment period closed November 2017)

India:

Privacy is now read into the Indian constitution: in August 2017, India's Supreme Court ruled that privacy is a "fundamental right."11 The 2008 amendments to the Information Technology Act provide for fines and imprisonment for up to three years.

o Constitution of India
o Information Technology Act, 2000
o Supreme Court ruling on the Right to Privacy, 2017
o First Analysis of the Personal Data Protection Law in India, Final Report

European Union:

Keeping pace with technology evolution and development; regarded as the gold standard.

o General Data Protection Regulation (in effect as of May 25, 2018)
o Regulation on Privacy and Electronic Communications (ePrivacy Regulation, proposed January 2017)

9 Proceedings of the CHI2006 Workshop on Privacy-Enhanced Personalization, http://isr.uci.edu/pep06/papers/Proceedings_PEP06.pdf#page=44

10 https://en.wikipedia.org/wiki/Privacy_in_Australian_law

11 Rishi Iyengar, August 29, 2017, "Privacy is now a right in India. Here's what that means for the tech industry," http://money.cnn.com/2017/08/29/technology/india-right-to-privacy-tech-industry-aadhaar/index.html?sr=twCNN082917india-right-to-privacy-tech-industry-aadhaar0250PMStory, accessed 1/24/2018

Japan:

Described as more stringent than the EU regime; applies to large companies, while smaller ones may be exempt.

o Act on the Protection of Personal Information (APPI), 2005
o Act on the Protection of Personal Information Held by Administrative Organs
o Act on the Protection of Personal Information Held by Independent Administrative Agencies

United Kingdom:

Data protection legislation in the UK is primarily based upon Directives from the European Union.

o Computer Misuse Act 1990
o Data Protection Act 1998
o Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended, which implemented European Directives 2002/58/EC and 2009/136/EC into the national law of the UK.

United States:

Privacy law and regulation in the U.S. is a potpourri of industry-specific legislation, state and federal regulation, and industry/organization self-regulation.

o House of Representatives passes bill to permit broader use and disclosure of Protected Health Information for research purposes (2017)
o Supreme Court grapples with cellphone privacy in the age of technology
o Privacy Act 1974. Applies to systems of records maintained by the Federal Government.
o Children's Online Privacy Protection Act (COPPA).12
o Health Insurance Portability and Accountability Act (HIPAA) 1996
o Fair Credit Reporting Act (FCRA) applies the principles of the Code of Fair Information Practice to credit reporting agencies. The FCRA allows individuals to opt out of unwanted credit offers.
o Fair Debt Collection Practices Act limits dissemination of information about a consumer's financial transactions.
o Bankruptcy Abuse Prevention and Consumer Protection Act of 2005 (which actually gutted consumer protections, for example in the case of bankruptcy resulting from medical costs) limited some of these controls on debtors.
o Electronic Communications Privacy Act (ECPA) establishes criminal sanctions for interception of electronic communications.

12 15 U.S.C. §§ 6501–6506 (Pub.L. 105–277, 112 Stat. 2681-728, enacted October 21, 1998). COPPA applies to the online collection of personal information by persons or entities under U.S. jurisdiction about children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children's privacy and safety online, including restrictions on the marketing of those under 13. https://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Protection_Act


Computer security, privacy and criminal law (https://en.wikipedia.org/wiki/Information_privacy_law#HIPAA):

o 1970 U.S. Fair Credit Reporting Act
o 1970 U.S. Racketeer Influenced and Corrupt Organizations (RICO) Act
o 1974 Family Educational Rights and Privacy Act (FERPA)
o 1974 U.S. Privacy Act
o 1980 Organization for Economic Cooperation and Development (OECD) Guidelines
o 1984 U.S. Medical Computer Crime Act
o 1984 U.S. Federal Computer Crime Act (strengthened in 1986 and 1994)
o 1986 U.S. Computer Fraud and Abuse Act (amended in 1986, 1994, 1996 and 2001)
o 1986 U.S. Electronic Communications Privacy Act (ECPA)
o 1987 U.S. Computer Security Act (repealed by the Federal Information Security Management Act of 2002)
o 1988 U.S. Video Privacy Protection Act
o 1991 U.S. Federal Sentencing Guidelines
o 1992 OECD Guidelines to Serve as a Total Security Framework
o 1994 Communications Assistance for Law Enforcement Act
o 1995 Council Directive on Data Protection for the European Union (EU)
o 1996 U.S. Economic and Protection of Proprietary Information Act
o 1996 Health Insurance Portability and Accountability Act (HIPAA) (requirement added in December 2000)
o 1998 U.S. Digital Millennium Copyright Act (DMCA)
o 1999 U.S. Uniform Computer Information Transactions Act (UCITA)
o 2000 U.S. Electronic Signatures in Global and National Commerce Act ("ESIGN")
o 2001 U.S. Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act
o 2002 Homeland Security Act (HSA)
o 2002 Federal Information Security Management Act (FISMA)

o Constitution of the United States. Although the word "privacy" is never used in the text of the United States Constitution, there are constitutional limits to the government's intrusion into individuals' right to privacy. This is true even when pursuing a public purpose such as exercising police powers or passing legislation. The Constitution, however, only protects against state actors; invasions of privacy by private individuals can only be remedied under previous court decisions.

o The Fourth Amendment to the Constitution of the United States ensures that "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized".

o The First Amendment protects the right to free assembly, broadening privacy rights. The Ninth Amendment declares that the fact that a right is not explicitly mentioned in the Constitution does not mean that the government can infringe on that right. The Supreme Court recognized the Fourteenth Amendment as providing a substantive due process right to privacy. This was first recognized by several Supreme Court Justices in Griswold v. Connecticut, a 1965 decision protecting a married couple's right to contraception. It was recognized again in Roe v. Wade (1973), which invoked the right to privacy to protect a woman's right to an abortion, and in Lawrence v. Texas (2003), which invoked the right to privacy regarding the sexual practices of same-sex couples.13

o 2009 HITECH Act
o ONC State Health IT Privacy and Consent Laws and Policies, Sep 2006 to 07/12/2017, covering: 1) State Health Information Exchange (HIE) Consent Policies; 2) State-Sponsored HIE Consent Policies; 3) State Laws Requiring Authorization to Disclose Mental Health Information for Treatment, Payment, and Health Care Operations (TPO); and 4) State Laws that Apply a Minimum Necessary Standard to Treatment Disclosures of Mental Health Information. [.csv]

Privacy Breaches

Google:

Google must undergo regular privacy audits mandated by the FTC for the next 20 years as the result of a settlement over improper privacy disclosures in its now-defunct Buzz social media service.

Online Advertising Services:

A new area of concern for privacy advocates is behavioral targeting by online advertising services. These services create behavioral profiles based on anonymous data of how computer users surf the web and then serve up targeted ads based on these profiles. The FTC ruled in 2009 that these services must provide consumers with notice about the collecting of behavioral data and provide them with the ability to opt out. In March 2011, the FTC reached its first behavioral profiling settlement with advertising network Chitika for deceptive opt-out practices. Chitika said it mistakenly programmed the opt-out setting for 10 days, instead of the intended 10 years.
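The Chitika settlement turned on an opt-out cookie whose lifetime was set to 10 days instead of the intended 10 years, so the opt-out silently stopped working. The check below is an added example, not code from the study group's report or from any advertising network: it reads a Set-Cookie header the way a browser does (Max-Age takes precedence over Expires, per RFC 6265) and flags an opt-out that expires too soon or disappears with the browser session. The cookie name optout, the ten-year minimum, the audit date and the sample headers are all constructed assumptions for the example.

```python
"""Audit the lifetime of an advertising opt-out cookie.

Added example, not part of the study group's report. The cookie name
"optout", the ten-year minimum, the audit date and the sample headers are
assumptions made for the example.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Assumed policy: an opt-out must persist for at least ten years.
TEN_YEARS = timedelta(days=365 * 10)

# Constructed audit time, so the Expires arithmetic is reproducible.
NOW = datetime(2011, 3, 1, tzinfo=timezone.utc)

# Constructed Set-Cookie headers: the 10-day mistake, the intended 10-year
# opt-out, a session cookie, and a header where Max-Age overrides Expires.
SAMPLES: Dict[str, str] = {
    "ten_days": "optout=1; Max-Age=864000; Path=/; Domain=.adnet.example",
    "ten_years": "optout=1; Expires=Mon, 01 Mar 2021 00:00:00 GMT; Path=/; Domain=.adnet.example",
    "session": "optout=1; Path=/; Domain=.adnet.example",
    "max_age_wins": "optout=1; Expires=Mon, 01 Mar 2021 00:00:00 GMT; Max-Age=864000; Path=/",
}


def cookie_lifetime(set_cookie: str, now: datetime) -> Optional[timedelta]:
    """Return how long the cookie persists from `now`, or None for a session cookie.

    Follows RFC 6265 section 5.3: Max-Age takes precedence over Expires, and a
    Max-Age of zero or less means the cookie expires immediately.
    """
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.strip().lower()] = value.strip()
    if "max-age" in attrs:
        try:
            seconds = int(attrs["max-age"])
        except ValueError:
            return None  # a non-numeric Max-Age is ignored, leaving a session cookie
        return timedelta(seconds=max(seconds, 0))
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires is None:
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max(expires - now, timedelta(0))
    return None


def audit_opt_out(set_cookie: str, now: datetime = NOW,
                  minimum: timedelta = TEN_YEARS) -> Tuple[bool, str]:
    """Return (ok, reason) for an opt-out cookie header."""
    name = set_cookie.split(";", 1)[0].split("=", 1)[0].strip()
    if name.lower() != "optout":
        return False, "not the opt-out cookie: " + name
    lifetime = cookie_lifetime(set_cookie, now)
    if lifetime is None:
        return False, "session cookie: the opt-out is lost when the browser closes"
    if lifetime < minimum:
        return False, "opt-out expires after %d days, expected at least %d" % (
            lifetime.days, minimum.days)
    return True, "opt-out persists for %d days" % lifetime.days


def audit_samples() -> Dict[str, bool]:
    """Run the audit over the constructed headers; only the 10-year one passes."""
    return {label: audit_opt_out(header)[0] for label, header in SAMPLES.items()}


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        ok, reason = audit_opt_out(header)
        print("%-12s %s  %s" % (label, "PASS" if ok else "FAIL", reason))
```

Running the block prints one line per sample; only the ten-year header passes, and the header that carries both attributes fails because Max-Age wins, which is exactly the kind of mistake an opt-out that was "programmed for 10 days" would show in a response-header audit.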

U.S. Web sites that target children for subscriptions or sales must comply with special rules aimed at gathering permission from parents under the Children's Online Privacy Protection Act (COPPA). In May, 2011, Disney's Playdom, Inc. had the dubious honor of paying the largest-ever COPPA fine, which was a $3 million civil penalty from the FTC for gathering and sharing personal information about hundreds of thousands of children without parental consent. Playdom, which runs the popular Pony Stars site, collected kids' ages and email addresses and allowed them to post their full names and locations. Other sites that have run afoul of COPPA rules include blogging outlet Xanga.com and mobile app developer Broken Thumbs.

Vehicle On-board Personal Assistants

General Motors has run into privacy issues with its OnStar GPS-based system, which may continue to track vehicles even after a customer cancels the service. General Motors changed its OnStar privacy policy in December 2011, indicating that it reserves the right to share data it has collected, such as a vehicle's speed, location, odometer reading, seat belt usage and airbag deployment, with other companies. This is true even for customers who have cancelled the OnStar service, unless they explicitly ask for the two-way communications link to be disabled. General Motors says the data would be anonymous and aggregated before being sold. Vehicle-based telematics systems like OnStar are an emerging area for privacy concerns, with new worries about the possibility of misuse of data.

13 https://en.wikipedia.org/wiki/Privacy_laws_of_the_United_States

The following incidents are summarized in Network World, "15 worst Internet privacy scandals of all time," https://www.networkworld.com/article/2185187/security/15-worst-internet-privacy-scandals-of-all-time.html:

o Sony CD Spyware
o Craigslist Experiment
o AOL Search Leak
o Google Street View
o Hotmail
o Webcamgate
o Facebook Apps
o Patient Data Exposed
o Behavior Targeting is Targeted
o iPhone Tracking
o PlayStation Network Hacked
o Disney Violated Kid Data Rule
o Carrier IQ
o GM to Sell Vehicle Data
o Voicemail Hacking

The following 2017 breaches are listed by IdentityForce, "2017 Data Breaches," https://www.identityforce.com/blog/2017-data-breaches:

o E-Sports Entertainment Association
o Xbox 360 ISO
o InterContinental Hotels Group
o Arby's
o River City Media
o Verifone
o Dun and Bradstreet
o Saks Fifth Avenue
o UNC Health Care
o America's JobLink
o FAFSA: IRS Data Retrieval Tool
o InterContinental Hotels Group (IHG), update
o Chipotle
o Sabre Hospitality Solutions
o Gmail
o Bronx Lebanon Hospital Center
o Brooks Brothers
o DocuSign
o OneLogin
o Kmart
o University of Oklahoma
o Washington State University
o Deep Root Analytics
o Blue Cross Blue Shield / Anthem
o California Association of Realtors
o Verizon
o Online Spambot
o TalentPen and TigerSwan
o Equifax
o U.S. Securities and Exchange Commission (SEC)
o SVR Tracking
o Deloitte
o Sonic
o Whole Foods Market
o Disqus
o Yahoo! (update)
o Hyatt Hotels
o Forever 21
o Maine Foster Care
o Uber
o Imgur

Additional sources, cited below as [OPM n]:

o Equifax 2: https://news.clearancejobs.com/2017/09/21/equifax-and-opm-data-breaches/
o OPM Breach: https://news.clearancejobs.com/2017/09/21/equifax-and-opm-data-breaches/
o OPM Breach 2: https://federalnewsradio.com/opm-cyber-breach/2017/09/judge-dismisses-opm-cyber-breach-lawsuits-union-appeals/
o OPM Breach 3: http://thehill.com/policy/cybersecurity/347897-fbi-arrests-chinese-national-linked-to-opm-hack-malware-report
o OPM Data Breach 4: http://www.cnn.com/2015/07/09/politics/office-of-personnel-management-data-breach-20-million/index.html
o OPM Data Breach 5: https://www.washingtonpost.com/world/national-security/chinese-government-has-arrested-hackers-suspected-of-breaching-opm-database/2015/12/02/0295b918-990c-11e5-8917-653b65c809eb_story.html?utm_term=.dcccab951b24
o OPM Data Breach 6: https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
o OPM Data Breach 7: https://www.cio.com/article/2947453/data-breach/how-opm-data-breach-could-have-been-prevented.html
o Harris Gastroenterology: https://www.cyberstreams.com/worst-data-breaches-of-2017/


Enforcement

Observation: Within the U.S., enforcement actions by states and the Federal Government (ONC, FCC, FTC) include fines against offenders of up to a couple of million dollars. Few legal actions result in actual monetary awards to affected persons (difficulty in proving harm, legal distinctions between hacking/theft and disclosure). Breaches tend to be treated as identity theft (remedied with credit monitoring) rather than as loss of privacy (remedied through class action lawsuits and monetary awards). Previous breaches tend to insulate later offenders, since a plaintiff's harm cannot be tied to any one incident.

United States Office of Personnel Management Breach

In June 2015, the United States Office of Personnel Management (OPM) announced that it had been the target of a data breach targeting the records of as many as four million people. The final estimate of the number of stolen records is approximately 21.5 million. This includes records of people who had undergone background checks, but who were not necessarily current or former government employees. It has been described by federal officials as among the largest breaches of government data in the history of the United States. Information targeted in the breach included personally identifiable information such as Social Security numbers, as well as names, dates and places of birth, and addresses. In the aftermath of the event, Katherine Archuleta, the director of OPM, and the CIO, Donna Seymour, resigned. [OPM 6].

"The recently disclosed data breach at the U.S. government's Office of Personnel Management follows a long history of lax security at the agency, according to the inspector general's office. In testimony before a joint House subcommittee hearing, Michael Esser, OPM's assistant inspector general for audits, told lawmakers that the agency's "long history of systemic failures to properly manage its IT infrastructure" may have invited a pair of related hacking incidents that compromised more than 21 million current and former government employees' personal information. That figure was more than five times larger than the agency initially had estimated the scope of the breach was, which OPM says it first discovered in April. Then late Friday word emerged that the embattled head of the agency was stepping down. Esser says that OPM has made some improvements in its security posture, but at the same time he expresses frustration that many recommendations his office has made over the years -- some dating back to 2007 -- have essentially been ignored within the agency." [OPM 7]

“U.S. District Judge Amy Jackson delivered a major blow to the federal unions and employees involved in bringing multiple class-action lawsuits against the Office of Personnel Management over its 2015 data breach. Citing the federal government’s immunity from lawsuits and the difficulty of legally proving harm as the result of having personally identifiable information (PII) stolen, she granted the government’s motion to dismiss the case.

Judge Jackson’s ruling argued that, even if the government had waived its sovereign immunity and consented to be sued, there were a number of issues with the suits themselves. First, they sought damages for improper “disclosure” of private information, but disclosure is very different from theft.


Second, the fact that the attack was directed against a government agency, rather than a retail or financial organization, makes it difficult to project what uses the perpetrators may intend for the data. And third, because of this, plaintiffs cannot prove imminent, or even likely, future harm.

Finally, Jackson argued that due to the increasing frequency of data breaches and threats to PII, 'those plaintiffs who allege that they have already experienced an actual misuse of their credit card numbers or personal information, they cannot tie those disparate incidents to this breach.'" [OPM 2]

Standards activity

ISO SC27 WG5 efforts to define "privacy": between about Dec 1, 2017 and Jan 9, 2018, WG5's online discussion on defining privacy ran intensely and has since abated somewhat, but without consensus or a clear definition of privacy as distinct from data security.

Privacy Advocacy Groups

Evolving Technology? Privacy online (Big Data/IoT, Facebook/Google)

Cell phone tracking

Automobile tracking

Cell phone privacy (pass through via providers)

Facebook


Evolving Attitudes


FISA Court

Findings

Observation: Within the last three years, many countries throughout the world have created or updated their privacy laws, except for the United States, which has continued to pass laws eroding privacy, including broader use and disclosure of Protected Health Information for research purposes within healthcare.

o One exception is NIST SP 800-53 Rev. 5 (in draft at the time of writing), which has integrated privacy and security controls, much as HL7 has.
o Legislation is now before Congress that would effectively gut 42 CFR Part 2.
o "Congress does diddly": https://www.washingtonpost.com/opinions/from-net-neutrality-to-digital-privacy-congress-does-diddly/2017/11/28/bd2dd442-d44f-11e7-a986-d0a9770d9a3e_story.html?utm_term=.5b5c144b3528

o Our entire lives — not just conversations but also shopping, studying, dating, navigating, playing, dining and documenting our experiences — take place with and through these devices (personal digital property, including cell phones). Should all of it be public? Yet we have no choice but to use these increasingly indispensable tools.

o Justice Sonia Sotomayor, writing in 2012, found existing law “ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

o Big Data, IoT and digital currency will make it increasingly difficult for people to have meaningful expectations of privacy. (Cite study comparing us to prisoners under the watchful eyes of the prison guards.) Smartdust: micro-sensors injected into the body which could be used to record information.

o Global companies such as Google and Facebook are reacting to new laws on a country by country basis.

o Breaches by country


o Fines by country

o Significant areas (financial, espionage, fun)

References:

Death of Privacy links

The death of privacy (Alex Preston, The Guardian, World › Privacy)
www.theguardian.com
Sharing is the norm online, and secrecy is out. But what is the psychological and cultural fallout from the end of privacy?

Images of the death of privacy? A “must see” overview

The Death of Privacy? (A. Michael Froomkin, University of Miami, PDF, May 2000)
osaka.law.miami.edu/~froomkin/articles/privacy-deathof.pdf
Opens with Sun Microsystems CEO Scott McNealy’s line: “You have zero privacy. Get over it.”

The Birth and Death of Privacy: 3,000 Years of History (The Ferenstein Wire, Medium)
https://medium.com/the-ferenstein-wire/the-birth-and-death-of...
Part of an online book about Silicon Valley’s political endgame. Cerf suffered a torrent of criticism in the media ...

The Death of Privacy (ABC News)
abcnews.go.com/2020/story?id=2752636&page=1
Thanks to YouTube and a dozen other Web sites such as Myspace and Facebook, the images can spread, invading your privacy further.

The Death of Privacy? by A. Michael Froomkin (SSRN)
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2715617
The rapid deployment of privacy-destroying technologies by governments and businesses threatens to make informational privacy obsolete.


The death of privacy in America, Part 1 (Intellihub, SCI-TECH)
www.intellihub.com
The NSA has raked up all of the communications, of all Americans, and those of eighty percent of the rest of the world’s ...

The Death of Privacy (Harvard University)
https://cyber.harvard.edu/privacy/Module2_Intro.html
In sum, even the consumerist reformers of online profiling must address how much notice must be given, when must it be given, at what level of particularity ...

The death of privacy: The internet is always watching (Android Central)
https://www.androidcentral.com/talk-mobile/the-death-of-privacy...

Could the smart city mean the death of privacy? (Network World)
https://www.networkworld.com/article/3238067/privacy
As the Internet of Things grows and society becomes more interconnected, millions of citizens are beginning to experience a new kind of lifestyle in smart cities.

General World Wide Overviews and Comparisons

The International Comparative Legal Guide to: Data Protection 2017

https://www.huntonprivacyblog.com/2017/08/16/hunton-privacy-team-publishes-several-chapters-international-comparative-legal-guide-data-protection/ (click on "View the relevant chapters")

GLOBAL DATA PRIVACY SNAPSHOT 2017: How does your organisation compare?

https://www.dlapiper.com/en/us/insights/publications/2017/01/global-data-privacy-snapshot-2017/

Data Protection Laws of the World

https://www.dlapiperdataprotection.com/index.html

Medical privacy standards by country

<https://en.wikipedia.org/wiki/Medical_privacy>

2017 Ponemon Cost of Data Breach Study


https://www-03.ibm.com/security/uk-en/data-breach/

Impacts of Privacy Laws and Regulations on Personalized Systems

http://isr.uci.edu/pep06/papers/Proceedings_PEP06.pdf#page=44

Australia

Privacy Law

https://www.oaic.gov.au/privacy-law/

Australia Announces Plans to Participate in APEC Cross-Border Privacy Rules

<https://www.huntonprivacyblog.com/2017/11/28/australia-announces-plans-participate-apec-cross-border-privacy-rules/>

Privacy in Australian law

<https://en.wikipedia.org/wiki/Privacy_in_Australian_law>

Privacy Act 1988

https://en.wikipedia.org/wiki/Privacy_Act_1988

China

China Releases Draft Guidelines on De-Identification of Personal Information

<https://www.huntonprivacyblog.com/2017/08/30/china-releases-draft-guidelines-de-identification-personal-information/>

China Publishes Draft Measures for Security Assessments of Data Transfers

<https://www.huntonprivacyblog.com/2017/04/11/china-publishes-draft-measures-security-assessments-data-transfers/>

China Publishes Second Draft of E-Commerce Law for Comment

<https://www.huntonprivacyblog.com/2017/11/09/china-publishes-second-draft-e-commerce-law-comment/>

China’s State Administration for Industry and Commerce Publishes Draft Regulations on the Protection of Consumer Rights

<https://www.huntonprivacyblog.com/2016/08/08/chinas-state-administration-for-industry-and-commerce-publishes-draft-regulations-on-the-protection-of-consumer-rights/>

Final Cybersecurity Law Enacted in China

<https://www.huntonprivacyblog.com/2016/11/08/final-cybersecurity-law-enacted-china/>

Decoding China’s Approach to Data Security

https://thediplomat.com/2016/12/decoding-chinas-approach-to-data-security/


European Union

What is the GDPR?

<https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html>


EU Proposal for Regulation on Privacy

<https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation>

India

Information Technology Act

https://en.wikipedia.org/wiki/Information_Technology_Act,_2000#The_Information_Technology_(Amendment)_Act,_2008

Constitution of India

https://en.wikipedia.org/wiki/Constitution_of_India

India Supreme Court Bench Ruling

http://indianexpress.com/article/india/right-to-privacy-verdict-live-updates-supreme-court-aadhaar-judgment-481

Japan

Online Privacy Law: Japan

<https://www.loc.gov/law/help/online-privacy-law/japan.php>

Global Privacy – Japan Sets its Rules for Personal Data

<http://www.frostbrowntodd.com/resources-524.html>

United Kingdom

Privacy in English Law

https://en.wikipedia.org/wiki/Privacy_in_English_law

Online Privacy Law: United Kingdom


https://www.loc.gov/law/help/online-privacy-law/uk.php

United States

From net neutrality to digital privacy, Congress does diddly

<https://www.washingtonpost.com/opinions/from-net-neutrality-to-digital-privacy-congress-does-diddly/2017/11/28/bd2dd442-d44f-11e7-a986-d0a9770d9a3e_story.html?utm_term=.5b5c144b3528>

Supreme Court grapples with cellphone privacy in age of technology

<https://www.washingtontimes.com/news/2017/nov/29/trump-admin-scotus-no-warrant-cellphone-records/>

House of Representatives Passes Bill to Permit Broader Use and Disclosure of Protected Health Information for Research Purposes

https://www.huntonprivacyblog.com/2015/07/17/house-representatives-passes-bill-permit-broader-use-disclosure-protected-health-information-research-purposes/

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. www.hhs.gov/hipaa/for-professionals/privacy/index.html

Mass surveillance in the United States

https://en.wikipedia.org/wiki/Mass_surveillance_in_the_United_States

Safe Streets Act; Privacy Act of 1974; FISA (1978); ECPA (1986); Patriot Act (2001) / USA Freedom Act (2015); Homeland Security Act; Protect America Act of 2007; FISA Amendments Act of 2008.

Edward Snowden: debate over the balance between national security and information privacy.

https://en.wikipedia.org/wiki/Edward_Snowden


Definitions

Tort claim

https://www.reference.com/government-politics/tort-claim-65d7a874bf33d974

A tort is a legal claim filed with the intention of providing relief for a civil wrong. The Legal Information Institute of Cornell University identifies three main categories of tort: intentional tort, negligent tort and strict liability tort.

Privacy Law

(US) The essence of the law derives from a right to privacy, defined broadly as "the right to be let alone." It usually excludes personal matters or activities which may reasonably be of public interest, like those of celebrities or participants in newsworthy events. Invasion of the right to privacy can be the basis for a lawsuit for damages against the person or entity violating the right. These include the Fourth Amendment right to be free of unwarranted search or seizure, the First Amendment right to free assembly, and the Fourteenth Amendment due process right, recognized by the Supreme Court as protecting a general right to privacy within family, marriage, motherhood, procreation, and child rearing.[2]

In the United States today, "invasion of privacy" is a commonly used cause of action in legal pleadings. Modern tort law includes four categories of invasion of privacy:[6]

Intrusion of solitude: physical or electronic intrusion into one's private quarters

Public disclosure of private facts: the dissemination of truthful private information which a reasonable person would find objectionable

False light: the publication of facts which place a person in a false light, even though the facts themselves may not be defamatory

Appropriation: the unauthorized use of a person's name or likeness to obtain some benefits

The Privacy Act of 1974, 5 U.S.C. § 552a, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies.

FTC Fair Information Practice

FTC Fair Information Practice Principles are the result of the Commission's inquiry into the manner in which online entities collect and use personal information and safeguards to assure that practice is fair and provides adequate information privacy protection. The FTC has been studying online privacy issues since 1995, and in its 1998 report,[2] the Commission described the widely accepted Fair Information Practice Principles of Notice, Choice, Access, and Security.[1] The Commission also identified Enforcement, the use of a reliable mechanism to provide sanctions for noncompliance, as a critical component of any governmental or self-regulatory program to protect online privacy.[1]

Information privacy

Information privacy, or data privacy (or data protection), is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. https://en.wikipedia.org/wiki/Information_privacy

Privacy concerns exist wherever personally identifiable information or other sensitive information is collected, stored, used, and finally destroyed or deleted – in digital form or otherwise. Improper or non-existent disclosure control can be the root cause for privacy issues. Data privacy issues may arise in response to information from a wide range of sources, such as:

Healthcare records

Criminal justice investigations and proceedings

Financial institutions and transactions

Biological traits, such as genetic material

Residence and geographic records

Privacy breach

Location-based service and geolocation

Web surfing behavior or user preferences using persistent cookies

Academic research

Data Privacy Challenge

The challenge of data privacy is to utilize data while protecting individuals' privacy preferences and their personally identifiable information. The fields of computer security, data security, and information security design and utilize software, hardware, and human resources to address this issue. Since the laws and regulations related to Privacy and Data Protection are constantly changing, it is important to keep abreast of any changes in the law and to continually reassess compliance with data privacy and security regulations.[1] Within academia, Institutional Review Boards function to assure that adequate measures are taken to ensure both the privacy and confidentiality of human subjects in research.[2]

Personal Data (GDPR)

Article 4(1) reads as follows (full definition; emphasis added):

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


Recital 26 reads as follows

“The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. […]”

http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
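As an added illustration of Recital 26 (not part of the study group's text), the Python example below pseudonymises constructed sample records with a keyed HMAC and then shows two ways they remain identifiable: the key holder can recompute the pseudonyms and re-link each row, and a unique combination of postcode and birth year singles a person out without any key. The records, key and field names are constructed for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (fictional people), used as input below.
RECORDS = [
    {"name": "Alice Example", "postcode": "SW1A", "birth_year": 1980, "diagnosis": "A"},
    {"name": "Bob Example",   "postcode": "SW1A", "birth_year": 1980, "diagnosis": "B"},
    {"name": "Carol Example", "postcode": "EC1A", "birth_year": 1975, "diagnosis": "A"},
]
# Constructed pseudonymisation key. In Recital 26 terms this is the
# "additional information" that must be held separately from the data.
KEY = b"constructed-demo-key-not-for-production"


def pseudonym(name: str, key: bytes) -> str:
    """Keyed pseudonym for a direct identifier (truncated HMAC-SHA256)."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier with a pseudonym, keeping the other fields."""
    return [
        {"pseudonym": pseudonym(r["name"], key),
         **{k: v for k, v in r.items() if k != "name"}}
        for r in records
    ]


def reidentify(rows, key, candidate_names):
    """Whoever holds the key and a list of candidate names can recompute the
    pseudonyms and attribute each row to a person again, so the rows are still
    personal data under Recital 26. Returns None where no candidate matches."""
    by_token = {pseudonym(n, key): n for n in candidate_names}
    return [by_token.get(row["pseudonym"]) for row in rows]


def singled_out(rows, quasi_identifiers=("postcode", "birth_year")):
    """Rows whose combination of indirect identifiers is unique in the dataset
    can be singled out even without the key; Recital 26 counts such a person
    as identifiable. Rows sharing a combination are not returned."""
    combos = [tuple(row[q] for q in quasi_identifiers) for row in rows]
    freq = Counter(combos)
    return [row for row, combo in zip(rows, combos) if freq[combo] == 1]


if __name__ == "__main__":
    rows = pseudonymise(RECORDS, KEY)
    print("key holder re-links:", reidentify(rows, KEY, [r["name"] for r in RECORDS]))
    print("singled out without key:", singled_out(rows))
```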

United States Response to GDPR

This Site is intended for use by residents of the United States of America only. All matters relating to this Site are governed by the laws of the State of Washington in the United States of America. If you are located outside of the United States of America and you contact us, please be advised that any information you provide to us will be transferred to the United States of America and that by submitting information, you explicitly authorize such transfer