PrivacyPrivacyCSC385CSC385

Kutztown UniversityKutztown UniversityFall 2009Fall 2009

Oskars J. RiekstsOskars J. Rieksts

2009 Kutztown University 2

Notes on PrivacyNotes on Privacy Based on Lawrence SnyderBased on Lawrence Snyder Fluency in Information TechnologyFluency in Information Technology Augmented with my notesAugmented with my notes See also: See also:

http://faculty.kutztown.edu/rieksts/385/topics/privacy/notes.html

2009 Kutztown University 3

OutlineOutline Privacy basicsPrivacy basics Threats to privacyThreats to privacy Personal information controlPersonal information control FIP principlesFIP principles Privacy practicesPrivacy practices CookiesCookies CryptographyCryptography Data miningData mining

2009 Kutztown University 4

Privacy BasicsPrivacy Basics Definition – “The right of people to choose freely Definition – “The right of people to choose freely

under what circumstances and to what extent under what circumstances and to what extent they will reveal themselves to others.” – p. 481they will reveal themselves to others.” – p. 481

Rieksts: Privacy is the cornerstone of selfhoodRieksts: Privacy is the cornerstone of selfhood Modern devices & privacyModern devices & privacy Chief Justice, Louis BrandeisChief Justice, Louis Brandeis

2009 Kutztown University 5

Basis of Privacy ConflictBasis of Privacy Conflict

Modern life requiresModern life requiresRevelation of informationRevelation of information

Financial transactionsFinancial transactions ApplicationsApplications Medical servicesMedical services Etc.Etc.

2009 Kutztown University 6

Basic Privacy IssueBasic Privacy Issue

Ownership of informationOwnership of information Related IT ownership issueRelated IT ownership issue

Your machineYour machine Contents of your machineContents of your machine

FilesFiles SoftwareSoftware

2009 Kutztown University 7

Threats to PrivacyThreats to Privacy Criminal elementCriminal element

Identity theftIdentity theft Cyber-stalkingCyber-stalking Organized crimeOrganized crime

Business & industryBusiness & industry MarketingMarketing EmploymentEmployment

2009 Kutztown University 8

Threats to PrivacyThreats to Privacy Enemies of public safetyEnemies of public safety GovernmentsGovernments

Totalitarian regimesTotalitarian regimes Overzealous public servantsOverzealous public servants

Social engineersSocial engineers

2009 Kutztown University 9

Spectrum of Personal Information Spectrum of Personal Information ControlControl

The lensThe lens Transaction produces informationTransaction produces information

Basic categoriesBasic categories No usesNo uses Opt-In or ApprovalOpt-In or Approval Opt-Out or ObjectionOpt-Out or Objection Internal use onlyInternal use only No limitsNo limits

2009 Kutztown University 10

Storage & UseStorage & Usebeyond transactional necessitybeyond transactional necessity

No usesNo uses Delete informationDelete information Upon completion of transactionUpon completion of transaction

Opt-InOpt-In Permission must be requestedPermission must be requested Explicit approval requiredExplicit approval required

2009 Kutztown University 11

Storage & UseStorage & Usebeyond transactional necessitybeyond transactional necessity

Opt-OutOpt-Out S&U is OKS&U is OK Unless specifically objected toUnless specifically objected to

Internal use onlyInternal use only S&U OKS&U OK Only for business itselfOnly for business itself

No limitsNo limits

2009 Kutztown University 12

FIP PrinciplesFIP Principles FIP = fair information practicesFIP = fair information practices Standard 8 point listStandard 8 point list Developed in 1980 by OECDDeveloped in 1980 by OECD OECD = Organization of Economic OECD = Organization of Economic

Cooperation and DevelopmentCooperation and Development

2009 Kutztown University 13

Eight FIP PrinciplesEight FIP Principles Limited CollectionLimited Collection QualityQuality PurposePurpose Use LimitationUse Limitation SecuritySecurity OpennessOpenness ParticipationParticipation AccountabilityAccountability

2009 Kutztown University 14

Limited Collection PrincipleLimited Collection Principle

Limits to data collectedLimits to data collected Collection byCollection by

Fair meansFair means Lawful meansLawful means

Knowledge & consent requiredKnowledge & consent required If possibleIf possible When appropriateWhen appropriate

2009 Kutztown University 15

Quality PrincipleQuality Principle

RelevanceRelevance Data must be relevantData must be relevant to collection purposeto collection purpose

Data must beData must be AccurateAccurate CompleteComplete Up to dateUp to date

2009 Kutztown University 16

Purpose PrinciplePurpose Principle

Purpose of collection statedPurpose of collection stated Use limitationUse limitation

Use limited to . .Use limited to . . stated purposestated purpose

2009 Kutztown University 17

Use Limitation PrincipleUse Limitation Principle

Data not to be disclosedData not to be disclosed No use for other purposesNo use for other purposes Unless . . Unless . .

Consent given by individualConsent given by individual Authority granted by lawAuthority granted by law

2009 Kutztown University 18

Security PrincipleSecurity Principle

Data controller must . .Data controller must . . Exercise reasonable security measuresExercise reasonable security measures

2009 Kutztown University 19

Openness PrincipleOpenness Principle

Data collection policies & practices . .Data collection policies & practices . . Open to the publicOpen to the public Public knowledge of . .Public knowledge of . .

Existence of dataExistence of data Kind of dataKind of data Purpose/use of dataPurpose/use of data Identity & contact information ofIdentity & contact information of

Data controllerData controller

2009 Kutztown University 20

Participation PrincipleParticipation Principle

Individual able to determine . .Individual able to determine . . Whether data controller has informationWhether data controller has information What the information isWhat the information is

Denial of access can be challengedDenial of access can be challenged Information can be challengedInformation can be challenged

2009 Kutztown University 21

Accountability PrincipleAccountability Principle

Data controller accountable . .Data controller accountable . . for FIP Principles compliancefor FIP Principles compliance

2009 Kutztown University 22

Privacy Practices – EUPrivacy Practices – EU

European UnionEuropean Union AAccepts OECD FIP principlesccepts OECD FIP principles Has European Data Protection DirectiveHas European Data Protection Directive EU citizen protection standardEU citizen protection standard

Extends beyond EU bordersExtends beyond EU borders

2009 Kutztown University 23

Privacy Practices – U.S.A.Privacy Practices – U.S.A. Sectoral approachSectoral approach Freedom of Information Act – 1966Freedom of Information Act – 1966 Privacy Act of 1974 (wrt government)Privacy Act of 1974 (wrt government) Electronics Communication Privacy Act – Electronics Communication Privacy Act –

19861986 Video Privacy Protection Act – 1988Video Privacy Protection Act – 1988 Telephone Consumer Protection Act – Telephone Consumer Protection Act –

19911991 Drivers Privacy Protection Act – 1994Drivers Privacy Protection Act – 1994

2009 Kutztown University 24

Freedom of Information Act – LinksFreedom of Information Act – Links

One Two Three Four

2009 Kutztown University 25

Privacy Act of 1974 – LinksPrivacy Act of 1974 – Links

One Two Three

2009 Kutztown University 26

Electronic Communications Privacy Electronic Communications Privacy ActAct

One Two Three Efforts to updateEfforts to update

2009 Kutztown University 27

Video Privacy Protection ActVideo Privacy Protection Act

One Two Three

2009 Kutztown University 28

Telephone Consumer Protection ActTelephone Consumer Protection Act

OneTwoThreeThree

2009 Kutztown University 29

Driver Privacy Protection ActDriver Privacy Protection Act

OneOne TwoTwo ThreeThree FourFour

2009 Kutztown University 30

Privacy AdvocacyPrivacy Advocacy

EPICEPIC Electronic Privacy Information CenterElectronic Privacy Information Center AboutAbout Home PageHome Page

Privacy Rights ClearinghousePrivacy Rights Clearinghouse Electronic Frontier FoundationElectronic Frontier Foundation

AboutAbout WikipediaWikipedia

2009 Kutztown University 31

CookiesCookies

7-field record7-field record Uniquely identifies . .Uniquely identifies . . customer session on websitecustomer session on website

2009 Kutztown University 32

Cookies – 3Cookies – 3rdrd Party Problem Party Problem

Advertiser on contacted websiteAdvertiser on contacted website Client/server relationship with customerClient/server relationship with customer

Allows 3Allows 3rdrd party cookies party cookies PlacedPlaced AccessedAccessed from various sitesfrom various sites

DiscussionDiscussion