Privacy Issues (set 3)CS 340

Spring 2015

Lotame: Data Management Intelligence

http://www.lotame.com/data-management-solutions/data-management-tutorials

Online tracking devices

• Cookies: small text file that stores information• Stored client side, on hard drive

• Cookie creator: Lou Montulli• Originally

• To allow for shopping cart functionality (online memory)

• Effort made to not allow the sharing of these between sites

• Now• Third party cookies: site to site

• Behavioral Targeting: ad network; relationship with same advertiser

http://live.wsj.com/video/how-advertisers-use-internet-cookies-to-track-you/92E525EB-9E4A-4399-817D-8C4E6EF68F93.html#!92E525EB-9E4A-4399-817D-8C4E6EF68F93

Third Party tracking files

• “The first time a site is visited, it installs a tracking file, which assigns the computer a unique ID number. Later, when the user visits another site affiliated with the same tracking company, it can take note of where that user was before, and where he is now. This way, over time the company can build a robust profile.”

Online tracking devices cont’d

• Beacons• a.k.a. pixel tag, web bug• Invisible image embedded in

webpage• Image is not place there by

website, but by other company for ad tracking

• Potentials:• Capture of what is typed on a

website• Bundles into a profile

http://www.brighttag.com/resources/tag-101/

WSJ article: “The Web's New Gold Mine: Your Secrets”

• http://online.wsj.com/news/articles/SB10001424052748703940904575395073512989404

• Info on Ashley Hayes-Beaty:• 4c812db292272995e541

6a323e79bd37• Valued at $0.001

The WSJ study findings

• Surreptitious installation of tracking technology• Not just cookies, but real time logging• Buying and selling of profiles

Advertisers:• No longer paying for ad placement on a site• Paying instead to follow users around Internet with personalized

marketing messages

Online advertiser tracking companies• “considered anonymous because it identifies web browsers, not

individuals.”• https://www.privatewifi.com/lotame-online-tracking-and-your-privacy/

• What is tracked:• http://www.bluekai.com/consumers_privacyguidelines.php

• Opt out options:• BlueKai http://www.bluekai.com/registry/ • Lotame http://www.lotame.com/privacy

Taking control of the tracking

• Tracking blockers like Ghostery

• https://www.youtube.com/watch?v=EKzyifAvC_U

Which tracking technology is a transparent 1x1 pixel used to surreptitiously gather what people type?

A. CookieB. BeaconC. Third Party CookieD. Ghostery

25% 25%25%25%

Privacy

As consumers:• Most European countries have specific laws and regulations aimed at

protecting an individual’s (consumer) privacy.• In the US, historically consumer privacy has relied on • social norms and • market forces

• laws are typically a last resort or response to an event• highly reactive and unsystematic

Misc. Privacy Laws

• Fair Credit Reporting Act, 1970• Right to Financial Privacy Act,

1978

• Cable Communications Policy Act, 1984• Video Protection Privacy Act, 1988

• Driver’s Protection Privacy Act, 1994

• Children’s Online Privacy Protection Act (COPPA), 1998• Info on kids under 13

• Financial Services Modernization Act, 1999• Health Insurance Portability and

Accountability Act (HIPAA), 2001

Texas Infant DNA collection program, p. 96-97• Routine and often mandatory blood samples collected after birth.

• Reason?

• What happens to the samples after processed?• Discarded OR• Stored indefinitely• See http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3065077/table/T1/

• Motivations?• Detect important health problems• Later identification

• Are parents informed? Not always. Raises ethical issues• This is not limited to Texas… • Recent issue in Indiana http://www.wthr.com/story/25954821/2014/07/07/your-childs-dna-who-has-it • Alabama policy: http://www.babysfirsttest.org/newborn-screening/states/alabama#second-section • http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3065077/

50%50%

Texas’ use of the newborn blood test cards to catalogue information unrelated to that infant’s direct health care is an example of a secondary use of information.

A. TrueB. False

33%33%33%

Opinion: Suppose a public school provides students with laptops. Should that school be able to turn on a web cam on the laptop to check on a student’s off campus behavior?

A. YesB. MaybeC. No

Robbins v. Lower Merion School District, p. 98-99 • US District Court PA (2010)

• School district surreptitiously activated webcams using LANrev on laptops provided to students while students were off campus• Video:

http://www.cbsnews.com/news/610k-settlement-in-school-webcam-spy-case/

• Settlement: $610,000

European Union’s Right to be Forgotten• Check out Google’s page

“European privacy requests for search removals”

• FAQs

• Totals

• Examples

• Sites most impacted

Encryption on phones can make it impossible to comply with court orders• FBI director Coney’s criticism: Apple can no longer bypass smartphone

user passwords with iOS 8 • Cannot comply with court orders

• See video http://www.cnn.com/2014/09/25/politics/fbi-apple-google-privacy/index.html

25% 25%25%25%

Opinion: Do you expect that this inability will create serious problems for law enforcement?

A. Yes, frequentlyB. Yes, sometimesC. Yes, but rarelyD. Never

Google’s Street view issues

1. What is captured by the cameras

2. Other information was recorded too• Info gathered about surrounding

Wi-Fi• War driving

Google’s Street View

• Issue: does it violate privacy when photos are taken that show people engaged in activities visible from public property?

• General rule: No, but there are some exceptions

• Dept of Defense: no content from military bases. Complied• Homeland Security: delay with Baltimore-Washington Metropolitan

area

Street view - Is the elevated camera a problem?

50%50%

Opinion: The height of the street view camera is too tall.

A. YesB. No

International views on Google Street View• Some European countries prohibit filming w/o consent even if done

on public property if the filming is for the purpose of public display

• Japan: required lowering cameras to 2.05 meters (6.73 ft) from 3 meters (9.8 feet)

The other problem of Street View: “war driving” • Collecting data from unsecure networks as the street view car drives

by:• “Snippets of e-mails, photographs, passwords, chat messages, postings on

Web sites and social networks” http://www.nytimes.com/2012/05/23/technology/google-privacy-inquiries-get-little-cooperation.html

• In April 2013, Germany fined Google $189,225 in April for Street View’s privacy violation• Amount google makes in 2 minutes. .002% of its $10.7 B profit last year.• See article

http://www.nytimes.com/2013/04/23/business/global/stern-words-and-pea-size-punishment-for-google.html

Google v. Joffe

• 22 plaintiffs suing google for violating their privacy from war driving during Street View mapping• Google argued that the Wi-Fi info is accessible to anyone and as such

does not constitute wiretapping• 9th Circuit rejected Google’s argument• In June 2014, the US Supreme Court denied certiorari so class actions against

Google for war driving can continue• http://www.bloomberg.com/news/2014-06-30/google-rebuffed-by-u-s-high-court-on-pri

vacy-lawsuit.html

50%50%

Opinion: Do you agree with this statement. Since unsecure Wi-Fi is accessible to many Google did not violate privacy with its war driving.

A. I agree, no violation by GoogleB. I disagree, this is a privacy

violation by Google

Research study: “Experimental evidence of massive-scale emotional contagion through social networks”• On 689,003 Facebook users

• Manipulated News Feed

• Ethical breach? http://www.theguardian.com/technology/2014/jun/30/facebook-emotion-study-breached-ethical-guidelines-researchers-say

• http://www.usatoday.com/story/tech/2014/10/02/facebook-tightens-rules-for-research-experiments-on-users/16592011/

August 2014 iCloud photo hack

• Targeted attack on specific celebrity accounts, not a software or system vulnerability.• Guessed passwords• Researched and answered security questions

• Found nude photos in celebrities’ iCloud accounts & posted nude photos on sites like 4chann

• Could have been prevented with two factor authentication. Requiring two of:• Something user knows• Something user has• Something user is

50%50%

Supplying a username and password constitutes two factor authentication.

A. TrueB. False