Privacy
CSC385
Kutztown University
Fall 2009
Oskars J. Rieksts
2009 Kutztown University 2
Notes on Privacy
  Based on Lawrence Snyder
    Fluency in Information Technology
  Augmented with my notes
  See also:
http://faculty.kutztown.edu/rieksts/385/topics/privacy/notes.html
Outline
  Privacy basics
  Threats to privacy
  Personal information control
  FIP principles
  Privacy practices
  Cookies
  Cryptography
  Data mining
Privacy Basics
  Definition – “The right of people to choose freely under what circumstances and to what extent they will reveal themselves to others.” – p. 481
  Rieksts: Privacy is the cornerstone of selfhood
  Modern devices & privacy
    Chief Justice, Louis Brandeis
Basis of Privacy Conflict
  Modern life requires
  Revelation of information
    Financial transactions
    Applications
    Medical services
    Etc.
Basic Privacy Issue
  Ownership of information
  Related IT ownership issue
    Your machine
    Contents of your machine
      Files
      Software
Threats to Privacy
  Criminal element
    Identity theft
    Cyber-stalking
    Organized crime
  Business & industry
    Marketing
    Employment
Threats to Privacy
  Enemies of public safety
  Governments
    Totalitarian regimes
    Overzealous public servants
  Social engineers
Spectrum of Personal Information Control
  The lens
    Transaction produces information
  Basic categories
    No uses
    Opt-In or Approval
    Opt-Out or Objection
    Internal use only
    No limits
Storage & Use beyond transactional necessity
  No uses
    Delete information
    Upon completion of transaction
  Opt-In
    Permission must be requested
    Explicit approval required
Storage & Use beyond transactional necessity
  Opt-Out
    S&U is OK
    Unless specifically objected to
  Internal use only
    S&U OK
    Only for business itself
  No limits
FIP Principles
  FIP = fair information practices
  Standard 8 point list
  Developed in 1980 by OECD
  OECD = Organization of Economic Cooperation and Development
Eight FIP Principles
  Limited Collection
  Quality
  Purpose
  Use Limitation
  Security
  Openness
  Participation
  Accountability
Limited Collection Principle
  Limits to data collected
  Collection by
    Fair means
    Lawful means
  Knowledge & consent required
    If possible
    When appropriate
Quality Principle
  Relevance
    Data must be relevant to collection purpose
  Data must be
    Accurate
    Complete
    Up to date
Purpose Principle
  Purpose of collection stated
  Use limitation
    Use limited to . . stated purpose
Use Limitation Principle
  Data not to be disclosed
  No use for other purposes
  Unless . .
    Consent given by individual
    Authority granted by law
Security Principle
  Data controller must . .
    Exercise reasonable security measures
Openness Principle
  Data collection policies & practices . .
    Open to the public
  Public knowledge of . .
    Existence of data
    Kind of data
    Purpose/use of data
    Identity & contact information of data controller
Participation Principle
  Individual able to determine . .
    Whether data controller has information
    What the information is
  Denial of access can be challenged
  Information can be challenged
Accountability Principle
  Data controller accountable . .
    for FIP Principles compliance
Privacy Practices – EU
  European Union
    Accepts OECD FIP principles
    Has European Data Protection Directive
    EU citizen protection standard
      Extends beyond EU borders
Privacy Practices – U.S.A.
  Sectoral approach
  Freedom of Information Act – 1966
  Privacy Act of 1974 (wrt government)
  Electronic Communications Privacy Act – 1986
  Video Privacy Protection Act – 1988
  Telephone Consumer Protection Act – 1991
  Drivers Privacy Protection Act – 1994
Freedom of Information Act – Links
One Two Three Four
Electronic Communications Privacy Act
  One Two Three
  Efforts to update
Telephone Consumer Protection Act
  One Two Three
Driver Privacy Protection Act
  One Two Three Four
Privacy Advocacy
  EPIC
    Electronic Privacy Information Center
    About
    Home Page
  Privacy Rights Clearinghouse
  Electronic Frontier Foundation
    About
    Wikipedia
Cookies
  7-field record
  Uniquely identifies . .
    customer session on website
Cookies – 3rd Party Problem
  Advertiser on contacted website
    Client/server relationship with customer
  Allows 3rd party cookies
    Placed
    Accessed
    from various sites
  Discussion
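The third-party cookie problem on the last slide can be seen in a small simulation. This is an added example, not part of the original slides: the `Server` and `Browser` classes and the `.example` domains are constructed for illustration, and the cookie is reduced to a single identifier rather than the full 7-field record. It shows what one advertiser embedded on several sites can log about a visitor, and what it logs when the browser blocks third-party cookies.

```python
from collections import defaultdict
from itertools import count


class Server:
    """Tags each unknown visitor with a cookie and logs where that cookie is seen."""

    def __init__(self, domain):
        self.domain = domain
        self._ids = count(1)
        self.seen = defaultdict(list)  # cookie value -> sites the visitor was on

    def handle(self, cookie, first_party):
        issued = None
        if cookie is None:  # no cookie sent: issue a fresh identifier
            cookie = issued = f"{self.domain}#{next(self._ids)}"
        self.seen[cookie].append(first_party)
        return issued  # value for Set-Cookie, or None


class Browser:
    """Cookie jar keyed by the domain that set the cookie."""

    def __init__(self, block_third_party=False):
        self.jar = {}
        self.block_third_party = block_third_party

    def _fetch(self, server, first_party):
        third_party = server.domain != first_party
        allowed = not (third_party and self.block_third_party)
        sent = self.jar.get(server.domain) if allowed else None
        issued = server.handle(sent, first_party)
        if issued and allowed:
            self.jar[server.domain] = issued

    def visit(self, site, embedded=()):
        self._fetch(site, site.domain)   # the contacted website (first party)
        for other in embedded:           # advertiser content on the page (third party)
            self._fetch(other, site.domain)


def simulate(block_third_party):
    # Constructed scenario: three unrelated sites embed the same advertiser.
    ad = Server("ads.example")
    browser = Browser(block_third_party)
    for domain in ("news.example", "shop.example", "clinic.example"):
        browser.visit(Server(domain), embedded=[ad])
    return dict(ad.seen)


if __name__ == "__main__":
    print("allowed:", simulate(False))
    print("blocked:", simulate(True))
```

With third-party cookies allowed the advertiser holds one identifier linked to all three sites; with them blocked it sees three unrelated one-site visitors.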