Getting to Privacy - PowerPoint PPT Presentation

Provided by: ipc11
Learn more at: https://www.pcct.org
Transcript and Presenter's Notes

1
Getting to Privacy
  • A Presentation to

Presented by Mike Gurski
2
Agenda
  • Background on IPC
  • Privacy whys and whats
  • Online Risks (Offline too)
  • Online Privacy
  • Tasks
  • Tools
  • P3P

3
Information Privacy Commission/Ontario
  • established in 1988
  • independent review of government decisions and
    practices concerning access and privacy
  • resolve appeals,
  • investigate privacy complaints,
  • ensure compliance with the Acts,
  • research access and privacy issues and
  • educate the public about these laws.

4
What Drives the Privacy Issue?
  • Large organizations disconnected from clients,
    gathering detailed data
  • Increasing amounts of personal data, held,
    consolidated, used
  • New privacy invasive technologies
  • Application of a technology paradigm geared to
    manufactured goods on humans

5
Privacy and Security: the Difference
  • Security ≠ Privacy

6
Privacy Data Security
7
Privacy Defined
  • Informational Privacy: The protection and control
    of any recorded information about an identifiable
    individual.

8
Some Headlines
  • Stealing cards easy as Web Browsing
  • Jan 14, 2000 MSNBC
  • Vast online credit card theft revealed: Hacker
    hides 485,000 stolen cards on US government
    computer
  • March 20, 2000 MSNBC
  • CD Universe: 300,000 cards hijacked.

9
Some more Headlines
  • The Illusion of Privacy
  • National Post, Dec. 14, 1999
  • Woman's one-way trip on information highway
  • Toronto Star, March 23, 2000
  • Web sites can follow a trail of your data,
    recording every move
  • Ottawa Citizen, Jan. 18, 2000

10
Online Risks
  • Web Bugs
  • Web Cookies... Cookie Synchronization
  • Double Clicks
  • Malicious code
  • Viruses

11
More Online Risks
  • Unauthorized Access
  • Snooping
  • Spoofing
  • Identity Theft

12
Remedies
  • Become Privacy Literate
  • Know the Laws
  • International
  • National
  • Provincial
  • Visit the Web Sites
  • Read the Books and Articles

13
Privacy Literacy
  • Why are you asking?
  • collection purpose specification
  • How will my information be used?
  • primary purpose use limitation
  • Who will be able to see my information?
  • restricted access third parties
  • Will there be any secondary uses?
  • notice and consent unauthorized disclosure

14
Who Has What Laws
  • E.U.
  • Canada
  • United States
  • Other Countries

15
Current Global Environment
  • E.U. Directive on Data Protection
  • OECD Guidelines on E-Commerce
  • C.S.A. Model Code for the Protection of
    Personal Information
  • Canada's Personal Information Protection
    and Electronic Documents Act (Bill C-6)
  • Principles for Consumer Protection
    in Electronic Commerce - A Canadian Framework
  • U.S. Safe Harbor Proposal


16
Canadian Online Privacy Context
  • Bill C-6 Personal Information Protection and
    Electronic Documents Act

17
The Canadian Privacy Legislative Framework
  • Purpose
  • support E-commerce strategy,
  • enable business with Europe, and
  • domestically to ensure Canadians feel secure in
    delving into e-commerce

18
Bill C-6 CSA Model Codes The Ten Commandments
  • Accountability
  • for personal information and shall designate an
    individual(s) accountable for compliance of
    principle
  • Identifying Purposes
  • purpose of collection must be clear and done at
    or before time of collection
  • Consent
  • individual has to give consent to collection,
    use, disclosure of personal information

19
The Ten Commandments
  • Limiting Collection
  • collect only information required for the
    identified purpose and information shall be
    collected by fair and lawful means
  • Limiting Use, Disclosure, Retention
  • consent of individual required for other purposes
  • Accuracy
  • keep as accurate and up-to-date as necessary for
    identified purpose
  • Safeguards
  • protection and security required appropriate to
    the sensitivity of the information

20
The Ten Commandments
  • Openness
  • policies and information about the management of
    personal information should be readily available
  • Individual Access
  • upon request, an individual shall be informed of
    the existence, use and disclosure of her personal
    information and be given access to that
    information, challenge its accuracy and
    completeness and have it amended as appropriate
  • Challenging Compliance
  • ability to challenge all practices in accord with
    the above principles to the accountable body in
    the organization.

21
European Union (E.U.) Directive on Data Protection
  • Non-E.U. countries must be able to meet the
    test of having an adequate level of data
    protection.
  • The absence of private sector privacy
    protection will serve as a non-economic trade
    barrier with E.U. and Asia/Pacific-Rim countries.

22
U.S. Proposed Safe Harbor Privacy Principles
  • Notice
  • Choice
  • Onward Transfer
  • Security
  • Data Integrity
  • Reasonable Access
  • Enforcement

23
Other Jurisdictions
  • Australia to introduce legislation in the first
    sittings of 2000 to strengthen self-regulatory
    privacy protection in the private sector.
  • Asian countries have developed or are currently
    developing laws in an effort to promote
    electronic commerce.
  • Self-regulation is currently the policy promoted
    by the governments of Japan and Singapore.

24
Other Jurisdictions
  • Many countries in the South East region have
    either adopted comprehensive privacy laws or are
    currently in the process. Hong Kong and New
    Zealand already have comprehensive acts in force.
    Taiwan's act covers the public sector and eight
    areas of the private sector. The governments of
    Thailand, Malaysia and India are all currently
    developing comprehensive data protection
    legislation. http://www.pco.org.hk/conproceed.html

25
More Remedies
  • Tasks
  • Follow Ben Franklin's Key Steps
  • Be discreet
  • Leave your SIN at home
  • Go unlisted and non-published for your phone
  • Get a P.O. Box

26
More Tasks
  • Check out a Web site's Privacy Policy
  • Never provide personal information
  • over the phone,
  • to unfamiliar web sites
  • to clerks (be positive and insistent)
  • Get encrypted

27
Online Tools
  • www.kburra.com (cookie control)
  • www.esafe.com (security sandbox, personal
    firewall, antivirus)
  • www.ipc.on.ca (e-mail encryption made easy)
  • www.zeroknowledge.com (pseudonymisers)
  • www.iprivacy.com (secure financial transactions)
  • Marit_at_koehntopp.de

28
Privacy Resources
  • www.ipc.on.ca
  • www.privacytimes.com
  • www.epic.org/privacy/tools.html

29
P3P: A Proactive Approach
  • Platform for Privacy Preferences
  • Consumer sets his/her privacy preference
  • Web sites set their privacy policy
  • P3P built into Browsers and Web sites
  • Allows consumer to be more informed and choose
    whether or not to proceed into a Web site

30
P3P: the June 21 Interop
  • Invitation for your company to participate.
  • www.w3c.org
  • http://www.w3.org/P3P/interop
  • Interested? Contact Lorrie Faith Cranor
    lorrie_at_research.att.com

31
How to Contact Us
  • Dr. Ann Cavoukian Ph. D., Commissioner, Information
    Privacy Commission
  • Ontario, Canada, M5S 2V1
  • Phone: 1-416-326-3333
  • Web: www.ipc.on.ca
  • E-mail: Info.ipc.on.ca
  • Mike Gurski: mgurski_at_ipc.on.ca