Fluency with Information Technology Lawrence Snyder

1
Fluency with Information TechnologyLawrence
Snyder
Chapter 17 Privacy Digital Security Security
Privacy
2
Privacy Whose Information Is It?

• How your purchase of an item can link you to the
  product (which you may or may not want)
• How can the information be used?
• Book merchant collecting information is ordinary
  business practice
• Book merchant sending advertisements to customer
  is ordinary business practice
• What about merchant selling information to other
  businesses?

3
Modern Devices and Privacy

• Modern devices make it possible to violate
  people's privacy without their knowledge
• In 1890, Supreme Cour Justice Brandeis wrote
  that individuals deserve "sufficient safeguards
  against improper circulation" of their images
• New type of camera allowed pictures to be taken
  without persons knowledge and/or consent

4
Controlling the Use of Information

• Spectrum of control spans four main
  possibilities
• No uses. Information should be deleted when the
  store is finished with it
• Approval or Opt-in. Store can use it for other
  purposes with customer's approval
• Objection or Opt-out. Store can use it for other
  purposes if customer does not object
• No limits. Information can be used any way the
  store chooses
• Fifth possibility is internal usestore can use
  information to continue conducting business with
  you

5
A Privacy Definition

• Privacy The right of people to choose freely
  under what circumstances and to what extent they
  will reveal themselves, their attitude, and their
  behavior to others
• Threats to Privacy Government and business
• Voluntary Disclosure
• We choose to reveal information in return for
  real benefits (doctor, credit card company).
  Employers are allowed to read e-mail sent by
  employees at work. We provide the government with
  a great deal of personal information.

6
US Laws Protecting Privacy

• Privacy Act of 1974 covers interaction with
  government
• Interactions with business
• Electronic Communication Privacy Act of 1986
• Video Privacy Protection Act of 1988
• Telephone Consumer Protection Act of 1991
• Driver's Privacy Protection Act of 1994
• These all deal with specific business sectors
  not an omnibus solution

7
US Privacy Act 1974

• One of the more significant influences on the
  Privacy Act was the Report of the Secretary's
  Advisory Committee on Automated Data Systems
  commissioned by the Department of Health,
  Education and Welfare.  This report, entitled
  Records, Computers, and the Rights of Citizens,
  recommended a "Code of Fair Information Practice"
  consisting of five basic principles
• 1. "There must be no data record-keeping systems
  whose very existence is secret."  This has been
  reflected in the Privacy Act by provisions
  requiring the publication of an annual public
  notice in the Federal Register, as well as public
  notices for changes to an existing system of
  records or the establishment of a new system of
  records.
• 2. "There must be a way for an individual to find
  out what information about him is in a record and
  how it is used." Provisions of the Act permit an
  individual to view and receive a copy of any
  record(s) about him contained in a system of
  Federal records whose disclosure is not exempted
  by a provision of the Act. In addition, an
  individual may request to see a disclosure
  accounting for his record(s) in order to
  determine how information about him has been
  used.

8
US Privacy Act 1974

• 3. "There must be a way for an individual to
  prevent information about him obtained for one
  purpose from being used or made available for
  other purposes without his consent."  Agencies
  are prohibited by the Act from disclosing
  information for uses not compatible with the
  purposes for which the information was collected
  unless prior written consent of the individual
  has been obtained.
• 4. "There must be a way for an individual to
  correct or amend a record of identifiable
  information about him." Embodied in the Act are
  provisions specifying procedures which must be
  implemented by agencies for handling requests
  from an individual to amend his record or to
  review an initial adverse decision on a request
  to amend his record.
• 5. "Any organization creating, maintaining, using
  or disseminating records of identifiable personal
  data must assure the reliability of the data for
  their intended use and must take reasonable
  precautions to prevent misuse of the data." Under
  the Act, agencies are required to ensure that
  information is accurate, relevant, timely, an

9
Fair Information Practices

• OECD (Organization of Economic Cooperation and
  Development) in 1980 developed the standard
  eight-point list of privacy principles (29
  countries)
• Limited Collection Principle
• Quality Principle
• Purpose Principle
• Use Limitation Principle
• Security Principle
• Openness Principle
• Participation Principle
• Accountability Principle

10
Fair Information Practices

• Collection Limitation Principle
• 1. There should be limits to the collection of
  personal data and any such data should be
  obtained by lawful and fair means and, where
  appropriate, with the knowledge or consent of the
  data subject.
• Data Quality Principle
• 2. Personal data should be relevant to the
  purposes for which they are to be used, and, to
  the extent necessary for those purposes, should
  be accurate, compete and kept up-to-date.
• Purpose Specification Principle
• 3. The purposes for which personal data are
  collected should be specified not later than at
  the time of collection and the subsequent use
  limited to the fulfillment of those purposes or
  such others as are not incompatible with those
  purposes and as are specified on each occasion of
  change of purpose.

11
Fair Information Practices

• Use Limitation Principle
• 4. Personal data should not be disclosed, made
  available or otherwise used for purposes other
  than those specified in accordance with
  Principle 3 except
• (a) with the consent of the data subject or
• (b) by the authority of law.
• Security Safeguards Principle
• 5. Personal data should be protected by
  reasonable security safeguards against such risks
  as loss or unauthorized access, destruction, use,
  modification or disclosure of data.
• Openness Principle
• 6. There should be a general policy of openness
  about developments, practices and policies with
  respect to personal data. Means should be readily
  available of establishing the existence and
  nature of personal data, and the main purposes of
  their use, as well as the identity and usual
  residence of the data controller.

12
Fair Information Practices

• Individual Participation Principle
• 7. An individual should have the right-
• (a) to obtain from the a data controller, or
  otherwise, confirmation of whether or not the
  data controller has data relating to him
• (b) to have communicated to him, data relating to
  him
• (i) within a reasonable time
• (ii) at a charge, if any, that is not excessive
• (iii) in a reasonable manner and
• (iv) in a form that is readily intelligible to
  him
• (c) to be given reasons if a request made under
  sub-paragraphs (a) and (b) is denied, and to be
  able to challenge such denial and
• (d) to challenge data relating to him and, if the
  challenge is successful, to have the data erased,
  rectified, completed or amended.
• Accountability Principle
• 8. A data controller should be accountable for
  complying with measures which give effect to the
  principles stated above.

13
Comparing Privacy Across the Atlantic

• U.S. has not adopted OECD principles
• China does not protect privacy
• European Union has European Data Protection
  Directive (OECD principles)
• EU Directive requires data on EU citizens to be
  protected at same standard even when it leaves
  their country

14
Privacy Principles European Union

• Two points of disagreement between FTC (US) and
  OECD (Europe)
• Opt-in/Opt-out
• When can an organization use information it
  collects for one purpose, for a different
  purpose?
• Opt-out is US standard except for highly
  sensitive data Opt-in is European standard
• Compliance/Enforcement
• US has "voluntary compliance," EU has offices to
  control data

15
A Privacy Success Story

• Do-Not-Call List
• Telemarketing industry's "self-policing"
  mechanism required individuals to write a letter
  or make an on-line payment to stop telemarketing
  calls
• US government set up Do Not Call List. 80,000,000
  households are on the list and telemarketing
  industry has largely collapsed

16
The Cookie Monster

• Cookie Record containing a serial number chosen
  by the server to identify the client uniquely.
  Cookie is stored on customer's hard drive and
  each time a server is visited, the server gets
  its cookie from the client and can connect the
  latest visit with any information gathered and
  saved from earlier visits
• Abuse Third party cookie
• Third party advertisers on web site enter
  client/server relationship with customer as page
  loads
• A contracts with B and C to place ads on its web
  site. Each places a cookie on the PC with the
  same serial number as A. A can then find out
  about B and C and link all the information
  together
• Advertiser can set cookies, and can access
  cookies when user views other websites that
  advertiser uses

17
The Cookie Monster (Cont'd)

• Browser options
• Turn off cookies
• Ask each time a server wants to set a cookie
• Accept all cookies

18
Identity Theft

• Identity theft the forging of someones
  identity for the purpose of fraud
• 82 year old woman had 12 credit cards stolen.
  Thief was in a four car accident and woman was
  being sued for hospital bills. Took 7 years to
  clear her name
• Number of victims keeps growing
• 2001 1 million victims
• 2002 3 million victims
• 2003 10 million victims
• The Federal Trade Commission estimates that 3.2
  million citizens are victims of ID theft each
  year and every 10 seconds another American is
  victimized
• ID Theft Top 5 States ranked by number of
  thefts per capita in 2004
•  
• State  Victims per 100,000 people  of victims
• 1 Arizona  142.5   8,186 
• 2 Nevada  125.7  2,935 
• 3 California  122.1  43,839 
• 4 Texas  117.6  26,454 
• 5 Colorado   95.8  4,409        

19
Identity Theft by Age of Victims
Half the victims are between the ages of 30 and 50
20
Identity Theft

• Phishing (carding, brand spoofing) a technique
  to gain personal information for the purpose of
  identity theft
• An e-mail that looks legitimate directs you to a
  website where you are required to enter personal
  data, credit card information, passwords, etc.
  for auditing purposes or because your account
  has been compromised. It is really a scam.
• NEVER
• Reply without question to an e-mail asking for
  personal information
• Click directly on a Web site provided in such an
  e-mail

21
Identity Theft

• LexisNexis, which compiles and sells personal and
  financial data on U.S. consumers, said Tuesday
  (April 12, 2005) that personal information on
  310,000 people nationwide may have been stolen.
• The thieves, who obtained information including
  addresses and Social Security numbers
• The company says it is not certain how the
  passwords were acquired as the thieves did not
  hack into the computer system
• ChoicePoint, an information clearinghouse, was a
  victim of a similar scheme earlier in the year
  (140,000 consumer records)
• Thieves posed as real estate agents and the
  company then gave them access to personal
  information in its database.
• ChoicePoints database contains over 19 billion
  public records including driving records,
  sex-offender lists and FBI lists of wanted
  criminals and suspected terrorists

22
Spam, Adware, Spyware

• Spam unsolicited e-mail from businesses
  advertising goods and services
• Requires resources of an individual and/or
  company to get rid of unwanted mail
• In 2003, 66 of worldwide e-mail was spam and
  cost 20 billion. One spammer can send 80 million
  spams/day
• Spam filters can help by checking the subject
  line or content but they can be fooled
• Inserting blanks and/or non-printing characters
• Inserting HTML tags that do nothing
• Replying usually increases, rather than
  decreases, amount of spam
• Adware software to generate ads that installs
  itself when you download another program such as
  a free game
• Spyware (sneakware, stealthware) software that
  comes hidden in downloaded software and helps
  itself to your computer resources
• Tracks online movements, mines the information
  you stored on your computer and uses your CPU
  and harddrive for its own purposes

23
Trojan Horse Software

• Trojan horse software software you dont want
  inside software you do want
• Some ways to detect Trojan horse software
• AdAware at www.lavasoftUSA.com
• The Cleaner at www.moosoft.com
• Spybot Search Destroy at www.spybot.info
• Trojan First Aid Kit (TFAK) at www.wilders.org
• Check it out before you download at
  www.spychecker.com

24
Managing Your Privacy

• Purchase up-to-date virus checking software
• Adjust your cookie preferences to match your
  comfort level
• Read the privacy statement of any website you
  give information to
• Review protections against phishing scams
• Patronize reputable companies for music,
  software, etc.
• Be skeptical
• Stay familiar with current assaults on privacy
• Lobby for US adoption of Fair Information
  Practices

25
Privacy and Security

• email also raises privacy concerns
• when a message is received it is commonly stored
  in a file on the recipients computer
• there is a danger that unauthorized users might
  get access to that file
• few laws apply directly to electronic privacy
• courts overwhelmingly favor employers over
  employees in privacy suits
• unless explicitly stated, it is generally
  accepted that employers may access any content on
  company-owned machines
• privacy is closely linked with security
• email messages travel through numerous routers,
  and each router represents a security risk,
  because someone could gain access to a router and
  eavesdrop on a relayed message
• with online transactions, credit card numbers or
  other personal information can be intercepted and
  subsequently result in identity theft
• encryption methods are commonly used to secure
  information transmissions, but online fraud is
  still a continuing problem