Fair Information Practice Principles and Privacy Laws - PowerPoint PPT Presentation

About This Presentation
Title:

Fair Information Practice Principles and Privacy Laws

Slides: 27
Provided by: lorr58

Transcript and Presenter's Notes

Title: Fair Information Practice Principles and Privacy Laws


1
Fair Information Practice Principles and Privacy
Laws
  • Week 3 - September 14, 16

2
CMU Libraries (http://www.library.cmu.edu)
Research and Communication Skills
  • Engineering and Science (a.k.a. E&S)
  • Location: 4th floor, Wean Hall
  • Subjects: Computer Science, Engineering,
    Mathematics, Physics, Science, Technology
  • Hunt (CMU's main library)
  • Location: its own building (possibly 2nd ugliest
    on campus behind Wean), between Tepper and Baker
  • Subjects: Arts, Business, Humanities, Social
    Sciences
  • Software Engineering Institute (a.k.a. SEI)
  • Location: 4500 5th Avenue
  • Subjects: Security, Software, Technology

3
Coolest Thing in CMU Libraries
Research and Communication Skills
  • Posner Memorial Collection at Posner Center
  • Rare books
  • Early prints of famous works
  • Original copy of the Bill of Rights. WOW!

4
START HERE: Cameo
Research and Communication Skills
  • Cameo is CMU's online library catalog
  • Catalogs everything CMU has: books, journals,
    periodicals, multimedia, etc.
  • Search Cameo online at http://cameo.library.cmu.edu

5
If it's not in Cameo, but you need it today:
Local Libraries
Research and Communication Skills
  • Carnegie Library of Pittsburgh:
    http://www.carnegielibrary.org/index.html
  • University of Pittsburgh Libraries:
    http://pittcat.pitt.edu/

6
If it's not in Cameo, and you can wait: ILLiad
and E-ZBorrow
Research and Communication Skills
  • ILLiad and E-ZBorrow are catalogs of resources
    available for Interlibrary Loan from other
    libraries nationwide (ILLiad) and in Pennsylvania
    (E-ZBorrow)
  • Order items online (almost always free)
  • Wait for delivery: average 10 business days
  • Find links to ILLiad and E-ZBorrow online
    catalogs at http://www.library.cmu.edu/Services/ILL/

7
Special needs: Other Useful Databases
Research and Communication Skills
  • Links to these and many more databases available
    at http://www.library.cmu.edu/Search/AZ.html
  • Lexis-Nexis
  • Massive catalog of legal sources: law journals,
    case law, news stories, etc.
  • IEEE and ACM journal databases
  • IEEE Xplore and ACM Digital Library
  • INSPEC database
  • Huge database of scientific and technical papers

8
And of course
Research and Communication Skills
  • Reference librarians are available at all CMU
    libraries, and love to help people find what they
    need. Just ask!

9
Writing a literature review
Research and Communication Skills
  • What is a literature review?
  • A critical summary of what has been published on
    a topic
  • What is already known about the topic
  • Strengths and weaknesses of previous studies
  • Often part of the introduction or a section of a
    research paper, proposal, or thesis
  • A literature review should
  • be organized around and related directly to the
    thesis or research question you are developing
  • synthesize results into a summary of what is and
    is not known
  • identify areas of controversy in the literature
  • formulate questions that need further research
  • Dena Taylor and Margaret Procter. 2004. The
    literature review: A few tips on conducting it.
    http://www.utoronto.ca/writing/litrev.html

10
Literature review do's and don'ts
Research and Communication Skills
  • Don't create a list of article summaries or
    quotes
  • Do point out what is most relevant about each
    article to your paper
  • Do compare and contrast the articles you review
  • Do highlight controversies raised or questions
    left unanswered by the articles you review
  • Do take a look at some examples of literature
    reviews or related work sections before you try
    to create one yourself
  • For an example of a literature review in a CS
    conference paper, see section 2 of
    http://cs1.cs.nyu.edu/waldman/publius/paper.html

11
OECD fair information principles
  • http://www.datenschutz-berlin.de/gesetze/internat/ben.htm
  • Collection limitation
  • Data quality
  • Purpose specification
  • Use limitation
  • Security safeguards
  • Openness
  • Individual participation
  • Accountability

12
US FTC simplified principles
  • Notice and disclosure
  • Choice and consent
  • Data security
  • Data quality and access
  • Recourse and remedies
  • US Federal Trade Commission, Privacy Online: A
    Report to Congress (June 1998),
    http://www.ftc.gov/reports/privacy3/

13
Privacy laws around the world
  • Privacy laws and regulations vary widely
    throughout the world
  • US has mostly sector-specific laws, with
    relatively minimal protections
  • Federal Trade Commission has jurisdiction over
    fraud and deceptive practices
  • Federal Communications Commission regulates
    telecommunications
  • European Data Protection Directive requires all
    European Union countries to adopt similar
    comprehensive privacy laws that recognize privacy
    as fundamental human right
  • Privacy commissions in each country (some
    countries have national and state commissions)
  • Many European companies non-compliant with
    privacy laws (2002 study found majority of UK web
    sites non-compliant)

14
US law basics
  • Constitutional law governs the rights of
    individuals with respect to the government
  • Tort law governs disputes between private
    individuals or other private entities

15
US Constitution
  • No explicit privacy right, but a zone of privacy
    recognized in its penumbras, including
  • 1st amendment (right of association)
  • 3rd amendment (prohibits quartering of soldiers
    in homes)
  • 4th amendment (prohibits unreasonable search and
    seizure)
  • 5th amendment (no self-incrimination)
  • 9th amendment (all other rights retained by the
    people)
  • Penumbra: "fringe at the edge of a deep shadow
    created by an object standing in the light"
  • (Smith 2000, p. 258, citing Justice William O.
    Douglas in Griswold v. Connecticut)

16
Federal statutes and state laws
  • Federal statutes
  • Tend to be narrowly focused
  • State law
  • State constitutions may recognize explicit right
    to privacy (Georgia, Hawaii)
  • State statutes and common (tort) law
  • Local laws and regulations (for example,
    ordinances on soliciting anonymously)

17
Four aspects of privacy tort
  • You can sue for damages for the following torts
    (Smith 2000, p. 232-233)
  • Disclosure of truly intimate facts
  • May be truthful
  • Disclosure must be widespread, and offensive or
    objectionable to a person of ordinary
    sensibilities
  • Must not be newsworthy or legitimate public
    interest
  • False light
  • Personal information or picture published out of
    context
  • Misappropriation (or right of publicity)
  • Commercial use of name or face without permission
  • Intrusion into a person's solitude

18
How does the law regulate privacy?
  • Law may require waiving privacy interests
  • Law may enforce privacy interests
  • Typically, the law identifies relevant privacy
    interests to protect, identifies relevant
    interests supporting disclosure, and tries to
    balance both sets of issues in a single
    resolution

19
Difficult legal problems
  • Can an individual own (and therefore sell) his
    or her own privacy rights?
  • Should the default assumption be "protect the
    privacy interest" or "compel waiver of the
    privacy interest"?
  • When should the law defer to informal or social
    norms, or to technological barriers or solutions?

20
Some US privacy laws
  • Bank Secrecy Act, 1970
  • Fair Credit Reporting Act, 1971
  • Privacy Act, 1974
  • Right to Financial Privacy Act, 1978
  • Cable TV Privacy Act, 1984
  • Video Privacy Protection Act, 1988
  • Family Educational Right to Privacy Act, 1993
  • Electronic Communications Privacy Act, 1994
  • Freedom of Information Act, 1966, 1991, 1996

21
US law: recent additions
  • HIPAA (Health Insurance Portability and
    Accountability Act, 1996)
  • When implemented, will protect medical records
    and other individually identifiable health
    information
  • COPPA (Children's Online Privacy Protection Act,
    1998)
  • Web sites that target children must obtain
    parental consent before collecting personal
    information from children under the age of 13
  • GLB (Gramm-Leach-Bliley Act, 1999)
  • Requires privacy policy disclosure and opt-out
    mechanisms from financial service institutions

22
Safe harbor
  • Membership
  • US companies self-certify adherence to
    requirements
  • Dept. of Commerce maintains signatory list:
    http://www.export.gov/safeharbor/
  • Signatories must provide
  • notice of data collected, purposes, and
    recipients
  • choice of opt-out of 3rd-party transfers, opt-in
    for sensitive data
  • access rights to delete or edit inaccurate
    information
  • security for storage of collected data
  • enforcement mechanisms for individual complaints
  • Approved July 26, 2000 by EU
  • reserves right to renegotiate if remedies for EU
    citizens prove to be inadequate

23
Data protection agencies
  • Australia: http://www.privacy.gov.au/
  • Canada: http://www.privcom.gc.ca/
  • France: http://www.cnil.fr/
  • Germany: http://www.bfd.bund.de/
  • Hong Kong: http://www.pco.org.hk/
  • Italy: http://www.privacy.it/
  • Spain: http://www.ag-protecciondatos.es/
  • Switzerland: http://www.edsb.ch/
  • UK: http://www.dataprotection.gov.uk/
  • And many more

24
Administrative notes
  • Guest speaker next Tuesday
  • Project brainstorming returned today
  • Many interesting ideas
  • Please review my comments and ask questions if
    they are unclear
  • I suggested to some of you that you think of some
    other ideas, feel free to use the suggested
    project ideas
  • One paragraph project description due with your
    homework next Thursday
  • Please submit it on a separate sheet of paper
  • Do not staple it to your homework

25
Homework 3 Discussion
  • http://lorrie.cranor.org/courses/fa04/hw3.html
  • Questions or comments on reading
  • (2) Compare the US FTC's five privacy principles
    to the fair information practice principles in
    the OECD Guidelines. What's missing from the FTC
    principles? Are these omissions important?
  • (3) Pick one privacy-related court case discussed
    by Smith that had an outcome that you disagree
    with. Briefly describe the case and explain the
    court's ruling. Explain what aspect of privacy
    was at stake in this case. Explain why you
    disagree with the ruling. If the case were
    brought today, would you expect a different
    outcome? Why or why not?
  • (4) Privacy laws you researched

26
Homework 4
  • http://lorrie.cranor.org/courses/fa04/hw4.html