Privacy

1
Privacy

• Chapter 5

2
Topics

• The right to privacy Laws and regulations
• Public records the role of The Data
  Inspectorate - Datatilsynet (Norway)
• Public and Private Information
• Data collection
• Wiretapping and surveillance

3
Philosophical perspectives on privacy

• 5.2.1 Defining privacy
• Edmund Byrne Privacy a zone of
  inaccessibility that surrounds a person
• Example Locking the door when you go to the
  toilet
• You do not give away your identification number
  (perosonnummer) to everybody
• Privacy is not the same as being alone
• Intellectual or personal relationships are for
  instance private
• Harms
• Violence in the family
• Too great a burden on the family to care for its
  members
• Modern society loneliness

4
Benefits

• Privacy is neccessary for the individual growth
  and development
• Development as a unique person
• Fostering intellectual activities and creativity
• Development of close relationships

5
What is private and what is public?

• Public known to all
• Public information information you have provided
  to an organisation that has a right to share it
  with other organisations
• Example Telephone directory
• Personal information not part of a public record
• Example Your religion, what you vote for
• If you disclose it to an organisation with the
  right to inform other organisations, it becomes
  public information

6
Is there a Natural Right to Privacy?

• 5.2.3 Privacy rights evolve from property rights
• A mans home is his castle
• No one can enter without probable cause (remember
  the discussion in class?)

7
Principles for data collection and use

• The first principle for ethical treatment of
  personal information is informed consent
• Business and organisations must inform about what
  information they are collecting and how they will
  use it
• Give people a choice whether data collected about
  them can be distributed to other businesses or
  organisations

8
Privacy principles for personal data

• 1. Collect only data needed
• Inform people when data is collected, what is
  collected and how it will be used
• Offer a way for people to opt out from mailing
  lists and from transfer of their data to other
  parites
• Provide stronger protection for sensitive data
  (example medical data, religion .etc)
• Keep data only so long as needed
• Maintain accuracy and security of data
• Provide a way for people to access and correct
  data stored about them

9
Laws and regulations

• The Data Inspectorate
• Personal Data Act Norway
• European law
• US law Privacy Act of 1974

10
The Data Inspectorate

• The Data Inspectorate, an independent
  administrative body under the Norwegian Ministry
  of Labour and Government Administration, was set
  up in 1980 to ensure enforcement of the Data
  Register Act of 1978, now made obsolete by the
  commencement of the Personal Data Act of 2000.
• The purpose of this Act is to protect persons
  from violation of their right to privacy through
  the processing of personal data.
• The Act shall help to ensure that personal data
  are processed in accordance with fundamental
  respect for the right to privacy, including the
  need to protect personal integrity and private
  life and ensure that personal data are of
  adequate quality.

11
Section 2 Definitions Sensitive information

• For the purposes of this Act, the following
  definitions shall apply
• personal data any information and assessments
  that may be linked to a natural person,
• processing of personal data any use of personal
  data, such as collection, recording, alignment,
  storage and disclosure or a combination of such
  uses,
• personal data filing system filing systems,
  records, etc. where personal data is
  systematically stored so that information
  concerning a natural person may be retrieved.

12
Cont.

• controller the person who determines the purpose
  of the processing of personal data and which
  means are to be used,
• processor the person who processes personal data
  on behalf of the controller,
• data subject the person to whom personal data
  may be linked,
• consent any freely given, specific and informed
  declaration by the data subject to the effect
  that he or she agrees to the processing of
  personal data relating to him or her,
• sensitive personal data information relating to
  a) racial or ethnic origin, or political
  opinions, philosophical or religious beliefs, b)
  the fact that a person has been suspected of,
  charged with, indicted for or convicted of a
  criminal act, c) health, d) sex life, e)
  trade-union membership.

13
Section 33 Obligation to obtain a licence
(konsesjonsplikt)

• A licence from the Data Inspectorate is required
  for the processing of sensitive personal data.
  This does not apply, however, to the processing
  of sensitive personal data which have been
  volunteered by the data subject.
• The Data Inspectorate may decide that the
  processing of data other than sensitive personal
  data shall also be subject to licensing, if such
  processing otherwise will clearly violate weighty
  interests relating to protection of privacy. In
  assessing whether a licence is necessary, the
  Data Inspectorate shall, inter alia take account
  of the nature and quantity of the personal data
  and the purpose of the processing.

14
Cont

• The controller may demand that the Data
  Inspectorate decide whether processing will be
  subject to licensing.
• The obligation to obtain a licence pursuant to
  the first and second paragraphs shall not apply
  to the processing of personal data in central
  government or municipal bodies when such
  processing is authorized by special statute.
• The King may prescribe regulations to the effect
  that certain processing methods are not subject
  to licensing pursuant to the first paragraph. As
  regards processing methods which are exempt from
  licensing, regulations may be prescribed to limit
  the disadvantages which processing may otherwise
  entail for the data subject.

15
Section 8 - Conditions for the processing of
personal data

• Personal data may only be processed if the data
  subject has consented thereto, or there is
  statutory authority for such processing, or the
  processing is necessary in order
• a) to fulfil a contract to which the data subject
  is party, or to take steps at the request of the
  data subject prior to entering into such a
  contract,
• b) to enable the controller to fulfil a legal
  obligation,
• c) to protect the vital interests of the data
  subject,
• d) to perform a task in the public interest,
• e) to exercise official authority, or
• f) to enable the controller or third parties to
  whom the data are disclosed to protect a
  legitimate interest, except where such interest
  is overridden by the interests of the data
  subject.

16
Section 9 Processing of sensitive personal data

• Sensitive personal data (cf. section 2, no.8) may
  only be processed if the processing satisfies one
  of the conditions set out in section 8 and a)
  the data subject consents to the processing, b)
  there is statutory authority for such processing,
  c) the processing is necessary to protect the
  vital interests of a person, and the data subject
  is incapable of giving his or her consent, d)
  the processing relates exclusively to data which
  the data subject has voluntarily and manifestly
  made public, e) the processing is necessary for
  the establishment, exercise or defence of a legal
  claim,

17
Continued-------

• f) the processing is necessary to enable the
  controller to fulfil his obligations or exercise
  his rights in the field of employment law, g)
  the processing is necessary for the purposes of
  preventive medicine, medical diagnosis, the
  provision of care or treatment or the management
  of health care services, and where the data are
  processed by health professionals subject to the
  obligation of professional secrecy, or h) the
  processing is necessary for historical,
  statistical or scientific purposes, and the
  public interest in such processing being carried
  out clearly exceeds the disadvantages it might
  entail for the natural person.

18
Example

• Statkraft - Software
• If you publish the information yourself, and
  decide who can see it, this i perfectly legal!

19
European Convention for the Protection of Human
Rights and fundamental Freedoms - -

• Link
• ARTICLE 8
• Everyone has the right to respect for his private
  and family life, his home and his correspondence.
  
• There shall be no interference by a public
  authority with the exercise of this right except
  such as is in accordance with the law and is
  necessary in a democratic society in the
  interests of national security, public safety or
  the economic well-being of the country, for the
  prevention of disorder or crime, for the
  protection of health or morals, or for the
  protection of the rights and freedoms of others.

20
Universal Declaration of Human Rights (1948)
Article 12

• No one shall be subjected to arbitrary
  interference with his privacy, family, home or
  correspondence, nor to attacks upon his honour
  and reputation. Everyone has the right to the
  protection of the law against such interference
  or attacks.
• http//www.un.org/Overview/rights.html

21
Article 18

• Everyone has the right to freedom of thought,
  conscience and religion this right includes
  freedom to change his religion or belief, and
  freedom, either alone or in community with others
  and in public or private, to manifest his
  religion or belief in teaching, practice, worship
  and observance.

22
International Covenant on Civil and Political
Rights - 1966

• Article 17 
• 1. No one shall be subjected to arbitrary or
  unlawful interference with his privacy, family,
  home or correspondence, nor to unlawful attacks
  on his honour and reputation.
• 2. Everyone has the right to the protection of
  the law against such interference or attacks.
• http//www.unhchr.ch/html/menu3/b/a_ccpr.htm

23
EU

• The European Union passed a privacy directive
  processing of personal data
• EU Directive 95/46/EC
• Processing collection, use, storage, retrieval,
  transmission, destruction and other actions
• General principles that the EU memebers were
  required to implement in their own laws

24
EU Directive 95/46/ECThe Data Protection
Directive

• The right to privacy is a highly developed area
  of law in Europe. All the member states of the
  European Union are also signatories of the
  European Convention on Human Rights(ECHR).
• Article 8 of the ECHR provides a right to respect
  for one's "private and family life, his home and
  his correspondence", subject to certain
  restrictions.

25
Main principles

• Personal data may be collected only for specified
  explicit purposes

26
Principles

• Personal data should not be processed at all,
  except when certain conditions are met.
• These conditions fall into three categories
• transparency,
• legitimate purpose
• proportionality.

27
Transparency

• The data subject has the right to be informed
  when his personal data are being processed. The
  controller must provide his name and address, the
  purpose of processing, the recipients of the data
  and all other information required to ensure the
  processing is fair. (art. 10 and 11)

28
Legitimate Purpose

• Personal data can only be processed for
  specified, explicit and legitimate purposes and
  may not be processed further in a way
  incompatible with those purposes. (art. 6 b)

29
Proportionality

• Personal data may be processed only insofar as it
  is adequate, relevant and not excessive in
  relation to the purposes for which they are
  collected and/or further processed.
• The data must be accurate and, where necessary,
  kept up to date every reasonable step must be
  taken to ensure that data which are inaccurate or
  incomplete, having regard to the purposes for
  which they were collected or for which they are
  further processed, are erased or rectified
• The data shouldn't be kept in a form which
  permits identification of data subjects for
  longer than is necessary for the purposes for
  which the data were collected or for which they
  are further processed ..0

30
EU vs USA

• The EU has much stricter regulations than the US
  on collection and use of personal information
• The EU data Privacy Directive prohibits transfer
  of personal data to countries outside The EU that
  do not have an adequate protection of the use of
  personal data
• Has caused serious problems
• Example in 2001, the EU decided that Australia
  did not have adequate privacy protection
• Australia allows businesses to create their own
  privacy codes

31
The US

• The US has laws covering specific areas such as
• Medical information
• Video rentals
• Driver licence records
• Does not have comprehensive privacy laws covering
  all personal data
• Many Europeans describe the US as behind Europe
  because the US does not have federal legislation
  regulating personal data collection and use
• Others say that there are different cultures and
  traditions
• Europe puts more stress on centralisation and
  regulations
• US put more emphasis on the flexibility and
  freedom of the market

32
THE PRIVACY ACT OF 1974 ( US) SECTION 2

• The Congress finds that --
• (1) the privacy of an individual is directly
  affected by the collection, maintenance, use, and
  dissemination of personal information by Federal
  agencies
• (2) the increasing use of computers and
  sophisticated information technology, while
  essential to the efficient operations of the
  Government, has greatly magnified the harm to
  individual privacy that can occur from any
  collection, maintenance, use, or dissemination of
  personal information
• (3) the opportunities for an individual to secure
  employment, insurance, and credit, and his right
  to due process, and other legal protections are
  endangered by the misuse of certain information
  systems

33
continued

• (4) the right to privacy is a personal and
  fundamental right protected by the Constitution
  of the United States and
• (5) in order to protect the privacy of
  individuals identified in information systems
  maintained by Federal agencies, it is necessary
  and proper for the Congress to regulate the
  collection, maintenance, use, and dissemination
  of information by such agencies.

34
Crime, terrorism and wiretapping

• Wiretapping Traditional interception of
  telephone conversations
• Affects innocent people
• Is it acceptable in the combat against crime?
  Discuss
• Voice over IP new technology does this
  influence the view on wiretapping?
• Discuss

35
Search and surveillance tools

• Security cameras
• Banks, shops, prisons .
• Whos got your picture?
• Have cameras reduced crime?
• Electronic body searches
• Airports use x-ray devices
• Some devices display an image of the person
  without clothes originally used to detect drug
  smuggling
• After 9/11 these machines are used for airport
  security

36
More..

• Satellite surveillance and thermal imaging
• Satellites use computer technologies to take
  detailed photos of the earth
• In the US use them to catch people growing
• marijuana)?
• Growing cotton without permits
• Can be used to find people who build illegally .
• Automated toll collection and purchase records
• Sensors read a device in the car (Fjellinjen)
• Databases contain a record of where the person
  travels
• Can the information be used to track people?
• The system does not provide anonymity
• Records of our shopping

37
The Center for Democracy and Technology

• Works to promote democratic values and
  constitutional liberties in the digital age.
• With expertise in law, technology, and policy,
  CDT seeks practical solutions to enhance free
  expression and privacy in global communications
  technologies.
• CDT is dedicated to building consensus among all
  parties interested in the future of the Internet
  and other new communications media.
• http//www.cdt.org/mission/

38
Privacy International

• Privacy International (PI) is a human rights
  group formed in 1990 as a watchdog on
  surveillance and privacy invasions by governments
  and corporations.
• PI is based in London, England, and has an office
  in Washington, D.C.
• PI has conducted campaigns and research
  throughout the world on issues ranging from
  wiretapping and national security, to ID cards,
  video surveillance, data matching, police
  information systems, medical privacy, and freedom
  of information and expression.
• http//www.privacyinternational.org/survey/censors
  hip/

39
Silenced an international report

• Silenced is an independent research initiative
  managed jointly by Privacy International and the
  GreenNet Educational Trust. The twelve-month
  project was undertaken through a collaboration of
  more than fifty experts and advocates throughout
  the world. The work was made possible by a grant
  from the Open Society Institute.
• The Internet has evolved to become an
  increasingly important platform not just for
  economic development, but also as a support for
  advocates who wish to express their opinion
  freely and to work toward the development of
  democracy.
• The medium has provided opportunities for
  citizens to participate in forums, and to discuss
  and debate issues that concern them.

40
Cont

• Unlike other media where the information flow is
  unidirectional - from the government to the
  masses - the Internet allowed a multi-way
  communication process giving the chance for
  anybody to air their opinions and views on issues
  affecting them.
• The development of the Internet has lead to more
  horizontal and less vertical communication.
• Control and censorship has a substantial effect
  on the Internet because it undermines confidence
  and trust in the medium and inhibits crucial
  flows of data.

41
Silenced

• The report

42
Sage Code of Ethics

• System Administrators' Guild

43
What is SAGE?

• SAGE is a Special Technical Group (STG) of the
  USENIX Association.
• It is organized to advance the status of computer
  system administration as a profession, establish
  standards of professional excellence and
  recognize those who attain them, develop
  guidelines for improving the technical and
  managerial capabilities of members of the
  profession, and promote activities that advance
  the state of the art or the community.

44
Definition

• System administrator n.a system administrator is
  one who, as a primary job function, manages
  computer and network systems on behalf of
  another, such as an employer or client.
• http//www.sage.org/field/

45
SAGE vow

• We as professional System Administrators do
  hereby commit ourselves to the highest standards
  of ethical and professional conduct, and agree to
  be guided by this code of ethics, and encourage
  every System Administrator to do the same.

46
Professional Code of Conduct

• SAGE code of ethics is not
• a set of enforceable law
• a list of procedures
• a list of sanctions and punishments
• It states the need for SAs to maintain a high
  standard of professionalism
• http//www.sage.org/ethics.mm

47
SAGE Code of Ethics (1/3)

• The integrity of a system administrator must be
  beyond Reproach
• SAs come in contact with privileged information
  regularly
• Sas need to protect integrity and privacy of data
• Sas must uphold law and policies as established
  for their system
• A system administrator shall not unnecessarily
  infringe upon the rights of users
• No tolerance for discrimination except when
  required for the job
• Must not exercise special powers to access
  information except when necessary

48
SAGE Code of Ethics (2/3)

• Communications of system administrators with all
  whom they may come in contact shall be kept to
  the highest standards of professional behavior.
• Must keep users informed of computing matters
  that might affect them
• Must give impartial advice, and disclose any
  potential conflicts of interest
• The continuance of professional education is
  critical to maintaining currency as a system
  administrator.
• Reading, study, training, and sharing knowledge
  and experiences are requirements

49
SAGE Code of Ethics (3/3)

• A system administrator must maintain an exemplary
  work ethic.
• A sysadmin can have a significant impact on an
• organization a high level of trust is
  maintained by
• exemplary behavior
• At all times system administrators must display
• professionalism in the performance of their
  duties.
• You need to be professional, when dealing with
• management, vendors, users, or other sysadmins

50
ACM Code of Ethics and Professional Conduct

• Association for Computing Machinery
• Commitment to ethical professional conduct is
  expected of every member (voting members,
  associate members, and student members) of the
  Association for Computing Machinery (ACM).
• http//www.acm.org/constitution/code.html

51
Next week

• Thursday this week Consultance on essays
• Lecture Tuesday next week
• Computer Crime
• Based on The seminar Computer crime from
  break-in to trial