Embed Size (px)
Citation preview
Threats to Privacy• The initial concerns over the computer’s threat to our
privacy started in the 1960s with the collection of data for databases– its not so much that information is gathered about us
• there has always been data gathering since we had a census
– but rather the ease by which a database can take disparate forms of data and join them together through record matching
• for instance, creating a profile on an individual is merely a matter of joining multiple databases using a person’s unique identifier (presumably, social security #)
– if a company or individual can access multiple databases, they can begin to build a profile about individuals in the databases
Example• Back in 1992, 20/20 did a special on this
– so this was prior to the Internet being commonly available, prior to wireless networks and cell phones, etc
• a reporter copied down a person’s license plate number and then used open records at the DVM to find out the person’s name and address
• from there, the reporter was able use open records to find out the person’s marital status and other pieces of information
• then, the reporter was able to obtain private records that included the social security # because the reporter was able to demonstrate that he “knew” the person and so others were more willing to be open with data
• Consider someone who has access to medical, school, insurance, employment, banking data, given your ss#, someone can find out – are you accident prone? are you irresponsible with money? – such information might help a company decide whether to hire you or offer
you a loan
• The ease of record matching opened up a market for data from databases leading to data vendors and selling data as a commodity
Privacy Legislature• The US government early on decided to protect citizens’
privacy as much as it could with respect to data stored on computers– the Privacy Act of 1974 was one of the first and most
important pieces of legislature, it says that• no [federal] agency shall disclose any record which is contained in a
system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties
• also, records can be disclosed for specific purposes (census, National Archives, federal criminal law enforcement agencies, persons involved in public safety, or as the result of a court order)
– see http://www.usdoj.gov/oip/privstat.htm for the entire act
Other Legislature• Fair Credit Reporting Act
– promotes accuracy, fairness, and privacy of information in the files of every “consumer reporting agency,” the credit bureaus that gather and sell information about consumers to creditors, employers, landlords and other businesses
• Driver’s Privacy Protection Act of 1994– limits on disclosures of personal information in records
maintained by departments of motor vehicles • Electronic Communications Privacy Act of 1986
– amends the federal wiretap law to cover specific types of electronic communications, such as e-mail, radio-paging devices, cell phones, private communications carriers, and computer transmissions
• Family Education Rights and Privacy Act of 1974– limits on disclosure of educational records maintained by
agencies and institutions that receive federal funding
More• Financial Services Modernization Act
– also known as the Gramm-Leach-Billey law, 1999– permits the consolidation of financial services companies
and requires financial institutions to issue privacy notices to their customers, giving them the opportunity to opt-out of some sharing of personally identifiable financial information with outside companies
• Video Privacy Protection Act of 1988– limits the conditions under which a video rental or sales
outlet may reveal information about the outlet's patrons, and requires such an outlet to give patrons the opportunity to opt out of any sale of mailing lists
• Others include the Fair Debt Collection Practices Act, Health Insurance Portability and Accountability Act of 1996, and the Federal Identity Theft Assumption and Deterrence Act of 1998
Medical Records• Medical records are supposed to be private and
organizations that deal with our records are supposed to maintain this privacy– hospitals, doctors, insurance companies
• As it turns out, there are some specific laws against sharing of personal information, but it only extends so far– it is legal for doctors to share information about patients with
respect to treatments or for insurance companies to share information about patients when it comes to billing
• Privacy laws regarding patient consent have been rolled back to allow for easier and greater cooperation between doctors, insurance companies, hospitals– of greater concern though is genetic information and how this
might eventually be used (did you see Gattaca?)
The Internet• Unfortunately, the government has not enacted
legislature to protect one’s privacy on the Internet– they have instead preferred to have companies self
regulate how they use data collected via the Internet– there are laws that restrict companies to apply their
own privacy policies • for instance, if a company has a stated policy and violates
that policy, that company is then open to legal and civil action
– unfortunately, there are a lot of companies that either have no privacy policy, or maintain very weak policies – its up to the user/consumer to explore the privacy policy and decide whether to do business with such a company
Available Laws• Computer Fraud and Abuse Act of 1984
– unauthorized access to “protected computers” illegal, protecting computers of the U.S. government, computers used in interstate commerce and computers used by financial institutions, it also prohibits trafficking in computer passwords and damaging a protected computer
• Children’s Online Privacy Protection Act– covered in the notes on censorship
• http://www.ftc.gov/bcp/conline/edcams/kidzprivacy/index.html
• Computer Matching and Privacy Protection Act of 1988 – which amends the Privacy Act of 1974 providing rules by
which federal agencies can perform record matching
Privacy Concerns• Most of the concern regarding privacy and the Internet is
the naivety of most Internet users – people may not understanding what the information they
provide might be used for nor understanding the technology• information includes browsing habits accumulated through cookies, and
forms filled out
– what people may not realize is that cookies can be shared and that third party sites can place cookies on your machine
• in fact, most cookies today are from advertising sites that accompany primary sites as banner ads – the primary sites permit (possibly even encourage) the use of information gathering under their umbrella and the users are often unaware of this
– how can we make the general public aware of the issues?– how can we teach them about the technology?– should web sites have to announce up-front what cookies
might be placed on a viewer’s computer?
Technology and Problems• Internet browsing
– cookies– personalizing browser web pages– transaction logging
• Downloads – viruses– spyware– filling out on-line forms
• Search engines– recommendation sites/pages
• Data mining as a tool– to generate rules that might harm
people in society (whether physically, monetarily or emotionally)
• E-commerce– gathering of data– fraud made available
because of E-commerce (e.g., identity theft)
• E-mail– IP spoofing and
intercepting messages that are not encrypted
– spam
• IRC, message boards, usenet news– cyberstalking – gathering of data on
individuals who post– false and misleading
information posted
Data Mining• Should we be concerned about data mining? What can it
tell us?– consider collecting the receipts of several thousand customers
at a grocery store – for each shopper, we know what items they bought, when they made their purchases, how they paid for their purchases, but not who they are
– with data mining, we find such pieces of information as• people who shop early in the morning seldom buy beer• people who buy beer often buy snack food• people who buy frozen beef also tend to buy potatoes• people who charge to their credit card are the ones who usually spend
more money– the store might decide to move the beer by the snack food and
move the potatoes near the frozen meat aisle– the store may also decide to offer their own credit card with a
discount to those credit card users• Is this a threat to your privacy?
Other Issues• Surveillance
– digital cameras have become commonplace because of their low cost
– its easy to monitor nearly any site (all that is needed is manpower)
– as recognition software improves, even the manpower requirement will not be needed
– other forms of surveillance exists including chemical detectors, fingerprint identification, etc through biometric technologies
• airports are now using such technologies to locate “most wanted” individuals
• Workplace monitoring– employees have files suits against employers who adopt forms
of monitoring and while employees have won in some cases, the majority of the cases have been decided in the employee’s favor
More Threats• Wireless communications, eavesdropping, and tracking
– industry representatives are taking measures to develop privacy guidelines so that wireless technologies are not used in these ways but the federal government thus far has turned down requests for any privacy legislature with respect to wireless communication
• Data profiling– data mining can lead to data profiling– usually data mining is used in relatively harmless ways –
trends to support business decisions, but it might lead to specific threats such as a national no-fly list that was generated not by a most-wanted list, but by data mining rules
• Identity theft– through eavesdropping on insecure lines and unencrypted
messages, through phishing, through hacking, etc• Cyberstalking
– already discussed
Threats Using the Internet• Sites that leave cookies and spyware behind
– You never know if a site will do this– You can disabled cookies but that prevents you from being
able to shop or log into membership-only sites• Entering form information
– As with any personal information, this information becomes somewhat “public” in that it can be shared with others
• Entering information in unsecure pages– Anyone who wants to “eavesdrop” on your communication
can intercept this data• Responding to spam and clicking on links sent to you by
email from unknown sources– This lets the spammers know that your email address is a
correct address– You can also be tricked into visiting spoof sites and
inadvertently giving them personal information that otherwise you wouldn’t
Governmental Records on the Internet• In recent years, more and more agencies and placing
their records on the Internet– most governmental records are “public record” so there are no
laws against this– privacy information (such as ss#) are often omitted
• But there is a concern nonetheless that these open records are even more open because of the ease by which someone can access them over the Internet– such records include
• marriage and divorce records• criminal records and sentences• bankruptcy information
– should someone who committed a misdemeanor decades ago have such information made available?
How Concerned Should You Be?• Is big brother watching you?
– Probably not
• Do you care if your name is on mailing lists?– Are you part of the don’t call list?– Do you only use a cell phone?– Do you use free email addresses and then discard
them? – Do you have an adequate spam filter?
• Do you place secure information in forms? – If so, do you make sure that the page is secure?– Do you read a company’s privacy policy before
entering your private data?
