• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
priv4.ppt
  • Video Privacy Protection Act: when journalists got Robert Bork’s video rental records during his Supreme Court confirmation hearings, Congress responded with this act, which forbids rental store proprietors from disclosing the viewing habits of their customers. (Interestingly, the act does not appear to cover the online delivery of content, such as DIVX films.)
  • 52
  • 52
  • 52
  • 52
  • 52
  • 52
  • Privacy policies often change, and most of the time users have no way of knowing about changes unless they check the privacy policy every time they visit a site. A P3P user agent can do this check automatically to make sure a policy continues to match a user’s preferences. P3P user agents can also identify objects embedded in web pages that may have different privacy policies.
  • Example 3.1 of the spec

Presentation Transcript

  • Lecture 4: Privacy
  • Outline
    • Proliferation of data
    • What is privacy?
    • Driver’s License Data
    • Privacy Laws
    • De-identification
    • Medical privacy
    • P3P
    • European Union approach
  • What is Privacy?
    • Many different concepts all collected under the single word “privacy”
    • Protection against intrusion into one’s “space”
      • Protection from Government (4 th Amendment)
      • Freedom from publicity, disclosure of embarrassing facts (“Invasion of Privacy”)
      • Protection from telemarketers
    • Protection in cyberspace
      • Anti-spam
      • Web data collection
  • What is Privacy?
    • Bodily privacy ( Roe v. Wade )
    • Communications privacy
      • Against eavesdropping, wiretapping
      • Electronic Communications Privacy Act
    • Identity privacy
      • Anonymity
    • Data privacy
      • Right to control collection, use and dissemination of non-public personal information
  • Data Privacy
    • Who “owns” data about you? Can data be owned?
      • Facts (residence, phone #, age) e.g. Allegheny County Property
      • Sales information
      • Habits, personal preferences
      • Message traffic
    • Problem: electronic collections are subject to greater abuse than paper ones
    • Problem: having everything on line is different from just having records be public
    • Policy: is it the data or its use that requires protection?
  • U.S. Privacy Law
    • No definition of “privacy”; few legal principles
    • Federally protected categories: financial, educational, medical
    • State: limited, usually embarrassing facts or photos
    • Constitutional basis?
      • 4th amendment: government searches
      • “liberty” as right of privacy
    • State constitutions
      • California Const. Art. I, §1 : “All people are by nature free and independent and have inalienable rights. Among these are ... pursuing and obtaining safety, happiness, and privacy.” (Not in the 1849 Constitution)
      • Hawaii Const. Art. 1, §6 : “The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest.” (Added in 1978)
  • Sample Federal Privacy Statutes
    • Gramm-Leach-Bliley (financial privacy)
    • Health Insurance Portability and Accountability Act of 1996 (medical)
    • Children’s Online Privacy Protection Act of 1998
    • Privacy Act of 1974 (covers U.S. government)
    • Driver’s Privacy Protection Act of 1994 (driver’s license info)
    • Video Privacy Protection Act of 1988 (videotape rental and sale records)
    • Electronic Communications Privacy Act of 1986
    • Family Education Rights and Privacy Act of 1974 (academic)
    • Fair Credit Reporting Act of 1970
    • Cable Communications Policy Act of 1984 . . .
  • Driver’s Privacy Protection Act of 1994
    • Deals with release of information obtained by a State department of motor vehicles
    • Designed to prevent sale of driver’s license information
    • “personal information” means information that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver's status
    • “highly restricted personal information” means an individual's photograph or image, social security number, medical or disability information
  • Driver’s Privacy Protection Act of 1994
    • A State department of motor vehicles, and any officer, employee, or contractor thereof, shall not knowingly disclose or otherwise make available to any person or entity:
      • personal information … about any individual obtained by the department in connection with a motor vehicle record, except [lots of exceptions]; or
      • highly restricted personal information … without the express consent of the person to whom such information applies, except [small list of exceptions]
    • Statute makes it a crime. Penalty: fine + prison
      • For a State Department of Motor Vehicles, $5000/day
    • Is this constitutional?
    • Where does Congress get the power to regulate state drivers’ licenses?
  • Reno v. Condon
    • South Carolina made driver’s license information available to anyone (except telephone solicitors)
    • Charlie Condon was the Attorney General of South Carolina
    • When the DPPA was passed, Condon sued the U.S. Attorney General to prevent enforcement (or he would become a criminal)
    • Claimed it makes “state officials the unwilling implementors of federal policy”
    • U.S. Constitution, Art. 1, Sec. 8, Clause 3: “The Congress shall have Power … To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes”
    • “sale or release of … information in interstate commerce is … a proper subject of congressional regulation”
    • Information as an article of commerce
    • Reno v. Condon, 528 U.S. 141 (2000)
  • Data Collection
    • Public birth records now contain 226 fields of information, including name, DOB, gender, ZIP, parents’ race, level of education, genetic risk factors
    • Voter registration data contains name, address, gender
    • Public hospital discharge records contain 50 fields, including DOB, gender, ZIP, diagnosis, treatments, medical bills (no name)
    • Grocery store data include name, address, bank account, SSAN, weekly spending
    • Linking produces huge dossiers
  • Data Anonymity
    • Data is “anonymous” if it cannot be associated with a specific individual
    • Data that includes a name, SSAN, address, etc. is not anonymous.
    • Data can be made anonymous by abridging or modifying it, e.g. change ZIP from 20011 to 200** (de-identifying)
    • Problem: abridging data affects its integrity
    • How much data must be eliminated to make it anonymous? Is it ever possible?
  • Methods of De-Identification
    • Quasi-identifier, profile {Birth 0.5, ZIP 0.7, Sex 0.3}
    • Generalization: 10/27/59 → 1959
    • Suppression: 02139 → (value removed)
    • Encryption: 3245123 → 2168582
    • Idea: one becomes many
    SOURCE: LATANYA SWEENEY
  • Data Anonymity
    • Problem: de-identifying data does not necessarily make it anonymous. It can often be re-identified :
    [Figure (SOURCE: LATANYA SWEENEY): two overlapping tables. Medical Data: Ethnicity, Visit date, Diagnosis, Procedure, Medication, Total bill, ZIP, Birth date, Sex. Voter Lists: Name, Address, Date registered, Party, Date last voted, ZIP, Birth date, Sex. The shared fields ZIP, Birth date and Sex link a medical record to a name.]
  • Date of birth, gender + 5-digit ZIP uniquely identifies 87.1% of U.S. population (SOURCE: LATANYA SWEENEY)
    [Figure: map of the U.S., one point per ZIP code. Annotation: ZIP 60623 has 112,167 people; 11%, not 0%, uniquely identified; insufficient # over 55 living there.]
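The linkage attack in the figure above and the generalization/suppression steps from the previous slide, carried through as an added worked example (this is not code from the lecture or from Sweeney). Both tables are constructed toy data with the field names `zip`, `dob`, `sex`, `diagnosis` and `name` assumed for the example; real discharge records and voter lists are far wider.

```python
"""Re-identification by linkage and k-anonymity after generalization.

Added example, not from the lecture or from Sweeney. Both tables are
constructed toy data; real voter lists and discharge records are much wider.
"""
from collections import Counter
from datetime import date

QI = ("zip", "dob", "sex")  # the quasi-identifier shared by both tables

# Constructed "de-identified" hospital discharge records: name removed,
# quasi-identifier left intact, as in the figure.
MEDICAL = [
    {"zip": "02139", "dob": date(1959, 10, 27), "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": date(1961, 3, 4), "sex": "M", "diagnosis": "asthma"},
    {"zip": "02142", "dob": date(1959, 10, 27), "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": date(1961, 3, 4), "sex": "M", "diagnosis": "fracture"},
]

# Constructed public voter list: names plus the same quasi-identifier.
VOTERS = [
    {"name": "Alice Example", "zip": "02139", "dob": date(1959, 10, 27), "sex": "F"},
    {"name": "Bob Example", "zip": "02139", "dob": date(1961, 3, 4), "sex": "M"},
    {"name": "Carl Example", "zip": "02139", "dob": date(1961, 3, 4), "sex": "M"},
    {"name": "Dana Example", "zip": "02142", "dob": date(1959, 10, 27), "sex": "F"},
]


def qi_key(rec):
    return tuple(rec[f] for f in QI)


def link(medical, voters):
    """Join the tables on the quasi-identifier. A medical record is
    re-identified when exactly one voter shares its (ZIP, birth date, sex)."""
    names_by_qi = {}
    for v in voters:
        names_by_qi.setdefault(qi_key(v), []).append(v["name"])
    hits = []
    for m in medical:
        names = names_by_qi.get(qi_key(m), [])
        if len(names) == 1:
            hits.append((names[0], m["diagnosis"]))
    return hits


def generalize(rec):
    """The slide's generalization and suppression steps:
    10/27/59 -> 1959 and 02139 -> 021 (last two digits suppressed)."""
    out = dict(rec)
    out["dob"] = rec["dob"].year
    out["zip"] = rec["zip"][:3]
    return out


def k_anonymity(records):
    """Size of the smallest group of records sharing one quasi-identifier
    value: each record is indistinguishable from at least k-1 others."""
    return min(Counter(qi_key(r) for r in records).values())


if __name__ == "__main__":
    print("raw   k =", k_anonymity(MEDICAL), "re-identified:", link(MEDICAL, VOTERS))
    gm, gv = [generalize(r) for r in MEDICAL], [generalize(r) for r in VOTERS]
    print("gen'd k =", k_anonymity(gm), "re-identified:", link(gm, gv))
```

On the raw tables two of the four "anonymous" discharge records come back with a name attached; after generalization the published table is 2-anonymous and every quasi-identifier value matches at least two voters, so no unique hit remains. The attacker is assumed to coarsen their own copy of the voter list the same way, which they can always do. k-anonymity alone does not stop inference: if both 1961/M records had carried the same diagnosis, the attacker would learn it without needing to know which record is Bob's.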
  • Privacy Act of 1974 5 U.S.C. §552a
    • Deals with disclosure of Federal Government records on individuals
    • “No agency shall disclose any record … to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains [except … ]”
      • … the record is to be transferred in a form that is not individually identifiable;
      • authorized law enforcement
      • health or safety
      • Congress
      • court order
  • Privacy Act of 1974
    • “No agency shall disclose any record … to any person, or to another agency, except … with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be --
      • … used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable” (not a defined term)
    • Restriction on “matching programs”
      • any computerized comparison of -- (i) two or more automated systems of records … [certain exceptions]
  • Privacy on the Web
    • Posted privacy policies are legal representations
    • Violation of privacy policy by a website is deceptive advertising and an unfair trade practice
    • The Federal Trade Commission acts on behalf of consumers
    • Vigorous enforcement
      • Example: In the Matter of Microsoft Corporation
    • FTC is the leading U.S. government privacy watchdog
      • Is this good? (It was never intended.)
  • Electronic Communications Privacy Act 18 U.S.C. §§ 1367 , 2232 , 2510 , 2701 , 3117 , 3121
    • Defines “oral communication” as “any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation”
    • Prohibits
      • interception of wire, oral, or electronic communication
      • use or disclosure of intercepted communication
    • Complicated exceptions
      • Inadvertently overhearing evidence of a crime
    • Chat rooms?
  • Health Insurance Portability and Accountability Act of 1996 ( HIPAA )
    • A “covered entity” may not use or disclose protected health information, except as permitted or required …
      • pursuant to … a consent … to carry out treatment, payment, or health care operations
      • pursuant to … an authorization
      • pursuant to … an agreement (opt-in)
      • [other provisions] 45 CFR §164.502
    • Health information that meets … specifications for de-identification … is considered not to be individually identifiable health information 45 CFR §164.502(d)
  • What HIPAA Protects
    • “Individually identifiable health information” is information that is a subset of health information, including demographic information collected from an individual, and: …
      • relates to … physical or mental health or condition of an individual; … provision of health care to an individual; or … payment for … health care to an individual; and
      • identifies the individual; or
      • with respect to which there is a reasonable basis to believe the information can be used to identify the individual 45 CFR §164.501
  • De-Identification
    • A covered entity may determine that health information is not individually identifiable only if: … the following identifiers of the individual or of relatives, employers, or household members of the individual are removed:
    • Names;
    • All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, …, except for the initial three digits of a zip code if …
    • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89…
    • Telephone numbers; Fax numbers; email addresses; URLs; IP addresses
    • Social security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers;
    • Certificate/license numbers; vehicle identifiers, serial numbers, plate numbers;
    • Device identifiers and serial numbers;
    • Biometric identifiers, including finger and voice prints;
    • Full face photographic images and any comparable images; and
    • Any other unique identifying number, characteristic, or code; and
    • The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
    • 45 CFR §164.514
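The Safe Harbor identifier list above, applied field by field to one discharge record, added here as a worked example (not code from the lecture, not HHS guidance code, and not a certified de-identification tool). The field names, the sample record and the short set of low-population ZIP prefixes are assumptions made for the example.

```python
"""HIPAA Safe Harbor de-identification of one record (45 CFR 164.514(b)(2)).

Added example, not from the lecture and not a certified implementation.
Field names, the sample record and SMALL_ZIP3 are assumptions for the example.
"""
import re
from datetime import date

# Constructed, incomplete stand-in for the Census-derived list of three-digit
# ZIP prefixes whose combined population is 20,000 or fewer; Safe Harbor
# requires those prefixes to become 000. Use the current Census table in practice.
SMALL_ZIP3 = {"036", "059", "102", "203", "556", "692", "790", "821", "823", "878", "879", "884", "893"}

# Fields holding direct identifiers (names, SSN, MRN, phone, fax, e-mail, URL, IP,
# account/license/vehicle/device numbers, biometrics, photos): dropped outright.
DIRECT_ID_FIELDS = {"name", "ssn", "mrn", "phone", "fax", "email", "url", "ip", "account",
                    "license", "vin", "plate", "device_id", "biometric", "photo"}
# Geographic subdivisions smaller than a state: dropped; ZIP is handled separately.
GEO_FIELDS = {"street", "city", "county", "precinct"}
# Dates directly related to the individual: reduced to the year.
DATE_FIELDS = {"admit", "discharge", "death"}

# Identifiers that leak through free-text fields such as clinical notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def safe_harbor_zip(zip5):
    """Keep the first three digits unless the prefix covers too few people."""
    prefix = zip5[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def safe_harbor_birth(dob, as_of):
    """Birth date -> birth year; anyone over 89 is aggregated into '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(dob.year)


def scrub_text(text):
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def deidentify(record, as_of):
    """Apply the Safe Harbor rules field by field. The final 'actual knowledge'
    test in 164.514(b)(2)(ii) is a human judgement about what remains, not a
    transformation, so it is deliberately not modelled here."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_ID_FIELDS or field in GEO_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field == "dob":
            out["birth_year"] = safe_harbor_birth(value, as_of)
        elif field in DATE_FIELDS:
            out[field + "_year"] = value.year
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


# Constructed sample discharge record.
SAMPLE = {
    "name": "Alice Example", "mrn": "MRN-000123", "zip": "02139", "dob": date(1959, 10, 27),
    "admit": date(2023, 5, 3), "city": "Cambridge", "state": "MA", "sex": "F",
    "diagnosis": "hypertension",
    "notes": "Daughter can be reached at 617-555-0100 or kin@example.com; follow-up 5/10/2023.",
}

if __name__ == "__main__":
    for field, value in deidentify(SAMPLE, date(2024, 1, 1)).items():
        print(f"{field}: {value}")
```

The regex pass over `notes` is where real datasets fail Safe Harbor: structured columns are easy to drop, free text is not, and a pattern list like this one catches formats, not meaning (a nickname or an employer's name in a note passes straight through). The last bullet on the slide, that the entity has no actual knowledge the remainder could identify someone, is the reviewer's judgement after running a scrubber, and the voter-list linkage earlier in the lecture is exactly the kind of knowledge it asks about.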
  • Employer Surveillance
    • In general, surveillance by the employer is legal if
      • the computer being monitored belongs to the employer; or
      • the computer is connected to the employer’s network; and
      • even if communications are encrypted
    • McLaren v. Microsoft Corp ., No. 05-97-00824 (Tex. Ct. App. May 28, 1999).
      • Employee used private password to encrypt email messages stored on office computer.
      • Company decrypted and viewed files.
      • Email account and workstation were provided for business use, so Microsoft could legitimately access data stored there.
    • Notice of Electronic Monitoring Act (CT)
      • Versions introduced in other states and Congress
  • Platform for Privacy Preferences
    • P3P
    • Developed by World Wide Web Consortium
    • Protocol allowing users to interrogate websites about privacy
    • P3P-enabled site posts machine-readable privacy policy summary ( IBM P3P editor , PrivacyBot )
    • User sets up his privacy preferences in his browser
    • User’s browser examines the summary; does not allow access to non-compliant sites
    • Compliance is voluntary . Validator available.
  • Anonymity (U.S.)
    • Freedom to publish anonymously is guaranteed by the First Amendment. McIntyre v. Ohio Elections Comm’n , 514 U.S. 334 (1995). Basis: Federalist Papers (1787-1788)
    • Are you anonymous if your ISP can be forced to identify you?
    • Currently a VERY HOT topic because of efforts of the recording industry to identify file swappers
      • Not strictly a privacy rights matter because the Digital Millennium Copyright Act specifically authorizes such subpoenas
  • Subpoenas to Identify
    • No privilege between a user and an ISP. But ISP may have standing to assert user’s rights, especially First Amendment rights
    • In re Subpoena Duces Tecum to America Online, Inc. (Anonymous Publicly Traded Co. v. Doe), Va. Cir. Ct., Fairfax Cty., Misc. Law No. 40570 , 2/7/00
    • Company alleged it was defamed by an anonymous AOL subscriber
    • Company did not want to identify itself, but demanded in a subpoena that AOL identify the subscriber
    • (Underlying case was in Ohio; AOL is in Virginia)
  • Subpoenas to Identify
    • Lower court allowed the subpoena
    • Gave a test for subpoenas to identify a user:
      • are pleadings and evidence supplied to the court satisfactory?
      • does the party requesting the subpoena have a legitimate, good faith basis that it may be the victim of actionable conduct?
      • is identifying the subscribers central to advancing the claim?
  • America Online, Inc. v. Anonymous Publicly Traded Company, Record No. 000974
    • On appeal, the Supreme Court of Virginia REVERSED the decision to allow the anonymous subpoena (2001 Va. LEXIS 38; 29 Media L. Rep. 1442)
    • HELD, anonymous plaintiff could be given subpoena power only if it would suffer exceptional harm, such as social stigma, or extraordinary economic retaliation, as a result of exposing its identity
    • Company subsequently dropped the lawsuit
  • Korean Privacy Law
    • Constitution of the Republic of Korea
      • Article 17 [Privacy] The privacy of no citizen may be infringed.
      • Article 18 [Secrecy of Correspondence] The secrecy of correspondence of no citizen may be infringed.
    • Act on the Protection of Personal Information Maintained by Public Agencies (1995)
    • Act on Promotion of Information and Communication Network Utilization and Data Protection (“DP Act,” 2001)
    • Korea Personal Data Protection Center
  • European Union Privacy Approach
    • Total contrast to U.S.
    • Europeans fear their neighbors, not the government
    • Americans fear the government, not their neighbors
    • “ Public” information highly restricted
    • No notion of personal data as a commodity to be bought and sold
    • Concept:
      • prior notice and consent by individual
      • use restricted to disclosed use
      • right of access and correction
      • onward transfer restricted
  • EU Privacy Structure
    [Figure: organization chart. European Parliament at the top; under it the national governments (UK Government, French Government, German Government), each with its data-protection authority (the UK Information Commissioner; the French and German Privacy Commissioners); under those the registered data controllers, e.g. Shell; and at the bottom, individuals.]
  • European Union Privacy Directive
    • Member States shall provide that personal data may be processed only if: (a) the data subject has given his consent unambiguously; or (b) processing is necessary for
      • performance of a contract to which the data subject is party;
      • compliance with a legal obligation to which the controller is subject;
      • protecting the vital interests of the data subject; or
      • legitimate interests of parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
    • EU claims this also applies to U.S. companies who use cookies
  • Remote Data Collection
    • Where the data have not been obtained from the data subject … the controller must at the time of undertaking the recording of personal data provide the data subject with at least:
      • identity of the controller and his representative,
      • purposes of the processing
      • categories of data concerned
      • recipients or categories of recipients;
      • existence of the right of access and rectification
    • Subject may object, but not refuse
  • European Union Privacy Directive
    • Member States shall grant the right to every person not to be subject to a decision which produces legal effects concerning him … based solely on automated processing of data … such as
      • performance at work
      • creditworthiness
      • reliability
      • conduct, etc.
    • Member States shall provide that the transfer to a third country of personal data ... may take place only if ... the third country in question ensures an adequate level of protection.
      • big problem with respect to U.S.
  • US/EU Agreement on Data Privacy and Safe Harbor
    • 7 Principles to which a US company may voluntarily agree
    • Safe harbor companies deemed to protect data adequately and data flows to them from the EU may occur
    • Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted; and
    • Claims brought by European citizens against U.S. companies will be heard in the U.S. subject to limited exceptions
    • Enforcement in the US by the Federal Trade Commission and Department of Transportation, 49 U.S.C. § 41712
    • Does not include financial institutions
  • Seven US/EU Safe Harbor Principles
    • Notice
      • “ clear and conspicuous” first time data is collected
      • purpose of collection
      • how to complain
      • types of third parties with whom data will be shared
    • Choice (opt-out always, opt-in for “sensitive” information)
    • Onward Transfer (ascertain status of transferee)
    • Security
    • Data Integrity (reliability + use consistent with purpose)
    • Access (+ right to correct)
    • Enforcement (recourse + obligation to remedy)
  • Major Ideas
    • Privacy is important
    • No accepted definition of privacy
    • Federal legislation in medical, financial, educational
    • Many state laws, few dealing with data
    • Anonymizing databases is difficult
    • Privacy policies are contracts
    • FTC is the main U.S. privacy enforcement body
    • Complying with privacy policies and laws is not easy
  • Q & A
  • A simple HTTP transaction (SOURCE: LORRIE CRANOR)
    Browser → Web Server: request web page
      GET /index.html HTTP/1.1
      Host: www.att.com
      . . .
    Web Server → Browser: send web page
      HTTP/1.1 200 OK
      Content-Type: text/html
      . . .
  • … with P3P 1.0 added (SOURCE: LORRIE CRANOR)
    Browser → Web Server: request Policy Reference File
      GET /w3c/p3p.xml HTTP/1.1
      Host: www.att.com
    Web Server → Browser: send Policy Reference File
    Browser → Web Server: request P3P Policy
    Web Server → Browser: send P3P Policy
    Browser → Web Server: request web page
      GET /index.html HTTP/1.1
      Host: www.att.com
      . . .
    Web Server → Browser: send web page
      HTTP/1.1 200 OK
      Content-Type: text/html
      . . .
  • P3P increases transparency
    • P3P clients can check a privacy policy each time it changes
    • P3P clients can check privacy policies on all objects in a web page, including ads and invisible images
    (Example: a page at http://www.att.com/accessatt/ embedding an ad served from http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE, each with its own policy) SOURCE: LORRIE CRANOR
  • P3P in IE6 (SOURCE: LORRIE CRANOR)
    • Privacy icon on the status bar indicates that a cookie has been blocked; a pop-up appears the first time the privacy icon appears
    • Automatic processing of compact policies only; third-party cookies without compact policies are blocked by default
  • Users can click on the privacy icon for a list of cookies; privacy summaries are available at sites that are P3P-enabled (SOURCE: LORRIE CRANOR)
  • The privacy summary report is generated automatically from the full P3P policy (SOURCE: LORRIE CRANOR)
  • P3P/XML encoding (SOURCE: LORRIE CRANOR)
    <!-- xmlns identifies the P3P version -->
    <POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
      <!-- discuri: location of the human-readable privacy policy; name: P3P policy name -->
      <POLICY discuri="http://p3pbook.com/privacy.html" name="policy">
        <!-- ENTITY: site's name and contact info -->
        <ENTITY>
          <DATA-GROUP>
            <DATA ref="#business.contact-info.online.email">privacy@p3pbook.com</DATA>
            <DATA ref="#business.contact-info.online.uri">http://p3pbook.com/</DATA>
            <DATA ref="#business.name">Web Privacy With P3P</DATA>
          </DATA-GROUP>
        </ENTITY>
        <!-- Access disclosure -->
        <ACCESS><nonident/></ACCESS>
        <!-- Statement -->
        <STATEMENT>
          <!-- Human-readable explanation -->
          <CONSEQUENCE>We keep standard web server logs.</CONSEQUENCE>
          <!-- How data may be used -->
          <PURPOSE><admin/><current/><develop/></PURPOSE>
          <!-- Data recipients -->
          <RECIPIENT><ours/></RECIPIENT>
          <!-- Data retention policy -->
          <RETENTION><indefinitely/></RETENTION>
          <!-- Types of data collected -->
          <DATA-GROUP>
            <DATA ref="#dynamic.clickstream"/>
            <DATA ref="#dynamic.http"/>
          </DATA-GROUP>
        </STATEMENT>
      </POLICY>
    </POLICIES>
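The exchange in the two HTTP figures, the IE6 cookie behaviour and the policy encoding above, as an added worked example of what a P3P user agent actually does with them (this is not code from the lecture and not any browser's implementation). The policy reference file, the two preference sets and the CP header strings are constructed for the example; the policy XML is the slide's, with the ENTITY shortened. The IE6 function approximates the default behaviour described on the slide, not Microsoft's actual rule set.

```python
"""Minimal P3P 1.0 user-agent logic: find the policy covering a URL through the
policy reference file, parse it, compare it with user preferences, and apply
the same comparison to a compact policy (CP) header as IE6 does for cookies.

Added example, not from the lecture or any browser. The policy reference file,
preference sets and CP header strings are constructed; POLICY_XML is the slide's.
"""
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed policy reference file, as a site would serve it at /w3c/p3p.xml.
POLICY_REF_XML = """<META xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY-REFERENCES>
  <POLICY-REF about="/w3c/policy.xml#policy">
   <INCLUDE>/*</INCLUDE><EXCLUDE>/cgi-bin/*</EXCLUDE>
  </POLICY-REF>
 </POLICY-REFERENCES>
</META>"""

POLICY_XML = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY discuri="http://p3pbook.com/privacy.html" name="policy">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Web Privacy With P3P</DATA></DATA-GROUP></ENTITY>
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <CONSEQUENCE>We keep standard web server logs.</CONSEQUENCE>
   <PURPOSE><admin/><current/><develop/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""


def policy_for_url(prf_xml, url):
    """First POLICY-REF whose INCLUDE patterns match the URL path and whose
    EXCLUDE patterns do not; None means the page is not covered by P3P."""
    path = urlsplit(url).path or "/"
    for ref in ET.fromstring(prf_xml).iter(NS + "POLICY-REF"):
        inc = [e.text for e in ref.findall(NS + "INCLUDE")]
        exc = [e.text for e in ref.findall(NS + "EXCLUDE")]
        if any(fnmatch.fnmatchcase(path, p) for p in inc) and not any(
                fnmatch.fnmatchcase(path, p) for p in exc):
            return ref.get("about")
    return None


def _child_tags(statement, parent):
    node = statement.find(NS + parent)
    return {c.tag[len(NS):] for c in node} if node is not None else set()


def parse_policy(policy_xml, name):
    """Reduce each STATEMENT to its purpose, recipient, retention and data refs."""
    for pol in ET.fromstring(policy_xml).iter(NS + "POLICY"):
        if pol.get("name") == name:
            return [{"purpose": _child_tags(st, "PURPOSE"),
                     "recipient": _child_tags(st, "RECIPIENT"),
                     "retention": _child_tags(st, "RETENTION"),
                     "data": {d.get("ref") for d in st.iter(NS + "DATA")}}
                    for st in pol.findall(NS + "STATEMENT")]
    raise ValueError(f"no policy named {name!r}")


def evaluate(statements, prefs):
    """(category, token) pairs the user forbids that the policy declares;
    an empty list means the policy matches the preferences."""
    return [(cat, tok) for st in statements for cat in ("purpose", "recipient", "retention")
            for tok in sorted(st[cat] & prefs.get(cat, set()))]


# Compact-policy tokens mapped to the full-policy vocabulary. Access, dispute and
# data-category tokens (NOI, DSP, COR, NID, ...) are not needed here and are skipped.
CP_TOKENS = {
    "purpose": {"CUR": "current", "ADM": "admin", "DEV": "develop", "TAI": "tailoring",
                "PSA": "pseudo-analysis", "PSD": "pseudo-decision", "IVA": "individual-analysis",
                "IVD": "individual-decision", "CON": "contact", "HIS": "historical",
                "TEL": "telemarketing", "OTP": "other-purpose"},
    "recipient": {"OUR": "ours", "DEL": "delivery", "SAM": "same", "UNR": "unrelated",
                  "PUB": "public", "OTR": "other-recipient"},
    "retention": {"NOR": "no-retention", "STP": "stated-purpose", "LEG": "legal-requirement",
                  "BUS": "business-practices", "IND": "indefinitely"},
}


def parse_compact_policy(header_value):
    """Turn a P3P: CP="..." header value into one statement. Purpose and
    recipient tokens may carry an a/i/o suffix (always / opt-in / opt-out)."""
    tokens = header_value.split('"')[1].split() if '"' in header_value else header_value.split()
    st = {"purpose": set(), "recipient": set(), "retention": set(), "data": set()}
    for tok in tokens:
        base = tok[:3].upper()
        for cat, table in CP_TOKENS.items():
            if base in table:
                st[cat].add(table[base])
    return [st]


def ie6_cookie_decision(third_party, cp_header, prefs):
    """Approximation of the IE6 default on the slide: a third-party cookie with
    no compact policy is blocked; with one, it is blocked if the CP violates prefs."""
    if cp_header is None:
        return "block" if third_party else "allow"
    return "block" if evaluate(parse_compact_policy(cp_header), prefs) else "allow"


# Constructed preference sets: LENIENT objects to marketing uses and public
# disclosure; STRICT additionally refuses indefinite retention.
LENIENT = {"purpose": {"contact", "telemarketing"}, "recipient": {"public", "unrelated"}}
STRICT = dict(LENIENT, retention={"indefinitely"})
```

The slide's policy passes the lenient preferences and fails the strict ones on `<RETENTION><indefinitely/>`, which is the kind of difference the IE6 summary report surfaces to the user. Two caveats the slides already hint at: the agent only ever checks what the site declares (compliance is voluntary, so a matching policy is a representation, not a guarantee), and `policy_for_url` must be run per embedded object, since the ad on the AT&T page can carry a different policy from the page itself.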