Secret Truths about Privacy1. Privacy is subject to the Law of UnintendedConsequences2. Knowledge is Power: Consumers shou...
Big Data: A Brave New Privacy World2
TheWestchesterGun MapHarmless,right?Do the maps show everyone in my neighborhood who owns a gun?No. New York law does not ...
4
The Gun Map Proved Quite Harmful• Interactive map included names and addresses of police officers and prisonguards: inmate...
Lesson From The Gun Map• If you juxtapose two perfectly legit data sources: online maps and gun ownershipinformation for i...
European Genetic Map, Harmless, right?7
Maybe8
Potentially Harmful Implications“Imagine if you could figure out what town acriminal’s ancestors were likely from basedon ...
3D Map of Vancouver: Harmless, right?10
11
Here’s Why: The Law of Unintended ConsequencesWhat if you could juxtapose twodata sets and target specificoccupants of the...
What About A Beautiful Wind Map?http://hint.fm/wind/13
Pure science Big Data visualizations that provide a usefulservice and don’t rely on personal data are clearly OK14
1st takeaway: Juxtaposing data sets(what Big Data does!) may result inprivacy nightmares15
2. A Detour Through Big Social16
Big Social Can Make Great Things Better …Tahriri Square17
• Audrie Pott and Rehtaeh Parsons both committed suicide after photosdocumenting how they had been sexually assaulted were...
Annoying! Social Media Is Always Asking for More19
Is Privacy a Top Issue for Big Social?Who said: “All these concerns about privacytend to be old-people issues”?? 20
Reid Hoffman21
Is Privacy In Big Social’s Business Model ?• Nope• “Google to pay record $22.5 million fine for Safariprivacy evasion” [20...
Is Privacy Even Possible in Big Social?“Just remember when you post something,the computers remember forever”“Every young ...
2nd Takeaway: It’s OK for you to be theproduct when you’re not paying … ifyou know what you’re signing up for?24
Reactive or Proactive: Your Call25
Privacy Regulation in EuropeEU Data Protection Regulation will covereverything from consent to data portabilityand the rig...
Privacy Regulation in the US27The US approach is more laissez-faire, butalso more unpredictable. To wit: the Do NotTrack p...
Memorable Privacy Quotes"I do not believe that companies with business models based on the collection and monetization ofp...
Do the Right Thing: Learn & Participate• Big Data and Privacy discussions of OECD’s ITAChttp://www.internetac.org/wp-conte...
Do the Right Thing: Scour the Web for Cool Big Data & Privacy Stuff!• Drummond Reed’s RESPECT network puts data controlbac...
Do the Right Thing: Play in Standards– If you thought XACML was not relevant yet, you’d better think ahead to2014: http://...
What To Do About The 3 Privacy Truths1. You can’t dodge the Law of Unintended Consequencesbut when you’re processing sever...
2. Knowledge is Power: Give the power to yourcustomers to opt in and opt out at everypossible turn33
3. Standards make privacy easier to preserve.Get involved, NOW.http://www.oasis-open.org34
Laurent Liscia, CEOOASIS首席执行官[As a reminder that we haven’tcovered Privacy and Big Datain Asia …]http://www.oasis-open.org...
Upcoming SlideShare
Loading in...5
×

The 3 Secrets of Online Privacy

1,151

Published on

Everyone seems to think that Big Social has made privacy a thing of the past. Think again. It's a human right and it's on the Endangered Species list, but there are ways to save it. Find out how.

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,151
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Legislation is on your side, right?
  • Wrong.
  • Wrong.
  • The authors note thatthey're able to distinguish with some confidence individuals that are from the German, Italian, and French-speaking parts of Switzerland. With full re-sequencing data, it's likely that even the precise village of origin of an individual will be predictable from genetics alone.
  • EU Data Protection Regulation [From Wikipedia] ScopeThe regulation applies if the data controller or processor (organization) or the data subject (person) is based in the EU. Furthermore (and unlike the current Directive) the Regulation also applies to organizations based outside the European Union if they process personal data of EU residents. According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."Single Set of RulesOne single set of rules applies to all EU member states and there will be one Single Data Protection Authority (DPA) responsible for each company depending on where the Company is based or which DPA it chooses. A European Data Protection Board will coordinate the DPAs. There is an exception for employee data that still might be subject to individual country regulations.Responsibility & AccountabilityThe notice requirements remain and are expanded. They must include the retention time for personal data and contact information for data controller and data protection officer has to be provided. Privacy by Design and by Default (Article 23) require that data protection is designed into the development of business processes for products and services privacy settings are set at a high level by default. Data Protection Impact Assessments (Article 33) have to be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation is required and an prior approval of the DPA for high risks. Data Protection Officers (Articles 35-37) are to ensure compliance within organizations. They have to be appointed for all public authorities and for enterprises with more than 250 employees.ConsentValid consent must be explicit for data collected and purposes data used (Article 7; defined in Article 4). Consent for children under 13 must be given by child’s parent or custodian, and should be verifiable (Article 8). Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.Data breachesThe data controller has to notify the DPA without undue delay and, where feasible, not later than 24 hours after having become aware of the data breach (Article 31). Individuals have to be notified if adverse impact is determined (Article 32).FinesThe following fines can be imposedUp to €250K or up to 0.5% of the annual global sales for intentionally or negligently not responding to requests by the data subject or the DPA,Up to €500K or up to 1% of annual global sales for intentionally or negligently not complying with GDPRUp to €1,000K or up to 2% of annual global sales for intentionally or negligently not complying with specific GDPR regulationsRight to be ForgottenPersonal data has to be deleted when the individual withdraws consent or the data is no longer necessary and there is no legitimate reason for an organization to keep it. (Article 17)Data PortabilityA user shall be able to request a copy of personal data being processed in a format usable by this person and be able to transmit it electronically to another processing system. (Article 18)
  • EU Data Protection Regulation [From Wikipedia] ScopeThe regulation applies if the data controller or processor (organization) or the data subject (person) is based in the EU. Furthermore (and unlike the current Directive) the Regulation also applies to organizations based outside the European Union if they process personal data of EU residents. According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."Single Set of RulesOne single set of rules applies to all EU member states and there will be one Single Data Protection Authority (DPA) responsible for each company depending on where the Company is based or which DPA it chooses. A European Data Protection Board will coordinate the DPAs. There is an exception for employee data that still might be subject to individual country regulations.Responsibility & AccountabilityThe notice requirements remain and are expanded. They must include the retention time for personal data and contact information for data controller and data protection officer has to be provided. Privacy by Design and by Default (Article 23) require that data protection is designed into the development of business processes for products and services privacy settings are set at a high level by default. Data Protection Impact Assessments (Article 33) have to be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation is required and an prior approval of the DPA for high risks. Data Protection Officers (Articles 35-37) are to ensure compliance within organizations. They have to be appointed for all public authorities and for enterprises with more than 250 employees.ConsentValid consent must be explicit for data collected and purposes data used (Article 7; defined in Article 4). Consent for children under 13 must be given by child’s parent or custodian, and should be verifiable (Article 8). Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.Data breachesThe data controller has to notify the DPA without undue delay and, where feasible, not later than 24 hours after having become aware of the data breach (Article 31). Individuals have to be notified if adverse impact is determined (Article 32).FinesThe following fines can be imposedUp to €250K or up to 0.5% of the annual global sales for intentionally or negligently not responding to requests by the data subject or the DPA,Up to €500K or up to 1% of annual global sales for intentionally or negligently not complying with GDPRUp to €1,000K or up to 2% of annual global sales for intentionally or negligently not complying with specific GDPR regulationsRight to be ForgottenPersonal data has to be deleted when the individual withdraws consent or the data is no longer necessary and there is no legitimate reason for an organization to keep it. (Article 17)Data PortabilityA user shall be able to request a copy of personal data being processed in a format usable by this person and be able to transmit it electronically to another processing system. (Article 18)
  • EU Data Protection Regulation [From Wikipedia] ScopeThe regulation applies if the data controller or processor (organization) or the data subject (person) is based in the EU. Furthermore (and unlike the current Directive) the Regulation also applies to organizations based outside the European Union if they process personal data of EU residents. According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."Single Set of RulesOne single set of rules applies to all EU member states and there will be one Single Data Protection Authority (DPA) responsible for each company depending on where the Company is based or which DPA it chooses. A European Data Protection Board will coordinate the DPAs. There is an exception for employee data that still might be subject to individual country regulations.Responsibility & AccountabilityThe notice requirements remain and are expanded. They must include the retention time for personal data and contact information for data controller and data protection officer has to be provided. Privacy by Design and by Default (Article 23) require that data protection is designed into the development of business processes for products and services privacy settings are set at a high level by default. Data Protection Impact Assessments (Article 33) have to be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation is required and an prior approval of the DPA for high risks. Data Protection Officers (Articles 35-37) are to ensure compliance within organizations. They have to be appointed for all public authorities and for enterprises with more than 250 employees.ConsentValid consent must be explicit for data collected and purposes data used (Article 7; defined in Article 4). Consent for children under 13 must be given by child’s parent or custodian, and should be verifiable (Article 8). Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.Data breachesThe data controller has to notify the DPA without undue delay and, where feasible, not later than 24 hours after having become aware of the data breach (Article 31). Individuals have to be notified if adverse impact is determined (Article 32).FinesThe following fines can be imposedUp to €250K or up to 0.5% of the annual global sales for intentionally or negligently not responding to requests by the data subject or the DPA,Up to €500K or up to 1% of annual global sales for intentionally or negligently not complying with GDPRUp to €1,000K or up to 2% of annual global sales for intentionally or negligently not complying with specific GDPR regulationsRight to be ForgottenPersonal data has to be deleted when the individual withdraws consent or the data is no longer necessary and there is no legitimate reason for an organization to keep it. (Article 17)Data PortabilityA user shall be able to request a copy of personal data being processed in a format usable by this person and be able to transmit it electronically to another processing system. (Article 18)
  • The 3 Secrets of Online Privacy

    1. 1. Secret Truths about Privacy1. Privacy is subject to the Law of UnintendedConsequences2. Knowledge is Power: Consumers should know whatprivacy Faustian pacts they’re signing3. Privacy requires technical and policy standards!Laurent Liscia, CEO OASIS Open1
    2. 2. Big Data: A Brave New Privacy World2
    3. 3. TheWestchesterGun MapHarmless,right?Do the maps show everyone in my neighborhood who owns a gun?No. New York law does not require a permit to own a long gun such as a rifle or shotgun.How was this information obtained?Through requests to the individual county clerks under New York’s Freedom of Information Law.Isn’t that private information?No. There is no right to privacy regarding handgun ownership in New York.[Source: The Journal News]3
    4. 4. 4
    5. 5. The Gun Map Proved Quite Harmful• Interactive map included names and addresses of police officers and prisonguards: inmates used the map to find out where they lived and threaten them.• Former thieves said criminals could use map either to target houses with no guns(to avoid getting shot) or take the risk and steal the weapons themselves.• Democratic legislator: “I never owned a gun but now have no choice. I have beenexposed as someone that has no gun. And I’ll do anything to protect my family.”• Resident feared her ex, who tried to kill her in past, might find her with the map• Journalists received death threats, stationed an armed guard outside their offices.5
    6. 6. Lesson From The Gun Map• If you juxtapose two perfectly legit data sources: online maps and gun ownershipinformation for instance, you can enter scary privacy territory• That’s the Law of Unintended Consequences6
    7. 7. European Genetic Map, Harmless, right?7
    8. 8. Maybe8
    9. 9. Potentially Harmful Implications“Imagine if you could figure out what town acriminal’s ancestors were likely from basedon DNA alone?” Razib Khan, Discover MagazineYou can’t stop ideas that threatenprivacy from popping up: yet anotherinstance of the Law of UnintendedConsequences9
    10. 10. 3D Map of Vancouver: Harmless, right?10
    11. 11. 11
    12. 12. Here’s Why: The Law of Unintended ConsequencesWhat if you could juxtapose twodata sets and target specificoccupants of the building ?12
    13. 13. What About A Beautiful Wind Map?http://hint.fm/wind/13
    14. 14. Pure science Big Data visualizations that provide a usefulservice and don’t rely on personal data are clearly OK14
    15. 15. 1st takeaway: Juxtaposing data sets(what Big Data does!) may result inprivacy nightmares15
    16. 16. 2. A Detour Through Big Social16
    17. 17. Big Social Can Make Great Things Better …Tahriri Square17
    18. 18. • Audrie Pott and Rehtaeh Parsons both committed suicide after photosdocumenting how they had been sexually assaulted were circulated onsocial media• In both cases, many sided with the assailants rather than victims, callingthem “sluts”And Bad Things Worse18
    19. 19. Annoying! Social Media Is Always Asking for More19
    20. 20. Is Privacy a Top Issue for Big Social?Who said: “All these concerns about privacytend to be old-people issues”?? 20
    21. 21. Reid Hoffman21
    22. 22. Is Privacy In Big Social’s Business Model ?• Nope• “Google to pay record $22.5 million fine for Safariprivacy evasion” [2012]• Twitter agreed to settle charges that it "deceivedcustomers" and failed to protect their personalinformation [FTC fine, 2010]22
    23. 23. Is Privacy Even Possible in Big Social?“Just remember when you post something,the computers remember forever”“Every young person one day will be entitledautomatically to change his or her name onreaching adulthood in order to disownyouthful hijinks stored on their friends’ socialmedia sites.”Eric Schmidt, when he was CEO of Google23
    24. 24. 2nd Takeaway: It’s OK for you to be theproduct when you’re not paying … ifyou know what you’re signing up for?24
    25. 25. Reactive or Proactive: Your Call25
    26. 26. Privacy Regulation in EuropeEU Data Protection Regulation will covereverything from consent to data portabilityand the right to be forgotten and will apply toany company storing EU resident datawhether it’s HQ’d in the EU or not26
    27. 27. Privacy Regulation in the US27The US approach is more laissez-faire, butalso more unpredictable. To wit: the Do NotTrack proposal from Sen. Jay Rockefellerfollowing 2012 White House "ConsumerPrivacy Bill of Rights" asking industry to giveconsumers control over their personalinformation and Congress to pass laws.
    28. 28. Memorable Privacy Quotes"I do not believe that companies with business models based on the collection and monetization ofpersonal information will voluntarily stop those practices if it negatively impacts their profit margins.“Jay Rockefeller“Consumers are very pragmatic people. They want free content. They understand theres a valueexchange. And theyre OK with it.”Lou Mastria, director of the Digital Advertising Alliance““You are the product!” Oh, fuck, off! For many people it wasn’t the new T&C that was the problem, itwas that Instagram was no longer a service we felt comfortable making our “we’re the product deal”with.”Rev Dan Catt, blogger28You’re the consumer: how do YOU feelabout it?
    29. 29. Do the Right Thing: Learn & Participate• Big Data and Privacy discussions of OECD’s ITAChttp://www.internetac.org/wp-content/uploads/2012/10/UPDATE-ITAC-WPISP-v02.pdf• NSTIC’s Privacy Evaluation Methodologyhttp://www.idecosystem.org/filedepot?fid=404• European Data Protection & Privacy Conferencehttp://www.eu-ems.com/summary.asp?event_id=123&page_id=983• Kuppinger Cole’s EIC – premier event for Privacy• Listen to all sides! EPIC, EFF, Project VRMhttp://epic.org/privacy/intl/eu_data_protection_directive.htmlhttp://cyber.law.harvard.edu/projectvrm/Main_Page29
    30. 30. Do the Right Thing: Scour the Web for Cool Big Data & Privacy Stuff!• Drummond Reed’s RESPECT network puts data controlback into each user’s hands: http://respectnetwork.com/• Kaliya Hamlin’s Personal Data Ecosystem remindscompanies to put the user back at the center of theirown data - http://pde.cc/• Read Kord Davis’s “Ethics of Big Data: Balancing Risk andInnovation”http://www.goodreads.com/book/show/13230994-ethics-of-big-data30
    31. 31. Do the Right Thing: Play in Standards– If you thought XACML was not relevant yet, you’d better think ahead to2014: http://j.mp/oasisXACML– PMRMs model for translating & mapping privacy policies into a servicearchitecture: http://j.mp/oasisPMRM– PbD-SE: Privacy by Design for Software Engineers: http://j.mp/PbDoasis31Help MAKE and IMPLEMENT open privacy standards, for access control,policy enforcement and impact assessment!
    32. 32. What To Do About The 3 Privacy Truths1. You can’t dodge the Law of Unintended Consequencesbut when you’re processing several data sets, remindyourself that YOU are one of the people whose privacyis at risk and use the Golden Rule.32
    33. 33. 2. Knowledge is Power: Give the power to yourcustomers to opt in and opt out at everypossible turn33
    34. 34. 3. Standards make privacy easier to preserve.Get involved, NOW.http://www.oasis-open.org34
    35. 35. Laurent Liscia, CEOOASIS首席执行官[As a reminder that we haven’tcovered Privacy and Big Datain Asia …]http://www.oasis-open.org謝謝!35
    1. Gostou de algum slide específico?

      Recortar slides é uma maneira fácil de colecionar informações para acessar mais tarde.

    ×