1. Data Privacy
   Michael I. Shamos, Ph.D., J.D.
   Institute for Software Research, School of Computer Science, Carnegie Mellon University
2. What is Privacy?
   - Many different concepts all collected under the single word “privacy”
   - Protection against intrusion into one’s “space”
     - Protection from Government (4th Amendment)
     - Freedom from publicity, disclosure of embarrassing facts (“Invasion of Privacy”)
     - Protection from telemarketers
   - Protection in cyberspace
     - Anti-spam
     - Web data collection
     - Protection from data disclosures and leaks
3. What is Privacy?
   - Bodily privacy (Roe v. Wade)
   - Communications privacy
     - Against eavesdropping, wiretapping
     - Electronic Communications Privacy Act
   - Identity privacy
     - Anonymity
   - Data privacy
     - Right to control collection, use and dissemination of non-public personal information
4. What is Privacy?
   - A bundle of rights recognized by the law protecting against various intrusions into one’s existence
   - Why do we need privacy?
   - It has survival value
   - Public desire for privacy is not matched by the law
   - Laws are incomplete, inconsistent and in flux
   - Differ by state & country
   - Difference between legal and ethical standards
5. What’s a Right?
   - U.S. Declaration of Independence (1776): “We hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty, and the Pursuit of Happiness”
   - U.S. Constitution (1789): “We the People of the United States, in Order to form a more perfect Union … and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.”
   “That to secure these rights, Governments are instituted among Men, deriving their just Powers from the Consent of the governed”
6. Data Privacy
   - Who “owns” data about you? Can data be owned?
     - Facts (residence, phone #, age), e.g. Allegheny County Property
     - Sales information
     - Habits, personal preferences
     - Message traffic
   - Problem: electronic collections are subject to greater abuse than paper ones
   - Problem: having everything online is different from just having records be public
   - Policy: is it the data or its use that requires protection?
7. U.S. Privacy Law
   - No definition of “privacy”; few legal principles
   - Federally protected categories: financial, educational, medical
   - State: limited, usually embarrassing facts or photos
   - Constitutional basis?
     - 4th Amendment: government searches
     - “liberty” as right of privacy
   - State constitutions
     - California Const. Art. I, §1: “All people are by nature free and independent and have inalienable rights. Among these are ... pursuing and obtaining safety, happiness, and privacy.” (Not in the 1849 Constitution)
     - Hawaii Const. Art. 1, §6: “The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest.” (Added in 1978)
8. Privacy Act of 1974, 5 U.S.C. §552a
   - Deals with disclosure of Federal Government records on individuals
   - “No agency shall disclose any record … to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains [except …]”
     - … the record is to be transferred in a form that is not individually identifiable;
     - authorized law enforcement
     - health or safety
     - Congress
     - court order
9. Privacy Act of 1974
   - “No agency shall disclose any record … to any person, or to another agency, except … with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be --
     - … used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable” (not a defined term)
   - Restriction on “matching programs”
     - any computerized comparison of -- (i) two or more automated systems of records … [certain exceptions]
10. Privacy on the Web
   - Posted privacy policies are legal representations
   - Violation of privacy policy by a website is deceptive advertising and an unfair trade practice
   - The Federal Trade Commission acts on behalf of consumers
   - Vigorous enforcement
     - Example: In the Matter of Microsoft Corporation
   - FTC is the leading U.S. government privacy watchdog
     - Is this good? (It was never intended.)
11. Family Educational Right to Privacy Act (FERPA, Buckley Amendment), 20 U.S.C. §1232g
   - “No [federal] funds shall be made available … to any educational agency or institution which has a policy or practice of permitting the release of educational records … of students without the written consent of their parents to any individual, agency, or organization,” [except]
     - other school officials (under certain conditions)
     - schools to which student has applied
     - financial aid
     - Comptroller General of the U.S.
     - health or safety emergency
     - …
12. Gramm-Leach-Bliley, 15 U.S.C. §6801
   - “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”
   - Protects “consumers”
     - “individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes”
   - Applies to “nonpublic personal information”
   - Notice
     - no disclosure to unaffiliated third party w/o notice to consumer
   - Opt-out
     - consumer may elect to refuse disclosure
13. Remedies for Data Leak
   - What happens if a company collects personal data but does not secure it adequately?
   - Suppose hackers manage to steal the data (by committing a crime and breaking into the data system)?
   - Is the data collector liable for negligence?
   - What are the damages?
14. Pisciotta v. Old National Bancorp (7th Cir. Aug. 23, 2007)
   - Pisciotta was a customer of ONB
   - ONB solicited personal information from Pisciotta online
   - The ONB site was hosted by NCR Corporation
   - NCR’s facility was hacked through an intrusion that was “sophisticated, intentional and malicious”
   - Pisciotta filed a class action suit against ONB for failing to adequately protect personal information
   - There was no proof that any personal information had actually been stolen
   - No evidence of any identity theft
15. Pisciotta v. Old National Bancorp
   - Plaintiffs paid for credit monitoring to see whether their information had been misused
   - ONB moved for “judgment on the pleadings,” a legal step in which the court is asked to rule that even if everything the Plaintiff is saying is true there can still be no recovery
   - The District Court ruled for ONB because no injury had occurred
   - Indiana had a statute requiring notification for information breaches, not compensation or any standards of protection
   - Pisciotta appealed to the 7th Circuit
16. Pisciotta v. Old National Bancorp
   - Showing negligence requires proving a compensable injury
   - The legislature gave no hint that breaches not leading to provable injury should be compensable
   - Dismissal affirmed
17. Employer Surveillance
   - In general, surveillance by the employer is legal if
     - the computer being monitored belongs to the employer; or
     - the computer is connected to the employer’s network; and
     - even if communications are encrypted
   - McLaren v. Microsoft Corp., No. 05-97-00824 (Tex. Ct. App. May 28, 1999).
     - Employee used private password to encrypt email messages stored on office computer.
     - Company decrypted and viewed files.
     - Email account and workstation were provided for business use, so Microsoft could legitimately access data stored there.
   - Notice of Electronic Monitoring Act (CT)
     - Versions introduced in other states and Congress
18. Tiberino v. Spokane County, 13 P.3d 1104 (2000)
   - Gina Tiberino worked for Spokane County, WA
   - She misused her office computer for personal email and was fired
   - She threatened to sue; Spokane printed out her email (551 messages; 467 were personal)
   - The media requested copies
   - Tiberino sued to prevent disclosure
   - Held, the emails were “public records” but the contents were exempt from disclosure. The fact of the emails, not their contents, was of public interest
19. Anonymity (U.S.)
   - Freedom to publish anonymously is guaranteed by the First Amendment. McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995). Basis: Federalist Papers (1787-1788)
   - Are you anonymous if your ISP can be forced to identify you?
   - Currently a VERY HOT topic because of efforts of the recording industry to identify file swappers
     - Not strictly a privacy rights matter because the Digital Millennium Copyright Act specifically authorizes such subpoenas
20. Subpoenas to Identify
   - No privilege between a user and an ISP. But ISP may have standing to assert user’s rights, especially First Amendment rights
   - In re Subpoena Duces Tecum to America Online, Inc. (Anonymous Publicly Traded Co. v. Doe), Va. Cir. Ct., Fairfax Cty., Misc. Law No. 40570, 2/7/00
   - Company alleged it was defamed by an anonymous AOL subscriber
   - Company did not want to identify itself, but demanded in a subpoena that AOL identify the subscriber
   - (Underlying case was in Ohio; AOL is in Virginia)
21. Subpoenas to Identify
   - Lower court allowed the subpoena. Opinion.
   - Gave a test for subpoenas to identify a user:
     - are pleadings and evidence supplied to the court satisfactory?
     - does the party requesting the subpoena have a legitimate, good faith basis that it may be the victim of actionable conduct?
     - is identifying the subscribers central to advancing the claim?
22. America Online, Inc. v. Anonymous Publicly Traded Company, Record No. 000974
   - The Virginia Supreme Court REVERSED the decision to allow the anonymous subpoena. See opinion.
   - HELD, anonymous plaintiff could be given subpoena power only if it would suffer exceptional harm, such as social stigma, or extraordinary economic retaliation, as a result of exposing its identity
   - Company subsequently dropped the lawsuit
23. Tattered Cover, Inc. v. City of Thornton, Case 01SA205, Colorado Supreme Court, April 8, 2002
   - Tattered Cover is a bookstore in Denver, CO. Thornton is nearby.
   - Police believed a home in Thornton was housing drug operations
   - Search by warrant revealed drug equipment, 2 books on drug manufacture and a discarded package from the Tattered Cover
   - Police obtained a search warrant for sales records of the bookstore to learn who bought the drug books. Bookstore appealed.
   - Colorado Supreme Court held: “the First Amendment embraces the individual’s right to purchase and read whatever books she wishes to, without fear that the government will take steps to discover which books she buys, reads, or intends to read.”
   - Requires “compelling state need” and prior hearing before a warrant may issue against an “innocent” bookstore
24. Major Ideas
   - There is no general agreement on what data privacy is or ought to be
   - Privacy laws are a patchwork of incomplete and inconsistent federal and state statutes
   - Most state rights of privacy are very narrow
   - Federal law protects medical, financial and educational information
   - Failure to follow an announced privacy policy is a deceptive trade practice
25. Q & A
26. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
   - A “covered entity” may not use or disclose protected health information, except as permitted or required …
     - pursuant to … a consent … to carry out treatment, payment, or health care operations
     - pursuant to … an authorization
     - pursuant to … an agreement (opt-in)
     - [other provisions] 45 CFR §164.502
   - Health information that meets … specifications for de-identification … is considered not to be individually identifiable health information 45 CFR §164.502(d)
27. What HIPAA Protects
   - “Individually identifiable health information” is information that is a subset of health information, including demographic information collected from an individual, and: …
     - relates to … physical or mental health or condition of an individual; … provision of health care to an individual; or … payment for … health care to an individual; and
     - identifies the individual; or
     - with respect to which there is a reasonable basis to believe the information can be used to identify the individual 45 CFR §164.501
28. De-Identification
   - A covered entity may determine that health information is not individually identifiable only if: … the following identifiers of the individual or of relatives, employers, or household members of the individual are removed:
     - Names;
     - All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, …, except for the initial three digits of a zip code if …
     - All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 …
     - Telephone numbers; Fax numbers; email addresses; URLs; IP addresses
     - Social security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers;
     - Certificate/license numbers; vehicle identifiers, serial numbers, plate numbers;
     - Device identifiers and serial numbers;
     - Biometric identifiers, including finger and voice prints;
     - Full face photographic images and any comparable images; and
     - Any other unique identifying number, characteristic, or code; and
   - The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
   45 CFR §164.514
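The identifier list on this slide is, in effect, a filter specification, and it is worth seeing how little of a record survives it. The following Python is an added example, not part of the lecture and not anything HIPAA prescribes as code: it drops the direct identifiers outright, reduces dates to their year, truncates ZIP codes to the initial three digits, collapses ages over 89 into one bucket, and finishes with a regex pass over free-text fields that flags residual identifiers, a rough stand-in for the “no actual knowledge” clause. The field names, the set of “restricted” three-digit ZIP prefixes and the sample record are assumptions constructed for the example; the population condition that governs when three ZIP digits may be kept comes from 45 CFR §164.514(b)(2)(i)(B), which the slide elides.

```python
"""Safe Harbor style de-identification of a patient record (added example)."""
import re
from datetime import date
from typing import Any, Dict, FrozenSet, List, Optional

# Fields assumed to hold the identifiers the slide lists (names, geography below
# state level, contact details, record/account numbers, vehicle and device
# identifiers, biometrics, photographs). Schema names are this example's own.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "county", "precinct",
    "phone", "fax", "email", "url", "ip_address",
    "ssn", "medical_record_number", "health_plan_beneficiary_number",
    "account_number", "certificate_license_number", "vehicle_identifier",
    "license_plate", "device_serial", "biometric_id", "photo_ref",
})

# Dates directly related to the individual: only the year may be retained.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "date_of_death"})

# Deliberately simple patterns for identifiers that tend to leak into free text.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def zip3(zip_code: Optional[str], restricted_prefixes: FrozenSet[str]) -> Optional[str]:
    """Keep only the first three ZIP digits. The regulation allows that only when
    the three-digit area holds more than 20,000 people; callers pass the prefixes
    that fail the test and those are replaced by 000."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None  # malformed: drop rather than guess
    prefix = digits[:3]
    return "000" if prefix in restricted_prefixes else prefix


def year_only(value: Any) -> Optional[int]:
    """Reduce a date (date object or ISO string) to its year; unparseable values are dropped."""
    if isinstance(value, date):
        return value.year
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", str(value))
    return int(m.group(1)) if m else None


def generalize_age(age: Any) -> Optional[str]:
    """Ages over 89 are collapsed into a single '90+' bucket."""
    try:
        years = int(age)
    except (TypeError, ValueError):
        return None
    return "90+" if years > 89 else str(years)


def deidentify(record: Dict[str, Any],
               restricted_zip_prefixes: FrozenSet[str] = frozenset()) -> Dict[str, Any]:
    """Apply the Safe Harbor removals and generalizations to one record."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright
        if key in DATE_FIELDS:
            year = year_only(value)
            if year is not None:
                out[f"{key}_year"] = year
        elif key == "zip":
            z = zip3(value, restricted_zip_prefixes)
            if z is not None:
                out["zip3"] = z
        elif key == "age":
            bucket = generalize_age(value)
            if bucket is not None:
                out["age"] = bucket
        else:
            out[key] = value  # clinical content passes through
    return out


def residual_identifiers(record: Dict[str, Any]) -> List[str]:
    """Flag string fields that still look like they carry an identifier."""
    findings = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                findings.append(f"{key}: {label}")
    return findings


# Constructed, fictional sample record exercising each rule.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "street_address": "1 Example Way",
    "city": "Pittsburgh",
    "zip": "15213",
    "birth_date": "1931-04-15",
    "admission_date": "2007-08-23",
    "age": 93,
    "ip_address": "198.51.100.7",
    "diagnosis_code": "I10",
    "notes": "Outpatient follow-up, no complications.",
}

# Assumed restricted three-digit prefix for the example only.
RESTRICTED_ZIP3 = frozenset({"036"})

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, RESTRICTED_ZIP3)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned) or "none")
```

The record that comes out keeps only the diagnosis code, the free-text note, a three-digit ZIP, two bare years and an age bucket; everything else is gone. Treat the regex pass as a smoke test rather than a guarantee, because the clause it models asks whether the covered entity knows the remaining data can re-identify someone, which no pattern match can answer on its own.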