A general talk on privacy in early 2009, with quite a few slides summarizing the US National Research Council\'s report "Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment" that was issued in late 2008
11. COMMON ELEMENTS IN PRIVACY FRAMEWORKS http://usacm.acm.org/usacm/Issues/Privacy.htm http://www.ftc.gov/reports/privacy3/ http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html http://aspe.hhs.gov/DATACNCL/1973privacy/tocprefacemembers.htm Accountability (4 recommendations) Recourse and Remedies Enforcement, Accountability, Recourse Accountability and Auditing Security (2 recommendations) Data Security Security, Information Quality, and Integrity Data Quality and Integrity Security Access (3 recommendations), Accuracy (4 recommendations) Data Quality and Access Individual Participation and Access Individual Participation Minimization (5 recommendations), Consent (2 recommendations) Choice and Consent Choice and Consent Minimization Use Limitation Openness (6 recommendations) Notice and Disclosure Notice and Awareness Transparency Purpose Specification USACM Policy Recommendations on Privacy (2006) US FTC Simplified Principles (1998) OECD 1980 US Fair Information Practices (HEW 1973)
12.
13.
14. “ Short privacy notices” (Hunton & Williams) Reduce privacy policy to at most seven boxes in standard format Privacy advocates prefer check boxes Idea adopted at 2003 International Conference of Data Protection & Privacy Commissioners USG agencies interested for financial privacy notices HOW TO REACH US SCOPE Dated: May 28, 2002 Acme Company Privacy Notice Highlights For more information about our privacy policy, write to: Consumer Department Acme Company 11 Main Street Anywhere, NY 10100 Or go to the privacy statement on our website at acme.com. We collect information directly from you and maintain information on your activity with us, including your visits to our website. We obtain information, such as your credit report and demographic and lifestyle information, from other information providers. PERSONAL INFORMATION We use information about you to manage your account and offer you other products and services we think may interest you. We share information about you with our sister companies to offer you products and services. We share information about you with other companies, like insurance companies, to offer you a wider array of jointly-offered products and services. We share information about you with other companies so they can offer you their products and services. USES You may opt out of receiving promotional information from us and our sharing your contact information with other companies. To exercise your choices, call (800) 123-1234 or click on “choice” at ACME.com. YOUR CHOICES You may request information on your billing and payment activities. IMPORTANT INFORMATION This statement applies to Acme Company and several members of the Acme family of companies.
15. Checkbox proposal WE SHARE [DO NOT SHARE] PERSONAL INFORMATION WITH OTHER WEBSITES OR COMPANIES. Collection: YES NO We collect personal information directly from you We collect information about you from other sources: We use cookies on our website We use web bugs or other invisible collection methods We install monitoring programs on your computer Uses: We use information about you to: With Your Without Your Consent Consent Send you advertising mail Send you electronic mail Call you on the telephone Sharing: We allow others to use your information to : With Your Without Your Consent Consent Maintain shared databases about you Send you advertising mail Send you electronic mail Call you on the telephone N/A N/A Access: You can see and correct {ALL, SOME, NONE} of the information we have about you. Choices: You can opt-out of receiving from Us Affiliates Third Parties Advertising mail Electronic mail Telemarketing N/A Retention: We keep your personal data for: { Six Months Three Years Forever} Change: We can change our data use policy {AT ANY TIME, WITH NOTICE TO YOU, ONLY FOR DATA COLLECTED IN THE FUTURE} Source: Robert Gellman, July 3, 2003
18. Managing Identity in the Future Much more social networking (too much?) Used without asking permission of (that) Lance Hoffman or his friends Hackers' Latest Target: Social Networking Sites By Brian Krebs Washingtonpost.com Staff Writer Saturday, August 9, 2008; D01 LAS VEGAS -- Social networking sites such as Facebook, MySpace and LinkedIn are fast emerging as some of the most fertile grounds for malicious software, identity thieves and online mischief-makers. And while some of the talks given here at Black Hat, one of the larger hacker conferences in the country, would probably make most people want to avoid the sites altogether, it turns out that staying off these networks may not be the safest option, either. … Paradoxically, there may be a danger in remaining a social networking site Luddite. After all, if you don't claim a space on these networks, someone else may do it for you as a way of scamming or attacking your friends and business contacts. With the permission and good humor of security pioneer Marcus Ranum, Hamiel and Moyer created a LinkedIn profile on Ranum's behalf, including a photo of him and bits from his résumé to make the profile look legit. In less than 24 hours, more than 50 people had joined his LinkedIn network. Among those taken in by the stunt was Ranum's sister.
19.
20.
21.
22. Building a System that Manages Identity Adopt Trust-Enhancing Measures Privacy is in the Security Development Lifecycle for Computer Software So get to know and work with your security people; suggest using something like the following to build security and privacy together.
23.
24.
25. Is this social or professional networking or both, and does it matter, and if so, why? Used with permission of my friend Harriet Pearson USE CDM I