Digital Personal Privacy - PowerPoint PPT Presentation

About This Presentation
Title:

Digital Personal Privacy

Slides: 44
Provided by: admi620

Transcript and Presenter's Notes

Title: Digital Personal Privacy


1
Digital Personal Privacy
  • Legal/Policy Issues group
  • Jody R. Shaw - Thomas E. Litchfield - Italo I.
    Dacosta
  • Khalid M. Alzarouni - Matthew E. Winters
  • CS4235 B Fall 2005

2
Outline
  • Introduction
  • Government pro-privacy initiatives
  • Government threats to privacy
  • Private pro-privacy initiatives
  • Private threats to privacy
  • Conclusions

3
Definition
  • Privacy definition
  • Protection of our secrets and our personal space
  • Digital Personal Privacy
  • Protection of our information in digital format
    from unauthorized access, collection, and misuse

4
Importance
  • The U.S. Constitution
  • Fourth Amendment (1789-1791)
  • The Right to Privacy
  • Warren and Brandeis (1890)
  • Universal Declaration of Human Rights
  • Article 12 (UN 1948)

5
The problem
  • Digital information is more difficult to protect
    or control
  • Threats
  • Technology
  • Government
  • Private sector

6
The problem
  • CBS News Poll: Privacy Rights Under Attack
  • 52 percent think the right to privacy is under
    serious threat
  • Annenberg Public Policy Center Survey
  • Most Americans who use the Internet have little
    idea how vulnerable they are to abuse by online
    and offline marketers
  • The majority of adults who use the Internet do
    not know where to turn for help if their personal
    information is used illegally online or offline

7
Our project
  • Digital Personal Privacy Website
  • A reference website
  • Actor-based approach
  • Serves any individual who maintains an interest
    in personal digital privacy and the policies
    related to it

8
Outline
  • Introduction
  • Government pro-privacy initiatives
  • Government threats to privacy
  • Private pro-privacy initiatives
  • Private threats to privacy
  • Conclusions

9
Government Pro-Privacy Initiatives
  • Public education, policy enforcement
  • FTC
  • Legislation
  • GLBA
  • HIPAA
  • FCRA
  • FERPA
  • Identity Theft and Deterrence Act

10
FTC
  • Public education
  • Maintains several websites for consumers
  • Part of overall consumer advocate mission
  • Policy enforcement
  • Stems from section five of 1914 law
  • Bans unfair or deceptive practices
  • Ensures companies comply with self-made privacy
    policies

11
GLBA
  • Targets financial institutions
  • Safeguards rule
  • Requires creation of security plan
  • Privacy rule
  • Requires companies to disclose information
    sharing policy
  • Differentiates between consumers and
    customers
  • Based on opt out principle

12
HIPAA
  • Protects health information
  • Security rule
  • Requires implementation of administrative,
    physical, and technical safeguards
  • Privacy rule
  • Allows patients access to records
  • Requires issuance of privacy policies

13
FCRA
  • Regulates consumer reporting agencies (CRAs)
  • Limits use of credit information
  • Sets standards for security of such information
  • Recently amended by FACTA (2003)

14
FERPA
  • Limits disclosure of educational records
  • Students can access, correct, and restrict
    records
  • Institutions cannot disclose personally
    identifiable information
  • Makes no distinction between physical and
    electronic records
  • Recent incident at Tech

15
Identity Theft
  • ...and Deterrence Act of 1998
  • Makes ID theft a federal crime
  • Charges several federal and state agencies with
    task of enforcement
  • College students especially at risk
  • Many resources available

16
Outline
  • Introduction
  • Government pro-privacy initiatives
  • Government threats to privacy
  • Private pro-privacy initiatives
  • Private threats to privacy
  • Conclusions

17
Government Threats to Privacy
  • Discussion Outline
  • Topic Introduction
  • United States Patriot Act
  • Controversial Sections of the Patriot Act
  • Total Information Awareness Program
  • National I.D. Card Program

18
United States Patriot Act
  • Uniting and Strengthening America by Providing
    Appropriate Tools Required to Intercept and
    Obstruct Terrorism
  • Signed into law by President Bush on October 26,
    2001
  • Direct response to September 11th terrorist
    attacks
  • An extension of powers granted to the Government
    by three previous Acts
  • Foreign Intelligence Surveillance Act of 1978
    (FISA)
  • Uniting and Strengthening America Act
  • Financial Anti-Terrorism Act

19
Controversial Sections of the United States
Patriot Act
  • Section 215
  • Allows the Government to conduct a search and
    seizure without your knowledge and without
    probable cause
  • Any tangible thing: medical, financial,
    library, church, travel, phone
  • The Fourth Amendment does not protect you
  • Section 213
  • The "Sneak and Peek" section: allows the
    Government to conduct secret searches on people
    in any criminal investigation
  • Not just linked to terrorism anymore

20
Controversial Sections of the United States
Patriot Act
  • Section 214
  • Pen Registers and Trap and Trace on telephone
    calls
  • Any criminal investigation with no need for
    probable cause
  • Section 216 is the same concept, applied to the
    Internet and email
  • Section 206
  • Roving Wire Taps
  • Allows the Government to tap any phone or
    computer the suspect may use, not just what they
    are currently using
  • Tap a neighborhood, not just one phone
  • Potential for abuse when non-suspects use the
    device

21
Controversial Sections of the United States
Patriot Act
  • Sunsets on the Patriot Act
  • Sunset provision to the Act that could terminate
    sixteen of the most controversial sections on
    December 31, 2005
  • Voted on by Congress in the Summer of 2005
  • Fourteen sections written into permanent law
  • Two sections (215 and 206) extended for 10
    additional years

22
Total Information Awareness
  • Created in 2002 by the Defense Advanced Research
    Projects Agency (DARPA)
  • Program headed up by John Poindexter
    (Iran-Contra)
  • Intent was to create a data warehouse that
    collected massive amounts of data on US Citizens
  • Human analysis and mathematical algorithms looked
    for patterns in the data that could identify
    terrorists
  • Compared to East Germany's secret police and
    Cuba's block watch system
  • Program was doomed from the start and negative
    public reaction ended the program in 2003

23
National I.D. Card Program
  • Every US Citizen required to carry a national ID
    Card
  • Cards would be linked to a centralized database
    similar to the Total Information Awareness
    Program
  • Developed as a way to quickly identify
    citizenship and a method for tracking terrorists
  • Opponents of the program argue it offers
    "one-stop shopping" for criminals
  • Many terrorists are not US Citizens and their
    home country may or may not have a similar ID
    card program
  • Program is still being pursued in the form of
    incremental additions such as the trusted
    traveler card

24
Outline
  • Introduction
  • Government pro-privacy initiatives
  • Government threats to privacy
  • Private pro-privacy initiatives
  • Private threats to privacy
  • Conclusions

25
Private Pro-privacy Initiatives
  • Raise consumers' awareness of how technology
    affects personal privacy
  • Provide reports, testimony, and speeches for the
    public, media, and policy makers
  • Respond to privacy-related issues and provide
    tools for privacy protection

26
Private Pro-privacy Initiatives
  • Non-profit Organizations
  • US-based
  • Digital Privacy-focused
  • Privacy Issues and Actions
  • Threats and risks that technology/policy can pose
    to personal privacy
  • Practical supports for individuals
  • Online Resources
  • Up-to-date information and analysis
  • Technical and privacy guides

27
Private Pro-privacy Initiatives: Major Non-profit
Organizations
  • Privacy Rights Clearinghouse
  • Focus on consumer information and advocacy
  • Online investing frauds
  • Electronic Privacy Information Center
  • Defending civil liberties in the digital world
  • Rights of Internet users and the P3P protocol

28
Private Pro-privacy Initiatives: Major Non-profit
Organizations
  • Center for Democracy and Tech
  • Educating public on Internet privacy
  • Legislative center, and policy news
  • Focus on public policy solutions
  • Protecting consumers against adware companies
  • E-mail privacy and new act for personal
    information protection

29
Private Pro-privacy Initiatives: Privacy Issues
and Actions
  • Phishing and Identity Theft
  • Identity Theft Resource Center (ITRC)
  • Identify and prevent phishing scams and techniques
  • E.g. Western Union Scam
  • Financial Privacy
  • GLB Act (Financial Services Modernization)
  • E.g. www.zabasearch.com and Opt-out

30
Private Pro-privacy Initiatives: Privacy Issues
and Actions
  • Spam and Scams
  • Spoof websites
  • Trojan Emails

31
Private Pro-privacy Initiatives
  • Online Resources
  • Privacy Survival Guide by PRC
  • To become the best privacy protector
  • More than 20 privacy tips
  • Practical Privacy Tools by EPIC
  • Snoop Proof Email, Personal Firewalls
  • HTML Filters, Password Security
  • APWG Phishing Activity Trends Report
  • Phishing reports and sites received
  • Vulnerable, hijacked brands and sites
  • Sites hosting identity theft attacks

32
Outline
  • Introduction
  • Government pro-privacy initiatives
  • Government threats to privacy
  • Private pro-privacy initiatives
  • Private threats to privacy
  • Conclusions

33
Private Threats to Privacy
  • Malware
  • Individuals or companies collect information
    about and steal data from end users
  • Data Theft from Information Warehouses
  • Individuals break into databases or pose as
    legitimate receivers of data
  • Privacy Violations by Well-Known Companies
  • Violations of Privacy Policies
  • Compromise of Anonymity
  • Bad Privacy Policies

34
Malware
  • Actions range from collection of browsing habits
    to identity theft
  • Can return keystrokes, logs, and files from
    users' computers to the controlling entities
  • Two main distribution methods
  • Bundled with legitimate software
  • e.g., you download a useful program, and during
    installation a malware program is secretly
    installed as well
  • Useful program actively spies on you
  • Bonzi Buddy is the classic example, one of the
    earliest programs to do so

35
Recent Spyware Bust
  • Enternet Media Inc., Conspy Co. Inc., and
    Iwebtunes shut down November 10th for
    distributing spyware.
  • Iwebtunes included the spyware with a program
    that plays background music on blogs.
  • Enternet and Conspy both bundled their software
    with music files, song lyrics, and cellular
    telephone ring tones offered free on several web
    sites.

36
ChoicePoint
  • Sold between 145 and 400 thousand records to an
    identity theft ring.
  • Incident surfaced this past February.
  • The thieves used social engineering to pose as a
    legitimate receiver for the data.
  • Target of various consumer interest groups for
    potentially violating the Fair Credit Reporting
    Act
  • ChoicePoint sells dossiers that are extremely
    similar to credit reports.
  • However, the information is sold
    restriction-free, unlike credit reports.

37
LexisNexis
  • 30,000 records reported stolen this March
  • Figure raised to 310,000 in April
  • Database was breached due to misappropriation by
    third parties of IDs and passwords from
    legitimate customers.
  • Various personal data was stolen, but financial
    and medical records were not.

38
JetBlue and Torch Concepts
  • JetBlue's website's privacy policy stated that
    information collected on it would never be
    shared.
  • JetBlue ignored their own privacy policy in 2003
    when passing approximately five million records
    to Torch Concepts, a DoD contractor.
  • Torch Concepts combined the records from JetBlue
    with demographic information from Acxiom.
  • This created a dataset containing gender, home
    specifics (renter/owner), years at residence,
    income, number of children, SSN, occupations,
    vehicles owned, and more for 40 of the
    passengers in the JetBlue database.

39
Yahoo! In China
  • In June 2004, the Chinese Communist party sent
    out a message to journalists regarding potential
    social unrest related to the 15th anniversary of
    the Tiananmen Square massacre.
  • In April, Chinese journalist Shi Tao was jailed
    for divulging state secrets.
  • Tao was found guilty of emailing out parts of the
    message to foreign-based websites
  • The Chinese government got Yahoo! to help out.
  • Yahoo! linked Shi Tao to the email, which led to
    his conviction.

40
Microsoft Passport
  • Microsoft hailed Passport as employing a single
    sign-on system to facilitate e-commerce and
    browsing among different websites that require a
    user to identify oneself.
  • After sign-in, the user's info is automatically
    passed on to any other site that is part of
    the Passport network.
  • All Hotmail users were automatically signed up
    for Passport in 2001, and all who signed up
    afterwards are forced to get an MS Passport, with
    no ability to opt-out.

41
Microsoft Hailstorm
  • Microsoft looked into including with Windows XP a
    Passport-like service codenamed Hailstorm.
  • My Address, My Profile, My Contacts, My
    Notifications, My Inbox, My Calendar, My
    Documents, My Application Settings, My Wallet, My
    Usage, and My Location were to be a part of the
    proposed system.
  • All of this information, for each and every user,
    would be stored on a central database, just like
    Microsoft Passport information.

42
Outline
  • Introduction
  • Government pro-privacy initiatives
  • Government threats to privacy
  • Private pro-privacy initiatives
  • Private threats to privacy
  • Conclusions

43
Conclusions
  • Education and awareness
  • More personal recourse, enforcement
  • Additional legislation
  • Online personal information
  • Data collection
  • Public discourse on balance between national
    security and privacy