Title: Digital Personal Privacy
1Digital Personal Privacy
- Legal/Policy Issues group
- Jody R. Shaw - Thomas E. Litchfield - Italo I.
Dacosta - Khalid M. Alzarouni - Matthew E. Winters
- CS4235 B Fall 2005
2Outline
- Introduction
- Government pro-privacy initiatives
- Government threats to privacy
- Private pro-privacy initiatives
- Private threats to privacy
- Conclusions
3Definition
- Privacy definition
- Protection of our secrets and our personal space
- Digital Personal Privacy
- Protection of our information in digital format
from unauthorized access, collection, and misuse
4Importance
- The U.S. Constitution
- Fourth Amendment (1789-1791)
- The Right to Privacy
- Warren and Brandaris (1890)
- Universal Declaration of Human Rights
- Article 12 (UN 1948)
5The problem
- Digital information is more difficult to protect
or control - Threats
- Technology
- Government
- Private sector
6The problem
- CBS News Poll Privacy Rights Under Attack
- 52 percent think the right to privacy is under
serious threat - Annenberg Public Policy Center Survey
- Most Americans who use the Internet have little
idea how vulnerable they are to abuse by online
and offline marketers - the majority of adults who use the internet do
not know where to turn for help if their personal
information is used illegally online or offline
7Our project
- Digital Personal Privacy Website
- A reference website
- Actors-based approach
- Serve to any individual who maintains an interest
in personal digital privacy and the policies
related to it
8Outline
- Introduction
- Government pro-privacy initiatives
- Government threats to privacy
- Private pro-privacy initiatives
- Private threats to privacy
- Conclusions
9Government Pro-Privacy Initiatives
- Public education, policy enforcement
- FTC
- Legislation
- GLBA
- HIPPA
- FCRA
- FERPA
- Identity Theft and Deterrence Act
10FTC
- Public education
- Maintains several websites for consumers
- Part of overall consumer advocate mission
- Policy enforcement
- Stems from section five of 1914 law
- Bans unfair or deceptive practices
- Ensures companies comply with self-made privacy
policies
11GLBA
- Targets financial institutions
- Safeguards rule
- Requires creation of security plan
- Privacy rule
- Requires companies to disclose information
sharing policy - Differentiates between consumers and
customers - Based on opt out principle
12HIPAA
- Protects health information
- Security rule
- Requires implementation of administrative,
physical, and technical safeguards - Privacy rule
- Allows patients access to records
- Requires issuance of privacy policies
13FCRA
- Regulates consumer reporting agencies (CRAs)
- Limits use of credit information
- Sets standards for security of such information
- Recently amended by FACTA (2003)
14FERPA
- Limits disclosure of educational records
- Students can access, correct, and restrict
records - Institutions cannot disclose personally
identifiable information - Makes no distinction between physical and
electronic records - Recent incident at Tech
15Identity Theft
- ..and Deterrence Act of 1998
- Makes ID theft a federal crime
- Charges several federal and state agencies with
task of enforcement - College students especially at risk
- Many resources available
16Outline
- Introduction
- Government pro-privacy initiatives
- Government threats to privacy
- Private pro-privacy initiatives
- Private threats to privacy
- Conclusions
17Government Threats to Privacy
- Discussion Outline
- Topic Introduction
- United States Patriot Act
- Controversial Sections of the Patriot Act
- Total Information Awareness Program
- National I.D. Card Program
18United States Patriot Act
- Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and
Obstruct Terrorism - Signed into law by President Bush on October 26,
2001 - Direct response to September 11th terrorist
attacks - An extension of powers granted to the Government
by three previous Acts - Foreign Intelligence Surveillance Act of 1978
(FISA) - Uniting and Strengthening America Act
- Financial Anti-Terrorism Act
19Controversial Sections of the United States
Patriot Act
- Section 215
- Allows the Government to conduct a search and
seizure without your knowledge and without
probable cause - Any tangible thing Medical, financial,
library, church, travel, phone - The Fourth Amendment does not protect you
- Section 213
- The Sneak and Peek Section Allows the
Government to conduct secret searches on people
in any criminal investigation - Not just linked to terrorism anymore
20Controversial Sections of the United States
Patriot Act
- Section 214
- Pen Registers and Tap and Trace on telephone
calls - Any criminal investigation with no need for
probable cause - Section 216 is the same concept, applied to the
Internet and email - Section 206
- Roving Wire Taps
- Allows the Government to tap any phone or
computer the suspect may use, not just what they
are currently using - Tap a neighborhood not just one phone
- Potential for abuse when non-suspects use the
device
21Controversial Sections of the United States
Patriot Act
- Sunsets on the Patriot Act
- Sunset provision to the Act that could terminate
sixteen of the most controversial sections on
December 31, 2005 - Voted on by Congress in the Summer of 2005
- Fourteen sections written into permanent law
- Two sections (215 and 206) extended for 10
additional years
22Total Information Awareness
- Created in 2002 by the Defense Advanced Research
Projects Agency (DARPA) - Program headed up by John Poindexter
(Iran-Contra) - Intent was to create a data warehouse that
collected massive amounts of data on US Citizens - Human analysis and mathematical algorithms looked
for patterns in the data that could identify
terrorists - Compared to East Germanys secret police and
Cubas block watch system - Program was doomed from the start and negative
public reaction ended the program in 2003
23National I.D. Card Program
- Every US Citizen required to carry a national ID
Card - Cards would be linked to a centralized database
similar to the Total Information Awareness
Program - Developed as a way to quickly identify
citizenship and a method for tracking terrorists - Opponents to program argue one stop shopping
for criminals - Many terrorists are not US Citizens and their
home country may or may not have a similar ID
card program - Program is still being pursued in the form of
incremental additions such as the trusted
traveler card
24Outline
- Introduction
- Government pro-privacy initiatives
- Government threats to privacy
- Private pro-privacy initiatives
- Private threats to privacy
- Conclusions
25Private Pro-privacy Initiatives
- Raise consumers' awareness of how technology
affects personal privacy - Provide reports, testimony speeches for public,
media and policy makers - Respond to privacy-related issues provide tools
on privacy protection
26Private Pro-privacy Initiatives
- Non-profit Organizations
- US-based
- Digital Privacy-focused
- Privacy Issues and Actions
- Threats risks that technology/policy can pose
to personal privacy - Practical supports for individuals
- Online Resources
- Up-to-dated information and analysis
- Technical and privacy guides
27Private Pro-privacy Initiatives Major Non-profit
Organizations
- Privacy Rights Clearinghouse
- Focus on consumer information and advocacy
- Online investing frauds
- Electronic Privacy Information Center
- Defending civil liberties on digital world
- Rights of Internet users P3P protocol
28Private Pro-privacy Initiatives Major Non-profit
Organizations
- Center for Democracy and Tech
- Educating public on Internet privacy
- Legislative center, and policy news
- Focus on public policy solutions
- Protecting consumers against adware companies
- E-mail privacy and new act for personal
information protection
29Private Pro-privacy Initiatives Privacy Issues
and Actions
- Phishing and Identity Theft
- Identity Theft Resource Center (ITRC)
- Identify prevent Phishing scams Techniques
- E.g. Western Union Scam
- Financial Privacy
- GLB Act (Financial Services Modernization)
- E.g. www.zabasearch.com and Opt-out
30Private Pro-privacy Initiatives Privacy Issues
and Actions
- Spam Scam
- Spoof websites
- Trojan Emails
31Private Pro-privacy Initiatives
- Online Resources
- Privacy Survival Guide by PRC
- To become best privacy protector
- More than 20 privacy tips
- Practical Privacy Tools by EPIC
- Snoop Proof Email, Personal Firewalls
- HTML Filters, Password Security
- APWG Phishing Activity Trends Report
- Phishing reports sites received
- Vulnerable, hijacked brands and sites
- Sites host Identity theft attacks
32Outline
- Introduction
- Government pro-privacy initiatives
- Government threats to privacy
- Private pro-privacy initiatives
- Private threats to privacy
- Conclusions
33 Private Threats to Privacy
- Malware
- Individuals or Companies collect information
about and steal data from end users - Data Theft from Information Warehouses
- Individuals break into database or pose as
legitimite recievers of data - Privacy Violations by Well-Known Companies
- Violations of Privacy Policies
- Compromisation of Anonymity
- Bad Privacy Policies
34Malware
- Actions range from collection of browsing habits
to identity theft - Can return keystrokes, logs, and files from
users computers to the controlling entities - Two main distribution methods
- Bundled with legitimate software
- e.g., Download a useful program, during install a
malware program is also installed, but secretly - Useful program actively spies on you
- Bonzi Buddy is the classic example, one of the
earliest programs to do so
35Recent Spyware Bust
- Enterment Media Inc., Conspy Co. Inc, and
Iwebtunes shut down November 10th for
distributing spyware. - Iwebtunes included the spyware with a program
that plays background music on blogs. - Enterment and Conspy both bundled their software
with music files, song lyrics, and cellular
telephone ring tones offered free on several web
sites.
36ChoicePoint
- Sold between 145 and 400 thousand records to an
identity theft ring. - Incident surfaced this past February.
- The thieves used social engineering to pose as a
legitimate receiver for the data. - Target of various consumer interest groups for
potentially violating the Fair Credit Reporting
Act - ChoicePoint sells dossiers that are extremely
similar to credit reports. - However, the information is sold
restriction-free, unlike credit reports.
37LexisNexis
- 30,000 records reported stolen this March
- Figure raised to 310,000 in April
- Database was breached due to misappropriation by
third parties of IDs and passwords from
legitimate customers. - Various personal data was stolen, but financial
and medical records were not.
38 JetBlue and Torch Concepts
- JetBlues websites privacy policy stated that
information collected on it would never be
shared. - JetBlue ignored their own privacy policy in 2003
when passing approximately five million records
to Torch Concepts, a DoD contractor. - Torch Concepts combined the records from JetBlue
with demographic information from Axicom. - This created a dataset in which gender, home
specifics (renter/owner), years at residence,
income, number of children, SSN, occupations,
vehicles owned, and more for 40 of the
passengers in the JetBlue database.
39Yahoo! In China
- In June 2004, the Chinese Communist party sent
out a message to journalists regarding potential
social unrest related to the 15th anniversery of
the Tienamen Square massacre. - In April, Chinese journalist Shi Tao was jailed
for divulging state secrets. - Tao was found guilty of emailing out parts of the
message to foreign-based websites - The Chinese government got Yahoo! to help out.
- Yahoo linked Shi Tao to the email, which lead to
his conviction.S
40Microsoft Passport
- Passport was hailed as employing a single
sign-on system to facilitate e-commerce and
browsing among different websites that require a
user to identify oneself" by Microsoft. - After sign-in, the user's info is automatically
be passed on to any other site that is part of
the Passport network. - All Hotmail users were automatically signed up
for Passport in 2001, and all who signed up
afterwards are forced to get an MS Passport, with
no ability to opt-out.
41Microsoft Hailstorm
- Microsoft looked into including with Windows XP a
Passport-like service codenamed Hailstorm. - My Address, My Profile, My Contacts, My
Notifications, My Inbox, My Calendar, My
Documents, My Application Settings, My Wallet, My
Usage, and My Location. were to be a part of the
proposed system. - All of this information, for each and every user,
would be stored on a central database, just like
Microsoft Passport information.
42Outline
- Introduction
- Government pro-privacy initiatives
- Government threats to privacy
- Private pro-privacy initiatives
- Private threats to privacy
- Conclusions
43Conclusions
- Education and awareness
- More personal recourse, enforcement
- Additional legislation
- Online personal information
- Data collection
- Public discourse on balance between national
security and privacy