Privacy and Security

Shh… be very very quiet

Fluency with Information Technology, INFO100 and CSE100

Katherine Deibel, 2012-05-11


Two Related Ideas

Privacy: controlling who has access to specific information

Security: ensuring availability and privacy of access to specific information

This is all about data management

What is the data?

Where is it stored?

Who can access it?

How can you access it?


Security in Brief

Two aspects to security:

Controlling who has access

Ensuring that they have access

Ensuring access is often overlooked

What would you do if you lost your cellphone and its phonebook?

What if your hard drive crashes?


Backing Up

It is always a good idea to make backups of important data

Rules for backing up:

Do it frequently

Back up only recent changes (saves more space than copying everything)

Keep the backups physically separate from the originals

Choose media that you will continue to have the technology to access


The Cloud

The idea of the cloud:

Move computation off of local machines to the Internet

Applications provided as web services by cloud providers

Provides access wherever and whenever one can get online


Security, Privacy, and the Cloud

Is the cloud a good place to store your personal data?

Is it secure?

Does it guarantee your privacy?

Is it reliable?


We will come back to these questions later


Information and Privacy

Shocking stories of Victorian intrigue!


Mother is secretly half-Welsh?!?


Information Society

We live in an information society

Easy to collect, store, search, and manipulate data on record scales

Every action we do generates information:

Using a library

Purchasing from a store

Flying on a plane

Doing homework

Paying taxes


The BIG QUESTIONS

Who owns the information?

What can you/they do with it?

How do you manage and protect your information?

Who and what are you protecting it from?

What needs to be protected?

What needs to be managed?


The Bookstore Example

You buy a book: Cooking with Red Meat, Cheese, Lard & Beer

The store has a record of the purchase

How they may use it:

Ignore it

Recommend books to you

Target advertising

Give this information to others (your health insurance company)


Implications

What if the book was a gift?

Recommendations become poorer

Advertising will reach the wrong market

Interpretation of the book's meaning:

Do I want to eat fatty foods?

Am I studying high-fat cuisines?


One scenario….

Pizza Palace: http://aclu.org/pizza/images/screen.swf


Ask yourself…

Did that video bother you?

Is it a realistic future?

If yes, do you want that future?

If no, how much do you think could become a reality and do you want it?

Most importantly, what do we mean when we say we want some information to remain private?


Portable Cameras of 1890s

Cheaper cameras

Faster film speeds

Less sitting time


What Is Privacy?

S. D. Warren & L. D. Brandeis (1890). The Right to Privacy. Harvard Law Review, 4(5), pp. 193-220.

"The common law secures to each individual the right of determining, ordinarily, to what extent his thoughts, sentiments and emotions shall be communicated to others. Under our system of government he can never be compelled to express them (except upon the witness stand); and even if he has chosen to give them expression, he generally retains the power to fix the limits of the publicity that shall be given them."


What Is Privacy?

S. D. Warren & L. D. Brandeis (1890). The Right to Privacy. Harvard Law Review, 4(5), pp. 193-220.

"The narrower doctrine [of privacy] may have satisfied the demands of society at a time when the abuse to be guarded against could barely have arisen without violating a contract or a special confidence; but modern devices afford abundant opportunities for the perpetration of wrongs without the participation of the injured party."


Implications

Warren & Brandeis's argument is a critical observation about society and new technologies:

The adoption of new technologies affects the interactions of people in society and therefore necessitates reviewing laws and rights in regards to the new technologies.


Eyeglasses and Nerds

A historical diversion


History of Eyeglasses

China, ≈1 CE: As eye protection

Italy, 1260s: For farsightedness

Europe, 1500s: For nearsightedness

Britain, 1725: Modern frame invented

U.S.A., 1780s: Bifocals invented

Britain, 1825: For astigmatisms


Historical Eyeglasses

“Glasses are very disfiguring to women and girls.” From a 1901 optician journal

Glasses not for public use

Used only for brief moments

Led to quick-use optics:

monocle

lady’s lorgnette

pince-nez

scissor glasses


Except…

Scholars and academics

The clergy

The Spanish

THUS… THE ASSOCIATION OF GLASSES WITH INTELLECTUAL PURSUITS!!!


Spain?

Glasses were popular

Higher classes wore larger lenses


Portrait of a Cardinal, Probably Cardinal Don Fernando Niño de Guevara (1541–1609), by El Greco


Clergy member + poor vision + reading Latin texts + eyeglasses = continuous use

Aristocrat + poor vision + reading a playbill + eyeglasses = brief use

+ In Spain = continuous use

Think about it…


Point of Historical Sidetrack

Technology usage shapes people’s perceptions of the users

Culture and society shape how, when, and if a technology is used


Defining Privacy

I want to tell you but…


A Definition

What does “privacy” mean in the modern world?

The right of people to choose freely under what circumstances and to what extent they will reveal themselves, their attitude, and their behavior to others

Privacy is a right

You control when & how much is revealed

Point of this lecture: You can and should have a lot of privacy by using this control


Using Collected Information

The collector can’t use it after the business purpose is over

The collector can use it, if you approve (OPT-IN)

The collector can use it, unless you object (OPT-OUT)

The collector can use information no matter what


Fair Information Practices

The Organization for Economic Cooperation and Development (OECD) defined the “gold standard” for fair information practices

Principles:

Limited Collection

Quality

Purpose

Use Limitation

Security

Openness

Participation

Accountability

Limited Collection Principle

There should be limits to the personal data collected about anyone

Collect data by fair and lawful means

Collect data with the knowledge and consent of the person whenever appropriate and possible


Quality Principle

Personal data gathered should be:

Relevant to the purposes for which it is used

Accurate, complete, and up-to-date


Purpose Principle

The purposes for collecting personal data should be stated at the time it is collected

The uses should be limited to only those purposes


Use Limitation Principle

Personal data should not be disclosed or used for purposes other than stated in the Purpose Principle

Exceptions:

With the consent of the individual

By the authority of law


Security Principle

Personal data should be protected by reasonable security measures against:

Risks of disclosure

Unauthorized access

Misuse

Modification

Destruction

Loss


Openness Principle

There should be a general openness of the policies and practices about personal data collection

Should be possible to know of its existence, kind, and purpose of use

Should be able to learn the identity and contact information of the data controller


Participation Principle

An individual should be able to:

Determine whether the data controller has information about him or her

Discover what it is in an understandable form, in a timely manner, and at a reasonable charge

Request data to be erased, completed, or changed

If any of the inquiries above are denied, the individual should be able to:

Learn about the reasons for the denial

Challenge the denial if so desired


Accountability Principle

The data controller should be accountable for complying with these principles

Policies, legislation, and laws to back up the need to be held accountable


Europe vs America

EU, much of non-EU Europe, NZ, Hong Kong, Australia, and Canada use OECD

Both government and private purposes

U.S. privacy law does not use the OECD

U.S. privacy law for government information is generally strong

U.S. privacy law for business is “sectoral”, meaning it is limited to sectors and specific business practices


U.S. Businesses and Privacy

Very few industries/practices have explicit privacy rules

Almost anything goes

Opting-out is the general approach

Recent federal law for medical data:

HIPAA: Health Insurance Portability and Accountability Act of 1996

PSQIA: The Patient Safety and Quality Improvement Act of 2005


Think About It

EU law says, “Info on EU citizens must comply with OECD on leaving EU”

U.S. privacy is so bad, EU information cannot come here

U.S.-EU are in constant negotiations


Some Info is Protected

Family Educational Rights & Privacy Act

As a general rule the University will not release a student’s educational records to a third party without written consent of the student. This includes tuition account information.

Even includes practices of returning homework and reporting grades


Some Info is Protected

UW Libraries Privacy Policy

The University of Washington Libraries values the privacy of library users. The Libraries seeks to minimize the collection and retention of personally identifiable information.

When information is not kept, it cannot be abused.


Digital Privacy

Most reputable online businesses post privacy statements on their sites

Should be understandable to you

Say what info they collect,

Say what they will do with it

How to "opt-out" or "opt-in"


Digital Privacy

Unfortunately, there is:

Little if any government policing

Lack of resources for filing complaints

Few penalties for violations


Independent Auditors

Private firms and organizations monitor and report privacy violations

TRUSTe

Better Business Bureau

Social networking and public opinion can force companies to comply


Real Networks in 1999

What they did:

Secretly gathered data on people’s personal music tastes

Encrypted the info so no one would know

Didn’t mention it in their privacy statement

They were caught:

Changed privacy statement

Major loss in usage

Permanent marring of public trust

Further Privacy Issues

Cookies and grocery shopping


Cookies

A cookie is a record stored on your computer by a Web server

The cookie is usually a unique ID that allows the server to remember who you are

Improves Web experience

[Diagram: one server and several clients. The server's record reads "4.95.142.16: 210465: Chris, Dating for Total Dummies"; the client stores cookie 210465; a form on the client has Name: Chris and Book: Dating.]


Cookies are Good (and Yummy)

Cookies are used by many sites and they make Web usage much better

Many sites use cookies for history and logins

Banking and credit card applications cannot be secure enough without cookies

If all privacy laws met OECD standards:

Cookies would be all good

No one but computer scientists would know about them


Cookies are Bad (too sugary)

Cookies can be stored in your computer by sites you have not visited: 3rd party

▪ 3rd Party Cookies come from a site in business with the site you visit, e.g. for ads

▪ 3rd party cookies allow info to be correlated

[Diagram: Client Chris stores three cookies: ABC site: 210465, DEF site: 4491027, 3rdParty: 666-666. Server ABC holds Chris, Cookie: 210465. Server DEF holds Chris, Cookie: 4491027. Server 3rd holds 123, Cookie: 666-666.]


Correlating Cookies

The 3rd party cookie becomes the key (literally, in DB sense) to join (in DB sense) the info held by separate companies

Company ABC Database

Customer   Cookie    Ad Agcy   Data1   Data 2   ...
Chris      210465    666-666   val 1   val 2

Company DEF Database

Customer   Cookie    Ad Agcy   Data1   Data 2   ...
Chris      4491027   666-666   val 3   val 4

It’s the same Chris!!!


Managing Cookies

You control whether your computer accepts cookies -- look in browser

If you don’t care about privacy: Accept all cookies

If you greatly value your privacy: Accept no cookies

If you want some privacy AND benefit from the useful stuff on the Web: Accept cookies but reject 3rd party cookies
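The join from "Correlating Cookies" and the effect of the three browser settings listed above, as an added example that is not part of the original slides. The cookie values follow the slides; the domains abc.example, def.example and ads.example, the second visitor Pat, and all class and function names are assumptions made for the illustration.

```python
import itertools
import sqlite3

POLICIES = ("accept_all", "reject_third_party", "accept_none")


class Server:
    """A web server that hands out sequential visitor IDs as cookie values."""

    def __init__(self, domain, first_id, prefix=""):
        self.domain = domain
        self._ids = itertools.count(first_id)
        self._prefix = prefix

    def new_id(self):
        return f"{self._prefix}{next(self._ids)}"


class Browser:
    """A cookie jar keyed by the domain that set each cookie."""

    def __init__(self, policy):
        if policy not in POLICIES:
            raise ValueError(f"unknown cookie policy: {policy}")
        self.policy = policy
        self.jar = {}

    def cookie_for(self, server, third_party):
        """Return this browser's ID at `server`, or None if the policy blocks it."""
        if self.policy == "accept_none":
            return None
        if third_party and self.policy == "reject_third_party":
            return None
        if server.domain not in self.jar:
            self.jar[server.domain] = server.new_id()
        return self.jar[server.domain]


def simulate(visitors):
    """`visitors` maps a customer name to a cookie policy (constructed input).

    Each visitor uses both sites, and both sites embed the same ad agency.
    Returns (rows of Company ABC's table, rows from joining ABC and DEF on
    the ad agency's cookie).
    """
    site_abc = Server("abc.example", 210465)
    site_def = Server("def.example", 4491027)
    agency = Server("ads.example", 666, prefix="666-")
    sites = (("company_abc", site_abc, "val 1"), ("company_def", site_def, "val 3"))

    db = sqlite3.connect(":memory:")
    for table, _, _ in sites:
        db.execute(f"CREATE TABLE {table} "
                   "(customer TEXT, cookie TEXT, ad_agcy TEXT, data TEXT)")
    for name, policy in visitors.items():
        browser = Browser(policy)
        for table, site, data in sites:
            first = browser.cookie_for(site, third_party=False)
            third = browser.cookie_for(agency, third_party=True)
            db.execute(f"INSERT INTO {table} VALUES (?, ?, ?, ?)",
                       (name, first, third, data))

    abc_rows = db.execute(
        "SELECT customer, cookie, ad_agcy FROM company_abc ORDER BY rowid").fetchall()
    # The first-party cookies differ per site, so only the agency ID can link them.
    # A blocked third-party cookie is stored as NULL, and NULL never equals NULL.
    joined = db.execute(
        "SELECT a.customer, a.cookie, d.cookie, a.ad_agcy, a.data, d.data "
        "FROM company_abc a JOIN company_def d ON a.ad_agcy = d.ad_agcy").fetchall()
    db.close()
    return abc_rows, joined


if __name__ == "__main__":
    abc_rows, joined = simulate({"Chris": "accept_all", "Pat": "reject_third_party"})
    print("Company ABC table:", abc_rows)
    print("Linked across ABC and DEF:", joined)
```

Pat still gets a first-party cookie at each site, so logins and history keep working, but no row links Pat's two records.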


Grocery Cards

Easy to collect information about a customer's eating habits

Identity can be validated by credit card

Some privacy experts fear that this knowledge will be passed to health insurance companies

Debatable if useful for actuarial purposes

What does the privacy statement say?


Grocery Cards

QFC Privacy Statement:

The information gathered by QFC will be used to give you, our valued customer, our very best. You have our word on that! We pledge that QFC will not release your name to any list service or manufacturer, and that such information will be held in the strictest of confidence–even within our company.


But QFC is an affiliate of Kroger

Kroger's Privacy Statement:

Kroger and its affiliates may use personal customer information to create merchandising and promotional programs tailored around specific purchases, the frequency of store visits, volume of purchases, and other data…We may share personal customer information with our subsidiaries, affiliates, agents, representatives and trusted partners for the limited purpose of providing services or information to Kroger or our customers at our direction.


Conflicting statements?

Yes

But…

It is all legal in the United States

We have grown accustomed to the idea that our information is being used

The U.S. is an opt-out society


Answers and the Cloud

Are you there, Google? It's me, Kate


Security, Privacy, and the Cloud

Is the cloud a good place to store your personal data?

The answer depends on the privacy and security policies of the cloud service

Keep this in mind:

Privacy policies may and do change

Some services go away (e.g., MobileMe)

Will you have network access?


Summary

You may not think about privacy much, but maybe you should …

You should have a say in whether or not records of your information can be linked to you

The U.S. needs better laws, and why not?

Do you care whether Google or Facebook can deliver an ad to you based on your private information?
