Privacy and Security
Shh… be very very quiet
Fluency with Information Technology
INFO100 and CSE100
Katherine Deibel
2012-05-11 Katherine Deibel, Fluency in Information Technology 1
Two Related Ideas
Privacy: controlling who has access to specific information
Security: ensuring availability and privacy of access to specific information
This is all about data management
What is the data?
Where is it stored?
Who can access it?
How can you access it?
Security in Brief
Two aspects to security
Controlling who has access
Ensuring that they have access
Ensuring access is often overlooked
What would you do if you lost your cellphone and its phonebook?
What if your hard drive crashes?
Backing Up
It is always a good idea to make backups of important data
Rules for backing up:
Do it frequently
Back up only recent changes (saves more space than copying everything)
Keep the backups physically separate from the originals
Choose media that you will continue to have the technology to access
The Cloud
The idea of the cloud
Move computation off of local machines to the Internet
Applications provided as web services by cloud providers
Provides access wherever and whenever one can get online
Security, Privacy, and the Cloud
Is the cloud a good place to store your personal data?
Is it secure?
Does it guarantee your privacy?
Is it reliable?
We will come back to these questions later
Information and Privacy
Shocking stories of Victorian intrigue!
Mother is secretly half-Welsh?!?
Information Society
We live in an information society
Easy to collect, store, search, and manipulate data on record scales
Every action we do generates information
Using a library
Purchasing from a store
Flying on a plane
Doing homework
Paying taxes
The BIG QUESTIONS
Who owns the information?
What can you/they do with it?
How do you manage and protect your information?
Who and what are you protecting it from?
What needs to be protected?
What needs to be managed?
The Bookstore Example
You buy a book: Cooking with Red Meat, Cheese, Lard & Beer
The store has a record of the purchase
How they may use it:
Ignore it
Recommend books to you
Target advertising
Give this information to others (your health insurance company)
Implications
What if the book was a gift?
Recommendations become poorer
Advertising will reach the wrong market
Interpretation of the book's meaning
Do I want to eat fatty foods?
Am I studying high-fat cuisines?
One scenario….
Pizza Palace
http://aclu.org/pizza/images/screen.swf
Ask yourself…
Did that video bother you?
Is it a realistic future?
If yes, do you want that future?
If no, how much do you think could become a reality and do you want it?
Most importantly, what do we mean when we say we want some information to remain private?
Portable Cameras of 1890s
Cheaper cameras
Faster film speeds
Less sitting time
What Is Privacy?
S. D. Warren & L. D. Brandeis (1890). The Right to Privacy. Harvard Law Review, 4(5), pp. 193-220.
"The common law secures to each individual the right of determining, ordinarily, to what extent his thoughts, sentiments and emotions shall be communicated to others. Under our system of government he can never be compelled to express them (except upon the witness stand); and even if he has chosen to give them expression, he generally retains the power to fix the limits of the publicity that shall be given them."
What Is Privacy?
S. D. Warren & L. D. Brandeis (1890). The Right to Privacy. Harvard Law Review, 4(5), pp. 193-220.
"The narrower doctrine [of privacy] may have satisfied the demands of society at a time when the abuse to be guarded against could barely have arisen without violating a contract or a special confidence; but modern devices afford abundant opportunities for the perpetration of wrongs without the participation of the injured party."
Implications
Warren & Brandeis's argument is a critical observation about society and new technologies:
The adoption of new technologies affects the interactions of people in society and therefore necessitates reviewing laws and rights in regards to the new technologies.
Eyeglasses and Nerds
A historical diversion
History of Eyeglasses
China, ≈1 CE: As eye protection
Italy, 1260s: For farsightedness
Europe, 1500s: For nearsightedness
Britain, 1725: Modern frame invented
U.S.A., 1780s: Bifocals invented
Britain, 1825: For astigmatisms
Historical Eyeglasses
“Glasses are very disfiguring to women and girls.”
From a 1901 optician journal
Glasses not for public use
Used only for brief moments
Led to quick-use optics
monocle
lady’s lorgnette
pince-nez
scissor glasses
Except…
Scholars and academics
The clergy
The Spanish
THUS… THE ASSOCIATION OF GLASSES WITH INTELLECTUAL PURSUITS!!!
Spain?
Glasses were popular
Higher classes wore larger lenses
Portrait of a Cardinal, Probably Cardinal Don Fernando Niño de Guevara (1541–1609) by El Greco
Clergy Member, Poor Vision, Reading Latin Texts + Eyeglasses: Continuous Use
Aristocrat, Poor Vision, Reading a Playbill + Eyeglasses: Brief Use
+ In Spain: Continuous Use
Think about it…
Point of Historical Sidetrack
Technology usage shapes people’s perceptions of the users
Culture and society shape how, when, and if a technology is used
Defining Privacy
I want to tell you but…
A Definition
What does “privacy” mean in the modern world?
The right of people to choose freely under what circumstances and to what extent they will reveal themselves, their attitude, and their behavior to others
Privacy is a right
You control when & how much is revealed
Point of this lecture: You can and should have a lot of privacy by using this control
Using Collected Information
The collector can’t use it after the business purpose is over
The collector can use it, if you approve (OPT-IN)
The collector can use it, unless you object (OPT-OUT)
The collector can use information no matter what
Fair Information Practices
Limited Collection
Quality
Purpose
Use Limitation
Security
Openness
Participation
Accountability
Organization for Economic Cooperation and Development (OECD) defined the “gold standard” for fair information practices
Principles
Limited Collection Principle
There should be limits to the personal data collected about anyone
Collect data by fair and lawful means
Collect data with the knowledge and consent of the person whenever appropriate and possible
Quality Principle
Personal data gathered should be
Relevant to the purposes for which it is used
Accurate, complete, and up-to-date
Purpose Principle
The purposes for collecting personal data should be stated at the time it is collected
The uses should be limited to only those purposes
Use Limitation Principle
Personal data should not be disclosed or used for purposes other than stated in the Purpose Principle
Exceptions:
With the consent of the individual
By the authority of law
Security Principle
Personal data should be protected by reasonable security measures against
Risks of disclosure
Unauthorized access
Misuse
Modification
Destruction
Loss
Openness Principle
There should be a general openness of the policies and practices about personal data collection
Should be possible to know of its existence, kind, and purpose of use
Should be able to obtain identity and contact information for the data controller
Participation Principle
An individual should be able to
Determine whether the data controller has information about him or her
Discover what it is in an understandable form, in a timely manner, and at a reasonable charge
Request data to be erased, completed, or changed
If any of the inquiries above are denied, the individual should be able to
Learn about the reasons for the denial
Challenge the denial if so desired
Accountability Principle
The data controller should be accountable for complying with these principles
Policies, legislation, and laws to back up the need to be held accountable
Europe vs America
EU, much of non-EU Europe, NZ, Hong Kong, Australia, and Canada use OECD
Both government and private purposes
U.S. privacy law does not use the OECD
U.S. privacy law for government information is generally strong
U.S. privacy law for business is “sectoral”, meaning it is limited to sectors and specific business practices
U.S. Businesses and Privacy
Very few industries/practices have explicit privacy rules
Almost anything goes
Opting-out is the general approach
Recent federal law for medical data
HIPAA: Health Insurance Portability and Accountability Act of 1996
PSQIA: The Patient Safety and Quality Improvement Act of 2005
Think About It
EU law says, “Info on EU citizens must comply with OECD on leaving EU”
U.S. privacy is so bad, EU information cannot come here
U.S.-EU are in constant negotiations
Some Info is Protected
Family Educational Rights & Privacy Act
As a general rule the University will not release a student’s educational records to a third party without written consent of the student. This includes tuition account information.
Even includes practices of returning homework and reporting grades
Some Info is Protected
UW Libraries Privacy Policy
The University of Washington Libraries values the privacy of library users. The Libraries seeks to minimize the collection and retention of personally identifiable information.
When information is not kept, it cannot be abused.
Digital Privacy
Most reputable online businesses post privacy statements on their sites
Should be understandable to you
Say what info they collect
Say what they will do with it
How to "opt-out" or "opt-in"
Digital Privacy
Unfortunately, there is
Little if any government policing
Lack of resources for filing complaints
Few penalties for violations
Independent Auditors
Private firms/organizations monitor and report privacy violations
TRUSTe
Better Business Bureau
Social networking and public opinion can force companies to comply
Real Networks in 1999
What they did:
Secretly gathered data on people’s personal music tastes
Encrypted the info so no one would know
Didn’t mention it in their privacy statement
They were caught
Changed privacy statement
Major loss in usage
Permanent marring of public trust
Further Privacy Issues
Cookies and grocery shopping
Cookies
A cookie is a record stored on your computer by a Web server
The cookie is usually a unique ID that allows the server to remember who you are
Improves Web experience
[Diagram: one server and several clients. Server record: "4.95.142.16: 210465: Chris, Dating for Total Dummies" (Name: Chris, Book: Dating). Cookie held by the client: "Client: 210465".]
Cookies are Good (and Yummy)
Cookies are used by many sites and they make Web usage much better
Many sites use cookies for history and logins
Banking and credit card applications cannot be secure enough without cookies
If all privacy laws met OECD standards
Cookies would be all good
No one but computer scientists would know about them
Cookies are Bad (too sugary)
Cookies can be stored in your computer by sites you have not visited: 3rd party
▪ 3rd Party Cookies come from a site in business with the site you visit, e.g. for ads
▪ 3rd party cookies allow info to be correlated
[Diagram: cookies held by each party]
Client Chris: ABC site: 210465; DEF site: 4491027; 3rdParty: 666-666
Server ABC: Chris Cookie: 210465
Server DEF: Chris Cookie: 4491027
Server 3rd: 123 Cookie: 666-666
Correlating Cookies
The 3rd party cookie becomes the key (literally, in DB sense) to join (in DB sense) the info held by separate companies
Company ABC Database
Customer   Cookie    Ad Agcy   Data1   Data 2   ...
Chris      210465    666-666   val 1   val 2
Company DEF Database
Customer   Cookie    Ad Agcy   Data1   Data 2   ...
Chris      4491027   666-666   val 3   val 4
It’s the same Chris!!!
Managing Cookies
You control whether your computer accepts cookies -- look in browser
If you don’t care about privacy, accept all cookies
If you greatly value your privacy, accept no cookies
If you want some privacy AND benefit from the useful stuff on the Web, accept cookies but reject 3rd party cookies
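Added example (not part of the original slides): the join from the Correlating Cookies slide, run once with 3rd party cookies accepted and once with them rejected as the Managing Cookies slide recommends. The cookie IDs and data values are the ones on the slides; the .example domain names, table names and function names are assumptions made for this example.

```python
import sqlite3

# Cookie IDs each server hands to Chris's browser (values from the slides);
# the .example domain names are assumptions made for this example.
ASSIGNED_ID = {"abc.example": "210465", "def.example": "4491027",
               "ads.example": "666-666"}
AD_DOMAIN = "ads.example"   # the 3rd party whose ad is embedded on both sites

def load_page(jar, site, accept_third_party):
    """One page view: the site sets its own cookie and embeds an ad.
    Returns (first-party ID, ad agency ID or None) as the site records them."""
    jar.setdefault(site, ASSIGNED_ID[site])
    if accept_third_party:
        jar.setdefault(AD_DOMAIN, ASSIGNED_ID[AD_DOMAIN])
    return jar[site], jar.get(AD_DOMAIN)

def build_databases(accept_third_party):
    """Chris shops at both sites; each company stores what it learned."""
    db = sqlite3.connect(":memory:")
    jar = {}   # the browser's cookie store, keyed by the domain that set it
    for table, site, data in (("company_abc", "abc.example", "val 1"),
                              ("company_def", "def.example", "val 3")):
        cookie, ad_id = load_page(jar, site, accept_third_party)
        # Table names come from the fixed tuple above, never from input.
        db.execute(f"CREATE TABLE {table} (customer, cookie, ad_agcy, data1)")
        db.execute(f"INSERT INTO {table} VALUES (?, ?, ?, ?)",
                   ("Chris", cookie, ad_id, data))
    return db, jar

def correlate(db):
    """Join the two companies' records on the ad agency's cookie ID."""
    return db.execute(
        "SELECT a.customer, a.cookie, b.cookie, a.data1, b.data1 "
        "FROM company_abc AS a JOIN company_def AS b "
        "ON a.ad_agcy = b.ad_agcy").fetchall()

def first_party_match(db):
    """Without the shared key: do the sites' own cookie IDs ever line up?"""
    return db.execute(
        "SELECT a.customer FROM company_abc AS a JOIN company_def AS b "
        "ON a.cookie = b.cookie").fetchall()

if __name__ == "__main__":
    for policy in (True, False):
        db, jar = build_databases(policy)
        print("accept 3rd party:", policy, "| cookie jar:", jar)
        print("  joined on ad_agcy:", correlate(db))
        print("  joined on own cookie:", first_party_match(db))
```

With 3rd party cookies rejected, the ad_agcy column is NULL in both tables, and because NULL never equals NULL in SQL the join returns no rows, while each site's own cookie keeps working.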
Grocery Cards
Easy to collect information about a customer's eating habits
Identity can be validated by credit card
Some privacy experts fear that this knowledge will be passed to health insurance companies
Debatable if useful for actuarial purposes
What does the privacy statement say?
Grocery Cards
QFC Privacy Statement:
The information gathered by QFC will be used to give you, our valued customer, our very best. You have our word on that! We pledge that QFC will not release your name to any list service or manufacturer, and that such information will be held in the strictest of confidence–even within our company.
But QFC is an affiliate of Kroger
Kroger's Privacy Statement:
Kroger and its affiliates may use personal customer information to create merchandising and promotional programs tailored around specific purchases, the frequency of store visits, volume of purchases, and other data…We may share personal customer information with our subsidiaries, affiliates, agents, representatives and trusted partners for the limited purpose of providing services or information to Kroger or our customers at our direction.
Conflicting statements?
Yes
But…
It is all legal in the United States
We have grown accustomed to the idea that our information is being used
The U.S. is an opt-out society
Answers and the Cloud
Are you there, Google? It's me, Kate
Security, Privacy, and the Cloud
Is the cloud a good place to store your personal data?
The answer depends on the privacy and security policies of the cloud service
Keep this in mind:
Privacy policies may and do change
Some services go away (e.g., MobileMe)
Will you have network access?
Summary
You may not think about privacy much, but maybe you should …
You should have a say in whether or not records of your information can be linked to you
The U.S. needs better laws, and why not?
Do you care whether Google or Facebook can deliver an ad to you based on your private information?