Online Privacy Issues Overview
Download
Report
Transcript Online Privacy Issues Overview
Fair Information Practice Principles
and Privacy Laws
Week 3 - September 12, 14
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
1
More homework 1 review
Web cams
Privacy in the news
Issues privacy groups are working on
Any questions about plagiarism?
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
2
Using Library Resources
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
3
Research and Communication Skills
CMU Libraries
(http://www.library.cmu.edu)
Engineering and Science (a.k.a. E&S)
• Location: Wean Hall, 4th floor
• Subjects: Computer Science, Engineering, Mathematics,
Physics, Science, Technology
Hunt (CMU’s main library)
• Location: Its own building (possibly 2nd ugliest on campus
behind Wean), between Tepper and Baker
• Subjects: Arts, Business, Humanities, Social Sciences
Software Engineering Institute (a.k.a. SEI)
• Location: SEI Building (4500 Fifth Avenue), 3rd floor
• Subjects: Security, Software, Technology
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
4
Research and Communication Skills
START HERE: Cameo
Cameo is CMU’s online library catalog
• http://cameo.library.cmu.edu/
Catalogs everything CMU has: books,
journals, periodicals, multimedia, etc.
Search by key words, author, title,
periodical title, etc.
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
5
CAMEO: Search Result for “Cranor”
Number of
copies and
status
Library
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
6
CAMEO: Search Result for “Solove”
Due date
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
7
Research and Communication Skills
If it’s not in Cameo, but you need it
today: Local Libraries
Carnegie Library of Pittsburgh
• Two closest locations
Oakland: Practically on campus (4400 Forbes Ave.)
Squirrel Hill: Forbes & Murray (5801 Forbes Ave.)
• http://www.carnegielibrary.org/index.html
University of Pittsburgh Libraries
• 16 libraries! Information science, Engineering, Law,
Business, etc.
• http://pittcat.pitt.edu/
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
8
Research and Communication Skills
If it’s not in Cameo, and you can wait:
ILLiad and E-ZBorrow
ILLiad and E-ZBorrow are catalogs of resources available
for Interlibrary Loan from other libraries nationwide
(ILLiad) and in Pennsylvania (E-ZBorrow)
Order items online (almost always free)
Wait for delivery – average 10 business days
Find links to ILLiad and E-ZBorrow online catalogs at
http://www.library.cmu.edu/Services/ILL/
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
9
Research and Communication Skills
Other Useful Databases
Links to many more databases, journal collections
• Must be accessed on campus or through VPN
• http://www.library.cmu.edu/Search/AZ.html
Lexis-Nexis
• Massive catalog of legal sources – law journals, case law,
news stories, etc.
IEEE and ACM journal databases
• IEEE Xplore and ACM Digital Library
INSPEC database
• Huge database of scientific and technical papers
JSTOR
• Arts & Sciences, Business, Mathematics, Statistics
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
10
Research and Communication Skills
And of course…
Reference librarians are available at all
CMU libraries, and love to help people find
what they need – just ask!
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
11
OECD fair information principles
http://www.datenschutzberlin.de/gesetze/internat/ben.htm
Collection limitation
Data quality
Purpose specification
Use limitation
Security safeguards
Openness
Individual participation
Accountability
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
12
US FTC simplified principles
Notice and disclosure
Choice and consent
Data security
Data quality and access
Recourse and remedies
US Federal Trade Commission, Privacy Online: A Report to
Congress (June 1998),
http://www.ftc.gov/reports/privacy3/
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
13
Privacy laws around the world
Privacy laws and regulations vary widely throughout the
world
US has mostly sector-specific laws, with relatively minimal
protections - often referred to as “patchwork quilt”
• Federal Trade Commission has jurisdiction over fraud and
deceptive practices
• Federal Communications Commission regulates
telecommunications
European Data Protection Directive requires all European
Union countries to adopt similar comprehensive privacy
laws that recognize privacy as fundamental human right
• Privacy commissions in each country (some countries have
national and state commissions)
• Many European companies non-compliant with privacy laws (2002
study found majority of UK web sites non-compliant)
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
14
US law basics
Constitutional law governs the rights of
individuals with respect to the government
Tort law governs disputes between private
individuals or other private entities
Congress and state legislatures adopt
statutes
Federal agencies can adopt regulations
which are equivalent to statutes, as long as
they don’t conflict with statute
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
15
US Constitution
No explicit privacy right, but a zone of privacy recognized
in its penumbras, including
•
•
•
•
•
1st amendment (right of association)
3rd amendment (prohibits quartering of soldiers in homes)
4th amendment (prohibits unreasonable search and seizure)
5th amendment (no self-incrimination)
9th amendment (all other rights retained by the people)
Penumbra: “fringe at the edge of a
deep shadow created by an object
standing in the light”
(Smith 2000, p. 258, citing Justice William O. Douglas in Griswold v.
Connecticut)
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
16
Federal statutes and state laws
Federal statutes
• Tend to be narrowly focused
State law
• State constitutions may recognize explicit right
to privacy (Georgia, Hawaii)
• State statutes and common (tort) law
• Local laws and regulations (for example:
ordinances on soliciting anonymously)
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
17
Four aspects of privacy tort
You can sue for damages for the following
torts (Smith 2000, p. 232-233)
• Disclosure of truly intimate facts
May be truthful
Disclosure must be widespread, and offensive or
objectionable to a person of ordinary sensibilities
Must not be newsworthy or legitimate public interest
• False light
Personal information or picture published out of
context
• Misappropriation (or right of publicity)
Commercial use of name or face without permission
• Intrusion into a person’s solitude
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
18
How does the law regulate privacy?
Law may require waiving privacy interests
Law may enforce privacy interests
Typically, the law identifies relevant privacy
interests to protect, identifies relevant
interests supporting disclosure, and tries to
balance both sets of issues in a single
resolution
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
19
Difficult legal problems
Can an individual “own” (and therefore sell)
his or her own privacy rights?
Should the default assumption be “protect
the privacy interest” or “compel waiver of
the privacy interest”?
When should the law defer to informal or
social norms, or to technological barriers or
solutions?
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
20
Some US privacy laws
Bank Secrecy Act, 1970
Fair Credit Reporting Act, 1971
Privacy Act, 1974
Right to Financial Privacy Act, 1978
Cable TV Privacy Act, 1984
Video Privacy Protection Act, 1988
Family Educational Right to Privacy Act, 1993
Electronic Communications Privacy Act, 1994
Freedom of Information Act, 1966, 1991, 1996
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
21
US law – recent additions
HIPAA (Health Insurance Portability and
Accountability Act, 1996)
• When implemented, will protect medical records and
other individually identifiable health information
COPPA (Children‘s Online Privacy Protection Act,
1998)
• Web sites that target children must obtain parental
consent before collecting personal information from
children under the age of 13
GLB (Gramm-Leach-Bliley-Act, 1999)
• Requires privacy policy disclosure and opt-out
mechanisms from financial service institutions
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
22
Safe harbor
Membership
• US companies self-certify adherence to requirements
• Dept. of Commerce maintains signatory list
http://www.export.gov/safeharbor/
• Signatories must provide
notice of data collected, purposes, and recipients
choice of opt-out of 3rd-party transfers, opt-in for sensitive data
access rights to delete or edit inaccurate information
security for storage of collected data
enforcement mechanisms for individual complaints
Approved July 26, 2000 by EU
• reserves right to renegotiate if remedies for EU citizens prove to
be inadequate
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
23
Data protection agencies
Australia: http://www.privacy.gov.au/
Canada: http://www.privcom.gc.ca/
France: http://www.cnil.fr/
Germany: http://www.bfd.bund.de/
Hong Kong: http://www.pco.org.hk/
Italy: http://www.privacy.it/
Spain: http://www.ag-protecciondatos.es/
Switzerland: http://www.edsb.ch/
UK: http://www.dataprotection.gov.uk/
… And many more
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
24
Writing a Literature Review
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
25
Research and Communication Skills
Writing a literature review
What is a literature review?
• A critical summary of what has been published on a topic
What is already known about the topic
Strengths and weaknesses of previous studies
• Often part of the introduction or a section of a research paper,
proposal, or thesis
A literature review should
• be organized around and related directly to the thesis or research
question you are developing
• synthesize results into a summary of what is and is not known
• identify areas of controversy in the literature
• formulate questions that need further research
Dena Taylor and Margaret Procter. 2004. The literature
review: A few tips on conducting it.
http://www.utoronto.ca/writing/litrev.html
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
26
Research and Communication Skills
Literature review do’s and don’ts
Don’t create a list of article summaries or quotes
Do point out what is most relevant about each
article to your paper
Do compare and contrast the articles you review
Do highlight controversies raised or questions left
unanswered by the articles you review
Do take a look at some examples of literature
reviews or related work sections before you try to
create one yourself
• For an example, of a literature review in a CS
conference paper see section 2 of
http://cs1.cs.nyu.edu/~waldman/publius/paper.html
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
27
Homework 2
http://lorrie.cranor.org/courses/fa05/hw2.html
Privacy laws
Technologies that raise privacy concerns
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
28
Homework 3
http://lorrie.cranor.org/courses/fa05/hw3.html
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
29
Announcements
Don’t forget that project brainstorming is
due by Monday
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
30