Online Privacy Issues Overview


Fair Information Practice Principles and Privacy Laws
Week 3 - September 12, 14
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/
More homework 1 review
Web cams
Privacy in the news
Issues privacy groups are working on
Any questions about plagiarism?
Using Library Resources
Research and Communication Skills
CMU Libraries
(http://www.library.cmu.edu)
 Engineering and Science (a.k.a. E&S)
• Location: Wean Hall, 4th floor
• Subjects: Computer Science, Engineering, Mathematics,
Physics, Science, Technology
 Hunt (CMU’s main library)
• Location: Its own building (possibly 2nd ugliest on campus
behind Wean), between Tepper and Baker
• Subjects: Arts, Business, Humanities, Social Sciences
 Software Engineering Institute (a.k.a. SEI)
• Location: SEI Building (4500 Fifth Avenue), 3rd floor
• Subjects: Security, Software, Technology
Research and Communication Skills
START HERE: Cameo
Cameo is CMU’s online library catalog
• http://cameo.library.cmu.edu/
Catalogs everything CMU has: books,
journals, periodicals, multimedia, etc.
Search by key words, author, title,
periodical title, etc.
CAMEO: Search Result for “Cranor” (screenshot; callouts: number of copies and status, library)
CAMEO: Search Result for “Solove” (screenshot; callout: due date)
Research and Communication Skills
If it’s not in Cameo, but you need it
today: Local Libraries
 Carnegie Library of Pittsburgh
• Two closest locations
 Oakland: Practically on campus (4400 Forbes Ave.)
 Squirrel Hill: Forbes & Murray (5801 Forbes Ave.)
• http://www.carnegielibrary.org/index.html
 University of Pittsburgh Libraries
• 16 libraries! Information science, Engineering, Law,
Business, etc.
• http://pittcat.pitt.edu/
Research and Communication Skills
If it’s not in Cameo, and you can wait:
ILLiad and E-ZBorrow
 ILLiad and E-ZBorrow are catalogs of resources available
for Interlibrary Loan from other libraries nationwide
(ILLiad) and in Pennsylvania (E-ZBorrow)
 Order items online (almost always free)
 Wait for delivery – average 10 business days
 Find links to ILLiad and E-ZBorrow online catalogs at
http://www.library.cmu.edu/Services/ILL/
Research and Communication Skills
Other Useful Databases
 Links to many more databases, journal collections
• Must be accessed on campus or through VPN
• http://www.library.cmu.edu/Search/AZ.html
 Lexis-Nexis
• Massive catalog of legal sources – law journals, case law,
news stories, etc.
 IEEE and ACM journal databases
• IEEE Xplore and ACM Digital Library
 INSPEC database
• Huge database of scientific and technical papers
 JSTOR
• Arts & Sciences, Business, Mathematics, Statistics
Research and Communication Skills
And of course…
Reference librarians are available at all
CMU libraries, and love to help people find
what they need – just ask!
OECD fair information principles
http://www.datenschutzberlin.de/gesetze/internat/ben.htm
 Collection limitation
 Data quality
 Purpose specification
 Use limitation
 Security safeguards
 Openness
 Individual participation
 Accountability
US FTC simplified principles
 Notice and disclosure
 Choice and consent
 Data security
 Data quality and access
 Recourse and remedies
US Federal Trade Commission, Privacy Online: A Report to
Congress (June 1998),
http://www.ftc.gov/reports/privacy3/
Privacy laws around the world
 Privacy laws and regulations vary widely throughout the
world
 US has mostly sector-specific laws, with relatively minimal
protections - often referred to as “patchwork quilt”
• Federal Trade Commission has jurisdiction over fraud and
deceptive practices
• Federal Communications Commission regulates
telecommunications
 European Data Protection Directive requires all European
Union countries to adopt similar comprehensive privacy
laws that recognize privacy as fundamental human right
• Privacy commissions in each country (some countries have
national and state commissions)
• Many European companies non-compliant with privacy laws (2002
study found majority of UK web sites non-compliant)
US law basics
Constitutional law governs the rights of
individuals with respect to the government
Tort law governs disputes between private
individuals or other private entities
Congress and state legislatures adopt
statutes
Federal agencies can adopt regulations
which are equivalent to statutes, as long as
they don’t conflict with statute
US Constitution
 No explicit privacy right, but a zone of privacy recognized
in its penumbras, including
• 1st amendment (right of association)
• 3rd amendment (prohibits quartering of soldiers in homes)
• 4th amendment (prohibits unreasonable search and seizure)
• 5th amendment (no self-incrimination)
• 9th amendment (all other rights retained by the people)
 Penumbra: “fringe at the edge of a
deep shadow created by an object
standing in the light”
(Smith 2000, p. 258, citing Justice William O. Douglas in Griswold v.
Connecticut)
Federal statutes and state laws
Federal statutes
• Tend to be narrowly focused
State law
• State constitutions may recognize explicit right
to privacy (Georgia, Hawaii)
• State statutes and common (tort) law
• Local laws and regulations (for example:
ordinances on soliciting anonymously)
Four aspects of privacy tort
You can sue for damages for the following
torts (Smith 2000, p. 232-233)
• Disclosure of truly intimate facts
 May be truthful
 Disclosure must be widespread, and offensive or
objectionable to a person of ordinary sensibilities
 Must not be newsworthy or legitimate public interest
• False light
 Personal information or picture published out of
context
• Misappropriation (or right of publicity)
 Commercial use of name or face without permission
• Intrusion into a person’s solitude
How does the law regulate privacy?
Law may require waiving privacy interests
Law may enforce privacy interests
Typically, the law identifies relevant privacy
interests to protect, identifies relevant
interests supporting disclosure, and tries to
balance both sets of issues in a single
resolution
Difficult legal problems
Can an individual “own” (and therefore sell)
his or her own privacy rights?
Should the default assumption be “protect
the privacy interest” or “compel waiver of
the privacy interest”?
When should the law defer to informal or
social norms, or to technological barriers or
solutions?
Some US privacy laws
 Bank Secrecy Act, 1970
 Fair Credit Reporting Act, 1971
 Privacy Act, 1974
 Right to Financial Privacy Act, 1978
 Cable TV Privacy Act, 1984
 Video Privacy Protection Act, 1988
 Family Educational Right to Privacy Act, 1993
 Electronic Communications Privacy Act, 1994
 Freedom of Information Act, 1966, 1991, 1996
US law – recent additions
 HIPAA (Health Insurance Portability and
Accountability Act, 1996)
• When implemented, will protect medical records and
other individually identifiable health information
 COPPA (Children’s Online Privacy Protection Act, 1998)
• Web sites that target children must obtain parental
consent before collecting personal information from
children under the age of 13
 GLB (Gramm-Leach-Bliley Act, 1999)
• Requires privacy policy disclosure and opt-out
mechanisms from financial service institutions
Safe harbor
 Membership
• US companies self-certify adherence to requirements
• Dept. of Commerce maintains signatory list
http://www.export.gov/safeharbor/
• Signatories must provide
 notice of data collected, purposes, and recipients
 choice of opt-out of 3rd-party transfers, opt-in for sensitive data
 access rights to delete or edit inaccurate information
 security for storage of collected data
 enforcement mechanisms for individual complaints
 Approved July 26, 2000 by EU
• reserves right to renegotiate if remedies for EU citizens prove to
be inadequate
Data protection agencies
 Australia: http://www.privacy.gov.au/
 Canada: http://www.privcom.gc.ca/
 France: http://www.cnil.fr/
 Germany: http://www.bfd.bund.de/
 Hong Kong: http://www.pco.org.hk/
 Italy: http://www.privacy.it/
 Spain: http://www.ag-protecciondatos.es/
 Switzerland: http://www.edsb.ch/
 UK: http://www.dataprotection.gov.uk/
… And many more
Writing a Literature Review
Research and Communication Skills
Writing a literature review
 What is a literature review?
• A critical summary of what has been published on a topic
 What is already known about the topic
 Strengths and weaknesses of previous studies
• Often part of the introduction or a section of a research paper,
proposal, or thesis
 A literature review should
• be organized around and related directly to the thesis or research
question you are developing
• synthesize results into a summary of what is and is not known
• identify areas of controversy in the literature
• formulate questions that need further research
Dena Taylor and Margaret Procter. 2004. The literature
review: A few tips on conducting it.
http://www.utoronto.ca/writing/litrev.html
Research and Communication Skills
Literature review do’s and don’ts
 Don’t create a list of article summaries or quotes
 Do point out what is most relevant about each
article to your paper
 Do compare and contrast the articles you review
 Do highlight controversies raised or questions left
unanswered by the articles you review
 Do take a look at some examples of literature
reviews or related work sections before you try to
create one yourself
• For an example of a literature review in a CS
conference paper, see section 2 of
http://cs1.cs.nyu.edu/~waldman/publius/paper.html
Homework 2
 http://lorrie.cranor.org/courses/fa05/hw2.html
 Privacy laws
 Technologies that raise privacy concerns
Homework 3
 http://lorrie.cranor.org/courses/fa05/hw3.html
Announcements
Don’t forget that project brainstorming is
due by Monday