Online Privacy Issues Overview

Download Report

Transcript Online Privacy Issues Overview 

Fair Information Practice Principles
and Privacy Laws
Week 3 - September 14, 16
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
1
Research and Communication Skills
CMU Libraries
(http://www.library.cmu.edu)
 Engineering and Science (a.k.a. E&S)
 Location: 4th floor, Wean Hall
 Subjects: Computer Science, Engineering, Mathematics,
Physics, Science, Technology
 Hunt (CMU’s main library)
 Location: its own building (possibly 2nd ugliest on campus
behind Wean), between Tepper and Baker
 Subjects: Arts, Business, Humanities, Social Sciences
 Software Engineering Institute (a.k.a. SEI)
 Location: 4500 5th Avenue
 Subjects: “Security, Software, Technology”
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
2
Research and Communication Skills
Coolest Thing in CMU Libraries
Posner Memorial Collection at Posner
Center
Rare books
Early prints of famous works
Original copy of the Bill of Rights – WOW!
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
3
Research and Communication Skills
START HERE: Cameo
Cameo is CMU’s online library catalog
Catalogs everything CMU has – books,
journals, periodicals, multimedia, etc.
Search Cameo online at
http://cameo.library.cmu.edu
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
4
Research and Communication Skills
If it’s not in Cameo, but you need it
today: Local Libraries
Carnegie Library of Pittsburgh
http://www.carnegielibrary.org/index.ht
ml
University of Pittsburgh Libraries
http://pittcat.pitt.edu/
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
5
Research and Communication Skills
If it’s not in Cameo, and you can wait:
ILLiad and E-ZBorrow
 ILLiad and E-ZBorrow are catalogs of resources
available for Interlibrary Loan from other
libraries nationwide (ILLiad) and in Pennsylvania
(E-ZBorrow)
 Order items online (almost always free)
 Wait for delivery – average 10 business days
 Find links to ILLiad and E-ZBorrow online
catalogs at
http://www.library.cmu.edu/Services/ILL/
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
6
Research and Communication Skills
Special needs: Other Useful
Databases
 Links to these and many more databases
available at
http://www.library.cmu.edu/Search/AZ.htm
l
 Lexis-Nexis
Massive catalog of legal sources – law journals,
case law, news stories, etc.
 IEEE and ACM journal databases
IEEE Xplore and ACM Digital Library
 INSPEC database
Huge database of scientific and technical papers
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
7
Research and Communication Skills
And of course…
Reference librarians are available at all
CMU libraries, and love to help people find
what they need – just ask!
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
8
Research and Communication Skills
Writing a literature review
 What is a literature review?
 A critical summary of what has been published on a topic
• What is already known about the topic
• Strengths and weaknesses of previous studies
 Often part of the introduction or a section of a research paper,
proposal, or thesis
 A literature review should
 be organized around and related directly to the thesis or
research question you are developing
 synthesize results into a summary of what is and is not known
 identify areas of controversy in the literature
 formulate questions that need further research
Dena Taylor and Margaret Procter. 2004. The literature review: A few tips on
conducting it. http://www.utoronto.ca/writing/litrev.html
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
9
Research and Communication Skills
Literature review do’s and don’ts
 Don’t create a list of article summaries or quotes
 Do point out what is most relevant about each article to
your paper
 Do compare and contrast the articles you review
 Do highlight controversies raised or questions left
unanswered by the articles you review
 Do take a look at some examples of literature reviews or
related work sections before you try to create one
yourself
 For an example, of a literature review in a CS conference paper
see section 2 of
http://cs1.cs.nyu.edu/~waldman/publius/paper.html
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
10
OECD fair information principles
http://www.datenschutzberlin.de/gesetze/internat/ben.htm
 Collection limitation
 Data quality
 Purpose specification
 Use limitation
 Security safeguards
 Openness
 Individual participation
 Accountability
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
11
US FTC simplified principles
 Notice and disclosure
 Choice and consent
 Data security
 Data quality and access
 Recourse and remedies
US Federal Trade Commission, Privacy Online: A Report to
Congress (June 1998),
http://www.ftc.gov/reports/privacy3/
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
12
Privacy laws around the world
 Privacy laws and regulations vary widely throughout the
world
 US has mostly sector-specific laws, with relatively
minimal protections
 Federal Trade Commission has jurisdiction over fraud and
deceptive practices
 Federal Communications Commission regulates
telecommunications
 European Data Protection Directive requires all European
Union countries to adopt similar comprehensive privacy
laws that recognize privacy as fundamental human right
 Privacy commissions in each country (some countries have
national and state commissions)
 Many European companies non-compliant with privacy laws
(2002 study found majority of UK web sites non-compliant)
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
13
US law basics
Constitutional law governs the rights of
individuals with respect to the
government
Tort law governs disputes between private
individuals or other private entities
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
14
US Constitution
 No explicit privacy right, but a zone of privacy
recognized in its penumbras, including
 1st amendment (right of association)
 3rd amendment (prohibits quartering of soldiers in homes)
 4th amendment (prohibits unreasonable search and seizure)
 5th amendment (no self-incrimination)
 9th amendment (all other rights retained by the people)
 Penumbra: “fringe at the edge of a
deep shadow create by an object
standing in the light”
(Smith 2000, p. 258, citing Justice William O. Douglas in Griswold
v. Connecticut)
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
15
Federal statutes and state laws
 Federal statutes
Tend to be narrowly focused
 State law
State constitutions may recognize explicit right to
privacy (Georgia, Hawaii)
State statutes and common (tort) law
Local laws and regulations (for example: ordinances
on soliciting anonymously)
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
16
Four aspects of privacy tort
You can sue for damages for the following
torts (Smith 2000, p. 232-233)
Disclosure of truly intimate facts
• May be truthful
• Disclosure must be widespread, and offensive or
objectionable to a person of ordinary sensibilities
• Must not be newsworthy or legitimate public interest
False light
• Personal information or picture published out of context
Misappropriation (or right of publicity)
• Commercial use of name or face without permission
Intrusion into a person’s solitude
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
17
How does the law regulate privacy?
Law may require waiving privacy interests
Law may enforce privacy interests
Typically, the law identifies relevant
privacy interests to protect, identifies
relevant interests supporting disclosure,
and tries to balance both sets of issues in
a single resolution
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
18
Difficult legal problems
Can an individual “own” (and therefore
sell) his or her own privacy rights?
Should the default assumption be “protect
the privacy interest” or “compel waiver of
the privacy interest”?
When should the law defer to informal or
social norms, or to technological barriers
or solutions?
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
19
Some US privacy laws
 Bank Secrecy Act, 1970
 Fair Credit Reporting Act, 1971
 Privacy Act, 1974
 Right to Financial Privacy Act, 1978
 Cable TV Privacy Act, 1984
 Video Privacy Protection Act, 1988
 Family Educational Right to Privacy Act, 1993
 Electronic Communications Privacy Act, 1994
 Freedom of Information Act, 1966, 1991, 1996
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
20
US law – recent additions
 HIPAA (Health Insurance Portability and
Accountability Act, 1996)
When implemented, will protect medical records and
other individually identifiable health information
 COPPA (Children‘s Online Privacy Protection Act,
1998)
Web sites that target children must obtain parental
consent before collecting personal information from
children under the age of 13
 GLB (Gramm-Leach-Bliley-Act, 1999)
Requires privacy policy disclosure and opt-out
mechanisms from financial service institutions
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
21
Safe harbor
 Membership
 US companies self-certify adherence to requirements
 Dept. of Commerce maintains signatory list
http://www.export.gov/safeharbor/
 Signatories must provide
•
•
•
•
•
notice of data collected, purposes, and recipients
choice of opt-out of 3rd-party transfers, opt-in for sensitive data
access rights to delete or edit inaccurate information
security for storage of collected data
enforcement mechanisms for individual complaints
 Approved July 26, 2000 by EU
 reserves right to renegotiate if remedies for EU citizens prove to
be inadequate
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
22
Data protection agencies
 Australia: http://www.privacy.gov.au/
 Canada: http://www.privcom.gc.ca/
 France: http://www.cnil.fr/
 Germany: http://www.bfd.bund.de/
 Hong Kong: http://www.pco.org.hk/
 Italy: http://www.privacy.it/
 Spain: http://www.ag-protecciondatos.es/
 Switzerland: http://www.edsb.ch/
 UK: http://www.dataprotection.gov.uk/
… And many more
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
23
Administrative notes
 Guest speaker next Tuesday
 Project brainstorming returned today
Many interesting ideas
Please review my comments and ask questions if they
are unclear
I suggested to some of you that you think of some
other ideas, feel free to use the suggested project
ideas
 One paragraph project description due with your
homework next Thursday
Please submit it on a separate sheet of paper
Do not staple it to your homework
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
24
Homework 3 Discussion
 http://lorrie.cranor.org/courses/fa04/hw3.html
 Questions or comments on reading
 (2) Compare the US FTC's five privacy principles to the
fair information practice principles in the OECD
Guidelines. What's missing from the FTC principles? Are
these omissions important?
 (3) Pick one privacy-related court case discussed by
Smith that had an outcome that you disagree with.
Briefly describe the case and explain the court's ruling.
Explain what aspect of privacy was at stake in this case.
Explain why you disagree with the ruling. If the case
were brought today, would you expect a different
outcome? Why or why not?
 (4) Privacy laws you researched
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
25
Homework 4
 http://lorrie.cranor.org/courses/fa04/hw4.html
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2004 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa04/
26