Week 6 slides - CUPS - Carnegie Mellon University
Intellectual Property / Privacy
Week 6 - February 21, 23
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
Class debate #3
Google should not be permitted to scan and index library books and make short snippets from them available without permission of each book's copyright holder.
“Willful Infringement”
Homework 3 discussion
http://cups.cs.cmu.edu/courses/compsoc-sp06/hw3.html
Administrivia
Reminder, paper topic and abstract due next Thursday
• Please submit them via the homework email address
What does privacy mean to you?
What is privacy?
“Being alone.”
- Shane (age 4)
Westin “Privacy and Freedom” 1967
“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”
Privacy is not an absolute
Privacy as process
“Each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication….”
- Alan Westin, 1967
Westin’s four states of privacy
Solitude
• individual separated from the group and freed from the observation of other persons
Intimacy
• individual is part of a small unit
Anonymity
• individual in public but still seeks and finds freedom from identification and surveillance
Reserve
• the creation of a psychological barrier against unwanted intrusion - holding back communication
Westin’s four functions of privacy
Personal autonomy
• control when you go public about info
Emotional release
• be yourself
• permissible deviations to social or institutional norms
Self-evaluation
Limited and protected communication
Different views of privacy
Privacy as limited access to self
• the extent to which we are known to others and the extent to which others have physical access to us
Privacy as control over information
• not simply limiting what others know about you, but controlling it
• this assumes individual autonomy, that you can control information in a meaningful way (not blind click through, for example)
Privacy as animal instinct
Is privacy necessary for species survival?
Eagles eating a deer carcass http://www.learner.org/jnorth/tm/eagle/CaptureE63.html
Multiple facets of privacy
How can posting personal information about myself on my web site result in a reduction of my privacy? How can it result in an increase in my privacy?
Privacy surveys find concerns
Increasingly people say they are concerned about online privacy (80-90% of US Net users)
Improved privacy protection is factor most likely to persuade non-Net users to go online
27% of US Net users have abandoned online shopping carts due to privacy concerns
64% of US Net users decided not to use a web site or make an online purchase due to privacy concerns
34% of US Net users who do not buy online would buy online if they didn’t have privacy concerns
Beyond concern
April 1999 Study: Beyond Concern: Understanding Net Users' Attitudes About Online Privacy by Cranor, Ackerman and Reagle (US panel results reported)
http://www.research.att.com/projects/privacystudy/
• Internet users more likely to provide info when they are not identified
• Some types of data more sensitive than others
• Many factors important in decisions about information disclosure
• Acceptance of persistent identifiers varies according to purpose
• Internet users dislike automatic data transfer
Few read privacy policies
3% review online privacy policies carefully most of the time
• Most likely to review policy before providing credit card info
• Policies too time consuming to read and difficult to understand
70% would prefer standard privacy policy format
Most interested in knowing about data sharing and how to get off marketing lists
People are more comfortable at sites that have privacy policies, even if they don’t read them
Survey references
Mark S. Ackerman, Lorrie Faith Cranor and Joseph Reagle, Beyond Concern: Understanding Net Users’ Attitudes About Online Privacy (AT&T Labs, April 1999), http://www.research.att.com/projects/privacystudy/
Mary J. Culnan and George R. Milne, The Culnan-Milne Survey on Consumers & Online Privacy Notices: Summary of Responses (December 2001), http://www.ftc.gov/bcp/workshops/glb/supporting/culnan-milne.pdf
Cyber Dialogue, Cyber Dialogue Survey Data Reveals Lost Revenue for Retailers Due to Widespread Consumer Privacy Concerns (Cyber Dialogue, November 7, 2001), http://www.cyberdialogue.com/news/releases/2001/11-07-uco-retail.html
Forrester Research, Privacy Issues Inhibit Online Spending (Forrester, October 3, 2001)
Louis Harris & Associates and Alan F. Westin, Commerce, Communication and Privacy Online (Louis Harris & Associates, 1997), http://www.privacyexchange.org/iss/surveys/computersurvey97.html
Louis Harris & Associates and Alan F. Westin, E-Commerce and Privacy, What Net Users Want (Sponsored by Price Waterhouse and Privacy & American Business. P & AB, June 1998), http://www.privacyexchange.org/iss/surveys/ecommsum.html
Opinion Research Corporation and Alan F. Westin, “Freebies” and Privacy: What Net Users Think (Sponsored by Privacy & American Business. P & AB, July 1999), http://www.privacyexchange.org/iss/surveys/sr990714.html
Privacy Leadership Initiative, Privacy Notices Research Final Results (Conducted by Harris Interactive, December 2001), http://www.ftc.gov/bcp/workshops/glb/supporting/harris%20results.pdf
An extensive list of privacy surveys from around the world is available from http://www.privacyexchange.org/iss/surveys/surveys.html.
Privacy laws and self-regulation
Terminology
Data subject
• The person whose data is collected
Data controller
• The entity responsible for collected data
Primary use of personal information (primary purpose)
• Using information for the purposes intended by the data subjects when they provided the information
Secondary use of personal information (secondary purpose)
• Using information for purposes that go beyond the primary purpose
OECD fair information principles
http://www.datenschutz-berlin.de/gesetze/internat/ben.htm
Collection limitation
Data quality
Purpose specification
Use limitation
Security safeguards
Openness
Individual participation
Accountability
US FTC simplified principles
Notice and disclosure
Choice and consent
Data security
Data quality and access
Recourse and remedies
US Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), http://www.ftc.gov/reports/privacy3/
Laws and regulations
Privacy laws and regulations vary widely throughout the world
US has mostly sector-specific laws, with relatively minimal protections
• Federal Trade Commission has jurisdiction over fraud and deceptive practices
• Federal Communications Commission regulates telecommunications
European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws
• Privacy commissions in each country (some countries have national and state commissions)
• Many European companies non-compliant with privacy laws (2002 study found majority of UK web sites non-compliant)
• Safe Harbor allows US companies to self-certify compliance
US law basics
Constitutional law governs the rights of individuals with respect to the government
Tort law governs disputes between private individuals or other private entities
US Constitution
No explicit privacy right, but a zone of privacy recognized in its penumbras, including
• 1st amendment (right of association)
• 3rd amendment (prohibits quartering of soldiers in homes)
• 4th amendment (prohibits unreasonable search and seizure)
• 5th amendment (no self-incrimination)
• 9th amendment (all other rights retained by the people)
Penumbra: “fringe at the edge of a deep shadow created by an object standing in the light”
(Smith 2000, p. 258, citing Justice William O. Douglas in Griswold v. Connecticut)
Federal statutes and state laws
Federal statutes
• Tend to be narrowly focused
State law
• State constitutions may recognize explicit right to privacy (Georgia, Hawaii)
• State statutes and common (tort) law
• Local laws and regulations (for example: ordinances on soliciting anonymously)
Four aspects of privacy tort
You can sue for damages for the following torts (Smith 2000, p. 232-233)
• Disclosure of truly intimate facts
  May be truthful
  Disclosure must be widespread, and offensive or objectionable to a person of ordinary sensibilities
  Must not be newsworthy or legitimate public interest
• False light
  Personal information or picture published out of context
• Misappropriation (or right of publicity)
  Commercial use of name or face without permission
• Intrusion into a person’s solitude
Some US privacy laws
Bank Secrecy Act, 1970
Fair Credit Reporting Act, 1971
Privacy Act, 1974
Right to Financial Privacy Act, 1978
Cable TV Privacy Act, 1984
Video Privacy Protection Act, 1988
Family Educational Right to Privacy Act, 1993
Electronic Communications Privacy Act, 1994
Freedom of Information Act, 1966, 1991, 1996
US law – recent additions
HIPAA (Health Insurance Portability and Accountability Act, 1996)
• When implemented, will protect medical records and other individually identifiable health information
COPPA (Children's Online Privacy Protection Act, 1998)
• Web sites that target children must obtain parental consent before collecting personal information from children under the age of 13
GLB (Gramm-Leach-Bliley Act, 1999)
• Requires privacy policy disclosure and opt-out mechanisms from financial service institutions
Safe harbor
Membership
• US companies self-certify adherence to requirements
• Dept. of Commerce maintains signatory list http://www.export.gov/safeharbor/
• Signatories must provide
  notice of data collected, purposes, and recipients
  choice of opt-out of 3rd-party transfers, opt-in for sensitive data
  access rights to delete or edit inaccurate information
  security for storage of collected data
  enforcement mechanisms for individual complaints
Approved July 26, 2000 by EU
• reserves right to renegotiate if remedies for EU citizens prove to be inadequate
Privacy self-regulation
Since 1995, the US FTC has pressured companies to “self regulate” in the privacy area
Self regulation may be completely voluntary or mandatory (or somewhere in between)
Self-regulatory programs and initiatives
• Seals
• CPOs
• Privacy policies
• Platform for Privacy Preferences (P3P) Project
• Industry guidelines
Voluntary privacy guidelines
Online Privacy Alliance
http://www.privacyalliance.org
Direct Marketing Association Privacy Promise
http://www.thedma.org/library/privacy/privacypromise.shtml
Network Advertising Initiative Principles
http://www.networkadvertising.org/
CTIA Location-based privacy guidelines
http://www.wowcom.com/news/press/body.cfm?record_id=907
Chief privacy officers
Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns
Role of CPO varies in each company
• Draft privacy policy
• Respond to customer concerns
• Educate employees about company privacy policy
• Review new products and services for compliance with privacy policy
• Develop new initiatives to keep company out front on privacy issue
• Monitor pending privacy legislation
Seal programs
TRUSTe – http://www.truste.org
BBBOnline – http://www.bbbonline.org
CPA WebTrust – http://www.cpawebtrust.org/
Japanese Privacy Mark – http://privacymark.org/
Seal program problems
Certify only compliance with stated policy
• Limited ability to detect non-compliance
Minimal privacy requirements
Don’t address privacy issues that go beyond the web site
Nonetheless, reporting requirements are forcing licensees to review their own policies and practices and think carefully before introducing policy changes