Week 6 slides - CUPS - Carnegie Mellon University

Download Report

Transcript Week 6 slides - CUPS - Carnegie Mellon University 

Intellectual Property / Privacy
Week 6 - February 21, 23
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
1
Class debate #3

Google should not be permitted to scan
and index library books and make short
snippets from them available without
permission of each book's copyright holder.
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
2
“Willfull Infringement”
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
3
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
4
Homework 3 discussion
http://cups.cs.cmu.edu/courses/compsocsp06/hw3.html
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
5
Administrivia
Reminder, paper topic and abstract due
next Thursday
• Please submit them via the homework email
address
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
6
What does privacy mean to you?
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
7
What is privacy?
“Being alone.”
- Shane (age 4)
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
8
Westin “Privacy and Freedom” 1967
“Privacy is the claim of individuals, groups
or institutions to determine for themselves
when, how, and to what extent information
about them is communicated to others”
Privacy is not an absolute
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
9
Privacy as process
“Each individual is continually engaged in a
personal adjustment process in which he
balances the desire for privacy with the
desire for disclosure and
communication….”
- Alan Westin, 1967
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
10
Westin’s four states of privacy
 Solitude
• individual separated from the group and freed from the
observation of other persons
 Intimacy
• individual is part of a small unit
 Anonymity
• individual in public but still seeks and finds freedom
from identification and surveillance
 Reserve
• the creation of a psychological barrier against
unwanted intrusion - holding back communication
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
11
Westin’s four functions of privacy
Personal autonomy
• control when you go public about info
Emotional release
• be yourself
• permissible deviations to social or institutional
norms
Self-evaluation
Limited and protected communication
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
12
Different views of privacy
Privacy as limited access to self
• the extent to which we are known to others and
the extent to which others have physical
access to us
Privacy as control over information
• not simply limiting what others know about you,
but controlling it
• this assumes individual autonomy, that you can
control information in a meaningful way (not
blind click through, for example)
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
13
Privacy as animal instinct
Is privacy necessary for species survival?
Eagles eating a deer carcass http://www.learner.org/jnorth/tm/eagle/CaptureE63.html
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
14
Multiple facets of privacy
How can posting personal information
about myself on my web site result in a
reduction of my privacy? How can it result
in an increase in my privacy?
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
15
Privacy surveys find concerns
 Increasingly people say they are concerned
about online privacy (80-90% of US Net users)
 Improved privacy protection is factor most likely
to persuade non-Net users to go online
 27% of US Net users have abandoned online
shopping carts due to privacy concerns
 64% of US Net users decided not to use a web
site or make an online purchase due to privacy
concerns
 34% of US Net users who do not buy online
would buy online if they didn’t have privacy
concerns
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
16
Beyond concern
 April 1999 Study: Beyond Concern:
Understanding Net Users' Attitudes About Online
Privacy by Cranor, Ackerman and Reagle (US
panel results reported)
http://www.research.att.com/projects/
privacystudy/
• Internet users more likely to provide info when they are
not identified
• Some types of data more sensitive than others
• Many factors important in decisions about information
disclosure
• Acceptance of persistent identifiers varies according to
purpose
• Internet users dislike automatic data transfer
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
17
Few read privacy policies
 3% review online privacy policies carefully most
of the time
• Most likely to review policy before providing credit card
info
• Policies too time consuming to read and difficult to
understand
 70% would prefer standard privacy policy format
 Most interested in knowing about data sharing
and how to get off marketing lists
 People are more comfortable at sites that have
privacy policies, even if they don’t read them
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
18
Survey references

Mark S. Ackerman, Lorrie Faith Cranor and Joseph Reagle, Beyond Concern: Understanding
Net Users’ Attitudes About Online Privacy, (AT&T Labs, April 1999),
http://www.research.att.com/projects/privacystudy/

Mary J. Culnan and George R. Milne, The Culnan-Milne Survey on Consumers & Online
Privacy Notices: Summary of Responses, (December 2001),
http://www.ftc.gov/bcp/workshops/glb/supporting/culnan-milne.pdf.

Cyber Dialogue, Cyber Dialogue Survey Data Reveals Lost Revenue for Retailers Due to
Widespread Consumer Privacy Concerns, (Cyber Dialogue, November 7, 2001),
http://www.cyberdialogue.com/news/releases/2001/11-07-uco-retail.html.

Forrester Research, Privacy Issues Inhibit Online Spending, (Forrester, October 3, 2001).

Louis Harris & Associates and Alan F. Westin, Commerce, Communication and Privacy
Online (Louis Harris & Associates, 1997),
http://www.privacyexchange.org/iss/surveys/computersurvey97.html

Louis Harris & Associates and Alan F. Westin. E-Commerce and Privacy, What Net Users
Want, (Sponsored by Price Waterhouse and Privacy & American Business. P & AB, June
1998). http://www.privacyexchange.org/iss/surveys/ecommsum.html

Opinion Research Corporation and Alan F. Westin. “Freebies” and Privacy: What Net Users
Think. Sponsored by Privacy & American Business. P & AB, July 1999.
http://www.privacyexchange.org/iss/surveys/sr990714.html

Privacy Leadership Initiative, Privacy Notices Research Final Results, (Conducted by Harris
Interactive, December 2001),
http://www.ftc.gov/bcp/workshops/glb/supporting/harris%20results.pdf
An extensive list of privacy surveys from around the world is available from
http://www.privacyexchange.org/iss/surveys/surveys.html.
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
19
Privacy laws and self-regulation
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
20
Terminology
 Data subject
• The person whose data is collected
 Data controller
• The entity responsible for collected data
 Primary use of personal information (primary
purpose)
• Using information for the purposes intended by the
data subjects when they provided the information
 Secondary use of personal information
(secondary purpose)
• Using information for purposes that go beyond the
primary purpose
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
21
OECD fair information principles
http://www.datenschutzberlin.de/gesetze/internat/ben.htm
 Collection limitation
 Data quality
 Purpose specification
 Use limitation
 Security safeguards
 Openness
 Individual participation
 Accountability
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
22
US FTC simplified principles
 Notice and disclosure
 Choice and consent
 Data security
 Data quality and access
 Recourse and remedies
US Federal Trade Commission, Privacy Online: A Report to
Congress (June 1998),
http://www.ftc.gov/reports/privacy3/
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
23
Laws and regulations
 Privacy laws and regulations vary widely throughout the
world
 US has mostly sector-specific laws, with relatively minimal
protections
• Federal Trade Commission has jurisdiction over fraud and
deceptive practices
• Federal Communications Commission regulates
telecommunications
 European Data Protection Directive requires all European
Union countries to adopt similar comprehensive privacy
laws
• Privacy commissions in each country (some countries have
national and state commissions)
• Many European companies non-compliant with privacy laws (2002
study found majority of UK web sites non-compliant)
• Safe Harbor allows US companies to self-certify compliance
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
24
US law basics
Constitutional law governs the rights of
individuals with respect to the government
Tort law governs disputes between private
individuals or other private entities
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
25
US Constitution
 No explicit privacy right, but a zone of privacy recognized in its
penumbras, including
•
•
•
•
•
1st amendment (right of association)
3rd amendment (prohibits quartering of soldiers in homes)
4th amendment (prohibits unreasonable search and seizure)
5th amendment (no self-incrimination)
9th amendment (all other rights retained by the people)
 Penumbra: “fringe at the edge of a
deep shadow create by an object
standing in the light”
(Smith 2000, p. 258, citing Justice William O. Douglas in Griswold v. Connecticut)
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
26
Federal statutes and state laws
 Federal statutes
• Tend to be narrowly focused
 State law
• State constitutions may recognize explicit right to
privacy (Georgia, Hawaii)
• State statutes and common (tort) law
• Local laws and regulations (for example: ordinances
on soliciting anonymously)
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
27
Four aspects of privacy tort
 You can sue for damages for the following torts
(Smith 2000, p. 232-233)
• Disclosure of truly intimate facts
 May be truthful
 Disclosure must be widespread, and offensive or objectionable to a
person of ordinary sensibilities
 Must not be newsworthy or legitimate public interest
• False light
 Personal information or picture published out of context
• Misappropriation (or right of publicity)
 Commercial use of name or face without permission
• Intrusion into a person’s solitude
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
28
Some US privacy laws
 Bank Secrecy Act, 1970
 Fair Credit Reporting Act, 1971
 Privacy Act, 1974
 Right to Financial Privacy Act, 1978
 Cable TV Privacy Act, 1984
 Video Privacy Protection Act, 1988
 Family Educational Right to Privacy Act, 1993
 Electronic Communications Privacy Act, 1994
 Freedom of Information Act, 1966, 1991, 1996
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
29
US law – recent additions
 HIPAA (Health Insurance Portability and
Accountability Act, 1996)
• When implemented, will protect medical records and
other individually identifiable health information
 COPPA (Children‘s Online Privacy Protection Act,
1998)
• Web sites that target children must obtain parental
consent before collecting personal information from
children under the age of 13
 GLB (Gramm-Leach-Bliley-Act, 1999)
• Requires privacy policy disclosure and opt-out
mechanisms from financial service institutions
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
30
Safe harbor
 Membership
• US companies self-certify adherence to requirements
• Dept. of Commerce maintains signatory list
http://www.export.gov/safeharbor/
• Signatories must provide
 notice of data collected, purposes, and recipients
 choice of opt-out of 3rd-party transfers, opt-in for sensitive
data
 access rights to delete or edit inaccurate information
 security for storage of collected data
 enforcement mechanisms for individual complaints
 Approved July 26, 2000 by EU
• reserves right to renegotiate if remedies for EU citizens
prove to be inadequate
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
31
Privacy self-regulation
 Since 1995, the US FTC has pressured companies to
“self regulate” in the privacy area
 Self regulation may be completely voluntary or mandatory
(or somewhere in between)
 Self-regulatory programs and initiatives
•
•
•
•
•
Seals
CPOs
Privacy policies
Platform for Privacy Preferences (P3P) Project
Industry guidelines
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
32
Voluntary privacy guidelines
 Online Privacy Alliance
http://www.privacyalliance.org
 Direct Marketing Association Privacy Promise
http://www.thedma.org/library/
privacy/privacypromise.shtml
 Network Advertising Initiative Principles
http://www.networkadvertising.org/
 CTIA Location-based privacy guidelines
http://www.wowcom.com/news/press/body.cfm?record_id=907
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
33
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
34
Chief privacy officers
 Companies are increasingly appointing CPOs to
have a central point of contact for privacy
concerns
 Role of CPO varies in each company
•
•
•
•
Draft privacy policy
Respond to customer concerns
Educate employees about company privacy policy
Review new products and services for compliance with
privacy policy
• Develop new initiatives to keep company out front on
privacy issue
• Monitor pending privacy legislation
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
35
Seal programs
 TRUSTe – http://www.truste.org
 BBBOnline – http://www.bbbonline.org
 CPA WebTrust –
http://www.cpawebtrust.org/
 Japanese Privacy Mark
http://privacymark.org/
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
36
Seal program problems
Certify only compliance with stated policy
• Limited ability to detect non-compliance
Minimal privacy requirements
Don’t address privacy issues that go
beyond the web site
Nonetheless, reporting requirements are
forcing licensees to review their own
policies and practices and think carefully
before introducing policy changes
Computers and Society • Carnegie Mellon University • Spring 2006 • Cranor/Tongia/Farber • http://cups.cs.cmu.edu/courses/compsoc-sp06/
37