Transcript Slide 1

Privacy
Chapter 5
Kirsten Ribu - MS008A - Ethics - Hio 2004
Topics





The right to privacy – Laws and
regulations
Public records – the role of The Data
Inspectorate - ’Datatilsynet’ (Norway)
Public and Private Information
Data collection
Wiretapping and surveillance
Philosophical perspectives on privacy


5.2.1: Defining privacy:
Edmund Byrne: Privacy = ”a zone of
inaccessibility” that surrounds a person



Privacy is not the same as being alone:


Example: Locking the door when you go to the toilet
You do not give away your identification number
(personnummer) to everybody
Intellectual or personal relationships are for instance
private
Harms:



Violence in the family
Too great a burden on the family to care for its
members
Modern society:
loneliness
Benefits
Privacy is necessary for the individual's
growth and development
Development as a unique person
Fostering intellectual activities and
creativity
Development of close relationships

What is private and what is public?


Public = known to all
Public information: information you have
provided to an organisation that has a
right to share it with other organisations


Example: Telephone directory
Personal information: not part of a public
record


Example: Your religion, what you vote for
If you disclose it to an organisation with the
right to inform other organisations, it
becomes public information
Is there a Natural Right to Privacy?
5.2.3: Privacy rights evolve from property
rights
”A man’s home is his castle”
No one can enter without probable cause
(remember the discussion in class?)

Principles for data collection and use
The first principle for ethical treatment of
personal information is informed
consent:
Businesses and organisations must inform
people about what information they are collecting
and how they will use it
Give people a choice whether data
collected about them can be distributed to
other businesses or organisations

Privacy principles for personal data







1. Collect only data needed
2. Inform people when data is collected, what is
collected and how it will be used
3. Offer a way for people to opt out from mailing
lists and from transfer of their data to other
parties
4. Provide stronger protection for sensitive data
(for example medical data, religion, etc.)
5. Keep data only so long as needed
6. Maintain accuracy and security of data
7. Provide a way for people to access and correct
data stored about them
Laws and regulations




The Data Inspectorate
Personal Data Act – Norway
European law
US law – Privacy Act of 1974
The Data Inspectorate



The Data Inspectorate, an independent administrative body
under the Norwegian Ministry of Labour and Government
Administration, was set up in 1980 to ensure enforcement
of the Data Register Act of 1978, now made obsolete by the
commencement of the Personal Data Act of 2000.
The purpose of this Act is to protect persons from violation
of their right to privacy through the processing of personal
data.
The Act shall help to ensure that personal data are
processed in accordance with fundamental respect for the
right to privacy, including the need to protect personal
integrity and private life and ensure that personal data are
of adequate quality.
Section 2 Definitions
Sensitive information

For the purposes of this Act, the following
definitions shall apply:



personal data: any information and assessments that
may be linked to a natural person,
processing of personal data: any use of personal data,
such as collection, recording, alignment, storage and
disclosure or a combination of such uses,
personal data filing system: filing systems, records, etc.
where personal data is systematically stored so that
information concerning a natural person may be
retrieved.
Cont….





controller: the person who determines the purpose of the
processing of personal data and which means are to be
used,
processor: the person who processes personal data on
behalf of the controller,
data subject: the person to whom personal data may be
linked,
consent: any freely given, specific and informed declaration
by the data subject to the effect that he or she agrees to
the processing of personal data relating to him or her,
sensitive personal data: information relating to
a) racial or ethnic origin, or political opinions, philosophical
or religious beliefs,
b) the fact that a person has been suspected of, charged
with, indicted for or convicted of a criminal act,
c) health,
d) sex life,
e) trade-union membership.
Section 33 Obligation to obtain a
licence (konsesjonsplikt)


A licence from the Data Inspectorate is required
for the processing of sensitive personal data.
This does not apply, however, to the processing
of sensitive personal data which have been
volunteered by the data subject.
The Data Inspectorate may decide that the
processing of data other than sensitive personal
data shall also be subject to licensing, if such
processing otherwise will clearly violate weighty
interests relating to protection of privacy. In
assessing whether a licence is necessary, the
Data Inspectorate shall, inter alia take account of
the nature and quantity of the personal data and
the purpose of the processing.
Cont………



The controller may demand that the Data
Inspectorate decide whether processing will be
subject to licensing.
The obligation to obtain a licence pursuant to the
first and second paragraphs shall not apply to the
processing of personal data in central
government or municipal bodies when such
processing is authorized by special statute.
The King may prescribe regulations to the effect
that certain processing methods are not subject
to licensing pursuant to the first paragraph. As
regards processing methods which are exempt
from licensing, regulations may be prescribed to
limit the disadvantages which processing may
otherwise entail for the data subject.
Section 8 - Conditions for the
processing of personal data

Personal data may only be processed if the data
subject has consented thereto, or there is
statutory authority for such processing, or the
processing is necessary in order






a) to fulfil a contract to which the data subject is party,
or to take steps at the request of the data subject prior
to entering into such a contract,
b) to enable the controller to fulfil a legal obligation,
c) to protect the vital interests of the data subject,
d) to perform a task in the public interest,
e) to exercise official authority, or
f) to enable the controller or third parties to whom the
data are disclosed to protect a legitimate interest,
except where such interest is overridden by the interests
of the data subject.
Section 9 Processing of sensitive
personal data

Sensitive personal data (cf. section 2, no.8) may
only be processed if the processing satisfies one
of the conditions set out in section 8 and
a) the data subject consents to the processing,
b) there is statutory authority for such
processing,
c) the processing is necessary to protect the vital
interests of a person, and the data subject is
incapable of giving his or her consent,
d) the processing relates exclusively to data
which the data subject has voluntarily and
manifestly made public,
e) the processing is necessary for the
establishment, exercise or defence of a legal
claim,
Continued
f) the processing is necessary to enable the
controller to fulfil his obligations or exercise his
rights in the field of employment law,
g) the processing is necessary for the purposes of
preventive medicine, medical diagnosis, the
provision of care or treatment or the
management of health care services, and where
the data are processed by health professionals
subject to the obligation of professional secrecy,
or
h) the processing is necessary for historical,
statistical or scientific purposes, and the public
interest in such processing being carried out
clearly exceeds the disadvantages it might entail
for the natural person.
Example

Statkraft - Software

If you publish the information yourself, and
decide who can see it, this is perfectly legal!
European Convention for the Protection of
Human Rights and Fundamental Freedoms
ARTICLE 8:
Everyone has the right to respect for his private
and family life, his home and his correspondence.
There shall be no interference by a public authority
with the exercise of this right except such as is in
accordance with the law and is necessary in a
democratic society in the interests of national
security, public safety or the economic well-being
of the country, for the prevention of disorder or
crime, for the protection of health or morals, or for
the protection of the rights and freedoms of
others.
Universal Declaration of Human
Rights (1948) Article 12

No one shall be subjected to arbitrary
interference with his privacy, family,
home or correspondence, nor to attacks
upon his honour and reputation. Everyone
has the right to the protection of the law
against such interference or attacks.

http://www.un.org/Overview/rights.html
Article 18

Everyone has the right to freedom of
thought, conscience and religion; this
right includes freedom to change his
religion or belief, and freedom, either
alone or in community with others and in
public or private, to manifest his religion
or belief in teaching, practice, worship
and observance.
International Covenant on Civil and
Political Rights - 1966
Article 17
1. No one shall be subjected to arbitrary or unlawful
interference with his privacy, family, home or
correspondence, nor to unlawful attacks on his
honour and reputation.
2. Everyone has the right to the protection of the
law against such interference or attacks.
http://www.unhchr.ch/html/menu3/b/a_ccpr.htm
EU
The European Union passed a privacy
directive on the processing of personal data
EU Directive 95/46/EC
Processing = collection, use, storage,
retrieval, transmission, destruction and
other actions
General principles that the EU members
were required to implement in their own
laws

EU Directive 95/46/EC
The Data Protection Directive
The right to privacy is a highly developed
area of law in Europe. All the member
states of the European Union are also
signatories of the European Convention on
Human Rights (ECHR).
Article 8 of the ECHR provides a right to
respect for one's "private and family life,
his home and his correspondence",
subject to certain restrictions.

Main principles

Personal data may be collected only for
specified explicit purposes:
Principles
Personal data should not be processed at
all, except when certain conditions are
met.
These conditions fall into three categories:




transparency,
legitimate purpose
proportionality.
Transparency

The data subject has the right to be
informed when his personal data are being
processed. The controller must provide his
name and address, the purpose of
processing, the recipients of the data and
all other information required to ensure
the processing is fair. (art. 10 and 11)
Legitimate Purpose

Personal data can only be processed for
specified, explicit and legitimate purposes
and may not be processed further in a
way incompatible with those purposes.
(art. 6 b)
Proportionality



Personal data may be processed only insofar as it is
adequate, relevant and not excessive in relation to the
purposes for which they are collected and/or further
processed.
The data must be accurate and, where necessary, kept up
to date; every reasonable step must be taken to ensure
that data which are inaccurate or incomplete, having regard
to the purposes for which they were collected or for which
they are further processed, are erased or rectified;
The data shouldn't be kept in a form which permits
identification of data subjects for longer than is necessary
for the purposes for which the data were collected or for
which they are further processed […]
EU vs USA



The EU has much stricter regulations than the US
on collection and use of personal information
The EU Data Privacy Directive prohibits transfer of
personal data to countries outside the EU that do
not have adequate protection of the use of
personal data
This has caused serious problems


Example: in 2001, the EU decided that Australia did not
have adequate privacy protection
Australia allows businesses to create their own
privacy codes
The US

The US has laws covering specific areas such as








Medical information
Video rentals
Driver licence records
Does not have comprehensive privacy laws covering all
personal data
Many Europeans describe the US as ’behind Europe’
because the US does not have federal legislation regulating
personal data collection and use
Others say that there are different cultures and traditions
Europe puts more stress on centralisation and regulations
The US puts more emphasis on the flexibility and freedom of the
market
THE PRIVACY ACT OF 1974 (US)
SECTION 2

The Congress finds that -


(1) the privacy of an individual is directly affected by the
collection, maintenance, use, and dissemination of
personal information by Federal agencies;
(2) the increasing use of computers and sophisticated
information technology, while essential to the efficient
operations of the Government, has greatly magnified the
harm to individual privacy that can occur from any
collection, maintenance, use, or dissemination of
personal information;
(3) the opportunities for an individual to secure
employment, insurance, and credit, and his right to due
process, and other legal protections are endangered by
the misuse of certain information systems
continued
(4) the right to privacy is a personal and
fundamental right protected by the
Constitution of the United States; and
(5) in order to protect the privacy of
individuals identified in information
systems maintained by Federal agencies,
it is necessary and proper for the
Congress to regulate the collection,
maintenance, use, and dissemination of
information by such agencies.
Crime, terrorism and wiretapping





Wiretapping: Traditional interception of
telephone conversations
Affects innocent people
Is it acceptable in the combat against
crime?
Discuss
Voice over IP – new technology – does
this influence the view on wiretapping?
Discuss
Search and surveillance tools

Security cameras




Banks, shops, prisons ….
Who’s got your picture?
Have cameras reduced crime?
Electronic body searches



Airports use x-ray devices
Some devices display an image of the person
without clothes – originally used to detect drug
smuggling
After 9/11 these machines are used for airport
security
More……………..

Satellite surveillance and thermal imaging


Satellites use computer technologies to take detailed
photos of the earth
In the US: use them to catch people growing marijuana?
Growing cotton without permits
Can be used to find people who build illegally ….
Automated toll collection and purchase records





Sensors read a device in the car (Fjellinjen)
Databases contain a record of where the person travels
Can the information be used to track people?
The system does not provide anonymity
Records of our shopping
The Center for Democracy and
Technology



Works to promote democratic values and
constitutional liberties in the digital age.
With expertise in law, technology, and policy,
CDT seeks practical solutions to enhance free
expression and privacy in global communications
technologies.
CDT is dedicated to building consensus among
all parties interested in the future of the Internet
and other new communications media.
http://www.cdt.org/mission/
Privacy International




Privacy International (PI) is a human rights
group formed in 1990 as a watchdog on
surveillance and privacy invasions by
governments and corporations.
PI is based in London, England, and has an office
in Washington, D.C.
PI has conducted campaigns and research
throughout the world on issues ranging from
wiretapping and national security, to ID cards,
video surveillance, data matching, police
information systems, medical privacy, and
freedom of information and expression.
http://www.privacyinternational.org/survey/censorship/
Silenced – an international report



Silenced is an independent research initiative
managed jointly by Privacy International and the
GreenNet Educational Trust. The twelve-month project
was undertaken through a collaboration of more than
fifty experts and advocates throughout the world. The
work was made possible by a grant from the Open
Society Institute.
The Internet has evolved to become an increasingly
important platform not just for economic
development, but also as a support for advocates who
wish to express their opinion freely and to work
toward the development of democracy.
The medium has provided opportunities for citizens to
participate in forums, and to discuss and debate
issues that concern them.
Cont…………



Unlike other media where the information flow is
unidirectional - from the government to the
masses - the Internet allowed a multi-way
communication process giving the chance for
anybody to air their opinions and views on issues
affecting them.
The development of the Internet has led to
more horizontal and less vertical communication.
Control and censorship have a substantial effect on
the Internet because they undermine confidence
and trust in the medium and inhibit crucial flows
of data.
Silenced

The report
SAGE Code of Ethics
System Administrators' Guild
What is SAGE?


SAGE is a Special Technical Group (STG) of the
USENIX Association.
It is organized to advance the status of
computer system administration as a profession,
establish standards of professional excellence
and recognize those who attain them, develop
guidelines for improving the technical and
managerial capabilities of members of the
profession, and promote activities that advance
the state of the art or the community.
Definition

System administrator n. A system
administrator is one who, as a primary
job function, manages computer and
network systems on behalf of another,
such as an employer or client.

http://www.sage.org/field/
SAGE ’vow’

’We as professional System
Administrators do hereby commit
ourselves to the highest standards of
ethical and professional conduct, and
agree to be guided by this code of ethics,
and encourage every System
Administrator to do the same.’
Professional Code of Conduct

SAGE code of ethics is not:





a set of enforceable laws
a list of procedures
a list of sanctions and punishments
It states the need for SAs to maintain
a high standard of professionalism
http://www.sage.org/ethics.mm
SAGE Code of Ethics (1/3)

The integrity of a system administrator must be
beyond reproach




SAs come in contact with privileged information regularly
SAs need to protect integrity and privacy of data
SAs must uphold law and policies as established for their
system
A system administrator shall not unnecessarily
infringe upon the rights of users


No tolerance for discrimination except when required for the
job
Must not exercise special powers to access information
except when necessary
SAGE Code of Ethics (2/3)

Communications of system administrators with
all whom they may come in contact shall be
kept to the highest standards of professional
behavior.



Must keep users informed of computing matters that
might affect them
Must give impartial advice, and disclose any potential
conflicts of interest
The continuance of professional education is
critical to maintaining currency as a system
administrator.

Reading, study, training, and sharing knowledge and
experiences are requirements
SAGE Code of Ethics (3/3)

A system administrator must maintain an exemplary
work ethic.


A sysadmin can have a significant impact on an
organization – a high level of trust is maintained by
exemplary behavior
At all times system administrators must display
professionalism in the performance of their duties.

You need to be professional, when dealing with
management, vendors, users, or other sysadmins
ACM Code of Ethics and
Professional Conduct



Association for
Computing Machinery
Commitment to ethical professional conduct is
expected of every member (voting members,
associate members, and student members) of
the Association for Computing Machinery
(ACM).
http://www.acm.org/constitution/code.html
Next week


Thursday – this week: Consultation on
essays
Lecture Tuesday next week:


Computer Crime
Based on the seminar: Computer crime –
from break-in to trial