Transcript Privacy Breeches

Privacy Issues (set 3)
CS 340
Spring 2015
Lotame: Data Management Intelligence
http://www.lotame.com/data-management-solutions/datamanagement-tutorials
Online tracking devices
• Cookies: small text file that stores
information
• Stored client side, on hard drive
• Cookie creator: Lou Montulli
• Originally
• To allow for shopping cart functionality
(online memory)
• Effort made to not allow the sharing of
these between sites
• Now
• Third party cookies: site to site
• Behavioral Targeting: ad network;
relationship with same advertiser
http://live.wsj.com/video/how-advertisers-use-internetcookies-to-track-you/92E525EB-9E4A-4399-817D8C4E6EF68F93.html#!92E525EB-9E4A-4399-817D8C4E6EF68F93
Third Party tracking files
• “The first time a site is visited, it installs a tracking file, which assigns
the computer a unique ID number. Later, when the user visits another
site affiliated with the same tracking company, it can take note of
where that user was before, and where he is now. This way, over time
the company can build a robust profile.”
Online tracking devices cont’d
• Beacons
• a.k.a. pixel tag, web bug
• Invisible image embedded in
webpage
• Image is not place there by
website, but by other company for
ad tracking
• Potentials:
http://www.brighttag.com/resources/tag-101/
• Capture of what is typed on a
website
• Bundles into a profile
WSJ article:
“The Web's New Gold Mine: Your Secrets”
• http://online.wsj.com/n • Info on Ashley HayesBeaty:
ews/articles/SB1000142
• 4c812db292272995e541
40527487039409045753
6a323e79bd37
95073512989404
• Valued at $0.001
The WSJ study findings
• Surreptitious installation of tracking technology
• Not just cookies, but real time logging
• Buying and selling of profiles
Advertisers:
• No longer paying for ad placement on a site
• Paying instead to follow users around Internet with personalized
marketing messages
Online advertiser tracking companies
• “considered anonymous because it identifies web browsers, not
individuals.”
• https://www.privatewifi.com/lotame-online-tracking-and-your-privacy/
• What is tracked:
• http://www.bluekai.com/consumers_privacyguidelines.php
• Opt out options:
• BlueKai http://www.bluekai.com/registry/
• Lotame http://www.lotame.com/privacy
Taking control of the tracking
• Tracking blockers like Ghostery
• https://www.youtube.com/watch?v=EKzyifAvC_U
Which tracking technology is a transparent 1x1 pixel
used to surreptitiously gather what people type?
Th
ir d
Gh
os
te
ry
Pa
rt
yC
oo
ki
e
25% 25% 25% 25%
Be
ac
on
Cookie
Beacon
Third Party Cookie
Ghostery
Co
ok
ie
A.
B.
C.
D.
Privacy
As consumers:
• Most European countries have specific laws and regulations aimed at
protecting an individual’s (consumer) privacy.
• In the US, historically consumer privacy has relied on
• social norms and
• market forces
• laws are typically a last resort or response to an event
• highly reactive and unsystematic
Misc. Privacy Laws
• Fair Credit Reporting Act, 1970
• Children’s Online Privacy
Protection Act (COPPA), 1998
• Right to Financial Privacy Act, 1978
• Info on kids under 13
• Cable Communications Policy
Act, 1984
• Financial Services Modernization
Act, 1999
• Video Protection Privacy Act, 1988
• Health Insurance Portability and
• Driver’s Protection Privacy Act,
Accountability Act (HIPAA), 2001
1994
Texas Infant DNA collection program, p. 96-97
• Routine and often mandatory blood samples collected after birth.
• Reason?
• What happens to the samples after processed?
• Discarded OR
• Stored indefinitely
• See http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3065077/table/T1/
• Motivations?
• Detect important health problems
• Later identification
• Are parents informed? Not always. Raises ethical issues
•
•
•
•
This is not limited to Texas…
Recent issue in Indiana http://www.wthr.com/story/25954821/2014/07/07/your-childs-dna-who-has-it
Alabama policy: http://www.babysfirsttest.org/newborn-screening/states/alabama#second-section
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3065077/
Texas’ use of the newborn blood test cards to catalogue
information unrelated to that infant’s direct health care is an
example of a secondary use of information.
50%
Fa
lse
Tr
ue
A. True
B. False
50%
Opinion: Suppose a public school provides students with
laptops. Should that school be able to turn on a web cam on
the laptop to check on a student’s off campus behavior?
33%
No
33%
M
ay
be
Ye
s
A. Yes
B. Maybe
C. No
33%
Robbins v. Lower Merion School District, p. 98-99
• US District Court PA (2010)
• School district surreptitiously
activated webcams using LANrev
on laptops provided to students
while students were off campus
• Video:
http://www.cbsnews.com/news/6
10k-settlement-in-schoolwebcam-spy-case/
• Settlement: $610,000
European Union’s Right to be Forgotten
• Check out Google’s page “European privacy requests for
search removals”
• FAQs
• Totals
• Examples
• Sites most impacted
Encryption on phones can make it impossible
to comply with court orders
• FBI director Coney’s criticism: Apple can no longer bypass
smartphone user passwords with iOS 8
• Cannot comply with court orders
• See video http://www.cnn.com/2014/09/25/politics/fbi-apple-googleprivacy/index.html
Opinion: Do you expect that this inability will
create serious problems for law enforcement?
ar
el
es
Ye
s,
bu
tr
im
25%
Ne
ve
r
25%
y
25%
so
m
et
Ye
s,
fr e
qu
en
tly
Yes, frequently
Yes, sometimes
Yes, but rarely
Never
Ye
s,
A.
B.
C.
D.
25%
Google’s Street view issues
1. What is captured by the
cameras
2. Other information was
recorded too
• Info gathered about surrounding
Wi-Fi
• War driving
Google’s Street View
• Issue: does it violate privacy when photos are taken that show people
engaged in activities visible from public property?
• General rule: No, but there are some exceptions
• Dept of Defense: no content from military bases. Complied
• Homeland Security: delay with Baltimore-Washington Metropolitan
area
Street view - Is the elevated camera a
problem?
Opinion: The height of the street view
camera is too tall.
50%
No
Ye
s
A. Yes
B. No
50%
International views on Google Street View
• Some European countries prohibit filming w/o consent even if done
on public property if the filming is for the purpose of public display
• Japan: required lowering cameras to 2.05 meters (6.73 ft) from 3
meters (9.8 feet)
The other problem of Street View:
“war driving”
• Collecting data from unsecure networks as the street view car drives
by:
• “Snippets of e-mails, photographs, passwords, chat messages, postings on
Web sites and social networks” http://www.nytimes.com/2012/05/23/technology/googleprivacy-inquiries-get-little-cooperation.html
• In April 2013, Germany fined Google $189,225 in April for Street
View’s privacy violation
• Amount google makes in 2 minutes. .002% of its $10.7 B profit last year.
• See article http://www.nytimes.com/2013/04/23/business/global/stern-words-and-pea-sizepunishment-for-google.html
Google v. Joffe
• 22 plaintiffs suing google for violating their privacy from war driving
during Street View mapping
• Google argued that the Wi-Fi info is accessible to anyone and as such
does not constitute wiretapping
• 9th Circuit rejected Google’s argument
• In June 2014, the US Supreme Court denied certiorari so class actions against
Google for war driving can continue
• http://www.bloomberg.com/news/2014-06-30/google-rebuffed-by-u-s-high-court-onprivacy-lawsuit.html
Opinion: Do you agree with this statement. Since
unsecure Wi-Fi is accessible to many Google did not
violate privacy with its war driving.
50%
hi
si
sa
gr
ee
,t
Id
isa
Ia
gr
ee
,n
o
vi
ol
at
io
n
by
pr
iv
ac
y
vi
ol
...
Go
og
le
A. I agree, no violation by Google
B. I disagree, this is a privacy
violation by Google
50%
Research study: “Experimental evidence of massivescale emotional contagion through social networks”
• On 689,003 Facebook users
• Manipulated News Feed
• Ethical breach?
http://www.theguardian.com/technology/2014/jun/30/facebook-emotionstudy-breached-ethical-guidelines-researchers-say
• http://www.usatoday.com/story/tech/2014/10/02/facebook-tightens-rules-forresearch-experiments-on-users/16592011/
August 2014 iCloud photo hack
• Targeted attack on specific celebrity accounts, not a software or system
vulnerability.
• Guessed passwords
• Researched and answered security questions
• Found nude photos in celebrities’ iCloud accounts & posted nude photos
on sites like 4chann
• Could have been prevented with two factor authentication. Requiring two
of:
• Something user knows
• Something user has
• Something user is
Supplying a username and password
constitutes two factor authentication.
50%
50%
Fa
lse
Tr
ue
A. True
B. False