Privacy

Prepared by: Behrang Parhizkar.

Transcript of Privacy

Page 2: Privacy

Privacy Protection

Privacy

Key concern of Internet users

Top reason why nonusers still avoid the Internet

to being able to keep certain information to ourselves and to control what happens to our personal information

Page 3: Privacy

Privacy Issues

Anytime you submit information on the Internet, it is possible for it to be gathered by many individuals and used for various situations. Information can also be gathered from online data regarding:

- School
- Banking
- Hospitals
- Insurance
- Credit History, etc.

If a company provides you with e-mail, the information you send is available to the company. The company can also monitor Internet logs to determine web sites that have been visited.

Page 4: Privacy

Privacy Protection and the Law

Systems collect and store key data from every interaction with customers.

Many object to data collection policies of government and business.

Reasonable limits must be set

Historical perspective on the right to privacy

Fourth Amendment - reasonable expectation of privacy

Page 5: Privacy

The Right of Privacy

Definition

“The right to be left alone—the most comprehensive of rights, and the right most valued by a free people”

“The right of individuals to control the collection and use of information about themselves”

Page 6: Privacy

The Right of Privacy

Legal aspects

- Protection from unreasonable intrusion upon one’s isolation
- Protection from appropriation of one’s name or likeness

Page 7: Privacy

Summary of the 1980 OECD Privacy Principles

Organization for Economic Cooperation and Development 

Page 8: Privacy

Legal Overview: The Privacy Act

Secure Flight airline safety program (2009)

- Compares the names and information of 1.4 million daily U.S. airline passengers with data on known or suspected terrorists.
- Is the latest proposed government system for running database checks on Americans who travel by air.
- Secure Flight will match passenger information against blacklists maintained by the federal government.
- Violation of Privacy Act

Page 9: Privacy

Governmental Electronic Surveillance

Federal Wiretap Act

• Outlines processes to obtain court authorization for surveillance of all kinds of electronic communications

• Judge must issue a court order based on probable cause

• Almost never deny government requests

“Roving tap” authority

• Does not name specific telephone lines or e-mail accounts

• Gets access to all accounts that are tied to a specific person

Page 10: Privacy

Page 11: Privacy

Governmental Electronic Surveillance

Electronic Communications Privacy Act of 1986 (ECPA)

- Sets standards for access to stored e-mail and other electronic communications and records.
- Prosecutor does not have to justify requests
- Judges are required to approve every request
- Highly controversial, especially collection of computer data sent over the Internet

Page 12: Privacy

Governmental Electronic Surveillance

Foreign Intelligence Surveillance Act of 1978 (FISA)

- Allows wiretapping of aliens and citizens in the United States
- Against FBI, CIA & NSA for some illegal surveillance
- Based on finding of probable cause that a target is:
  - Member of a foreign terrorist group
  - Agent of a foreign power

Executive Order 12333

- Legal authority for electronic surveillance outside the United States

Page 13: Privacy

Governmental Electronic Surveillance

Communications Assistance for Law Enforcement Act (CALEA)

- Requires the telecommunications industry to build tools into its products so that federal investigators can eavesdrop on conversations
  - After getting court approval
- Contains a provision covering radio-based data communication
- Includes voice over Internet (VoIP) technology

Page 14: Privacy

Governmental Electronic Surveillance

USA Patriot Act of 2001

Gives sweeping new powers to:

- Domestic law enforcement against terrorism
- International intelligence agencies

Page 15: Privacy

Key Provisions of the USA Patriot Act Subject to Sunset

Page 16: Privacy

Key Provisions of the USA Patriot Act Subject to Sunset

Page 17: Privacy

Identity Theft

Theft of key pieces of personal information to gain access to a person’s financial accounts

Information includes:

- Name
- Address
- Date of birth
- Social Security number
- Passport number
- Driver’s license number
- Mother’s maiden name

Page 18: Privacy

Identity Theft

Page 19: Privacy

Identity Theft

- Fastest growing form of fraud in the United States
- Lack of initiative in informing people whose data was stolen

Phishing

- Attempt to steal personal identity data
- By tricking users into entering information on a counterfeit Web site
- Spear-phishing - a variation in which employees are sent phony e-mails that look like they came from high-level executives within their organization

https://www.chase.com/index.jsp?pg_name=ccpmapp/privacy_security/fraud/page/fraud_examples

Page 20: Privacy

Phishing and privacy

For a demonstration of how a real phishing scheme works, visit www.identitytheftsecrets.com

The Privacy Rights Clearinghouse (PRC) is warning consumers about another form of fraud that can happen when online users reply to phishing emails.

The personal information they provide might be used to register web site domains that bilk unwitting online users out of funds they believe are being used for legitimate transactions.

Page 21: Privacy

E-mail Used by Phishers

Page 22: Privacy

Identity Theft

Spyware

- Keystroke-logging software
- Enables the capture of:
  - Account usernames
  - Passwords
  - Credit card numbers
  - Other sensitive information
- Operates even if an infected computer is not connected to the Internet

Identity Theft and Assumption Deterrence Act of 1998 was passed to fight fraud

Page 23: Privacy

Top 5 Examples Of Spyware

- CoolWebSearch: based on bugs in IE
- Internet Optimizer (DyFuCa)
- Zango: transmits detailed information to advertisers about the Web sites which you visit.
- HuntBar (WinTools): appears as an ActiveX message pop-up; once installed, steals information
- Zlob trojan: downloads itself onto your PC via ActiveX

Page 24: Privacy

Consumer Profiling

- Companies openly collect personal information about Internet users
- Cookies: text files that a Web site puts on a user’s hard drive so that it can remember the information later
- Tracking software
- Similar methods are used outside the Web environment
- Databases contain a huge amount of consumer behavioral data

Page 25: Privacy

Cookies

The web site might offer you products or ads tailored to your interests, based on the contents of the cookie data.

Some, called third-party cookies, communicate data about you to an advertising clearinghouse which in turn shares that data with other online marketers.

Page 26: Privacy

Consumer Profiling

Affiliated Web sites

- Group of Web sites served by a single advertising network
- Customized service for each consumer

Types of data collected while surfing the Web

- GET data
- POST data
- Click-stream data

Page 27: Privacy

Consumer Profiling

Four ways to limit or even stop the deposit of cookies on hard drives:

- Set the browser to limit or stop cookies
- Manually delete them from the hard drive
- Download and install a cookie-management program
- Use anonymous browsing programs that don’t accept cookies

Cookie Monster 3.47

Page 28: Privacy

Consumer Profiling

Platform for Privacy Preferences (P3P)

Is a protocol allowing websites to declare their intended use of information they collect about web browser users

Page 29: Privacy

Manager’s Checklist for Treating Consumer Data Responsibly

Page 30: Privacy

Privacy in Workplace

Employers will have access to personal information about employees and this information may be sensitive and employees may wish to keep this information private.

This means that employers will need to think about the way in which they collect, use and disclose information they obtain from employees.

Page 31: Privacy

Privacy in Workplace

It is good privacy practice that the employer tell the employee why they are collecting the information and who the employer might pass that information on to.

Best practice: employers allow employees to access personal information about themselves which is held by their employer.

Page 32: Privacy

Workplace Monitoring

- Employers monitor workers
  - Ensures that corporate IT usage policy is followed
- Fourth Amendment cannot be used to limit how a private employer treats its employees
- Public-sector employees have far greater privacy rights than in the private industry
- Privacy advocates want federal legislation
  - To keep employers from infringing upon privacy rights of employees

Page 33: Privacy

Advanced Surveillance Technology

Camera surveillance

- U.S. cities plan to expand surveillance systems
- “Smart surveillance system”

Facial recognition software

- Identifies criminal suspects and other undesirable characters
- Yields mixed results

Global Positioning System (GPS) chips

- Placed in many devices
- Precisely locate users

Page 34: Privacy

Privacy Protection: Ten guidelines

1. Remove personally identifiable data from storage media

2. Store an identical copy of any evidentiary media given to law enforcement

3. Limit search to goal of investigation

4. Handle time stamped events in strictest confidence

5. On networks, packet acknowledgement should be via the use of tokens rather than IP addresses

Page 35: Privacy

Privacy Protection: Ten guidelines

6. Safe storage of all internal logs

7. Preservation of event logs in external nodes

8. Put policies in place for actionable items related to attacks

9. Put policies in place for safeguarding backed up data related to an investigation

10. Handle disposal of sensitive data in a secure manner

Page 36: Privacy

Can online services track and record my activity?

Yes. Many people expect that their online activities are anonymous. They are not. It is possible to record virtually all online activities.

This information can be collected by a subscriber's own ISP and by web site operators.

Page 37: Privacy

DATA PROFILING

As we make our way through everyday life, data is collected from each of us, frequently without our consent and often without our realization.

- We pay our bills with credit cards and leave a data trail consisting of purchase amount, purchase type, date, and time.
- Data is collected when we pay by check.
- Our use of supermarket discount cards creates a comprehensive database of everything we buy.
- When our car, equipped with a radio transponder, passes through an electronic toll booth, our account is debited and a record is created of the location, date, time, and account identification.
- We leave a significant data trail when we surf the Internet and visit websites.
- When we subscribe to a magazine, sign up for a book or music club, join a professional association, fill out a warranty card, give money to charities, donate to a political candidate, tithe to our church or synagogue, invest in mutual funds, when we make a telephone call, when we interact with a government agency: with all of these transactions we leave a data trail that is stored in a computer.

Page 38: Privacy

Browsers

It's important to be aware of the information transmitted to remote computers by the software you use to browse web sites. The major browsers are Netscape Navigator and Microsoft Internet Explorer. Internet Explorer has P3P (Platform for Privacy Preferences).

Most web browsers invisibly provide web site operators with information about your ISP as well as information about other web sites you have visited. Some web browsers, particularly if they have not been updated with security fixes, may be tricked into reporting the user's default e-mail address, phone number, and other information in the "address book" if the browser also handles your e-mail.

Page 39: Privacy

Privacy policies and web seals

The Federal Trade Commission urges commercial web site operators to spell out their information collection practices in privacy policies posted on their web sites. Most commercial web sites now post policies about their information-collection practices. Look for a privacy "seal of approval," such as TRUSTe (www.truste.org), on the first page of the web site. TRUSTe participants agree to post their privacy policies and submit to audits of their privacy practices in order to display the logo.

Other seals of approval are offered by the Council of Better Business Bureaus (BBB), www.bbbonline.org, the American Institute of Certified Public Accountants, WebTrust, www.cpawebtrust.org, and the Entertainment Software Rating Board, www.esrb.org/privacy.

Workplace monitoring. Individuals who access the Internet from work should know that employers are increasingly monitoring the Internet sites that an employee visits. Be sure to inquire about your employer's online privacy policy.

Page 40: Privacy

Can an online service access information stored in my computer without my knowledge?

Yes. Many of the commercial online services such as AOL automatically download graphics and program upgrades to the user's home computer.

Companies typically explain that they collect information such as users' hardware, software and usage patterns to provide better customer service.

It is difficult to detect these types of intrusions. You should be aware of this potential privacy abuse and investigate new services thoroughly before signing on.

Always read the privacy policy and the service agreement of any online service you intend to use.

Page 41: Privacy

What about cybercafes, airports, and other publicly-available Internet terminals?

You should avoid using public terminals to access your bank account, check your credit card statement, pay bills, or access any other personally or financially sensitive information.

Publicly-available Internet terminals are not likely to be closely supervised to ensure online privacy and security. They are used by many individuals every day.

Find out if they have installed a program that clears Internet caches, deletes cookies, erases surfing history, and removes temporary files.

Page 42: Privacy

What can I do to protect my privacy in cyberspace?

Password change

Look for the privacy policy of the online services you use. Most Internet Service Providers (ISP) have adopted privacy policies that they post on their web sites and other user documentation. When you surf the web, look for the privacy policies posted on the web sites you visit. Also look for a privacy "seal" such as TRUSTe or BBBOnline.

Check your browser's cookie settings. You may accept or reject all cookies, or you may allow only those cookies generated by the website you are visiting. You may want to set a security level for trusted websites while blocking cookie activity for all others.

Shop around. Investigate new services before using them. Post a question about a new service in a dependable forum or newsgroup. Use a search engine such as http://groups.google.com to find archived discussions and newsgroup postings about the service that you are considering.

Don’t post your private content on social networks. Don’t use location-based social network applications for all of your individual work.
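The three browser cookie settings described above (accept all, reject all, or only cookies from the website being visited), together with the third-party cookies from the Cookies slide, as an added example that is not part of the original slides. The `.example` hosts and cookie values are constructed, and a "site" is approximated as the last two hostname labels, whereas real browsers consult the Public Suffix List.

```python
from urllib.parse import urlsplit

POLICIES = ("accept_all", "reject_all", "first_party_only")


def site_of(url):
    """Approximate the 'site' as the last two hostname labels (assumption)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def filter_cookies(policy, page_url, responses):
    """Apply a cookie setting to the responses fetched while loading one page.

    responses is a list of (response_url, set_cookie_header) pairs.
    Returns (stored, blocked), each a list of (cookie_name, setter_site, party).
    """
    if policy not in POLICIES:
        raise ValueError("unknown policy: %r" % policy)
    page_site = site_of(page_url)
    stored, blocked = [], []
    for url, set_cookie in responses:
        name = set_cookie.split("=", 1)[0].strip()
        setter = site_of(url)
        party = "first-party" if setter == page_site else "third-party"
        allowed = policy == "accept_all" or (
            policy == "first_party_only" and party == "first-party"
        )
        (stored if allowed else blocked).append((name, setter, party))
    return stored, blocked


def tracker_view(policy, visits):
    """Map each third-party site to the sites where its cookie was accepted.

    This is the browsing profile an advertising network can build when the
    same third-party cookie is stored on several unrelated web sites.
    """
    seen = {}
    for page_url, responses in visits:
        stored, _ = filter_cookies(policy, page_url, responses)
        for _name, setter, party in stored:
            if party == "third-party":
                seen.setdefault(setter, set()).add(site_of(page_url))
    return {setter: sorted(sites) for setter, sites in seen.items()}


# Constructed sample: two unrelated sites embed the same advertising pixel.
VISITS = [
    ("https://shop.example/cart", [
        ("https://shop.example/cart", "session=abc123; Path=/; HttpOnly"),
        ("https://static.shop.example/logo.png", "prefs=lang-en; Path=/"),
        ("https://ads.adnet.example/pixel.gif", "uid=7f3c; Path=/"),
    ]),
    ("https://news.example/story", [
        ("https://news.example/story", "visit=1; Path=/"),
        ("https://ads.adnet.example/pixel.gif", "uid=7f3c; Path=/"),
    ]),
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, "->", tracker_view(policy, VISITS))
```

With "accept all", the advertising network sees the same `uid` cookie on both sites; with the first-party-only setting it sees neither, while the shop's own session cookie still works.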

Page 43: Privacy

Notes of Caution…

Assume that your online communications are not private unless you use encryption software. But most encryption programs are not user-friendly and can be inconvenient to use. If you do not use encryption, at least take the following precautions:

Do not provide sensitive personal information (phone number, password, address, credit card number, Social Security number, your health information, date of birth, vacation dates, etc.) in chat rooms, forum postings, e-mail messages, or in your online biography.

Be cautious of "start-up" software that registers you as a product user and makes an initial connection to the service for you. Typically, these programs require you to provide financial account data or other personal information, and then upload this information automatically to the service. These programs may be able to access records in your computer without your knowledge. Contact the service for alternative subscription methods.

Use a pseudonym and a non-descriptive e-mail address when you participate in public forums. Consider obtaining an e-mail address from one of the free web-based e-mail services such as www.hotmail.com or www.yahoo.com

Page 44: Privacy

Notes of Caution…

The "delete" command does not make your e-mail messages disappear. They can still be retrieved from back-up systems. Software utility programs can retrieve deleted messages from your hard drive. If you are concerned about permanently deleting messages and other files on your computer, you should use a file erasing program such as the freeware program at http://cleanup.stevengould.org or the cleanup features of general utility software such as Norton's (http://www.symantec.com/sabu/ncs/) CleanSweep.

Your online biography, if you create one, may be searched system-wide or remotely "fingered" by anyone. If for any reason you need to safeguard your identity, don't create an online "bio." Ask the system operator of your ISP to remove you from its online directory.

If you publish information on a personal web page, note that marketers and others may collect your address, phone number, e-mail address and other information that you provide. If you are concerned about your personal privacy, be discreet in your personal web site.

Be aware that online activities leave electronic footprints for others to see. Your own ISP can determine what search engine terms you use, what web sites you visit, and the dates, times, and durations of your online sessions. Web site operators can often track the activities you engage in by placing "cookies" on your computer. They can learn additional information if they ask you to register on their site. Your web browser also can transmit information to web sites.

Page 45: Privacy

Your Policy for Obtaining Information Online

If you obtain personally identifiable information through online application forms, online surveys, interest lists, inquiry forms, and e-mail subscription forms, your policy must also describe what you use that information for, how long it is retained, how it can be updated or removed, and how it is protected from illegitimate access.

Your policy should explain who will have access to any information that is collected such as your web site administrator, organization staff, and board members.

The policy should explain if information is shared with third parties or other members and for what purpose or under what circumstances.

Page 46: Privacy

Privacy issues of Social Networks

’If you feel like someone is watching you, you're right. If you're worried about this, you have plenty of company. If you're not doing anything about this anxiety, you’re just like almost everyone else.’ (Bob Sullivan, 2011)

Every minute of the day:

• 100,000 tweets are sent
• 684,478 pieces of content are shared on Facebook
• 2 million search queries are made on Google
• 48 hours of video are uploaded to YouTube
• 47,000 apps are downloaded from the App Store
• 3,600 photos are shared on Instagram
• 571 websites are created
• $272,000 is spent by consumers online (source: AllTwitter)

(Source: thesocialskinny.com)

Page 47: Privacy

Types of Social Networks

Posting content such as pictures and video raises new privacy concerns because it reveals details about the physical and social context of the subject.

‘If you’re using Gmail or Yahoo mail or Flickr or YouTube or belong to Facebook … you’ve given up complete control of your personal information’

Page 48: Privacy

Few cases …

Certain pictures or videos shared online have cost a number of people their jobs or ruined their job opportunities.

There are no rules or regulations to protect individuals from accidentally having an embarrassing photo or video taken of them and then posted on the web for others to see.

Adults are concerned about invasion of privacy, while teens freely give up personal information. This occurs because often teens are not aware of the public nature of the Internet.

More info: http://social-networks-privacy.wikidot.com/

Page 49: Privacy

Privacy issues on Facebook

Facebook has met criticism on a range of issues, including online privacy, child safety and hate speech.

You create a "Connection" to most of the things that you click a "Like button" for, and Facebook will treat those relationships as public information.

If you Like a Page on Facebook, that creates a public connection.

If you Like a movie or restaurant on a non-Facebook website (and if that site is using Facebook's OpenGraph system), that creates a public connection.

Page 50: Privacy

Even More Serious Case

In August 2007, the code used to generate Facebook's home and search page as visitors browse the site was accidentally made public, according to leading Internet news sites.

In November 2009, Facebook launched Beacon, a system where third-party websites could include a script by Facebook on their sites, and use it to send information about the actions of Facebook users on their site to Facebook, prompting serious privacy concerns.

In June 2011 Facebook enabled an automatic facial recognition feature called "Tag Suggestions". The feature compares newly uploaded photographs to those of the uploader's Facebook friends, in order to suggest photo tags.

Facebook has defended the feature, saying users can disable it. European Union data-protection regulators said they would investigate the feature to see if it violated privacy rules.

Page 51: Privacy

What Forbes says …

Facebook has essentially become a worldwide photo identification database.

These developments mean that we no longer have to worry just about what Facebook, Google+, LinkedIn and other social sites do with our data; we have to worry about what they enable others to do, too. And it now seems that others will be able to do a lot.

Page 52: Privacy

You MUST Know …

- 4.7 million “liked” a Facebook page about health conditions or treatments (details an insurer might use against you);
- 4.8 million have used Facebook to say where they planned to go on a certain day (a potential tip-off for burglars);
- 20.4 million included their birth date, which can be used by identity thieves;
- 39.3 million identified family members in their profile;
- 900K discussed finances on their wall;
- 1.6 million liked a page pertaining to racial or ethnic affiliations;
- 2.3 million liked a page regarding sexual orientation;
- 7.7 million liked a page pertaining to a religious affiliation;
- 2.6 million discussed their recreational use of alcohol on their wall;
- 4.6 million discussed their love life on their wall.

Page 53: Privacy

Privacy issues with Location-based service

Location-Based Social Networks (LBSN) derive from LBSs and are often referred to as Geosocial Networking.

The connection between users goes beyond sharing physical locations and also involves sharing knowledge like common interests, behavior, and activities.

Such pervasive tools represent a challenge to privacy.

Page 54: Privacy

A Serious Case about LBSN

In March 2012 Foursquare had to tackle the discovery of a Russian-built app called Girls Around Me. As the name suggests, Girls Around Me used Foursquare’s API to display and filter people by geographical position and gender; then, once a first list was compiled, the app was able to search Facebook for those girls who had the two accounts linked together and, finally, provided their pictures to the app user. Foursquare replied to the issue by shutting down the app soon after its discovery. However, Girls Around Me, and similar apps available on the market, posed serious questions about the nature of certain apps and their use, and furthermore proved that LBSNs offer services and features potentially threatening users' privacy and safety.

Page 55: Privacy

Additional information

Several public interest groups have sponsored the online Computer Privacy Guide at www.consumerprivacyguide.org. This site offers extensive tips, a glossary of terms, and video tutorials with step-by-step instructions on how to take advantage of privacy settings for the programs you use online.

Cookies. To learn more about cookie blockers and other types of online filters, visit www.junkbusters.com, www.consumerprivacyguide.org, www.cookiecentral.com, and www.spamblocked.com/proxomitron.

Demonstration. To see a demonstration of the kind of information that can be captured about your computer via your browser when you surf the web, visit www.privacy.net/analyze.

Privacy-enhancing technologies. The EPIC web site provides a section on software products that you can use to add extra layers of protection when you surf the web, www.epic.org/privacy/tools.html. Also, visit the Privacy Links page of the Privacy Rights Clearinghouse for more software tools and products, www.privacyrights.org/links.htm.

Spam. Find tips on how to reduce unsolicited e-mail messages at www.spamcop.net or www.stop-spam.org. To learn about state spam laws, go to www.spamlaws.com.

Page 56: Privacy
