1 / 75

Introduction to Privacy

Introduction to Privacy. January 28, 2007. Administrivia. Collect homework and human subjects certificates Student survey forms. Outline. What is privacy? Privacy laws and self-regulation Privacy risks from personalization Reducing privacy risks. What is privacy?.

quinto
Télécharger la présentation

Introduction to Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Privacy January 28, 2007

  2. Administrivia • Collect homework and human subjects certificates • Student survey forms

  3. Outline • What is privacy? • Privacy laws and self-regulation • Privacy risks from personalization • Reducing privacy risks

  4. What is privacy?

  5. What does privacy mean to you? • How would you define privacy? • What does it mean to you for something to be private?

  6. Concept versus right • Privacy as concept • What is it • How and why it is valued • Privacy as right • How it is (or should be) protected • By law • By policy • By technology

  7. Hard to define “Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.” Robert C. Post, Three Concepts of Privacy, 89 Geo. L.J. 2087 (2001).

  8. Some definitions from the literature • Personhood • Intimacy • Secrecy • Contextual integrity • Limited access to the self • Control over information

  9. Limited access to self • “the right to be let alone” • Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890) • “our concern over • our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others attention. • - Ruth Gavison, “Privacy and the Limits of the Law,” Yale Law Journal 89 (1980) “Being alone.” - Shane (age 4)

  10. Control over information “Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.” “…each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication….” Alan Westin, Privacy and Freedom, 1967

  11. Realizing limited access and control • Limited access • Laws to prohibit or limit collection, disclosure, contact • Technology to facilitate anonymous transactions, minimize disclosure • Control • Laws to mandate choice (opt-in/opt-out) • Technology to facilitate informed consent, keep track of and enforce privacy preferences

  12. Westin’s four states of privacy • Solitude • individual separated from the group and freed from the observation of other persons • Intimacy • individual is part of a small unit • Anonymity • individual in public but still seeks and finds freedom from identification and surveillance • Reserve • the creation of a psychological barrier against unwanted intrusion - holding back communication

  13. Britney Spears: “We just need privacy” “You have to realize that we're people and that we need, we just need privacy and we need our respect, and those are things that you have to have as a human being.” — Britney Spears15 June 2006NBC Dateline http://www.cnn.com/2006/SHOWBIZ/Music/06/15/people.spears.reut/index.html

  14. Only a goldfish can live without privacy… Is this true? Can humans live without privacy?

  15. Privacy as animal instinct • Is privacy necessary for species survival? Eagles eating a deer carcass http://www.learner.org/jnorth/tm/eagle/CaptureE63.html

  16. Privacy laws and self-regulation

  17. OECD fair information principles http://www.datenschutz-berlin.de/gesetze/internat/ben.htm • Collection limitation • Data quality • Purpose specification • Use limitation • Security safeguards • Openness • Individual participation • Accountability

  18. US FTC simplified principles • Notice and disclosure • Choice and consent • Data security • Data quality and access • Recourse and remedies US Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), http://www.ftc.gov/reports/privacy3/

  19. Privacy laws around the world • Privacy laws and regulations vary widely throughout the world • US has mostly sector-specific laws, with relatively minimal protections - often referred to as “patchwork quilt” • Federal Trade Commission has jurisdiction over fraud and deceptive practices • Federal Communications Commission regulates telecommunications • European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws that recognize privacy as fundamental human right • Privacy commissions in each country (some countries have national and state commissions) • Many European companies non-compliant with privacy laws (2002 study found majority of UK web sites non-compliant)

  20. Some US privacy laws • Bank Secrecy Act, 1970 • Fair Credit Reporting Act, 1971 • Privacy Act, 1974 • Right to Financial Privacy Act, 1978 • Cable TV Privacy Act, 1984 • Video Privacy Protection Act, 1988 • Family Educational Right to Privacy Act, 1993 • Electronic Communications Privacy Act, 1994 • Freedom of Information Act, 1966, 1991, 1996

  21. US law – recent additions • HIPAA (Health Insurance Portability and Accountability Act, 1996) • When implemented, will protect medical records and other individually identifiable health information • COPPA (Children‘s Online Privacy Protection Act, 1998) • Web sites that target children must obtain parental consent before collecting personal information from children under the age of 13 • GLB (Gramm-Leach-Bliley-Act, 1999) • Requires privacy policy disclosure and opt-out mechanisms from financial service institutions

  22. Voluntary privacy guidelines • Direct Marketing Association Privacy Promise http://www.thedma.org/library/privacy/privacypromise.shtml • Network Advertising Initiative Principles http://www.networkadvertising.org/ • CTIA Location-based privacy guidelineshttp://www.wow-com.com/news/press/body.cfm?record_id=907

  23. Chief privacy officers • Companies are increasingly appointing CPOs to have a central point of contact for privacy concerns • Role of CPO varies in each company • Draft privacy policy • Respond to customer concerns • Educate employees about company privacy policy • Review new products and services for compliance with privacy policy • Develop new initiatives to keep company out front on privacy issue • Monitor pending privacy legislation

  24. Seal programs • TRUSTe – http://www.truste.org • BBBOnline – http://www.bbbonline.org • CPA WebTrust – http://www.cpawebtrust.org/ • Japanese Privacy Mark http://privacymark.org/

  25. Seal program problems • Certify only compliance with stated policy • Limited ability to detect non-compliance • Minimal privacy requirements • Don’t address privacy issues that go beyond the web site • Nonetheless, reporting requirements are forcing licensees to review their own policies and practices and think carefully before introducing policy changes

  26. Privacy policies • Policies let consumers know about site’s privacy practices • Consumers can then decide whether or not practices are acceptable, when to opt-in or opt-out, and who to do business with • The presence of privacy policies increases consumer trust What are some problems with privacy policies?

  27. Privacy policy problems • BUT policies are often • difficult to understand • hard to find • take a long time to read • change without notice

  28. Identification of site, scope, contact info Types of information collected Including information about cookies How information is used Conditions under which information might be shared Information about opt-in/opt-out Information about access Information about data retention policies Information about seal programs Security assurances Children’s privacy Privacy policy components There is lots of informationto convey -- but policyshould be brief andeasy-to-read too! What is opt-in? What is opt-out?

  29. Short Notices • Project organized by Hunton & Williams law firm • Create short version (short notice) of a human-readable privacy notice for both web sites and paper handouts • Sometimes called a “layered notice” as short version would advise people to refer to long notice for more detail • Now being called “highlights notice” • Focus on reducing privacy policy to at most 7 boxes • Standardized format but only limited standardization of language • Proponents believe highlights format may eventually be mandated by law • Alternative proposals from privacy advocates focus on check boxes • Interest Internationally • http://www.privacyconference2003.org/resolution.asp • Interest in the US for financial privacy notices • http://www.ftc.gov/privacy/privacyinitiatives/ftcfinalreport060228.pdf

  30. Checkbox proposal WE SHARE [DO NOT SHARE] PERSONAL INFORMATION WITH OTHER WEBSITES OR COMPANIES. Collection:YES NO We collect personal information directly from you  We collect information about you from other sources:  We use cookies on our website  We use web bugs or other invisible collection methods  We install monitoring programs on your computer  Uses: We use information about you to:With Your Without YourConsent Consent Send you advertising mail  Send you electronic mail  Call you on the telephone  Sharing: We allow others to use your information to: With Your Without Your Consent Consent Maintain shared databases about you  Send you advertising mail  Send you electronic mail  Call you on the telephone N/AN/A Access: You can see and correct {ALL, SOME, NONE} of the information we have about you. Choices: You can opt-out of receiving from Us Affiliates Third Parties Advertising mail  Electronic mail  Telemarketing N/A Retention: We keep your personal data for: {Six Months Three Years Forever} Change: We can change our data use policy {AT ANY TIME, WITH NOTICE TO YOU, ONLY FOR DATA COLLECTED IN THE FUTURE}

  31. Platform for Privacy Preferences Project (P3P) • Developed by the World Wide Web Consortium (W3C) http://www.w3.org/p3p/ • Final P3P1.0 Recommendation issued 16 April 2002 • Offers an easy way for web sites to communicate about their privacy policies in a standard machine-readable format • Can be deployed using existing web servers • Enables the development of tools (built into browsers or separate applications) that • Summarize privacy policies • Compare policies with user preferences • Alert and advise users

  32. Basic components • P3P provides a standard XML format that web sites use to encode their privacy policies • Sites also provide XML “policy reference files” to indicate which policy applies to which part of the site • Sites can optionally provide a “compact policy” by configuring their servers to issue a special P3P header when cookies are set • No special server software required • User software to read P3P policies called a “P3P user agent”

  33. What’s in a P3P policy? • Name and contact information for site • The kind of access provided • Mechanisms for resolving privacy disputes • The kinds of data collected • How collected data is used, and whether individuals can opt-in or opt-out of any of these uses • Whether/when data may be shared and whether there is opt-in or opt-out • Data retention policy

  34. GET /index.html HTTP/1.1 Host: www.att.com . . . Request web page HTTP/1.1 200 OK Content-Type: text/html . . . Send web page A simple HTTP transaction WebServer

  35. GET /w3c/p3p.xml HTTP/1.1 Host: www.att.com Request Policy Reference File Send Policy Reference File Request P3P Policy Send P3P Policy GET /index.html HTTP/1.1 Host: www.att.com . . . Request web page HTTP/1.1 200 OK Content-Type: text/html . . . Send web page … with P3P 1.0 added WebServer

  36. P3P increases transparency • P3P clients can check a privacy policy each time it changes • P3P clients can check privacy policies on all objects in a web page, including ads and invisible images http://www.att.com/accessatt/ http://adforce.imgis.com/?adlink|2|68523|1|146|ADFORCE

  37. P3P in IE6 Automatic processing of compact policies only; third-party cookies without compact policies blocked by default Privacy icon on status bar indicates that a cookie has been blocked – pop-up appears the first time the privacy icon appears

  38. Users can click on privacy icon forlist of cookies; privacy summariesare available atsites that are P3P-enabled

  39. Privacy summary report isgenerated automaticallyfrom full P3P policy

  40. P3P in Netscape 7 Preview version similar to IE6, focusing, on cookies; cookies without compact policies (both first-party and third-party) are “flagged” rather than blocked by default Indicates flagged cookie

  41. Privacy Bird • Free download of beta from http://privacybird.com/ • Origninally developed at AT&T Labs • Released as open source • “Browser helper object” for IE6 • Reads P3P policies at all P3P-enabled sites automatically • Bird icon at top of browser window indicates whether site matches user’s privacy preferences • Clicking on bird icon gives more information

  42. Chirping bird is privacy indicator

More Related