Explore data privacy
◦ Examples, issues and surveys
◦ Answer the question: Is data privacy a legal or ethical issue?
◦ Ethical context and background
◦ Analysis of data privacy issues
◦ Decision making about data privacy

What is privacy?
◦ Privacy is the ability of an individual or group to keep their lives and affairs out of public view.
◦ To control the flow of information about oneself and thereby reveal oneself selectively.
◦ The boundaries and content of what is considered private differ between cultures and individuals, but share basic common themes.
◦ Privacy is sometimes related to anonymity, the wish to remain unnoticed or unidentified in the public realm.

Balance between privacy and public good.

The U.S. Constitution contains no express right to privacy. The Bill of Rights “implies” certain rights to privacy depending on area:
◦ Privilege against self-incrimination;
◦ Privacy of the person and possessions against unreasonable searches;
◦ Privacy of beliefs.
U.S. law has been vague about the extent of an individual’s right to privacy. U.S. culture is somewhat libertarian and incorporates a fairly large personal zone/space.

The “right” to privacy in data collection and dissemination.
◦ What is the public expectation of privacy in the collection and sharing of data?
◦ Who has the right to view data?
◦ Who has the right to combine data collected in different venues?
◦ Who owns “you”?

A data breach is the release of data to an untrusted environment.
◦ Usually unintentional.
◦ May be against the law (relatively few laws protect data).
◦ Protected against by security software and procedures.
◦ People actively pursue data breaches.

Data privacy is a policy issue.
◦ Who owns data, how it can be used, etc.
◦ More confusion because it deals with the intended use of data.

Target: Data collected from the magnetic stripes of credit cards; 40 million credit cards.
JPMorgan Chase: 465,000 prepaid cash card holders were compromised.
Sony’s PlayStation Network: 77 million accounts, 12 million of them with unencrypted credit cards.
South Carolina: Credit card and debit card numbers and 3.6 million Social Security numbers.
Maricopa Community Colleges: 2.4 million students, former students, vendors and employees; personal information compromised.

Sears Holding Corporation (SHC Community)
◦ Sears collects data on all purchases made by Sears customers
◦ Sears offers a web site with a “tailored” shopping experience
◦ The ManageMyHome web site displays purchase information
◦ It was relatively easy to see purchases made by others

Health Information Exchange
◦ Data once available only in restricted locations may be collected and integrated
◦ Very personal data; data about health is considered synonymous with the individual him or herself
◦ Subject to HIPAA, but the regulations are rarely enforced

Google’s Gmail
◦ When you use Gmail, Google’s servers automatically record information such as account activity, data displayed or clicked on, browser type, IP address, cookie ID and referrer URL.
◦ Google scans the text of all email sent via Gmail for various purposes, including formatting, delivering advertisements and related links, and other purposes.

Amazon.com
◦ Tracks all purchases.
◦ Tailors the format of the site depending on past searches and purchases.
◦ Customer data is viewed as an asset.
◦ Provides customer data to “affiliates”.

Edward Snowden: Disclosed classified documents to the media. He obtained those documents while working for a consulting firm. Disclosures include:
◦ The U.S. NSA works closely with partners in Australia, the UK and Canada to conduct extensive global surveillance.
◦ Global surveillance includes such things as access to Yahoo and Google accounts for both email and instant messaging; reading/analyzing email and instant messages; tracking Internet usage of search engines; tracking perusal of sexually related sites; tracking and mapping the location of cell phones; tracking users of game sites such as World of Warcraft; decryption of encrypted messages; and direct online surveillance of other governmental leaders.

Public records are public. Data is recorded on virtually every transaction made.
Credit card companies, banks, insurance companies and brokerage firms may share their respective databases with one another without notification. This is referred to as “affiliate sharing”.
Medical information can be shared for treatment, payment, or health care operations. It can be used for marketing and may be disclosed to pharmaceutical companies.
Email, video, voice and instant messages are all digitized, collected and stored. All forms of communication can be shared.

Who owns data about you?

Survey of 250 IT professionals (2012):
◦ 67% say they depend on their company’s code of conduct for determining business practices; they follow company policy.
◦ 80% say their company gathers, stores and processes detailed customer data.
◦ 60% say their company has a publicly displayed policy on the privacy of the customer data that they collect.
◦ 92% say their company gathers data about employees’ computer usage.

The European Union approach to privacy is based on comprehensive legislation.
◦ The EU has detailed laws regarding the collection, processing, and distribution of personal data.
◦ The Privacy and Electronic Communications Directive prohibits secondary uses of data without informed consent.
◦ The Data Protection Directive requires that all entities that maintain records register with the Data Protection Commissioner.
◦ The EU requires all member countries to have an independent enforcement body.
◦ Uses an “opt-in” default.

Federal Trade Commission (FTC) guidelines.
◦ Notice/awareness: Must notify the consumer.
◦ Consent/choice: The consumer must agree.
◦ Access/participation: Data collectors must allow consumers access to the stored data.
◦ Security/integrity: Data collectors must “take steps” to ensure the safety, confidentiality and integrity of the data.
◦ Enforcement/redress: Data collectors must have an enforcement protocol to ensure that their stakeholders align with their principles.
◦ Collection limitation: Can only collect what is directly pertinent.

A combination of federal laws, some state laws, case law, and self-regulation.

Federal laws
◦ HIPAA, Children’s Online Privacy Protection Act, FERPA, GLB Act, Sarbanes-Oxley, FISA

Much pending and never-to-be-approved legislation, most of it focusing on privacy “breaches” and at most using an “opt-out” method for privacy protection (but not even that for most).
◦ Federal Internet Privacy Act
◦ Consumer Internet Privacy Protection Act (Privacy Bill of Rights)
◦ Protecting Children from Internet Pornographers Act
◦ GPS Act
◦ Electronic Mailbox Protection Act
◦ Netizens Protection Act
◦ Unsolicited Commercial Electronic Mail Choice Act
◦ Cyber-Security Enhancement and Consumer Data Protection Act

A framework for global electronic commerce (as seen by the U.S.), announced in 1997:
◦ The private sector should lead.
◦ Governments should avoid undue restrictions on electronic commerce.
◦ Where governmental involvement is needed, its aim should be to support and enforce a predictable, minimalist, consistent and simple legal environment for commerce.
◦ Governments should recognize the unique qualities of the Internet.
◦ Electronic commerce over the Internet should be facilitated on a global basis.

People are responsible for protecting themselves within the cyber-domain. The default is “opt-out” within the U.S. A few groups are protected, but the majority are not. Even for the protected groups, there is very little actual enforcement of the laws.
Organizations are left mainly to make “good” rather than “bad” choices and to monitor themselves.

Ethics: A field of philosophy that examines concepts related to right and wrong behavior. It encompasses such concepts as:
◦ Determining what is “right” conduct;
◦ Defining the good life, the life that is satisfying and worth living;
◦ Conceptualizing the greatest good for the greatest number;
◦ Determining the origination of human rights;
◦ Defining what is and is not a human right;
◦ Clarifying what might be best addressed by law.

Metaethics: Investigates where our ethical principles come from and what they mean.
◦ Universal truths
◦ Social inventions
◦ Divine right

Normative ethics: Determining moral standards that regulate right and wrong conduct.
◦ Virtue and duty theories
◦ Consequence theories

Applied ethics: Examines controversial subjects using metaethics and normative ethics as analytical tools to guide conduct.

Big questions:
◦ Moral relativism vs. moral absolutism: Beauty is in the eye of the beholder vs. beauty is always beautiful.
◦ Individual actions vs. group actions: If it is not OK for an individual, is it OK for a group?

Hedonism: Maximize pleasure and minimize pain.
Utilitarianism: The greatest good for the greatest number.
Consequentialism: The ends justify the means.
Deontology: There are unbreakable moral rules, such as “do not kill.” Described as rule-based ethics.

The extent to which an action:
◦ Produces benefit for an individual.
◦ Produces benefit for society.
◦ Helps those in need.
◦ Does not harm others.
◦ Does not deceive others.
◦ Does not violate a law.
◦ Assists others in pursuing their best interests when they cannot do so themselves.
◦ Acknowledges a person’s right to fair process, fair compensation for harm done, and fair distribution of benefits.
◦ Acknowledges a person’s freedom over his/her actions or physical body.
When analyzing the two cases we will:
◦ Highlight whether individual privacy will be or is compromised by the systems described in the case.
◦ Identify the legal or ethical issues with the case, and analyze whether the company is exhibiting good conduct.
◦ Identify whether any security safeguards should be taken to facilitate privacy protection.
◦ Recommend any laws or other protections that should be enacted to facilitate privacy protection.