Data Privacy Overview

Explore data privacy
◦ Examples, issues and surveys
◦ Answer the question: Is data privacy a legal or ethical
issue?
◦ Ethical context and background
◦ Analysis of data privacy issues
◦ Decision making about data privacy

What is privacy?
◦ Privacy is the ability of an individual or group to keep their
lives and affairs out of public view.
◦ To control the flow of information about oneself and
thereby reveal oneself selectively.
◦ The boundaries and content of what is considered private
differs between cultures and individuals, but shares basic
common themes.
◦ Privacy is sometimes related to anonymity, the wish to
remain unnoticed or unidentified in the public realm.

Balance between privacy and public good.


The U.S. Constitution contains no express right
to privacy.
The Bill of Rights “implies” certain rights to
privacy depending on area:
◦ Privilege against self-incrimination;
◦ Privacy of the person and possessions against unreasonable
searches;
◦ Privacy of beliefs.


U.S. Law has been vague about the extent of an
individual’s right to privacy.
U.S. culture is somewhat libertarian and
incorporates a fairly large personal zone/space.

The “right” to privacy in data collection and
dissemination.
◦ What is the public expectation of privacy in the collection
and sharing of data?
◦ Who has the right to view data?
◦ Who has the right to combine data collected in different
venues?
◦ Who owns “you”?

A data breach is the release of data to an
untrusted environment.
◦ Usually unintentional.
◦ May be against the law (relatively few laws protect data).
◦ Protected against by security software and procedures.
◦ People actively pursue data breaches.

Data privacy is a policy issue.
◦ Who owns data, how can it be used, etc.
◦ There is more confusion because it deals with the intended use of
data.

Target: Data collected from the magnetic stripes of
credit cards. 40 million credit cards.
JPMorgan Chase: 465,000 prepaid cash card
holders were compromised.
Sony’s PlayStation Network: 77 million
accounts/12 million with unencrypted credit
cards.
South Carolina: Credit card, debit card and 3.6
million social security numbers.
Maricopa Community Colleges: 2.4 million
students, former students, vendors and
employees. Personal information compromised.

Sears Holding Corporation (SHC Community)
◦ Sears collects data on all purchases made by Sears customers
◦ Sears offers a web site with a “tailored” shopping experience
◦ ManageMyHome web site displays purchase information
◦ It was relatively easy to see purchases made by others

Health Information Exchange
◦ Data once available in restricted locations may be collected
and integrated
◦ Very personal data; data about health is considered
synonymous with the individual him or herself
◦ Subject to HIPAA, but the regulations are rarely enforced

Google’s Gmail
◦ When you use Gmail, Google’s servers automatically record
information such as account activity, data displayed or clicked
on, browser type, IP address, cookie ID and referrer URL.
◦ Google scans the text of all email sent via Gmail for various
purposes, including formatting, delivering advertisements and
related links, and other purposes.

Amazon.com
◦ Tracks all purchases.
◦ Tailors format of site depending on past searches and
purchases.
◦ Customer data is viewed as an asset
◦ Provides customer data to “affiliates”

Edward Snowden: Disclosed classified
documents to the media. He obtained those
documents while working for a consulting firm.
Disclosures include:
◦ The U.S. NSA works closely with partners in Australia, the UK and
Canada to conduct extensive global surveillance.
◦ Global surveillance includes such things as access to Yahoo
and Google accounts for both email and instant messaging;
reading/analyzing email and instant messages; tracking
Internet usage of search engines; tracking perusal of
sexually-related sites; tracking and mapping the location of cell
phones; tracking users of game sites such as World of
Warcraft; decryption of encrypted messages; and direct
online surveillance of other governmental leaders.

Public records are public.
Data is recorded on virtually every transaction made.
Credit card companies, banks, insurance companies
and brokerage firms may share their respective
databases with one another without notification. This
is referred to as “affiliate sharing”.
Medical information can be shared for treatment,
payment, or health care operations. It can be used
for marketing and may be disclosed to
pharmaceutical companies.
Email, video, voice, instant messages are all digitized,
collected and stored. All forms of communication
can be shared.
Who owns data about you?

Survey of 250 IT professionals (2012).
◦ 67% say they depend on their company’s code of conduct
for determining business practices; they follow company
policy.
◦ 80% say their company gathers, stores and processes
detailed customer data.
◦ 60% say their company has a publicly displayed policy on
the privacy of the customer data that they collect.
◦ 92% say their company gathers data about employees’
computer usage.

The European Union approach to privacy is
based on comprehensive legislation.
◦ The EU has detailed laws regarding collection, processing, and
distribution of personal data.
◦ The Privacy and Electronic Communications Directive prohibits
secondary uses of data without informed consent.
◦ The Data Protection Directive requires that all entities that
maintain records register with the Data Protection
Commissioner.
◦ The EU requires all member countries to have an independent
enforcement body.
◦ Uses an “opt-in” default.

Federal Trade Commission (FTC) guidelines.
◦ Notice/awareness: Must notify consumer.
◦ Consent/choice: Consumer must agree.
◦ Access/participation: Data collectors must allow
consumer access to the stored data.
◦ Security/Integrity: Data collectors must “take steps” to
ensure the safety, confidentiality and integrity of the data.
◦ Enforcement/Redress: Data collectors must have an
enforcement protocol to ensure that their stakeholders
align with their principles.
◦ Collection limitation: Can only collect what is directly
pertinent.


The U.S. approach is a combination of federal laws, some state laws,
case law, and self-regulation.
Federal laws
◦ HIPAA, Children’s Online Privacy Protection Act, FERPA, GLB Act, Sarbanes-Oxley, FISA

Much legislation is pending and will never be approved. Most of it
focuses on privacy “breaches” and at most uses an “opt-out”
method for privacy protection (and most bills do not even provide that).
◦ Federal Internet Privacy Act
◦ Consumer Internet Privacy Protection Act (Privacy Bill of Rights)
◦ Protecting Children from Internet Pornographers Act
◦ GPS Act
◦ Electronic Mailbox Protection Act
◦ Netizens Protection Act
◦ Unsolicited Commercial Electronic Mail Choice Act
◦ Cyber-Security Enhancement and Consumer Data Protection Act

A framework for global electronic commerce
(as seen by the U.S.) announced in 1997:
◦ The private sector should lead.
◦ Governments should avoid undue restrictions on electronic
commerce.
◦ Where governmental involvement is needed, its aim should
be to support and enforce a predictable, minimalist,
consistent and simple legal environment for commerce.
◦ Governments should recognize the unique qualities of the
Internet.
◦ Electronic commerce over the Internet should be facilitated
on a global basis.

People are responsible for protecting
themselves within the cyber-domain.
The default is “opt-out” within the U.S.
A few groups are protected, but the majority
are not.
Even for the protected groups, there is very
little actual enforcement of the laws.
Organizations are left mainly to make “good”
rather than “bad” choices and monitor
themselves.

Ethics: A field of philosophy that examines
concepts related to right and wrong behavior.
It encompasses such concepts as:
◦ Determining what is “right” conduct;
◦ Defining the good life, the life that is satisfying and worth
living;
◦ Conceptualizing the greatest good for the greatest number;
◦ Determining the origination of human rights;
◦ Defining what is and is not human right(s);
◦ Clarifying what might be best addressed by law.

Metaethics: Investigates where our ethical
principles come from and what they mean.
◦ Universal truths
◦ Social inventions
◦ Divine right

Normative ethics: Determining moral standards
that regulate right and wrong conduct.
◦ Virtue and duty theories
◦ Consequence theories

Applied ethics: Examines controversial subjects
using metaethics and normative ethics as
analytical tools to guide conduct.

Big questions:
◦ Moral relativism vs. moral absolutism: Beauty is in the eye of
the beholder vs. beauty is always beautiful.
◦ Individual actions vs. group actions: If it is not OK for an
individual, is it OK for a group?
Hedonism: Maximize pleasure and minimize
pain.
Utilitarianism: The greatest good for the greatest
number.
Consequentialism: The ends justify the means.
Deontology: There are unbreakable moral rules,
such as “do not kill.” Described as rule-based
ethics.

The extent to which an action:
◦ Produces benefit for an individual.
◦ Produces benefit for society.
◦ Helps those in need.
◦ Does not harm others.
◦ Does not deceive others.
◦ Does not violate a law.
◦ Assists others in pursuing their best interests when they cannot do so
themselves.
◦ Acknowledges a person’s right to fair process, fair compensation for
harm done, and fair distribution of benefits.
◦ Acknowledges a person’s freedom over his/her actions or physical
body.

When analyzing the two cases we will:
◦ Highlight whether individual privacy will be or is
compromised by the systems described in the case.
◦ Identify the legal or ethical issues with the case and
analyze whether the company is exhibiting good conduct.
◦ Identify whether any security safeguards should be taken to
facilitate privacy protection.
◦ Recommend any laws or other protection that should be
enacted to facilitate privacy protection.