“Informational Privacy”privacy notes, set 2

CS 340

Buying a Batman toy, in 1970 & 2010

Information as a commodity

• Current technology makes it feasible, practical and worth economic sense to gather more information about each and every purchase.

• This information has value to– Manufacturers– Merchants– Similar sellers– Other customers

• From Nonchalant to Outrage– Double click– Facebook

Privacy and Cyberspace

Are any privacy issues unique to cyber-technology?– Spokeo.com

Privacy concerns have been exacerbated by cyber-technology in at least four ways, i.e., by the:

1. amount of personal information that can now be collected;2. speed at which personal information can now be transferred and

exchanged; 3. duration of time in which personal information can now be retained;4. kind of personal information (such as transactional information) that

can be acquired.

Misc. Ex. of Disclosing Information

• Reward & loyalty programs

• Using a search engine• 3rd party cookies

– networked affiliates sharing clickstream data

• Body scans• DVRs• Spyware• biometrics

• Blackboxes• Enhanced 911• RFID & implanted chips• Online shopping:– The ToySmart case

Who owns info about a transaction?The Toysmart Case

• Background: Toysmart.com was an online toy seller. Although it entered the market early, it never became profitable, and the company filed for bankruptcy in 2000. In order to pay off as much debt as possible, the company began to sell assets, both physical and intangible. One intangible asset was the customer data that they had collected through the course of operations. Near the end of their operations, Toysmart published a privacy policy and acquired a TRUSTe seal. (As a TRUSTe company several provisions were req: Toysmart only used the data to personalize shopping experience, and would not share data with 3rd party.)

Toysmart Cont’d

• Consumer data included:– names– addresses– billing info– purchases– shopping pref– family information (children's names and bdays and wish list

toys)

Toysmart put their data up for sale. Toysmart was sued by the FTC which claimed that the attempt to sell consumer data violated the COPPA.

Toysmart concluded

• Results: Toysmart agreed not to share OR sell this information as a stand-alone asset.– Only would give to a court approved qualified

buyer AND– Consumers would have to opt in– Toysmart would destroy data that violated COPA

• More info:– http://www.ftc.gov/opa/2000/07/toysmart2.htm– Truste.org

What we do to ourselves

• Use of:– Texting:

• http://blog.nielsen.com/nielsenwire/online_mobile/u-s-teen-mobile-report-calling-yesterday-texting-today-using-apps-tomorrow/

– social network– Youtube– Blogs– genealogy sites

• Child events, strangers & pedophiles

• Idea of privacy as old-fashioned

Profiling definition

• “the gathering, assembling, and collating of data about individuals in databases which can be used to identify, segregate, categorize and generally make decisions about individuals known to the decision maker only through their computerized profile.”

• Objective:– Better targeted advertising

Profiling: Transactions that disclose info:

1. Consider the information about us that can be acquired from our commercial transactions in a bank or in a store.

2. The privacy of users who navigate the Web solely for recreational purposes is also at risk. – Personal data about a user’s interests can be

acquired by organizations whose need for this information is not always clear.

– A user’s personal data acquired via his/her online activities can be sold to third parties.

Sara Baase A Gift of Fire:

Disclosing information: • In privacy analysis "(t)he critical point is

whether the user is told and thus can make an informed choice”

• Secondary use of information occurs when information is used "for a purpose other than the one for which it was supplied.“

The danger of Re-identification

• Re-identification: identifying the individual from a set of anonymous data– Identification based on searches performed.• Self, hobbies, cars, sports teams, health

Data mining

• searching and analyzing masses of data to find patterns and develop new info– Computer matching: combining info from different

db using an identifier each has in common– Computer profiling: analyzing data to determine

common characteristics of people likely to engage in a behavior. Uses:• Find new customers• ID terror suspects

Privacy

As consumers:• Most European countries have specific laws and

regulations aimed at protecting an individual’s (consumer) privacy.

• In the US, historically consumer privacy has relied on – social norms and – market forces

• laws are typically a last resort or response to an event– highly reactive and unsystematic

Misc. Privacy Laws

• Fair Credit Reporting Act, 1970– Right to Financial Privacy

Act, 1978

• Cable Communications Policy Act, 1984– Video Protection Privacy

Act, 1988

• Driver’s Protection Privacy Act, 1994

• Children’s Online Privacy Protection Act (COPPA), 1998– Info on kids under 13

• Financial Services Modernization Act, 1999

• Health Insurance Portability and Accountability Act (HIPAA), 2001

Disclosure of Information

• “Private” information that becomes a part of the public record– Examples:

• 911 calls become part of the public record– Urban Meyer’s wife’s call after the SEC game

» http://www.youtube.com/watch?v=HfMFeQYDznY » Compare & Contrast this with HIPAA, dr. & patient confidentiality,

hospital policies

• Marriage, birth, death, divorce, wills

• Government Databases of info: ranging from tax info, census, NCIC– Public record

1974 Privacy Act

Codified 5 principles related to gov’t handling of information:

1. Notice/Awareness2. Choice/Consent3. Access Participation4. Integrity/Security5. Enforcement/Redress• http://www.ftc.gov/reports/privacy3/fairinfo

.shtm

Limitations of the Privacy Act

From William Petrocelli Low Profile: How to avoid the Privacy Invaders:

1. Applies only to gov’t db not private ones2. Applies only to records that use a personal

identifier (name, number)3. No agency is in charge of enforcement,

individual agencies choose what is exempt4. Inter-agency sharing of info for “routine use”

Patriot Act• Provided:

– More monitoring authority for law enforcement and intelligence agencies • aims at Internet use and email• created nationwide system for search warrants and wire tapping• Allows for roving surveillance• Expands search warrant exceptions

– Sec. of Treasury has greater powers related to banks to prevent foreign money laundry

– Admission to US harder for– Codified new crimes and punishments

• Act has been subject to lots of criticism because of the privacy concerns it impacts

• Act is subject to periodic renewal

TSA machines