
A Gift of Fire: Chapter 2: Privacy

This chapter discusses privacy issues related to computer technology. It covers how databases, surveillance tools, and data analysis now allow more information to be collected about individuals than ever before. This information can be collected intentionally by companies and the government, stolen by hackers or insiders, or lost through carelessness. Even small pieces of information combined can reveal a lot about a person. Once data is online or in a database, it is hard to remove and control who sees it. This new digital environment poses profound risks to individual privacy.

Uploaded by Faizan Ahmed

A Gift of Fire

Fourth edition

Sara Baase

Chapter 2: Privacy
What We Will Cover
• Privacy and Computer Technology
• Privacy Topics
• Protecting Privacy
• Communications
Privacy and Computer Technology
• Computer technology is not necessary for the invasion of
privacy. However, the use of digital technology has made new
threats possible and old threats more potent. Computer
technologies—databases, digital cameras, the Web,
smartphones, and global positioning system (GPS) devices,
among others—have profoundly changed what people can
know about us and how they can use that information.
Understanding the risks and problems is a first step towards
protecting privacy.
• For computer professionals, understanding the risks and
problems is a step towards designing systems with built-in
privacy protections and less risk.
Privacy and Computer Technology
Key Aspects of Privacy:
• Freedom from intrusion (being left alone)
• Control of information about oneself
• Freedom from surveillance (being tracked,
followed, watched)
Privacy threats come in several categories
• Intentional, institutional uses of personal information (in the
government sector primarily for law enforcement and tax
collection, and in the private sector primarily for marketing
and decision making)
• Unauthorized use or release by “insiders,” the people who
maintain the information
• Theft of information
• Inadvertent leakage of information through negligence or
carelessness
• Our own actions (sometimes intentional trade-offs and
sometimes when we are unaware of the risks)
Privacy and Computer Technology (cont.)
New Technology, New Risks:
• Government and private databases
• Sophisticated tools for surveillance and data
analysis
• Vulnerability of data
Government and private databases
• Today there are thousands (probably millions) of databases,
both government and private, containing personal
information about us. In the past, there was simply no record
of some of this information, such as our specific purchases of
groceries and books. Government documents like divorce and
bankruptcy records have long been in public records, but
accessing such information took a lot of time and effort. When
we browsed in a library or store, no one knew what we read or
looked at. It was not easy to link together our financial, work,
and family records.
Government and private databases
• Now, large companies that operate video, email, social network, and
search services can combine information from a member’s use of all
of them to obtain a detailed picture of the person’s interests,
opinions, relationships, habits, and activities.
• Even if we do not log in as members, software tracks our activity on
the Web. In the past, conversations disappeared when people finished
speaking, and only the sender and the recipient normally read
personal communications.
• Now, when we communicate by texting, email, social networks, and
so on, there is a record of our words that others can copy, forward,
distribute widely, and read years later.
Sophisticated tools for surveillance and data
analysis
• Miniaturization of processors and sensors puts tiny cameras in
cellphones that millions of people carry everywhere. Cameras in
some 3-D television sets warn children if they are sitting too
close. What else might such cameras record, and who might see
it?
• The wireless appliances we carry contain GPS and other
location devices. They enable others to determine our location
and track our movements.
• Patients refill prescriptions and check the results of medical
tests on the Web. They correspond with doctors by email.
Sophisticated tools for surveillance and data
analysis
• We store our photos and videos, do our taxes, and
create and store documents and financial spreadsheets
in a cloud of remote servers instead of on our own
computer.
• Law enforcement agencies have very sophisticated tools
for eavesdropping, surveillance, and collecting and
analyzing data about people’s activities, tools that can
help reduce crime and increase security—or threaten
privacy and liberty.
Vulnerability of data
• Combining powerful new tools and applications can have
astonishing results. It is possible to snap a photo of someone
on the street, match the photo to one on a social network, and
use a trove of publicly accessible information to guess, with
high probability of accuracy, the person’s name, birth date, and
most of his or her Social Security number.
• This does not require a supercomputer; it is done with a
smartphone app. We see such systems in television shows and
movies, but to most people they seem exaggerated or way off
in the future. All these gadgets, services, and activities have
benefits, of course, but they expose us to new risks. The
implications for privacy are profound.
Stolen and Lost Data
• Hackers
• Physical theft (laptops, thumb-drives, etc.)
• Requesting information under false pretenses
• Bribery of employees who have access
Stolen and lost data
• Criminals steal personal data by hacking into computer systems, by
stealing computers and disks, by buying or requesting records under
false pretenses, and by bribing employees of companies that store
the data.
• Shady information brokers sell data (including cellphone records,
credit reports, credit card statements, medical and work records,
and location of relatives, as well as information about financial and
investment accounts) that they obtain illegally or by questionable
means.
• Criminals, lawyers, private investigators, spouses, ex-spouses, and
law enforcement agents are among the buyers. A private
investigator could have obtained some of this information in the
past, but not nearly so easily, cheaply, and quickly.
Stolen and lost data
• Another risk is accidental (sometimes quite careless) loss.
Businesses, government agencies, and other institutions lose
computers, disks, memory cards, and laptops containing
sensitive personal data (such as Social Security numbers and
credit card numbers) on thousands or millions of people,
exposing people to potential misuse of their information and
lingering uncertainty.
• They inadvertently allow sensitive files to be public on the
Web. Researchers found medical information, Social Security
numbers, and other sensitive personal or confidential
information about thousands of people in files on the Web that
simply had the wrong access status.
Stolen and lost data
• The websites of some businesses, organizations, and
government agencies that make account information
available on the Web do not sufficiently authenticate the
person accessing the information, allowing imposters
access.
• Data thieves often get sensitive information by telephone
by pretending to be the person whose records they seek.
They provide some personal information about their
target to make their request seem legitimate. That is one
reason why it is important to be cautious even with data
that is not particularly sensitive by itself.
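The slide above notes that some websites hand out account information without sufficiently authenticating the person asking for it. The most common form of that defect in code is an endpoint that trusts an account number supplied by the client once any login exists. The example below is added here and is not from the textbook or its slides: it shows the weak lookup beside the fixed one, and a small log audit a defender can run to spot cross-account reads after the fact. The session store, account table, log format and function names are all constructed for illustration.

```python
"""Added example (not from the textbook): account lookup with and without an
ownership check, plus a log audit for cross-account reads. All data, names and
the log format are constructed for illustration."""

# Constructed sample data: session tokens mapped to user ids, and an account
# table keyed by account number.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00, "ssn_last4": "1234"},
    "1002": {"owner": "bob", "balance": 80.50, "ssn_last4": "9876"},
}


class AccessDenied(Exception):
    """Raised when the request is not authenticated or not authorized."""


def get_account_vulnerable(session_token: str, account_id: str) -> dict:
    """Weak version: verifies that *a* valid session exists, then returns
    whatever account the client asked for. Any logged-in user can read any
    account simply by changing the id in the request."""
    if session_token not in SESSIONS:
        raise AccessDenied("not logged in")
    return ACCOUNTS[account_id]


def get_account_hardened(session_token: str, account_id: str) -> dict:
    """Fixed version: the account must belong to the user bound to the
    session. Ownership is taken from server-side data, never from the request."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise AccessDenied("not logged in")
    account = ACCOUNTS.get(account_id)
    # Same error for "does not exist" and "not yours", so the response does
    # not reveal which account numbers are valid.
    if account is None or account["owner"] != user:
        raise AccessDenied("account not accessible")
    return account


def audit_cross_account_reads(log_lines):
    """Detection side: given constructed access-log lines of the form
    'user=<u> account=<id> status=<code>', return (user, account) pairs where a
    user successfully read an account that is not theirs."""
    findings = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("status") != "200":
            continue
        owner = ACCOUNTS.get(fields["account"], {}).get("owner")
        if owner is not None and owner != fields["user"]:
            findings.append((fields["user"], fields["account"]))
    return findings


if __name__ == "__main__":
    # bob reads alice's account through the weak endpoint
    print(get_account_vulnerable("tok-bob", "1001"))
    try:
        get_account_hardened("tok-bob", "1001")
    except AccessDenied as exc:
        print("hardened endpoint refused:", exc)
    sample_log = [
        "user=bob account=1002 status=200",
        "user=bob account=1001 status=200",
        "user=alice account=1002 status=403",
    ]
    print(audit_cross_account_reads(sample_log))
```

The design point is that authentication (is there a valid session?) and authorization (does this session's user own this record?) are separate checks; the weak version only performs the first. The audit function relies on the server logging the authenticated user and the requested account on every response, which is the minimum needed to detect this class of access after the fact.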
A summary of risks
• Anything we do in cyberspace is recorded, at least briefly,
and linked to our computer or phone, and possibly our name.
• With the huge amount of storage space available,
companies, organizations, and governments save huge
amounts of data that no one would have imagined saving in
the recent past.
• People often are not aware of the collection of information
about them and their activities.
• Software is extremely complex. Sometimes businesses,
organizations, and website managers do not even know what
the software they use collects and stores.
A summary of risks
• Leaks happen. The existence of the data presents a risk.
• A collection of many small items of information can give
a fairly detailed picture of a person’s life.
• Direct association with a person’s name is not essential
for compromising privacy. Re-identification has become
much easier due to the quantity of personal information
stored and the power of data search and analysis tools.
• If information is on a public website, people other than
those for whom it was intended will find it. It is available
to everyone.
A summary of risks
• Once information goes on the Internet or into a database, it seems to
last forever. People (and automated software) quickly make and
distribute copies. It is almost impossible to remove released
information from circulation.
• It is extremely likely that data collected for one purpose (such as
making a phone call or responding to a search query) will find other
uses (such as business planning, tracking, marketing, or criminal
investigations).
• The government sometimes requests or demands sensitive personal
data held by businesses and organizations.
• We often cannot directly protect information about ourselves. We
depend on the businesses and organizations that manage it to protect it
from thieves, accidental collection, leaks, and government prying.
Privacy and Computer Technology (cont.)
Terminology:
• Personal information
• In the context of privacy issues, it includes any information relating to, or
traceable to, an individual person. The term does not apply solely to what
we might think of as sensitive information, although it includes that. It
also includes information associated with a particular person’s user
name, online nickname, identification number, email address, or phone
number. Nor does it refer only to text. It extends to any information,
including images, from which someone can identify a living individual.
Privacy and Computer Technology (cont.)
Terminology:
• Invisible information gathering - collection of personal information about someone
without the person’s knowledge
• The important ethical issue is that if someone is not aware of the collection and use,
he or she has no opportunity to consent or withhold consent.
• Whether or not a particular example of data collection is invisible information
gathering can depend on the level of public awareness. Some people know about
event data recorders in cars; most do not.
Privacy and Computer Technology (cont.)
• Invisible information gathering
•When our computers and phones communicate with websites, they must provide information
about their configuration (e.g., the Web browser used). For a high percentage of computers,
there is enough variation and detail in configurations to create a “fingerprint” for each
computer. Some companies provide device fingerprinting software for combating fraud and
intellectual property theft and for tracking people’s online activity in order to target
advertising. Both collection of configuration information and building of activity profiles are
invisible. Financial firms that use device fingerprinting for security of customer accounts are
likely to say so in a privacy policy. We are less likely to know when someone is using it to build
marketing profiles.
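The slide says there is enough variation in configuration details for a fingerprint to be formed for a high percentage of computers. The script below is added here and is not from the textbook: it builds a constructed population of device configurations, derives a fingerprint from the attributes a site can observe, and measures how many devices are uniquely identified and how many bits of information the fingerprint carries. It then applies the defensive counter-measure a browser or privacy tool can take, reporting generic values for the high-variation attributes, and measures again. The attribute names, values and population are made up for the demonstration.

```python
"""Added example (not from the textbook): measuring how identifying a set of
configuration attributes is, and how coarsening them reduces it. The
population and attribute values are constructed."""
import hashlib
import itertools
import math
from collections import Counter

# Constructed attribute values. Real populations are skewed, so extra copies
# of one common configuration are added below.
USER_AGENTS = ["UA-A", "UA-B", "UA-C"]
SCREENS = ["1920x1080", "1366x768", "2560x1440", "1440x900"]
TIMEZONES = ["UTC-5", "UTC+0", "UTC+1", "UTC+9"]
FONT_SETS = ["fonts-default", "fonts-office", "fonts-design", "fonts-cjk", "fonts-custom"]
ATTRIBUTES = ("user_agent", "screen", "timezone", "fonts")


def constructed_population():
    """Every combination of the attribute values once, plus 40 extra devices
    with the most common combination, so that some devices look alike."""
    devices = [dict(zip(ATTRIBUTES, combo))
               for combo in itertools.product(USER_AGENTS, SCREENS, TIMEZONES, FONT_SETS)]
    common = {"user_agent": "UA-A", "screen": "1920x1080",
              "timezone": "UTC-5", "fonts": "fonts-default"}
    devices.extend(dict(common) for _ in range(40))
    return devices


def fingerprint(device, attributes):
    """Hash the chosen attributes in a fixed order. The hash is only a compact
    label for the combination; the identifying power comes from the inputs."""
    material = "|".join("%s=%s" % (k, device[k]) for k in attributes)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def identifiability(devices, attributes):
    """Return (fraction of devices whose fingerprint is unique in the
    population, Shannon entropy in bits of the fingerprint distribution)."""
    prints = [fingerprint(d, attributes) for d in devices]
    counts = Counter(prints)
    n = len(devices)
    unique = sum(1 for p in prints if counts[p] == 1)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return unique / n, entropy


def coarsen(device):
    """Defensive measure: report generic values for the attributes that vary
    most, so many devices share the same fingerprint."""
    out = dict(device)
    out["fonts"] = "fonts-generic"
    out["screen"] = "common"
    return out


if __name__ == "__main__":
    pop = constructed_population()
    print("all attributes   (unique fraction, bits):", identifiability(pop, ATTRIBUTES))
    print("user agent only  (unique fraction, bits):", identifiability(pop, ("user_agent",)))
    coarsened = [coarsen(d) for d in pop]
    print("after coarsening (unique fraction, bits):", identifiability(coarsened, ATTRIBUTES))
```

With all four attributes, 239 of the 280 constructed devices are unique and the fingerprint carries about 7.3 bits; with the user agent alone no device is unique, and after coarsening none is either. The unique fraction is the figure that matters for a privacy review: a fingerprint that is unique for most visitors identifies them across sites without any login or cookie.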
Invisible information gathering
• Cookies are files a website stores on a visitor’s computer.
Within the cookie, the site stores and then uses information
about the visitor’s activity. For example, a retail site might
store information about products we looked at and the
contents of our virtual “shopping cart.” On subsequent visits,
the site retrieves information from the cookie. Cookies help
companies provide personalized customer service and target
advertising to the interests of each visitor. They can also track
our activities on many sites and combine the information. At
first, cookies were controversial because of the very idea that
websites were storing files on the user’s computer without
the user’s knowledge. Today, more people are aware of
cookies and use tools to prevent or delete them. In response,
some companies that track online activity developed more
sophisticated “supercookies” that recreate deleted cookies
and are difficult to find and remove.
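The paragraph above describes two uses of cookies: a retail site storing the visitor's cart for later visits, and trackers combining activity across many sites. The simulation below is added here and is not from the textbook: it models a browser cookie jar, a constructed retail site that keeps the cart in a first-party cookie, and a constructed third-party tracker embedded on both the shop and a news site. Running it with and without third-party cookies blocked shows why the cart keeps working while the cross-site link disappears. The domains, cookie names and the Set-Cookie strings are made up.

```python
"""Added example (not from the textbook): a toy cookie jar, a first-party cart
cookie, and a third-party tracker cookie seen on two unrelated sites. Domains,
cookie names and header strings are constructed."""


def parse_set_cookie(header):
    """Parse a Set-Cookie header into (name, value, attributes). Attributes
    without a value, such as Secure and HttpOnly, are stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, has_eq, val = attr.partition("=")
        attrs[key.lower()] = val if has_eq else True
    return name, value, attrs


class CookieJar:
    """Stores cookies per domain, as a browser does. With block_third_party
    set, a cookie is kept only when the domain setting it is the domain of
    the page being viewed."""

    def __init__(self, block_third_party=False):
        self.store = {}  # domain -> {cookie name: value}
        self.block_third_party = block_third_party

    def receive(self, page_domain, cookie_domain, header):
        if self.block_third_party and cookie_domain != page_domain:
            return False
        name, value, _attrs = parse_set_cookie(header)
        self.store.setdefault(cookie_domain, {})[name] = value
        return True

    def send(self, cookie_domain):
        """Cookies the browser would attach to a request to cookie_domain."""
        return dict(self.store.get(cookie_domain, {}))


class Shop:
    """Constructed first-party site that keeps the cart in a cookie."""

    def serve(self, cookies_sent, add_item):
        items = [i for i in cookies_sent.get("cart", "").split("+") if i]
        items.append(add_item)
        return items, "cart=" + "+".join(items) + "; Path=/; Secure; SameSite=Lax"


class Tracker:
    """Constructed third-party service embedded on many sites. It assigns an
    id the first time it sees a browser and logs every page that id appears on."""

    def __init__(self):
        self.next_id = 1
        self.seen = {}  # tracking id -> list of page domains

    def serve(self, page_domain, cookies_sent):
        tid = cookies_sent.get("tid")
        if tid is None:
            tid = "t%d" % self.next_id
            self.next_id += 1
        self.seen.setdefault(tid, []).append(page_domain)
        return "tid=" + tid + "; Path=/; Secure; HttpOnly; SameSite=None"


def browse(jar, shop, tracker):
    """Two visits to the shop, then one to a news site; every page embeds the
    tracker. Returns the cart contents after the second shop visit."""
    items = []
    for page, item in (("shop.example", "book"), ("shop.example", "lamp"),
                       ("news.example", None)):
        if item is not None:
            items, header = shop.serve(jar.send("shop.example"), item)
            jar.receive(page, "shop.example", header)
        jar.receive(page, "tracker.example",
                    tracker.serve(page, jar.send("tracker.example")))
    return items


if __name__ == "__main__":
    for block in (False, True):
        tracker = Tracker()
        cart = browse(CookieJar(block_third_party=block), Shop(), tracker)
        print("third-party blocked:", block, "| cart:", cart, "| tracker sees:", tracker.seen)
```

Without blocking, the tracker sees one id on all three page views and can tie the news visit to the shopping session; with blocking it sees three different ids and cannot. The cart works either way because it is a first-party cookie. Real "supercookies" that recreate deleted cookies work around exactly this jar behaviour by storing the identifier somewhere other than the cookie store.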
Privacy and Computer Technology (cont.)
Terminology:
• Secondary use - use of personal information for a purpose
other than the one it was provided for
• Examples include sale of consumer information to marketers
or other businesses, use of information in various databases
to deny someone a job, the Internal Revenue Service
searching vehicle registration records for people who own
expensive cars and boats (to find people with high incomes),
use of text messages by police to prosecute someone for a
crime, and the use of a supermarket’s customer database to
show alcohol purchases by a man who sued the store
because he fell down.
Privacy and Computer Technology (cont.)

Terminology (cont.):
• Data mining - searching and analyzing masses
of data to find patterns and develop new
information or knowledge
• Computer matching - combining and
comparing information from different
databases (using Social Security number, for
example, to match records)
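Two points on this page call for the same demonstration: computer matching (joining records from different databases on a shared key such as a Social Security number, with the IRS vehicle-registration search from the secondary-use slide as the use case) and the earlier summary-of-risks observation that direct association with a name is not essential for compromising privacy because re-identification has become easy. The script below is added here and is not from the textbook. It joins two constructed tables on SSN, then takes a constructed "de-identified" medical release and a constructed public list and shows the check a data custodian should run before release: how small the groups sharing zip code, birth date and sex are (k-anonymity), which rows a linkage would pin to one person, and how generalizing the fields raises k. Every record is fabricated.

```python
"""Added example (not from the textbook): computer matching by joining on a
shared identifier, and a k-anonymity check showing why removing names is not
enough. All records are fabricated."""
from collections import Counter, defaultdict

# Constructed tables for the matching example: vehicle registrations and
# reported income, both keyed by Social Security number.
VEHICLES = [
    {"ssn": "111-11-1111", "vehicle": "luxury sedan", "value": 90000},
    {"ssn": "222-22-2222", "vehicle": "compact", "value": 12000},
    {"ssn": "333-33-3333", "vehicle": "yacht", "value": 400000},
]
TAX = [
    {"ssn": "111-11-1111", "reported_income": 30000},
    {"ssn": "222-22-2222", "reported_income": 45000},
    {"ssn": "333-33-3333", "reported_income": 25000},
]


def match_records(left, right, key):
    """Computer matching: index one table by the key, then join the other
    against it. Returns merged rows for keys present in both tables."""
    index = {row[key]: row for row in right}
    return [{**row, **index[row[key]]} for row in left if row[key] in index]


def flag_high_value_low_income(matched, value_threshold, income_threshold):
    """The secondary use from the slide: owners of expensive vehicles whose
    reported income is low."""
    return [m["ssn"] for m in matched
            if m["value"] >= value_threshold and m["reported_income"] <= income_threshold]


# Constructed "de-identified" medical release (no names) and a public list
# (names, no medical data) that share zip code, birth date and sex.
MEDICAL = [
    {"zip": "02138", "dob": "1960-07-31", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02140", "dob": "1960-03-15", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02138", "dob": "1985-01-02", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1985-01-02", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1985-01-02", "sex": "M", "diagnosis": "none"},
]
PUBLIC = [
    {"name": "Pat Example", "zip": "02138", "dob": "1960-07-31", "sex": "F"},
    {"name": "Ali Example", "zip": "02140", "dob": "1960-03-15", "sex": "F"},
    {"name": "Sam Example", "zip": "02138", "dob": "1985-01-02", "sex": "M"},
    {"name": "Lee Example", "zip": "02139", "dob": "1985-01-02", "sex": "M"},
    {"name": "Kim Example", "zip": "02139", "dob": "1985-01-02", "sex": "M"},
]
QUASI = ("zip", "dob", "sex")


def k_anonymity(rows, quasi_identifiers):
    """Size of the smallest group of rows sharing the same quasi-identifier
    values. k == 1 means some row is unique on those fields."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(counts.values())


def linkage_risk(released, public, quasi_identifiers):
    """Pre-release check: which released rows would a join on the
    quasi-identifiers pin to exactly one named person? Returns {name: diagnosis}."""
    groups = defaultdict(list)
    for p in public:
        groups[tuple(p[q] for q in quasi_identifiers)].append(p["name"])
    released_counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in released)
    linked = {}
    for r in released:
        key = tuple(r[q] for q in quasi_identifiers)
        if len(groups.get(key, [])) == 1 and released_counts[key] == 1:
            linked[groups[key][0]] = r["diagnosis"]
    return linked


def generalize(rows):
    """Defensive step: coarsen birth date to year and zip code to its first
    three digits so that more rows share each quasi-identifier combination."""
    return [dict(r, dob=r["dob"][:4], zip=r["zip"][:3]) for r in rows]


if __name__ == "__main__":
    matched = match_records(VEHICLES, TAX, "ssn")
    print("flagged by matching:", flag_high_value_low_income(matched, 50000, 35000))
    print("k before release:", k_anonymity(MEDICAL, QUASI))
    print("rows a join would name:", linkage_risk(MEDICAL, PUBLIC, QUASI))
    gen_med, gen_pub = generalize(MEDICAL), generalize(PUBLIC)
    print("k after generalizing:", k_anonymity(gen_med, QUASI))
    print("rows a join would name after generalizing:", linkage_risk(gen_med, gen_pub, QUASI))
```

On the constructed data the release has k = 1 and three of five "anonymous" rows map to a single person in the public list; after generalizing, k rises to 2 and no row maps to one person. The point for the custodian is that the fields other than the name carry the risk, and the check has to be run against the public data an adversary could plausibly obtain.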
Privacy and Computer Technology (cont.)

Terminology (cont.):
• Computer profiling - analyzing data in computer files to
determine characteristics of people most likely to engage in
certain behaviour
• Businesses use these techniques to find likely new customers.
• Government agencies use them to detect fraud, to enforce
other laws, and to find terrorists.
• Data mining, computer matching, and profiling are, in most
cases, examples of secondary use of personal information.
Privacy and Computer Technology (cont.)
Principles for Data Collection and Use:
• Informed consent
• Opt-in and opt-out policies
• Fair Information Principles (or Practices)
• Data retention
Principles for Data Collection and Use:
• Informed consent
• There is an extraordinary range to the amount of privacy
different people want. Some blog about their divorce or
illnesses. Some pour out details of their romantic
relationships on television shows or to hundreds of social
network friends. Others use cash to avoid leaving a record of
their purchases, encrypt all their email, and are angry when
someone collects information about them. When a business
or organization informs people about its data collection and
use policies or about the data that a particular device or
application collects, each person can decide, according to his
or her own values, whether or not to interact with that
business or organization or whether to use the device or
application.
Principles for Data Collection and Use
• Opt-in and opt-out policies
• Under an opt-out policy, one must check or click a box on a contract,
membership form, or agreement or contact the organization to
request that they not use one’s information in a particular way. If the
person does not take action, the presumption is that the organization
may use the information.
• Under an opt-in policy, the collector of the information may not use it
for secondary uses unless the person explicitly checks or clicks a box or
signs a form permitting the use. (Be careful not to confuse the two.
Under an opt-out policy, more people are likely to be “in,” and under
an opt-in policy, more people are likely to be “out,” because the
default presumption is the opposite of the policy name.)
Principles for Data Collection and Use
• Opt-in and opt-out policies
• Opt-out options are now common. Responsible,
consumer-friendly companies and organizations often set
the default so that they do not share personal information
and do not send marketing emails unless the person
explicitly allows it— that is, they use the opt-in policy.
Particularly in situations where disclosing personal
information can have negative consequences and it is not
obvious to a customer that the organization might disclose
it, a default of nondisclosure without explicit permission
(that is, an opt-in policy) is the responsible policy.
Principles for Data Collection and Use
• Fair Information Principles (or Practices)
• Inform people when you collect information
about them, what you collect, and how you use
it. Some important points are:
• Collect only the data needed.
• Offer a way for people to opt out from mailing
lists, advertising, and other secondary uses. Offer
a way for people to opt out from features and
services that expose personal information.
Principles for Data Collection and Use:
• Fair Information Principles (or Practices)
• Keep data only as long as needed.
• Maintain accuracy of data. Where appropriate and
reasonable, provide a way for people to access and
correct data stored about them.
• Protect security of data (from theft and from
accidental leaks). Provide stronger protection for
sensitive data.
• Develop policies for responding to law enforcement
requests for data.
Fair Information Principles (or Practices)
• It can be difficult to apply the fair information principles to some new
technologies and applications. They do not fully address privacy issues that
have arisen with the increase of cameras in public places (such as police camera
systems and Google’s Street View), the enormous amount of personal
information people share in social networks, and the power of smartphones.
For example, when someone puts personal information in a tweet to thousands
of people, how do we determine the purpose for which he or she supplied the
information? Can any recipient use the information in any way? How widely
distributed must information be before it is public in the sense that anyone can
see or use it? Even when people have agreed to share information,
consequences of new ways of sharing or new categories of
information can be unexpected and problematic. For example, default settings
for features in social networks can have significant consequences.
Privacy and Computer Technology
Discussion Questions
• Have you seen opt-in and opt-out choices?
Where? How were they worded?
• Were any of them deceptive?
• What are some common elements of
privacy policies you have read?
