Data Privacy and Law: CS 590: Privacy, Edwin Dauber

This document provides a summary of a lecture on data privacy and law. It begins with administrative announcements including upcoming assignment due dates. It then discusses key concepts around data privacy including opt-in vs opt-out policies, data breaches, privacy related to education, finances, health, politics and more. The document next summarizes the history of privacy laws in the US and other countries/regions including FERPA, HIPAA, GDPR and CCPA. It concludes by noting the varying status of privacy laws around the world.

Uploaded by

Justin Kellett

Data Privacy and Law

CS 590: PRIVACY
EDWIN DAUBER

Administrivia

• Midterm due this Sunday
• Differential Privacy homework due on Friday
• New homework goes out this week
• Due next Friday
• Make sure to continue with readings and discussion

Recap

• Differential Privacy measures privacy loss from data publication
• Mechanisms provide deniability

Lecture Part 1: DATA PRIVACY

Today’s Topic

• Data Privacy…
• How do you control your data?
• Today is also likely to be short
• In the first half, we’ll discuss areas
• And in some cases some technical considerations
• In the second half, we’ll discuss laws

Opt-In Vs. Opt-Out

• We’ve discussed this before
• Opt-In: privacy invasive components must be explicitly allowed
• Opt-Out: privacy invasive components can be explicitly disallowed

Data Breach

• We’ve all heard about them
• Equifax?
• Major organizations store lots of data
• When their data gets stolen…
• Your data goes on the dark web
• There are web services that can tell you if you’ve been exposed

TV Privacy

• When you watch TV, the provider can know what you are watching
• This information should not be shared except in aggregate
• We may not be able to prevent them from knowing what we are watching…
• But we can watch what they do with it

Educational Privacy

• Educational information must be private
• Why?
• Should not be published except in anonymous, aggregate form
• Records should be kept on a need-to-know basis
• But educators need this data

Financial Privacy

• Financial information must be private
• Transactions may reveal sensitive information
• Certain data can lead to identity theft
• Could expose accounts to use by others
• Leading to financial cost
• But banks need this data

Medical Privacy

• Medical data must be private
• Medical conditions can be embarrassing
• Medical discrimination can cost money/jobs
• But healthcare providers need the data

Political Privacy

• Secret ballot is an essential part of a democracy
• Political threats/intimidation
• Disenfranchisement
• Every citizen should be able to vote
• Once and only once
• How do we enable this?

Location Privacy

• Location information must be private
• Can result in physical danger
• Can lead to burglary
• Our devices keep track of where we are
• How do we get services without revealing our location?

Phishing & Social Networking Attacks

• A class of side-channel attack
• Treat humans as the weak link in security/privacy
• Often true
• Some are offers too good to refuse
• Others rely on fear
• Be careful about what messages you respond to

Man-On-The-Inside Attacks

• Related to the previous
• Sometimes a willing accomplice
• Sometimes previously compromised
• Trusted email address hacked to send you a message

People Search

• Spokeo, Nuwber, Truthfinder, Intelius, Whitepages, etc.
• Look up people with full background check
• Do have to pay for it
• Not always accurate
• May include other people with the same name
• Better Future – free (currently suspended due to COVID)

Social Media Privacy

• Social networks are public by design
• As a result, information posted becomes public
• Once public, it can be used by anyone for any purpose
• There are exceptions
• Some are built with more privacy in mind
• Still not perfect

Social Media Privacy

• Best thing: have no social media
• Almost like me
  • I do have a rarely updated LinkedIn
  • I used to have a Google Plus
• Nothing else
• Not practical for everyone

Social Media Privacy

• Sometimes can restrict content to friends only
• Can be careful about what you say
• Be careful about location tagging
• Manage privacy settings

Social Network Analysis

• Applies graph theory to social networks
• People/accounts are nodes
• Relationships are edges
• On social media, identify your friends
• Use your friends to learn about you

Targeted Advertising

• Advertising can be targeted by a variety of features
• Can use things like demographic information
• Can also use other features
• Behavioral
• Psychographic

Targeted Advertising

• Traditionally can make any combination
• Even specific enough to target a single person
• Policies can place limitations
• Cannot combine certain types of features
• Cannot get a set smaller than n
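
An added example, not part of the original slides: one way an ad platform could enforce the two limitations above (no combining certain feature types, no audience smaller than n). The user records, feature names, the forbidden type pair and n = 3 are all constructed assumptions.

```python
from itertools import combinations

# Constructed sample audience; every field and value here is made up.
USERS = [
    {"id": 1, "age_band": "18-24", "zip3": "191", "interest": "cycling", "personality": "open"},
    {"id": 2, "age_band": "18-24", "zip3": "191", "interest": "cycling", "personality": "cautious"},
    {"id": 3, "age_band": "18-24", "zip3": "191", "interest": "cycling", "personality": "open"},
    {"id": 4, "age_band": "25-34", "zip3": "191", "interest": "cycling", "personality": "open"},
    {"id": 5, "age_band": "25-34", "zip3": "190", "interest": "gaming", "personality": "cautious"},
    {"id": 6, "age_band": "35-44", "zip3": "190", "interest": "gaming", "personality": "open"},
]

# Assumed mapping of targeting features to the feature types named on the slides.
FEATURE_TYPE = {
    "age_band": "demographic",
    "zip3": "demographic",
    "interest": "behavioral",
    "personality": "psychographic",
}

# Assumed policy: these feature types may not appear together in one campaign.
FORBIDDEN_TYPE_PAIRS = {frozenset({"demographic", "psychographic"})}
MIN_AUDIENCE = 3  # the slide's n (assumed value)


def audience(spec, users=USERS):
    """Return the ids of users matching every feature=value pair in spec."""
    return [u["id"] for u in users if all(u.get(k) == v for k, v in spec.items())]


def check_campaign(spec, users=USERS, n=MIN_AUDIENCE):
    """Return (allowed, reason) for a targeting spec under the assumed policy."""
    unknown = sorted(k for k in spec if k not in FEATURE_TYPE)
    if unknown:
        return False, f"unknown feature(s): {unknown}"
    types = {FEATURE_TYPE[k] for k in spec}
    for a, b in combinations(sorted(types), 2):
        if frozenset({a, b}) in FORBIDDEN_TYPE_PAIRS:
            return False, f"policy forbids combining {a} and {b} features"
    size = len(audience(spec, users))
    if size < n:
        # Reject without reporting the exact count of a small audience.
        return False, f"audience smaller than n={n}"
    return True, f"audience size {size}"


if __name__ == "__main__":
    print(check_campaign({"age_band": "18-24", "interest": "cycling"}))
    print(check_campaign({"age_band": "35-44", "zip3": "190"}))  # singles out one user
    print(check_campaign({"age_band": "18-24", "personality": "open"}))
```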

Lecture Part 2: PRIVACY LAW

Privacy Law History

• Physical privacy has long been codified in law
• The Constitution does not reference privacy
• But some of the amendments introduce related ideas
• 1890: “Right to be let alone” introduced
• 1914: FTC introduced
• 1917: protections for sealed mail

Privacy Law History

• 1948: Orwell writes 1984
• 1948: UN Declaration of Human Rights
• Explicitly names privacy a basic human right
• 1960: Article “Privacy” outlines torts which can be used to sue over privacy violations
• 1960s and 1970s: Supreme Court rules on privacy

FERPA

• Passed in 1974
• One of the first modern privacy laws
• Protects student educational records
  • I cannot release any information about your education without your express consent
  • Neither can Drexel

Privacy Act of 1974

• Codifies ideas of PII
• Codifies protections for PII
• Amended in 1988 to include digital records
• Also allows requesting copies of records on yourself

TCPA and Do Not Call Registry

• Passed in 1984
• Attempt to provide phone privacy
• Attempt to allow opt-out of telemarketing
• Not very enforceable
• Due in large part to globalization
• And, ironically, PETs

EU Data Protection Directive

• Passed in 1995
• Eventually replaced by GDPR
• We’ll come back to this later
• Much more defined concepts of privacy than in the US

HIPAA

• Passed in 1996
• Protects healthcare information privacy
• Defines who can access healthcare info
• Defines how healthcare information is stored
• Defines how healthcare info is transmitted
• Defines both civil and criminal violations

COPPA

• Passed in 1998
• Specifically protects children under 13
• Requires parental/guardian consent
• Which must be verifiable
• Compliance is expensive
• A lot of sites just disallow users under 13

Gramm-Leach-Bliley Act

• Passed in 1999
• One of many laws concerning financial privacy
• Requires disclosure of how financial institutions share customer data

E-Government Act

• Passed in 2002
• Prescribes how to digitize government data
• Must be publicly accessible and privacy preserving

APEC

• Adopted a privacy framework in 2004
• Has 9 principles:
  • Preventing harm, Notice, Collection limitation
  • Use of personal information, Choice
  • Integrity of personal information, Security safeguards
  • Access and correction, Accountability

EU Right to be Forgotten

• Passed in 2012
• Allows EU citizens to request search engines to delink pages with information about them from search results
• While data on the web is forever…
• This is a reasonable attempt to provide protection

GDPR

• Passed in 2018
• Major overhaul of privacy law in the EU
• Applies if controller, processor, or subject of data is based in the EU
• Personal data may not be processed unless there is at least one legal basis
• Consent can be granted and withdrawn

GDPR Legal Processing Purposes

• Subject has consented
• Required to fulfil obligations to subject
• Or tasks requested by subject
• Comply with legal obligations
• Protect vital interests of an individual
• Perform task in public interest
• Legitimate interests of controller unless overridden by interests of subject

GDPR Subject Rights

• Transparency
• Access
• Erasure
• Objection

GDPR Requirements

• Pseudonymity
• Records of processing activities
• Security
• Clear information as to the extent of collection, retention, transfer, automated decision-making, as well as individual rights

CCPA

• Passed in 2018, effective in 2020
• Extensive privacy regulation for the state of California

Privacy Law Around the World

• There are many more privacy laws than these
• But these give a good sampling of the laws
• There are also many countries with no privacy laws
• About 2/3 of countries have laws
• Another 1/10 have draft legislation
• But about 2/10 have none

Privacy Law in the Americas

• Most countries have privacy laws
• Some have draft laws
• Some countries in Central America don’t
• Some countries in the northern parts of South America don’t
• Such as Venezuela

Privacy Law in Europe

• Europe has very good privacy laws
• Some countries have draft legislation

Privacy Law in Asia

• Most of Asia has good privacy laws
• Some parts of the Middle East do not
• Some parts of Southeast Asia do not

Privacy Law in and Near Australia

• Australia has good privacy laws
• Papua New Guinea does not

Privacy Law in Africa

• About half of Africa has good privacy law
• More have draft legislation
• But about 25% of Africa has no privacy law

Discussion: WEB PRIVACY

Reminders

• Reading 15 due Sunday 11:59 PM
• Project Paper + Artifacts due Sunday 11:59 PM
• Final Exam due next Saturday 11:59 PM
• Project Presentation + Review due next Saturday 11:59 PM
• All of these are available Week 9 & Finals Week on Blackboard
• Slack discussion will continue
