SLIDE 1

Privacy

Simone Fischer-Hübner October 2006

SLIDE 2

Overview

I. Definition
II. Basic Privacy Principles
III. Privacy Issues (LBS, RFID, ...)
IV. European Privacy Legislation / Directives

SLIDE 3

I. Definition

Warren & Brandeis 1890: “The right to be let alone”

SLIDE 4

Definition - Alan Westin 1967

“Privacy is the claim of individuals, groups and institutions to determine for themselves, when, how and to what extent information about them is communicated to others”

SLIDE 5

Privacy Dimensions

• Informational self-determination
• Spatial privacy

SLIDE 6

II. Basic Privacy Principles
(implemented in EU Directive 95/46/EC)

• Legitimisation by law, informed consent (Art. 7 EU Directive)
• Purpose specification and purpose binding (Art. 6 I b)
• ”Non-sensitive” data do not exist!
• Data minimisation and avoidance (Art. 6 I c, Art. 7)
• No processing of ”special categories of data” (Art. 8)

SLIDE 7

Basic privacy principles (II)

Transparency, rights of data subjects:
• to be informed (Art. 10)
• to be notified, if data have not been obtained from the data subject (Art. 11)
• of access to data (Art. 12 a)
• of correction of incorrect data / erasure or blocking of illegally stored data (Art. 12 b)
• to object to direct marketing (Art. 14)

SLIDE 8

Basic privacy principles (III)

Supervision (Art. 28): Supervisory authorities
• monitor compliance
• act upon complaints
• are consulted when drawing up data protection regulations
• draw up regular reports

Supervisory Authority in Sweden: Datainspektionen, Fleminggatan 14, plan 9, Stockholm, Tel: +46 8 657 61 00, http://www.datainspektionen.se/

SLIDE 9

Basic privacy principles (IV)

• Sanctions (Art. 24)
• Requirement of security mechanisms (Art. 17)

SLIDE 10

III. Privacy Issues: Location Based Services (LBS)

(Figure: mobile user, wireless operator, provider of the LBS application)

Location data provided by
• the communication network
• or special hardware at the user terminal (e.g., GPS receiver)
SLIDE 11

LBS - Applications

Example applications:
• City Guide / Price comparison: ”Find the nearest cheap gasoline station, restaurant, hotel, catholic church, ...”
• Friend Finder
• Disaster management
• Child control service

SLIDE 12

LBS - Risks

Privacy risks:
• Unsolicited profiling (-> blackmailing of politicians, ”digging in the past”)
• Unsolicited tracking of users’ position and movements (-> burglary, kidnapping)
• Disclosure of the user’s current context (e.g., John is currently in a night club)
• Disclosure of social networks

SLIDE 13

Airline Bonus Cards / Customer Databases

Benefits:
• Better service adapted to customer needs
• Awards for frequent flyers

Risks:
• Extensive customer profiles
• Access requests to airline customer databases by the USA after 9/11

SLIDE 14

RFID Technology

(Figure: Tag, RFID Reader)

SLIDE 15

RFID tags in the supply chain

SLIDE 16

RFID tags in packages - Benefits

• Real-time access to inventory information (”smart shelves”)
• Fast payment without barcode scanning
• Prevent shoplifting (anti-theft tags)
• ”Added value” for customers (information about product freshness, cooking instructions, warranty claims)

SLIDE 17

RFID tags in packages - Methods of personal data collection

RFID used to
• store personal data
• collect information linked to personal data (e.g., customer database)
• track persons without ”traditional” identifiers being available (e.g., RFID number of a customer’s watch)

SLIDE 18

RFID tags in packages – Privacy Threats

• Monitoring of customer habits inside the shops
• Scanning of goods that customers are carrying/wearing
• No transparency -> hidden data collection
• Lacking user control

SLIDE 19

The consumer privacy problem

(Figure: ”Here’s Mr. Jones in 2020…”, with the RFID-tagged items he carries)
• Wig, model #4456 (cheap polyester)
• 1500 Euros in wallet, serial numbers: 597387, 389473 …
• 30 items of lingerie
• Das Kapital and Communist-party handbook
• Replacement hip, medical part #459382

Source: Ari Juels, RSA Laboratories

SLIDE 20

…and the tracking problem

(Figure: wig, serial #A817TS8)
• Mr. Jones pays with a credit card; his RFID tags now linked to his identity
• Mr. Jones attends a political rally; law enforcement scans his RFID tags
• Mr. Jones wins Turing Award; physically tracked by paparazzi via RFID

SLIDE 21

...RFIDs even used as implants

SLIDE 22

Enhanced risks: Biometrics on RFIDs in new EU passports

Biometrics – sensitive personal data, e.g.:
• a retina scan reveals information on consumption of alcohol
• a fingerprint might reveal data on homosexuality or ethnicity

Processing of personal data without the data subject getting to know of it, e.g. face recognition

RFIDs integrated into passports allow
• creation of movement profiles
• identification of persons in crowds
• building ID-document specific bombs, detonating exactly when (the holder of) the ID-document is in close proximity

SLIDE 23

IV. Privacy Legislation

Problem of international harmonisation of privacy legislation: Is a common harmonised approach to privacy possible, given cultural / historical / political differences? Example:

USA:
• no data protection commissioner
• no omnibus privacy legislation
• Public sector: U.S. Privacy Act (1974) & privacy acts of the states
• Private sector: ”patchwork”: Fair Credit Reporting Act, etc. & self-regulation (-> codes of conduct)

Europe:
• EU Data Protection Directive 95/46/EC
• EU Directive 2002/58/EC on Privacy and Electronic Communications

Safe Harbour principles as a solution?

SLIDE 24

EU Data Protection Directive 95/46/EC

Objective:
• Protection of fundamental rights and freedoms of individuals
• Harmonisation of privacy legislation in Europe

Scope: Does not apply to data processing for defence, public/state security, criminal law enforcement (Art. 3)

• Enforces basic privacy principles (see above)
• Restricts personal data transfer from the EU to third countries (Art. 25)

SLIDE 25

EU Directive 2002/58/EC on privacy and electronic communications

Confidentiality of communications (Art. 5):
• No interception / surveillance without the data subject’s consent
• Protection against cookies, spyware, web-bugs

SLIDE 26

EU Directive 2002/58/EC on privacy and electronic communications (cont.)

Traffic data (Art. 6):
• Must be erased or made anonymous upon completion of transmission
• Processing for billing purposes permissible
• Processing for the purposes of value added services / marketing with the consent of the subscriber/user

SLIDE 27

EU Directive 2002/58/EC on privacy and electronic communications (cont.)

Location data other than traffic data (Art. 9):
• May only be processed when made anonymous, or with the informed consent of the user/subscriber
• Where consent has been obtained, the user/subscriber must still have the possibility of temporarily refusing the processing of location data

Problem: Location data within traffic data can also be very sensitive
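The rules on the last two slides (Art. 6 on traffic data, Art. 9 on location data) and the purpose-binding principle from slide 6 can be expressed as a small data-handling policy. The following is an added Python illustration, not code from the lecture or from any operator: it applies the rules to constructed call records. The field names, the per-user consent model, the keyed pseudonymisation and the one-decimal coarsening used for anonymisation are all assumptions made for this example.

```python
"""Handling of traffic and location data after a transmission completes.

Added example, not code from the lecture: a policy function that applies
Directive 2002/58/EC Art. 6 (traffic data) and Art. 9 (location data) to
constructed records. Field names, the consent model and the precision used
for anonymisation are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac


@dataclass
class Consent:
    """Per-user state assumed for the example (not defined by the directive)."""
    value_added: bool = False          # informed consent for value-added/marketing use
    temporarily_refused: bool = False  # user has switched location processing off for now


@dataclass
class TrafficRecord:
    subscriber: str    # constructed subscriber identifier
    cell_id: str       # serving cell: location data that is part of traffic data
    lat: float
    lon: float
    duration_s: int    # the one field billing actually needs
    completed: bool    # has the transmission finished?


# Constructed operator-only secret: pseudonyms are consistent but cannot be
# reversed by anyone without this key.
PSEUDONYM_KEY = b"example-key-not-for-real-use"


def pseudonymise(subscriber: str) -> str:
    """Keyed hash of the subscriber id (HMAC-SHA256, truncated)."""
    return hmac.new(PSEUDONYM_KEY, subscriber.encode(), hashlib.sha256).hexdigest()[:16]


def coarsen(lat: float, lon: float, decimals: int = 1) -> tuple:
    """Round coordinates to one decimal (roughly 10 km) so a single record no
    longer places a person at a building."""
    return (round(lat, decimals), round(lon, decimals))


def process(record: TrafficRecord, consent: Consent, purpose: str) -> Optional[dict]:
    """Return what may be retained from `record` for `purpose`, or None if the
    data must be erased for that purpose.

    Purposes: 'billing', 'value_added', 'statistics'. Deciding per purpose is
    the purpose-binding principle (Art. 6 I b of 95/46/EC): data kept for
    billing is not silently reused for marketing.
    """
    if not record.completed:
        # Still needed to convey the communication: nothing is stripped yet.
        return vars(record).copy()

    if purpose == "billing":
        # Art. 6: billing is permissible, but data minimisation means only the
        # fields billing needs; precise location is not one of them.
        return {"subscriber": record.subscriber, "duration_s": record.duration_s}

    if purpose == "value_added":
        # Art. 9: location data only with informed consent, and the user must
        # still be able to temporarily refuse processing after consenting.
        if consent.value_added and not consent.temporarily_refused:
            lat, lon = coarsen(record.lat, record.lon)
            return {"pseudonym": pseudonymise(record.subscriber), "lat": lat, "lon": lon}
        return None

    if purpose == "statistics":
        # "Made anonymous": no identifier at all, only a coarse location.
        lat, lon = coarsen(record.lat, record.lon)
        return {"lat": lat, "lon": lon}

    raise ValueError(f"unknown purpose {purpose!r}")


def sample_records():
    """Constructed sample data: three completed calls and two consent states."""
    records = [
        TrafficRecord("alice", "cell-17", 59.4028, 13.5123, 120, True),
        TrafficRecord("bob", "cell-02", 59.3300, 18.0600, 45, True),
        TrafficRecord("carol", "cell-09", 55.6050, 13.0038, 300, True),
    ]
    consents = {
        "alice": Consent(value_added=True),
        "bob": Consent(value_added=True, temporarily_refused=True),
    }
    return records, consents


def summarise(records, consents, purpose: str) -> dict:
    """Count how many records are retained vs. erased for one purpose."""
    kept = erased = 0
    for rec in records:
        result = process(rec, consents.get(rec.subscriber, Consent()), purpose)
        if result is None:
            erased += 1
        else:
            kept += 1
    return {"kept": kept, "erased": erased}


if __name__ == "__main__":
    recs, cons = sample_records()
    for p in ("billing", "value_added", "statistics"):
        print(p, summarise(recs, cons, p))
```

Running the block shows that the same completed record yields three different retained shapes depending on the declared purpose, and that Bob's temporary refusal overrides his earlier consent for the value-added purpose while leaving billing untouched.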

SLIDE 28

EU Directive 2002/58/EC on privacy and electronic communications (cont.)

Unsolicited communications (Art. 13): Opt-in system for electronic mail for direct marketing (so-called “spam”)

Problem: the US American CAN-SPAM Act of 2003 requires only an opt-out system; no spam legislation in most countries

SLIDE 29

Data Retention according to EU Directives 2002/58/EC and 2006/24/EC

Art. 15 of EU Directive 2002/58/EC: allows member states to adopt laws for data retention for safeguarding security, defence, law enforcement

Data Retention Directive 2006/24/EC: requires telco companies to retain traffic and location data for 6-24 months

Problems / Questions:
• Appropriate?
• Threat to online privacy: traffic data contains mainly ”fingerprints” of non-criminal users
• Criminals find ways ”around”
• Will anonymisation service providers be forced to collect more data than they would normally collect?

SLIDE 30

Need for Privacy-Enhancing Technologies (PET)

Minimizing / avoiding personal data (providing anonymity, pseudonymity, unobservability):
• Mix nets
• Crowds

Control of data collection / processing according to legislation:
• P3P (Platform for Privacy Preferences Protocol)
• Privacy-enhanced Identity Management
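Crowds, listed above as a data-minimising PET, hides who initiated a web request by having each crowd member forward the request to a random member with probability p_f and otherwise submit it to the server. The following simulation is an added illustration, not code from the lecture or from the original Crowds design (Reiter & Rubin): it reproduces the forwarding rule, the expected path length p_f/(1-p_f), and the probable-innocence crowd-size bound n >= p_f/(p_f - 1/2) * (c+1) against c colluding members. The crowd size, p_f and the random seed are example parameters.

```python
"""Crowds-style probabilistic forwarding: an added simulation, not code from
the lecture or from the Crowds paper (Reiter & Rubin). Each member ("jondo")
that receives a request forwards it to a uniformly chosen member (possibly
itself) with probability p_f and otherwise submits it to the server. Every
member and the server only see their predecessor, so the submitter is not
necessarily the initiator. Parameters below are example values.
"""
import math
import random
from collections import Counter


def crowds_path(n_members: int, p_f: float, initiator: int, rng: random.Random) -> list:
    """Members the request passes through, initiator first; the last element
    is the member that finally submits the request to the server."""
    path = [initiator]
    while rng.random() < p_f:          # forward with probability p_f
        path.append(rng.randrange(n_members))
    return path


def expected_forwards(p_f: float) -> float:
    """Expected number of forwarding hops: geometric, p_f / (1 - p_f)."""
    return p_f / (1.0 - p_f)


def submitter_is_initiator_probability(n_members: int, p_f: float) -> float:
    """Exact chance that the server's direct peer is the initiator:
    no forwarding at all (1 - p_f) or a random hop that lands back on
    the initiator (p_f / n)."""
    return (1.0 - p_f) + p_f / n_members


def probable_innocence_min_members(p_f: float, collaborators: int) -> int:
    """Smallest crowd for which the Reiter–Rubin probable-innocence bound
    n >= p_f / (p_f - 1/2) * (c + 1) holds; requires p_f > 1/2."""
    if p_f <= 0.5:
        raise ValueError("probable innocence needs p_f > 1/2")
    return math.ceil(p_f / (p_f - 0.5) * (collaborators + 1))


def simulate(n_members: int, p_f: float, trials: int, seed: int = 1) -> dict:
    """Run many requests and compare the observed behaviour with the theory."""
    rng = random.Random(seed)
    hops = []
    initiator_submits = 0
    for _ in range(trials):
        initiator = rng.randrange(n_members)
        path = crowds_path(n_members, p_f, initiator, rng)
        hops.append(len(path) - 1)
        if path[-1] == initiator:
            initiator_submits += 1
    return {
        "mean_forwards": sum(hops) / trials,
        "submitter_is_initiator_rate": initiator_submits / trials,
        "hop_histogram": Counter(hops),
    }


if __name__ == "__main__":
    stats = simulate(n_members=10, p_f=0.75, trials=20000, seed=7)
    print("mean forwards (sim / theory):", stats["mean_forwards"], expected_forwards(0.75))
    print("submitter == initiator (sim / theory):",
          stats["submitter_is_initiator_rate"], submitter_is_initiator_probability(10, 0.75))
    print("crowd size for probable innocence, p_f=0.75, 1 collaborator:",
          probable_innocence_min_members(0.75, 1))
```

The two quantities worth comparing are the observed path length against p_f/(1-p_f) and how often the server's direct peer really is the initiator: with p_f = 0.75 and ten members that is about a third of the time, which is the "probable innocence" the design aims for rather than full anonymity.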