Privacy & the Government October 1 st , 2018 CS4001: Computing, - PowerPoint PPT Presentation

CS4001: Computing, Society and Professionalism Sauvik Das | Assistant Professor Privacy & the Government October 1 st , 2018

CS4001: Computing, Society and Professionalism Sauvik Das | Assistant Professor But first…let’s finish the previous lecture on Privacy Recap? What is privacy, and how do computers change things?

Privacy and functionality A key difficulty with privacy is that is often something that can be traded for u “functionality” Inconvenient human behavior: hyperbolic time discounting u u Choosing privacy could be better for you in long-term u Choosing free ice cream gets you free ice cream now .

Data Gathering and Privacy Implications Facebook allows you to instantly share and receive feedback on photos you u share about you, your friends and your environment. Can use that data to create highly accurate and sophisticated algorithms that u can reconstruct social and environmental context u Friends (& non-friends) in your pictures u Where you are u What you’re doing

Data Gathering and Privacy Implications Many grocery stores have rewards program that can help customers save u money Can also match your purchases to your identity to send you coupons for u frequently purchased items. Can also sell that information to advertisers. u

Data Gathering and Privacy Implications Google Maps is useful for obvious reasons u But also knows exactly where you’ve been and where you’re going u How fast you’re going u What if Google is subpoenaed for that information? Imagine all the u retrospective speeding tickets.

Class discussion: Privacy is a database correlation problem Jerry Saltzer said “Privacy is a database correlation problem” u What does he mean? u Much of the dangers of internet enabled monitoring is in the merging of different u silos of information: u Grocery store customer loyalty program sold to advertisers u Purchase history linked with social media accounts (Facebook, Twitter) u Social media accounts linked to other online activities (web trackers) u … u Advertisers send a coupon to your home address with coupons to purchase diapers – surprise, we know you’re pregnant!

Class discussion If people value privacy so much, why do they put so much personal u information on social media?

Privacy is not a lost cause Not bringing all this up to say ”You have zero privacy anyway. Get over it” u (actual quote for former CEO of Sun) Much of this fight will be fought by you , when you go on to take jobs. The u decisions we make about privacy today will set the precedent for future generations. Choose to think about the long-term consequences of data collection and u mining. u Not always bad ! Functionality of information technology is a great boon. Just needs to be done responsibly.

Free market vs consumer protection view Free market: it’s your choice how much info to give away u u Privacy as a negative right Consumer protection: People don’t understand implications, consumers can’t u negotiate terms with a business u Privacy as a positive right

Class discussion Ice cream store offers you a free cone on your birthday. u Government buys or subpoenas this birthday list from the store to find men u who haven’t registered with selective services. How would you view this incident from a free market approach vs a consumer u protection approach? Which one do you agree with more? u Would your opinion change if it was genetic information sold by ancestry.com or 23andme?

Governments and Privacy Government policy has a significant impact on individual privacy u Government must balance competing desires: u u Desire to be left alone and free from surveillance u Desire for safety and security Different governments balance these desires differently. u 2007 study by Privacy International found eight countries that were rated as u being ‘endemic surveillance societies’ u China, Malaysia, Russia, Singapore, UK, Taiwan, Thailand and U.S.A.

Show of hands… Who here supports (by the government): u u “expanded camera surveillance on streets and in public places” u ”law enforcement monitoring of Internet discussions in chat rooms and other forums” u “closer monitoring of banking and credit card transactions to trace funding sources” u “expanded governmental monitoring of cell phones and emails to intercept communications”

U.S. Government and Privacy National security concerns significantly outweighed privacy concerns post u 9/11 attacks. 2006 poll showed that: u 70% of Americans supported expanded camera surveillance u 62% supported law enforcement monitoring of Internet discussions u 61% supported closer monitoring of banking and credit card transactions u 52% supported expanded governmental monitoring of cell phones and emails

Solove’s taxonomy of privacy Information collection : Activities that gather personal information u Information processing: Activities that store, manipulate, and use personal u information that has been collected Information dissemination: Activities that spread personal information u Invasion : Activities that intrude upon a person’s daily life, interrupt u someone’s solitude, or interfere with decision-making

U.S. Government and Information Collection Information collection safeguards: u u Employee Polygraph Protection Act : Prohibits employers from use lie detectors u Children’s Online Privacy Protection Act : Online services must gain parental consent before collecting info on children < 12 years old u Genetic Information Non-discrimination Act : Employers and health insurance companies can’t take genes into account Infringements: u u Census records (required to ensure fair representation in Congress, also used to find draft resistors and Japanese Americans in WW2) u IRS records : require a lot of deeply personal information u CCTV cameras (more than 30 million in US)

U.S. Government Privacy Safeguards & Infringements Information processing : u u IRS uses data mining to look for income tax fraud u Syndromic surveillance system : Data mining system that searches for patterns indicating outbreak of an epidemic or bioterrorism (911 calls, Internet searches) u Predictive policing : Law enforcement using data mining to determine areas that are likely to require additional policing

U.S. Government Privacy Safeguards & Infringements Information dissemination related policy: u u FERPA : Students allowed to review educational records, request changes to erroneous records and prevent release of records without permission u HIPAA : Limits how medical institutions can share and use medical info u Freedom of Information Act : ensure public has access to records for the executive branch of the U.S. gov’t

U.S. Government Privacy Safeguards & Infringements Invasion safeguards: u u National Do Not Call Registry : prevents telemarketers from calling numbers in the registry u Advanced Imaging Technology Scanners : Original TSA scanners revealed highly accurate anatomical features. New machines show generic outlines.

Group Activity: The BOSS Homeland Security is developing the Biometric Optical Surveillance System u (BOSS). It’s purpose is to use ubiquitous public video cameras to scan crowds and identify persons of interest with 80-90% accuracy. It’s been used in Iraq and Afghanistan to identify potential suicide bombers. Now, local police departments want to implement it in the U.S. In groups of 2-4, discuss if you support the development and implementation u of BOSS as a crowd surveillance tool for police departments.

Class discussion What does the metaphor of “1984” / big brother mean to you? u

1984 is not the right metaphor Neal Stephenson talk at Computers, Freedom and Privacy conference. u Big Brother Domination Systems One threat Many threats All-encompassing Has edges Abstract Concrete Centralized Networked Irredeemable Redeemable Interesting things happen at the edges (e.g., the government vs Apple in the u San Bernardino case)

Interesting edge: privacy policies of different countries US/EU airline conflict u u US requires info on all international passengers arriving in US u EU allows access to info on a case-by-case basis, based on suspicion. u Airlines handing over this data for EU citizens would be breaking EU law Compromise? u u US reduces the amount of data requested and provides assurances on how data will be used u 2014 EU review found that U.S. DHS not in compliance – reviews records without probable cause

EU-US Privacy Shield In 2000, the U.S/EU agreed on a “safe harbor” policy u u Companies outside EU that agree to EU’s privacy practices may receive data on EU citizens u Ruled to be insufficient by EU court 2016 -- ”Privacy Shield” u u Requires certification (safe harbor was self-certification) u Requires review (external audit or self review) u If EU controller transfers data to a US Privacy Shield org, both parties must enter a written contract

GDPR vs Privacy Shield? In 2018, the EU enacted ”General Data Protection Regulation” (GDPR) u The GDPR has specific requirements regarding the transfer of data out of the u EU. One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws. The EU does not list the US as one of the countries that meets this requirement. Privacy Shield allows US companies, or EU companies working with US u companies, to meet this requirement of the GDPR.