Privacy & the Government
October 1st, 2018
CS4001: Computing, Society and Professionalism
Sauvik Das | Assistant Professor
Recap? What is privacy, and how do computers change things?

- A key difficulty with privacy is that it is often something that can be traded for "functionality"
- Inconvenient human behavior: hyperbolic time discounting
  - Choosing privacy could be better for you in the long term
  - Choosing free ice cream gets you free ice cream now.
- Facebook allows you to instantly share and receive feedback on photos you share about yourself, your friends and your environment.
- Facebook can use that data to create highly accurate and sophisticated algorithms that reconstruct social and environmental context:
  - Friends (& non-friends) in your pictures
  - Where you are
  - What you're doing
- Many grocery stores have rewards programs that help customers save money
- They can also match your purchases to your identity to send you coupons for frequently purchased items.
- They can also sell that information to advertisers.
- Google Maps is useful for obvious reasons
- But it also knows exactly where you've been and where you're going
- And how fast you're going
- What if Google is subpoenaed for that information? Imagine all the retrospective speeding tickets.
- Jerry Saltzer said "Privacy is a database correlation problem"
- What does he mean?
- Much of the danger of internet-enabled monitoring lies in the merging of different silos of information:
  - Grocery store customer loyalty program data sold to advertisers
  - Purchase history linked with social media accounts (Facebook, Twitter)
  - Social media accounts linked to other online activities (web trackers)
  - …
  - Advertisers send a coupon to your home address with coupons to purchase diapers – surprise, we know you're pregnant!
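To make the "database correlation" point concrete, here is an added example in Python (written for this page, not part of the lecture): two constructed data silos that each look harmless on their own, a join across them that infers a sensitive attribute and where the person lives, and then the defensive counterpart, a per-silo keyed-hash pseudonym that stops the two silos from being joined. All e-mails, names, addresses and secrets are constructed sample values.

```python
"""Added example: Saltzer's "privacy is a database correlation problem",
shown as a join across two constructed silos, plus the per-silo
pseudonymisation that blocks the join. Not code from the lecture."""
import hashlib
import hmac
from collections import defaultdict

# Constructed silo 1: a grocery loyalty programme, purchases keyed by e-mail.
LOYALTY_PURCHASES = [
    ("ada@example.com", "diapers"),
    ("ada@example.com", "prenatal vitamins"),
    ("bob@example.com", "coffee"),
    ("cy@example.com", "diapers"),
]

# Constructed silo 2: a social-media profile store keyed by the SAME e-mail.
SOCIAL_PROFILES = {
    "ada@example.com": {"name": "Ada", "home_address": "1 Main St"},
    "bob@example.com": {"name": "Bob", "home_address": "2 Oak Ave"},
}

# Items whose purchase reveals a sensitive attribute (pregnancy / new parent).
SENSITIVE_ITEMS = {"diapers", "prenatal vitamins"}


def correlate(purchases, profiles):
    """Join the two silos on their shared key.

    Returns {email: {"name", "home_address", "items"}} for every person whose
    purchases reveal a sensitive attribute AND who can be located through the
    other silo. Neither silo alone yields this; the join does.
    """
    items_by_key = defaultdict(set)
    for key, item in purchases:
        items_by_key[key].add(item)
    hits = {}
    for key, items in items_by_key.items():
        if items & SENSITIVE_ITEMS and key in profiles:
            hits[key] = {**profiles[key], "items": sorted(items)}
    return hits


def pseudonymize(email, silo_secret):
    """Replace the raw join key with an HMAC-SHA256 pseudonym.

    Each silo must use its own secret: the same e-mail then maps to different,
    unlinkable pseudonyms in different silos. An unkeyed hash would not help,
    because both silos would compute the identical digest and the join would
    still succeed.
    """
    return hmac.new(silo_secret, email.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize_silos(purchases, profiles, loyalty_secret, social_secret):
    """Return both silos re-keyed with (ideally distinct) per-silo secrets."""
    p = [(pseudonymize(e, loyalty_secret), item) for e, item in purchases]
    s = {pseudonymize(e, social_secret): v for e, v in profiles.items()}
    return p, s


if __name__ == "__main__":
    # Raw silos: the join reveals Ada's pregnancy and her home address.
    print(correlate(LOYALTY_PURCHASES, SOCIAL_PROFILES))
    # Distinct per-silo secrets: the join finds nothing.
    p, s = pseudonymize_silos(LOYALTY_PURCHASES, SOCIAL_PROFILES, b"loyalty-secret", b"social-secret")
    print(correlate(p, s))
    # A shared secret re-enables the correlation, which is why it must not be shared.
    p, s = pseudonymize_silos(LOYALTY_PURCHASES, SOCIAL_PROFILES, b"shared", b"shared")
    print(len(correlate(p, s)))
```

The point of the last two calls is that "hashing the e-mail" is not by itself a mitigation: only a key that is private to each silo turns the shared identifier into something that cannot be correlated across organisations.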
- If people value privacy so much, why do they put so much personal information on social media?
- I'm not bringing all this up to say "You have zero privacy anyway. Get over it" (an actual quote from the former CEO of Sun)
- Much of this fight will be fought by you, when you go on to take jobs. The decisions we make about privacy today will set the precedent for future generations.
- Choose to think about the long-term consequences of data collection and mining.
  - Not always bad! The functionality of information technology is a great boon. It just needs to be done responsibly.
- Free market: it's your choice how much info to give away
  - Privacy as a negative right
- Consumer protection: people don't understand the implications, and consumers can't negotiate terms with a business
  - Privacy as a positive right
- An ice cream store offers you a free cone on your birthday.
- The government buys or subpoenas this birthday list from the store to find men who haven't registered with the Selective Service.
- How would you view this incident from a free market approach vs. a consumer protection approach? Which one do you agree with more?
  - Would your opinion change if it was genetic information sold by ancestry.com or 23andme?
- Government policy has a significant impact on individual privacy
- Government must balance competing desires:
  - Desire to be left alone and free from surveillance
  - Desire for safety and security
- Different governments balance these desires differently.
- A 2007 study by Privacy International found eight countries that were rated as 'endemic surveillance societies':
  - China, Malaysia, Russia, Singapore, UK, Taiwan, Thailand and U.S.A.
- Who here supports (by the government):
  - "expanded camera surveillance on streets and in public places"
  - "law enforcement monitoring of Internet discussions in chat rooms and other forums"
  - "closer monitoring of banking and credit card transactions to trace funding sources"
  - "expanded governmental monitoring of cell phones and emails to intercept communications"
- National security concerns significantly outweighed privacy concerns after the 9/11 attacks. A 2006 poll showed that:
  - 70% of Americans supported expanded camera surveillance
  - 62% supported law enforcement monitoring of Internet discussions
  - 61% supported closer monitoring of banking and credit card transactions
  - 52% supported expanded governmental monitoring of cell phones and emails
- Information collection: activities that gather personal information
- Information processing: activities that store, manipulate, and use personal information that has been collected
- Information dissemination: activities that spread personal information
- Invasion: activities that intrude upon a person's daily life, interrupt someone's solitude, or interfere with decision-making
- Information collection safeguards:
  - Employee Polygraph Protection Act: prohibits employers from using lie detectors
  - Children's Online Privacy Protection Act: online services must gain parental consent before collecting info on children < 12 years old
  - Genetic Information Non-discrimination Act: employers and health insurance companies can't take genes into account
- Infringements:
  - Census records (required to ensure fair representation in Congress; also used to find draft resisters and Japanese Americans in WW2)
  - IRS records: require a lot of deeply personal information
  - CCTV cameras (more than 30 million in the US)
- Information processing:
  - IRS uses data mining to look for income tax fraud
  - Syndromic surveillance system: a data mining system that searches for patterns indicating the outbreak of an epidemic or bioterrorism (911 calls, Internet searches)
  - Predictive policing: law enforcement using data mining to determine areas that are likely to require additional policing
- Information dissemination related policy:
  - FERPA: students are allowed to review educational records, request changes to erroneous records and prevent release of records without permission
  - HIPAA: limits how medical institutions can share and use medical info
  - Freedom of Information Act: ensures the public has access to records of the executive branch of the U.S. gov't
- Invasion safeguards:
  - National Do Not Call Registry: prevents telemarketers from calling numbers in the registry
  - Advanced Imaging Technology Scanners: original TSA scanners revealed highly accurate anatomical features. New machines show generic outlines.
- Homeland Security is developing the Biometric Optical Surveillance System (BOSS). Its purpose is to use ubiquitous public video cameras to scan crowds and identify persons of interest with 80-90% accuracy. It has been used in Iraq and Afghanistan to identify potential suicide bombers. Now, local police departments want to implement it in the U.S.
- In groups of 2-4, discuss whether you support the development and implementation of BOSS.
- What does the metaphor of "1984" / Big Brother mean to you?
- Neal Stephenson talk at the Computers, Freedom and Privacy conference: Big Brother vs. domination systems

  Big Brother        Domination Systems
  One threat         Many threats
  All-encompassing   Has edges
  Abstract           Concrete
  Centralized        Networked
  Irredeemable       Redeemable

- Interesting things happen at the edges (e.g., the government vs. Apple in the San Bernardino case)
- US/EU airline conflict
  - US requires info on all international passengers arriving in the US
  - EU allows access to info on a case-by-case basis, based on suspicion.
  - Airlines handing over this data for EU citizens would be breaking EU law
- Compromise?
  - US reduces the amount of data requested and provides assurances on how data will be used
  - A 2014 EU review found that the U.S. DHS was not in compliance: it reviews records without probable cause
- In 2000, the U.S./EU agreed on a "safe harbor" policy
  - Companies outside the EU that agree to the EU's privacy practices may receive data on EU citizens
  - Ruled to be insufficient by an EU court
- 2016: "Privacy Shield"
  - Requires certification (safe harbor was self-certification)
  - Requires review (external audit or self review)
  - If an EU controller transfers data to a US Privacy Shield org, both parties must enter a written contract
- In 2018, the EU enacted the "General Data Protection Regulation" (GDPR)
- The GDPR has specific requirements regarding the transfer of data out of the EU to countries not deemed to have adequate data protection laws. The EU does not list the US as one of the countries that meets this requirement.
- Privacy Shield allows US companies, or EU companies working with US companies, to meet this requirement of the GDPR.
- Social Security Numbers (SSNs) started off just as a way to track social security contributions
  - Usage spread to other parts of gov't
  - Now often used as both identifiers and passwords
- But: bad identifiers because not unique
  - In the early days, some people were accidentally assigned the same SSN because numbers were assigned by local governments
- SSNs aren't secure
  - Not random: the first three digits indicate where you were born, the next two indicate age, the last four are random
  - Don't have a checksum or other error correction, so fraudulent SSNs are easy to guess
- Federal standards for driver's licenses
  - More documents needed to get your license
  - Must be machine readable
  - Will probably include a biometric
- Will be needed to fly on a plane, open a bank account, or use government services
- Passed in 2005. Some states have been slower to approve it than others; the TSA pushed back the implementation deadline to 2020
- In groups of 2-4, come up with a compelling argument for why national ID cards are good or bad.
- One to two people from each group will come up and present their argument.
- Pros:
  - Currently, we have no great mechanism for identifying residents
  - Would make it difficult for people to enter the country illegally and for those people to find work
  - Could reduce crime
  - Many democratic countries use them (e.g., France, Spain, Germany)
- Cons:
  - Can be forged; impossible to make a 100% accurate biometric
  - No evidence that it reduces crime
  - Shifts burden from police (need a reason to confront citizens) to citizen (need a reason to explain presence)
  - Makes it easier for the government to data mine citizens
- What special responsibilities do computer professionals have with respect to understanding and protecting the privacy rights of their fellow citizens?