
Privacy in a Digital World

Feb 25, 2016


Zada

Transcript
Page 1: Privacy in a  Digital World

Privacy in a Digital World

CSCI327 Privacy, Part One

Page 2: Privacy in a  Digital World

Why should I even care about Privacy?

Why I should not care about privacy:

- I am not doing anything wrong. I have nothing to hide.
- It's just too hard to change all those default privacy settings.
- I am safe with all these other zebras. That lion will not attack me.

Why you should care about privacy:

- I would not give a company a blank check to do whatever they want with my money. Why should I let them take my information?
- Bi-Lo and my ice cream eating habits:
  - Sell that info to Byers. Hence, more annoying advertising.
  - Sell that info to Blue Cross, hence a higher insurance premium.
  - Give that info to Police. The serial killer appears to be fat, so tell us everyone that eats lots of junk food in this town so we can get warrants to search their houses.

Page 3: Privacy in a  Digital World

Initial Questions

Is privacy a right?

- inalienable right? e.g. life, liberty, pursuit of happiness
- legal (civil) right? e.g. right to vote, no taxation without representation
- not a right

What do privacy rights have to do with computing?

Page 4: Privacy in a  Digital World

Digital Privacy in the News

Warrant Needed for GPS Tracking, High Court Says

By JESSE J. HOLLAND and PETE YOST Associated Press WASHINGTON January 23, 2012 (AP)

In a rare defeat for law enforcement, the Supreme Court unanimously agreed on Monday to bar police from installing GPS technology to track suspects without first getting a judge's approval. The justices made clear it wouldn't be their final word on increasingly advanced high-tech surveillance of Americans.

Indicating they will be monitoring the growing use of such technology, five justices said they could see constitutional and privacy problems with police using many kinds of electronic surveillance for long-term tracking of citizens' movements without warrants.

While the justices differed on legal rationales, their unanimous outcome was an unusual setback for government and police agencies grown accustomed to being given leeway in investigations in post-Sept. 11 America, including by the Supreme Court. The views of at least the five justices raised the possibility of new hurdles down the road for police who want to use high-tech surveillance of suspects, including various types of GPS technology.

Page 5: Privacy in a  Digital World

Digital Privacy in the News

Yahoo, Like Google, Demands Warrants for User E-Mail

www.wired.com, by David Kravets, January 25, 2013

Yahoo demands probable-cause, court-issued warrants to divulge the content of messages inside its popular consumer e-mail brands — Yahoo and Ymail, the web giant said Friday.

The Sunnyvale, California-based internet concern’s exclusive comments came two days after Google revealed to Wired that it demands probable-cause warrants to turn over consumer content stored in its popular Gmail and cloud-storage Google Drive services — despite the Electronic Communications Privacy Act not always requiring warrants.

“Yes, we require a probable cause warrant for e-mail content,” said Yahoo spokeswoman Lauren Armstrong, in an e-mail interview. “That is more than ECPA requires.”

The nation’s other major consumer-facing e-mail provider — Microsoft — which markets the Hotmail and Outlook brands, declined comment for this story.

In short, Yahoo and Google are granting their customers more privacy than the four corners of the ECPA. There’s been a string of conflicting court opinions on whether warrants are required for data stored on third-party servers longer than 180 days.

The Supreme Court has never ruled on the issue. Federal and state law enforcement officials are seemingly abiding by Yahoo’s and Google’s own rules to avoid a showdown before the Supreme Court.

Page 6: Privacy in a  Digital World

Digital Privacy in the News

U.S. Relaxes Some Data Disclosure Rules

www.nytimes.com -- by Matt Apuzzo and Nicole Perlroth -- Jan 27, 2014

WASHINGTON — The Obama administration says it will allow Internet companies to give customers a better idea of how often the government demands their information, but will not allow companies to disclose what is being collected or how much.

The new rules — which have prompted Google, Microsoft, Yahoo and Facebook to drop their respective lawsuits before the nation’s secret surveillance court — also contain a provision that bars start-ups from revealing information about government requests for two years.

The companies’ dispute began last year after a former government contractor, Edward J. Snowden, revealed that F.B.I. and National Security Agency surveillance programs rely heavily on data from United States email providers, video chat services and social networking companies.

Sometimes, F.B.I. agents demand data with administrative subpoenas known as national security letters. Other times, the Justice Department makes the demand under the authority of the surveillance court but without a specific warrant. Either way, the justification is typically secret and companies are prohibited from saying much.

The companies wanted to be able to say how many times they received court orders, known as FISA orders, for the Foreign Intelligence Surveillance Act. The government opposed that.

Companies say that has hurt their businesses. Forrester Research projected the fallout from Mr. Snowden’s disclosures could cost the so-called cloud computing industry as much as $180 billion — a quarter of its revenue — by 2016.

Page 7: Privacy in a  Digital World

Security gaps still exist 4 months after S.C. data breach

The Greenville News -- February 27, 2013

COLUMBIA, S.C. — Four months after a massive data breach at the South Carolina Department of Revenue exposed millions of state taxpayers to identity theft, state government's response to the hacking is incomplete and uncertain. Full encryption of the department's data files is months away from being finished, … And nervous taxpayers who have had 3.8 million Social Security numbers, 3.3 million bank account numbers and information for nearly 700,000 businesses stolen have no assurance that the credit monitoring service offered to them free last year in response to the breach will continue after a year.

Home Depot facing dozens of data breach lawsuits

Forbes.com -- by John Kell -- November 25, 2014

Home Depot is facing at least 44 lawsuits related to a data breach at the home-improvement retailer that involved the theft of payment card information and customer e-mail addresses. The retailer warned it was facing dozens of civil lawsuits in the U.S. and Canada, according to a filing with the Securities and Exchange Commission, as well as investigations by a number of state and federal agencies.

Page 8: Privacy in a  Digital World

Locations of secret US military bases revealed through jogging app

Posted Jan 28, 2018, 6:30 PM
By The Washington Post

BEIRUT - An interactive map posted on the internet that shows the whereabouts of people who use fitness devices such as Fitbit also reveals highly sensitive information about the location and activities of soldiers at U.S. military bases, in what appears to be a major security oversight.

The Global Heat Map, published by the GPS tracking company Strava, uses satellite information to map the location and movements of subscribers to the company's fitness service over a two-year period, by illuminating areas of activity.

In warzones and deserts such as Iraq and Syria, the heatmap becomes almost entirely dark - except for a few scattered pinpricks of activity. Zooming in on those brings into focus the locations and outlines of known U.S. military bases, as well as of other unknown and potentially sensitive sites - presumably because U.S. soldiers and other personnel are using fitness trackers as they move around.

But the data also offers a mine of information to anyone who wanted to attack or ambush U.S. troops in or around the bases, including patterns of activity inside the bases. Lines of activity extending out of bases and back may indicate the routes of patrols. The map of Afghanistan appears as a spiderweb of lines connecting bases, showing supply routes, as does northeast Syria, where the United States maintains a network of mostly unpublicized bases. Concentrations of light inside a base may indicate where concentrations of troops live, eat or work, suggesting possible targets for enemies who wished to target the base.

Page 9: Privacy in a  Digital World

ChoicePoint to pay $15M to settle charges

The data warehouser will settle charges that it failed to protect consumers' personal financial information, the FTC says.

www.cnn.com - January 26, 2006

WASHINGTON (Reuters) - ChoicePoint Inc. has agreed to pay $15 million to settle charges that it failed to adequately protect consumers' personal financial information, the Federal Trade Commission said Thursday.

The company has agreed to pay a $10 million civil penalty, provide $5 million to compensate consumers, and take steps to better safeguard personal information so it is used only for legitimate purposes, the agency said.

The company last year admitted that more than 163,000 personal records had been compromised, the agency said.

The FTC charged ChoicePoint illegally gave credit histories to people who were not authorized to obtain them and failed to have reasonable procedures to verify the identities of those who requested the information and how the data was to be used.

The company also made false and misleading statements about its privacy policies, the FTC charged.

A representative for the company was not immediately available for comment.

Page 10: Privacy in a  Digital World

Types of Privacy

Freedom from Unwarranted Intrusion

Freedom from Interference in One's Personal Affairs

Control over the Flow of Personal Information

Page 11: Privacy in a  Digital World

Tech's Impact on Privacy

duration of data storage

variety of data that can be shared

amount of data gathered

speed of data movement

Page 12: Privacy in a  Digital World

Is online shopping different from in-store shopping?

Q: Does shopping online at home give you more or less privacy?

- more privacy - your neighbors will not see you there
- less privacy - online shopping gives the company much more info about you

Q: Is the data the company gathers different?

- online, they know every item you looked at, how long you spent looking, etc.

Page 13: Privacy in a  Digital World

Sources of Personal Data

- web cookies
- social media
- phone book
- public records
- credit card statements
- rewards programs
- spyware
- TiVo
- RFID
- …

Page 14: Privacy in a  Digital World

Data Mining

definition: analyzing large data sets to discover patterns and relationships

usually used for prediction

example:

- company XYZ operates toll booths and collects data about which car IDs pass and when
- company ABC buys XYZ's data and data from credit card companies. ABC now knows the addresses of frequent drivers along with credit limits
- ABC sells this secondary data to banks: "We see that your car has 100,000 miles. Need a car loan?"

Page 15: Privacy in a  Digital World

Info Security

How safe is that cookie data?

Example: Toysmart.com

- privacy statement said that the personal info of users would not be sold or exchanged
- the company went bankrupt in 2000
- Toysmart sold its assets, including the customer database

Page 16: Privacy in a  Digital World

DoubleClick.com

- DoubleClick.com gathers data from cookies from banners placed on a large number of web sites
- DC can cross-reference data to build profiles of individual users
- cookie data can be used to manage which ads individuals see and how many times the ads are seen. For example, using frequency capping, as I surf from website to website they can make sure I only see the same car ad 10 times per day
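The slide above describes two things one third-party cookie makes possible: a cross-site profile and a per-day frequency cap. The sketch below is an added example, not code from the lecture or from DoubleClick; the `AdServer` class, the site names, the ad names and the date are all constructed for illustration.

```python
from collections import defaultdict

DAILY_CAP = 10  # the slide's figure: the same ad at most 10 times per day


class AdServer:
    """Toy third-party ad server (hypothetical model, not DoubleClick's code)."""

    def __init__(self, ads):
        self.ads = ads                      # ad ids in priority order
        self.next_id = 1
        self.shown = defaultdict(int)       # (cookie, day, ad) -> impressions
        self.sites_seen = defaultdict(set)  # cookie -> sites embedding the banner

    def serve(self, cookie, site, day):
        """Handle one banner request; returns (cookie, ad or None)."""
        if cookie is None:                  # first request: issue a tracking id
            cookie = f"uid-{self.next_id}"
            self.next_id += 1
        # The browser returns the same cookie from every site that embeds the
        # banner, so the ad server accumulates the user's cross-site history.
        self.sites_seen[cookie].add(site)
        for ad in self.ads:
            if self.shown[(cookie, day, ad)] < DAILY_CAP:
                self.shown[(cookie, day, ad)] += 1
                return cookie, ad
        return cookie, None                 # every ad is capped for today

    def profile(self, cookie):
        """Sites on which this cookie has been observed."""
        return sorted(self.sites_seen[cookie])


def simulate():
    """Constructed session: one browser visiting three unrelated sites."""
    server = AdServer(ads=["car-ad", "shoe-ad"])
    cookie, served = None, []
    sites = ["news.example", "recipes.example", "health.example"]
    for i in range(12):
        cookie, ad = server.serve(cookie, sites[i % 3], day="2016-02-25")
        served.append(ad)
    return server, cookie, served
```

If the browser never returns the cookie (third-party cookies blocked), every request is issued a fresh id, so the cap cannot be enforced and no cross-site profile accumulates.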

Page 17: Privacy in a  Digital World

In 1999, DC announced that it planned to purchase Abacus Direct for $1.7B, a consumer database company containing the names, addresses, phone numbers, etc. of 90% of American households.

Google bought DC for $3.1B in cash in April 2007.

- Congress held hearings to investigate the privacy and monopoly implications of the merger
- Microsoft complained about this creating a monopoly