Privacy • Prepared by: Behrang Parhizkar • hani.parhizkar@nottingham.edu.my
Privacy Protection • Privacy • Key concern of Internet users • Top reason why nonusers still avoid the Internet • Being able to keep certain information to ourselves and to control what happens to our personal information
Privacy Issues • Anytime you submit information on the Internet, it is possible for it to be gathered by many individuals and used for various situations. Information can also be gathered from online data regarding: • School • Banking • Hospitals • Insurance • Credit History, etc. • If a company provides you with e-mail, the information you send is available to the company. The company can also monitor Internet logs to determine web sites that have been visited.
Privacy Protection and the Law • Systems collect and store key data from every interaction with customers. • Many object to data collection policies of government and business. • Reasonable limits must be set • Historical perspective on the right to privacy • Fourth Amendment - reasonable expectation of privacy
The Right of Privacy • Definition • “The right to be left alone—the most comprehensive of rights, and the right most valued by a free people” • “The right of individuals to control the collection and use of information about themselves”
The Right of Privacy • Legal aspects • Protection from unreasonable intrusion upon one’s isolation • Protection from appropriation of one’s name or likeness
Summary of the 1980 OECD Privacy Principles Organization for Economic Cooperation and Development
Legal Overview: The Privacy Act • Secure Flight airline safety program (2009) • Compares the names and information of 1.4 million daily U.S. airline passengers with data on known or suspected terrorists. • Is the latest proposed government system for running database checks on Americans who travel by air. • Secure Flight will match passenger information against blacklists maintained by the federal government. • Violation of Privacy Act
Governmental Electronic Surveillance • Judge must issue a court order based on probable cause • Judges almost never deny government requests • Federal Wiretap Act • Outlines processes to obtain court authorization for surveillance of all kinds of electronic communications • “Roving tap” authority • Does not name specific telephone lines or e-mail accounts • Gets access to all accounts that are tied to a specific person
Governmental Electronic Surveillance • Electronic Communications Privacy Act of 1986 (ECPA) • Sets standards for access to stored e-mail and other electronic communications and records. • Prosecutor does not have to justify requests • Judges are required to approve every request • Highly controversial • Especially collection of computer data sent over the Internet
Governmental Electronic Surveillance • Foreign Intelligence Surveillance Act of 1978 (FISA) • Allows wiretapping of aliens and citizens in the United States • Against FBI, CIA & NSA for some illegal surveillance • Based on finding of probable cause that a target is • Member of a foreign terrorist group • Agent of a foreign power • Executive Order 12333 • Legal authority for electronic surveillance outside the United States
Governmental Electronic Surveillance • Communications Assistance for Law Enforcement Act (CALEA) • Requires the telecommunications industry to build tools into its products so that federal investigators can eavesdrop on conversations • After getting court approval • Contains a provision covering radio-based data communication • Includes voice over Internet (VoIP) technology
Governmental Electronic Surveillance • USA Patriot Act of 2001 • Gives sweeping new powers to • Domestic law enforcement against terrorism • International intelligence agencies
Identity Theft • Theft of key pieces of personal information to gain access to a person’s financial accounts • Information includes: • Name • Address • Date of birth • Social Security number • Passport number • Driver’s license number • Mother’s maiden name
Identity Theft • Fastest growing form of fraud in the United States • Lack of initiative in informing people whose data was stolen • Phishing • Attempt to steal personal identity data • By tricking users into entering information on a counterfeit Web site • Spear-phishing - a variation in which employees are sent phony e-mails that look like they came from high-level executives within their organization • https://www.chase.com/index.jsp?pg_name=ccpmapp/privacy_security/fraud/page/fraud_examples
Phishing and privacy • For a demonstration of how a real phishing scheme works, visit www.identitytheftsecrets.com • The Privacy Rights Clearinghouse (PRC) is warning consumers about another form of fraud that can happen when online users reply to phishing emails. • The personal information they provide might be used to register web site domains that bilk unwitting online users out of funds they believe are being used for legitimate transactions.
Identity Theft • Spyware • Keystroke-logging software • Enables the capture of: • Account usernames • Passwords • Credit card numbers • Other sensitive information • Operates even if an infected computer is not connected to the Internet • Identity Theft and Assumption Deterrence Act of 1998 was passed to fight fraud
Top 5 Examples Of Spyware • CoolWebSearch: based on bugs in IE • Internet Optimizer (DyFuCa) • Zango • Transmits detailed information to advertisers about the Web sites you visit • HuntBar (WinTools) • Appears as an ActiveX message pop-up; once installed, steals information • Zlob trojan • Downloads itself onto your PC via ActiveX
Consumer Profiling • Companies openly collect personal information about Internet users • Cookies • Text files that a Web site puts on a user’s hard drive so that it can remember the information later • Tracking software • Similar methods are used outside the Web environment • Databases contain a huge amount of consumer behavioral data
Cookies • The web site might offer you products or ads tailored to your interests, based on the contents of the cookie data. • Some, called third-party cookies, communicate data about you to an advertising clearinghouse which in turn shares that data with other online marketers.
Consumer Profiling • Affiliated Web sites • Group of Web sites served by a single advertising network • Customized service for each consumer • Types of data collected while surfing the Web • GET data • POST data • Click-stream data
Consumer Profiling • Four ways to limit or even stop the deposit of cookies on hard drives • Set the browser to limit or stop cookies • Manually delete them from the hard drive • Download and install a cookie-management program • Use anonymous browsing programs that don’t accept cookies • Cookie Monster 3.47
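The effect of the browser cookie settings above on third-party cookies and affiliated Web sites, as an added JavaScript sketch that is not part of the original slides. The host names, the `Browser`, `ContentSite` and `AdNetwork` classes and the `simulate` function are constructed for illustration, and hosts are compared exactly where real browsers compare registrable domains.

```javascript
// Added illustration: toy browser cookie jar plus a toy advertising network.
// Host names are constructed (.example); class and function names are hypothetical.
class Browser {
  // policy: "accept-all" | "block-third-party" | "block-all"
  constructor(policy) {
    this.policy = policy;
    this.jar = new Map(); // cookie host -> stored cookie value
  }

  // Simplification: real browsers compare registrable domains, not exact hosts.
  allows(cookieHost, pageHost) {
    if (this.policy === "block-all") return false;
    if (this.policy === "block-third-party") return cookieHost === pageHost;
    return true;
  }

  // Load a page and each resource it embeds. Every server receives the cookie
  // stored for its own host (if policy allows) and the referring page URL.
  visit(pageHost, path, servers, embeds) {
    for (const host of [pageHost, ...embeds]) {
      const ok = this.allows(host, pageHost);
      const request = {
        cookie: ok ? this.jar.get(host) : undefined,
        referer: `https://${pageHost}${path}`,
      };
      const setCookie = servers[host].handle(request);
      if (setCookie && ok) this.jar.set(host, setCookie);
    }
  }
}

class ContentSite {
  handle() { return undefined; } // sets no cookie in this sketch
}

class AdNetwork {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // visitor id -> pages seen under that id
  }
  handle(request) {
    // A returned cookie re-identifies the visitor; otherwise mint a new id.
    const id = request.cookie || `uid-${this.nextId++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(request.referer);
    return id; // value the network asks the browser to store
  }
}

function simulate(policy) {
  const ads = new AdNetwork();
  const servers = { "shop.example": new ContentSite(),
                    "news.example": new ContentSite(), "ads.example": ads };
  const browser = new Browser(policy);
  browser.visit("shop.example", "/hiking-boots", servers, ["ads.example"]);
  browser.visit("news.example", "/health/article-17", servers, ["ads.example"]);
  browser.visit("shop.example", "/tents", servers, ["ads.example"]);
  const sizes = [...ads.profiles.values()].map((pages) => pages.length);
  return { identifiers: ads.profiles.size,       // distinct visitors the network sees
           longestProfile: Math.max(...sizes),   // pages linked to one identifier
           cookiesStored: browser.jar.size };
}

for (const policy of ["accept-all", "block-third-party", "block-all"]) {
  console.log(policy, simulate(policy));
}
```

With cookies accepted, the network ties all three page views on two different sites to one identifier; with third-party cookies blocked it still receives each request and its referring page, but sees three unrelated visitors.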
Consumer Profiling • Platform for Privacy Preferences (P3P) • Is a protocol allowing websites to declare their intended use of information they collect about web browser users
Privacy in Workplace • Employers will have access to personal information about employees and this information may be sensitive and employees may wish to keep this information private. This means that employers will need to think about the way in which they collect, use and disclose information they obtain from employees.
Privacy in Workplace • It is good privacy practice that the employer tell the employee why they are collecting the information and who the employer might pass that information on to. • Best practice: • employers allow employees to access personal information about themselves which is held by their employer.
Workplace Monitoring • Privacy advocates want federal legislation • To keep employers from infringing upon privacy rights of employees • Employers monitor workers • Ensures that corporate IT usage policy is followed • Fourth Amendment cannot be used to limit how a private employer treats its employees • Public-sector employees have far greater privacy rights than in the private industry
Advanced Surveillance Technology • Camera surveillance • U.S. cities plan to expand surveillance systems • “Smart surveillance system” • Facial recognition software • Identifies criminal suspects and other undesirable characters • Yields mixed results • Global Positioning System (GPS) chips • Placed in many devices • Precisely locate users
Privacy Protection: Ten guidelines • Remove personally identifiable data from storage media • Store an identical copy of any evidentiary media given to law enforcement • Limit search to goal of investigation • Handle time-stamped events in strictest confidence • On networks, packet acknowledgement should be via the use of tokens rather than IP addresses
Privacy Protection: Ten guidelines • Safe storage of all internal logs • Preservation of event logs in external nodes • Put policies in place for actionable items related to attacks • Put policies in place for safeguarding backed up data related to an investigation • Handle disposal of sensitive data in a secure manner
Can online services track and record my activity? • Yes. Many people expect that their online activities are anonymous. They are not. It is possible to record virtually all online activities • This information can be collected by a subscriber's own ISP and by web site operators.
DATA PROFILING • As we make our way through everyday life, data is collected from each of us, frequently without our consent and often without our realization. • We pay our bills with credit cards and leave a data trail consisting of purchase amount, purchase type, date, and time. • Data is collected when we pay by check. • Our use of supermarket discount cards creates a comprehensive database of everything we buy. • When our car, equipped with a radio transponder, passes through an electronic toll booth, our account is debited and a record is created of the location, date, time, and account identification. • We leave a significant data trail when we surf the Internet and visit websites. • When we subscribe to a magazine, sign up for a book or music club, join a professional association, fill out a warranty card, give money to charities, donate to a political candidate, tithe to our church or synagogue, invest in mutual funds, when we make a telephone call, when we interact with a government agency: with all of these transactions we leave a data trail that is stored in a computer.
Browsers • It's important to be aware of the information transmitted to remote computers by the software you use to browse web sites. The major browsers are Netscape Navigator and Microsoft Internet Explorer. Internet Explorer has P3P (Platform for Privacy Preferences). • Most web browsers invisibly provide web site operators with information about your ISP as well as information about other web sites you have visited. Some web browsers, particularly if they have not been updated with security fixes, may be tricked into reporting the user's default e-mail address, phone number, and other information in the "address book" if the browser also handles your e-mail.
Privacy policies and web seals • The Federal Trade Commission urges commercial web site operators to spell out their information collection practices in privacy policies posted on their web sites. Most commercial web sites now post policies about their information-collection practices. Look for a privacy "seal of approval," such as TRUSTe (www.truste.org), on the first page of the web site. TRUSTe participants agree to post their privacy policies and submit to audits of their privacy practices in order to display the logo. • Other seals of approval are offered by the Council of Better Business Bureaus (BBB), www.bbbonline.org, the American Institute of Certified Public Accountants, WebTrust, www.cpawebtrust.org, and the Entertainment Software Rating Board, www.esrb.org/privacy. • Workplace monitoring. Individuals who access the Internet from work should know that employers are increasingly monitoring the Internet sites that an employee visits. Be sure to inquire about your employer's online privacy policy.
Can an online service access information stored in my computer without my knowledge? • Yes. Many of the commercial online services such as AOL automatically download graphics and program upgrades to the user's home computer. • Companies typically explain that they collect information such as users' hardware, software and usage patterns to provide better customer service. • It is difficult to detect these types of intrusions. You should be aware of this potential privacy abuse and investigate new services thoroughly before signing on. • Always read the privacy policy and the service agreement of any online service you intend to use.
What about cybercafes, airports, and other publicly-available Internet terminals? • You should avoid using public terminals to access your bank account, check your credit card statement, pay bills, or access any other personally or financially sensitive information. • Publicly-available Internet terminals are not likely to be closely supervised to ensure online privacy and security. They are used by many individuals every day. • Find out if they have installed a program that clears Internet caches, deletes cookies, erases surfing history, and removes temporary files.
What can I do to protect my privacy in cyberspace? • Change your passwords. • Look for the privacy policy of the online services you use. Most Internet Service Providers (ISP) have adopted privacy policies that they post on their web sites and other user documentation. When you surf the web, look for the privacy policies posted on the web sites you visit. Also look for a privacy "seal" such as TRUSTe or BBBOnline. • Check your browser's cookie settings. You may accept or reject all cookies, or you may allow only those cookies generated by the website you are visiting. You may want to set a security level for trusted websites while blocking cookie activity for all others. • Shop around. Investigate new services before using them. Post a question about a new service in a dependable forum or newsgroup. Use a search engine such as http://groups.google.com to find archived discussions and newsgroup postings about the service that you are considering. • Don’t post private content on social networks. • Don’t use location-based social network applications for all of your individual work.
Notes of Caution… • Assume that your online communications are not private unless you use encryption software. But most encryption programs are not user-friendly and can be inconvenient to use. If you do not use encryption, at least take the following precautions: Do not provide sensitive personal information (phone number, password, address, credit card number, Social Security number, your health information, date of birth, vacation dates, etc.) in chat rooms, forum postings, e-mail messages, or in your online biography. • Be cautious of "start-up" software that registers you as a product user and makes an initial connection to the service for you. Typically, these programs require you to provide financial account data or other personal information, and then upload this information automatically to the service. These programs may be able to access records in your computer without your knowledge. Contact the service for alternative subscription methods. • Use a pseudonym and a non-descriptive e-mail address when you participate in public forums. Consider obtaining an e-mail address from one of the free web-based e-mail services such as www.hotmail.com or www.yahoo.com
Notes of Caution… • The "delete" command does not make your e-mail messages disappear. They can still be retrieved from back-up systems. Software utility programs can retrieve deleted messages from your hard drive. If you are concerned about permanently deleting messages and other files on your program, you should use a file erasing program such as the freeware program at http://cleanup.stevengould.org or the cleanup features of general utility software such as Norton's (http://www.symantec.com/sabu/ncs/) CleanSweep. • Your online biography, if you create one, may be searched system-wide or remotely "fingered" by anyone. If for any reason you need to safeguard your identity, don't create an online "bio." Ask the system operator of your ISP to remove you from its online directory. • If you publish information on a personal web page, note that marketers and others may collect your address, phone number, e-mail address and other information that you provide. If you are concerned about your personal privacy, be discreet in your personal web site • Be aware that online activities leave electronic footprints for others to see. Your own ISP can determine what search engine terms you use, what web sites you visit, and the dates, times, and durations of your online sessions. Web site operators can often track the activities you engage in by placing "cookies" on your computer. They can learn additional information if they ask you to register on their site. Your web browser also can transmit information to web sites.
Your Policy for Online Obtaining Information • If you obtain personally identifiable information through online application forms, online surveys, interest lists, inquiry forms, and e-mail subscription forms, your policy must also describe what you use that information for, how long it is retained, how it can be updated or removed, and how it is protected from illegitimate access. • Your policy should explain who will have access to any information that is collected such as your web site administrator, organization staff, and board members. • The policy should explain if information is shared with third parties or other members and for what purpose or under what circumstances.
Privacy issues of Social Networks • “If you feel like someone is watching you, you're right. If you're worried about this, you have plenty of company. If you're not doing anything about this anxiety, you’re just like almost everyone else.” (Bob Sullivan, 2011) • Every minute of the day: • 100,000 tweets are sent • 684,478 pieces of content are shared on Facebook • 2 million search queries are made on Google • 48 hours of video are uploaded to YouTube • 47,000 apps are downloaded from the App Store • 3,600 photos are shared on Instagram • 571 websites are created • $272,000 is spent by consumers online (Source: AllTwitter) (Source: thesocialskinny.com)
Types of Social Networks • Posting content such as pictures and videos raises new privacy concerns, because their context reveals details about the physical and social context of the subject. • ‘If you’re using Gmail or Yahoo mail or Flickr or YouTube or belong to Facebook … you’ve given up complete control of your personal information’
Few cases … • Certain pictures or videos shared online have cost a number of people their jobs or ruined their job opportunities. • There are no rules or regulations to protect individuals from accidentally having an embarrassing photo or video taken of them and then posted on the web for others to see. • Adults are concerned about invasion of privacy, while teens freely give up personal information. This occurs because often teens are not aware of the public nature of the Internet. • More info: http://social-networks-privacy.wikidot.com/
Privacy issues on Facebook • Facebook has met criticism on a range of issues, including online privacy, child safety and hate speech. • You create a "Connection" to most of the things that you click a "Like button" for, and Facebook will treat those relationships as public information. • If you Like a Page on Facebook, that creates a public connection. • If you Like a movie or restaurant on a non-Facebook website (and if that site is using Facebook's OpenGraph system), that creates a public connection
Even More Serious Case • In August 2007, the code used to generate Facebook's home and search page as visitors browse the site was accidentally made public, according to leading Internet news sites. • In November 2009, Facebook launched Beacon, a system where third-party websites could include a script by Facebook on their sites, and use it to send information about the actions of Facebook users on their site to Facebook, prompting serious privacy concerns. • In June 2011 Facebook enabled an automatic facial recognition feature called "Tag Suggestions". The feature compares newly uploaded photographs to those of the uploader's Facebook friends, in order to suggest photo tags. • Facebook has defended the feature, saying users can disable it. European Union data-protection regulators said they would investigate the feature to see if it violated privacy rules.