510 likes | 665 Views
Privacy. Chapter 5. Topics. The right to privacy – Laws and regulations Public records – the role of The Data Inspectorate - ’Datatilsynet’ (Norway) Public and Private Information Data collection Wiretapping and surveillance. Philosophical perspectives on privacy.
E N D
Privacy Chapter 5 Kirsten Ribu - MS008A - Ethics - Hio 2004
Topics • The right to privacy – Laws and regulations • Public records – the role of The Data Inspectorate - ’Datatilsynet’ (Norway) • Public and Private Information • Data collection • Wiretapping and surveillance Kirsten Ribu - MS008A - Ethics - Hio 2004
Philosophical perspectives on privacy • 5.2.1: Defining privacy: • Edmund Byrne: Privacy = ”a zone of inaccessibility” that surrounds a person • Example: Locking the door when you go to the toilet • You do not give away your identification number (perosonnummer) to everybody • Privacy is not the same as being alone: • Intellectual or personal relationships are for instance private • Harms: • Violence in the family • Too great a burden on the family to care for its members • Modern society: loneliness Kirsten Ribu - MS008A - Ethics - Hio 2004
Benefits • Privacy is neccessary for the individual growth and development • Development as a unique person • Fostering intellectual activities and creativity • Development of close relationships Kirsten Ribu - MS008A - Ethics - Hio 2004
What is private and what is public? • Public = known to all • Public information: information you have provided to an organisation that has a right to share it with other organisations • Example: Telephone directory • Personal information: not part of a public record • Example: Your religion, what you vote for • If you disclose it to an organisation with the right to inform other organisations, it becomes public information Kirsten Ribu - MS008A - Ethics - Hio 2004
Is there a Natural Right to Privacy? • 5.2.3: Privacy rights evolve from property rights • ”A man’s home is his castle” • No one can enter without probable cause (remember the discussion in class?) Kirsten Ribu - MS008A - Ethics - Hio 2004
Principles for data collection and use • The first principle for ethical treatment of personal information is informed consent: • Business and organisations must inform about what information they are collecting and how they will use it • Give people a choice whether data collected about them can be distributed to other businesses or organisations Kirsten Ribu - MS008A - Ethics - Hio 2004
Privacy principles for personal data • 1. Collect only data needed • Inform people when data is collected, what is collected and how it will be used • Offer a way for people to opt out from mailing lists and from transfer of their data to other parites • Provide stronger protection for sensitive data (example medical data, religion ….etc) • Keep data only so long as needed • Maintain accuracy and security of data • Provide a way for people to access and correct data stored about them Kirsten Ribu - MS008A - Ethics - Hio 2004
Laws and regulations • The Data Inspectorate • Personal Data Act – Norway • European law • US law – Privacy Act of 1974 Kirsten Ribu - MS008A - Ethics - Hio 2004
The Data Inspectorate • The Data Inspectorate, an independent administrative body under the Norwegian Ministry of Labour and Government Administration, was set up in 1980 to ensure enforcement of the Data Register Act of 1978, now made obsolete by the commencement of the Personal Data Act of 2000. • The purpose of this Act is to protect persons from violation of their right to privacy through the processing of personal data. • The Act shall help to ensure that personal data are processed in accordance with fundamental respect for the right to privacy, including the need to protect personal integrity and private life and ensure that personal data are of adequate quality. Kirsten Ribu - MS008A - Ethics - Hio 2004
Section 2 Definitions Sensitive information • For the purposes of this Act, the following definitions shall apply: • personal data: any information and assessments that may be linked to a natural person, • processing of personal data: any use of personal data, such as collection, recording, alignment, storage and disclosure or a combination of such uses, • personal data filing system: filing systems, records, etc. where personal data is systematically stored so that information concerning a natural person may be retrieved. Kirsten Ribu - MS008A - Ethics - Hio 2004
Cont…. • controller: the person who determines the purpose of the processing of personal data and which means are to be used, • processor: the person who processes personal data on behalf of the controller, • data subject: the person to whom personal data may be linked, • consent: any freely given, specific and informed declaration by the data subject to the effect that he or she agrees to the processing of personal data relating to him or her, • sensitive personal data: information relating to a) racial or ethnic origin, or political opinions, philosophical or religious beliefs, b) the fact that a person has been suspected of, charged with, indicted for or convicted of a criminal act, c) health, d) sex life, e) trade-union membership. Kirsten Ribu - MS008A - Ethics - Hio 2004
Section 33 Obligation to obtain a licence (konsesjonsplikt) • A licence from the Data Inspectorate is required for the processing of sensitive personal data. This does not apply, however, to the processing of sensitive personal data which have been volunteered by the data subject. • The Data Inspectorate may decide that the processing of data other than sensitive personal data shall also be subject to licensing, if such processing otherwise will clearly violate weighty interests relating to protection of privacy. In assessing whether a licence is necessary, the Data Inspectorate shall, inter alia take account of the nature and quantity of the personal data and the purpose of the processing. Kirsten Ribu - MS008A - Ethics - Hio 2004
Cont……… • The controller may demand that the Data Inspectorate decide whether processing will be subject to licensing. • The obligation to obtain a licence pursuant to the first and second paragraphs shall not apply to the processing of personal data in central government or municipal bodies when such processing is authorized by special statute. • The King may prescribe regulations to the effect that certain processing methods are not subject to licensing pursuant to the first paragraph. As regards processing methods which are exempt from licensing, regulations may be prescribed to limit the disadvantages which processing may otherwise entail for the data subject. Kirsten Ribu - MS008A - Ethics - Hio 2004
Section 8 - Conditions for the processing of personal data • Personal data may only be processed if the data subject has consented thereto, or there is statutory authority for such processing, or the processing is necessary in order • a) to fulfil a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into such a contract, • b) to enable the controller to fulfil a legal obligation, • c) to protect the vital interests of the data subject, • d) to perform a task in the public interest, • e) to exercise official authority, or • f) to enable the controller or third parties to whom the data are disclosed to protect a legitimate interest, except where such interest is overridden by the interests of the data subject. Kirsten Ribu - MS008A - Ethics - Hio 2004
Section 9 Processing of sensitive personal data • Sensitive personal data (cf. section 2, no.8) may only be processed if the processing satisfies one of the conditions set out in section 8 and a) the data subject consents to the processing, b) there is statutory authority for such processing, c) the processing is necessary to protect the vital interests of a person, and the data subject is incapable of giving his or her consent, d) the processing relates exclusively to data which the data subject has voluntarily and manifestly made public, e) the processing is necessary for the establishment, exercise or defence of a legal claim, Kirsten Ribu - MS008A - Ethics - Hio 2004
Continued------- f) the processing is necessary to enable the controller to fulfil his obligations or exercise his rights in the field of employment law, g) the processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health care services, and where the data are processed by health professionals subject to the obligation of professional secrecy, or h) the processing is necessary for historical, statistical or scientific purposes, and the public interest in such processing being carried out clearly exceeds the disadvantages it might entail for the natural person. Kirsten Ribu - MS008A - Ethics - Hio 2004
Example • Statkraft - Software • If you publish the information yourself, and decide who can see it, this i perfectly legal! Kirsten Ribu - MS008A - Ethics - Hio 2004
European Convention for the Protection of Human Rights and fundamental Freedoms - - • Link • ARTICLE 8: • Everyone has the right to respect for his private and family life, his home and his correspondence. • There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. Kirsten Ribu - MS008A - Ethics - Hio 2004
Universal Declaration of Human Rights (1948) Article 12 • No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks. • http://www.un.org/Overview/rights.html Kirsten Ribu - MS008A - Ethics - Hio 2004
Article 18 • Everyone has the right to freedom of thought, conscience and religion; this right includes freedom to change his religion or belief, and freedom, either alone or in community with others and in public or private, to manifest his religion or belief in teaching, practice, worship and observance. Kirsten Ribu - MS008A - Ethics - Hio 2004
International Covenant on Civil and Political Rights - 1966 Article 17 1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. 2. Everyone has the right to the protection of the law against such interference or attacks. http://www.unhchr.ch/html/menu3/b/a_ccpr.htm Kirsten Ribu - MS008A - Ethics - Hio 2004
EU • The European Union passed a privacy directive processing of personal data • EU Directive 95/46/EC • Processing= collection, use, storage, retrieval, transmission, destruction and other actions • General principles that the EU memebers were required to implement in their own laws Kirsten Ribu - MS008A - Ethics - Hio 2004
EU Directive 95/46/ECThe Data Protection Directive • The right to privacy is a highly developed area of law in Europe. All the member states of the European Union are also signatories of the European Convention on Human Rights(ECHR). • Article 8 of the ECHR provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. Kirsten Ribu - MS008A - Ethics - Hio 2004
Main principles • Personal data may be collected only for specified explicit purposes: Kirsten Ribu - MS008A - Ethics - Hio 2004
Principles • Personal data should not be processed at all, except when certain conditions are met. • These conditions fall into three categories: • transparency, • legitimate purpose • proportionality. Kirsten Ribu - MS008A - Ethics - Hio 2004
Transparency • The data subject has the right to be informed when his personal data are being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11) Kirsten Ribu - MS008A - Ethics - Hio 2004
Legitimate Purpose • Personal data can only be processed for specified, explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b) Kirsten Ribu - MS008A - Ethics - Hio 2004
Proportionality • Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. • The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; • The data shouldn't be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed […..]0 Kirsten Ribu - MS008A - Ethics - Hio 2004
EU vs USA • The EU has much stricter regulations than the US on collection and use of personal information • The EU data Privacy Directive prohibits transfer of personal data to countries outside The EU that do not have an adequate protection of the use of personal data • Has caused serious problems • Example: in 2001, the EU decided that Australia did not have adequate privacy protection • Australia allows businesses to create their own privacy codes Kirsten Ribu - MS008A - Ethics - Hio 2004
The US • The US has laws covering specific areas such as • Medical information • Video rentals • Driver licence records • Does not have comprehensive privacy laws covering all personal data • Many Europeans describe the US as ’behind Europe’ because the US does not have federal legislation regulating personal data collection and use • Others say that there are different cultures and traditions • Europe puts more stress on centralisation and regulations • US put more emphasis on the flexibility and freedom of the market Kirsten Ribu - MS008A - Ethics - Hio 2004
THE PRIVACY ACT OF 1974 ( US)SECTION 2 • The Congress finds that -- • (1) the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies; • (2) the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information; • (3) the opportunities for an individual to secure employment, insurance, and credit, and his right to due process, and other legal protections are endangered by the misuse of certain information systems Kirsten Ribu - MS008A - Ethics - Hio 2004
continued (4) the right to privacy is a personal and fundamental right protected by the Constitution of the United States; and (5) in order to protect the privacy of individuals identified in information systems maintained by Federal agencies, it is necessary and proper for the Congress to regulate the collection, maintenance, use, and dissemination of information by such agencies. Kirsten Ribu - MS008A - Ethics - Hio 2004
Crime, terrorism and wiretapping • Wiretapping: Traditional interception of telephone conversations • Affects innocent people • Is it acceptable in the combat against crime? Discuss • Voice over IP – new technology – does this influence the view on wiretapping? • Discuss Kirsten Ribu - MS008A - Ethics - Hio 2004
Search and surveillance tools • Security cameras • Banks, shops, prisons …. • Who’s got your picture? • Have cameras reduced crime? • Electronic body searches • Airports use x-ray devices • Some devices display an image of the person without clothes – originally used to detect drug smuggling • After 9/11 these machines are used for airport security Kirsten Ribu - MS008A - Ethics - Hio 2004
More…………….. • Satellite surveillance and thermal imaging • Satellites use computer technologies to take detailed photos of the earth • In the US: use them to catch people growing • marijuana)? • Growing cotton without permits • Can be used to find people who build illegally …. • Automated toll collection and purchase records • Sensors read a device in the car (Fjellinjen) • Databases contain a record of where the person travels • Can the information be used to track people? • The system does not provide anonymity • Records of our shopping Kirsten Ribu - MS008A - Ethics - Hio 2004
The Center for Democracy and Technology • Works to promote democratic values and constitutional liberties in the digital age. • With expertise in law, technology, and policy, CDT seeks practical solutions to enhance free expression and privacy in global communications technologies. • CDT is dedicated to building consensus among all parties interested in the future of the Internet and other new communications media. http://www.cdt.org/mission/ Kirsten Ribu - MS008A - Ethics - Hio 2004
Privacy International • Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance and privacy invasions by governments and corporations. • PI is based in London, England, and has an office in Washington, D.C. • PI has conducted campaigns and research throughout the world on issues ranging from wiretapping and national security, to ID cards, video surveillance, data matching, police information systems, medical privacy, and freedom of information and expression. • http://www.privacyinternational.org/survey/censorship/ Kirsten Ribu - MS008A - Ethics - Hio 2004
Silenced – an international report • Silenced is an independent research initiative managed jointly by Privacy International and the GreenNet Educational Trust. The twelve-month project was undertaken through a collaboration of more than fifty experts and advocates throughout the world. The work was made possible by a grant from the Open Society Institute. • The Internet has evolved to become an increasingly important platform not just for economic development, but also as a support for advocates who wish to express their opinion freely and to work toward the development of democracy. • The medium has provided opportunities for citizens to participate in forums, and to discuss and debate issues that concern them. Kirsten Ribu - MS008A - Ethics - Hio 2004
Cont………… • Unlike other media where the information flow is unidirectional - from the government to the masses - the Internet allowed a multi-way communication process giving the chance for anybody to air their opinions and views on issues affecting them. • The development of the Internet has lead to more horizontal and less vertical communication. • Control and censorship has a substantial effect on the Internet because it undermines confidence and trust in the medium and inhibits crucial flows of data. Kirsten Ribu - MS008A - Ethics - Hio 2004
Silenced • The report Kirsten Ribu - MS008A - Ethics - Hio 2004
Sage Code of Ethics System Administrators' Guild Kirsten Ribu - MS008A - Ethics - Hio 2004
What is SAGE? • SAGE is a Special Technical Group (STG) of the USENIX Association. • It is organized to advance the status of computer system administration as a profession, establish standards of professional excellence and recognize those who attain them, develop guidelines for improving the technical and managerial capabilities of members of the profession, and promote activities that advance the state of the art or the community. Kirsten Ribu - MS008A - Ethics - Hio 2004
Definition • System administratorn.a system administrator is one who, as a primary job function, manages computer and network systems on behalf of another, such as an employer or client. • http://www.sage.org/field/ Kirsten Ribu - MS008A - Ethics - Hio 2004
SAGE ’vow’ • ’We as professional System Administrators do hereby commit ourselves to the highest standards of ethical and professional conduct, and agree to be guided by this code of ethics, and encourage every System Administrator to do the same.’ Kirsten Ribu - MS008A - Ethics - Hio 2004
Professional Code of Conduct • SAGE code of ethics is not: • a set of enforceable law • a list of procedures • a list of sanctions and punishments • It states the need for SAs to maintain a high standard of professionalism • http://www.sage.org/ethics.mm Kirsten Ribu - MS008A - Ethics - Hio 2004
SAGE Code of Ethics (1/3) • The integrity of a system administrator must be beyond Reproach • SAs come in contact with privileged information regularly • Sas need to protect integrity and privacy of data • Sas must uphold law and policies as established for their system • A system administrator shall not unnecessarily infringe upon the rights of users • No tolerance for discrimination except when required for the job • Must not exercise special powers to access information except when necessary Kirsten Ribu - MS008A - Ethics - Hio 2004
SAGE Code of Ethics (2/3) • Communications of system administrators with all whom they may come in contact shall be kept to the highest standards of professional behavior. • Must keep users informed of computing matters that might affect them • Must give impartial advice, and disclose any potential conflicts of interest • The continuance of professional education is critical to maintaining currency as a system administrator. • Reading, study, training, and sharing knowledge and experiences are requirements Kirsten Ribu - MS008A - Ethics - Hio 2004
SAGE Code of Ethics (3/3) • A system administrator must maintain an exemplary work ethic. • A sysadmin can have a significant impact on an organization – a high level of trust is maintained by exemplary behavior • At all times system administrators must display professionalism in the performance of their duties. • You need to be professional, when dealing with management, vendors, users, or other sysadmins Kirsten Ribu - MS008A - Ethics - Hio 2004
ACM Code of Ethics and Professional Conduct • Association for Computing Machinery • Commitment to ethical professional conduct is expected of every member (voting members, associate members, and student members) of the Association for Computing Machinery (ACM). • http://www.acm.org/constitution/code.html Kirsten Ribu - MS008A - Ethics - Hio 2004