400 likes | 613 Views
Privacy & Technology. OUTLINE. Privacy in the Workplace Employee Monitoring Information Ownership Protecting Your Data History. Privacy in the Workplace. Overview. Two standards very little privacy in private industry government workers are protected by the constitution Companies can
E N D
OUTLINE • Privacy in the Workplace • Employee Monitoring • Information Ownership • Protecting Your Data • History
Overview • Two standards • very little privacy in private industry • government workers are protected by the constitution • Companies can • test for drugs • read your e-mail • Monitor internet use • Video • require that you not smoke even at home
Privacy Rights in Industry • As privacy litigation has increased exponentially over the past few years, employers are recognizing the need to play “catch up” with the rapid development of privacy rights. • In fact, workplace privacy issues have created an entirely new post in corporate America – the Chief Privacy Officer (CPO). • US News listed the position of “CPO” as one of its hottest jobs for 2001 and predicts that by 2005 most mid to large sized organizations will have CPOs.
Result • There is a growing conflict between individual privacy rights and the need to maintain a safe working environment • Companies are facing lawsuits on both sides • They are sued if they violate employee privacy • They are sued if they fail to monitor employee behavior
Employee Monitoring Is Growing • January 1998 Los Angeles Times article: • “[g]iven the liabilities employers face, they have little choice but to monitor employee activity on the Internet and even in interoffice communications, and given the technology available to employers, every employee should assume that his or her interaction with a workplace computer is happening in plain view of the boss.” • The American Management Association in April 2000 revealed that 73.5% of the more than 1,000 companies surveyed engage in employee electronic monitoring and surveillance, compared with 55.1% reporting in 1999.
Survey Results • A 2001 survey by the Privacy Foundation found that more than 27 million online workers worldwide had their e-mail or Web usage monitored by employers. Online Workforce e-mail web US 40 million 6.25 million 7.75 million Worldwide 100 million 12 million 15 million
Justification • There are many reasons why employers monitor the activities of their employees. • Employers may be liable for the misconduct of employees. • Additionally, theft is a costly and continuing problem. • Causes of low productivity may be uncovered by surveillance, open or surreptitious • prevention of workplace violence may justify employer intrusion on workplace privacy
Phone Calls • Employers may monitor calls with clients or customers for reasons of quality control. • Federal law, which regulates phone calls with persons outside the state, does allow unannounced monitoring for business-related calls. • An important exception is made for personal calls. Under federal law, when an employer realizes the call is personal, he or she must immediately stop monitoring the call. • However, when employees are told not to make personal calls from specified business phones, the employee then takes the risk that calls on those phones may be monitored. • Privacy Tip: The best way to ensure the privacy of your personal calls made at work is to use a pay phone or a separate phone designated by your employer for personal calls.
e-mail • If an electronic mail (e-mail) system is used at a company, the employer owns it and is allowed to review its contents. • Messages sent within the company as well as those that are sent from your terminal to another company or from another company to you can be subject to monitoring by your employer. • The same holds true for voice mail systems. • Court cases are currently pending in which employees' rights to privacy on electronic mail systems are being considered.
Problems with e-mail • One of the most damaging characteristics of e-mail is its stubborn refusal to “disappear.” • E-mail leaves an electronic trail that can forever reside on an employer’s computer system. In fact every time a user sends a message, he or she creates a digital file that is stored on the employer’s hard drive for months, or even years. • Those files remain on the hard drive until the computer runs out of new (i.e., unused) space. Only when the computer is “full” will it start to fill in (“overwrite”) spaces where deleted files once existed. • So even when we think we have erased a file, it may still reside on the system. New and sophisticated technologies that “sniff out” deleted information are becoming increasingly popular in employment litigation. • For example, systems recently installed in Deloitte & Touche’s San Francisco forensics lab can “dig up just about anything on a hard drive,” in addition to recreating documents from scattered electronic fragments and tracing the identity of an otherwise anonymously typed message by comparing it with documents of a known author.
False e-mail? • It is also possible for employees to falsify evidence using e-mail technology, creating offensive messages that were never in fact sent or received. • hat was the case when Larry Ellison, founder and CEO of Oracle, the world’s second largest software company, was accused of sexually harassing his ex-girlfriend and former Oracle employee, Adeynn Lee. • Lee claimed that Ellison fired her after she stopped having sex with him and then produced damaging e-mail messages from Ellison to support her case. • Ellison settled the claim in 1993 for $100,000, but it was later discovered that Lee had forged the e-mail communications. • She was eventually found guilty of creating false evidence and lying under oath. • In a similar case, Fite vs Digital Equip. Corp. an employee was fired for fabricating e-mail messages in an attempt to support a discrimination claim.
Requirement to Monitor • Once an employer has made the decision to monitor electronic resource use, there may be a corresponding duty to act upon any information that suggests misconduct. • If they do not, employers could be guilty of “negligent supervision.” • A California company that had a policy of monitoring employees’ e-mail was sued for negligent supervision when one of its employees exchanged sexual messages with a child and then arranged to meet with the child using the company’s e-mail system. • A duty to act upon suspicious or inappropriate communications also applies if the messages suggest misconduct toward someone within the organization, or could be viewed as creating a hostile or discriminatory working environment.
Court Case • Similarly, in Smyth v. Pillsbury Co the court rejected an invasion of privacy and wrongful discharge claim when Pillsbury terminated one of its employee’s for “inappropriate and unprofessional comments” over the company e-mail system. • Smyth had exchanged highly offensive messages with his supervisor, which included threats to kill members of the sales management team and references to the holiday party as the “Jim Jones Koolaid affair.” • Company executives, who saw a printout of the message, then read all of Smyth’s e-mail communications and fired him. • In rejecting Smyth’s claims, the court held that there was no reasonable expectation of privacy in e-mail messages made voluntarily to a supervisor over a company-wide e-mail system. • Furthermore, even if the court were to find a reasonable expectation of privacy based on the fact that employees had been told by Pillsbury that e-mail messages would not be intercepted by management, a reasonable person would not consider the company’s interception to be a substantial and highly offensive intrusion upon seclusion. • Pillsbury’s interest in preventing conduct like Smyth’s outweighed any corresponding employee privacy interest.
What do you really own? • What information about yourself do you really own? • What does it mean to own information? • Consider • Name & address • Phone number • Signature • DNA & body parts
Data for Profit • Reality • A great deal of information that we consider to be highly personal is now sold on the open market to anyone who believes they might be able to use the information for profit. • This is done without our knowledge or consent. • Types of information sold • name & address • phone numbers • medical records • other . . .
Your Name and Address? • Your name is really owned by several different private companies • It is sold to other companies along with other names to be used for mailing lists. • This forms the basis of the $600 billion dollar direct mail marketing business
Your Phone Number? • Historically, phone companies have viewed the telephone number as belonging to them • they assign them • they publish them • Should they own your number? • What about Caller ID - is it an invasion of privacy?
Direct Mail Companies • When you place an order over the phone you are often asked for your phone number “…just in case we need to call you about your order” • Real reason: phone numbers are used as I.D.s so the next time you call, your file is referenced by the phone number • Move to use phone numbers in a universal I.D. system • assigned at birth • used as part of a Personal Communication System (PCS)
Aside – Phone Privacy • If you use a cordless or cell phone you should be concerned about privacy • In most cases, your cordless or cellular phone conversations are probably overheard only briefly and accidentally. But there are people who make it a hobby to listen to cordless and cellular phone calls by using radio scanners. • Since others may be listening to your conversations, avoid discussing financial or other sensitive personal information on a cordless or cellular phone. For example, if you buy something over the phone and give your credit card number and expiration date, your cordless or cellular call could be monitored and you might end up the victim of credit card fraud.
Your Signature • We are poised on the edge of a new frontier in personal data commerce--signature databases. • We all sign many documents in the course of daily living and it's generally assumed that signatures have some validity as an identifier • And we also usually implicitly assume that our signatures won't be made available to third parties on any kind of routine basis. • the computerized boxes that UPS delivery persons want you to sign when a package is delivered capture your signature electronically, and it’s fed back to UPS headquarters.
Your DNA and Body Parts? • Consider this case • In 1976, John Moore had his cancerous spleen removed at UCLA Med Center • In 1983 he received a call from UCLA asking him to sign a consent form that he had failed to fill out correctly at the time of the surgery allowing UCLA to use his tumor • It turns out that his tumor cells had been used to create a “cell line” • This was a unique cell line because it produced a powerful antibacterial and cancer fighting protein called GM-CSF • UCLA wanted to patent the cell • John Moore refused to sign the consent form and filed a lawsuit seeking all profits from his tumor cells • What did the courts decide?
Decision • He lost his case in the trial court • It was overturned by the appellate court • The final decision by the California Supreme Court went against Mr. Moore • The court ruled saying it was not prepared to create a new property right to our own cells
Protecting Information • Information in the form of names, addresses, phone numbers, credit histories, . . . is available to anyone with a computer • THEME: The major theme of this course is that INFORMATION IS POWER So how can we protect private data? - Don’t give it out - Make sure that it is encrypted
Encryption • The process of disguising a message in such a way as to hide its substance is called encryption a message is calledplaintext the encrypted message is calledciphertext the process of turning ciphertext back into plaintext is called decryption
A Simple Cipher • A substitution cipher is one in which each character in the plaintext is substituted for another character in the ciphertext • EXAMPLE: The Caesar Cipher replaces each plaintext character by the character 3 positions to the right
Example PLAINTEXT: the word privacy does not appear in the united states constitution Put it into 5 character blocks Thewo rdpri vacyd oesno tappe arint heuni tedst atesc onsti tutio n ugsul ydfbg rhvqr wdssh dulqw khxql whgvw dwhvf rqvwl wxwlr q The Caesar Cipher could shift between 1 and 25 characters
History • We will look at how to protect data in several ways History of information Structure of ciphers Weakness of ciphers Information Today
The Start • One of the first recorded uses of “secret writing” occurred in 1900 BC An inscription carved into the rock of the main chamber of the tomb of an Egyptian nobleman uses some unusual symbols in place of standard hieroglyphics Its purpose was (perhaps) to impress the reader by adding dignity and authority to the message.
The Growth • Other transformations began to appear in Egypt (usually in funeral messages) • There initial use was: impress the reader decorative effect reaction against foreign influences on the language
Cryptography • Later, the transformations became more complex and secret to increase the mystery and hence the arcane magical powers of certain religious texts catch the reader’s eye and tempt him into unriddling them so they would read the blessings
Possible Quiz Questions What private information do we own? Define plaintext and ciphertext? How does the Caesar cipher work? Other?
Summary • Privacy in the Workplace • Employee Monitoring • Information Ownership • Protecting Your Data • History