34 Privacy Concept

Hiteishi Diwanji

epgp books


Information privacy has 3 aspects.

  1. Sensitive data
  2. Affected parties
  3. Controlled access

Controlled Disclosure

  • Privacy is considered to be the right to control who can learn about a user, the communications the user conducts and the activities the user performs.

Sensitive data

Data people may consider private:

  • Identity
  • Finance matters, details of bank account
  • Legal matters
  • Medical reports
  • Voting, opinions
  • Preferences – religion
  • Biometric, physical characteristics
  • Diaries, poems
  • Privileged communication
  • Performance in school reflected in record books
  • Ratings based on performance at work place by employer
  • Activities – reading habits
  • Air travel data
  • Communications
  • History
  • Illegal activities, criminal records

Computer Related Privacy Problems:

  1. Data Collection – Computer storage holds gigabytes or terabytes of data; Google’s stored data is measured in petabytes. Data is never thrown away; it is moved to slower secondary media.
  2. No Informed Consent – Data is gathered from public and commercial sources. Data given for one purpose (a statement to the police after an accident) is reused for another. Data is collected without the knowledge of the user, who has not given consent for its collection. The telephone company records the date, time, duration, caller and callee of all telephone calls. Internet service providers (ISPs) track the sites visited. Sites store the IP addresses of visitors.
  3. Loss of Control – Data passed on by a user can be distributed to anyone; the user has little or no control over its dissemination. Someone can post about a user on the web, and the user who wants it removed cannot remove it because the user is not the owner of the content. Archives, mirror sites and caches ensure that the data remains intact. Data exposure – a company’s records are compromised and the data is revealed, yet the company is not held responsible.
  4. Ownership of Data – With computers, the volume and number of sources of data have increased, but the data subject has no rights over it.
  5. Fair Information Policies – A committee was formed as an advisor to the Secretary of the U.S. Department of Human Services. The committee recommended the following on privacy issues.


Protection of stored data:

There are four ways to protect stored data, as suggested by Turn and Ware:

  • Limit the exposure of data.
  • Use random sampling.
  • Add errors or interchange data items to reduce the sensitivity of the data.
  • Remove or modify the data elements that identify data items, i.e. anonymize the data.
  • Encrypt the data.

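The following Python block is an added example that is not part of the original notes: it applies the Turn and Ware reductions listed above (limiting exposure, random sampling, adding bounded error, interchanging values, and removing or generalizing identifying elements) to a small constructed set of records. The records, field names and the choice of ZIP-prefix generalization are assumptions made for the example; encryption is left out because it needs a cryptography library outside the standard library.

```python
"""Reducing the sensitivity of stored data (added example, not the notes' own code)."""
import random
import statistics

# Constructed sample records: names and values are made up for this example.
RECORDS = [
    {"name": "A. Patel", "zip": "380009", "age": 34, "salary": 52000, "diagnosis": "asthma"},
    {"name": "B. Shah", "zip": "380015", "age": 41, "salary": 61000, "diagnosis": "none"},
    {"name": "C. Mehta", "zip": "380001", "age": 29, "salary": 47000, "diagnosis": "diabetes"},
    {"name": "D. Desai", "zip": "380052", "age": 55, "salary": 88000, "diagnosis": "none"},
    {"name": "E. Joshi", "zip": "380013", "age": 38, "salary": 57000, "diagnosis": "asthma"},
]

IDENTIFIERS = ("name",)   # direct identifiers: always dropped before release
ZIP_PREFIX = 3            # assumption: keep only the first 3 digits of a ZIP code


def limit_exposure(records, allowed_fields):
    """Release only the fields a consumer actually needs."""
    return [{k: r[k] for k in allowed_fields if k in r} for r in records]


def random_sample(records, k, seed):
    """Release a random subset so no individual is guaranteed to be present."""
    return random.Random(seed).sample(records, k)


def add_noise(records, field, scale, seed):
    """Add bounded random error to a numeric field: aggregates survive, exact values do not."""
    rng = random.Random(seed)
    out = []
    for r in records:
        c = dict(r)
        c[field] = r[field] + rng.randint(-scale, scale)
        out.append(c)
    return out


def swap_values(records, field, seed):
    """Interchange one field's values between records (data swapping).

    The multiset of values is unchanged, so column statistics are preserved,
    but a value can no longer be tied to a particular record.
    """
    rng = random.Random(seed)
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [dict(r, **{field: v}) for r, v in zip(records, values)]


def remove_identifiers(records):
    """Drop direct identifiers and generalize the ZIP code (first step of anonymization)."""
    out = []
    for r in records:
        c = {k: v for k, v in r.items() if k not in IDENTIFIERS}
        if "zip" in c:
            c["zip"] = c["zip"][:ZIP_PREFIX] + "*" * (len(c["zip"]) - ZIP_PREFIX)
        out.append(c)
    return out


def mean_field(records, field):
    """Aggregate that the protected releases should still reproduce closely."""
    return statistics.mean(r[field] for r in records)


if __name__ == "__main__":
    released = remove_identifiers(add_noise(RECORDS, "salary", 2000, seed=7))
    for r in released:
        print(r)
    print("mean age, original:", mean_field(RECORDS, "age"))
    print("mean age, released:", mean_field(released, "age"))
```

Each function returns a new list, so the original records are never modified in place; the protected release is built by composing the functions, as in the `__main__` section.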

U.S. Privacy laws:

The United States has formed laws that protect collected data held by other organizations. For consumer credit, the Fair Credit Reporting Act applies. The Health Insurance Portability and Accountability Act (HIPAA) addresses health information. Financial services and organizations are covered by the Gramm-Leach-Bliley Act (GLBA). Children’s web access is covered by the Children’s Online Privacy Protection Act (COPPA). Student records are addressed by the Federal Educational Rights and Privacy Act.

Policies posted after the Health Insurance Portability and Accountability Act (HIPAA):

Statements on data transfer are compact. Consumers have control over the exposure and distribution of their data. Short and simple statements are formed. Statements varied largely even within the same industry branch, which makes comparison of policies hard. A web page contained only the statements related to its specific topic.


Controls on U.S. Government Web Sites:

  • Notice – Reveal the information practices.
  • Enforcement Mechanism – A mechanism to enforce the stated practices.
  • Security – Ensure that data is secured from unauthorized user.
  • Choice – How collected personal information must be used.
  • Access – check the accuracy and completeness of data.

In 2002, the U.S. Congress passed the e-Government Act. Under that act, agencies of the Federal Government have to post privacy policies on their web sites disclosing the following:

  • Information to be collected
  • Reason behind collecting information
  • Intended use by the agency
  • Sharing of information
  • Notice or consent – information collected is pertaining to which subject and how sharing of information is done
  • Way of securing information
  • Rights of individual under the Privacy Act and other laws.

The e-Government Act places strong restrictions on how data may be collected through web sites. The Federal Trade Commission (FTC) prosecutes companies that employ deceptive trade or unfair business practices. The FTC takes action when a company advertises in a misleading way, or when a company says it will protect privacy and does not.

Privacy notices at the bottom of a web site carry meaning because of the FTC.


Case Study:

The FTC prosecuted CartManager International. CartManager runs web shopping cart software that collects the items of an order, the customer’s name and address, and shipping and payment details. The software is an add-on that runs with retail merchants’ web sites and handles order processing. The retailers had privacy statements indicating that they would not sell customer data, but CartManager sold the data.

Non-U.S. Privacy principles:

The European Union (E.U.) adopted Directive 95/46/EC on the processing of personal data, called the European Privacy Directive. The European Privacy Directive directs that data about an individual must be:

  • Processed fairly and lawfully.
  • Collected for a purpose that is specific, explicit and legitimate.
  • Concise, and related to that purpose only.
  • Kept in a format that identifies the subjects only as long as needed for the purpose and for further processing.
  • Given special protection when it is sensitive data.
  • Subject to restrictions on data transfer.
  • Subject to independent oversight.

Anonymity :

  • Anonymity is hiding the identity.
  • Anonymity reduces discrimination.
  • Problem with anonymity – how does an anonymous user pay for something?

Multiple Identities :

  • People have multiple identities.
  • Bank account number, Driving License number, Credit card number – different for same person.

Pseudonymity:

Pseudonyms are unique identifiers that link records in a database maintained at the server. These identifiers do not reveal the real identity.

  • Pseudonyms are registered with e-mail providers that provide anonymous drop boxes for e-mail communication.
  • Pseudonyms are used in chatting.

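The Python block below is an added example, not code from the original notes, showing the pseudonymity arrangement just described: a server keeps a secret key and a pseudonym-to-identity table, issues a stable pseudonym for each real identity (so the server can link a user’s records), and releases records in which only the pseudonym appears. The `PseudonymService` class, the HMAC-SHA256 construction, the fixed demo key and the sample messages are all assumptions made for the example.

```python
"""Server-side pseudonyms that link records without revealing identity (added example)."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records: e-mail addresses and messages are made up for this example.
MESSAGES = [
    {"email": "alice@example.org", "text": "hello"},
    {"email": "bob@example.org", "text": "hi"},
    {"email": "alice@example.org", "text": "meeting at noon"},
]


class PseudonymService:
    """Issues pseudonyms; holds the secret key and the pseudonym -> identity table.

    Only the server that owns this object can resolve a pseudonym back to a
    real identity. Anyone else sees an opaque identifier.
    """

    def __init__(self, key=None):
        # A fresh random key per deployment; a fixed key is passed only in tests.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._table = {}  # pseudonym -> real identity (kept server-side)

    def pseudonym_for(self, real_identity):
        """Deterministic keyed tag: the same identity always gets the same pseudonym."""
        tag = hmac.new(self._key, real_identity.encode("utf-8"), hashlib.sha256).hexdigest()
        pseudonym = "u_" + tag[:16]
        self._table[pseudonym] = real_identity
        return pseudonym

    def resolve(self, pseudonym):
        """Reverse lookup, available only to the holder of the table."""
        return self._table.get(pseudonym)


def pseudonymize_records(service, records, id_field="email"):
    """Replace the identifying field with a pseudonym in every record."""
    out = []
    for r in records:
        c = dict(r)
        c["pseudonym"] = service.pseudonym_for(c.pop(id_field))
        out.append(c)
    return out


def messages_per_pseudonym(records):
    """Records stay linkable per user even though no identity is present."""
    return Counter(r["pseudonym"] for r in records)


if __name__ == "__main__":
    svc = PseudonymService()
    released = pseudonymize_records(svc, MESSAGES)
    for r in released:
        print(r)
    print(messages_per_pseudonym(released))
```

Because the pseudonym is an HMAC under a server-held key rather than a plain hash, a party holding only the released records cannot recompute pseudonyms from candidate identities; linking and reversal both stay with the server that owns the key and the table.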

Suggested Reading:

  1. Cryptography and Network Security: Principles and Practice by William Stallings, Sixth Edition, Pearson.
  2. Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, Fourth Edition, Pearson.
  3. Network Security by Charlie Kaufman, Radia Perlman, Mike Speciner, Second Edition, PHI.
  4. The Complete Reference – Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill.
  5. Network Security Bible by Eric Cole, Ronald Krutz, James Conley, Wiley.
  6. Hacking Exposed 6 by Stuart McClure, Joel Scambray & George Kurtz, Tata McGraw Hill.
  7. www.snort.org
  8. https://nmap.org