1 The interplay of stopping computer crime while protecting privacy Svein Yngvar Willassen Department of Telematics, Norwegian University of Science and.

Slides:

Advertisements

Similar presentations

TECHNO-TONOMY Privacy & Autonomy in a Networked World Learning Module 2: Legislating Privacy: Your Rights.

Advertisements

Institutional Telecomms and Computer Network Monitoring Andrew Charlesworth University of Bristol 10 June 2002.

ISRCL- Young Lawyers Anthony Gett Barrister & Senior Legal Officer Commonwealth Director of Public Prosecutions (Australia)

I.D. Theft Alaska’s New Protection of Personal Information Act Ed Sniffen Senior Assistant Attorney General Alaska Department of Law.

CIPA Update. FOR SCHOOLS – By July 1, 2012, amend your existing Internet safety policy (if you have not already done so) to provide for the education.

Workshop on Harmonizing Cyberlaw in the ECOWAS region ( Procedural Law in the Budapest Convention ) Ghana, Accra 17 – 21 March 2014, Kofi Annan International.

Jurisdictional issues and international co-operation in combating cybercrime Anne Flanagan Institute for Computer and Communications Law Centre for Commercial.

EXAMINING CYBER/COMPUTER LAW BUSINESS LAW. EXPLAIN CYBER LAW AND THE VARIOUS TYPES OF CYBER CRIMES.

BC Freedom of Information and Protection of Privacy Act

Data Protection and Records Management

Data Retention LIS 550 Winter 2010 Unsworth Tuesday, March 02, 2010.

Developing a Records & Information Retention & Disposition Program:

EU: Bilateral Agreements of Member States

Privacy and Sensor Networks: Do Sensor Networks fit with Fair Information Practices Deirdre K. Mulligan Acting Clinical Professor of Law Director, Samuelson.

Privacy and security: Is Europe going banana? Jean-Marc Van Gyseghem Head of Unit « Liberties in the information society » CRID – University.

EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.

Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.

Text Privacy and Data Protection in Sweden Christine Kirchberger.

The Growth of Dual-Use Bioethics Lecture No.13 Further Inf. For further information and video link please click on the right buttons in the following slides.

Transparency in Public Administration – FOI and EIR

Whistleblower Protection Institution Overview of Georgian Legislation and international experience Maia Dvalishvili Deputy Head, Civil Service Bureau of.

Money Laundering 23 September Contents 1 What is money laundering? 2. The ‘primary’ money laundering offences 3. Failure to report and tipping off.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Privacy in Computing Legal & Ethical Issues in Computer …Security Information Security Management …and Security Controls Week-9.

Introduction to Data Forensics CIS302 Harry R. Erwin, PhD School of Computing and Technology University of Sunderland.

Legal Aspects of Computer System Security “Security - Protecting Our Resources”

Regulation of Personal Information Daniel Pettitt, Leon Sewell and Matthew Pallot.

Eric J. Pritchard One Liberty Place, 46 th Floor 1650 Market Street Philadelphia, Pennsylvania (215)

Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick.

Sutton Public Schools Anti-Bullying Law Overview.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #6 Forensics Services September 10, 2007.

M. ANGELA JIMENEZ 1 UNIT 5. REGULATION OF EXTERNAL AUDIT IFAC AND E.C.

CSE/ISE 312 Privacy (Part 1). What We Will Cover Privacy risks and principles 4 th Amendment, expectations, and surveillance Business and social sectors.

Ide kerülhet az előadás címe CCTV operation at work Belgrade, 11 th April 2013.

Legal Aid of Cambodia Bangkok, August 2015 Mr. RUN Saray Executiva Director and Lawyer Legal Aid of Cambodia WitnessProtection Presentation by.

Canadian Association for Civilian Oversight of Law Enforcement June 6 - 8, 2010.

Managing Risks Associated With Privacy Alison Baker- Senior Associate Hall & Wilcox 24 November

Computer Forensics Principles and Practices

Lecture 11: Law and Ethics

Data Protection Act AS Module Heathcote Ch. 12.

IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.

Institute for Criminal Justice Studies FERPA Family Educational Rights and Privacy Act ©This TCLEOSE approved Crime Prevention Curriculum is the property.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

The Data Protection Act What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;

Data Protection and Records Management. Key Responsibilities - Record Management Keep Information Accurate Disclose only if compatible with purpose for.

Shaping healthcare … for you and your family Philip Tremewan, Designated Nurse for Safeguarding Adults Guildford & Waverley CCG Safeguarding Adults & Mental.

Chapter 2 Legal Aspects of Investigation © 2009 McGraw-Hill Higher Education. All rights reserved. LEARNING OBJECTIVES Explain the historical evolution.

2002 Symantec Corporation, All Rights Reserved The EU Regulations and IT security An industry perspective Ilias Chantzos, Government Relations EMEA Terena.

Privacy by Design – Principles of Privacy-Aware Ubiquitous Systems Marc Langheinrich - Swiss Federal Institute of Technology, Zurich Whitney Hess.

Digital evidence in criminal proceedings: legal considerations Arkadiusz Lach Department of Criminal Procedure Faculty of Law University of Nicolaus Copernicus.

PROTECTION OF PERSONAL DATA. OECD GUIDELINES: BASIC PRINCIPLES OF NATIONAL APPLICATION Collection Limitation Principle There should be limits to the collection.

Data protection and compliance in context 19 November 2007 Stewart Room Partner.

Information Security Legislation Moving ahead Information Security 2001 Professional Information Security Association Sin Chung Kai Legislative Councillor.

An Introduction to the Privacy Act Privacy Act 1993 Promotes and protects individual privacy Is concerned with the privacy of information about people.

Protecting Privacy and Freedom of Communication in the Fight against Cybercrime Southeast Europe Cybersecurity Conference Sofia, Bulgaria 8-9 September.

Human Rights Act, Privacy in the context of auditing Phil Huggins Chief Technologist, IRM PLC

James Fox Shane Stuart Danny Deselle Matt Baldwin Acceptable Use Policies.

Privacy Compliance in Schools Darrebin A/P’s Network 7 May 2009.

GCSE ICT Data and you: The Data Protection Act. Loyalty cards Many companies use loyalty cards to encourage consumers to use their shops and services.

Health and Social Care Mental Health Act 2007 Deprivation of Liberty Safeguards (MCA / DoLS) What is Depriving a Person’s Liberty?

[ Direct marketing – an introduction to data protection and privacy] For [insert name of organisation] presented by [insert name of presenter] on [date]

ICT, Communication & related Legislations. Produced by Neil Liggett. Acts of Law – shared data & information.

Freedom of Expression: Freedom of the Press Essential Questions: How have the courts defined citizens rights over time?

Prof. Dr. Lorena Bachmaier, Universidad Complutense Madrid, Spain Section III- Criminal Procedure Information Society and Penal Law Lorena Bachmaier Doha,

Surveillance around the world

Principles of Administrative Law <Instructor Name>

Data protection issues in regulatory investigations

Data Protection Legislation

U.S. Department of Justice

Presentation transcript:

1 The interplay of stopping computer crime while protecting privacy Svein Yngvar Willassen Department of Telematics, Norwegian University of Science and Technology

2 It is already far too late to prevent the invasion of cameras and databases. The djinn cannot be crammed back into its bottle. No matter how many laws are passed, it will prove quite impossible to legislate away the new surveillance tools and databases. They are here to stay. Accountability is the one fundamental ingredient on which liberty thrives. Without the accountability that derives from openness -- enforceable upon even the mightiest individuals and institutions -- how can freedom survive? D. Brin, The transparent society, 1998

3 Definitions: Privacy Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. A. Westin, Privacy and Freedom, 1967

4 Definitions: Computer Crime A crime in which a computer was directly and significantly instrumental J. Taber, One Computer Crime, Computer Law Journal, 1979 Action directed against the confidentiality, integrity and availability of computer systems, networks and computer data as well as misuse of such systems, network and data Preamble, Council of Europe Cybercrime Convention, Budapest 2001

5 Consequence of Definitions Computer crime is a threat against computers and the information stored therein. The rightful owners of information are thereby deprived of their ability to decide for themselves how this information is spread to others. Computer crime is harmful to privacy. Stopping Computer Crime is Preserving Privacy! 3

6 Protecting Privacy from Computer Crime, Options - Protect - Protect, detect and stop - Protect, detect, stop and investigate - Don’t use computers - Protect, detect, stop, investigate and prosecute 4

7 Event Data Stored Retained Presented Seized Investigated Reported Relied on Information flow Detection and investigation of Computer Crime must be based on information about the occurred events. Detection, investigation and prosecution relies on information (evidence) distilled from the pool of data that has been recorded about the events that occured.

8 Event Data Stored Retained Presented Seized Investigated Reported Relied on Information flow

9 Event Data Stored Retained Presented Seized Investigated Reported Relied on Information flow The amount of information available in each step is determined by various considerations, among them privacy: - by regulations (statutory requirements, recommendations, standards) - by policy This affects the outcome of the investigation and prosecution. Terminology from [Breaux, Anton et.al 2007]

10 Event Data Stored Retained Presented Seized Investigated Reported Relied on Event Data generation Data about occurring events is generated on computers involved in the occurring events. End users may use Privacy Enhancing Technologies to control the visibility of the event information to others.

11 Event Data Stored Retained Presented Seized Investigated Reported Relied on Event Data generation Anonymization: - Decouples the event data from an individual, so attribution becomes impossible. - Enhances privacy but reduces the investigative value of the data - Examples of statutory provisions outlawing anonymization.

12 Event Data Stored Retained Presented Seized Investigated Reported Relied on Event Data generation Encryption: - Hides data content from anyone not in possession of a key. - Enhances privacy but reduces the investigative value of the data - Examples of government efforts to prevent effective encryption for investigative reasons

13 Event Data Stored Retained Presented Seized Investigated Reported Relied on Storage/Retention Storage and retention of event data is to a very little extent determined by users themselves: - Local storage/retention determined by applications and operating systems - Event data is retained on computers controlled by others than the end user

14 Event Data Stored Retained Presented Seized Investigated Reported Relied on Storage/Retention Privacy provisions: - Provisions that do not allow data processors to store data without “informed consent” from the data owner. (Directive 95/46/EC) - Example: Logs of internet usage shall not be stored or retained unless needed for invoicing. (Effectively anonymization)

15 Event Data Stored Retained Presented Seized Investigated Reported Relied on Storage/Retention Storage/retention requirements: - Provisions that require the storage and retention of specific types of data. - Example: Financial accounts - Example: EU Directive on Data Retention 4

16 Event Data Stored Retained Presented Seized Investigated Reported Relied on Seizure - Seizure of data for investigation purposes is in most jurisdictions restricted to crimes of a certain seriousness - Must be decided by an independent party (court) after having reviewed the information that leads to the seizure request. - Protect the privacy of third parties as well as the accused in cases where the suspicion is too weak. 5

17 Event Data Stored Retained Presented Seized Investigated Reported Relied on Investigation Investigation aims at extracting the information of interest in the case from the seized data. (Evidence) Provisions may disallow investigation of certain material for privacy reasons: - Records from certain professions such as lawyers, physicians - Trade secrets 6

18 Event Data Stored Retained Presented Seized Investigated Reported Relied on Reporting/Presentation The investigator includes in his report what he finds relevant to the case. The results may be presented in public hearings. Thus, details never meant for the public will be publicly disclosed. This has privacy implications for those involved in the case.

19 Event Data Stored Retained Presented Seized Investigated Reported Relied on Evidence relied on by fact finder A fact finder (court) is obliged to comply with statutory requirements. - Evidence admissibility - Unlawfully acquired evidence 7

20 Event Data Stored Retained Presented Seized Investigated Reported Relied on Investigation / Privacy The investigation process is harmful for privacy - Details about individuals will be publicly revealed without consent - The process is to a large extent outside of control by the individual

21 Event Data Stored Retained Presented Seized Investigated Reported Relied on Investigation / Privacy Computer crime is even more harmful for privacy - Investigating and prosecuting crimes prevents crime harmful to privacy. - Legal protection should limit the privacy harm done by investigations, at least to third persons. - Do perpetrators have an expectation of privacy?

22 The interplay of stopping computer crime while protecting privacy Svein Yngvar Willassen Department of Telematics, Norwegian University of Science and Technology

23 A proposed middle ground - Separate knowledge of behavior from knowledge of identity - Privacy is only compromised by knowledge of both behavior and identity - Proposed default rule: knowledge of behavior is visible but knowledge of identify is concealed, and will only be revealed under legal procedures. - Correspond to the Internet (with data retention) C. Demchak, K. Fenstermacher, Balancing Security and Privacy in the 21st century, 2004