Chap 10: Privacy in Computing. Privacy as an aspect of security; authentication effects on privacy; privacy and the Internet; privacy implications.


Chap 10: Privacy in Computing

- Privacy as an aspect of security
- Authentication effects on privacy
- Privacy and the Internet
- Privacy implications for emerging technologies
SE571 Security in Computing Dr. Ogara 2

- Privacy is the right to control who knows certain aspects about you, your communications, and your activities
- Information privacy has three aspects: sensitive data, affected parties, controlled disclosure

- Personal identity information
- Finances, credit, bank details
- Medical information
- School records
- Communications: mail, e-mail, telephone calls, spam
- Illegal activities, criminal records

- Organizations need to protect personal information and sensitive data
- Companies: product plans, key customers, profit margins, newly discovered technologies
- Hospitals and schools: personal data for students and patients

- Information collection: data are collected only with knowledge and explicit consent
- Information usage: data are used only for certain specified purposes
- Information retention: data are retained for only a set period of time
- Information disclosure: data are disclosed to only an authorized set of people

- Information security: appropriate mechanisms are used to ensure the protection of the data
- Access control: all modes of access to all forms of collected data are controlled
- Monitoring: logs are maintained showing all accesses to data
- Policy changes: less restrictive policies are never applied after the fact to already obtained data

- Examples:
  - Job applicants asked to turn over their Facebook passwords
  - Some employers are asking job applicants for Facebook username
  - Fork over your Facebook log-on or you don't get hired. What?
  - Facebook Warns Employers Not to Ask Job Applicants for Log-in

- All of the mobile phone companies keep details about the location of cell towers used by every phone, for a year or longer.
- All of the mobile phone companies keep records about voice calls and text messages received and sent for a year or longer. Verizon stores the contents of every text message for three to five days. (The others don't keep the text.)
- IP session information (tying your phone to an IP address) is kept for a year by Verizon and 60 days on Sprint and Nextel.
- IP destination information (which IP addresses you connected to) is stored for 90 days at Verizon and 60 days on Sprint and Nextel.
Source: records-longer-you-think

- Fair information policies
- U.S. privacy laws
- Controls on U.S. government websites
- Controls on commercial websites
- Non-U.S. privacy principles
- Anonymity, multiple identities
- Government and privacy
- Identity theft

- Collection limitation. Data should be obtained lawfully and fairly.
- Data quality. Data should be relevant to their purposes, accurate, complete, and up to date.
- Purpose specification. The purposes for which data will be used should be identified, and the data destroyed if no longer necessary to serve that purpose.
- Use limitation. Use for purposes other than those specified is authorized only with consent of the data subject or by authority of law.

- Openness. It should be possible to acquire information about the collection, storage, and use of personal data systems.
- Individual participation. The data subject normally has a right to access and to challenge data relating to her.
- Security safeguards. Procedures to guard against loss, corruption, destruction, or misuse of data should be established.
- Accountability. A data controller should be designated and accountable for complying with the measures that give effect to the principles.

- Problem: the above principles describe the rights of individuals and NOT the protection of the data collected
- Solution:
  - Reduce data exposure: ask only for what is necessary
  - Reduce data sensitivity by interchanging data items
  - Anonymize data: remove or modify identifying information
  - Encrypt the data

- Covers data protection
- Applies to all personal data held anywhere in the government
- Examples:
  - Fair Credit Reporting Act (consumer credit)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Gramm-Leach-Bliley Act (GLBA) (financial services)
  - Children's Online Privacy Protection Act (COPPA)
  - Federal Educational Rights and Privacy Act

- Problems:
  - Target areas of the laws overlap, e.g. which law (if any) would require privacy protection of a university student's health center bills paid by credit card?
  - Gaps between laws, e.g. evolving technologies

- The Federal Trade Commission (FTC) has jurisdiction over websites
- Five privacy factors government websites must address in order to obey the Privacy Act:
  - Notice. Data collectors must disclose their information practices before collecting personal information from consumers.
  - Choice. Consumers must be given a choice as to whether and how personal information collected from them may be used.
  - Access. Consumers should be able to view and contest the accuracy and completeness of data collected about them.
  - Security. Data collectors must take reasonable steps to ensure that information collected from consumers is accurate and secure from unauthorized use.
  - Enforcement. A reliable mechanism must be in place to impose sanctions for noncompliance with these fair information practices.

- Federal government agencies post privacy policies on their websites to disclose:
  - information collected
  - reason for collecting the information
  - intended use of the information
  - whom the information will be shared with
  - notice or opportunities for consent
  - security of the information
  - the rights of the individual under the Privacy Act

- Some companies display solid and detailed privacy statements while others may not
- Privacy outside government is protected by other laws: credit, banking, education, healthcare

- The FTC can sue companies that engage in deceptive practices
- Example: in 2005 CartManager International, which runs web shopping cart software, was sued by the FTC because it sold customer data

- 1981: the Council of Europe adopted Convention 108 to protect individual data
- 1995: the European Union adopted Directive 95/46/EC, also called the European Privacy Directive

- Individual data should be:
  - processed fairly and lawfully
  - collected for specified, explicit and legitimate purposes
  - adequate, relevant, and not excessive in relation to the purposes for which they are collected
  - accurate
  - kept in a form that permits identification of data subjects for no longer than is necessary

- Also, individuals have the right to:
  - access data collected about them
  - correct inaccurate or incomplete data
  - have those corrections sent to those who have received the data

- Three more principles to the Fair Information Policies:
  - Greater restrictions on data collection and processing that involves "sensitive data": racial or ethnic origin, political opinions, religious beliefs, philosophical or ethical persuasion
  - Authorized users are restricted from transferring information to third parties without the permission of the data subject
  - Entities that process personal data should not only be accountable but should also be subject to independent oversight

- Following the September 11 terrorist attack, the U.S. collects data from the Passenger Name Record (PNR) maintained by airlines
- The U.S. asked Europe to supply PNR data within 15 minutes of a plane's departure to the U.S.
- In 2004, the European Commission and European Council accepted the request
- In 2006, the European Parliament and European Court of Justice objected on privacy grounds
- The U.S. could deny landing rights to airlines that refuse

- Anonymity: health issues, sexual orientation, etc.

- What are the implications of government access to data?
  - Misuse and violation of privacy rights through access to personal information
  - Data access risks: data errors, inaccurate linking of data, incorrect data and many more

- Data minimization: obtain the least data necessary
- Data anonymization
- Audit trail
- Security and controlled access
- Training
- Quality: determine the usefulness of data
- Restricted usage: uses should be consistent with the purpose of collecting the data
- Leave data in place with the original owner
- Policy

- Taking another person's identity
  - Credit card
  - Driver's license

- Authentication takes three forms:
  - Individual: birth certificate, passport/national ID
  - Identity: credit card, meal plan card, magnetic access card
  - Attributes: age to take alcohol or drive

- Data mining threatens privacy
- We can do data mining without sacrificing privacy
- How?
  - Swapping data fields to prevent linking records
  - Limited swapping balances accuracy and privacy
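The swapping idea above, worked through as an added example (this is not code from the slides or the textbook): a sensitive field is exchanged between randomly paired records, so someone who knows a person's zip code can no longer read that person's true salary, while column statistics such as the mean are untouched and only record-level relationships (here the age/salary correlation) pay the accuracy cost. All records, field names and the swap fraction are constructed for the example.

```python
import random
import statistics
from copy import deepcopy

# Constructed sample records (not real people): a quasi-identifier (zip),
# an analysis attribute (age) and a sensitive attribute (salary).
RECORDS = [
    {"zip": "60601", "age": 34, "salary": 52000},
    {"zip": "60602", "age": 45, "salary": 87000},
    {"zip": "60603", "age": 29, "salary": 41000},
    {"zip": "60604", "age": 51, "salary": 99000},
    {"zip": "60605", "age": 38, "salary": 63000},
    {"zip": "60606", "age": 42, "salary": 75000},
]


def swap_field(records, field, fraction, rng):
    """Return a copy of records in which `field` is exchanged between randomly
    chosen pairs.  `fraction` is the share of records taking part in a swap
    (0.0 = release unchanged, 1.0 = every record swapped with another)."""
    out = deepcopy(records)
    idx = list(range(len(out)))
    rng.shuffle(idx)
    n_pairs = int(len(out) * fraction) // 2
    for k in range(n_pairs):
        a, b = idx[2 * k], idx[2 * k + 1]
        out[a][field], out[b][field] = out[b][field], out[a][field]
    return out


def linkable(original, released, key, field):
    """Number of records for which someone who knows a person's `key` (here
    the zip code) still reads that person's true `field` from the release."""
    truth = {r[key]: r[field] for r in original}
    return sum(1 for r in released if truth[r[key]] == r[field])


def pearson(xs, ys):
    """Pearson correlation, written out so the block runs on any Python 3."""
    mx, my = statistics.mean(xs), statistics.mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def evaluate(fraction, seed=7):
    """Privacy (linkable records) and accuracy (mean and age/salary
    correlation) of a release produced with the given swap fraction."""
    released = swap_field(RECORDS, "salary", fraction, random.Random(seed))
    return {
        "linkable": linkable(RECORDS, released, "zip", "salary"),
        # a swap only permutes the column, so its mean never changes
        "mean_diff": abs(statistics.mean(r["salary"] for r in RECORDS)
                         - statistics.mean(r["salary"] for r in released)),
        # record-level relationships do change: this is the accuracy cost
        "corr_diff": abs(pearson([r["age"] for r in RECORDS],
                                 [r["salary"] for r in RECORDS])
                         - pearson([r["age"] for r in released],
                                   [r["salary"] for r in released])),
    }


if __name__ == "__main__":
    for f in (0.0, 0.5, 1.0):
        print(f"swap fraction {f}: {evaluate(f)}")
```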

- The Internet is the greatest threat to privacy
- Sophisticated web applications can know a lot about a user
- How do users lose privacy on the Internet?
  - User uncertain about the authenticity of the server
  - Payments over the Web
  - Credit card payments

- Payment schemes, e.g. PayPal
- Third-party ads: mortgages, banking, loans, etc.
- Site and portal registrations
- Contests and offers, used to get private information
- Technologies
  - Cookies: a text file stored on the user's computer and passed by the user's browser to the website when the user goes to that site
  - A cookie may contain the user's ID, password, a credit card number, the customer name and shipping address, the date of the last visit to the site, the number of items purchased or the dollar volume of purchases

- Spyware is a program or code designed to spy on a user, collecting data (including anything the user types)
- Keystroke loggers are programs that reside in a computer and record every key pressed.
- Keystroke loggers sometimes record only websites visited or, even more serious, only the keystrokes entered at a particular website (for example, the login ID and password to a banking site).

- Display selected ads in pop-up windows or in the main browser window
- Often selected according to the user's characteristics
- Usually installed as part of another piece of software without notice

- The privacy of an e-mail message can be compromised on either the sender's or the receiver's side
- Interception: e-mail is exposed from sender to receiver, and there are numerous points for interception. Without encryption it is difficult to prevent access along the way

- E-mail monitoring
  - Companies and organizations
  - Network admin
  - ISP
- Anonymous e-mail and remailers
  - Employees sending tips or complaints to management
  - People beginning personal relationships

- Simple remailers
  - A remailer is a trusted third party to whom you send an e-mail message and indicate to whom you want it sent
  - It strips off the sender's name and address, assigns an anonymous pseudonym as the sender, and forwards the message to the designated recipients
  - It removes the recipient's name and address from a reply and forwards it to the sender
  - It knows both sender and receiver, so it provides pseudonymity
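The exchange described above, as an added example (not code from the slides or the textbook): a simulated simple remailer forwards a tip under a pseudonym, routes the reply back, and exposes the one table that makes this pseudonymity rather than anonymity. Addresses, the `Message` class and the `SimpleRemailer` class are all constructed for the example.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Message:
    """A minimal e-mail: who it claims to be from, who it is addressed to, text."""
    sender: str
    recipient: str
    body: str


class SimpleRemailer:
    """Pseudonymous remailer: strips the real sender, substitutes a stable
    pseudonym, forwards the message, and routes replies to the pseudonym
    back to the real sender.  The mapping table is the whole secret: whoever
    holds it (the remailer, or anyone who obtains it) can link both sides."""

    def __init__(self, address="remailer@example.test"):
        self.address = address
        self.domain = address.split("@")[1]
        self._pseudonym_of = {}      # real sender -> pseudonym
        self._real_of = {}           # pseudonym -> real sender
        self._counter = itertools.count(1)

    def _pseudonym_for(self, sender):
        if sender not in self._pseudonym_of:
            p = f"anon{next(self._counter)}@{self.domain}"
            self._pseudonym_of[sender] = p
            self._real_of[p] = sender
        return self._pseudonym_of[sender]

    def forward(self, msg, final_recipient):
        """Sender -> remailer -> recipient.  The outgoing message carries only
        the pseudonym; the sender's name and address never leave the remailer."""
        if msg.recipient != self.address:
            raise ValueError("message was not addressed to this remailer")
        return Message(self._pseudonym_for(msg.sender), final_recipient, msg.body)

    def reply(self, msg):
        """Recipient -> remailer -> sender.  The reply is addressed to the
        pseudonym; the remailer removes the recipient's identity and delivers
        it to the real sender.  Replies to unknown pseudonyms are dropped."""
        real = self._real_of.get(msg.recipient)
        if real is None:
            return None
        return Message(self.address, real, msg.body)

    def linkage(self):
        """What the remailer itself knows: enough to de-pseudonymise everyone."""
        return dict(self._real_of)


def exchange():
    """Worked exchange: an employee sends a tip to management through the
    remailer and management answers without learning who wrote it."""
    rm = SimpleRemailer()
    tip = Message("alice@corp.test", rm.address, "Expense reports are being altered.")
    delivered = rm.forward(tip, "management@corp.test")
    answer = Message("management@corp.test", delivered.sender, "Thank you, we will look into it.")
    back = rm.reply(answer)
    return delivered, back, rm.linkage()
```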

- E-mail has very little authenticity protection
- The SMTP protocol does not verify the accuracy and legitimacy of the listed sender
- This facilitates spoofing of the source address, and hence spam, because it is difficult to trace the real sender
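As an added example of the point above (not from the slides or the textbook): SMTP carries the listed sender in two places, the envelope sender given in the MAIL FROM command and the From: header the reader sees, and verifies neither. The check below, a receiving-side heuristic assumed for this example, parses a constructed message and reports whether the two sender domains agree; the raw message and envelope address are made up.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample, as a receiving mail server sees it.  The envelope
# sender comes from the SMTP MAIL FROM command, not from the message, so a
# receiver has to carry it alongside the raw bytes.
RAW_MESSAGE = b"""From: "Accounts Team" <accounts@bank.example>
To: staff@corp.example
Subject: Quarterly statement
Message-ID: <constructed-0001@mailer.example>

Your statement is attached.
"""
ENVELOPE_SENDER = "bounces@bulk-mailer.example"   # constructed


def sender_domains(raw, envelope_sender):
    """Domain of the From: header the reader sees, and domain of the SMTP
    envelope sender.  SMTP verifies neither; they are simply what the
    sending side chose to write."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, header_addr = parseaddr(str(msg.get("From", "")))
    header_dom = header_addr.rpartition("@")[2].lower()
    env_dom = envelope_sender.rpartition("@")[2].lower()
    return header_dom, env_dom


def sender_aligned(raw, envelope_sender):
    """True when the visible From: domain matches the envelope sender domain.
    A mismatch is an indicator, not proof, that the listed sender is not the
    real sender: mailing lists and bulk senders also look like this, which is
    why receivers treat it as one signal among several."""
    header_dom, env_dom = sender_domains(raw, envelope_sender)
    return bool(header_dom) and header_dom == env_dom


if __name__ == "__main__":
    print(sender_domains(RAW_MESSAGE, ENVELOPE_SENDER))
    print("aligned:", sender_aligned(RAW_MESSAGE, ENVELOPE_SENDER))
```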

- RFID
- Electronic voting
- VoIP and Skype

- Uses small, low-power wireless radio transmitters called RFID tags
- Tags are tuned to a particular frequency and each has a unique ID number
- When a tag receives its signal, it sends its ID number signal in response
- Tags are passive: they have no power of their own but are powered up when they receive signals

- Uses of RFID tags
  - toll plaza payments
  - transit system fare cards
  - stock or inventory labels
  - passports and identity cards

- Privacy issues
  - Tracking individuals wherever they go
  - Discerning sensitive data about people: who they work for, medical condition (based on a medicine bottle), and finances
- Solutions
  - Disabling tags
  - Blocking/shielding from receivers
  - Reprogramming
  - Encryption

- Privacy issues
  - Who has voted for whom
  - Internet-related privacy issues

- Voice over IP (VoIP) is a protocol for transmission of voice-grade telephone traffic over the Internet
- Privacy issues
  - Who has voted for whom
  - Internet-related privacy issues