
1 Chap 10: Privacy in Computing

2
 Privacy as an aspect of security
 Authentication effects on privacy
 Privacy and the Internet
 Privacy implications for emerging technologies
SE571 Security in Computing, Dr. Ogara

3
 Privacy is the right to control who knows certain aspects about you, your communications, and your activities
 Information privacy has three aspects:
   sensitive data
   affected parties
   controlled disclosure

4
 personal identity information
 finances, credit, bank details
 medical information
 school records
 communications: mail, e-mail, telephone calls, spam
 illegal activities, criminal records

5
 Organizations need to protect personal information and sensitive data
 Companies
   product plans
   key customers
   profit margins
   newly discovered technologies
 Hospitals and schools
   personal data for patients and students

6
 Information collection: data are collected only with knowledge and explicit consent
 Information usage: data are used only for certain specified purposes
 Information retention: data are retained for only a set period of time
 Information disclosure: data are disclosed to only an authorized set of people

7
 Information security: appropriate mechanisms are used to ensure the protection of the data
 Access control: all modes of access to all forms of collected data are controlled
 Monitoring: logs are maintained showing all accesses to data
 Policy changes: less restrictive policies are never applied after the fact to already obtained data

8
 Examples:
   Job applicants asked to turn over their Facebook passwords
   Some employers are asking job applicants for Facebook username
   Fork over your Facebook log-on or you don't get hired. What?
   Facebook Warns Employers Not to Ask Job Applicants for Log-in

9
 All of the mobile phone companies keep details about the location of cell towers used by every phone, for a year or longer.
 All of the mobile phone companies keep records about voice calls and text messages received and sent for a year or longer. Verizon stores the contents of every text message for three to five days. (The others don't keep the text.)
 IP session information (tying your phone to an IP address) is kept for a year by Verizon and 60 days on Sprint and Nextel.
 IP destination information (which IP addresses you connected to) is stored for 90 days at Verizon and 60 days on Sprint and Nextel.
Source: http://www.infoworld.com/t/internet-privacy/mobile-phone-companies-keep-your-records-longer-you-think-175466

10
 Fair information policies
 U.S. privacy laws
 Controls on U.S. government websites
 Controls on commercial websites
 Non-U.S. privacy principles
 Anonymity, multiple identities
 Government and privacy
 Identity theft

11
 Collection limitation. Data should be obtained lawfully and fairly.
 Data quality. Data should be relevant to their purposes, accurate, complete, and up to date.
 Purpose specification. The purposes for which data will be used should be identified, and the data destroyed if no longer necessary to serve that purpose.
 Use limitation. Use for purposes other than those specified is authorized only with consent of the data subject or by authority of law.

12
 Openness. It should be possible to acquire information about the collection, storage, and use of personal data systems.
 Individual participation. The data subject normally has a right to access and to challenge data relating to her.
 Security safeguards. Procedures to guard against loss, corruption, destruction, or misuse of data should be established.
 Accountability. A data controller should be designated and accountable for complying with the measures that give effect to the principles.

13
 Problem: the above principles describe the rights of individuals and NOT the protection of the data collected
 Solution:
   Reduce data exposure: ask only for what is necessary
   Reduce data sensitivity by interchanging data items
   Anonymize data: remove or modify identifying information
   Encrypt the data

14
 Covers data protection
 Applies to all personal data held anywhere in the government
 Examples
   Fair Credit Reporting Act: consumer credit
   Health Insurance Portability and Accountability Act (HIPAA)
   Gramm–Leach–Bliley Act (GLBA): financial services
   Children’s Online Privacy Protection Act (COPPA)
   Federal Educational Rights and Privacy Act

15
 Problems
   Target areas of the laws overlap, e.g. which law (if any) would require privacy protection of a university student’s health center bills paid by credit card?
   Gaps between laws, e.g. evolving technologies

16
 The Federal Trade Commission (FTC) has jurisdiction over web sites
 Five privacy factors government websites must address in order to obey the Privacy Act:
   Notice. Data collectors must disclose their information practices before collecting personal information from consumers.
   Choice. Consumers must be given a choice as to whether and how personal information collected from them may be used.
   Access. Consumers should be able to view and contest the accuracy and completeness of data collected about them.
   Security. Data collectors must take reasonable steps to ensure that information collected from consumers is accurate and secure from unauthorized use.
   Enforcement. A reliable mechanism must be in place to impose sanctions for noncompliance with these fair information practices.

17
 Federal government agencies post privacy policies on their web sites to disclose:
   the information collected
   the reason for collecting the information
   the intended use of the information
   whom the information will be shared with
   notice or opportunities for consent
   the security of the information
   the rights of the individual under the Privacy Act

18
 Some companies display solid and detailed privacy statements, while others may not
 Privacy outside government is protected by other laws covering:
   credit
   banking
   education
   healthcare

19
 The FTC can sue companies that engage in deceptive practices
 Example: in 2005 CartManager International, which runs web shopping cart software, was sued by the FTC because it sold customer data

20
 1981: the Council of Europe adopted Convention 108 to protect individual data
 1995: the European Union adopted Directive 95/46/EC, also called the European Privacy Directive

21
 Individual data should be:
   processed fairly and lawfully
   collected for specified, explicit and legitimate purposes
   adequate, relevant, and not excessive in relation to the purposes for which they are collected
   accurate
   kept in a form that permits identification of data subjects for no longer than is necessary

22
 Also, individuals have the right to:
   access data collected about them
   correct inaccurate or incomplete data
   have those corrections sent to those who have received the data

23
 Three more principles added to the Fair Information Policies:
   Greater restrictions on data collection and processing that involves “sensitive data” (racial or ethnic origin, political opinions, religious beliefs, philosophical or ethical persuasion)
   Authorized users are restricted from transferring information to third parties without the permission of the data subject
   Entities that process personal data should not only be accountable but should also be subject to independent oversight

24
 Following the September 11 terrorist attacks, the U.S. collects data from the Passenger Name Record (PNR) maintained by airlines
 The U.S. asked Europe to supply PNR data within 15 minutes of a plane's departure to the U.S.
 In 2004, the European Commission and European Council accepted the request
 In 2006, the European Parliament and European Court of Justice objected on privacy grounds
 The U.S. could deny landing rights to airlines that refuse

25
 Anonymity
   health issues
   sexual orientation
   etc.

26
 What are the implications of government access to data?
   Misuse and violation of privacy rights through access to personal information
   Data access risks: data errors, inaccurate linking of data, incorrect data and many more

27
 Data minimization: obtain the least data necessary
 Data anonymization
 Audit trail
 Security and controlled access
 Training
 Quality: determine the usefulness of data
 Restricted usage: uses should be consistent with the purpose of collecting the data
 Leave data in place with the original owner
 Policy

28
 Taking another person’s identity
   credit card
   driver's license

29
 Authentication takes three forms:
   Individual: birth certificate, passport/national ID
   Identity: credit card, meal plan card, magnetic access card
   Attributes: age to drink alcohol or drive

30
 Data mining threatens privacy
 We can do data mining without sacrificing privacy
 How?
   Swapping data fields to prevent linking records
   Limited swapping balances accuracy and privacy
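Slide 13 ("reduce data sensitivity by interchanging data items") and slide 30 describe the same technique, so the added example below, which is not from the lecture, implements it once: it rotates the sensitive income field among a chosen fraction of constructed records, then measures the two sides of the trade-off the slide names, how often a join on the (zip, age) quasi-identifiers still recovers a person's true value, and how far the per-zip means drift for an analyst. The record layout, field names and sample values are constructed for illustration.

```python
import random
from statistics import mean

# Constructed sample rows (not from the slides): a direct identifier, the
# quasi-identifiers zip and age an outsider could re-link on, and income.
RECORDS = [
    ("alice", "60601", 34, 52000), ("bob", "60601", 41, 87000),
    ("carol", "60602", 29, 39000), ("dave", "60602", 52, 120000),
    ("erin", "60603", 45, 64000), ("frank", "60603", 38, 71000),
    ("grace", "60604", 61, 95000), ("heidi", "60604", 23, 31000),
]
ZIP, AGE, INCOME = 1, 2, 3

def swap_field(records, field, fraction, seed=0):
    """Rotate `field` among a random `fraction` of rows so each chosen row gets
    another row's value; the multiset of values, hence totals, is unchanged."""
    rng = random.Random(seed)
    rows = [list(r) for r in records]
    k = int(round(fraction * len(rows)))
    if k < 2:                      # swapping needs at least a pair
        return list(records)
    chosen = rng.sample(range(len(rows)), k)
    values = [rows[i][field] for i in chosen]
    for i, v in zip(chosen, values[1:] + values[:1]):
        rows[i][field] = v
    return [tuple(r) for r in rows]

def linkage_success(original, released, field):
    """Share of true values an attacker recovers by joining on (zip, age)."""
    lookup = {(r[ZIP], r[AGE]): r[field] for r in released}
    return sum(lookup[(r[ZIP], r[AGE])] == r[field] for r in original) / len(original)

def zip_means(records, field):
    zips = {r[ZIP] for r in records}
    return {z: mean(r[field] for r in records if r[ZIP] == z) for z in zips}

def utility_error(original, released, field):
    """Mean absolute error of the per-zip means: the analyst's cost."""
    a, b = zip_means(original, field), zip_means(released, field)
    return mean(abs(a[z] - b[z]) for z in a)

def tradeoff(fractions=(0.0, 0.25, 0.5, 1.0)):
    out = []
    for f in fractions:
        rel = swap_field(RECORDS, INCOME, f)
        out.append((f, linkage_success(RECORDS, rel, INCOME),
                    utility_error(RECORDS, rel, INCOME)))
    return out
```

`tradeoff()` returns one row per swap level; the overall mean income is identical at every level, while the linkage rate falls and the per-zip error grows as more records are swapped.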

31
 The Internet is the greatest threat to privacy
 Sophisticated web applications can learn a lot about a user
 How do users lose privacy on the Internet?
   Users are uncertain about the authenticity of the server
   Payments over the Web
   Credit card payments

32
 Payment schemes, e.g. PayPal
 Third-party ads: mortgages, banking, loans, etc.
 Site and portal registrations
 Contests and offers: used to get private information
 Technologies
   Cookies: a text file stored on the user’s computer and passed by the user’s browser to the web site when the user goes to that site
   A cookie may contain the user's ID, password, a credit card number, the customer name and shipping address, the date of the last visit to the site, the number of items purchased or the dollar volume of purchases

33
 Spyware is a program or code designed to spy on a user, collecting data (including anything the user types)
 Keystroke loggers are programs that reside in a computer and record every key pressed.
 Keystroke loggers sometimes record only web sites visited or, even more serious, only the keystrokes entered at a particular web site (for example, the login ID and password to a banking site).

34
 Displays selected ads in pop-up windows or in the main browser window
 Ads are often selected according to the user’s characteristics
 Usually installed as part of another piece of software without notice

35
 The privacy of an e-mail message can be compromised on either the sender’s or the receiver’s side
 Interception: e-mail is exposed from sender to receiver, and there are numerous points for interception. Without encryption it is difficult to prevent access along the way

36
 E-mail monitoring
   companies and organizations
   network admins
   ISPs
 Anonymous e-mail and remailers
   employees sending tips or complaints to management
   people beginning personal relationships

37
 Simple remailers
   A remailer is a trusted third party to whom you send an e-mail message and indicate to whom you want it sent
   It strips off the sender’s name and address, assigns an anonymous pseudonym as the sender, and forwards the message to the designated recipients
   It removes the recipient’s name and address from a reply and forwards it to the sender
   It knows both sender and receiver, so it provides pseudonymity
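The round trip on slide 37, as an added simulation that is not part of the lecture or of any real remailer: the outbound message leaves with a pseudonym in place of the sender, the reply addressed to that pseudonym is routed back with the replier's address removed, and the remailer's own table is the one place where the two real addresses are linked. Class and field names, the `remailer.example` domain and the sample addresses are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    body: str

@dataclass
class SimpleRemailer:
    """Pseudonymous remailer from the slide (hypothetical, not a real tool):
    it rewrites headers in both directions and holds the only table that
    links a pseudonym back to a real address."""
    domain: str = "remailer.example"
    table: dict = field(default_factory=dict)   # pseudonym -> real sender

    def pseudonym_for(self, real_sender):
        """Reuse an existing pseudonym for a sender, else mint a new one."""
        for pseudonym, real in self.table.items():
            if real == real_sender:
                return pseudonym
        pseudonym = f"anon{len(self.table) + 1}@{self.domain}"
        self.table[pseudonym] = real_sender
        return pseudonym

    def forward(self, msg):
        """Outbound: strip the real sender's address and substitute a pseudonym."""
        return Message(self.pseudonym_for(msg.sender), msg.recipient, msg.body)

    def reply(self, msg):
        """Inbound reply addressed to a pseudonym: deliver it to the real
        sender with the replier's address removed."""
        real = self.table.get(msg.recipient)
        if real is None:
            raise KeyError(f"no such pseudonym: {msg.recipient}")
        return Message(f"replies@{self.domain}", real, msg.body)

def exchange(remailer, tip):
    """One round trip (tip out, answer back); returns what each party sees."""
    out = remailer.forward(tip)
    answer = Message(out.recipient, out.sender, "Thanks, we will look into it.")
    back = remailer.reply(answer)
    return {"recipient_sees": out.sender,             # pseudonym only
            "sender_gets_reply_from": back.sender,    # the remailer, not the replier
            "remailer_can_link": remailer.table[out.sender] == tip.sender}
```

The `remailer_can_link` entry is the pseudonymity caveat from the slide: anyone who obtains the remailer's table, or who can watch both its inbound and outbound traffic, can undo the pseudonym.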

38
 E-mail has very little authenticity protection
 The SMTP protocol does not verify the accuracy and legitimacy of the listed sender
 This makes spoofing of the source address easy, and hence spam, because it is difficult to trace the real sender

39
 RFID
 Electronic voting
 VoIP and Skype

40
 Uses small, low-power wireless radio transmitters called RFID tags
 Tags are tuned to a particular frequency and each has a unique ID number
 When a tag receives its signal, it sends its ID number in response
 Tags are passive: they have no power of their own but are powered up when they receive signals

41
 Uses of RFID tags
   toll plaza payments
   transit system fare cards
   stock or inventory labels
   passports and identity cards

42
 Privacy issues
   Tracking individuals wherever they go
   Discerning sensitive data about people: whom you work for, medical condition (based on a medicine bottle), and finances
 Solutions
   Disabling tags
   Blocking/shielding from receivers
   Reprogramming
   Encryption

43
 Privacy issues
   Who has voted for whom
   Internet-related privacy issues

44
 Voice over IP (VoIP) is a protocol for the transmission of voice-grade telephone traffic over the Internet
 Privacy issues
   Who has voted for whom
   Internet-related privacy issues

