Privacy

Privacy

• Definition: privacy is the power to control what other people know about you. More specifically, it's about controlling personal information that is true. It's illegal for others to spread false information about you (defamation).
• There are two categories of private truths.
  1. Those things we voluntarily give out (name, age, address, phone number, salary, tastes in books, tastes in movies, etc)
  2. Those things we choose to keep private (What we say in private telephone conversations, what we do in the privacy of our homes, etc)
• Why are we talking about privacy in a computer class? Computers make category #1 above much more vulnerable. With little effort it's easy to find information about a person over the Internet. If you're willing to bend a few laws other information is readily available.
• How much control of information that you willingly give to others do you have? Not much. There is the Video Privacy Protection Act of 1988 that makes it a crime to pass along the video rental records of an individual, but much of the other information you willing give out can be bought and sold. Why the video law? (Judge Robert Bork) There are few laws that protect information you voluntarily give out.
• The law has not caught up with technology. Historically, it has been hard to collect and organize this public data.
• Sometimes data can be combined to reveal new information. (It is illegal to record a phone call without a warrant. But, what if someone recorded who you called, the frequency of the calls, the duration of the calls, the time of day, etc. All those together may be just as revealing as a wire tap.)
• You are entitled by law to a "reasonable expectation" of privacy.
  • 1968 it was decided you have a reasonable expectation of privacy when talking on the phone.
  • 1986 the Electronic Communications Privacy Act (ECPA) broadened the protection to private electronic communications.
  • Now covers all forms of digital communications
  • Now prohibits unauthorized eavesdropping by all persons and businesses, not only the government
  • Now prohibits unauthorized access to messages stored in a computer and transmission of messages
  • Operators can't intercept messages during transmissions but can read stored messages
  •  
• ECPA makes it illegal (with some exceptions) for an individual or the government to intercept or disclose private electronic communications.
• ECPA extends privacy protection provided in earlier legislation to apply to radio paging devices, electronic mail, cellular telephones, private communication carriers, and computer transmissions.
• Wiretapping without a warrant is considered unreasonable search and seizure. (1968 Omnibus Crime Control and Safe Streets Act)
• ECPA:
  • Covers all forms of communication
  • Prohibits unauthorized eavesdropping by all persons and businesses, not only the government
  • Prohibits unauthorized access to messages in storage on a computer system
  • Transactional information is not covered
• You are not covered if your employer demonstrates that a business use was the reason for the interception and that monitoring was conducted within the ordinary course of business.
• Electronic Communications Privacy Act (ECPA), Timothy McVeigh (no relation to Oklahoma City Bombing suspect) and AOL. AOL disclosed screen name for McVeigh and this information was used to justify a Discharge from the Navy. ECPA prevents government agencies from obtaining private information without going through the legal system. (ECPA doesn't address nongovernment entities in this regard). AOL and others have strong privacy policies that prevent giving out users' information. It's not, however, required by law.
• Three types of information related to Internet communication that raises privacy concerns:
  1. Private messages
  2. Personal information you share with Internet service provider
  3. Information about your habits online. ie what web sites you visit, what news groups you read, etc
• ECPA addresses #1 above
• Laws protecting information of type #2 apply based on the type of service provider. For example, cable and phone companies can't reveal type #2 information. AOL and "private" ISP's can do what they want.
• Cable and phone companies are restricted from revealing type #3 information. No laws covering ISP's on type 3 information.
• Laws restrict cable operators the most. Phone companies are a close second. Today there is little regulation and few laws that apply to ISP's.
• (Ref for info above.)
• No explicit right to privacy in the U.S. Constitution
• First Amendment - right to anonymity = the right to withhold speech identifying oneself. Right to free assemblage, organizations don't have to give out member lists.
• The Fourth Amendment applies when we have a reasonable expectation of privacy. The text of the amendment reads: "The right of people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath and affirmation, and particularly describing the place to be searched, and the persons or things to be seized." Applying the fourth amendment to computer discovery is problematic because it is difficult to describe with particularity the thing to be seized.
• Some state constitutions grant individuals an explicit right to privacy.
• Constitution protects you from government. Common law protects you from others.
  • Tort law involves wrongs committed by one person to another (invasion of privacy)
  • Contract law involves agreements between parties (explicit and implicit)
•  
• Discuss anonymity, pseudonymity, and traceability. Anonymity - your activities can't be traced back to you. You make up a name each time you initiate a correspondence. Pseudonymity - You use one persona for all your communications. This persona can't be traced back to you.  Traceability - if necessary is it possible to trace an anonymous communication or one that occurred under a pseudonym. Can you recognize the subtlety here? There is less accountability with an anonymous communication. You might be more careful when communicating under a pseudonym so as not to bias your online persona.
• Value of privacy:
  1. Vulnerability - privacy is important because you could be vulnerable if someone found out something about you you wanted to keep private.
  2. Chilling Effect - Without privacy there would be no freedom to experiment with things that are out of the mainstream or unpopular. Without this freedom, there is social pressure towards the middle. There is value in unconventional thought.
• Danny Lee Kyllo case (Kyllo vs. US). Government can't use infrared cameras to look into your home without a search warrant. It's an unreasonable search barred by the 4th amendment. They used information from infrared cameras to get a search warrant. Danny had the expectation of privacy because this equipment wasn't readily available. Also, the details revealed by the camera would have been otherwise unknowable without a physical search. (They probably couldn't have gotten a warrant to search because there wasn't enough evidence.) These cases hinge on the question of if there is a "subjective expectation of privacy?"
• Can't listen in on a phone call by measuring the vibrations of the glass from the outside. Drug sniffing dogs don't violate someone's privacy.
•  

Financial Services Modernization Act of 1999

• Banks allowed to merge with insurance companies, etc
• Requires banks to offer "opt-out" of the disclosure of individual's personal information to unaffiliated entities, but provides no protection when banks share customer data with affiliates or with third parties for joint marketing activities.
•  

Notes from handout discussion:

• Why is privacy important? First, there are obvious situations when something is to be gained or loss:
  1. Protect personal interest in competitive situations. Example, high school debating team should be allowed to prepare in private
  2. Avoid embarrassing situations.
  3. Medical records. Could lead to discrimination
  4. Irrelevant information. i.e. political persuasion.
  5. Lack of privacy may have a chilling effect on freedom to experiment outside of mainstream culture or what is considered the norm.
• Privacy is also important in ordinary situations. It's needed to maintain different social relationships. You need to be able to control who has access to what information about you so you can control the patterns of behavior that are necessary to maintain specific relationships.

Other notes:

• Give an example of how technology has conspired to reduce privacy. (1890 newspapers created a market for gossip. Privacy of well-known people were invaded. It's easy to store/transmit/process databases of information. Internet.)
• Name some ways private information about you can be gotten.
  • Motor vehicle registration
  • Voter registration
  • Credit reporting agencies
  • Filling out forms on the Internet

• Needs to be a balance between public's presumed right to know and individual's right to privacy.
• Re-massaged information = information collected for one purpose but used for another
• Also, data base matching or combining information from multiple data bases
• What prevents credit reporting agencies from selling your personal data? (Not legislation.)
• There is a federal law prohibiting states from sharing motor vehicle registration information with certain exceptions. One is the opt-out provisions states may elect. For example, in Missouri all info is shared with the public unless you the driver opt not to have your information shared.
• Why does it take time for privacy laws to catch up with technology? It could be that privacy threats are invisible/subtle, privacy protections are not.
•  

Cryptography and US Cryptography Export Policy

• What is encryption? What is the good and the bad consequences of having access to encryption? Encryption is good when you are using it but bad when someone else is.

• Distributed systems over public networks. Extranets rely on encryption. An Extranet is what is created when you connect two Intranets over the Internet.

• Complex problem and issues.

• Example: Many products you download over the Internet have "40 bit Standard Encryption" and "128 bit Strong Encryption" (strong encryption available in US and Canada only)

• What is strong encryption? (128 bit key length) Longer key length means it takes a longer time to break the code.

• What are key recovery encryption schemes? Keys are held in escro by a trusted third party. Who do you trust?

• Goals: Promotes commerce, supports law enforcement and national security, and protects privacy. Sometimes at odds.

• Those responsible for law enforcement should be able to eavesdrop on communications that support criminal activity.

• Export policy on strong encryption: Was,

  • U.S. companies are restricted from exporting any encryption with a key length over 40-bits.

  • 56-bit encryption may be shipped overseas as long as vendors agree to "backdoor key recovery,"

  • 128-bit encryption allowed for some industries like banking

  • Foreign companies can sell what ever they want. "foreign companies are not just eating our lunch, but all three meals..." --Senator Ron Wyden.

• Now,

  • S/W companies can export strong encryption for key industries without having a provision for key recovery

  • Can export 56-bit encryption without key recovery provisions

• Issues followed by corporate community and the privacy community.

Other

• Communications Assistance for Law Enforcement Act (CALEA) (1994) - attempt to restore ability to intercept communications in the digital age.  CALEA requires telephone firms to make it easy to wiretap the nation's communication system. Deadline extended until year 2000.

• Privacy Act of 1974 - protects records held by U.S. Government agencies, allows disclosure of personal information for "routine use" compatible with the purpose for which it was originally collected.

• Intel Pentium III and processor serial numbers.

• Internet Worm, 1988 -

• IP Logging - Every web site can log the IP address of the computer you are using. Some day you may enter your name or other personal information at a web site. This could tie you to your IP address.

"Enemy of the State" Comparison Points

Resources

• Privacy Rights Clearing House
  • http://www.privacyrights.org/fs/
• Electronic Privacy Information Center (EPIC)
  • http://www.epic.org/
• Class notes from classes on cyberspace law, copyright, civil procedure, and intellectual property.
  • http://www.lclark.edu/~loren/cyberlaw97/index.html
• Electronic Civil Liberties on the Net: Resources and Publications (Jean Camp, Harvard)
  • http://ksghome.harvard.edu/~.jcamp.academic.ksg/civlib.html
• A Framework for Privacy Protection (MIT Student Paper) Nice reference
  • http://www-swiss.ai.mit.edu/6805/student-papers/fall98-papers/privacy/privacy.html
• The Ethics of Information: Protecting Privacy in the Computer Age
  • http://www.cs.uwyo.edu/~rex/privacy.html
• American Rights, know what your rights are as an American
  • Click Here
• Patriot Act: USA Patriot Act Info at Library of Congress
  • http://thomas.loc.gov/cgi-bin/query/z?c107:h.r.2975:
  • http://thomas.loc.gov/cgi-bin/bdquery/z?d107:h.r.03162:
• Patriot Act: ACLU Summary and Comments on USA Patriot Act
  • http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=12126&c=207&Type=s
• Patriot II Act: Electronic Privacy Information Center (EPIC), Patriot II Draft and related links.
  • http://www.epic.org/privacy/terrorism/patriot2.html
• Patriot II Act: