Introduction to Privacy Todd Ritchie
1
What is Privacy? “[T]he content of privacy cannot be captured if we focus exclusively on either information, access, or intimate decisions because privacy involves all three areas. . . privacy’s content covers intimate information, access, and decisions.” – Julie Inness 2
What is Privacy? • Control over access to personal, intimate information • Control over what is personal, intimate information • Control over decisions made based on this information
3
Modernizing Privacy Todd Ritchie
4
Privacy concerns ... • SIN, medical records, tax records … these are personal but not intimate • Sexuality, religion, relationships … these are personal and intimate • Why are these concerns? 5
Dangers • Monetary: Blackmail, fraud • Social: Embarrassment • Physical: Threats
6
Monetary dangers • Blackmail: Paying money to avoid information leaking with likely negative consequence. • For example: Pay someone to prevent them from publishing embarassing photos
7
Monetary dangers • Fraud: Illicit use of information or misrepresentation • In privacy's scope: Identity theft • Not in privacy's scope: Lying on your taxes
8
Social dangers • Embarrassment • For example: Taboo relationships (interracial, interreligious) • Taboo behaviours (intoxicated photos on Facebook) 9
Physical dangers • Threat to person • For example: FindARat.com exposing undercover agents to threats from criminals using publicly accessible court documents
10
Privacy Laws • Two kinds: Privacy law dealing with the government, privacy law dealing with private entities • Privacy Act deals with federal government, PIPEDA deals with private entities • In general, you can only collect information you need 11
Control • Privacy is about control: You can manage risk. We all decide on risk vs. privacy tradeoff in security matters. • Airmiles takes your purchase history, Facebook takes your date of birth • Once information is no longer needed, it has to be made anonymous • Sexual predator registry is a tradeoff 12
Problems with Privacy Laws • Not enough investigative authority • Doesn't deal with cross-border leak concerns at the private level • Only deals with information at a “personal level” • No breach notification
13
Not enough authority • Could not investigate Abika.com • Abika.com did not break US law, but broke Canadian law • Required presence in Canada but did not have power investigate
14
Cross-border information leak • Comparatively relaxed wiretap laws in US and UK • Tax records and e-mail are often stored in United States • Bell Nexxia outsources Deep Packet Inspection management to India
15
“Individual level” • Aggregate data is considered safe • AOL taught us it is not always • Oversight is needed
16
Breach notification • What if an e-merchant is broken into and millions of credit card records are stolen? • It happened to HBC • HBC did not have to tell anyone, they did but waited too long, thousands were victimized
17