Privacy and Cybertechnology Privacy concerns affect many

aspects of an individual’s life – from commerce to healthcare to work.

We have categories such as: consumer privacy, medical/healthcare privacy, employee/workplace privacy.

1

Privacy and Cybertechnology (Continued) Privacy issues involving

cybertechnology affect each of us, whether or not we have ever owned or even used a networked computer.

Consider the information about us that can be acquired from our commercial transactions in a bank or in a store.

2

Privacy and Cybertechnology (Continued) The privacy of users who navigate the

Web solely for recreational purposes is also at risk.

Personal data about a user’s interests can be acquired by organizations whose need for this information is not always clear.

A user’s personal data acquired via his/her online activities can be sold to third parties.

3

Privacy and Cyberspace Are any privacy issues unique to

cybertechnology? Privacy concerns have been exacerbated by

cybertechnology in at least four ways, i.e., by the:1. amount of personal information that can now be

collected;2. speed at which personal information can now be

transferred and exchanged; 3. duration of time in which personal information

can now be retained;4. kind of personal information (such as

transactional information) that can be acquired.

4

What is Personal Privacy Privacy is a concept that is difficult to

define. We sometimes speak of an individual’s

privacy as something that can be: lost, diminished, intruded upon, invaded, violated, breached.

5

What is Privacy (continued)? Privacy is sometimes viewed as an

"all-or-nothing" concept (i.e., something that one either has (totally) or does not have).

Privacy is also sometimes viewed as something that can be diminished (i.e., as a repository of personal information that can be eroded gradually).

6

Classic Theories of Privacy Three classic theories have tended

to view privacy in terms of either: non-intrusion (accessibility privacy), non-interference (decisional privacy), control over/restricting access to one’s

personal information (Informational privacy ).

7

Non-intrusion Theory of Privacy

The non-intrusion theory views privacy as either:

being let alone, being free from government intrusion.

This view is also sometimes referred to as accessibility privacy.

8

Non-intrusion Theory of Privacy (Continued)

The rationale for the non-intrusion theory can be found in both:

the Fourth Amendment to the U.S. Constitution (i.e., search and seizure);

a seminal article on the right to privacy by Warren and Brandeis in the Harvard Law Review (1890).

9

Non-interference Theory of Privacy The non-interference theory views

privacy as freedom from interference in making decisions.

This theory emerged in the 1960s, following the Griswold v. Connecticut U.S. Supreme Court case in 1965.

This view of privacy is also sometimes referred to as decisional privacy.

10

The Control and Limited Access Theories of Informational Privacy Many people wish to control who has

access to their personal information. Many also wish to set up zones that can

restrict access to their personal data. Informational privacy concerns arose

because of issues involving personal information in computer databases.

11

Table 5-1: Three Views of Privacy

Accessibility Privacy Privacy is defined in terms of one's physically "being let alone," or freedom from intrusion into one's physical space.

Decisional Privacy Privacy is defined in terms of freedom from interference in one's choices and decisions.

Informational Privacy Privacy is defined as control over the flow of one's personal information, including the transfer and exchange of that information.

12

A Comprehensive Account of Privacy James Moor (2004) has framed a

theory of privacy that incorporates key elements of the three classic theories:

non-intrusion, non-interference, control over/restricted access to

personal information.

13

Moor’s Comprehensive Theory of Privacy

According to Moor: …an individual has privacy in a

situation if in that particular situation the individual is protected from intrusion, interference, and information access by others.

14

Moor’s Theory of Privacy (continued) A key element in Moor’s definition

is his notion of a situation, which can apply to a range of contexts or “zones.”

A situation can be an “activity,” “relationship,” or the “storage and access of information” in a computer or on the Internet.

15

Moor’s Privacy Theory (continued) Moor distinguishes between

“naturally private” (descriptive) and “normatively private” situations required for having:

(a) natural privacy (in a descriptive sense);

(b) a right to privacy (in a normative sense).

16

Moor’s Natural vs. Normative Privacy Distinction

Using Moor’s natural/normative privacy distinction, we can further differentiate between a:

loss of privacy, and a violation of privacy.

17

Two Scenarios Scenario 1: Someone walks into the

computer lab (at 11:30 PM when no one else is around) and sees you. Here, your privacy is lost but not

violated. Scenario 2: Someone peeps through

the keyhole of your apartment door and sees you using a computer. Your privacy is not only lost but is

violated.

18

Why is Privacy Important? What kind of value is privacy? Is it universally valued? Or is privacy valued mainly in

Western industrialized societies, where greater importance is placed on individuals?

19

Is Privacy an Intrinsic or Instrumental Value?

Is privacy something that is valued for its own sake – i.e., an intrinsic value?

Is it valued as a means to an end, in which case it has only instrumental worth?

20

Privacy as an Intrinsic vs. an Instrumental Value (Continued)

Privacy does not seem to be valued for its own sake, and thus is not an intrinsic value.

But privacy also seems to be more than an instrumental value because it is necessary (rather than merely contingent) for achieving important human ends.

21

Privacy as an Intrinsic or Instrumental Value (Continued)

Charles Fried (1990) notes that privacy is necessary for important human ends such as trust and friendship.

James Moor (2004) views privacy as an expression of a “core value” – viz., security, which is essential for human flourishing.

22

Privacy as a Universal Value Privacy has at least some value in all

societies, but it is not valued the same in all cultures.

It is less valued in non-Western nations, as well as in many rural societies.

It is also less valued in some democratic societies where security and safety are important (such as in Israel).

23

The Value of Privacy as a “Shield”

Judith DeCew (2006) notes that privacy acts as a “shield” by providing for freedom and independence.

Privacy also shields us from pressures that preclude self-expression and the development of relationships.

24

Privacy as a “Shield” (Continued)

DeCew believes that the loss of privacy leaves us vulnerable and threatened because we are likely to become:

more conformist, and less individualistic.

25

Privacy as a “Shield” (Continued)

DeCew notes that privacy also protects (i.e., shields) us from:

scrutiny, interference, coercion, pressure to conform.

26

Privacy as an Important Social Value James Rachels (1995) argues that

privacy is important for a diversity of relationships (from intimate to casual).

Priscilla Regan (1995) notes that we tend to underestimate the importance of privacy as an important social value (as well as an individual value).

27

Three Cybertechology-related Techniques that Threaten Privacy (1) data-gathering techniques used to collect

and record personal information, often without the knowledge and consent of users.

(2) data-exchanging techniques used to transfer and exchange personal data across and between computer databases, typically without the knowledge and consent of users.

(3) data-mining techniques used to search for patterns implicit in large databases in order to generate consumer profiles based on behavioral patterns discovered in certain groups.

28

Cybertechnology Techniques Used to Gather Personal Data Personal data has been gathered at

least since Roman times (census data). Roger Clarke (1994) uses the term

dataveillance to capture two techniques made possible by cybertechnology:

(a) surveillance (data-monitoring), (b) data-recording.

29

Dataveillance One’s physical movements while shopping

at a department store are monitored by video cameras.

Motorists are subject to highway surveillance because of scanning devices such as E-ZPass.

The number of "clickstreams" – i.e., key strokes and mouse clicks – entered by a Web site visitor can be monitored and recorded.

30

Internet Cookies as a Monitoring/ Surveillance Technique “Cookies” are files that Web sites send to

and retrieve from the computers of Web users.

Cookies technology enables Web site owners to collect data about those who access their sites.

With cookies, information about one’s online browsing preferences can be “captured” whenever a person visits a Web site.

31

Cookies (Continued) The data recorded via cookies is stored

on a file placed on the hard drive of the user's computer system.

The information can then be retrieved from the user's system and resubmitted to a Web site the next time the user accesses that site.

The exchange of data typically occurs without a user's knowledge and consent.

32

Can the Use of Cookies be Defended? Many Web sites that use cookies

maintain that they are performing a service for repeat users of a Web site by customizing a user's means of information retrieval.

Some also point out that, because of cookies, they are able to provide a user with a list of preferences for future visits to that Web site.

33

Arguments Against Cookies Some privacy advocates argue that

activities involving the monitoring and recording an individual's activities while visiting a Web site violates privacy.

Some also worry that information gathered about a user via cookies can eventually be acquired by or sold to online advertising agencies.

34

RFID Technology as a Surveillance Technique RFID (Radio Frequency IDentification)

consists of a tag (microchip) and a reader. The tag has an electronic circuit, which stores

data, and antenna that broadcasts data by radio waves in response to a signal from a reader.

The reader contains an antenna that receives the radio signal, and demodulator that transforms the analog radio into suitable data for any computer processing that will be done (Lockton and Rosenberg, 2005).

35

RFID Technology (Continued) RFID transponders in the form of “smart

labels” make it much easier to track inventory and protect goods from theft or imitation.

RFID technology also poses a significant threat to individual privacy.

Critics worry about the accumulation of RFID transaction data by RFID owners and how that data will be used in the future.

36

RFID Technology (Continued) Simpson Garfinkel (2004) notes that

roughly 40 million Americans carry some form of RFID device every day.

Privacy advocates note that RFID technology has been included in chips embedded in humans, which enables them to be tracked.

Review the VeriChip controversy (described in the textbook).

37

RFID Technology (Continued) Like Internet cookies (and other online

data gathering and surveillance techniques), RFID threatens individual privacy.

Unlike cookies, which track a user’s habits while visiting Web sites, RFID technology can track an individual’s location in the off-line world.

RFID technology introduces concerns involving “locational privacy.”

38

Cybertechnology and Government Surveillance As of 2005, cell phone companies are

required by the FCC to install a GPS (Global Positioning System) locator chip in all new cell phones.

This technology, which assists 911 operators, enables the location of a cell phone user to be tracked within 100 meters.

Privacy advocates worry that this information can also be used by the government to spy on individuals.

39

Computerized Merging and Matching Operations Computer merging is a technique of

extracting information from two or more unrelated databases and incorporating it into a composite file.

Computer merging occurs whenever two or more disparate pieces of information contained in separate databases are combined.

40

Computer Merging Suppose that you voluntarily give

information about yourself to three different organizations, by giving information about your:

1. income and credit history to a lending institution in order to secure a loan;

2. age and medical history to an insurance company to purchase life insurance;

3. views on certain social issues to a political organization you wish to join.

41

Computer Merging (continued) Each organization has a legitimate

need for information to make decisions about you, for example:

insurance companies have a legitimate need to know about your age and medical history before agreeing to sell you life insurance;

lending institutions have a legitimate need to know information about your income and credit history before agreeing to lend you money to purchase a house or a car.

42

Computer Merging (continued) Suppose that information about you in the

insurance company's database is merged with information about you in the lending institution's database or in the political organization's database.

When you gave certain information about yourself to three different organizations, you authorized each organization to have specific information about you.

However, it does not follow that you thereby authorized any one organization to have some combination of that information.

43

Computer Merging (continued) Review the case (in the textbook)

involving Double-Click (an online advertising company that attempted to purchase Abacus, Inc., an off-line database company).

Double-Click would have been able to merge on- and off-line records.

44

Computer Matching Computer matching is a variation

of computer merging. Matching is a technique that cross-

checks information in two or more databases that are typically unrelated to produce "matching records" or "hits."

45

Computer Matching (continued) In federal and state government

applications, computerized matching has been used by various agencies and departments to identify:

potential law violators; individuals who have actually broken

the law or who are suspected of having broken the law (welfare cheats, deadbeat parents, etc.).

46

Computer Matching (continued) Income tax records could be matched

against state motor vehicle registration records (looking for individuals reporting low incomes but owning expensive automobiles).

Consider an analogy in physical space where your mail is matched (and opened) by authorities to catch criminals suspected of communicating with your neighbors.

47

Computer Matching (continued) Some who defend matching argue: If you have nothing to hide, you have nothing

to worry about.

Others use the following kind of argument:

1. Privacy is a legal right.2. Legal rights are not absolute.3. When one violates the law (i.e., commits a

crime), one forfeits one's legal rights.

4. Therefore, criminals have forfeited their right to privacy.

48

Computer Matching (continued) At Super Bowl XXXV (January 2001), a

facial-recognition technology was used to scan the faces of individuals entering the stadium.

The digitized facial images were instantly matched against images contained in a centralized database of suspected criminals and terrorists.

This practice was, at the time, criticized by many civil-liberties proponents.

49

Data Mining Data mining involves the indirect

gathering of personal information through an analysis of implicit patterns discoverable in data.

Data-mining activities can generate new and sometimes non-obvious classifications or categories.

Individuals whose data is mined could become identified with or linked to certain newly created groups that they might never have imagined to exist.

50

Data Mining (Continued) Current privacy laws offer individuals no

protection regarding information about them that is acquired through data-mining activities is subsequently used.

Important decisions can be made about those individuals based on the patterns found in the mined personal data.

So some uses of data-mining technology raise special concerns for personal privacy.

51

Data Mining (Continued) Unlike personal data that resides in

explicit records in databases, information acquired about persons via data mining is often derived from implicit patterns in the data.

The patterns can suggest "new" facts, relationships, or associations about that person, such as that person's membership in a newly "discovered" category or group.

52

Data Mining (Continued) Much personal data collected and

used in data-mining applications is generally considered to be neither confidential nor intimate in nature.

So there is a tendency to presume that such data must by default be public data.

53

Data Mining (Continued) Consider a hypothetical scenario

involving Lee, a 35-year old executive: Lee applies for a car loan; Lee has an impeccable credit history; A data-mining algorithm “discovers” that

Lee belongs to a group of individuals likely to start their own business and also likely to declare bankruptcy;

Lee is denied the loan based on data mining.

54

Data Mining on the Internet Traditionally, most data mining was done

in large “data warehouses” (i.e., off-line). Now “intelligent agents,” such as

“softbots,” sift through and analyze the mounds of data on the Internet.

Metasearch engines also “crawl” through the Web to uncover general patterns from information retrieved from search-engine requests across multiple Web sites.

55

Table 5-2: Three Techniques Used to Manipulate Personal Data

Data Merging A data-exchanging process in which personal data from two or more sources is combined to create a "mosaic" of individuals that would not be discernable from the individual pieces of data alone.

Data Matching A technique in which two or more unrelated pieces of personal information are cross-referenced and compared to generate a match or "hit," that suggests a person's connection with two or more groups.

Data Mining A technique for "unearthing" implicit patterns in large databases or "data warehouses," revealing statistical data that associates individuals with non-obvious groups; user profiles can be constructed from these patterns.

56

Public vs. Non-Public Personal Information Non-Public Personal Information (or NPI)

refers to sensitive information such as in one’s financial and medical records.

NPI enjoys some legal protection.

Many privacy analysts are now concerned about a different kind of personal information called Public Personal Information (or PPI).

PPI is non-confidential and non-intimate in character, and is not legally protected.

57

Privacy Concerns Affecting PPI Why does the collection of PPI generate

privacy concerns? Suppose someone finds out that that you

are a student at Technical University, you frequently attend university basketball games, and you are actively involved in your university’s computer science club.

In one sense, the information is personal because it is about you (as a person);but it is also about what you do in the public sphere.

58

PPI (Continued) In the past, it was assumed that there

was no need to protect the kind of information we now call PPI because it is public information.

Helen Nissenbaum (2004) believes that our assumptions about the need to protect “privacy in public” are no longer tenable because of a misleading assumption:  There is a realm of public information about persons

to which no privacy norms apply.

59

PPI (Continued) Consider two hypothetical

scenarios (described in the textbook):

(a) shopping at Supermart; (b) shopping at Nile.com. Both reveal problems of protecting

privacy in public, in an era of cybertechnology and data mining.

60

Search Engines and Personal Information Search facilities can be used to acquire

personal information about individuals. Search engines can be used to: stalk individuals (as in the Amy Boyer case); reveal which Web sites you have visited (as

in the Google vs. Bush Administration case where users’ search requests were subpoenaed by the U.S. Government).

61

Accessing Public Records via the Internet What are public records, and why do

we have them? In the past, one had to go to municipal

buildings to get public records. In the Amy Boyer case, would it have

made a difference if Youens had to go to a municipal building to get records?

62

Accessing Public Records via the Internet (continued) Some “information merchants” believe

that because public records are, by definition, "public," they should be available online.

They use the following kind of reasoning:1. Public records have always been available to

the public.2. Public records reside in public space.3. Cyberspace is a public space. .4. Therefore, all public records ought to be

made available online.

63

Accessing Public Records via the Internet (continued) Review two case illustrations (in the

textbook): 1) The State of Oregon’s Motor Vehicle Department

(selling information about license plate numbers for state residents to an e-commerce site);

2) The city of Merrimack, NH (making home property records, and layouts of houses, available online).

Should those records have been made available online to the public?

64

Can Technology Be Used to Protect Personal Privacy? Privacy advocates argue for

stronger privacy legislation. E-commerce groups oppose strong

privacy laws and lobby instead for voluntary industry self-regulation.

Do Privacy Enhancing Tools, or PETs, provide a compromise solution?

65

Privacy Enhancing Technologies (PETs)

PETs are tools that users can employ to protect:

(a) their personal identity, while navigating the Web;

(b) the privacy of communications (such as email) sent over the Internet.

66

PETs (Continued) Three challenges involving

PETs include: (1) educating users about the existence

of these tools; (2) adhering to the principle of informed

consent when using these tools; (3) addressing issues of social equity.

67

Educating Users About PETs How are Users supposed to find

about PETs? With PETs, the default is that users

must discover their existence and learn how to use them.

Is that a reasonable expectation?

68

PETS and the Problem of Informed Consent Users can enter into an agreement with Web

site owners who have a privacy policy. Users have to “opt out” of having

information about them collected – the default is that they opt in, unless users specify otherwise.

PETs don’t always protect a user’s personal information from secondary and future uses (e.g., as in the Toysmart case).

69

PETS and Social Equity Poorer people may have fewer options

when it comes to retaining privacy. Some poor people may need to sell

their personal information to purchase items at a discount or get a rebate.

We may someday have two classes: “privacy rich” and “privacy poor.”

70

Privacy Legislation and Industry Self-Regulation Can industry adequately self-

regulate privacy through voluntary controls, instead of strong privacy legislation?

Recall the Toysmart.com case (described in the textbook).

What kinds of assurances do online consumers need regarding their privacy?

71

Privacy Laws and Data Protection

Privacy laws and data-protection principles in Europe and the U.S. include the:

European Union (EU) 1995 Privacy Directive; U.S. Privacy Act of 1974, and HIPAA (Health

Insurance Portability and Accountability Act).

72

Comprehensive Privacy Proposals Roger Clarke (1999) advocates

for a “co-regulatory” privacy scheme, which includes:

strong legislation; a privacy oversight commission; industry self-regulation.

73

Clarke’s Privacy Scheme (Continued)

Clarke believes that his scheme must also be accompanied by:

privacy-enhancing technologies, a “privacy watchdog agency,” sanctions.

74

DeCew’s Comprehensive Privacy Proposal DeCew (2006) has a comprehensive

model, which has three objectives: 1. preserving anonymity of data when at

all possible; 2. establishing fair procedures for

obtaining data, requiring that proposed collections of data have both relevance and purpose;

3. specifying the legitimate conditions of authorized access.

75

DeCew’s Privacy Model (Continued) DeCew’s model would also: (a) require that data collected for one

purpose not be used for another purpose or shared with others without the consent of the subject;

(b) limit the retention time of data to what is necessary for the original purpose of the data collection.

76