Slides from Class 3

Uploaded 30 Nov 2013

Class 3

April 6, 2012

Part 1: IT Policies

Part 2: IT Policies: Personally Identifiable Information

Privacy concerns

National Association of State Chief Information
Officers (NASCIO):

Privacy is a particularly daunting challenge for state
governments, because citizens have an expectation of
openness and transparency. Yet, at the same time,
states must foster citizens' trust by ensuring that their
private information remains that way.

Privacy concerns

Privacy issues are pervasive in e-government

Governments gather large amounts of private data (e.g. Social Security
information, health information, driver's license information)

Data once collected can be mined (i.e. patterns or habits
could be identified)

Data mining is most common for security purposes (terrorism threats)

Reports of local governments losing data on private
citizens (or unknowingly publishing the data) exist

104 military and government breaches in 2010, with 1.9 million
personal records released

79.4 million records released

Privacy concerns

Business still accounted for most breaches; other sectors affected:

Medical and healthcare facilities

Federal/State agencies and military

Educational institutions

Banking industry

Source at:

Computer Surveillance

Mass surveillance was once impractical because of the cost and effort
of carrying it out

The central issue of electronic surveillance is how the
laws governing surveillance are used and enforced.

Do law enforcement agencies follow the traditional model of
investigation after a crime, or do they use technology for
surveillance in an attempt to prevent crime?
Traditional model:

Evidence of crime obtained

Investigation ensues

Warrant sought from judge for surveillance of particular
individuals for good cause

Computer Surveillance

Traditional model altered by electronic surveillance

Lyon (2002): "surveillance as social sorting"

Online profiling, smart cards, biometrics and closed-circuit television
create a new model of law enforcement.

New model:

Law enforcement has no evidence of a crime, but has an interest in a
particular type of crime and knowledge of its indicators

Mass surveillance looking for indicators

no warrant required

Social sorting (filtering and profiling) to identify specific
suspects who become targets of more intensive surveillance

warrant still may not be required under Patriot Act

Computer Surveillance

Technological determinists argue that warranted surveillance is
replaced by mass unwarranted surveillance through the force of
technology alone.

Panopticon concept (Jeremy Bentham; Michel Foucault)

Complete compliance with rules due to total surveillance

Ideal prison where compliance is guaranteed by an inescapable,
clear view of every inmate

Privacy is an issue because people have good reason to believe that
data collected on them for one purpose may be appropriated and used
for altogether different purposes
Computer Surveillance

Employees generally do not have privacy rights at work

Agency policies clearly define employees' rights and the lack of
privacy with respect to activities conducted on agency computer systems

Splash screens (logon banners) are used to remind employees at each logon
Privacy Legislation

Katz v. United States (1967)

Held that warrantless electronic eavesdropping (on a public phone booth)
is a search under the Fourth Amendment; the test is whether there is a
"reasonable expectation of privacy"

Long-term surveillance was a violation of the Fourth Amendment

Short-term surveillance generally met the test of constitutionality if
prior judicial approval was obtained

Privacy Act, 1974 [amended: Computer Matching and Privacy
Protection Act, 1988]

Regulates Federal agencies' record-keeping and disclosure practices

Individuals can seek access to Federal agency records about themselves

Stated purpose: requires that agencies obtain information directly from
the subject, and that information gathered for one purpose may not be
used for another purpose

Civil remedies for individuals whose rights may have been violated

Provides that the subject may challenge the accuracy of the records

Privacy Legislation

Privacy Act, 1974 [amended: Computer Matching and Privacy
Protection Act, 1988] (continued)

Requires that each Federal agency publish a description of each system of
records maintained by the agency that contains personal information.

Restricts the disclosure of personally identifiable information

Case of Terry Dean Rogan: identity stolen by a state prison escapee.
Arrested five times because his identity was associated with the
criminal. Not unique; quite a few similar situations. Ultimately sued
and was compensated. The National Crime Information Center database was
updated with a field to indicate use of stolen identities, to prevent
future occurrences. Lesson: too little information is the problem
rather than too much.

Some agencies are specifically prohibited by law from disseminating
individual-level information, such as the IRS, Census Bureau and Social
Security Administration. At the state level, the same applies to the
Department of Revenue (DOR).

Exceptions for publicizing tax cheats, pedophiles, sex offenders, criminal
records, etc. Some are not statutory, but accepted as exceptions.

Privacy Legislation

Communications Assistance for Law Enforcement Act of
1994 (CALEA)

Intended to preserve the ability of law enforcement to conduct electronic
surveillance by requiring that telecommunications carriers and
manufacturers modify and design their equipment, facilities, and services
to ensure they have the necessary surveillance capabilities.

Purpose: conduct lawfully authorized electronic surveillance while
preserving public safety, the right to privacy, and telecom
competitiveness

Requires telecommunications carriers to ensure:

Expeditious isolation and interception of communications content;

Expeditious isolation and access to call-identifying information;

Delivery of communications content and call-identifying information;

Unobtrusive interception and access to call-identifying information;

Protection of the privacy and security of communications not
authorized to be intercepted.

Telecom carriers: common carriers, broadband providers, and VoIP providers

Privacy Legislation

Patriot Act, 2001

Enables government to monitor telephone and e-mail communications, and
medical, financial, and other records

Also partially repealed laws against domestic spying and allowed
government to monitor Web surfing, obtain records from ISPs, and use
roving wiretaps to monitor phone calls. NOT limited to terrorism:

Can monitor legitimate protest groups

Monitor computer network traffic without court order

Take DNA from anyone convicted of a crime of violence (e.g. scuffling in a
protest march)

Wiretapping anyone SUSPECTED of violating the Computer Fraud and
Abuse Act

Authorizes "sneak and peek" search warrants for any federal crime,
including misdemeanors. Officers can enter private premises without
informing occupants or obtaining permission, and do not have to inform
absent occupants that a search was conducted.

Essentially, Patriot Act applies lower standards of privacy under the Foreign
Intelligence Surveillance Act domestically to U.S. citizens

Privacy Legislation

Patriot Act, 2001


763 sneak-and-peek warrants were issued in 2008

3 were issued in relation to alleged terrorist offenses

62% were issued to investigate drug-trafficking offenses

Agency Data Sharing and Matching

Some agencies are specifically prohibited from disclosing
individual-level data (US Census Bureau and IRS)

Organization for Economic Co-operation and Development (OECD) Code of
Information Practices

Collection Limitation Principle

Limits on the collection of personal data; data should be obtained by
lawful and fair means and, where possible, with the consent of the subject.

Data Quality Principle

Personal data should be relevant to the purpose for which it is collected,
and should be accurate, complete, and kept up to date.

Purpose Specification Principle

The purpose of personal data collection should be specified at the time of
collection, and subsequent use limited to those purposes or to compatible
purposes specified on each change of purpose.

Use Limitation Principle

Personal data should not be disclosed, made available or otherwise used for
purposes other than those specified under the Purpose Specification
Principle unless the consent of the subject is obtained or unless required
under authority of law.

Agency Data Sharing and Matching

Organization for Economic Co-operation and Development (OECD) Code of
Information Practices (continued)

Security Standards Principle

Personal data should be protected by reasonable security safeguards.

Openness Principle

Policy of openness about developments, practices, and policies related to
personal data. It should be easy to establish the existence and nature of
personal data, the purpose of its use, and the identity and residence of
the individual responsible for controlling the data (the data controller).

Individual Participation Principle

An individual should be able to obtain confirmation of whether or not the
controller has data relating to him; have the data provided to him at
reasonable cost; be able to challenge any denial; and be able to challenge
data related to him.

Accountability Principle

The data controller should be accountable for complying with the above
measures.

Privacy Impact Statements

Federal agencies are required to post a privacy impact statement

Some countries require privacy impact studies and statements in
conjunction with creation of new IT projects

Canada is a leader in this effort

OMB Guidelines for Privacy Impact

What information is to be collected?

Why is the information collected and who will be affected?

What notice of opportunities for consent is provided?

What security protocols are in place?

Does this program create a new system of records under the Privacy Act?

What is the intended use of the information?

Privacy Impact Statements

OMB Guidelines for Privacy Impact (continued)

Will the information be retained and for what period?

How will the public be able to seek redress?

What databases will names be run against?

Privacy effects and mitigation measures?

Since FY 2005, all federal agencies have been required to submit privacy
assessments of major IT systems with their annual business case
submissions.

The National ID Controversy

National ID cards have been suggested as a solution to better
security at airports and other public facilities, reduction of voter
fraud, and identity theft

There has traditionally been resistance to the idea due to negative
historical connotations associated with totalitarian regimes

Real ID Act, 2005

Uniform federal guidelines on driver license/ identification (DL/ID)
standards and issuance procedures

DL/ID standards: At a minimum, a state shall include the following:
(1) person's full legal name, (2) person's date of birth, (3) person's
gender, (4) DL/ID number, (5) digital photograph, (6) person's
address of legal residence, (7) person's signature, (8) physical
security features designed to prevent tampering, counterfeiting or
duplication for fraudulent purposes, and (9) a common machine-readable
technology with defined data elements

The National ID Controversy

Real ID Act, 2005 (continued)

DL/ID issuance procedures: ID is issued based on: (1) a photo identity
document (except that a non-photo identity document is acceptable if it
includes both the person's full legal name and date of birth); (2)
documentation showing the person's date of birth; (3) proof of the
person's Social Security account number (SSN) or verification that the
person is not eligible for an SSN; (4) documentation showing the
person's name and address of principal residence

The National ID Controversy

Kent and Millett (2002) list numerous policy problems associated
with implementation of a national ID system

How intrusive will national IDs be? Just for authentication, or data
retained to track transactions? Required for commercial transactions?

Who could use the data? Agencies? Corporations? Individuals?

Would it be mandatory or voluntary?

What rights would exist to see your data and have it corrected?

What penalties would exist for abuse of the system?

How could we prevent forgeries, given current forgery capabilities
(currency and passports)?

Little evidence that national ID cards have an impact in prevention
of attacks where used. Terrorists have used tourist visas (9/11) or
have legitimate ID cards (Madrid bombings).

Other Privacy issues


A major source of loss of privacy is the commercial sector:
private corporations trade SSNs, purchasing-pattern information,
and many other types of personal information gathered from the
Internet and other sources

IT makes the commoditization of personal information relatively easy

Private sector data mining

Credit card companies and other companies (e.g. Amazon) track
spending behavior.

Rare to see cases against corporations for privacy violations.
Corporations do with impunity what government cannot do.

Part 2: IT Policies: Personally Identifiable Information

Personally Identifiable Information

Any information about an individual maintained by an agency

Any information that can be used to distinguish or trace an
individual's identity, e.g., name, Social Security number

Any information that is linked or linkable to an individual, e.g.,
medical, educational, employment info

“Linked” information is that which is logically associated with
other information about the individual

“Linkable” information is information for which there is a
possibility of logical association

Personally Identifiable Information

Example of linked and linkable:

PII exists on two databases, so someone with access to
both may be able to link the data. If the secondary
information is on the same system or related system and
does not have security to segregate the two databases,
then they are linked. If the secondary data is remote or
available in public records, or is otherwise easily
obtainable, then the information is linkable.

Source of information on PII

NIST Special Publication 800-122, Guide to Protecting the
Confidentiality of Personally Identifiable Information (PII)

Personally Identifiable Information

Examples of PII Data


Personal identification numbers

Address information

Telephone information

Personal characteristics (fingerprints, biometrics)

Information regarding personally owned property

Information that is linkable through the use of any of
the above PII

Aggregating PII

Commercial data aggregation services exist. The better ones are not
free and require some level of authorization to use; however, private
investigators and bill collectors can get access.

Just using free resources can result in obtaining much of the same
information available through the paid services.

Using Accurint (or a similar service) together with free resources
multiplies the data available.

Information available from data aggregators:

Names (all) used and social security
numbers; names of others using that
social security number

Address summary going back for many
years with demographic data for each

Bankruptcy information, liens and
judgements, and UCC filings

Phones utilized, including cell phones

Companies owned and associates at work

Driver’s license information and history

Possible properties owned

Motor vehicles registered and watercraft

FAA certifications and aircraft owned

Possible criminal records and sex offender registrations

Automobile accident details

Professional licenses

Voter registration, hunting permits,
concealed weapons permits

Possible associates

Possible relatives


Services exist that make it very simple to pull together a tremendous
amount of personally linked data once sufficient information exists to
identify the individual.
PII Impact Levels

Low: limited adverse effect

Minor loss to the individual or organization, e.g., having to change
your phone number

Moderate: serious adverse effect

Financial loss or significant harm, but not loss of life, e.g., identity
theft, public humiliation

High: severe or catastrophic adverse effect on organizational
operations, assets or individuals

Major financial loss; severe or catastrophic harm to individuals
involving loss of life or life-threatening injury

Factors for Determining PII Confidentiality Impact

Factors will vary by organization based on mission and nature of PII

Identifiability

How easily can PII be linked to an individual? Some data directly
identifies individuals; other data can be used to significantly narrow
large datasets and make identification more likely.

Quantity of PII

Very small vs. very large datasets represent differing levels of risk.
You cannot ignore privacy considerations for small datasets, but the
impact level will generally be higher for datasets containing large
numbers of records.

Data Field Sensitivity

Must evaluate each field separately, plus the sensitivity of all fields
together. An SSN or financial data is more sensitive than a telephone
number. Data can be sensitive in ways other than its intended use, e.g.,
mother's maiden name can be used for authentication in password recovery.

Factors for Determining PII Confidentiality Impact

Context of Use

purpose for which information is collected, stored,
used, processed, disclosed, or disseminated.

Examples include eligibility for benefits, tax administration, and law
enforcement. Simple disclosure that information is being collected might
in itself be dangerous. Consider three lists, each containing name, address
and phone number. The first is subscribers to a newsletter; the second
people who have applied for retirement benefits; the third undercover law
enforcement agents. Same information, very different impact levels.

Obligations to protect confidentiality

Obligations vary by
organization based on the laws applicable to that organization’s PII
activity. IRS data, for example, is subject to extremely strict
confidentiality requirements.

Access to and location of PII

How many people have access? Is
information accessible using mobile devices? Is information regularly
transported offsite, say on a laptop? Is information available online?

Operational Safeguards

Policy and Procedure Creation

Access rules for PII within the system

just because the
information exists in an agency database does not mean
everyone within that agency should have access.

PII retention schedules and procedures

Data should
not be kept indefinitely. When it has served its purpose
it should be purged.

PII incident response and data breach notification

Data incidents represent serious problems for an agency.
Response and notification planning is crucial so that any
damage can be contained quickly.

Operational Safeguards

Policy and Procedure Creation (continued)

Privacy in the system development life cycle process

Data obtained during the development of IT systems may be available to
contractors as well as employees. Protection of data during development
and data conversion activities is just as important as after
implementation, and data may be easier to steal during development.

Limitation of collection, disclosure, sharing and use of PII

Do not collect anything that is not specifically needed; do not
disclose or share any data without proper authorization and a
demonstrated need.

Consequences for failure to follow policy

without consequences
there is little to deter sloppy information protection.

Operational Safeguards

Awareness, training, and education

Awareness training designed to change behavior or
reinforce PII practices. Focuses attention on protection
of PII

Training builds knowledge and skills to enable staff to
protect PII

Education builds a common body of knowledge covering
all specialties and aspects of PII protection

Topics for PII Training

The definition of PII

Applicable privacy laws, regulations, and policies

Restrictions on data collection, storage, and use of PII

Roles and responsibilities for using and protecting PII

Appropriate disposal of PII

Sanctions for misuse of PII

Recognition of a security or privacy incident involving PII

Retention schedules for PII

Roles and responsibilities in responding to PII-related incidents
and reporting

Specific Safeguards

Minimizing the use, collection, and retention of PII

Basic privacy principle

What does the organization need to fulfill its mission?
"Minimum necessary principle"

When no longer relevant, dispose of securely

Previously discussed: Privacy Impact Assessments

De-identifying information

e.g., remove identifiers for researchers, using a protected and secured
algorithm that can re-link the data when necessary

Specific Safeguards

Anonymizing information

De-identified information for which no algorithm for re-identification
exists. Anonymizing ensures the inability to re-identify.

Generalizing the information

Making data less precise and grouped

Suppressing the data

Deleting entire records or parts of records

Introduction of noise

Adding small amounts of variation to the data
Swapping the data

exchanging certain information from one
record with another, e.g. zip code fields

Replacing the data with an average value

Anonymized data is very useful for systems testing and development.
Randomly generated data tends not to share a realistic distribution
and may not represent a proper test of the system.
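The following is an added example, not code from the slides or from NIST SP 800-122, that puts the safeguards above side by side: reversible de-identification (identifiers replaced by a keyed token, re-linkable only by the custodian who holds the key and the lookup table), and the irreversible anonymization techniques of generalizing, suppressing, adding noise, swapping and averaging. It also shows the "linkable" PII problem from the PII slides: records with names and SSNs removed are still re-identified by joining date of birth and ZIP code against a public list. The k-anonymity check and the linkage routine go slightly beyond the slides; they are the standard way to verify that generalization and suppression actually worked. All records, the "voter roll" and the custodian key are constructed for the example.

```python
"""Added example: de-identification and anonymization of a PII dataset.
Records, the public roll and the custodian key are constructed, not real."""
import hashlib
import hmac
import random
import statistics
from collections import Counter

# Constructed agency dataset (hypothetical individuals).
RECORDS = [
    {"name": "A. Adams",  "ssn": "123-45-6789", "dob": "1971-03-02", "zip": "30301", "salary": 52000, "dx": "asthma"},
    {"name": "B. Baker",  "ssn": "234-56-7890", "dob": "1975-11-19", "zip": "30309", "salary": 61000, "dx": "none"},
    {"name": "C. Clark",  "ssn": "345-67-8901", "dob": "1968-07-07", "zip": "30318", "salary": 48000, "dx": "diabetes"},
    {"name": "D. Davis",  "ssn": "456-78-9012", "dob": "1979-01-30", "zip": "30303", "salary": 75000, "dx": "none"},
    {"name": "E. Evans",  "ssn": "567-89-0123", "dob": "1990-05-15", "zip": "10001", "salary": 41000, "dx": "asthma"},
    {"name": "F. Foster", "ssn": "678-90-1234", "dob": "1994-09-23", "zip": "10011", "salary": 47000, "dx": "none"},
]
# Constructed public record (e.g. a voter roll): no SSN, but the same quasi-identifiers.
PUBLIC_ROLL = [{"name": r["name"], "dob": r["dob"], "zip": r["zip"]} for r in RECORDS]

DIRECT_IDENTIFIERS = ("name", "ssn")
QUASI_IDENTIFIERS = ("dob", "zip")   # fields that are "linkable" to public records


def _qi(record):
    """Quasi-identifier tuple used for grouping and linkage."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def pseudonymize(records, key: bytes):
    """De-identify: drop direct identifiers and add an HMAC-SHA256 token over the SSN.
    The custodian keeps the returned relink table (and the key) separately so the
    data can be re-linked when necessary; recipients see only opaque tokens."""
    released, relink = [], {}
    for r in records:
        token = hmac.new(key, r["ssn"].encode(), hashlib.sha256).hexdigest()[:16]
        relink[token] = r["ssn"]
        released.append({"pid": token, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return released, relink


def generalize(records):
    """Make quasi-identifiers less precise: DOB -> decade of birth, ZIP -> 3-digit prefix."""
    return [{**r, "dob": r["dob"][:3] + "0s", "zip": r["zip"][:3] + "**"} for r in records]


def k_anonymity(records):
    """Smallest number of records sharing one quasi-identifier combination (1 = unique)."""
    return min(Counter(_qi(r) for r in records).values())


def suppress(records, k):
    """Delete whole records whose quasi-identifier combination appears fewer than k times."""
    sizes = Counter(_qi(r) for r in records)
    return [r for r in records if sizes[_qi(r)] >= k]


def add_noise(records, field, spread, seed=0):
    """Add a small random variation to a numeric field (seeded so the example repeats)."""
    rng = random.Random(seed)
    return [{**r, field: r[field] + rng.randint(-spread, spread)} for r in records]


def swap(records, field, seed=0):
    """Exchange one field's values among records; the column's distribution is preserved."""
    rng = random.Random(seed)
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [{**r, field: v} for r, v in zip(records, values)]


def replace_with_average(records, field):
    """Replace every value of a numeric field with the column mean."""
    avg = statistics.mean(r[field] for r in records)
    return [{**r, field: avg} for r in records]


def reidentify(released, public):
    """Linkage attack: join released records to a public list on the quasi-identifiers.
    A released record is re-identified when exactly one public record matches."""
    by_qi = {}
    for p in public:
        by_qi.setdefault(_qi(p), []).append(p["name"])
    linked = {}
    for r in released:
        matches = by_qi.get(_qi(r), [])
        if len(matches) == 1:
            linked[r["pid"]] = matches[0]
    return linked


if __name__ == "__main__":
    released, relink = pseudonymize(RECORDS, b"custodian-key-kept-offline")  # hypothetical key
    print("k on raw release:", k_anonymity(released),
          "-> re-identified:", len(reidentify(released, PUBLIC_ROLL)))
    safe = suppress(generalize(released), k=2)
    print("k after generalize+suppress:", k_anonymity(safe),
          "-> re-identified:", len(reidentify(safe, generalize(PUBLIC_ROLL))))
```

Removing names and SSNs alone leaves every record unique on (DOB, ZIP), so all six are re-identified from the public roll; generalizing to decade and ZIP prefix still leaves one singleton, which suppression removes before release. The relink table is what separates de-identified from anonymized data: keep it, and the data is re-linkable by the custodian; destroy it (and the key), and the release is anonymized in the sense the slides use.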