CT218-L6-Privacy Issues - pkl.net


Nov 2, 2013 (3 years and 9 months ago)


© M. Scheurer, 2002
CT218 Professional Issues

CT218 Lecture 6
14th March

Privacy Issues

What is privacy?

It is common to distinguish four kinds of privacy:

- physical privacy
- mental privacy
- decisional privacy
- informational privacy

Definitions

Infringements of Information Privacy

Concern for activities of

- Commercial organisations
  - mailing lists and marketing data
  - credit references
- Government agencies
  - interests of law enforcement versus rights to non-interference
  - collation of information
  - monitoring of telecommunications

Privacy Protection

Privacy protection can be achieved by:

- Privacy and Data Protection Laws
- Self Regulation (Codes of Conduct)
- Privacy Enhancing Technologies
- Privacy Education (of consumers and IT professionals)

Source: Fischer-Hubner, S. “IT-Security and Privacy: Design and Use of Privacy-Enhancing Security Mechanisms”, LNCS 1958, ISBN 3-540-42142, Springer, 2001

Privacy Enhancing Technologies

PETs are software-based mechanisms that help to protect the privacy of web users

2 Categories:

- Products which provide consumer choice, such as
  - P3P (Platform for Privacy Preference Project) from W3C
- Products which protect User Identity through
  - Anonymity
  - Pseudonymity
  - Unlinkability
  - Unobservability

Source: Fischer-Hubner

PETs vs PITs

PETs provide an answer to “Privacy Invasive Technologies” (PITs) such as

- Data mining (customer profiling)
- “Spyware”
- Cookies
- Web Bugs
- Intelligent Agents used in E-commerce and M-commerce applications (AKA “shopbots”, “buybots”, “pricebots”, “bots”)

Cookies

A cookie is a small data file that websites can store on the hard drive of the computer of people who visit their sites.

- may contain information, such as a unique user ID, that websites use to track the pages visited
- can track and maintain the identity of the web site visited immediately prior to and after visiting the website which set the cookie
- can keep information on Registered Users which allows them to access account information or other information relating to their use of the site

Web Bugs

- AKA “Web Beacons”
- Web bugs hide computer codes behind invisible images only a pixel in size to gather information about surfing habits
- The bugs work best in conjunction with cookies and can interrogate them to find out more about the surfer
- From BBC Article on Web Bugs: http://news.bbc.co.uk/hi/english/sci/tech/newsid_842000/842624.stm

Web Bugs / what they can do

Data web bugs can gather

- IP address of your computer
- Web location of bug
- Web page bug is attached to
- Time the bug was viewed
- Which browser you are using
- Any cookies already on your computer

SOURCE: BBC Article on Web Bugs


http://news.bbc.co.uk/hi/english/sci/tech/newsid_842000/842624.stm
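
Added example (not part of the original lecture slides): a Python check that scans a page's HTML for candidate web bugs, i.e. images declared as at most 1x1 pixel, and records whether each is served from a different host than the page. The sample page, its hostnames and the function name find_web_bugs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not from the lecture or the BBC article).
SAMPLE_URL = "http://shop.example/books/index.html"
SAMPLE_HTML = """
<img src="/img/logo.gif" width="120" height="40">
<img src="http://tracker.example/b.gif?uid=12345" width="1" height="1">
<img src="/img/spacer.gif" width="1" height="1">
<img src="http://ads.example/banner.gif" width="468" height="60">
"""


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    digits = (value or "").strip().lower().replace("px", "")
    return digits.isdigit() and int(digits) <= 1


def find_web_bugs(html, page_url):
    """Return <img> tags of at most 1x1 pixel, noting whether another host serves them."""
    page_host = urlparse(page_url).hostname
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        if not attrs.get("src"):
            continue
        if not (_tiny(attrs.get("width")) and _tiny(attrs.get("height"))):
            continue
        url = urljoin(page_url, attrs["src"])
        host = urlparse(url).hostname
        # Exact host comparison is a simplification: subdomains count as third parties.
        findings.append({"url": url, "host": host, "third_party": host != page_host})
    return findings


if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLE_HTML, SAMPLE_URL):
        print(hit)
```

The check only reads width and height attributes; images sized or hidden through CSS are not covered.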


Spyware?

- "They are a secret way of gathering information about someone," said David Banisar, a civil liberties expert from the Electronic Privacy Information Centre (Epic).
- Privacy experts say the hidden images are the first of a new generation of "spyware" designed to watch what people do on the web without them knowing.

(BBC article)

Legitimate business Practice?

NAI Definition of Web Beacons

“Web Beacons are a tool that can be used online to deliver a cookie in a third party context. This allows companies to perform many important tasks - including unique visitor counts, web usage patterns, assessments of the efficacy of ad campaigns, delivery of more relevant offers, and tailoring of web site content. The web beacon's cookie is typically delivered or read through a single pixel on the host site”
(http://www.networkadvertising.org/aboutnai_news_pr100401.asp)

Email Surveillance Issues

- The standard technology of email is anything but private
- ISPs have been asked to archive all transactions for 7 years by UK police
- Ownership of ‘private’ email
  - Courts agree with employers that on company computers, it belongs to the employer

Amazon.co.uk

- Like many commercial organisations, uses customer information for marketing purposes.
- Uses data mining techniques for sophisticated customer profiling
- Privacy International, a lobby group, is pursuing a complaint of non-compliance with UK data protection legislation

http://www.privacyinternational.org/issues/compliance/

Personal data held by Amazon (1)

- Records of book titles purchased
- Clickstream data such as URLs viewed, IP addresses, cookies, timestamps
- Search queries
- Items placed in shopping carts but removed prior to checkout
- Data purchased by Amazon from other sources or gathered from public records

Personal data held by Amazon (2)

- Demographic and psychographic data
- Any estimates of propensity to purchase particular products
- Any information relating to credit risk
- Estimates of lifetime value
- Any clustering or segmentation data
- Any estimates of price elasticity

Doubleclick

The Doubleclick Saga

- DC’s online profiling service carried out through Banner Adverts attracted the wrath of the Privacy Lobby
  http://www.nytimes.com/library/tech/00/02/cyber/commerce/07commerce.html
- Junkbusters President Jason Catlett claimed that “Doubleclick has more than a trillion clickstream records and billions of personally identified records on about 90 million Americans”. He also claimed that Doubleclick’s computer had been the victim of hackers -
  http://www.junkbusters.com/new.html#dclk
- DoubleClick has always maintained that any information collected in such a way is merely aggregated data that cannot be traced to individual users. Several court cases have been dismissed.
  http://www.doubleclick.com/us/corporate/privacy/

Network Advertising Initiative

- NAI (Network Advertising Initiative), a cooperative group of network advertisers, has developed a set of privacy principles, in conjunction with the Federal Trade Commission, in order to improve its self-regulatory approach to addressing consumers' privacy concerns
- It offers an on-line service which provides consumers with the ability to opt out of ads from major companies (including DoubleClick and 24/7 Media) through its website http://www.networkadvertising.org

Intel

The saga of Intel Pentium III and PSN (Processor Serial Number)

Original chips had embedded technology which enabled the identification of individual computers

Dropped by Intel in April 2000 following adverse publicity

- “Pretty poor privacy may lurk inside processors”, New Scientist, 6 Feb 1999
- http://www.epic.org/ (Electronic Privacy Information Center) - US watchdog
- http://www.bigbrotherinside.com/
- http://zdnet.com.com/2100-11-520265.html?legacy=zdnn

Next Week

The Data Protection Act

Advanced Study (recommended):

The Office of the Information Commission (OIC) website: http://www.dataprotection.gov.uk

- Legal Guidance
- Notification Handbook

End of Privacy Issues