CMPS 200
Privacy
Lecture 3
Fall 2023
Objectives
• What is the right of privacy, and what is the basis for
protecting personal privacy under the law?
• What are some of the laws that provide protection for the
privacy of personal data, and what are some of the
associated ethical issues?
• What are the key privacy issues?
• What are the various strategies for consumer profiling, and what
are the associated ethical issues?
• Why and how are employers increasingly using workplace
monitoring?
• What are the capabilities of advanced surveillance technologies,
and what ethical issues do they raise?
(Chapter 4 in your textbook, 5th edition)
Information Privacy
• Definition of privacy
– “The right to be left alone—the most comprehensive of rights,
and the right most valued by a free people”
• Information privacy is a combination of:
– Communications privacy
• Ability to communicate with others without being
monitored by other persons or organizations
– Data privacy
• Ability to limit access to one’s personal data by other
individuals and organizations in order to exercise a
substantial degree of control over that data and its use.
Question: Give an example of each of these two: communications privacy and
data privacy.
Privacy Example
• Privacy means sensitive information must not be identified with the
individual or the owner of the information
– Examples of privacy
• Example 1:10, Hamad Street, Doha-1205
– (it is public information, not private)
– Ahmed lives in 10, Hamad Street, Doha-2015 (it is now private
information, not public)
• Example 2:
– The hospital has said that Fatima is suffering from disease X
(privacy violation)
– The hospital has said that someone is suffering from
disease X (no privacy violation)
• Privacy violation is more of a legal issue
• Privacy is closely related or similar to confidentiality
• However, privacy can be preserved or protected using security
mechanisms.
Question: Why is disclosing private data an issue?
Privacy Protection and the Law
[Figure: “Who are you?” at the center, surrounded by the kinds of data
gathered about a person: Web browsing behavior, Associates, Work history
and affiliations, Police record, Driving records, Medical history,
Educational records, Location data, Financial data. Along the bottom, the
areas of privacy protection law shown: Children’s Personal Data, Financial
Data, Fair Information Practices, Health Information, Electronic
Surveillance, Access to Government Records.]
Organizations gather a variety of data about people in order to make better decisions
Financial data
• Fair Credit Reporting Act (1970)
– Regulates operations of credit-reporting institutions
– Allows consumers to request and obtain a free credit report once each year
from each of the primary consumer credit reporting companies
• Right to Financial Privacy Act (1978)
– Protects the financial records of financial institution customers from
unauthorized inspection by the government
• Gramm-Leach-Bliley Act (1999)
– Protects the records of financial institutions’ customers
– Financial Privacy Rules: personal data collection
• Opt-out policy
» Assumes that consumers approve of companies collecting and
storing their personal information
• Opt-in policy
» Must obtain specific permission from consumers before
collecting any data
Question: Give one example for each: Opt-out and Opt-in policies
Health information
• Health Insurance Portability and Accountability Act (HIPAA) (1996)
– Included strong privacy provisions for electronic health records
– Interlinking and transferring of electronic health data among different
organizations
– Intrusion into health data by employers, law enforcement authorities,
– Offers protection for victims of health data breaches
– Aims to improve privacy, reduce fraud, stop abuse of healthcare services,
establish accountability for data breaches, and control cross-border
data movement
Children’s personal data
• Web sites catering to children must
– Offer comprehensive privacy policies,
– Notify parents or guardians about their data-collection practices, and
– Receive parental permission before collecting personal information
from children under 13 years old.
Data Breach: Identity Theft
• Theft of key pieces of personal information to impersonate a
person, including:
– Name
– Address
– Date of birth
– Social Security number
– Passport number
– Driver’s license number
– Mother’s name
Identity Theft (cont’d.)
• Fastest-growing form of fraud in the United States
• Four approaches used by identity thieves:
– Create a data breach
– Purchase personal data
– Use phishing to induce users to give up data
– Install spyware to capture keystrokes of victims
Question: Why do hackers try to steal the identities of others? What benefits
are they getting?
Identity Theft (cont’d.)
• Data breaches of large databases
– To gain personal identity information
– May be caused by:
• Hackers
• Failure to follow proper security procedures
• Purchase of personal data
– Black market for:
• Credit card numbers in bulk—$40 each
• Logon name and PIN for bank account—$10
• Identity information—including DOB, address, SSN, and
telephone number—$1 to $15
Identity Theft (cont’d.)
• Phishing
– Stealing personal identity data by tricking users into entering
information on a fake Web site
• Spyware
– Keystroke-logging software
– Enables the capture of:
• Account usernames
• Passwords
• Credit card numbers
• Other sensitive information
Key Privacy and Anonymity Issues
• Consumer profiling
• Electronic discovery
• Workplace monitoring
• Advanced surveillance technology
Consumer Profiling
• Companies openly collect personal information about Internet users
• Cookies:
– Text files that a Web site can download to visitors’ hard drives so that
it can identify visitors later
• Tracking software analyzes browsing habits
• Collecting data from Web site visits
– Goal: provide customized service for each consumer
• Criticism - Personal data may be gathered and sold to other companies
without the permission of consumers who provide the data.
• A data breach is the unintended release of sensitive data, or access to
sensitive data (e.g., credit card numbers, health insurance member IDs,
and Social Security numbers) by unauthorized individuals.
Cookies
• Cookies are text files with small pieces of data — like a username
and password — that are used to identify your computer as you
use a computer network.
• Specific cookies known as HTTP cookies are used to identify specific
users and improve your web browsing experience.
• Accepting cookies will give you the best user experience on the website,
while declining cookies could potentially interfere with your use of the site.
• For example, online shopping.
• Cookies enable the site to keep track of all items that you've placed in your
cart while you continue to browse
Tracking of Data by Cookies
• Cookies can track many kinds of data about users: their IP addresses,
their search and browser history (including what they googled earlier
and what websites they previously visited), and their on-site behavior
such as scrolling speed, where they clicked and where their mouse hovered.
• Click See All Cookies and Site Data to see a list of the cookies actually
installed locally on your computer.
• You can go through them one by one and delete as desired.
• It's not a bad idea to just do a Remove All on cookies every few
months, just to clear things out.
How Cookies Work
• User-specific information file created by server
• Stored on local computer
• Help website remember user information such as
– Items added in the shopping cart
– User's browsing activity
– Whether the user is logged in & which account is used to log in
Source: Wikipedia.com
Cookies and Privacy
• First-party cookie
– Created by the Web site the user is currently viewing
• Third-party cookie
– Often come from Web site advertisers
– Used to tailor advertising to a user
– Can be used to track user’s browsing and buying habits
An advertising company has placed banners
in two websites. By hosting the banner
images on its servers and using third-party
cookies, the advertising company is able to
track the browsing of users across these two
sites.
Source: Wikipedia.com
Blocking 3rd party cookies
can enhance privacy
Consumer Profiling (cont’d.)
• Four ways to limit or stop the deposit of cookies on hard drives:
– Set the browser to limit or stop cookies
– Manually delete them from the hard drive
– Download and install a cookie-management program
– Use anonymous browsing programs that don’t accept cookies
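To make the third-party cookie tracking in the banner diagram and the "set the browser to limit or stop cookies" countermeasure concrete, here is an added example (not part of the lecture and not taken from any real browser or advertising network) written in JavaScript. It models a browser cookie jar, two unrelated sites that both embed a banner from one advertising host, and the profile the advertising host builds. The hosts shop-a.example, news-b.example and ads.example, the cookie names uid and session, and the functions CookieJar, makeAdServer, simulateBrowsing and distinctProfiles are all constructed for this illustration. The model treats a request as third-party when the host it goes to differs from the site shown in the address bar, which is the rule browsers apply; cookie attributes such as Path and Expires are ignored.

```javascript
// Added example: a minimal model of a browser cookie jar showing how a
// third-party cookie lets an advertising host link one user's visits to
// two unrelated sites, and how blocking third-party cookies breaks that
// link while first-party cookies keep working. All hostnames are made up.

// Parse a Cookie request header ("a=1; b=2") into a Map.
function parseCookieHeader(header) {
  const cookies = new Map();
  if (!header) return cookies;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    cookies.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return cookies;
}

// Keep only the name=value pair of a Set-Cookie header; attributes such as
// Path or Expires are ignored in this model.
function parseSetCookie(header) {
  const pair = header.split(';')[0];
  const eq = pair.indexOf('=');
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Cookie jar keyed by the host that set the cookie. A request is third-party
// when the host it goes to differs from the site in the address bar.
class CookieJar {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty;
    this.store = new Map(); // host -> Map(name -> value)
  }
  isThirdParty(topLevelHost, requestHost) {
    return topLevelHost !== requestHost;
  }
  // Cookie header the browser would attach to a request to requestHost.
  cookieHeaderFor(topLevelHost, requestHost) {
    if (this.blockThirdParty && this.isThirdParty(topLevelHost, requestHost)) return '';
    const jar = this.store.get(requestHost);
    if (!jar) return '';
    return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
  }
  // Store Set-Cookie headers from a response, unless they arrive in a
  // third-party context and third-party cookies are blocked.
  storeFrom(topLevelHost, requestHost, setCookieHeaders) {
    if (this.blockThirdParty && this.isThirdParty(topLevelHost, requestHost)) return;
    if (!this.store.has(requestHost)) this.store.set(requestHost, new Map());
    for (const h of setCookieHeaders) {
      const { name, value } = parseSetCookie(h);
      this.store.get(requestHost).set(name, value);
    }
  }
}

// Hypothetical advertising host that serves a banner image to several sites.
// It assigns a uid cookie on first sight and logs which site referred each hit.
function makeAdServer() {
  let nextId = 1;
  const log = [];
  return {
    host: 'ads.example',
    log,
    handle(request) {
      const cookies = parseCookieHeader(request.cookie);
      let uid = cookies.get('uid');
      const setCookie = [];
      if (!uid) {
        uid = `u${nextId++}`;
        setCookie.push(`uid=${uid}; Path=/`);
      }
      log.push({ uid, referer: request.referer });
      return { body: 'banner.png', setCookie };
    },
  };
}

// One user visits two unrelated sites; each page sets its own session cookie
// (first-party) and embeds the same banner from ads.example (third-party).
function simulateBrowsing(jar) {
  const ads = makeAdServer();
  for (const site of ['shop-a.example', 'news-b.example']) {
    jar.storeFrom(site, site, [`session=${site}-sess`]);
    const response = ads.handle({
      referer: site,
      cookie: jar.cookieHeaderFor(site, ads.host),
    });
    jar.storeFrom(site, ads.host, response.setCookie);
  }
  return ads.log;
}

// Number of distinct profiles the ad host ends up with for this single user.
function distinctProfiles(log) {
  return new Set(log.map((e) => e.uid)).size;
}

function demo() {
  const openLog = simulateBrowsing(new CookieJar());
  const blockedJar = new CookieJar({ blockThirdParty: true });
  const blockedLog = simulateBrowsing(blockedJar);
  console.log('third-party cookies allowed:', openLog);    // one uid on both sites
  console.log('third-party cookies blocked:', blockedLog); // a fresh uid per site
  console.log('first-party cookie still sent:',
    blockedJar.cookieHeaderFor('shop-a.example', 'shop-a.example'));
  return { open: distinctProfiles(openLog), blocked: distinctProfiles(blockedLog) };
}

demo();
```

Run it with node. With third-party cookies allowed, the advertising host receives the same uid from both sites and can join the two visits into one profile; with them blocked, it hands out a fresh uid on each site and the visits cannot be linked, while each site's own session cookie is still sent because it is first-party.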
Treating Consumer Data Responsibly
• Strong measures are required to avoid customer relationship
problems
• Companies should adopt Fair Information Practices
• Appoint chief privacy officer (CPO)
– Executive to oversee data privacy policies and initiatives
Electronic Discovery
• Collection, preparation, review, and production of electronically
stored information for use in criminal and civil actions
• E-discovery is complicated and requires extensive time to collect,
prepare, and review data
• Electronically stored information (ESI): Any form of digital
information stored on any form of electronic storage device
• E-discovery software helps:
– Analyze large volumes of ESI quickly
– Simplify and streamline data collection
– Identify all participants in an investigation to determine who
knew what and when
Workplace Monitoring
• Employers monitor workers
– Must protect against employee abuses that reduce worker
productivity
• Public-sector employees have far greater privacy rights than
private-sector employees
• Employer may legally monitor your use of any employer-provided
mobile phone or computing device including contact lists, call logs,
email, location, photos, videos, and web browsing.
• Many employers permit their employees to use their own personal
mobile phones or computing devices for work purposes under a policy
called Bring Your Own Device (BYOD).
Question: Why do employers want to monitor workers? List some reasons.
Advanced Surveillance Technology
• Camera surveillance
– Many cities plan to expand surveillance activities
– Goal - Deter crime and terrorist activities
– Critics concerned about potential for abuse
• Global positioning system (GPS) chips
– Placed in many devices
– Precisely locate users
– Banks, retailers, airlines eager to launch new services based
on knowledge of consumer location
Advanced Surveillance Technology (cont’d)
• Vehicle Event Data Recorder (EDR)
– Records vehicle and occupant data for a few seconds before, during,
and after any vehicle crash severe enough to deploy the vehicle’s air
bags
– Purposes
• To capture and record data to make changes to improve vehicle
performance in the event of a crash
• For use in a court of law to determine what happened during a
vehicle accident
• Stalking App:
– Spy software that can be loaded onto a phone
– Performs location tracking, records calls, views text messages sent or
received, and records the URLs of any Web site visited
– Illegal to install the software on a phone without the permission of the
phone owner
Question: Do you think that law enforcement agencies should be authorized
to install a stalking app or an EDR in individuals’ phones, computers, or
cars without their knowledge? Why or why not?
Data Protection and Privacy Law in Qatar
• Law No 13 signed into law in 2016
• The law has provisions related to the rights of individuals to protect
the privacy of their personal data.
• Covers electronically processed, obtained, or extracted data
• Requires organizations to adhere to basic data protection
responsibilities.
– Includes precautions to “protect personal data from loss, damage,
modification, disclosure or being illegally accessed.”
Law No. (13) of 2016
on
Protecting Personal Data Privacy
Article (3)
• Each Individual has the right to the protection of the Personal Data
thereof that shall be processed only within the framework of
transparency, honesty, and respect of human dignity, and
acceptable practices according to provisions hereof.
Article (5)
An individual may, at any time:
• Withdraw the prior consent thereof for Personal Data Processing.
• Object to processing the Personal Data thereof if such processing is
– not necessary to achieve the purposes for which such Personal
Data have been collected or where such collected Personal
Data are beyond the extent required, discriminatory, unfair or
illegal.
Data Controller vs. Data Processor
Data Controller
• For instance, Sterling Company has a website that collects data on the
pages their visitors visit.
• This includes the page they enter the site with, the pages that they visited
next, and how long they stayed in each page.
• Sterling Company is the data controller, as they decide how all of this
information is going to be used and processed, and for what purpose.
Data Processor
• Sterling Company uses Google Analytics to find out which of their pages
are most popular and which ones are making Web site visitors leave.
• This helps them plan their content better by knowing exactly how much
time each visitor spends on a particular page.
• Sterling Company needs to share the data that they get to Google in order
to get the insights they want from Google Analytics.
• In this case, Google Analytics is the data processor.
Article (6)
• An Individual may, at any time, access the
Personal Data thereof and apply to review the
same, in facing any Controller, and an Individual
has, in particular, the right to:
1. Be notified of processing the Personal Data thereof and the
purposes for which such processing is conducted
2. Be notified of any disclosure of inaccurate Personal Data.
3. Obtain a copy of the Personal Data thereof after paying an amount
that shall not exceed the service charge.
Article (8)
The Controller shall abide by the following:
1. Processing Personal Data honestly and legitimately.
2. Consider the controls related to designing, changing or developing
products, systems and services pertinent to Personal Data
Processing.
3. Taking appropriate administrative, technical and financial
precautions to protect Personal Data, in accordance with what is
determined by the Competent Department.
4. The privacy protecting policies developed by the Competent
Department, and a decision thereon shall be issued by the Min
Article (9)
The Controller shall, prior to starting processing any Personal Data,
inform the Individual with the following:
1. The Controller’s details or any other party conducting the
processing for the Controller or to be used thereby.
2. The Lawful Purposes that the Controller or any other party wants
to process the Personal Data therefor.
3. Comprehensive and accurate description of the processing
activities and the levels of disclosure of such Personal Data for
the Lawful Purposes, and if the Controller fails to do so, the
Controller shall provide the Individual with a general description
thereof.
4. Any other information that is necessary and required for fulfilling
conditions of Personal Data Processing.
Article (13)
• Each of the Controller and the Processor shall take the
precautions necessary to protect Personal Data against
• Loss
• Damage
• Change
• Disclosure
• Access thereto, or
• The inadvertent or illegal use thereof.
Videos and References on Privacy
• https://youtu.be/zsboDBMq6vo
• https://youtu.be/ZNEPaGFApX4
• Internet privacy
– https://en.wikipedia.org/wiki/Internet_privacy
• EU General Data Protection Regulation (GDPR)
– https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
• Privacy issues of Facebook
– https://en.wikipedia.org/wiki/Criticism_of_Facebook