ITS 321: Legal and Ethical Issues in Information Technology

Lesson 3 - Privacy

Objectives:

Chapter 4 discusses concepts relating to information privacy. Objectives important to this lesson:

  1. Right of privacy
  2. Legal basis for right of privacy
  3. Identity theft
  4. Consumer profiling
  5. Care of data
  6. Workplace monitoring
  7. Surveillance technologies

Concepts:

Chapter 4 opens with some remarks about privacy rights. The text observes that the US constitution does not contain a provision that specifically addresses privacy with regard to personal information. The fourth amendment to the constitution does grant protection of "papers and effects" from "unreasonable searches and seizures". It also provides that proper searches and seizures must be done under a warrant properly describing what place is to be searched and what things may be seized. What does this mean? In part, it means that a warrant must state what a searcher is looking for, and the searcher is constrained to reasonable places to search. On the other hand, courts have also interpreted this to mean that there is no privacy where there is no expectation of it, which explains the right of an employer to access email in a system it owns.

The text defines information privacy as a combination of communications privacy and data privacy. These concepts have been around for a long time, but technology has changed how we communicate and what we communicate. The next section of the chapter reviews a great many laws that relate to information and privacy.

Laws, Applications, Rulings
  • Fair Credit Reporting Act (1970) - controls the collection, storage, and use of credit information by credit agencies
  • Gramm-Leach-Bliley Act (1999) - deregulated banks and financial services, allowing them to offer banking, investments, and insurance services from each institution
    Included three rules that affect privacy. The Financial Privacy Rule allows people to opt out of having their data shared with partner companies, but it is usually implemented so that it is easier to allow the sharing. The Safeguards Rule requires that companies have data security plans. The Pretexting Rule tells institutions to implement procedures to keep from releasing information to people who are trying to gain information under false pretenses (pretexting). (They had to be told to do that?)
  • Health Insurance Portability and Accountability Act (HIPAA, 1996) - Establishes a large, complicated rule set for storing health information in a common format, making it sharable, and making it a crime to share it with people who should not have it.
  • Children's Online Privacy Protection Act (COPPA, 1998) - makes it a crime in the US to collect information about children under 13 without parental consent; makes it a crime to do this in another country if the information is about a child who is in the United States
  • Communications Act of 1934 - established the Federal Communications Commission (FCC), giving them jurisdiction over interstate telecommunications (among other things) by broadcast, wire, satellite, or cable, and over communications that begin or end in the US
  • Title III of the Omnibus Crime Control and Safe Streets Act (1968, 1986) - related to the court case Katz v. United States (which extended fourth amendment protection to wired communication), established regulation of domestic wiretaps, requiring that they be authorized by a warrant limiting their duration and scope; also called the Wiretap Act
  • Foreign Intelligence Surveillance Act (FISA, 1978) - established a separate court system to approve requests for electronic surveillance on foreign powers and their agents for up to a year; amended by the Patriot Act to include persons involved in terrorism not backed by a foreign government
  • FISA amendment (2008) - added legal protection for communication vendors who are required to provide information under FISA to the NSA and CIA
  • Electronic Communications Privacy Act (1986) - provides the protections of the Wiretap Act to faxes, email, and other messages sent over the Internet; provides protections to stored communications such as social message sites, instant messages, email mailboxes if they are not publicly available; allows the FBI to issue a National Security Letter to an ISP to obtain data about a subscriber if the person is believed to be a spy; provides for court approval to use a pen register (recorder of outgoing call numbers) and trap and trace (recorder of incoming call numbers) and tracking information for email messages
  • Communications Assistance for Law Enforcement Act (CALEA, 1994) - added wireless and Voice over IP aspects to "wiretapping", required that wireless equipment vendors add tools to allow authorities to intercept wireless communications with proper warrants
  • USA PATRIOT Act (2001) - Yes, the first two words are an acronym, but like most acronyms that long, it must have been a pain to make the phrase fit. This act extended the power of government to access electronic information in enough ways that the text discusses it for four pages. Look it over. A particular point the text mentions is the extension of the usage of National Security Letters by the FBI to obtain data without a court being involved. It is done by stating that the data is needed for an ongoing investigation.

The text continues with some standards that state how data will be handled by members of the organization that sets the standard.

  • Fair Information Practices (1980) - Established by the Organisation (yes, that is spelled correctly) for Economic Co-operation and Development (OECD), which is an international group whose goals are stated at the web site behind the link given here.
  • European Union Data Protection Directive (1998) - provides privacy protection for data sent inside and outside the European Union
  • BBBOnline - a site whose goals are for businesses to organize and self-regulate
  • Truste - another site whose goals are for businesses to organize and self-regulate

Many of the laws listed seem to fall on the side of giving law enforcement access to records. Another one that provides access to information for private citizens is the Freedom of Information Act (FOIA 1966, 1974). The purpose of FOIA is to provide a means for citizens to request information from Federal agencies. The request must not be burdensome, wide-ranging, or unreasonable, and it must be made according to agency procedures. FOIA requests may be denied if the response would compromise national security, interfere with an active investigation, or violate someone's privacy (unless the public's need for the response outweighs that violation).

The last law discussed in this section is the Privacy Act of 1974, which prohibits federal agencies from concealing databases of personal information, but the CIA and law enforcement agencies are exempt from the act, so it means less than it might.

Privacy and Anonymity

The next section of the chapter discusses privacy and violation of privacy issues.

Identity theft

The text defines this as impersonating a person by use of stolen personal information. Usually this is done as part of a scheme to obtain goods, credit, services, or money by fraud. Read through the list of suggestions on page 156 to reduce the risk of someone stealing various personal information.

Data Breaches

The text lists several examples of companies that have had database thefts of customer information. This list does not address online accounts, such as those with game companies or ongoing accounts at online stores like Amazon. The text mentions black market web sites that sell such stolen data.

Phishing

As we have already discussed, a phishing scam asks the reader of an email to volunteer personal information by pretending to be someone the reader would normally trust. Most of these scams are obvious, but it would only take a little polish to make them look more realistic.

Spyware

The text describes spyware as key logging software. This is only one type of spyware, but it is powerful in that it captures exactly what was entered on a keyboard. It can be used by investigators as well as by hackers. The text lists a case in which the FBI used such a program to capture data from a student suspected of sending bomb threats.

Consumer Profiling

The text discusses the practice of collecting information about consumers when they visit or purchase from web sites. Cookies are a well-known example of data stored on a computer that can identify the user (correctly or incorrectly) as a patron of your own web site or the site of a business partner. Doubts about what vendors and marketers actually do with the data led to the ability to clear your browser of cookies. The text continues with this for a few pages, but there is little content to it.

Workplace Monitoring

There are always ongoing discussions about the amount of time employees waste. Employers typically have reason to monitor their activities, but the text raises some ideas about such monitoring being extended to employee use and abuse of the computer environment. Proper use of an acceptable use policy would be a first step in avoiding the kind of abuses mentioned on page 166.

The text argues that government employees may use the fourth amendment as an argument against some employer intrusions, but that non-government employees do not have the same "protection", because the actions of their employers are not actions of the government. The bottom line is that employees have little right to privacy in the workplace.

The text ends with a short discussion about the use of video surveillance, facial recognition software, and global positioning system location monitoring. Each has its place in making the world safer, in making business run better, and potentially in intruding on our privacy. Students should discuss the ideas in this section.