Rina Steenkamp - Privacy and technology
[SURVEILLE paper adressing surveillance in the context of preventing a terrorist act | Watching me - The war on crime, privacy, and the state | U.S. Attitudes toward the 'right to be forgotten' | Statement of the WP29 on the impact of the development of big data on the protection of individuals with regard to the processing of their personal data in the EU | Opinion 8/2014 on the recent developments on the Internet of Things | Security collapse in the HTTPS market | Is your company ready for a big data breach? The second annual study on data breach preparedness | Data breaches in Europe - Reported breaches of compromised personal records in Europe, 2005-2014 | NIST Privacy engineering objectives and risk model discussion draft | Myth-busting - The Court of Justice of the EU and the "right to be forgotten" | Data protection and journalism - a guide for the media | What do we worry about when we worry about price discrimination? The law and ethics of using personal information for pricing | The internet of things and wearable technology - addressing privacy and security concerns without derailing innovation | An international legal framework for surveillance | Global network interference detection over the RIPE Atlas network]
A paper by Prof. Tom Sorell et al.
From the Summary:
"Various kinds of Internet monitoring techniques are applied side by side with more traditional surveillance techniques. We find most of the Internet monitoring applications both ethically and legally impermissible, assessing them poorly in comparison with traditional, non-technology based surveillance methods. Furthermore, the Internet monitoring techniques compare poorly with the traditional techniques also in terms of usability. [...] Internet monitoring techniques, with the exception of targeted social networking analysis, represent an unacceptable interference with fundamental rights to privacy and data protection, the deepest ethical risks of chill and damage to trust, intrusion and discrimination, while also violating moral norms of proportionality of methods and consent of the policed. Meanwhile these high moral and legal costs reflect a mostly middling to poor usability benefit, performing worse with regard to cost, efficiency and privacy-by-design than lower tech alternatives. The case for a mass Internet monitoring system is found wanting. "
Read more:
See also:
An article by Kimberley D. Bailey (UC Davis Law Review).
From the Abstract:
"The war on crime exemplifies how the deprivation of privacy makes one vulnerable to oppressive state social control. Scholars have severely criticized the war on crime's subordinating effects on poor urban people of color. The role that privacy deprivation plays in this subordination, however, has been under-theorized. This Article takes an initial step in addressing this gap in the literature. It argues that one important reason why the war on crime is so abusive is because it oppressively invades individuals' privacy; poor people of color have limited opportunities in the creation of their life plans, participation in mainstream political discourse, and access to social capital in part because they have limited privacy. These privacy invasions also have an expressive aspect because they send the message that the state does not trust these individuals to engage in valued activities in legitimate ways; therefore, they must constantly be watched. As a result, the deprivation of privacy also results in serious dignitary harms."
Read more:
A report by Daniel Humphries (Software Advice).
From the report:
"When Europe's highest court ruled in May that individuals had a 'right to be forgotten' - i.e., they have the right to request that outdated or 'irrelevant' information about them be removed from search results - the shockwaves were heard around the world. Given the First Amendment and the traditionally strong emphasis on the public's right to know in American culture, it may be difficult to imagine such a ruling happening stateside. But American culture is also traditionally strong on protecting privacy - and in fact, in January 2015, variant legislation applicable only to minors will become law in California. What if U.S. citizens start demanding the right to be forgotten, too? We at Software Advice were intrigued by the possibility, so we surveyed 500 adults in the U.S. to find out how they felt about the right to be forgotten and the problems the law seeks to address. We then quizzed a panel of experts for their opinions on this complex issue."
Read more:
A publication by the Article 29 Data Protection Working Party (WP29).
From the text:
"Some stakeholders assert that the application of some data protection principles and obligations under EU law should be substantially reviewed to enable promising forthcoming developments in big data operations to take place. The application of the principles of purpose limitation and data minimisation are presented as core concerns in this respect, as they require that data controllers collect personal data only for specified, explicit and legitimate purposes, and do not further process such data in a way incompatible with those purposes. They also require that personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. In this regard, some voices argue that the focus should be only on the use of personal data, linking this to the level of risk of harm to individuals. The Working Party acknowledges that the challenges of big data might require innovative thinking on how some of these and other key data protection principles are applied in practice. However, at this stage, it has no reason to believe that the EU data protection principles, as they are currently enshrined in Directive 95/46/EC, are no longer valid and appropriate for the development of big data, subject to further improvements to make them more effective in practice. It also needs to be clear that the rules and principles are applicable to all processing operations, starting with collection in order to ensure a high level of data protection. In fact, the Working Party strongly believes that complying with this framework is a key element in creating and keeping the trust which any stakeholder needs in order to develop a stable business model that is based on the processing of such data."
Read more:
See also:
A publication by the Article 29 Data Protection Working Party (WP29).
From the Summary:
"[...] this opinion identifies the main data protection risks that lie within the ecosystem of the IoT before providing guidance on how the EU legal framework should be applied in this context. The Working Party supports the incorporation of the highest possible guarantees for individual users at the heart of the projects by relevant stakeholders. In particular, users must remain in complete control of their personal data throughout the product lifecycle, and when organisations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific. To help them meet this end, the Working Party designed a comprehensive set of practical recommendations addressed to the different stakeholders concerned (device manufacturers, application developers, social platforms, further data recipients, data platforms and standardisation bodies) to help them implement privacy and data protection in their products and services."
Read more:
See also:
An article by Axel Arnbak, Hadi Asghari, Michel van Eeten, and Nico van Eijk (ACM).
From the Abstract:
"HTTPS (Hypertext Transfer Protocol Secure) has evolved into the de facto standard for secure Web browsing. However, widely reported security incidents - such as DigiNotar's breach, Apple's #gotofail, and OpenSSL's Heartbleed-have exposed systemic security vulnerabilities of HTTPS to a global audience. The Edward Snowden revelations-notably around operation BULLRUN, MUSCULAR, and the lesser-known FLYING PIG program to query certificate metadata on a dragnet scale-have driven the point home that HTTPS is both a major target of government hacking and eavesdropping, as well as an effective measure against dragnet content surveillance when Internet traffic traverses global networks. HTTPS, in short, is an absolutely critical but fundamentally flawed cybersecurity technology. To evaluate both legal and technological solutions to augment the security of HTTPS, our article argues that an understanding of the economic incentives of the stakeholders in the HTTPS ecosystem, most notably the CAs, is essential. We outline the systemic vulnerabilities of HTTPS, map the thriving market for certificates, and analyze the suggested regulatory and technological solutions on both sides of the Atlantic. Our findings show existing yet surprising market patterns and perverse incentives: not unlike the financial sector, the HTTPS market is full of information asymmetries and negative externalities, as a handful of CAs dominate the market and have become 'too big to fail.' Unfortunately, proposed E.U. legislation will reinforce systemic vulnerabilities, and the proposed technological solutions that mostly originate in the U.S. are far from being adopted at scale. The systemic vulnerabilities in this crucial technology are likely to persist for years to come."
Read more:
A study conducted by Ponemon Institute LLC.
From 'Part 1. Introduction':
"With data breaches making headlines the world over, awareness about the importance of having technologies and governance practices in place to respond to such incidents should be at an alltime high. In this study sponsored by Experian® Data Breach Resolution, we surveyed 567 executives in the United States about how prepared they think their companies are to respond to a data breach. In 2013 a similar study was conducted.1 A comparison of those findings to this research reveals that companies are making some positive changes. However, many companies are deficient in governance and security practices that could strengthen their data breach preparedness. These include: keeping the data breach response plan up-to-date, conducting risk assessments of areas vulnerable to a breach, continuous monitoring of information systems to detect unusual and anomalous traffic and investing in technologies that enable timely detections of a security breach."
Read more:
A paper by Philip N. Howard (Central European University).
From 'I. Executive Summary':
"The total population of the countries covered in this study is 524 million, and the total population of internet users in these countries is 409 million. Expressed in ratios, this means that for every 100 people in the study countries, 43 personal records have been compromised. For every 100 internet users in the study countries, 56 records have been compromised. Fully 51 percent of all the breaches involved corporations and 89 percent of all the breached records were from compromised corporations. Among all the kinds of organizations from which personal records have been compromised, 41 percent of the incidents involved clear acts of theft by hackers, but 57 percent of the incidents involved organizational errors, insider abuse, or other internal mismanagement (2 percent unspecified)."
Read more:
A publication by the National Institute of Standards and Technology (NIST).
From 'Scope':
"NIST’s privacy engineering work is focused on providing guidance to developers and designers of information systems that handle personal information. This guidance may be used to decrease risks related to privacy harms, and to make purposeful decisions about resource allocation and the effective implementation of controls. Privacy engineering as defined in this discussion draft is primarily directed at mitigating risks arising from unanticipated consequences of normal system behavior. Risks to privacy arising from malicious actors or attacks can continue to be mitigated by following standard security standards and frameworks."
Read more:
See also:
A factsheet by the European Commission.
The introduction to the document:
"On 13 May 2014, the Court of Justice of the European Union acknowledged that under existing European data protection legislation, EU citizens have the right to request internet search engines such as Google, to remove search results directly related to them. This landmark ruling has sparked a lively and timely debate on the rights and wrongs of the so-called right to be forgotten. It is important to make sure the discussion is based on facts. A sober reading of the judgment shows that the concerns that have emerged in this debate are exaggerated or simply unfounded."
Read more:
Guidelines by the ICO.
From 'About this guide':
"This guide explains how the Data Protection Act (DPA) applies to journalism, advises on good practice, and clarifies the role of the Information Commissioner's Office (ICO). It does not have any formal legal status and cannot set any new rules, but it will help those working in the media understand and comply with existing law in this area."
Read more:
A paper by Akiva A. Miller.
Abstract:
"New information technologies have dramatically increased sellers’ ability to engage in price discrimination in retail consumer markets. Debates over using personal information for price discrimination frequently treat it as a single concern, and are not sufficiently sensitive to the variety of price discrimination practices, the different kinds of information they require in order to succeed, and the different concerns they raise. This paper explores the ethical aspects of the debate over regulating price discrimination facilitated by personal information. By drawing distinctions between various pricing practices and the motivations behind them, this paper seeks to clarify the ethical principles that should guide legal and regulatory efforts to control the use of personal information for pricing."
Read more:
A paper by Adam D. Thierer.
From the Abstract:
"This paper highlights some of the opportunities presented by the rise of the so-called 'Internet of Things' and wearable technology in particular, and encourages policymakers to allow these technologies to develop in a relatively unabated fashion. As with other new and highly disruptive digital technologies, however, the Internet of Things and wearable tech will challenge existing social, economic, and legal norms. In particular, these technologies raise a variety of privacy and safety concerns. [...] The better alternative to top-down regulation is to deal with these concerns creatively as they develop using a combination of educational efforts, technological empowerment tools, social norms, public and watchdog pressure, industry best practices and self-regulation, transparency, and targeted enforcement of existing legal standards (especially torts) as needed."
Read more:
A paper by Ashley Deeks.
From the Abstract:
"Edward Snowden's leaks laid bare the scope and breadth of the electronic surveillance that the U.S. National Security Agency and its foreign counterparts conduct. Suddenly, foreign surveillance is understood as personal and pervasive, capturing the communications not only of foreign leaders but also of private citizens. Yet to the chagrin of many state leaders, academics, and foreign citizens, international law has had little to say about foreign surveillance. Until recently, no court, treaty body, or government had suggested that international law, including basic privacy protections in human rights treaties, applied to purely foreign intelligence collection. This is now changing: several U.N. bodies, judicial tribunals, U.S. corporations, and victims of foreign surveillance are pressuring states to bring that surveillance under tighter legal control. This article tackles three key, interrelated puzzles associated with this sudden transformation. First, it explores why international law has had so little to say about how, when, and where governments may spy on other states' nationals. Second, it draws on international relations theory to argue that the development of new international norms regarding surveillance is both likely and essential. Third, it identifies six process-driven norms that states can and should adopt to ensure meaningful privacy restrictions on international surveillance without unduly harming their legitimate national security interests. These norms, which include limits on the use of collected data, periodic reviews of surveillance authorizations, and active oversight by neutral bodies, will increase the transparency, accountability, and legitimacy of foreign surveillance."
Read more:
A paper by Colin Anderson, Philipp Winter and Roya.
Abstract:
"Existing censorship measurement platforms frequently suffer from poor adoption, insufficient geographic coverage, and scalability problems. In order to outline an analytical framework and data collection needs for future ubiquitous measurements initiatives, we build on top of the existent and widely-deployed RIPE Atlas platform. In particular, we propose methods for monitoring the reachability of vital services through an algorithm that balances timeliness, diversity, and cost. We then use Atlas to investigate blocking events in Turkey and Russia. Our measurements identify under-examined forms of interference and provide evidence of cooperation between a well-known blogging platform and government authorities for purposes of blocking hosted content."
Read more:
See also: