Everyone seems to think that Big Social has made privacy a thing of the past. Think again. It's a human right and it's on the Endangered Species list, but there are ways to save it. Find out how.
The 3 Secrets of Online Privacy
1. Secret Truths about Privacy
1. Privacy is subject to the Law of Unintended Consequences
2. Knowledge is Power: Consumers should know what privacy Faustian pacts they’re signing
3. Privacy requires technical and policy standards!
Laurent Liscia, CEO OASIS Open
3. The Westchester Gun Map
Harmless, right?
Do the maps show everyone in my neighborhood who owns a gun?
No. New York law does not require a permit to own a long gun such as a rifle or shotgun.
How was this information obtained?
Through requests to the individual county clerks under New York’s Freedom of Information Law.
Isn’t that private information?
No. There is no right to privacy regarding handgun ownership in New York.
[Source: The Journal News]
5. The Gun Map Proved Quite Harmful
• Interactive map included names and addresses of police officers and prison
guards: inmates used the map to find out where they lived and threaten them.
• Former thieves said criminals could use map either to target houses with no guns
(to avoid getting shot) or take the risk and steal the weapons themselves.
• Democratic legislator: “I never owned a gun but now have no choice. I have been
exposed as someone that has no gun. And I’ll do anything to protect my family.”
• Resident feared her ex, who tried to kill her in past, might find her with the map
• Journalists received death threats, stationed an armed guard outside their offices.
6. Lesson From The Gun Map
• If you juxtapose two perfectly legit data sources: online maps and gun ownership
information for instance, you can enter scary privacy territory
• That’s the Law of Unintended Consequences
9. Potentially Harmful Implications
“Imagine if you could figure out what town a
criminal’s ancestors were likely from based
on DNA alone?” Razib Khan, Discover Magazine
You can’t stop ideas that threaten
privacy from popping up: yet another
instance of the Law of Unintended
Consequences
17. Big Social Can Make Great Things Better …
Tahrir Square
18. And Bad Things Worse
• Audrie Pott and Rehtaeh Parsons both committed suicide after photos documenting how they had been sexually assaulted were circulated on social media
• In both cases, many sided with the assailants rather than victims, calling them “sluts”
22. Is Privacy In Big Social’s Business Model?
• Nope
• “Google to pay record $22.5 million fine for Safari
privacy evasion” [2012]
• Twitter agreed to settle charges that it "deceived
customers" and failed to protect their personal
information [FTC fine, 2010]
23. Is Privacy Even Possible in Big Social?
“Just remember when you post something,
the computers remember forever”
“Every young person one day will be entitled
automatically to change his or her name on
reaching adulthood in order to disown
youthful hijinks stored on their friends’ social
media sites.”
Eric Schmidt, when he was CEO of Google
24. 2nd Takeaway: It’s OK for you to be the
product when you’re not paying … if
you know what you’re signing up for
?
26. Privacy Regulation in Europe
EU Data Protection Regulation will cover
everything from consent to data portability
and the right to be forgotten and will apply to
any company storing EU resident data
whether it’s HQ’d in the EU or not
27. Privacy Regulation in the US
The US approach is more laissez-faire, but
also more unpredictable. To wit: the Do Not
Track proposal from Sen. Jay Rockefeller
following 2012 White House "Consumer
Privacy Bill of Rights" asking industry to give
consumers control over their personal
information and Congress to pass laws.
28. Memorable Privacy Quotes
"I do not believe that companies with business models based on the collection and monetization of
personal information will voluntarily stop those practices if it negatively impacts their profit margins."
Jay Rockefeller
“Consumers are very pragmatic people. They want free content. They understand there's a value
exchange. And they're OK with it.”
Lou Mastria, director of the Digital Advertising Alliance
““You are the product!” Oh, fuck, off! For many people it wasn’t the new T&C that was the problem, it
was that Instagram was no longer a service we felt comfortable making our “we’re the product deal”
with.”
Rev Dan Catt, blogger
You’re the consumer: how do YOU feel
about it?
29. Do the Right Thing: Learn & Participate
• Big Data and Privacy discussions of OECD’s ITAC
http://www.internetac.org/wp-content/uploads/2012/10/UPDATE-ITAC-WPISP-v02.pdf
• NSTIC’s Privacy Evaluation Methodology
http://www.idecosystem.org/filedepot?fid=404
• European Data Protection & Privacy Conference
http://www.eu-ems.com/summary.asp?event_id=123&page_id=983
• Kuppinger Cole’s EIC – premier event for Privacy
• Listen to all sides! EPIC, EFF, Project VRM
http://epic.org/privacy/intl/eu_data_protection_directive.html
http://cyber.law.harvard.edu/projectvrm/Main_Page
30. Do the Right Thing: Scour the Web for Cool Big Data & Privacy Stuff!
• Drummond Reed’s RESPECT network puts data control
back into each user’s hands: http://respectnetwork.com/
• Kaliya Hamlin’s Personal Data Ecosystem reminds
companies to put the user back at the center of their
own data - http://pde.cc/
• Read Kord Davis’s “Ethics of Big Data: Balancing Risk and
Innovation”
http://www.goodreads.com/book/show/13230994-ethics-of-big-data
31. Do the Right Thing: Play in Standards
– If you thought XACML was not relevant yet, you’d better think ahead to
2014: http://j.mp/oasisXACML
– PMRM's model for translating & mapping privacy policies into a service
architecture: http://j.mp/oasisPMRM
– PbD-SE: Privacy by Design for Software Engineers: http://j.mp/PbDoasis
Help MAKE and IMPLEMENT open privacy standards, for access control,
policy enforcement and impact assessment!
32. What To Do About The 3 Privacy Truths
1. You can’t dodge the Law of Unintended Consequences
but when you’re processing several data sets, remind
yourself that YOU are one of the people whose privacy
is at risk and use the Golden Rule.
33. 2. Knowledge is Power: Give the power to your
customers to opt in and opt out at every
possible turn
34. 3. Standards make privacy easier to preserve.
Get involved, NOW.
http://www.oasis-open.org
The authors note that they're able to distinguish with some confidence individuals that are from the German, Italian, and French-speaking parts of Switzerland. With full re-sequencing data, it's likely that even the precise village of origin of an individual will be predictable from genetics alone.
EU Data Protection Regulation [From Wikipedia]
Scope
The regulation applies if the data controller or processor (organization) or the data subject (person) is based in the EU. Furthermore (and unlike the current Directive) the Regulation also applies to organizations based outside the European Union if they process personal data of EU residents. According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
Single Set of Rules
One single set of rules applies to all EU member states and there will be one Single Data Protection Authority (DPA) responsible for each company depending on where the Company is based or which DPA it chooses. A European Data Protection Board will coordinate the DPAs. There is an exception for employee data that still might be subject to individual country regulations.
Responsibility & Accountability
The notice requirements remain and are expanded. They must include the retention time for personal data, and contact information for the data controller and data protection officer has to be provided. Privacy by Design and by Default (Article 23) require that data protection is designed into the development of business processes for products and services privacy settings are set at a high level by default. Data Protection Impact Assessments (Article 33) have to be conducted when specific risks occur to the rights and freedoms of data subjects. Risk assessment and mitigation is required and a prior approval of the DPA for high risks. Data Protection Officers (Articles 35-37) are to ensure compliance within organizations. They have to be appointed for all public authorities and for enterprises with more than 250 employees.
Consent
Valid consent must be explicit for data collected and purposes data used (Article 7; defined in Article 4). Consent for children under 13 must be given by child’s parent or custodian, and should be verifiable (Article 8). Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn.
Data breaches
The data controller has to notify the DPA without undue delay and, where feasible, not later than 24 hours after having become aware of the data breach (Article 31). Individuals have to be notified if adverse impact is determined (Article 32).
Fines
The following fines can be imposed:
• Up to €250K or up to 0.5% of the annual global sales for intentionally or negligently not responding to requests by the data subject or the DPA
• Up to €500K or up to 1% of annual global sales for intentionally or negligently not complying with GDPR
• Up to €1,000K or up to 2% of annual global sales for intentionally or negligently not complying with specific GDPR regulations
Right to be Forgotten
Personal data has to be deleted when the individual withdraws consent or the data is no longer necessary and there is no legitimate reason for an organization to keep it. (Article 17)
Data Portability
A user shall be able to request a copy of personal data being processed in a format usable by this person and be able to transmit it electronically to another processing system. (Article 18)