This document provides an overview of privacy concerns related to social media and online data collection. It discusses how privacy has evolved from concerns over government surveillance ("Big Brother") to concerns over mutual and lateral surveillance between individuals online ("Big Other"). It outlines key definitions in data privacy law, including personal data, processing, consent, and the rights and obligations of data controllers and processors. Overall, the document examines how privacy norms and expectations have changed online and some of the ongoing challenges around data sharing, collection and use on social platforms.
15. The person who took the photo
is a real friend
http://cdn.motinetwork.net/motifake.com/image/demotivational-poster/1202/reality-drunk-reality-fail-drunkchicks-partyfail-demotivational-posters-1330113345.jpg
32. 'personal data' shall mean any information relating to
an identified or identifiable natural person ('data
subject'); an identifiable person is one who can be
identified, directly or indirectly, in particular by
reference to an identification number or to one or
more factors specific to his physical, physiological,
mental, economic, cultural or social identity
33. 'processing of personal data' ('processing') shall mean
any operation or set of operations which is performed
upon personal data, whether or not by automatic means,
such as collection, recording, organization, storage,
adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise
making available, alignment or combination, blocking,
erasure or destruction
34. 'personal data filing system' ('filing system') shall
mean any structured set of personal data which are
accessible according to specific criteria, whether
centralized, decentralized or dispersed on a
functional or geographical basis
35. 'controller' shall mean the natural or legal person, public authority,
agency or any other body which alone or jointly with others
determines the purposes and means of the processing of personal
data; where the purposes and means of processing are
determined by national or Community laws or regulations, the
controller or the specific criteria for his nomination may be
designated by national or Community law;
36. 'the data subject's consent' shall
mean any freely given specific
and informed indication of his
wishes by which the data subject
signifies his agreement to
personal data relating to him
being processed
37. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes. Further
processing of data for historical, statistical or scientific purposes shall
not be considered as incompatible provided that Member States
provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes
for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that data which are inaccurate or
incomplete, having regard to the purposes for which they were
collected or for which they are further processed, are erased or
rectified;
(e) kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the data were
collected or for which they are further processed. Member States
shall lay down appropriate safeguards for personal data stored for
longer periods for historical, statistical or scientific use.
38. Member States shall provide that personal data may be processed
only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to
which the data subject is party or in order to take steps at the
request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation
to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of
the data subject; or
(e) processing is necessary for the performance of a task carried
out in the public interest or in the exercise of official authority
vested in the controller or in a third party to whom the data are
disclosed
39. Member States shall prohibit the processing of
personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs,
trade-union membership, and the processing of data
concerning health or sex life
40. Member States shall provide that the controller or his representative must
provide a data subject from whom data relating to himself are collected
with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the
possible consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data
concerning him
in so far as such further information is necessary, having regard to the
specific circumstances in which the data are collected, to guarantee fair
processing in respect of the data subject
41. Right of access
Member States shall guarantee every data subject the right to obtain from the
controller:
(a) without constraint at reasonable intervals and without excessive delay or
expense:
- confirmation as to whether or not data relating to him are being processed and
information at least as to the purposes of the processing, the categories of data
concerned, and the recipients or categories of recipients to whom the data are
disclosed,
- communication to him in an intelligible form of the data undergoing processing
and of any available information as to their source,
- knowledge of the logic involved in any automatic processing of data concerning
him at least in the case of the automated decisions referred to in Article 15 (1);
(b) as appropriate the rectification, erasure or blocking of data the processing of
which does not comply with the provisions of this Directive, in particular because of
the incomplete or inaccurate nature of the data;
(c) notification to third parties to whom the data have been disclosed of any
rectification, erasure or blocking carried out in compliance with (b), unless this
proves impossible or involves a disproportionate effort
47. Sub-contractor
The Member States shall provide that the controller must, where
processing is carried out on his behalf, choose a processor
providing sufficient guarantees in respect of the technical security
measures and organizational measures governing the processing
to be carried out, and must ensure compliance with those
measures
48. The carrying out of processing by way of a processor must be
governed by a contract or legal act binding the processor to the
controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations as defined by the law of the Member State in
which the processor is established, shall also be incumbent on the
processor
54. Article 16
Confidentiality of processing
Any person acting under the authority of the controller or of the
processor, including the processor himself, who has access to
personal data must not process them except on instructions from
the controller, unless he is required to do so by law
55. Member States shall provide that the controller must implement
appropriate technical and organizational measures to protect
personal data against accidental or unlawful destruction or
accidental loss, alteration, unauthorized disclosure or access, in
particular where the processing involves the transmission of data
over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their
implementation, such measures shall ensure a level of security
appropriate to the risks represented by the processing and the
nature of the data to be protected.
60. Where does one steal data?
• Banks
• Hospitals
• Ministries
• Police
• Newspapers
• Telecoms
• ...
Which devices are stolen?
• USB
• Laptops
• Hard disks
• Papers
• Binders
• Cars
69. By giving people the power to share, we're
making the world more transparent.
The question isn't, 'What do we want to
know about people?', It's, 'What do
people want to tell about themselves?'
Data privacy is outdated!
Mark Zuckerberg
If you have something that you don’t want
anyone to know, maybe you shouldn’t be
doing it in the first place.
Eric Schmidt
75. Privacy statement confusion
• 53% of consumers consider that a privacy statement
means that data will never be sold or given away
• Only 43% have read a privacy statement
• Only 45% use different email addresses
• 33% change passwords regularly
• 71% decide not to register or purchase due to a
request for unneeded information
• 41% provide fake info
Source: TRUSTe survey
88. Evaluation and Comparison of Privacy Policies - Accessibility/User-Friendliness

| | Facebook | Foursquare | Google Buzz | LinkedIn | Twitter |
|---|---|---|---|---|---|
| Number of words | 5,860 words | 2,436 words | 1,094 words | 5,650 words | 1,287 words |
| Comparison to average privacy policy (based on 2,462 words) | Above average | Below average (but very close to the average) | Below average | Above average | Below average |
| Time it takes to read (based on an average reading speed of 244 words/minute) | Approx. 24 minutes | Approx. 10 minutes | Approx. 5 minutes | Approx. 23 minutes | Approx. 5 minutes |
| Direct link to its actual privacy policy from the index page | No | Yes | Yes | Yes | Yes |
| Availability in languages other than English | Yes | Yes | Yes | Yes | Yes |
| Detailed explanation of privacy control/protection | Yes | Yes | Yes | No | No |
| TRUSTe-verified | Yes | No | No | Yes | No |
| Links to and/or mentions U.S. Dept. of Commerce “Safe Harbor Privacy Principles” | Yes | No | Yes | Yes | No |
| Availability of contact information in case of questions | Yes | Yes | No | Yes | Yes |
| Coverage of kids' privacy | Yes | Yes | No | Yes | Yes |
| Contains the clause that it reserves the right to change the privacy policy at any time | Yes, but users will be notified | Yes, but users will be notified | [not recoverable] | Yes, but users will be notified of material changes | Yes, but users will be notified of material changes |

Source: http://www.psl.cs.columbia.edu/classes/cs6125-s11/presentations/2011/Presentation_Joyce_Chen.ppt (Why don’t we read privacy policies)
89. Evaluation and Comparison of Privacy Policies – “Content”

| | Facebook | Foursquare | Google Buzz | LinkedIn | Twitter |
|---|---|---|---|---|---|
| Allowance of an opt-out option | Yes | Yes | Yes | Yes | Yes |
| Allowance of third-party access to users’ information | Yes/No, depending on a user’s sharing setting and the information shared | Yes | Yes | Yes | Yes |
| Discussion of the usage of cookie or tracking tools | Yes | Yes | Not specified; but Google states that it records users’ use of their products | Yes | Yes |
| Explicit statement of what type of information they share with third parties | Yes | Yes | Yes | Yes | Yes |
| Sharing of users’ location data | Yes | Yes | Yes | Unclear; not mentioned in the Privacy Policy | Yes |

Source: http://www.psl.cs.columbia.edu/classes/cs6125-s11/presentations/2011/Presentation_Joyce_Chen.ppt (Why don’t we read privacy policies)
90. Evaluation and Comparison of Account Creation Process

| | Facebook | Foursquare | Google Buzz | LinkedIn | Twitter |
|---|---|---|---|---|---|
| Number of fields required during the initial account creation | 9 | 10 | Zero if you have a Gmail account | 4 | 6 |
| Details that are required for a user to create an account | First name, last name, email, password, gender, birthday | First name, last name, password, email, phone, location, gender, birthday, photo | None if you have a Gmail account | First name, last name, email, password | First name, username, password, email, “let others find me by my email,” “I want the inside scoop” |
| Availability of explanation on required information | Yes | Yes | Information on how Google Buzz works is available | No | Yes, actually includes the entire Terms of Service in a text area box |

Source: http://www.psl.cs.columbia.edu/classes/cs6125-s11/presentations/2011/Presentation_Joyce_Chen.ppt (Why don’t we read privacy policies)
92. DATA PRIVACY & THE EMPLOYER
http://i.telegraph.co.uk/multimedia/archive/02183/computer-cctv_2183286b.jpg
93. SO CALLED HIDDEN COSTS
http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/
96. RISKS
IMAGE SOURCE: http://www.tunisie-news.com/artpublic/auteurs/auteur_4_jaouanebrahim.html
97. Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University
98. The new head of MI6 has been left
exposed by a major personal security
breach after his wife published
intimate photographs and family
details on the Facebook website.
Sir John Sawers is due to take over
as chief of the Secret Intelligence
Service in November, putting him in
charge of all Britain's spying
operations abroad.
But his wife's entries on the social
networking site have exposed
potentially compromising details
about where they live and work, who
their friends are and where they
spend their holidays.
http://www.dailymail.co.uk
99. Social Media Spam
Compromised Facebook
account. Victim is now
promoting a shady
pharmaceutical
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
100. Social Media Phishing
To: T V V I T T E R.com
Now they will have
your username and
password
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
101. Social Media Malware
Clicking on the
links takes you
to sites that will
infect your
computer
with malware
Source: Social Media: Manage the Security to Manage Your Experience;
Ross C. Hughes, U.S. Department of Education
105. Take my stuff, please!
Source: The Risks of Social Networking IT Security Roundtable Harvard Townsend
Chief Information Security Officer Kansas State University
107. Right to be forgotten
• On 13.05.2014 the European Union Court of
Justice backed a ruling called “the right to be
forgotten,” which allows individuals to control
their data and ask search engines, such as Google,
to remove inadequate personal results from the
Internet.
• However, the decision cannot be interpreted as a
“victory” for the protection of the personal data
of Europeans, according to privacy experts.
108. • In 2010 a Spanish citizen lodged a complaint against a Spanish
newspaper with the national Data Protection Agency and
against Google Spain and Google Inc.
• The citizen complained that an auction notice of his
repossessed home on Google’s search results infringed his
privacy rights because the proceedings concerning him had
been fully resolved for a number of years and hence the
reference to these was entirely irrelevant.
• He requested, first, that the newspaper be required either to
remove or alter the pages in question so that the personal
data relating to him no longer appeared;
• and second, that Google Spain or Google Inc. be required to
remove the personal data
109. • In its ruling of 13 May 2014 the EU Court said:
• a) On the territoriality of EU rules: Even if the physical server of a
company processing data is located outside Europe, EU rules apply
to search engine operators if they have a branch or a subsidiary in
a Member State which promotes the selling of advertising space
offered by the search engine;
• b) On the applicability of EU data protection rules to a search
engine: Search engines are controllers of personal data. Google can
therefore not escape its responsibilities before European law when
handling personal data by saying it is a search engine. EU data
protection law applies and so does the right to be forgotten.
• c) On the “Right to be Forgotten”: Individuals have the right -
under certain conditions - to ask search engines to remove links
with personal information about them. This applies where the
information is inaccurate, inadequate, irrelevant or excessive for the
purposes of the data
110. • At the same time, the Court explicitly clarified
that the right to be forgotten is not absolute but
will always need to be balanced against other
fundamental rights, such as the freedom of
expression and of the media
111. • Right to erasure (future rules?)
• 1. The data subject shall have the right to obtain from the
controller the erasure of personal data relating to them and the
abstention from further dissemination of such data, and to
obtain from third parties the erasure of any links to, or copy or
replication of that data, where one of the following grounds
applies:
• (a) the data are no longer necessary in relation to the purposes
for which they were collected or otherwise processed
• (b) the data subject withdraws consent on which the processing
is based according
• (c) when the storage period consented to has expired and
where there is no other legal ground for the processing of the
data
112. New EU Regulation
• right to be forgotten
• no more notification to data privacy authorities
• data privacy officer
• up to 2% turnover penalty
• information of data theft
113. Control by the employer
IMAGE SOURCE: http://blog.loadingdata.nl/2011/05/chinese-privacy-protection-to-top-american/
131. “It is not the strongest of the species that survives,
nor the most intelligent that survives.
It is the one that is the most adaptable to change.”
C. Darwin