Chapter_4

Chapter Four discusses information privacy, defining it and its aspects in the context of modern technology and data collection. It highlights the importance of privacy principles, the role of Chief Privacy Officers, and the legal frameworks governing privacy in different regions. The chapter emphasizes the need for organizations to manage personal information responsibly and transparently to protect individuals' privacy rights.


CHAPTER FOUR

Information Privacy

Prof. Hatem Abd-Elkader


Dr. Sherif M. Tawfik
Learning Objectives
1. Introduction
2. Defining privacy
3. Information privacy
4. Information privacy aspects
5. ICT - Information privacy
6. The Fair Information Principles
7. Chief Privacy Officer
8. Chief Privacy Officer – Organization structure
9. Examples

Introduction
• Perhaps modern life is actually more private
than life centuries ago
– Most people don’t live with extended
families
– Automobile allows us to travel alone
– Television v. public entertainment
• Challenge: we now live among strangers

Introduction
• Collection, exchange, combination, and
distribution of information easier than ever.
• This leads to reduced privacy.
• Scott McNealy: “You have zero privacy anyway.
Get over it.”
• We will consider how we leave an “electronic
trail” of information behind us and what others
can do with this info

Defining Privacy

• Privacy related to notion of access


• Access
– Physical proximity to a person
– Knowledge about a person
• Privacy is a “zone of inaccessibility”

Do People Have the Right to Be Left Alone?

Information Privacy
• Information privacy in the information age
• Organizations and government are asking for and collecting more
private information about people than ever before.
• Most people are sharing more private information than ever before.
• Government departments and agencies around the world are facing
increasing pressure to provide more access to data they have collected.
This pressure is accompanied by demands that data access be interactive
and meet the needs of end users, rather than the reporting requirements
of the organization releasing the data.
Information Privacy
• There are three aspects to information privacy:
1. Disclosure control
2. Sensitive Data
3. Affected parties

Information Privacy Aspects
1. Disclosure control
• The extent to which control can be exercised over the
disclosure of information.
• Disclosure control refers to the measures taken to
protect data in accordance with confidentiality
requirements. The goal is to ensure that the
confidentiality protection provisions are met while
preserving the usefulness of the data outputs to the
greatest extent possible.

Information Privacy Aspects
2. Sensitive data
• Sensitive information is data that must be protected from
unauthorized access to safeguard the privacy or security of
an individual or organization.
• There are three main types of sensitive information:
1. Personal information: Such information includes
biometric data, medical information, personally identifiable
financial information (PIFI) and unique identifiers such as
passport or Social Security numbers. Threats include not only
crimes such as identity theft but also disclosure of personal
information that the individual would prefer remained
private. Sensitive PII should be encrypted both in transit and at rest.
Information Privacy Aspects
2. Business information: It includes anything that poses a risk to
the company in question if discovered by a competitor or the
general public. Such information includes trade secrets, financial
data and supplier and customer information, among other
possibilities. With the ever-increasing amount of data generated
by businesses, methods of protecting corporate information from
unauthorized access are becoming integral to corporate security.
These methods include metadata management and document
sanitization

3. Classified information: Classified information pertains to a
government body and is restricted according to level of sensitivity
(for example, restricted, confidential, secret and top secret).
Information is generally classified to protect security. Once the
risk of harm has passed or decreased, classified information may
be declassified and, possibly, made public.
Information Privacy Aspects
3. Affected parties
• The party or parties that would be negatively impacted by
the disclosure of private information.
• As an example, let’s say company A is developing a phone and
company B is helping with a design component. If company B is
breached, company A is vulnerable to having sensitive information
exposed—which could be catastrophic.

Information and Communication
Technology
• Information and communication technologies (ICTs) have been widely
adopted in recent years.

1. Developments in information technology
2. Internet
3. Social media
4. Big Data
5. Mobile devices
6. The Internet of Things
7. E-Government

ICT - Information Privacy
• ICTs have created several critical and serious threats to
individual privacy:
1. Data collection
2. Lack of informed consent
3. Loss of control
4. Ownership of data

Privacy and the Law
• Privacy laws differ from country to country. This situation is
problematic in the information age because private data can easily
cross geographic or political boundaries.
• Privacy law in the United States
• The Privacy Act of 1974 regulates how personal data are collected
and maintained by federal agencies.
• Additional laws regulate the collection and maintenance of
personal data by other organizations.
• Privacy law outside the United States
• The EU’s Data Protection Directive (since superseded by the General
Data Protection Regulation) requires that both governments and
organizations strictly adhere to the information collection
practices noted previously.

Commercial Website Privacy
Control
• Commercial websites in the United States are not bound
by the same privacy standards as government websites.
• Many commercial websites establish and publish a privacy
policy that details the way in which personal
information is collected and how that information will be
used and shared.

The Fair Information Principles
• Fair Information Practices are a set of principles and
practices that describe how an information-based society
may approach information handling, storage, management,
and flows with a view toward maintaining fairness, privacy,
and security in a rapidly evolving global technology
environment.
• The first steps toward formally codifying Fair Information
Practices began in July 1973, when an advisory committee
of the U.S. Department of Health, Education and Welfare
proposed a set of information practices to address a lack of
protection under the law at that time.
• The resulting HEW report, Records, Computers and the
Rights of Citizens: report of the Secretary’s Advisory
The Fair Information Principles
1. Notice/Awareness
• The most fundamental principle is notice.
• Persons should be given notice of an entity's
information practices before any personal information is
collected from them.
• Without notice, a person cannot make an informed
decision as to whether and to what extent to disclose
personal information.
• Moreover, three of the other principles discussed below
-- choice/consent, access/participation, and enforcement
-- are only meaningful when a person has notice of
an entity's policies and his or her rights.
The Fair Information Principles
• Notice of some or all of the following has been recognized as
essential to ensuring that persons are properly informed before giving
personal information:
• Identification of the entity collecting the data;
• Identification of the uses to which the data will be put;
• Identification of any potential recipients of the data;
• The nature of the data collected and the means by which it is
collected.
 Passively, by means of electronic monitoring.
 Actively, by asking the person to provide the information.
• Whether the provision of the requested data is voluntary or required,
and the consequences of a refusal to provide the requested
information; and the steps taken by the data collector to ensure the
confidentiality, integrity and quality of the data.
The Fair Information Principles
• Some information practice codes state that the notice
should also identify any rights available to the person,
including:
• Any choice respecting the use of the data.
• Whether the person has been given a right of access to the
data.
• The ability of the person to contest inaccuracies.
• The availability of redress for violations of the practice
code
• How such rights can be exercised.
The Fair Information Principles
• In the Internet context, notice can be accomplished easily by
the posting of an information practice disclosure describing
an entity's information practices on a company's site on the
Web.
• To be effective, such a disclosure should be clear and
conspicuous, posted in a prominent location, and readily
accessible from both the site's home page and any Web page
where information is collected from the person.
• It should also be unavoidable and understandable so that it
gives persons meaningful and effective notice of what will
happen to the personal information they are asked to provide.
The Fair Information Principles
2. Choice/Consent
• Choice means giving persons options as to how any
personal information collected from them may be used.
• Specifically, choice relates to secondary uses of
information -- i.e., uses beyond those necessary to
complete the contemplated transaction. Such secondary
uses can be:
• Internal, such as placing the consumer on the collecting
company's mailing list in order to market additional
products or promotions
• External, such as the transfer of information to third
parties.
The Fair Information Principles
• Two types of choice/consent regimes have been considered: opt-in or
opt-out.
 Opt-in regimes require affirmative steps by the person to allow the
collection and/or use of information.
 Opt-out regimes require affirmative steps to prevent the collection
and/or use of such information.
• Choice can also involve more than a binary yes/no option. Entities
can, and do, allow persons to tailor the nature of the information they
reveal and the uses to which it will be put.
• Thus, for example, persons can be provided separate choices as to
whether they wish to be on a company's general internal mailing list or
a marketing list sold to third parties. In order to be effective, any
choice regime should provide a simple and easily-accessible way for
consumers to exercise their choice.
The Fair Information Principles
3. Access/Participation
• Access refers to an individual's ability both to access
data about him or herself:
• To view the data in an entity's files
• To contest that data's accuracy and completeness.
• Both are essential to ensuring that data are accurate and
complete.
• To be meaningful, access must include a mechanism by which the data
collector can verify the information, and the means by
which corrections and/or a person's objections can be added
to the data file and sent to all data recipients.
The Fair Information Principles
4. Integrity/Security
• To assure data integrity, collectors must take reasonable steps,
such as using only reputable sources of data and cross-
referencing data against multiple sources, providing consumer
access to data, and destroying untimely data or converting it to
anonymous form.
• Security involves both managerial and technical measures to
protect against loss and the unauthorized access, destruction, use,
or disclosure of the data.
• Managerial measures include internal organizational measures that limit
access to data and ensure that those individuals with access do not utilize
the data for unauthorized purposes.
• Technical security measures to prevent unauthorized access include
encryption in the transmission and storage of data; limits on access
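The slide above names two kinds of safeguard: managerial measures that limit who may use data and for what, and technical measures that limit access. The Python below is an added example, not part of the lecture, that makes both concrete for a store of protected health information: a field-level authorization rule tied to the user's role and treatment relationship, and a review pass over a constructed audit log that re-applies the rule and flags a user reading clinical records of several patients not assigned to them (the kind of inappropriate-access monitoring the Chief Privacy Officer section later assigns jointly to the privacy and security officers). The record fields, roles, assignment rule, tab-separated log format and sample log lines are all assumptions chosen for illustration.

```python
"""Purpose-limited access to sensitive records, plus an audit-log review
that re-applies the rule and flags snooping.

Added example, not from the lecture. The record fields, roles, the
'treatment relationship' rule, the tab-separated log format and the
log lines themselves are all constructed for illustration.
"""
from dataclasses import dataclass

CLINICAL = {"diagnosis", "notes"}  # fields that need a treatment relationship, not just a role

# Which staff member is assigned to which patient (the treatment relationship).
ASSIGNMENTS = {
    "dr_lee": {"P100", "P101"},
    "dr_ortiz": {"P102"},
    "nurse_k": {"P100", "P101", "P102"},
}

# Which fields each role may read at all; billing never sees clinical data.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "notes"},
    "nurse": {"name", "dob", "diagnosis"},
    "billing": {"name", "insurance_id"},
}
ROLES = {"dr_lee": "clinician", "dr_ortiz": "clinician", "nurse_k": "nurse", "bill_1": "billing"}


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    patient: str
    field: str
    purpose: str


def authorize(user, patient, field):
    """Technical control: allow a read only if the role permits the field and,
    for clinical fields, the user is assigned to that patient."""
    role = ROLES.get(user)
    if role is None or field not in ROLE_FIELDS[role]:
        return False
    if field in CLINICAL:
        return patient in ASSIGNMENTS.get(user, set())
    return True


# Constructed audit log: timestamp, user, patient, field, declared purpose.
SAMPLE_LOG = """\
2024-03-01T08:01:00\tdr_lee\tP100\tdiagnosis\ttreatment
2024-03-01T08:05:00\tnurse_k\tP102\tdiagnosis\ttreatment
2024-03-01T08:07:00\tbill_1\tP101\tinsurance_id\tbilling
2024-03-01T08:09:00\tbill_1\tP101\tdiagnosis\tbilling
2024-03-01T12:30:00\tdr_ortiz\tP100\tnotes\ttreatment
2024-03-01T12:31:00\tdr_ortiz\tP101\tnotes\ttreatment
2024-03-01T12:32:00\tdr_ortiz\tP100\tdiagnosis\ttreatment
"""


def parse_log(text):
    return [Access(*line.split("\t")) for line in text.splitlines() if line.strip()]


def review(log, snoop_threshold=2):
    """Managerial control made operational: re-run the authorization rule over
    the log (catches reads the enforcement point should have denied, and
    shows what would leak if it were bypassed), then flag users who read
    clinical fields of at least `snoop_threshold` patients they are not
    assigned to, the typical snooping pattern."""
    denied = [a for a in log if not authorize(a.user, a.patient, a.field)]
    unassigned_patients = {}
    for a in log:
        if a.field in CLINICAL and a.patient not in ASSIGNMENTS.get(a.user, set()):
            unassigned_patients.setdefault(a.user, set()).add(a.patient)
    snoopers = sorted(u for u, p in unassigned_patients.items() if len(p) >= snoop_threshold)
    return {"denied": denied, "snoopers": snoopers}


if __name__ == "__main__":
    result = review(parse_log(SAMPLE_LOG))
    for a in result["denied"]:
        print("DENY", a.ts, a.user, a.patient, a.field, a.purpose)
    print("snooping pattern:", result["snoopers"])
```

On the constructed log the review denies four reads (a billing user reading a diagnosis, and a clinician reading records of patients not on their list) and names dr_ortiz as the one snooping pattern; the declared purpose field is logged but deliberately not trusted, since the rule is evaluated against assignments, not against what the reader claims.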
The Fair Information Principles
5. Enforcement
• It is generally agreed that the core principles of
privacy protection can only be effective if there is a
mechanism in place to enforce them.
• Absent an enforcement mechanism, a fair information
practice code is merely suggestive rather than
prescriptive, and does not ensure compliance with core
fair information practice principles.

The Fair Information Principles
as put into Canadian Law
• These principles are included in the
Personal Information Protection and Electronic Documents
Act
(PIPEDA), Canada’s private-sector privacy law, and called
"Privacy Principles".

 Principle 1 — Accountability
An organization is responsible for personal information under
its control and shall designate an individual or individuals
who are accountable for the organization’s compliance with
the following principles.
The Fair Information Principles
as put into Canadian Law
 Principle 2 — Identifying Purposes
The purposes for which personal information is collected
shall be identified by the organization at or before the time
the information is collected.
 Principle 3 — Consent
The knowledge and consent of the individual are required for
the collection, use, or disclosure of personal information,
except where inappropriate.
 Principle 4 — Limiting Collection
The collection of personal information shall be limited to that
which is necessary for the purposes identified by the
organization.
The Fair Information Principles
as put into Canadian Law
 Principle 5 — Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for
purposes other than those for which it was collected, except
with the consent of the individual or as required by law.
Personal information shall be retained only as long as
necessary for the fulfilment of those purposes.
 Principle 6 — Accuracy
Personal information shall be as accurate, complete, and up-
to-date as is necessary for the purposes for which it is to be
used.
 Principle 7 — Safeguards
Personal information shall be protected by security
safeguards appropriate to the sensitivity of the information.
The Fair Information Principles
as put into Canadian Law
 Principle 8 — Openness
An organization shall make readily available to individuals specific
information about its policies and practices relating to the management
of personal information.
 Principle 9 — Individual Access
Upon request, an individual shall be informed of the existence, use, and
disclosure of his or her personal information and shall be given access
to that information. An individual shall be able to challenge the
accuracy and completeness of the information and have it amended as
appropriate.
 Principle 10 — Challenging Compliance
An individual shall be able to address a challenge concerning
compliance with the above principles to the designated individual or
individuals accountable for the organization’s compliance.
Chief Privacy Officer
• The chief privacy officer (CPO) is a senior level
executive within a business or organization.
• Why one is needed
– There is legislation in different sectors concerning the use of
personal information. For example, in medical industry, the
protection of patient medical records (e.g. The Health
Insurance Portability and Accountability Act of 1996, or
HIPAA). Another example is in the finance sector with the
safeguarding of consumer financial and banking transactions
(e.g. The Fair Credit Reporting Act and its Disposal Rule, and
the Gramm-Leach-Bliley Act and its Safeguards Rule and
Financial Privacy Rule).
Chief Privacy Officer
• General Purpose: The Privacy Officer is
responsible for the organization's Privacy Program
including but not limited to daily operations of the
program, development, implementation, and
maintenance of policies and procedures, monitoring
program compliance, investigation and tracking of
incidents and breaches, and ensuring persons' rights in
compliance with federal and state laws.

Chief Privacy Officer
• Responsibilities:
– Builds a strategic and comprehensive privacy program that
defines, develops, maintains and implements policies and
processes that enable consistent, effective privacy practices
which minimize risk and ensure the confidentiality of protected
information, paper and/or electronic, across all media types.
Ensures privacy forms, policies, standards, and procedures are
up-to-date.
– Works with organization senior management, security, and
corporate officers to establish governance for the privacy
program.
– Performs or oversees initial and periodic information privacy
risk assessment/analysis, mitigation and remediation.
Chief Privacy Officer
• Responsibilities:
– Establishes, with the information security officer, an ongoing
process to track, investigate and report inappropriate access
and disclosure of protected health information. Monitor
patterns of inappropriate access and/or disclosure of protected
health information.
– Takes a lead role, to ensure the organization has and maintains
appropriate privacy and confidentiality consents, authorization
forms and information notices and materials reflecting current
organization and legal practices and requirements.
– Establishes and administers a process for investigating and
acting on privacy and security complaints
Chief Privacy Officer
• Responsibilities:
– Maintains current knowledge of applicable federal and state
privacy laws and accreditation standards.
– Works with organization administration, legal counsel, and
other related parties to represent the organization's information
privacy interests with external parties (state or local
government bodies) who undertake to adopt or amend privacy
legislation, regulation, or standard.
– Initiates, facilitates and promotes activities to foster
information privacy awareness within the organization and
related entities.

Chief Privacy Officer
• Qualifications:
– Baccalaureate degree in computer science or management
information systems or a related field.
– Recommended privacy certification such as Certified in
Information Privacy and Security.
– Demonstrated organization, facilitation, written and oral
communication, and presentation skills.
– Demonstrated skills in providing excellent service to
customers

Case Study: New Parents
• Sullivans have a baby girl
• Both work; they are concerned about
performance of full-time nanny
• Purchase program that allows monitoring
through laptop’s camera placed in family
room
• They do not inform nanny she is being
monitored
Public Records
• Public record: information about an incident or action
reported to a government agency for purpose of
informing the public
• Examples: birth certificates, marriage licenses, motor
vehicle records, criminal records, deeds to property
• Computerized databases and Internet have made public
records much easier to access

Records Held by Private Organizations

• Credit card purchases


• Purchases made with loyalty cards
• Voluntary disclosures
• Posts to social network sites

Data Gathering and Privacy Implications

• Facebook tags
• Enhanced 911 services
• Rewards or loyalty programs
• Body scanners
• RFID tags
• Implanted chips
• Mobile apps
• OnStar
• Automobile “black boxes”
• Medical records
• Digital video recorders
• Cookies and flash cookies
Facebook Tags
• Tag: Label identifying a person in a photo
• Facebook allows users to tag people who are on
their list of friends
• About 100 million tags added per day on Facebook
• Facebook uses facial recognition to suggest name
of friend appearing in photo
• Does this feature increase risk of improper
tagging?

Enhanced 911 Services
• Cell phone providers in United States
required to track locations of active cell
phones to within 100 meters
• Allows emergency response teams to reach
people in distress
• What if this information is sold or shared?

Rewards or Loyalty Programs
• Shoppers who belong to store’s rewards program
can save money on many of their purchases
• Computers use information about buying habits to
provide personalized service
– ShopRite computerized shopping carts with pop-up ads
• Do card users pay less, or do non-users get
overcharged?

Body Scanners
• Some department stores have 3-D body
scanners
• Computer can use this information to
recommend clothes
• Scans can also be used to produce custom-
made clothing

Body Scanner Takes
Measurements

RFID Tags
• RFID: Radio frequency identification
• An RFID tag is a tiny wireless transmitter
• Manufacturers are replacing bar codes with
RFID tags
– Contain more information
– Can be scanned more easily
• If tag cannot be removed or disabled, it
becomes a tracking device
RFID Tags Speed Inventory
Process

Implanted Chips
• Taiwan: Every domesticated dog must have
an implanted microchip
– Size of a grain of rice; implanted into ear
– Chip contains name, address of owner
– Allows lost dogs to be returned to owners
• RFID tags approved for use in humans
– Can be used to store medical information
– Can be used as a “debit card”
Mobile Apps
• Many apps on Android smartphones and
iPhones collect location information and
sell it to advertisers and data brokers
– Angry Birds
– Brightest Flashlight
• Flurry: a company specializing in analyzing
data collected from mobile apps
– Has access to data from > 500,000 apps
OnStar
• OnStar manufactures communication
system incorporated into rear-view mirror
• Emergency, security, navigation, and
diagnostics services provided subscribers
• Two-way communication and GPS
• Automatic communication when airbags
deploy
• Service center can even disable gas pedal
Automobile “Black Boxes”
• Modern automobiles come equipped with a “black
box”
• Maintains data for five seconds:
– Speed of car
– Amount of pressure being put on brake pedal
– Seat belt status
• After an accident, investigators can retrieve and
gather information from “black box”

Medical Records
• Advantages of changing from paper-based
to electronic medical records
• Quicker and cheaper for information to be
shared among caregivers
– Lower medical costs
– Improve quality of medical care
• Once information in a database, more
difficult to control how it is disseminated
Digital Video Recorders
• TiVo service allows subscribers to record
programs and watch them later
• TiVo collects detailed information about
viewing habits of its subscribers
• Data collected second by second, making it
valuable to advertisers and others interested
in knowing viewing habits

Cookies
• Cookie: File placed on computer’s hard drive by a
Web server
• Contains information about visits to a Web site
• Allows Web sites to provide personalized services
• Put on hard drive without user’s permission
• You can set Web browser to alert you to new
cookies or to block cookies entirely

Flash Cookies
• Flash cookie: File placed on your computer’s hard drive by
a Web server running the Adobe Flash Player
• Flash cookie can hold 25 times as much information as a
browser cookie
• Flash cookies not controlled by browser’s privacy controls
• Some Web sites use flash cookies as a way of backing up
browser cookies. If you delete browser cookie, it can be
“respawned” from the flash cookie
• Half of 100 most popular Web sites use flash cookies

Data Mining Defined
• Searching records in one or more databases,
looking for patterns or relationships
• Can be used to create profiles of individuals
• Allows companies to build more personal
relationships with customers

Google’s Personalized Search
• Secondary use: Information collected for one
purpose used for another purpose
• Google keeps track of your search queries
and Web pages you have visited
– It uses this information to infer your interests
and determine which pages to return
– Example: “bass” could refer to fishing or music
• Also used by retailers for direct marketing
Secondary Uses of Information

Collaborative Filtering
• Form of data mining
• Analyze information about preferences of
large number of people to predict what one
person may prefer
– Explicit method: people rank preferences
– Implicit method: keep track of purchases
• Used by online retailers and movie sites

Ownership of Transaction Information

• Who controls transaction information?


– Buyer?
– Seller?
– Both?
• Opt-in: Consumer must explicitly give permission before
the organization can share info
• Opt-out: Organization can share info until consumer
explicitly forbids it
• Opt-in is a barrier for new businesses, so direct marketing
organizations prefer opt-out

Targeting Pregnant Women
• Most people keep shopping at the same stores, but
new parents have malleable shopping habits
• Targeting pregnant women a good way to attract new
customers
• Target did data mining to predict customers in second
trimester of pregnancy
– Large amounts of unscented lotion, extra-large bags of
cotton balls, nutritional supplements
• Mailings included offers for unrelated items with
offers for diapers, baby clothes, etc.
Credit Reports
• Example of how information about customers can
itself become a commodity
• Credit bureaus
– Keep track of an individual’s assets, debts, and history
of paying bills and repaying loans
– Sell credit reports to banks, credit card companies, and
other potential lenders
• System gives you more choices in where to
borrow money
• Poor credit can hurt employment prospects
Targeted Direct Mail
• Businesses mail advertisements only to those most likely
to purchase products
• Data brokers provide customized mailing lists created from
information gathered online and offline
• Example of making inferences for targeted direct mail
– Shopping for clothes online + frequent fast-food dining +
subscribing to premium cable TV channels → more likely to be
obese
• Two shoppers visiting same site may pay different prices
based on inferences about their relative affluence

Microtargeting
• Political campaigns determine voters most likely
to support particular candidates
– Voter registration
– Voting frequency
– Consumer data
– GIS data
• Target direct mailings, emails, text messages,
home visits to most likely supporters

Netflix Prize
• Netflix offered $1 million prize to any group that could
come up with a significantly better algorithm for
predicting user ratings (2006)
• Released more than 100 million movie ratings from a half
million customers
– Stripped ratings of private information
• Researchers demonstrated that ratings not truly anonymous
if a little more information from individuals was available
• U.S. Federal Trade Commission complaint and lawsuit
• Netflix canceled sequel to Netflix Prize (2010)

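The Netflix case above and the "disclosure control" aspect defined earlier in the chapter (protect confidentiality while keeping the output as useful as possible) are two sides of one mechanism. The Python below is an added example, not from the lecture and not the Netflix researchers' method: it runs a linkage attack against a constructed "de-identified" table by joining it to a constructed public table on the attributes they share, then applies the standard disclosure-control remedy, generalising those attributes just far enough that every record is indistinguishable from at least k-1 others (k-anonymity), and shows the same join no longer yields unique matches. The tables use demographic quasi-identifiers rather than movie ratings, and both tables, the generalisation levels and the column names are assumptions chosen to show the mechanism.

```python
"""Linkage re-identification of a 'de-identified' release, and the
disclosure-control fix: generalise quasi-identifiers to k-anonymity.

Added example, not from the lecture. Both tables are constructed and
tiny; the attack uses demographic quasi-identifiers rather than movie
ratings, but the mechanism is the one the Netflix Prize case shows:
the release carries no names, yet the attributes it keeps match a
second, public dataset that does.
"""
from collections import Counter, defaultdict

# Constructed "de-identified" release: names removed, quasi-identifiers kept.
RELEASE = [
    {"zip": "02138", "birth_year": 1964, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1965, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1964, "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1966, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02141", "birth_year": 1965, "sex": "F", "diagnosis": "flu"},
    {"zip": "02141", "birth_year": 1967, "sex": "M", "diagnosis": "asthma"},
]

# Constructed public auxiliary data (think: a voter roll) with the same attributes plus names.
VOTERS = [
    {"name": "Alice Adams", "zip": "02138", "birth_year": 1964, "sex": "F"},
    {"name": "Beth Brown", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "Carl Cole", "zip": "02139", "birth_year": 1964, "sex": "M"},
    {"name": "Dan Diaz", "zip": "02139", "birth_year": 1966, "sex": "M"},
    {"name": "Eve Evans", "zip": "02141", "birth_year": 1965, "sex": "F"},
    {"name": "Fred Fox", "zip": "02141", "birth_year": 1967, "sex": "M"},
]

QI = ("zip", "birth_year", "sex")  # the quasi-identifiers both tables share


def qi_key(row):
    return tuple(row[a] for a in QI)


def link(release, aux):
    """Linkage attack: join on the quasi-identifiers and return
    name -> diagnosis for each release row matching exactly one person."""
    names_by_key = defaultdict(list)
    for person in aux:
        names_by_key[qi_key(person)].append(person["name"])
    reidentified = {}
    for row in release:
        names = names_by_key.get(qi_key(row), [])
        if len(names) == 1:  # an ambiguous match is not a re-identification
            reidentified[names[0]] = row["diagnosis"]
    return reidentified


def generalize(row, zip_digits, year_bucket, keep_sex=True):
    """Disclosure control by generalisation: keep only the leading ZIP digits,
    bucket the birth year, optionally drop sex. Other columns (the useful
    diagnosis, or a name in the attacker's table) pass through unchanged."""
    out = dict(row)
    lo = row["birth_year"] - row["birth_year"] % year_bucket
    out["zip"] = row["zip"][:zip_digits] + "*" * (len(row["zip"]) - zip_digits)
    out["birth_year"] = f"{lo}-{lo + year_bucket - 1}"
    if not keep_sex:
        out["sex"] = "*"
    return out


def k_anonymity(rows):
    """Size of the smallest equivalence class over the quasi-identifiers;
    the table is k-anonymous for every k up to this value."""
    return min(Counter(qi_key(r) for r in rows).values())


# Generalisation levels from least to most lossy: (ZIP digits kept, year bucket, keep sex).
LEVELS = [(5, 1, True), (3, 5, True), (3, 10, True), (0, 10, False)]


def anonymize(release, k):
    """Apply the least lossy level that reaches k-anonymity, so the output
    stays as useful as the confidentiality requirement allows.
    Returns (table, level), or (None, None) if no level reaches k."""
    for level in LEVELS:
        out = [generalize(r, *level) for r in release]
        if k_anonymity(out) >= k:
            return out, level
    return None, None


if __name__ == "__main__":
    print("raw release k =", k_anonymity(RELEASE), "re-identified:", link(RELEASE, VOTERS))
    anon, level = anonymize(RELEASE, 2)
    # The attacker generalises the voter roll the same way; every key now maps to several names.
    aux = [generalize(v, *level) for v in VOTERS]
    print("after", level, "k =", k_anonymity(anon), "re-identified:", link(anon, aux))
```

On the raw release every row is unique on the quasi-identifiers (k = 1) and the join recovers all six diagnoses by name; at the first level that reaches k = 2 the same join returns nothing, because each key now covers three people. The diagnosis column is never touched, which is the usefulness the slides ask disclosure control to preserve; what is lost is the precision of ZIP code and birth year, and the `LEVELS` order is the policy choice of what to give up first.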
AOL Search Dataset
• AOL researcher Dr. Chowdhury posted three months’
worth of user queries from 650,000 users (2006)
• No names used; random integers used to label all queries
from particular users
• Researchers identified some users from queries; e.g., many
people performed searches on their own names
• New York Times investigation led to public outcry
• AOL took down dataset, but already copied and reposted
• AOL fired Dr. Chowdhury and his supervisor

Marketplace: Households
• Lotus Development Corporation developed CD
with information on 120 million Americans
• Planned to sell CD to small businesses that wanted
to create mailing lists based on various criteria,
such as household income
• More than 30,000 consumers complained to Lotus
about invasion of privacy
• Lotus dropped plans to sell CD

Facebook Beacon
• Fandango, eBay, and 42 other online businesses
paid Facebook to do “word of mouth” advertising
• Facebook users surprised to learn information
about their purchases was shared with friends
• Beacon was based on an opt-out policy
• Beacon strongly criticized by various groups
• Facebook switched to an opt-in policy regarding
Beacon

Malls Track Shoppers’ Cell
Phones
• In 2011 two malls recorded the movements of
shoppers by tracking the locations of their cell phones
– How much time people spend in each store?
– Do people who shop at X also shop at Y?
– Are there unpopular areas of mall?
• Small signs informed shoppers of study
• After protest, mall quickly halted study

iPhone Apps Upload Address
Books
• In 2012 a programmer discovered Path was
uploading iPhone address books without
permission
• Internet community pointed out this practice
violated Apple’s guidelines
• CEO of Path apologized; app rewritten
• Twitter, Foursquare, and Instagram also implicated
for same practice

Instagram’s Proposed Change to
Terms of Service
• Late 2012: Instagram announced changes
– Privacy policy
– Terms of service
• Legal experts: Instagram and Facebook would have
right to use photos in ads without permission
• Instagram CEO: New policy misunderstood
• Changed advertising section of terms of service
agreement back to original version
