Chapter 9 Lecture Slides

Chapter 9: Protecting the Privacy and Confidentiality of Information

Learning Outcomes

  • Threats to Information Privacy: Describe and categorize various threats to information privacy with examples.

  • Technologies and Solutions: Identify technologies and solutions used to protect the confidentiality and privacy of information.

  • PAPA Ethical Framework: Explain how information privacy is a component of the PAPA ethical framework.

  • Relationship with Information Security: Discuss the relationship between information privacy and information security.

What is Privacy?

  • Individual Autonomy: Freedom from surveillance.

  • Data Protection: Safeguarding information from unauthorized access.

  • Personal Space: Respecting the private domain of individuals.

  • Confidentiality: Ensuring information is kept secret from unauthorized parties.

  • Protection from Intrusion: Guarding against unauthorized access.

  • Communication Privacy: Protecting the secrecy of communication.

  • Information Control: The ability to control personal data.

What is PII?

  • Definition: Any information that relates to an identified or identifiable natural person.

  • Direct Identification Examples: Information that can directly identify an individual.

  • Indirect Identification Examples: Information that can identify an individual indirectly.

  • Types: Personal Data, Personally Identifiable Information (PII).

Examples of PII

  • Common Examples:

    • Social Security Number

    • Credit Card Number

    • Geographic Location

    • Medical Records

    • Passport Number

    • Email Address

    • Driver's License Number

    • Biometric Data

    • Telephone Number

Quasi-identifiers

  • Definition: Information that can identify an individual when combined with other data.

  • Examples:

    • Gender

    • Place of Birth

    • Date of Birth

    • Zip Code

    • Education Information

    • Religious or Philosophical Beliefs

    • Race

Privacy Implications of Quasi-identifiers

  • Statistical Impact: While individual quasi-identifiers (gender, birthday, postal code) may not uniquely identify a person, their combination can identify approximately 87% of individuals in the US.
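
The effect described above can be measured on any dataset before it is shared. The following is an added example, not part of the original slides: the records are constructed, the function names are hypothetical, and it goes one step beyond the slide by showing how coarsening the values (the idea behind k-anonymity) removes the unique combinations.

```python
from collections import Counter

# Constructed sample records (not real people): (gender, date_of_birth, zip_code)
RECORDS = [
    ("F", "1990-03-14", "02139"),
    ("F", "1990-03-14", "02139"),
    ("M", "1985-07-02", "02139"),
    ("F", "1990-11-23", "02138"),
    ("M", "1985-01-30", "02141"),
    ("M", "1985-06-09", "02142"),
    ("F", "1990-06-09", "02142"),
    ("M", "1985-12-25", "02142"),
]

def class_sizes(records, key=lambda r: r):
    """Count how many records share each quasi-identifier combination."""
    return Counter(key(r) for r in records)

def unique_fraction(records, key=lambda r: r):
    """Fraction of records whose combination is shared with no other record."""
    sizes = class_sizes(records, key)
    return sum(1 for r in records if sizes[key(r)] == 1) / len(records)

def k_anonymity(records, key=lambda r: r):
    """Size of the smallest group: each record hides among at least k records."""
    return min(class_sizes(records, key).values())

def generalize(record):
    """Coarsen the values: keep gender, birth year only, and 3-digit ZIP prefix."""
    gender, dob, zip_code = record
    return (gender, dob[:4], zip_code[:3])

if __name__ == "__main__":
    views = [
        ("gender only", lambda r: r[0]),
        ("gender + date of birth + ZIP", lambda r: r),
        ("generalized (year, ZIP prefix)", generalize),
    ]
    for label, key in views:
        print(f"{label}: {unique_fraction(RECORDS, key):.0%} unique, "
              f"k = {k_anonymity(RECORDS, key)}")
```
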

Information Privacy Overview

  • Definition: The confidentiality of information collected by organizations about individuals.

  • Personal Desire: Individuals' desire to control their own data.

  • Valuable Asset: Information privacy represents significant value in the digital economy.

  • Pervasiveness: Information privacy concerns affect customers, employees, partners, students, and others.

Threats to Information Privacy

  • Data Collection:

    • Use of hidden data collection methods (e.g., cookies).

    • Tracking usage through clickstream data.

    • Proliferation of multiple data sources (e.g., IoT data).

  • Secondary Use of Information:

    • Function creep where data is used beyond its original purpose.

    • Opt-in vs. Opt-out concerns in data sharing practices.

Consequences of Privacy Violations

  • Personal Consequences:

    • Identity Theft

    • Financial Loss

    • Legal Consequences

    • Loss of Reputation

    • Discrimination

    • Security Risks

    • Safety Concerns

    • Harassment and Emotional Distress

  • Organizational Consequences:

    • Damage to company reputation.

Identity Theft

  • Definition: The unauthorized use of someone else’s personal information for personal gain.

  • Prevalence: One identity theft case every 22 seconds, with 15% of victims being college students.

  • Contributing Factors: Many students are not concerned about identity theft risks.

Statistics of Identity Theft

  • Annual Trends: Reports indicate significant instances of various identity theft types over the years.

Market for PII

  • Value of PII: Understanding how much threat actors are willing to pay for various types of personally identifiable information (PII).

Self-Protection Strategies

  • Use SSN only when necessary.

  • Shred papers with personal information.

  • Use secure services and strong MFA for financial accounts.

  • Regularly check financial statements and reports.

  • Safeguard personal information during communications.

Organizational Reputation Risks

  • Case Studies: Notable data breaches, such as First American Financial and Choice Hotels, illustrate the impact on organizational reputation.

Technologies and Solutions for Information Privacy

  • Tools: Overview of current technologies and strategies to safeguard privacy.

Privacy Tools: Cookie Managers

  • Utilization: Manage cookie settings to enhance privacy, including rejecting unnecessary cookies.

Cookie Management Tools

  • Examples:

    • Cookiebot

    • CookieMetrix

    • Cookie Crawler

    • Cookie-Editor Moustachauve

Privacy Tools: Anonymous Browsing

  • Practices: Techniques to enhance online anonymity, including using privacy settings and search engines (e.g., DuckDuckGo).

Privacy Tools: Privacy Statements

  • Purpose: Statements that outline organizational data privacy practices based on the Fair Information Practice Principles (FIPPs).

Privacy and Social Media

  • Considerations: Reflecting on the long-term implications of sharing information on social media.

Privacy Tools: Seals

  • Function: Indicators of an organization’s commitment to data protection (e.g., VeriSign, McAfee Secure).

Government Information Privacy Regulations

  • Notable Acts:

    • HIPAA: Health Information Protection

    • FERPA: Student Records Privacy

    • CCPA: Data Privacy Rights in California

    • GDPR: European Data Protection

    • Others from various countries ensuring personal information protection.

Mobile Information Privacy

  • Challenges: Collection of data without awareness, fewer regulations, and risks associated with downloading untrusted apps.

  • Recommendations: Best practices for application downloads and smartphone security.

Privacy and Ethics: PAPA Framework

  • Components: Privacy, Accuracy, Property, and Accessibility, used to evaluate information use and protection.

Ethical Decision Making: PLUS

  • Framework: Evaluating ethical considerations in online decisions through Policy, Law, Universal values, and personal standards.

Security and Privacy Comparison

  • Data Privacy vs. Data Security: Data privacy governs data handling; data security protects against attacks.