
Fair Information Practice Principles and Privacy Laws


Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2005 • Lorrie Cranor • http://lorrie.cranor.org/courses/fa05/

Week 3 - September 12, 14

More homework 1 review

Web cams

Privacy in the news

Issues privacy groups are working on

Any questions about plagiarism?

Using Library Resources

CMU Libraries (http://www.library.cmu.edu)

Engineering and Science (a.k.a. E&S)
  • Location: Wean Hall, 4th floor
  • Subjects: Computer Science, Engineering, Mathematics, Physics, Science, Technology

Hunt (CMU’s main library)
  • Location: Its own building (possibly 2nd ugliest on campus behind Wean), between Tepper and Baker
  • Subjects: Arts, Business, Humanities, Social Sciences

Software Engineering Institute (a.k.a. SEI)
  • Location: SEI Building (4500 Fifth Avenue), 3rd floor
  • Subjects: Security, Software, Technology

Research and Communication Skills

START HERE: Cameo

Cameo is CMU’s online library catalog
  • http://cameo.library.cmu.edu/

Catalogs everything CMU has: books, journals, periodicals, multimedia, etc.

Search by key words, author, title, periodical title, etc.

CAMEO: Search Result for “Cranor”

[Screenshot callouts: Number of copies and status; Library]

CAMEO: Search Result for “Solove”

[Screenshot callout: Due date]

If it’s not in Cameo, but you need it today: Local Libraries

Carnegie Library of Pittsburgh
  • Two closest locations
      • Oakland: Practically on campus (4400 Forbes Ave.)
      • Squirrel Hill: Forbes & Murray (5801 Forbes Ave.)
  • http://www.carnegielibrary.org/index.html

University of Pittsburgh Libraries
  • 16 libraries! Information science, Engineering, Law, Business, etc.
  • http://pittcat.pitt.edu/

If it’s not in Cameo, and you can wait: ILLiad and E-ZBorrow

ILLiad and E-ZBorrow are catalogs of resources available for Interlibrary Loan from other libraries nationwide (ILLiad) and in Pennsylvania (E-ZBorrow)

Order items online (almost always free)

Wait for delivery – average 10 business days

Find links to ILLiad and E-ZBorrow online catalogs at http://www.library.cmu.edu/Services/ILL/

Other Useful Databases

Links to many more databases, journal collections
  • Must be accessed on campus or through VPN
  • http://www.library.cmu.edu/Search/AZ.html

Lexis-Nexis
  • Massive catalog of legal sources – law journals, case law, news stories, etc.

IEEE and ACM journal databases
  • IEEE Xplore and ACM Digital Library

INSPEC database
  • Huge database of scientific and technical papers

JSTOR
  • Arts & Sciences, Business, Mathematics, Statistics

And of course…

Reference librarians are available at all CMU libraries, and love to help people find what they need – just ask!

OECD fair information principles

http://www.datenschutz-berlin.de/gesetze/internat/ben.htm

Collection limitation

Data quality

Purpose specification

Use limitation

Security safeguards

Openness

Individual participation

Accountability

US FTC simplified principles

Notice and disclosure

Choice and consent

Data security

Data quality and access

Recourse and remedies

US Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), http://www.ftc.gov/reports/privacy3/

Privacy laws around the world

Privacy laws and regulations vary widely throughout the world

US has mostly sector-specific laws, with relatively minimal protections - often referred to as “patchwork quilt”
  • Federal Trade Commission has jurisdiction over fraud and deceptive practices
  • Federal Communications Commission regulates telecommunications

European Data Protection Directive requires all European Union countries to adopt similar comprehensive privacy laws that recognize privacy as fundamental human right
  • Privacy commissions in each country (some countries have national and state commissions)
  • Many European companies non-compliant with privacy laws (2002 study found majority of UK web sites non-compliant)

US law basics

Constitutional law governs the rights of individuals with respect to the government

Tort law governs disputes between private individuals or other private entities

Congress and state legislatures adopt statutes

Federal agencies can adopt regulations which are equivalent to statutes, as long as they don’t conflict with statute

US Constitution

No explicit privacy right, but a zone of privacy recognized in its penumbras, including
  • 1st amendment (right of association)
  • 3rd amendment (prohibits quartering of soldiers in homes)
  • 4th amendment (prohibits unreasonable search and seizure)
  • 5th amendment (no self-incrimination)
  • 9th amendment (all other rights retained by the people)

Penumbra: “fringe at the edge of a deep shadow created by an object standing in the light”

(Smith 2000, p. 258, citing Justice William O. Douglas in Griswold v. Connecticut)

Federal statutes and state laws

Federal statutes
  • Tend to be narrowly focused

State law
  • State constitutions may recognize explicit right to privacy (Georgia, Hawaii)
  • State statutes and common (tort) law
  • Local laws and regulations (for example: ordinances on soliciting anonymously)

Four aspects of privacy tort

You can sue for damages for the following torts (Smith 2000, p. 232-233)
  • Disclosure of truly intimate facts
      • May be truthful
      • Disclosure must be widespread, and offensive or objectionable to a person of ordinary sensibilities
      • Must not be newsworthy or legitimate public interest
  • False light
      • Personal information or picture published out of context
  • Misappropriation (or right of publicity)
      • Commercial use of name or face without permission
  • Intrusion into a person’s solitude

How does the law regulate privacy?

Law may require waiving privacy interests

Law may enforce privacy interests

Typically, the law identifies relevant privacy interests to protect, identifies relevant interests supporting disclosure, and tries to balance both sets of issues in a single resolution

Difficult legal problems

Can an individual “own” (and therefore sell) his or her own privacy rights?

Should the default assumption be “protect the privacy interest” or “compel waiver of the privacy interest”?

When should the law defer to informal or social norms, or to technological barriers or solutions?

Some US privacy laws

Bank Secrecy Act, 1970

Fair Credit Reporting Act, 1971

Privacy Act, 1974

Right to Financial Privacy Act, 1978

Cable TV Privacy Act, 1984

Video Privacy Protection Act, 1988

Family Educational Right to Privacy Act, 1993

Electronic Communications Privacy Act, 1994

Freedom of Information Act, 1966, 1991, 1996

US law – recent additions

HIPAA (Health Insurance Portability and Accountability Act, 1996)
  • When implemented, will protect medical records and other individually identifiable health information

COPPA (Children’s Online Privacy Protection Act, 1998)
  • Web sites that target children must obtain parental consent before collecting personal information from children under the age of 13

GLB (Gramm-Leach-Bliley Act, 1999)
  • Requires privacy policy disclosure and opt-out mechanisms from financial service institutions

Safe harbor

Membership
  • US companies self-certify adherence to requirements
  • Dept. of Commerce maintains signatory list http://www.export.gov/safeharbor/
  • Signatories must provide
      • notice of data collected, purposes, and recipients
      • choice of opt-out of 3rd-party transfers, opt-in for sensitive data
      • access rights to delete or edit inaccurate information
      • security for storage of collected data
      • enforcement mechanisms for individual complaints

Approved July 26, 2000 by EU
  • reserves right to renegotiate if remedies for EU citizens prove to be inadequate

Data protection agencies

Australia: http://www.privacy.gov.au/

Canada: http://www.privcom.gc.ca/

France: http://www.cnil.fr/

Germany: http://www.bfd.bund.de/

Hong Kong: http://www.pco.org.hk/

Italy: http://www.privacy.it/

Spain: http://www.ag-protecciondatos.es/

Switzerland: http://www.edsb.ch/

UK: http://www.dataprotection.gov.uk/

… And many more

Writing a Literature Review

Writing a literature review

What is a literature review?
  • A critical summary of what has been published on a topic
      • What is already known about the topic
      • Strengths and weaknesses of previous studies
  • Often part of the introduction or a section of a research paper, proposal, or thesis

A literature review should
  • be organized around and related directly to the thesis or research question you are developing
  • synthesize results into a summary of what is and is not known
  • identify areas of controversy in the literature
  • formulate questions that need further research

Dena Taylor and Margaret Procter. 2004. The literature review: A few tips on conducting it. http://www.utoronto.ca/writing/litrev.html

Literature review do’s and don’ts

Don’t create a list of article summaries or quotes

Do point out what is most relevant about each article to your paper

Do compare and contrast the articles you review

Do highlight controversies raised or questions left unanswered by the articles you review

Do take a look at some examples of literature reviews or related work sections before you try to create one yourself
  • For an example of a literature review in a CS conference paper, see section 2 of http://cs1.cs.nyu.edu/~waldman/publius/paper.html

Homework 2

http://lorrie.cranor.org/courses/fa05/hw2.html

Privacy laws

Technologies that raise privacy concerns

Homework 3

http://lorrie.cranor.org/courses/fa05/hw3.html

Announcements

Don’t forget that project brainstorming is due by Monday