The Broader Picture
- Laws Governing Hacking and Other Computer Crimes
- Consumer Privacy
- Employee Workplace Monitoring
- Government Surveillance
- Cyberwar and Cyberterror
- Hardening the Internet Against Attack
Figure 12-2: Consumer Privacy

Introduction
- Scott McNealy of Sun Microsystems: “You have zero privacy now. Get over it!”
- But privacy is strong in European Union countries and some other countries
Credit Card Fraud and Identity Theft
- Widespread Concern (Gartner)
  - One in 20 consumers had suffered credit card number theft in 2002
  - One in 50 consumers had suffered identity theft in 2002
  - Only about a fifth of this is online, but online theft is growing the most rapidly
- Carders steal credit card numbers
- Many merchants fail to protect credit card numbers
- Carders test and sell credit card numbers
- Merchants also suffer fraud from consumers and carders
- Identity theft: set up accounts in a person’s name
  - Victim may not discover the identity theft until long afterward
Tracking Customer Behavior
- Within a website and sometimes across websites
- Some information is especially sensitive (health, political leanings, etc.)
- Access to data and analysis tools is revolutionizing the ability to learn about people
- What consumers wish for
  - Disclosure of policies
    - What information will be collected?
    - How will the information be used by the firm collecting customer data?
    - Whether and with whom the information will be shared
  - Ability of the consumer to see and correct inaccurate personal information
  - Limiting collection and analysis to operational business needs, and limiting those needs
  - Opt in: no use unless the customer explicitly agrees
Corporate Responses
- Privacy disclosure statements
- TRUSTe certifies corporate privacy behavior
- Platform for Privacy Preferences (P3P): standard format for privacy questions
- Federal Trade Commission
  - Enforces privacy statements
  - Imposes fines and required long-term auditing
  - Does not specify what should be in the privacy statement
- Opt out: customer must take action to stop data collection and sharing
- No opt: no way to stop data collection and sharing
- Passport and Liberty Alliance
  - Identity management services
  - Register once, giving personal information
  - Give it out to merchants selectively
Consumer Reactions
- Checking privacy disclosure statements (rare)
- Not accepting cookies (rarer)
- Anonymous web surfing services (extremely rare)
U.S. Privacy Laws
- No general law
- Health Information Portability and Accountability Act (HIPAA) of 1996
  - Protects privacy in hospitals and health organizations
  - Focuses on protected information that identifies a patient
- Gramm-Leach-Bliley Act (GLBA) of 1999
  - Protects financial data
  - Allows considerable information sharing
  - Opt out can stop some information sharing
- Children’s Online Privacy Protection Act of 1998
  - Protects the collection of personal data from children under 13
  - Applies to child-oriented sites and any site that suspects a user is under 13
  - No protection for older children
- Registration for the Kids.US domain is controlled
- State privacy laws vary widely
International Laws
- European Union Charter of Fundamental Rights
  - Right to protection of personal information
  - Personal information must be processed for specific legitimate purposes
  - Right to see and correct data
  - Compliance overseen by an independent authority
- E.U. Data Protection Directive of 1995
  - Opt out, with opt in for sensitive information
  - Access for review and rectification
  - Independent oversight agency
  - Data can be sent out of an EU country only to countries with “adequate” protections
- Safe harbor
  - Rules that U.S. firms must agree to follow to get personal data out of Europe
  - Are GLBA rules to be considered in financial industries? The E.U. is resisting.
- Slides: 16