Professional Development (300578)
Lecture 5 – Security and Privacy of Information
Security and Privacy of Information
Session 1 2021
Google fined $7m over Street View privacy breach (12/03/2013)
Outline
• Importance of Security and Privacy in the modern information age
• Privacy at work
• Legal framework in IT
• Intellectual Property (IP) – laws
Information Age and Privacy
“If Privacy isn’t already the first road kill on the information superhighway, then it’s about to be.”
– Brock Meeks (Wired Magazine)
What is Privacy?
• An individual's right to be free from intrusion or interference by others (Gavison, 1980):
• Secrecy: Control of information about oneself
• Anonymity: Freedom from the attention of others
• Solitude: Freedom from surveillance and observation
Benefits of Privacy?
• Individual Freedom
• Food Habits
• Work Habits
• Shopping Habits
• Autonomy
• Job opportunity
• Not an absolute right!
• For instance, if you break the law you lose certain rights.
Security and Privacy of Information
• http://docusearch.com
• “We find people and information about them. Now any internet savvy can locate lost friends, track down debtors and deadbeats, or discover secrets of the people with whom you associate. It’s totally professional, completely legal and entirely confidential.”
• “DigDirt” and “WeSpy4u”:
• Unlisted telephone numbers for US$69
• Bank account numbers for US$55
• Finding out a person’s salary US$75
• Stocks, bonds and mutual funds $200
Importance of Privacy
[Bar chart: Issues that are of importance to the public. Axis: percentage of responses (0% to 100%). Categories: protecting privacy; controlling the cost of medical insurance; staying out of excessive debt; reducing insurance fraud; controlling false advertising.]
The Limits of Privacy (Etzioni 1999)
• Within our society (more so than others) privacy is a privileged value
• Should parents be provided with knowledge of criminal backgrounds of child care workers?
• Should law enforcement be able to determine whether drivers of school buses, pilots, or police officers are under the influence of illegal drugs?
• Should security forces be allowed to screen electronic communications for indications of planned terrorist attacks?
• Under what moral, legal, and social conditions should the right to privacy be limited?
The Limits to Privacy
• Organisational efficiency
• Organisations need information to make effective decisions
• Public Interest
• Government agencies need information to protect the public from threats
Privacy and Technology
• Information gathering
• Cookies
• How does Google Display Network use Cookies?
• Check out http://www.google.com/settings/ads
• EU Cookie Directive (2002)
• Web Searches
• Point of sale (POS) transaction data
• Mobile Technologies
• Data matching and data merging
In Australia do you have a right to privacy?
No*
Legal Protection of Privacy
• In Australia, there is *no constitutional right to privacy
• A patchwork of laws exists, though, to protect privacy
• Specific privacy protection laws focus on protection of information privacy
• Privacy protection laws vary across states
• State and Federal Laws are not identical
• However, where coverage exists, laws are typically complementary and their obligations similar
• Legislation based on principles set down by the Organisation for Economic Co-operation and Development (OECD)
• Recent recognition of privacy in common law
How are we protected in Australia?
• The Federal Privacy Act contains 11 Information Privacy Principles (IPP), which apply to Commonwealth and ACT government agencies.
• It also has Australian Privacy Principles (APPs) which apply to parts of the private sector and all health service providers.
• Part IIIA of the Privacy Act regulates credit providers and credit reporting agencies
• The Federal Privacy Commissioner also has some regulatory functions under other enactments, including:
• Telecommunications Act 1977 (Cth)
• National Health Act 1953 (Cth)
• Data Matching Program (Assistance and Tax) Act 1990 (Cth)
• Crimes Act 1914 (Cth)
Cth = Commonwealth
Australian Privacy Principles
https://www.oaic.gov.au/agencies-and-organisations/guides/app-quick-reference-tool
1. Open and transparent management of personal information
2. Anonymity and pseudonymity – allows people to deal with an entity anonymously or with a pseudonym
3. Collection of solicited personal information – standards for information collection
4. Dealing with unsolicited personal information – standards for dealing with unsolicited personal information
5. Notification of the collection of personal information – when and in what circumstances to notify an individual
6. Use or disclosure of personal information – when an entity can disclose personal information that it holds
7. Direct marketing – can only use or disclose information for direct marketing under certain conditions
8. Cross-border disclosure of personal information – how an entity is to deal with personal information before it transfers to another nation (overseas)
9. Adoption, use or disclosure of government related identifiers – the use of government identifiers for an individual
10. Quality of personal information – accuracy of information collected and held
11. Security of personal information – protecting the information from misuse, interference and loss
12. Access to personal information – an entity's responsibility to an individual when they ask for their information
13. Correction of personal information – obligations when correcting inaccurate information
Privacy in Action
• Do you really have a private life online?
• https://www.youtube.com/watch?v=-e98hxHZiTg
Workplace Monitoring
• Employers monitor you. Does it breach your privacy?
• Depends on what they monitor
• If you are using their resources on their network, even a VPN from home, it may be part of the terms and conditions of use so everything can be monitored
• If it is your resource on their network, anything transferred over the network can be monitored. They are not allowed to access the information on your personal device unless it is part of the terms and conditions of network use
• Customers and call centre operators may both be polite to each other if monitored. (Who has asked not to be recorded?)
• Discovery of misuse of the internet from monitoring can result in employment termination
What do employers monitor/limit?
• Email traffic (stored) – why?
• Attachments (sent/received) – why?
• Instant messaging – why?
• Website access – why?
• Phone conversations – why?
• Database access – why?
Company Policies
• Information Privacy Policy
• Information Security Policy
• Difference?
• Information Privacy Policy – The Use
• Information Security Policy – The Access
Computer Security & Ethics
• Hacking – Loves beating the system
• Hacker (before): loves the computer challenge
• Hacker (now): accesses unauthorised computers
• Employer, Employee & Union Rights – Aim for:
• Property, access, privacy, accuracy
• Policies and regulations
What is Intellectual Property?
• Property
• Real Property (land)
• Personal Property
• Choses in Possession (chattels – personal possession)
• Choses in Action (the right to sue)
• Shares, debts
• Intellectual Property
IP: Is it as real as other property?
• Digital copyright problem: target work suffers no harm from being infinitely reproduced
• Owner of target work not deprived of original
Ethical and Practical Problems
• Copier gets benefit to which she/he is not entitled
• Theft as deprivation of possession paradigm not applicable to intellectual property
• Misappropriation difficult to trace/prove.
• Moral difference between copying for one’s own use and copying for commercial exploitation
Forms of IP
• Intellectual Property
• Copyright
• Trade Marks
• Patents
• Designs
• Trade Secrets
Copyright
• Contained in Copyright Act 1968
• Protects expression of idea not idea itself
• Protected item must be
• Original
• Produced in material form
• By a resident or citizen of Australia or by a member of a Berne Convention country
• Part III covers literary, musical, artistic & dramatic works
• Part IV covers subject matter other than works – recordings, films, videos etc.
• Literary works include computer programs in source and object code.
Open Source Software
• Argument: computer programming community should be able to freely read, modify and redistribute the source code in computer programs
• Copyright is automatically given to the code owner
• All open source software is copyrighted; the license discloses how the software can be redistributed or used based on this copyright.
Trade marks
• Connect the manufacturer with their goods/services
• Safeguard reputation in goods/services
• Are limited to the marketplace for which the mark has been registered or in which an unregistered mark has acquired a reputation
• Are unique for specific goods/services within that jurisdiction
• Defense mechanism. You have to protect it. The laws for trade marks allow you to protect it. They don’t seek justice.
Domain Names
• Often incorporate trademarks
• For trademark purposes
• subway.com and subway.com.au: are they the same in terms of rights?
Trade marks & Domains
• Top level domains (.com, .net, etc) usually overlap with trade marks.
• Results in cybersquatting, where someone is waiting for a payday. They are waiting for the value someone else has created
Patents
• Since computer programs are protected by copyright, should patents have any application here?
• Patent protection is stronger than copyright but algorithms are specifically excluded from patentability
• Patents are now allowed on computerised business methods (workflows)
• IP Australia:
• A patent is a right that is granted for any device, substance, method or process that is new, inventive and useful.
• A patent is a legally enforceable right to commercially exploit the invention for the life of the patent.
Trade Secrets
• The formula for Coca-Cola wasn’t patented so the secret could be kept forever
• KFC’s secret recipe – only a few executives have access to the recipe
• WD-40 – the formula is stored in a bank vault and is only mixed in three facilities to maintain the secret
Designs
• A design is a unique shape, feature or configuration of a product which makes it unique.
• Think of unique packaging. This is a design. It is why there isn’t another hourglass-shaped drink bottle, because Coca-Cola has the design
IP Australia
• http://ipaustralia.gov.au/
Actions
• Read Chapter 3 – The Law and Legal Framework (McDermid)
• Read Chapter 4 – Privacy (McDermid)
• Read Chapter 8 – Computer Law, Ethics and Intellectual Property (McDermid)
• Consider how this will affect you in your current/future daily work and personal lives