INF529: Security and Privacy
In Informatics
Expectations of Privacy
Prof. Clifford Neuman
Lecture 5, 8 February 2019, OHE 100C
Course Identification
• INF 529– Information Privacy
– 4.0 units
– Website http://ccss.usc.edu/529
• Class meeting schedule
– Noon to 3:20PM Fridays
– Room OHE 100C
• Class communication
– [email protected]
Course Outline
• What data is out there and how is it used
• Technical means of protection
• Identification, Authentication, Audit
• The right of or expectation of privacy
• Government and Policing access to data – February 15th
• Social Networks and the social contract – March 1st
• Criminal law, National Security, and Privacy – March 22nd
• Big data – Privacy Considerations – March 8th
• Civil law and privacy – March 29th (also Measuring Privacy)
• International law and conflict across jurisdictions – April 5th
• The Internet of Things – April 12th
• Technology – April 19th
• The future – What can we do – April 26th
Semester Project
All students are expected to prepare and present a 30 minute
lesson on a topic related to privacy that is of interest to them.
– If on a topic that is already in the syllabus, your presentation will be made
in the week that the topic is covered in class. The next slide shows some
possible topics that align with lectures (your title should be more specific).
– If on a topic that is not already in the syllabus, I will assign a week for
your presentation, based on available time in lecture, and based on
relevance.
– Please send me proposed topics for your class presentation by Thursday the
25th. You can suggest multiple topics if you like... if so let me know your order
of preference. All that you need is a short title and a one sentence description.
Topics may be chosen from among the topics listed in the syllabus for the
class, or you may propose topics around any particular problem domain (e.g.
type of system, type of business, type of activity) for which you will provide a
thorough discussion of privacy (or privacy invading) technology and policy.
Tentative – Social Networks – March 1
Social Networks
• Chloe Choe
• Nitya Mohini Harve
• Deepti Rajashekharaiah Siddagangappa
Tentative: Big Data, March 8th
Big Data
• Jacqueline Dobbas - Location Data
• Kavya Sethuraman
Monetization of PII
• Ahmed Qureshi
• Faris Almathami - Privacy vs. Marketers and
Advertisers
Tentative: March 22 - Policing, National Security
• Dewaine Redish – National Security and Privacy
• Andrew Carmer - History of Government Surveillance
Tentative – March 29 - Civil Law and Privacy
• Arjun Raman – CCPA and related
Also Measuring Privacy
• Sevanti Nag – Measurement of Privacy in Social Media
Tentative: April 5th – International Privacy Regulations
Mindy Huang
Abdulla Alshabanan
Anupama Abhay Sakhalkar – International
legal issues
Tentative: April 12 Internet of Things
• Lance Aaron - Smart Assistants
• Brianna Tu
• Yulie Felice - Amazon Alexa Security
• Sophia Choi – RFID, USN, M2M
• Jairo Hernandez - Security and Privacy of
NFC
• Ann Bailleul - Implication of IoT on
Privacy
April 19th Medical IoT and Technology
Security, Privacy and Safety of Medical Devices and
technology.
• Fumiko Uehara
• Joseph Mehltretter
• Abdullah Altokhais
Facial Recognition and related technologies
• Louis Uuh – Facial Recognition
Security and Privacy in Messaging Technologies
• Aaron Howland
April 26th – The Future of Privacy
Technology, Training, Legislation
• Charlene Chen – Right to be Forgotten and the future of privacy
• Kate Glazko
Expectation of Privacy
4th amendment to US Constitution
– The right of the people to be secure in their persons,
houses, papers, and effects, against unreasonable
searches and seizures, shall not be violated, and no
Warrants shall issue, but upon probable cause,
supported by Oath or affirmation, and particularly
describing the place to be searched, and the persons
or things to be seized.
– This statement applies to actions by Government
Today’s discussion is not about the 4th amendment, but
rather the meaning of the term “Unreasonable”.
And thus the topic is neither US, nor government centric
When do we not have an expectation
• 3rd Party Doctrine
– Holds that people who voluntarily give information to
third parties are not protected by a reasonable
expectation of privacy
From Slide by Matthew Jackoski
Reasonable Expectation of Privacy
• To have a reasonable expectation of privacy you
need 2 things:
– Individual needs to exhibit an actual expectation of
privacy, meaning “he seeks to preserve something as
private”
• “plain view test”
– Is the individual’s expectation of privacy one that
society is prepared to recognize as ‘reasonable’?
From Slide by Matthew Jackoski
3rd Party Doctrine
• Also known as the “Privacy Doctrine”
• Many court rulings uphold the idea that right to privacy is
waived when signing up for a service.
• Original purpose was to allow police to question gang
members without needing a warrant.
• Over time, the doctrine grew to allow warrantless
searches of telephone metadata and financial bank
records.
From Slide by Matthew Jackoski
Standing
• The right of an individual to contest the illegality
of a search and seizure
• Almost like a “catch 22”.
– Only the person whose rights are being violated has
“standing”. Therefore, to challenge an alleged
governmental constitutional violation, you have to
claim ownership of the evidence being submitted.
From Slide by Matthew Jackoski
Katz v. United States (1967)
• Situation:
– Government agents had intercepted the contents of a
telephone conversation of a man suspected of illegal
gambling
– This was done by installing a listening device on the
outside of a public telephone booth.
• Ruling:
– Court rejected the argument that a “search” can occur
only when there has been a “physical intrusion” into a
“constitutionally protected area”
From Slide by Matthew Jackoski
Implications of Katz v United States
• Refined interpretation of the unreasonable search and
seizure clause of the 4th Amendment to include
immaterial intrusion with technology as a search.
• Extends the 4th Amendment right to “protect people, not
property”
From Slide by Matthew Jackoski
Smith v. Maryland (1979)
• Situation:
– Man robbed a store and for a couple weeks after, the man would
call the owner of the store and threaten her.
– Police installed a pen register (device that records numbers that
a phone dials), this showed that the man suspected of robbing
the store was the one placing the phone calls
– This data led to a search warrant, where they found more
evidence in the man’s home.
– Smith wanted all evidence thrown out that was a result of the
pen register.
• Court Ruled:
– The pen register was not a breach of “reasonable expectation to
privacy”, therefore the evidence remained
– This predated the ECPA
From Slide by Matthew Jackoski
Justification for Smith v. Maryland
• Activity in question:
– Installing and using the pen register
• Whose property?
– Since the pen register was installed on the telephone
company’s property, the defendant cannot claim his
“property” was invaded or that police intruded.
• What about “protecting the person” not
“protecting the property”?
From Slide by Matthew Jackoski
Other Implications of Exposed Metadata
• Think of ISP and Social Media
• What could be determined from our metadata?
• What is being determined from our
metadata?
From Slide by Matthew Jackoski
United States v. Knotts (1983)
• Situation:
– Officers followed a car containing a beeper, relying on
the beeper signal to determine the car’s final
destination.
• Ruling:
– Court unanimously held that, since the use of such a
device did not violate a legitimate expectation of
privacy, there was no search and seizure, and thus it
was allowed without a warrant.
From Slide by Matthew Jackoski
Implications of United States v. Knotts
• A person traveling in public has no expectation
of privacy in one’s movements.
• Will Google Maps and Apple Maps be allowed to
work in tandem with the police force?
• Again, note that there have been recent laws
and rulings that limit this kind of collection.
From Slide by Matthew Jackoski
Bringing Things Up to Date
Real expectations vs legal fictions
No expectation of privacy for actions performed in public
No expectation of privacy for material in plain sight
But technology changes the nature of the information
Expectation of Privacy from Whom
4th amendment is US centric and applies to government.
What about industry, neighbors, etc.
Where else are there laws related to privacy
expectations
Actions Performed in Public
What are our expectations:
When our actions can be observed
Then – Witnesses can describe what they saw
Now – ubiquitous surveillance cameras may record us
(certain locations have privacy expectations)
We might be identified after the fact
One's activities create the motivation to obtain data
Our loss of privacy/anonymity occurs after the act
And based on information we expect to be “public”
New Technologies
We are constantly identified and the stream of individually
“public” data is now invasive.
ALPR – Automatic License Plate Readers
Similarly, when location data is centralized, we can track
movement of individual vehicles.
Facial recognition
When combined with central clearing of identification
Allows one to track the movements of individuals
Automatic License Plate Readers
ALPR devices are popping up all over the
place, from toll roads to parking garages,
to the entrances to the USC Campus.
Many private ALPR systems are managed
by organizations that aggregate the data
and sell it for commercial purposes such
as repossessions.
We are Part of the Problem
https://www.eff.org/deeplinks/2015/10/license-plate-readers-exposed-how-public-safety-agencies-responded-massive
University of Southern California
USC had far fewer ALPR cameras exposed than those in Louisiana—only four of what is likely a 60-plus camera network. However, these four cameras were even more vulnerable than the Louisiana cameras, since their controls were hosted on public university pages, with obvious URLs such as pipscam9.usc.edu.
Pipscam9 was particularly problematic. Located on “Fraternity Row” (see it here) and directly across from the Pi Kappa Phi house, the ALPR camera was completely unprotected. One could not only see the license plates passing down the street, but also watch a live video feed (below) of people crossing the street.
Texas ALPR to Collect Fines
https://www.eff.org/deeplinks/2016/01/no-cost-license-plate-readers-are-turning-texas-police-mobile-debt-collectors-and
The problem with License Plate Readers is the aggregation of the data. While the location of our vehicle on a public street is visible and we have no expectation of privacy, when the information is collected over a period of time, it now exposes our transportation history, and we at least EXPECT some level of privacy regarding that.
Surveillance for Hire
http://www.theblaze.com/news/2014/03/06/surveillance-for-hire-would-you-take-money-to-record-fellow-drivers/
Once again, we see the value to companies of data about your locations. In this case, data could be accessed by private investigators and others. The value is in the aggregation of the data, rather than in the localized snapshot of one's current location.
ICE Accesses a Massive Amount of License Plate Data. Will California Take Action?
Proposed legislation that would allow California residents to cover their license plates while parked has been tabled under pressure from law enforcement groups.
California says no, you can’t cover your license plate
Facial Recognition
https://www.engadget.com/2006/02/28/biobouncer-facial-recognition-system-for-bars-clubs/
While we're aware of the occasional incident "in da club"
featuring a firearm-bearing-celebrity, we've been blissfully
ignorant of the fact that clubbing these days has apparently
gotten so dangerous that a market has sprung up for
nightlife-specific biometric security solutions.
Well Wired is reporting that besides the fingerprint
recognition system that a company called Food Service
Solutions is pitching to alcohol retailers, an even more
ambitious facial recognition system is about to be deployed
in U.S. bars and clubs by a 24-year-old entrepreneur named
Jeff Dussich. Dussich's company, JAD Communications and
Security, is promoting its BioBouncer package as a way for
communities to identify habitual troublemakers by using a
Vegas-like database of blacklisted individuals that is shared
among local establishments. BioBouncer costs $7,500 for
the initial hardware, software, and setup, and $6000 per
year for support, which presumably means access to the
networked "rogue's gallery." Not surprisingly, privacy groups
such as the EFF are opposed to BioBouncer and similar
systems, citing both their questionable accuracy and
potential for misuse.
From Whom is Information Private
Business Records
• 3rd party doctrine tells us that we have no expectation
of privacy for records that are maintained in the normal
course of business (including things like call logs, etc).
• Specific legislation may dictate that certain kinds of
records not be disclosed.
• Privacy policies or contractual requirements may do the
same.
Expectation of Privacy implications
Not that information cannot be obtained, but rather the
conditions under which it may be obtained.
by a business in their normal course of
Privacy of Electronic Mail
From the 2012 Version of FBI Domestic Investigations and Operations
Guide, which the ACLU got through a FOIA request:
In enacting the ECPA, Congress concluded that customers may not retain a
“reasonable expectation of privacy” in information sent to network providers. . . [I]f
the contents of an unopened message are kept beyond six months or stored on
behalf of the customer after the e-mail has been received or opened, it should
be treated the same as a business record in the hands of a third party, such as
an accountant or attorney. In that case, the government may subpoena the records
from the third party without running afoul of either the Fourth or Fifth Amendment.
Privacy of Electronic Mail
https://www.wired.com/2017/02/trump-power-email-privacy-act-never-urgent/
New proposed legislation
changes this.
The email privacy act could
require government agencies to
obtain a warrant before seizing a
criminal suspect’s online
communications that are more
than 180 days old. Under the
ECPA’s existing logic, those older
communications are considered
abandoned, and thus not subject
to a reasonable expectation of
privacy. Amendment.
Overriding Expectations
For business records and other items without an “expectation” of
privacy, there is still criminal and civil procedure that must be applied to
obtain such records.
Three classes:
What is truly considered public
Investigators ask witnesses, look at public records, or other
material considered public.
Items like business records or information held by third parties
Investigators issue subpoenas or other forms of process for
specific records. Though arrangements have been entered into
for direct access. Such arrangements are troublesome.
Where there is a legislated or legal expectation of privacy
Investigators must obtain a search warrant, which has a
higher burden of probable cause than for subpoenas.
Can Public Tweets be used by LE
https://www.engadget.com/2016/12/15/twitter-stops-dataminr-from-sharing-tweets-with-police-hubs/
Should Law Enforcement and intelligence agencies really be stopped from
using information that is published to the rest of the world?
Twitter thinks yes.
Electronic Communication Privacy Act (1986)
https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285
Title I of the ECPA, which is often referred to as the
Wiretap Act, prohibits the intentional actual or
attempted interception, use, disclosure, or
"procure[ment] [of] any other person to intercept or
endeavor to intercept any wire, oral, or electronic
communication." Title I also prohibits the use of
illegally obtained communications as evidence. 18
U.S.C. § 2515.
Many issues to be discussed.
CAL ECPA
https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160SB178
ARTICLE 8 – European Convention on Human Rights
Right to respect for private and family life
1. Everyone has the right to respect for his private and
family life, his home and his correspondence.
2. There shall be no interference by a public authority with
the exercise of this right except such as is in accordance
with the law and is necessary in a democratic society in the
interests of national security, public safety or the economic
well-being of the country, for the prevention of disorder or
crime, for the protection of health or morals, or for the
protection of the rights and freedoms of others.
Europe’s GDPR
Extends privacy rights to corporate use of data.
Includes “Right to be Forgotten”
More on this later in the semester when we speak about
regulations.
Right to be Forgotten (before GDPR)
http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf
• In 2010 a Spanish citizen lodged a complaint against a Spanish newspaper
with the national Data Protection Agency and against Google Spain and
Google Inc. The citizen complained that an auction notice of his
repossessed home on Google’s search results infringed his privacy rights
because the proceedings concerning him had been fully resolved for a
number of years and hence the reference to these was entirely irrelevant.
He requested, first, that the newspaper be required either to remove or
alter the pages in question so that the personal data relating to him no
longer appeared; and second, that Google Spain or Google Inc. be
required to remove the personal data relating to him, so that it no longer
appeared in the search results
Current Events
A kids’ smartwatch was recalled by the EU over privacy concerns - The Verge 2/5/19
A smartwatch designed for children was recently recalled due to unencrypted communications between the
smartwatch companion app and a backend server. Hackers were able to read and modify the location history,
phone numbers, and serial numbers of the smartwatch while also being able to make calls to the child and find
their location. -- Aaron Howland
Children's smartwatch recalled over data fears - BBC News 02/05/2019
This story talks about how the European Commission has ordered the recall of a children's smartwatch because it leaves
them open to being contacted and located by attackers due to the fact that data sent to and from the watch is
unencrypted allowing data to be easily taken and changed. - Nitya Harve
Current Events
3 Things Businesses Need to Know About Customer Privacy Expectations-TechRepublic-2/6/2019
According to a new RSA Security Report, 57% of consumers blame companies, not hackers, for a high-profile
breach. Many customers fail to understand how their data is being utilized and managed. Greater transparency of
how data is being used and protected would not only help companies understand the context of their consumers,
but improve personalization of services. -Jacqueline Dobbas
Cisco joins position supporting federal privacy law - Arstechnica.com -2/7/2019 –
Cisco joins the growing list of companies seeking federal government regulation. Many of these companies fear
the complications and additional cost associated with fragmented legislation across individual states and countries.
– Dewaine Reddish
Current Events
Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years - Motherboard 02/06/19
Location data, including real-time location data, of AT&T, T-Mobile and Sprint customers had been accessed by more
than 200 hundreds and related businesses through a chain of companies. A company called CerCareOne,
operated between 2012 till late 2017, bought the data from a firm called LocationSmart, which the telecom sold the
data to, and sold it to beneficiaries by charging up to $1,100 per phone location. CerCareOne also provided A-
GPS, which gives more precise location, for its customers based on the fact that the telecom companies have
access to that type of location data. None of the telecom companies specifically denied selling A-GPS data. -
Abdullah Altokhais
US lawmakers furious (again) as mobile networks caught (again) selling your emergency location data
to bounty hunters (again) - The Register 2/7/19
Mobile network companies have been found in violation of selling A-GPS data (location data accurate to a few feet
of the user), which has specific privacy protections against sharing and only supposed to be used for emergency
services. Mobile phone network companies already sold location data to third parties in a very under-regulated
process, and a particular company was able to charge $1.1k per search for A-GPS data. Ajit Pai is accused of not
doing his job to investigate violations of the FCC guidelines, which supposedly emboldened the mobile network
companies to sell the protected A-GPS data.-- Charlene Chen
Current Events
New Mac Malware Targets Cookies to Steal From Cryptocurrency Wallets - The Hacker News 02/01/2019
A newly discovered piece of malware "CookieMiner" attempts to withdraw funds from user's cryptocurrency
exchange accounts by stealing user’s Google Chrome and Apple Safari browser cookies, credentials and credit
card information saved in the Chrome web browser and iPhone's text messages of victims stored in iTunes
backups. CookieMiner also uses the EmPyre backdoor for post-exploitation control - Sevanti Nag
Beware Siri Shortcuts – 2/4/2019 SC Media
This story just warns about new ways users can unknowingly download malware on their iPhones. One of the new
features of the latest update includes being able to create shortcuts for tasks that can be called upon by voice
activation. Researchers are warning that these shortcuts that can be downloaded can also download instructions
to execute/download/install malware or malicious code. -Jairo Hernandez
iPhone Apps Secretly Screen Recording Users - Tech Crunch 2/07/2019 (no link)
Many apps that utilize Glassbox for analytics utilize session replays, which record and allow playback of a user’s
interaction within the app. This information is sent either to Glassbox’s cloud or directly to company servers. Issue
is that many of these apps do not mention this in their privacy policies and do not properly protect all of the data.
- Lance Aaron See
Current Events
Apple threatens to remove iPhone apps caught recording user activity without consent –
Apple caught on to a few applications such as Expedia, Air Canada and Hollister that were using a "session replay"
software from a company named Glassbox. This software allowed the companies to record their sessions, taps,
swipes while using the application. The bad part is that these companies were doing it without the users' consent.
– Louis Uuh
Apple fixes one privacy nightmare as another emerges (Updated) - mspoweruser 2/7/2019
An update on the Group FaceTime bug and how this bug sparked an interest in looking for other privacy scandals
in Apple's app store. Session replay, a technology used by some apps, is now under investigation as it exposes
some sensitive information without proper consent. Apple issued a statement saying that they would take
immediate actions if no disclosure of session recording was provided. --Abdulla Alshabanah
Current Events
Google Warns Data Privacy Changes Could Hurt Its Business - Bloomberg 2/5/2019
Google parent Alphabet Inc. claimed they were adjusting to step up regulatory scrutiny and evolve consumer
attitudes toward online data and privacy. By doing so, there would be adverse effects on advertising, which could
lead to worse reputation and revenue decrease. Additionally, Alphabet also updated its warning about an
expansion into non-advertising businesses like cloud services and consumer hardware, aligned with its report of
thinner fourth-quarter profit margins as they spend heavily to expand its cloud and YouTube businesses.
-Mindy Huang
Jack'd gay dating app exposes millions of private photos - BBC 2/7/2019
A gay dating app that has been downloaded for more than five million times on Google Play app, has a security
flaw that exposes private pictures, location information, and user metadata. All of the pictures uploaded by users
can be found on an open web server. A researcher called Oliver Hough reported this issue a year ago and the
company did not respond, but after The Register reported the issue, the company's chief executive made a
comment that a fix would be implemented this Thursday, February 7, 2019. -- Yulie Felice
Ohio’s Recently-Enacted Data Protection Act Creates a Shield Against Data Breach Lawsuits LegalTech News - 2/6/19
The state of Ohio becomes the first state to pass a law, the Data Protection Act, that incentivizes businesses to
maintain and implement strong cybersecurity systems. In return, the government will provide a "safe harbor" for
these businesses against major data breaches. – Brianna Tu
Security vulnerabilities in video conferencing devices could be remotely exploited by hackers - ZDNet (02/07/19)
System commands can be run by hackers on video conferencing devices distributed by Lifesize because of a
security vulnerability, leading to spying and attacking of other devices. This could prove as a threat to companies
that currently use Lifesize software for meetings and video conferencing. - Chloe Choe
Current Events
https://www.cnbc.com/2019/02/07/privacy-policies-give-companies-lots-of-room-to-collect-share-data.html
It discusses how most users do not actually thoroughly read privacy statements of the services they utilize, if they
even read them at all. However, they are often written in a cryptic manner that would make them difficult for the
majority of users to understand if they tried. The article also brings up an interesting example of an innocent-
seeming device that collects a lot of information about users. -- Ann Bailleul
Most people just click and accept privacy policies without reading them — you might be surprised at what they allow
companies to do CNBC 02/07/2019
CNBC talked to three privacy professionals to get their take on privacy policies. These professionals said privacy
policies are not designed to be understood by the consumers and require at least some high school education and
sometimes advanced degrees. Many policies include some clauses that say that companies can change the policy
at any moment, potentially allowing them to collect a lot more data or do something with our data that wasn't
specified before. When you download something and accept the terms and conditions, if you aren't paying for it,
you are the product. --Anupama Sakhalkar
Biometric Privacy Update – Actual Harm Not Required The National Law Review 2/7/2019
In 2008, the state of Illinois passed the Biometric Information Privacy Act (BIPA) which has regulated the use of
biometric data by private organizations. The city of Chicago, along with other parts of IL, have been targeted by
tech companies for pilot testing of new biometric technologies. Therefore, there have been recent violations of
BIPA as its major compliance requirement is the retention of biometric data due to being unchangeable unique
identifiers - Faris Almathami
Current Events
User consent is required to combine Facebook, WhatsApp and Instagram accounts. The Guardian
Extract: Facebook which also owns Instagram and WhatsApp plans on combining all the 3 accounts which are
currently separate, into one account so that the users can send messages between them. But Germany’s anti-
monopoly regulator has ordered Facebook not to combine user data without consent from users. This is a result of
an investigation into potential privacy and competitive policies. But Facebook disagrees to the results and they
intend to appeal. But the crux of this is again user privacy where Facebook can collectively accumulate user
information and potential PI across different platforms and use it to sell and target ads better which could again
lead to breaches and misuses from external agencies. -- Kavya Sethuraman
German regulator orders Facebook to restrict data collection- theGuardian 02/07/2019
German Regulator declares that Facebook should possess user consent for integration of WhatsApp and
Instagram to its Messenger for that particular user. FB given 12 months to implement this in its data policies.
However in a blogpost, Facebook responded to the ruling, saying: “We disagree with their conclusions and intend
to appeal.” -- Deepti Rajashekharaiah
Facebook Says It Needs to Collect All Your Data to Protect Against Terrorism and Child Abuse - Gizmodo 2/7/19
The article discusses how Facebook can no longer use data it collects from Instagram, Facebook, and WhatsApp
together without explicit permission from users in Germany. Facebook wants it to be an opt out policy rather than
an opt in policy and says that it is necessary to "protect against Terrorism and child abuse." Facebook has been
accused of using this data in anti-competitive ways due to their significant marketshare in Germany. Facebook also
claims that other companies are doing it and they should be allowed to do it also. ~Ahmed Qureshi
Current Events
Over 59,000 GDPR Infractions Reported in the Last Eight Months Computer Business Review 2/7/19
Since the European Union’s GDPR legislation came into force in May 2018, over 59,000 data breaches have been
reported to European data protection authorities. So far only 91 fines have been imposed as part of the new GDPR
regulations as many of the fines issued over the last year relate to cyber incidents that occurred pre-GDPR. €50
million is the largest fine to date and was handed by the French data authority CNIL to Google in relation to how
they processed their users' personal data. – Gene Zakrzewski
EU Agrees to Link Fragmented Border Security Databases Computer Business Review 2/7/19
European policy makers have agreed to connect a sweeping array of currently siloed border security systems,
creating a common identity repository, a Europe-wide document search portal for border security and a biometric
matching system. Roll-out will create a European search portal that lets border guards and police carry out
simultaneous checks of identity documents against all EU information systems on a single screen, instead of
verifying documents against multiple databases. It will also create shared biometric matching service, which will
use fingerprints and facial images to search across existing information systems, and a common identity
repository, which will store biographical data of non-EU citizens. – Gene Zakrzewski
What is Civil Law
• Civil law is concerned with private relations
between parties rather than criminal complaints
by a government against an individual.
– This is in contrast to criminal law.
– Includes contract law.
– Includes tort law.
• If a tort (wrong) is committed we may be able to
settle or litigate over actual, punitive, or
stipulated damages, for “specific performance”,
or injunctive relief.
Civil Law and Privacy
• Contracts and privacy and security
– Privacy policy statement
• Discovery and Privacy
• Laws protecting privacy of consumers
– HIPAA
– FERPA (Buckley Amendment)
– Fair Credit Reporting Act
– Others
– Regulations by FTC (and at one point FCC)
– Data Breach Notification Laws
Contracts and Privacy
We enter into contracts all the time
Signing contracts for services or goods
Consenting to terms of use on websites
Installing software (EULAs)
Such agreements set the terms of our activity
We can give away some rights to privacy
They may spell out what our “expectations” are
They can limit the damages we can collect
They can determine how and where to litigate
Certain terms can still be found unenforceable for a
variety of reasons.
Enforcement of Contracts
Probably easier against the writer of such agreements, if
acceptance was “implied”.
– But usually the terms with respect to privacy tend to disclaim
expectations of privacy, so no damages to demonstrate, and
other damages usually limited by the terms of the
agreements.
– Litigation can be initiated by injured parties, class actions, or
by government agencies in some cases (e.g. FTC).
– Terms of such agreements can’t allow either party to “break
the law” or violate other regulations, but they can change how
certain breaches are to be treated (e.g. opt-in)
– Deceptive trade practices…(can provide alternative remedy)
Discovery
When bringing suit (litigating) civil matters, all parties
have the right to compel disclosure of facts that may
benefit their case.
– The process of forcing disclosure of such information is
called Discovery.
– If you are a party to the suit then you may be required to
produce “discoverable” information.
• A good reason not to keep some things to begin with.
• A good reason to have a data retention/destruction policy
– It is illegal to destroy the data after you have reason to believe that
it will become subject to discovery.
• Third party doctrine applies
– Data about you may be obtained from third parties
– You may have an opportunity to object to such disclosure, but not
always.