INF529: Security and Privacy

In Informatics

Expectations of Privacy

Prof. Clifford Neuman

Lecture 58 February 2019OHE 100C

Course Identification

• INF 529– Information Privacy

– 4.0 units

– Website http://ccss.usc.edu/529

• Class meeting schedule– Noon to 3:20PM Friday’s

– Room OHE 100C

• Class communication– inf529@csclass.info

1

Course Outline

• What data is out there and how is it used

• Technical means of protection

• Identification, Authentication, Audit

• The right of or expectation of privacy

• Government and Policing access to data – Feruary15th

• Social Networks and the social contract – March 1st

• Criminal law, National Security, and Privacy – March 22nd

• Big data – Privacy Considerations – March 8th

• Civil law and privacy – March 29th (also Measuring Privacy)

• International law and conflict across jurisdictions – April 5th

• The Internet of Things – April 12th

• Technology – April 19th

• The future – What can we do – April 26th

Semester Project

All students are expected to prepare and present a 30 minute

lesson on a topic related to privacy that is of interest to them.– If on a topic that is already in the syllabus, your presentation will be made

in the week that the topic is covered in class. The next slide shows some

possible topics that align with lectures (your title should be more specific).

– If on a topic that is not already in the syllabus, I will assign a week from

your presentation, based on available time in lecture, and based on

relevance.– Please send me proposed topics for your class presentation by Thursday the

25th. You can suggest multiple topics if you like... if so let me know your order

of preference. All that you need is a short title and a one sentence description.

Topics may be chosen from among the topics listed in the syllabus for the

class, or you may propose topics around any particular problem domain (e.g.

type of system, type of business, type of activity) for which you will provide a

thorough discussion of privacy (or privacy invading) technology and policy.

Tentative – Social Networks – March 1

Social Networks

• Chloe Choe

• Nitya Mohini Harve

• Deepti Rajashekharaiah Siddagangappa

Tentative: Big Data, March 8th

Big Data

• Jacqueline Dobbas - Location Data

• Kavya Sethuraman

Monetization of PII

• Ahmed Qureshi

• Faris Almathami - Privacy vs. Marketers and

Advertisers

Tentative: March 22 - Policing, National Security

• Dewaine Redish – National Security and Privacy

• Andrew Carmer - History of Government Surveillance

Tentative – March 29 - Civil Law and Privacy

• Arjun Raman – CCPA and related

Also Measuring Privacy

• Sevanti Nag – Measurement of Pivacy in Social Media

Tentative: April 5th – International Privacy Regulations

Mindy Huang

Abdulla Alshabanan

Anupama Abhay Sakhalkar – International

legal issues

Tentative: April 12 Internet of Things

• Lance Aaron - Smart Assistants

• Brianna Tu

• Yulie Felice - Amazon Alexa Security

• Sophia Choi – RFID, USN, M2M

• Jairo Hernandez - Security and Privacy of

NFC

• Ann Bailleul - Implication of IoT on

Privacy

April 19th Medical IoT and Technology

Security, Privacy and Safety of Medical Devices and

technology.

• Fumiko Uehara

• Joseph Mehltretter

• Abdullah Altokhais

Facial Recognition and related technologies

• Louis Uuh – Facial Recognition

Security and Privacy in Messaging Technologies

• Aaron Howland

April 26th – The Future of Privacy

Technology, Training, Legislation

• Charlene Chen – Right to be Forgotten and the future of privacy

• Kate Glazko

Expectation of Privacy

4th amendment to US Constitution– The right of the people to be secure in their persons,

houses, papers, and effects, against unreasonablesearches and seizures, shall not be violated, and no

Warrants shall issue, but upon probable cause,

supported by Oath or affirmation, and particularly

describing the place to be searched, and the persons

or things to be seized.

– This statement applies to actions by Government

Today’s discussion is not about the 4th amendment, but

rather the meaning of the term “Unreasonable”.And thus the topic is neither US, nor government centric

When do we not have an expectation

• 3rd Party Doctrine– Holds that people who voluntarily give information to

third parties are not protected by a reasonable

expectation of privacy

From Slide by Matthew Jackoski

Reasonable Expectation of Privacy

• To have a reasonable expectation of privacy you

need 2 things:

– Individual needs to exhibit an actual expectation of

privacy, meaning “he seeks to preserve something as

private” • “plain view test”

– Is the individual’s expectation of privacy one that

society is prepared to recognize as ‘reasonable’?

14

From Slide by Matthew Jackoski

3rd Party Doctrine

• Also known as the “Privacy Doctrine”

• Many court rulings uphold the idea that right to privacy is

waived when signing up for a service.

• Original purpose was to allow police to question gang

members without needing a warrant.

• Over time, the doctrine grew to allow warrantless

searches of telephone metadata and financial bank

records.

15

From Slide by Matthew Jackoski

Standing

• The right of an individual to contest the illegality

of a search and seizure

• Almost like a “catch 22”. – Only the person whose rights are being violated has

“standing”. Therefore, to challenge an alleged

governmental constitutional violation, you have to

claim ownership of the evidence being submitted.

16

From Slide by Matthew Jackoski

Katz v. United States (1967)

• Situation: – Government agents had intercepted the contents of a

telephone conversation of a man suspected of illegal

gambling

– This was done by installing a listening device on the

outside of a public telephone booth.

• Ruling: – Court rejected the argument that a “search” can occur

only when there has been a “physical intrusion” into a

“constitutionally protected area”

17

From Slide by Matthew Jackoski

Implications of Katz v United States

• Refined interpretation of the unreasonable search and

seizure clause of the 4th Amendment to include

immaterial intrusion with technology as a search.

• Extends the 4th Amendment right to “protect people, not

property”

18

From Slide by Matthew Jackoski

Smith v. Maryland (1979)

• Situation:– Man robbed a store and for a couple weeks after, the man would

call the owner of the store and threaten her.

– Police installed a pen register (device that records numbers that

a phone dials), this showed that the man suspected of robbing

the store was the one placing the phone calls

– This data led to a search warrant, where they found more

evidence in the man’s home.

– Smith wanted all evidence thrown out that was a result of the

pen register.

• Court Ruled: – The pen register was not a breach of “reasonable expectation to

privacy”, therefore the evidence remained

– This predated the ECPA

19

From Slide by Matthew Jackoski

Justification for Smith v. Maryland

• Activity in question: – Installing and using the pen register

• Who’s property? – Since the pen register was installed on the telephone

company’s property, the defendant cannot claim his

“property” was invaded or that police intruded.

• What about “protecting the person” not

“protecting the property”?

20

From Slide by Matthew Jackoski

Other Implications of Exposed Metadata

• Think of ISP and Social Media

• What could be determined from our metadata?

• What is being determined from our

metadata?

21

From Slide by Matthew Jackoski

United States v. Knotts (1983)

• Situation: – Officers followed a car containing a beeper, relying on

the beeper signal to determine the car’s final

destination.

• Ruling: – Court unanimously held that since the use of such a

device did not violate a legitimate expectation of

privacy; there was no search and seizure and thus

allowed without a warrant.

22

From Slide by Matthew Jackoski

Implications of United States v. Knotts

• A person traveling in public has no expectation

of privacy in one’s movements.

• Will Google Maps and Apple Maps be allowed to

work in tandem with the police force?

• Again, note that there have been recent laws

and ruling that limit this kind of collections.

23

From Slide by Matthew Jackoski

Bringing Things Up to Date

Real expectations vs legal fictionsNo expectation of privacy for actions performed in public

No expectation of privacy for material in plain sight

But technology changes to nature of the information

Expectation of Privacy from Whom4th amendment US Centric and applies to government.

What about industry, neighbors, etc.

Where else are there laws related to privacy

expectations

Actions Performed in Public

What are our expectations:When our actions can be observed

Then – Witnesses can describe what they saw

Now – ubiquitous surveillance cameras may record us(certain locations have privacy expectations)

We might be identified after the factOnes activities creates the motivation to obtain data

Our loss of privacy/anonymity occurs after the actAnd based on information we expect to be “public”

New Technologies

We are constantly identified and the stream of indivually

“public” data is now invasive.ALPR – Automatic License Pate Readers

Similarly, when location data is centralized, we can track

movement of individual vehicles.

Facial recognitionWhen combined with central clearing of identification

Allows one to track the movements of individuals

Automatic License Plate Readers

ALPR devices are popping up all over the

place, from toll roads to parking garages,

to the entrances to the USC Campus.

Many private ALPR systems are managed

by organizations that aggregate the data

and sell it for commercial purposes such

as repossessions.

We are Part of the Problemhttps://www.eff.org/deeplinks/2015/10/license-plate-readers-exposed-how-public-safety-agencies-responded-massive

University of Southern CaliforniaUSC had far fewer ALPR cameras exposed than those in Louisiana—only four of what is likely a 60-plus camera network. However, these four cameras were even more vulnerable than the Louisiana cameras, since their controls were hosted on public university pages, with obvious URLs such as pipscam9.usc.edu.

Pipscam9 was particularly problematic. Located on “Fraternity Row” (see it here) and directly across from the Pi Kappa Phi house, the ALPR camera was completely unprotected. One could not only see the license plates passing down the street, but also watch a live video feed (below) of people crossing the street.

Texas ALPR to Collect Fineshttps://www.eff.org/deeplinks/2016/01/no-cost-license-plate-readers-are-turning-texas-police-mobile-debt-collectors-and

The problem with License Plate Readers is the aggregation of the data. While the location of our vehicle on a public street is visible and we have no expectation of privacy, when the information is collected over a period of time, it now exposes our transportation history, and we at least EXPECT some level of privacy regarding that.

Surveillance for Hirehttp://www.theblaze.com/news/2014/03/06/surveillance-for-hire-would-you-take-money-to-record-fellow-drivers/

Once again, we see the value to companies of data about your locations. In this case, data could be accessed by private investigators and others. The value is in the aggregation of the data, rather than in the localized snapshot of ones current location.

ICE Accesses a Massive Amount of License Plate Data. Will California Take Action?

Proposed legislation that would allow California residents to cover their license plates while parked, has been tabled under pressure from law enforcement groups.

California says no, you can’t cover your license plate

Facial Recognitionhttps://www.engadget.com/2006/02/28/biobouncer-facial-recognition-system-for-bars-clubs/

While we're aware of the occasional incident "in da club"

featuring a firearm-bearing-celebrity, we've been blissfully

ignorant of the fact that clubbing these days has apparently

gotten so dangerous that a market has sprung up for

nightlife-specific biometric security solutions.

Well Wired is reporting that besides the fingerprint

recognition system that a company called Food Service

Solutions is pitching to alcohol retailers, an even more

ambitious facial recognition system is about to be deployed

in U.S. bars and clubs by a 24-year-old entrepreneur named

Jeff Dussich. Dussich's company, JAD Communications and

Security, is promoting its BioBouncer package as a way for

communities to identify habitual troublemakers by using a

Vegas-like database of blacklisted individuals that is shared

among local establishments. BioBouncer costs $7,500 for

the initial hardware, software, and setup, and $6000 per

year for support, which presumably means access to the

networked "rogue's gallery." Not surprisingly, privacy groups

such as the EFF are opposed to BioBouncer and similar

systems,citing both their questionable accuracy and

potential for misuse.

From Whom is Information Private

Business Records• 3rd party doctrine tells us that we have no expectation

of privacy for records that are maintained in the normal

course of business (including things like call logs, etc).

• Specific legislation my dictate that certain kinds of

records not be disclosed.

• Privacy policies or contractual requirements may do the

same.

Expectation of Privacy implicationsNot that information can-not be obtained, but rather the

conditions under which it may be obtained.

by a business in their normal course of

Privacy of Electronic Mail

from the 2012 Version of FBI Domestic Investigations and Operations

Guide, which the ACLU got through a FOIA request:

In enacting the ECPA, Congress concluded that customers may not retain a

“reasonable expectation of privacy” in information sent to network providers. . . [I]f

the contents of an unopened message are kept beyond six months or stored on

behalf of the customer after the e-mail has been received or opened, it should

be treated the same as a business record in the hands of a third party, such as

an accountant or attorney. In that case, the government may subpoena the records

from the third party without running afoul of either the Fourth or Fifth Amendment.

Privacy of Electronic Mailhttps://www.wired.com/2017/02/trump-power-email-privacy-act-never-urgent/

New proposed legislation

changes this.

The email privacy act could

require government agencies to

obtain a warrant before seizing a

criminal suspect’s online

communications that are more

than 180 days old. Under the

ECPA’s existing logic, those older

communications are considered

abandoned, and thus not subject

to a reasonable expectation of

privacy. Amendment.

Overriding Expectations

For business records and other items without an “expectation” of

privacy, there is still criminal and civil procedure that must be applied to

obtain such records.

Three classes:What is truly considered public

Investigators ask witnesses, look at public records, or other

material considered public.Items like business records or information held by third parties

Investigators issue subpoenas or other forms of process for

specific records. Though arrangements have been entered into

for direct access. Such arrangements are troublesome.

Is there is an legislated or legal expectation of privacyInvestigators must obtain a search warrant, which has a

higher burden of probable cause than for subpoenas.

Can Public Tweets be used by LEhttps://www.engadget.com/2016/12/15/twitter-stops-dataminr-from-sharing-tweets-with-police-hubs/

Should Law Enforcement

and intelligence agencies

really be stopped from

using information that

is published to the rest

of the world.

Twitter thinks yes.

Electonic Communication Privacy Act (1986)

https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285

Title I of the ECPA, which is often referred to as the

Wiretap Act, prohibits the intentional actual or

attempted interception, use, disclosure, or

"procure[ment] [of] any other person to intercept or

endeavor to intercept any wire, oral, or electronic

communication." Title I also prohibits the use of

illegally obtained communications as evidence. 18

U.S.C. § 2515.

Many issues to be discussed.

CAL ECPAhttps://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160SB178

ARTICLE 8 – European Convention on Human Rights

Right to respect for private and family life

1. Everyone has the right to respect for his private and

family life, his home and his correspondence.

2. There shall be no interference by a public authority with

the exercise of this right except such as is in accordance

with the law and is necessary in a democratic society in the

interests of national security, public safety or the economic

well-being of the country, for the prevention of disorder or

crime, for the protection of health or morals, or for the

protection of the rights and freedoms of others.

Europe’s GDPR

Extends privacy rights to corporate use of data.

Includes “Right to be Forgotten”

More on this later in the semester when we speak about

regulations.

Right to be Forgotten (before GDPR)

http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf

• In 2010 a Spanish citizen lodged a complaint against a Spanish newspaper

with the national Data Protection Agency and against Google Spain and

Google Inc. The citizen complained that an auction notice of his

repossessed home on Google’s search results infringed his privacy rights

because the proceedings concerning him had been fully resolved for a

number of years and hence the reference to these was entirely irrelevant.

He requested, first, that the newspaper be required either to remove or

alter the pages in question so that the personal data relating to him no

longer appeared; and second, that Google Spain or Google Inc. be

required to remove the personal data relating to him, so that it no longer

appeared in the search results

Current Events

A kids’ smartwatch was recalled by the EU over privacy concerns - The Verge 2/5/19

A smartwatch designed for children was recently recalled due to unencrypted communications between the

smartwatch companion app and a backend server. Hackers were able to read and modify the location history,

phone numbers, and serial numbers of the smartwatch while also being able to make calls to the child and find

their location. -- Aaron Howland

Children's smartwatch recalled over data fears - BBC News 02/05/2019

This story talks how the European Commission has ordered the recall of a children's smartwatch because it leaves

them open to being contacted and located by attackers due to the fact that data sent to and from the watch is

unencrypted allowing data to be easily taken and changed. - Nitya Harve

44

Current Events

3 Things Businesses Need to Know About Customer Privacy Expectations-TechRepublic-2/6/2019

According to a new RSA Security Report, 57% of consumers blame companies, not hackers, for a high-profile

breach. Many customers fail to understand how their data is being utilized and managed. Greater transparency of

how data is being used and protected would not only help companies understand the context of their consumers,

but improve personalization of services. -Jacqueline Dobbas

Cisco joins position supporting federal privacy law - Arstechnica.com -2/7/2019 –

Cisco joins the growing list of companies seeking federal government regulation. Many of these companies fear

the complications and additional cost associated with fragmented legislation across individual states and countries.

– Dewaine Reddish

45

Current EventsBounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years - Motherboard 02/06/19

Location data, including real-time location data, of AT&T, T-Mobile and Sprint customers had accessed by more

than 200 hundreds and related businesses through a chain of companies. A company called CerCareOne,

operated between 2012 till late 2017, bought the data from a firm called LocationSmart, which the telecom sold the

data to, and sold it to beneficiaries by charging up to $1,100 per phone location. CerCareOne also provided A-

GPS, which gives more precise location, for its customers based on the fact that the telecom companies have

access to that type of location data. None of the telecom companies specifically denied selling A-GPS data. -

Abdullah Altokhais

US lawmakers furious (again) as mobile networks caught (again) selling your emergency location data

to bounty hunters (again) - The Register 2/7/19

Mobile network companies have been found in violation of selling A-GPS data (location data accurate to a few feet

of the user), which has specific privacy protections against sharing and only supposed to be used for emergency

services. Mobile phone network companies already sold location data to third parties in a very under-regulated

process, and a particular company was able to charge $1.1k per search for A-GPS data. Ajit Pai is accused of not

doing his job to investigate violations of the FCC guidelines, which supposedly emboldened the mobile network

companies to sell the protected A-GPS data.-- Charlene Chen

46

Current EventsNew Mac Malware Targets Cookies to Steal From Cryptocurrency Wallets - The Hacker News 02/01/2019

A newly discovered piece of malware “CookieMiner" attempts to withdraw funds from user's cryptocurrency

exchange accounts by stealing user’s Google Chrome and Apple Safari browser cookies, credentials and credit

card information saved in the Chrome web browser and iPhone's text messages of victims stored in iTunes

backups. CookieMiner also uses the EmPyre backdoor for post-exploitation control - Sevanti Nag

Beware Siri Shortcuts – 2/4/2019 SC Media

This story just warns about new ways users can unknowingly download malware on their iPhones. One of the new

features of the latest update includes being able to create shortcuts for tasks that can be called upon by voice

activation. Researchers are warning that these shortcuts that can be downloaded can also download instructions

to execute/download/install malware or malicious code. -Jairo Hernandez

iPhone Apps Secretly Screen Recording Users - Tech Crunch 2/07/2019 (no link)

Many apps that utilize Glassbox for analytics utilize session replays, which record and allow playback of a user’s

interaction within the app. This information is sent either to Glassbox’s cloud or directly to company servers. Issue

is that many of these apps do not mention this in their privacy policies and do not properly protect all of the data.

- Lance Aaron See

47

Current Events

Apple threatens to remove iPhone apps caught recording user activity without consent –

Apple caught on to a few applications such as Expedia, Air Canada and Hollister that were using a "session replay"

software from a company named Glassbox. This software allowed the companies record their sessions, taps,

swipes while using the application. The bad part is that these companies were doing it without the users consent.

– Louis Uuh

Apple fixes one privacy nightmare as another emerges (Updated) - mspoweruser 2/7/2019

An update on the Group FaceTime bug and how this bug sparked an interest in looking for other privacy scandals

in Apple's app store. Session replay is a technology used by some apps is now under investigation as it exposes

some sensitive information without proper consent. Apple issued a statement saying that they would take

immediate actions if no disclosure of session recording was provided. --Abdulla Alshabanah

48

Current EventsGoogle Warns Data Privacy Changes Could Hurt Its Business - Bloomberg 2/5/2019

Google parent Alphabet Inc. claimed they were adjusting to step up regulatory scrutiny and evolve consumer

attitudes toward online data and privacy. By doing so, there would be adverse effects on advertising, which could

lead to worse reputation and revenue decrease. Additionally, Alphabet also updated its warning about an

expansion into non-advertising businesses like cloud services and consumer hardware, aligned with its report of

thinner fourth-quarter profit margins as they spend heavily to expand its cloud and YouTube businesses.

-Mindy Huang

Jack'd gay dating app exposes millions of private photos - BBC 2/7/2019

A gay dating app that has been downloaded for more than five million times on Google Play app, has a security

flaw that exposes private pictures, location information, and user metadata. All of the pictures uploaded by users

can be found on an open web server. A researcher called Oliver Hough reported this issue a year ago and the

company did not respond, but after The Register reported the issue, the company's chief executive made a

comment that a fix would be implemented this Thursday, February 7, 2019. -- Yulie Felice

Ohio’s Recently-Enacted Data Protection Act Creates a Shield Against Data Breach Lawsuits LegalTech News - 2/6/19

The state of Ohio becomes the first state to pass a law, the Data Protection Act, that incentivizes businesses to

maintain and implement strong cybersecurity systems. In return, the government will provide a "safe harbor" for

these businesses against major data breaches. – Brianna Tu

Security vulnerabilities in video conferencing devices could be remotely exploited by hackers - ZDNet (02/07/19)

System commands can be run by hackers on video conferencing devices distributed by Lifesize because of a

security vulnerability, leading to spying and attacking of other devices. This could prove as a threat to companies

that currently use Lifesize software for meetings and video conferencing. - Chloe Choe

49

Current Eventshttps://www.cnbc.com/2019/02/07/privacy-policies-give-companies-lots-of-room-to-collect-share-data.html

It discusses how most users do not actually thoroughly read privacy statements of the services they utilize, if they

even read them at all. However, they are often written in a cryptic manner that would make them difficult for the

majority of users to understand if they tried. The article also brings up an interesting example of an innocent-

seeming device that collects a lot of information about users. -- Ann Bailleul

Most people just click and accept privacy policies without reading them — you might be surprised at what they allow

companies to do CNBC 02/07/2019

CNBC talked to three privacy professionals to get their take on privacy policies. These professionals said privacy

policies are not designed to be understood by the consumers and require at least some high school education and

sometimes advanced degrees. Many policies include some clauses that say that companies can change the policy

at any moment, potentially allowing them to collect a lot more data or do something with our data that wasn't

specified before. When you download something and accept the terms and conditions, if you aren't paying for it,

you are the product. --Anupama Sakhalkar

Biometric Privacy Update – Actual Harm Not Required The National Law Review 2/7/2019

In 2008, the state of Illinois passed the Biometric Information Privacy Act (BIPA) which has regulated the use of

biometric data by private organizations. The city of Chicago, along with other parts of IL, have been targeted by

tech companies for pilot testing of new biometric technologies. Therefore, there have been recent violations of

BIPA as its major compliance requirement is the retention of biometric data due to being unchangeable unique

identifiers - Faris Almathami

50

Current EventsUser consent is required to combine Facebook, whatsapp and Instagram accounts. The Guardian

Extract: Facebook which also owns Instagram and WhatsApp plans on combining all the 3 accounts which are

currently separate, into one account so that the users can send messages between them. But Germany’s anti-

monopoly regulator has ordered Facebook not to combine user data without consent from users. This is a result of

an investigation into potential privacy and competitive policies. But Facebook disagrees to the results and they

intend to appeal. But the crux of this is again user privacy where Facebook can collectively accumulate user

information and potential PI across different platforms and use it to sell and target ads better which could again

lead to breaches and misuses from external agencies. -- Kavya Sethuraman

German regulator orders Facebook to restrict data collection- theGuardian 02/07/2019

German Regulator declares that Facebook should possess user consent for integration of WhatsApp and

Instagram to its Messenger for that particular user. FB given 12 months to implement this in its data policies.

However in a blogpost, Facebook responded to the ruling, saying: “We disagree with their conclusions and intend

to appeal.” -- Deepti Rajashekharaiah

Facebook Says It Needs to Collect All Your Data to Protect Against Terrorism and Child Abuse - Gizmodo 2/7/19

The article discusses how Facebook can no longer use data it collects from Instagram, Facebook, and WhatsApp

together without explicit permission from users in Germany. Facebook wants it to be an opt out policy rather than

an opt in policy and says that it is necessary to "protect against Terrorism and child abuse." Facebook has been

accused of using this data in anti-competitive ways due to their significant marketshare in Germany. Facebook also

claims that other companies are doing it and they should be allowed to do it also. ~Ahmed Qureshi

51

Current EventsOver 59,000 GDPR Infractions Reported in the Last Eight Months Computer Business Review 2/7/19

Since the European Union’s GDPR legislation came into force in May 2018, over 59,000 data breaches have been

reported to European data protection authorities So far only 91 fines have been imposed as part of the new GDPR

regulations as many of the fines issued over the last year relate to cyber incidents that occurred pre-GDPR. €50

million is the largest fine to date and was handed by the French data authority CNIL to Google in relation to how

their processed their users personal data.. – Gene Zakrzewski

EU Agrees to Link Fragmented Border Security Databases Computer Business Review 2/7/19

European policy makers have agreed to connect a sweeping array of currently siloed border security systems,

creating a common identity repository, a Europe-wide document search portal for border security and a biometric

matching system. Roll-out will create a European search portal that lets border guards and police carry out

simultaneous checks of identity documents against all EU information systems on a single screen, instead of

verifying documents against multiple databases. It will also create shared biometric matching service, which will

use fingerprints and facial images to search across existing information systems, and a common identity

repository, which will store biographical data of non-EU citizens. – Gene Zakrzewski

52

What is Civil Law

• Civil law is concerned with private relations

between parties rather than criminal complaints

by a government against an individual.– This is in contrast to criminal law.

– Includes contract law.

– Includes tort law.

• If a tort (wrong) is committed we may be able to

settle or litigate over actual, punitive, or

stipulated damages, for “specific performance”,

or injunctive relief.

Civil Law and Privacy

• Contracts and privacy and security– Privacy policy statement

• Discovery and Privacy

• Laws protecting privacy of consumers– HIPAA

– FERPA (Buckley Amendment)

– Fair Credit Reporting Act

– Others

– Regulations by FTC (and at one point FCC)

– Data Breach Notification Laws

Contracts and Privacy

We enter into contracts all the timeSigning contracts for services or good

Consenting to terms of use on websites

Installing software (EULAs)

Such agreements set the terms of our activityWe can give away some rights to privacy

They may spell out what our “expectations” are

They can limit the damages we can collect

They can determine how and where to litigate

Certain terms can still be found unenforceable for a

variety of reasons.

Enforcement of Contracts

Probably easier against the writer of such agreements, if

acceptance was “implied”.– But usually the terms with respect to privacy tend to disclaim

expectations of privacy, so no damages to demonstrate, and

other damages usually limited by the terms of the

agreements.

– Litigation can be initiated by injured parties, class actions, or

by government agencies in some cases (e.g. FTC).

– Terms of such agreements can’t allow either party to “break

the law” or violate other regulations, but they can change how

certain breaches are to be treated (e.g. opt-in)

– Deceptive trade practices…(can provide alternative remedy)

Discovery

When bringing suit (litigating) civil matters, all parties

have the right to compel disclosure of facts that may

benefit their case.– The process of forcing disclosure of such information is

called Discovery.

– If you are a party to the suit then you may be required to

produce “discoverable” information.• A good reason not to keep some things to begin with.

• A good reason to have a data retention/destruction policy– It is illegal to destroy the data after you have reason to believe that

it will become subject to discovery.

• Third party doctrine applies– Data about you may be obtained from third parties

– You may have an opportunity to object to such disclosure, but not

always.