Information System 9- Protecting the Confidentiality and Privacy of Information

Learning Objectives

• Understand the various threats to information privacy
• Identify technologies and solutions used to protect the confidentiality and privacy of information
• Explain how information privacy is a component of the PAPA ethical framework
• Discuss the relationship between information privacy and information security

---

Introduction and Definitions

Privacy of information is the confidentiality of the information collected by organizations about the individuals using their services.

Example: friends post something about them on Facebook or Twitter without their prior approval. –> everyone has to be concerned not only about their own information privacy but also about the privacy of information of others.

Information Privacy Threats

• Data Collection

  • Faster, Easier, Hidden - Cookies (store information on your computer about you or your computer when you browse or enter information into certain website)
  • Usage Tracking – Clickstream (Looks at IP of the computer connecting to a site, identifying what page the computer connected from, what page it goes to after the current one, how often in connects to this sets, and whether actual purchases are made –> give marketers an indication of successful and unsuccessful online ads..)
  • Proliferation of Data Sources (leads to more data being available and to individuals being increasingly concerned about the privacy of their information)

• Secondary Use of Information (Data Sharing) – use of data for purposes other than those for which they were originally collected

  • Function Creep – It is another term used to refer to data being used for other functions beyond those purposes for which they were collected.
  • Opt-in vs. Opt-Out – When you opt in, you have to specifically state that you agree that your data can be used for other purposes, often to receive special deals or information from partner companies. When you opt out, you have to make sure you tell the company you do not want your data shared with others or used for other purposes.

Consequences of Privacy Violations

Individual Consequences: Identify Theft

• Using someone else’s personal information for your own personal gain (fraudulent activities)
• The best way for individuals to protect themselves from identity theft is to follow basic security guidelines and common sense.
  • Do not use your Social Security Number unless it is absolutely needed.
  • Shred everything that has any data about you.
  • Place outgoing mail at the post office or locked collection box.
  • Password protect financial accounts with strong passwords and two-factor authentication, if available.
  • Really check the statements you receive.
  • Request photo identification when someone asks for your information, and do not give it out over the phone, Internet, or mail unless you initiated the contact.
  • Destroy digital data by going beyond a simple delete.
  • Limit the information provided on your checks.
  • Request your annual credit report and check it.

Organizational Consequences: Company Reputation

If organizations fail to protect the privacy of their customers’ information, then their reputations can suffer.

The costs of privacy breaches can be enormous for the companies involved.

• First, they may lose current and future customers.
• Second, they have to repair the breaches.
• Third, they have to compensate customers for their potential identity theft issues.

Technologies and Solutions for Information Privacy

• Cookies and Cookie Managers
  • Delete unwanted or dangerous cookies
  • Can also use settings not to accept cookies – Google Chrome: “Settings”-> “Privacy and security”->”Cookies and other site data”
• Anonymous Browsing
  • Not allowing websites to track what you do online.
  • Use settings to block or delete cookies
  • Use settings to not send location information to websites
  • Use anonymous search engine (e.g., DuckDuckGo)
  • Turn off settings “personalizing” your searches
  • Use anonymous browsing (e.g., InPrivate browsing - IE Explorer; Incognito - Chrome; etc.)
  • Use a private browsers (e.g., Tor Browser (https://www.torproject.org/))
• Privacy Statement or Policy
  • Most serious companies who do business online have privacy policies.
  • A privacy policy is a statement that describes what the organization’s practices are with respect to the privacy of its customers.
• Privacy Seals
  • Privacy seals offer companies another attempt at self-regulation regarding privacy of consumers and a way to reassure consumers about transacting with them online.
  • These seals are also called reputation seals and are issued by such sites as TrustArc (previously called TRUSTe) (http://www.trustarc.com) and WebTrust.
  • Examples include those offered by VeriSign (http://www.verisign.com) and McAfee Secure (https://www.mcafeesecure.com/).

Government Information Privacy Regulations

Even though information privacy is largely our responsibility as individuals, there are specific situations where governments have created regulations to protect information privacy. In fact, there are actually many such regulations throughout the world.

• European Union – General Data Protection Regulation (GDPR)
• United States – Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA)

Mobile Information Privacy

Information privacy is even more of an issue in mobile settings, such as in the use of your smartphone or tablet.

Issues in Mobile Environments:

• Collection without awareness
• Fewer regulations
• Enormous amounts of personal data on devices
• Downloading apps without evaluating them

Recommendations:

• Use only recognized app downloading location (Apple App Store, Google Play, etc.)
• Use settings that limit what apps have access to
• Install security apps on smartphone
• Secure lock screen with a PIN or password
• Use “Find My Phone” and “Remote Wipe”
• Don’t use public networks for anything important

IoT and Privacy

• The world of IoT provides huge amounts of personal data.
• The Internet Society (http://internetsociety.org) suggests:
  • Enhance user control regarding the data collected by IoT devices and services and how they are managed.
  • Improve transparency and notification by providing clear, accurate, relevant, and detailed information to users.
  • Privacy laws and policies should keep up with technology and include the use of IoT sensors and continuous monitoring.
  • Involve a broad variety of stakeholders in IoT privacy discussions to address the diversity of IoT risks and benefits

Privacy and Ethics

The increased use of information technologies would lead to four major concerns about the use of informaiton:

• Privacy
• Accuracy
• Property
• Accessibility

Ethical Decisions

PLUS Framework is a set of questions to help in making ethical decisions

• [P] is consistent with organizational policies, procedures and guidelines?
• [L] is acceptable under applicable laws and regulations?
• [U] conforms to universal values such as empathy, integrity, and justice?
• [S] satisfies your personal definition of what is good, right, and fair?

Relationship between Security and Privacy

• Security is the protection of information against threats such as unauthorized access to data, falsification of data, or denial of service.
• A company can provide every security protection possible against these threats to your information without necessarily having the intent of protecting the confidentiality of your information.