MGT 6727 Spring Semester 2024 Privacy Chapter 3 PDF
This document discusses privacy issues related to monitoring, spyware, phishing, and location tracking in the context of the private sector. The chapter is part of a university course, MGT 6727, and focuses on different surveillance methods from monitoring internet usage to sophisticated malware and cross-device tracking.
MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 3 – as of 01/15/2024 © IAPP

Some systems enable persons in positions of authority to monitor local networks. Such monitoring, as well as raising possible privacy issues, may be used to protect security and control behavior on the network, such as by blocking access to websites (sometimes called blacklisting) and other internet activity considered inappropriate. As discussed in more detail in Chapter 12, employers in the United States are generally allowed to monitor their employees’ internet usage on the organization’s network or company-owned devices. Reasons given for such monitoring include maintaining security within the corporate network and ensuring appropriate behavior among employees. In addition to monitoring internet browsing, many companies scan emails, including to detect possible phishing attacks.

The U.S. Children’s Internet Protection Act (CIPA) requires public schools and libraries to install filters to prevent children from viewing inappropriate content online. [29] Many schools also track students’ internet usage to prevent inappropriate and illegal behavior. Civil liberties organizations have long voiced concern about this practice on free speech and other grounds, but CIPA remains in place.

Parents as well can monitor their children’s internet usage. Tools allow parents to limit the types of sites their children can visit, often by use of lists of restricted sites or keyword filters. Such tools enable parents to more closely supervise their children’s online activities.

Privacy concerns can arise from any of the monitoring and control performed by persons in authority, such as employers, schools, or parents. What some may consider appropriate blocking of sites, others may see as a form of censorship. What some may consider standard security practice, such as monitoring emails, others may see as an intrusion on privacy.
In addition, the context of monitoring can matter greatly – software considered appropriate to track a young child’s internet usage may be considered objectionable, and even criminal stalking, if one spouse surreptitiously uses the software to track the other spouse’s online activity. [30] In light of such privacy concerns, the mere technical ability to monitor internet usage should not automatically lead to the conclusion that such monitoring is legal or ethical.

3.4.1.4 Spyware and phishing

Beyond monitoring the network connection, malicious software may surveil data before it even leaves the user’s own computer or other device. Spyware is malicious software that is covertly installed on a user’s computer, often by tricking the user into clicking on a link that results in the downloading of the spyware. Once spyware is installed, it can monitor the user’s activities and then send the attacker sensitive personal information or other information of use to the attacker. One type of spyware is a keylogger, which is malware that tracks all keystrokes performed by the user. Data about the keystrokes can then be sent back to the attacker. Other spyware can take control of the device’s camera or microphone, creating audio or video streams without the user’s knowledge.

Spyware may be installed on a user’s device via a phishing attack. Phishing is a form of social engineering that uses a routine, trusted communication channel to fool the user into providing unauthorized access to the user’s device or to sensitive personal information. [31] Phishing occurs commonly in email messages that appear to be authentic and encourage the user to click on a link or respond to the message by disclosing personal information, such as passwords or financial account numbers. For example, when a person clicks a link in an email sent to a work email account, the employee may be led to a website that collects information, or the link may result in installing spyware or other malicious software onto the user’s device. [32]

Fraudsters have developed variations on phishing attacks:

Spear phishing is a phishing attack that is tailored to the individual user, for example, when an email appears to be from the user’s boss instructing the user to provide information.

Whaling is a specialized type of spear phishing that is targeted at C-suite executives, celebrities, and politicians. The aim is the same as spear phishing—to download malicious software or use an email or website to obtain personal and/or sensitive information from the victim.

Smishing is phishing by use of SMS (text). Instead of the attack coming via email, the fraudulent link or request for information arrives via text message.

Vishing is the use of a fraudulent voice message or phone call to trick an individual into providing sensitive personal information or taking some other action.

To protect against spyware downloads, technical measures may be able to limit an employee’s ability to download executable code (code that can run a computer program). For phishing, smishing, or similar attacks, a first line of defense can be software that filters incoming communications and then blocks or flags suspected phishing communications. For phishing messages that make it through such filters, the principal defense is training for employees and other individuals. Individuals should learn to be cautious about clicking on links or opening attachments except from clearly trusted sources.
Although the discussions of phishing and spyware are often intertwined, it is important to understand that the preliminary step of defining software as spyware depends in large part on the intent and knowledge of the user, and on whether it is reasonable to believe the user wished to have the information transmitted back to the remote location. There is no simple distinction between illegal or inappropriate spyware and legitimate software that performs as intended. Spyware cannot be defined simply by the technical act of sending personal information from the user’s computer to a remote computer. For instance, a user might wish to have software that allows someone at a remote location to read what is on the screen. A common example is when a computer user receives technical help from a technician who can see the user’s screen or each keystroke. By contrast, the same ability to read the screen, without the knowledge or consent of the user, would in many contexts be considered spyware, [33] and in fact is used in spyware in what are called technical support scams.

3.4.2. Cookies and Other Tracking Used in Advertising

3.4.2.1 HTTP Cookies

Cookies are widely used on the internet to enable someone other than the user to link a computing device to previous web actions by the same device. The HTTP and HTTPS protocols are stateless, which means the protocols are not designed to remember past interactions with a particular user. For instance, a website should be able to remember if a user is logged in – it would be a bad user experience if the user were required to log into a website each time they clicked on a link or navigated to a new page. The basic function of an HTTP cookie is to maintain continuity for the user and website.
Cookies can be set just for a particular visit to a website or for extended periods of time. Session cookies are stored only until the web browser is closed, and thus contain only limited information about that session. Session cookies can be used, for instance, to keep a user logged in during a session or to allow the user to fill a shopping cart on a particular visit to an e-commerce site. Persistent cookies, by contrast, can be saved indefinitely – the website that sets the cookie determines how long the persistent cookie stays in place. Persistent cookies, for instance, can recognize a user who logged in on previous days, or keep a shopping cart filled until the purchase is completed on a later date.

Web domains, such as an e-commerce site or advertising network, can only read and write cookies that they themselves have set – a cookie set by one company cannot be read by others. Multiple cookies can result, however, from a user’s visit to a webpage. For instance, an online news site might load cookies from its own internet domain, such as www.onlinenews.com. These sorts of cookies from the primary page that the user is visiting are known as first-party cookies. However, a user visiting that site often receives cookies from other entities, such as online advertising networks or a social network when the user is logged in. Cookies set by any company other than the first-party website, whose URL is displayed in the browser, are known as third-party cookies. (The second party is understood to be the user who is surfing the web.)

3.4.2.2 First-party data collection

Cookies are one important way, among others, that first parties collect information about a user’s web activities. In a growing number of jurisdictions, including California and the European Union, first parties provide notice before setting cookies on the user’s browser.
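The cookie distinctions drawn in 3.4.2.1 (session versus persistent, first-party versus third-party, and the rule that a site can only read back cookies it set) can be checked mechanically from the Set-Cookie headers a browser receives. The following is an added example, not code from the chapter or the course; every hostname is a placeholder, and the two-label approximation of a registrable domain is an assumption noted in the code.

```python
"""Classify the cookies a browser receives while loading one page.

Added example, not code from the IAPP chapter or the course: it applies the
chapter's definitions (session vs. persistent cookies, first-party vs.
third-party cookies, and the rule that a site can only read cookies it set)
to constructed Set-Cookie headers. All hostnames below are placeholders.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass
class CookieReport:
    name: str
    setter: str        # registrable domain that set the cookie
    persistent: bool   # True when an Expires or Max-Age attribute is present
    party: str         # "first-party" or "third-party"


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels.

    Assumption for this example: real code would consult the Public Suffix
    List, since a name such as 'shop.example.co.uk' needs three labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: a cookie is sent only to its own domain and
    subdomains of it, which is why one company cannot read another's cookie."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def classify_cookies(page_host: str, responses) -> list:
    """responses: list of (responding_host, [Set-Cookie header values]).

    page_host is the host shown in the address bar; every cookie whose
    registrable domain differs from it is a third-party cookie.
    """
    page_site = registrable_domain(page_host)
    reports = []
    for resp_host, set_cookie_headers in responses:
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)             # parses name=value plus its attributes
            for name, morsel in jar.items():
                persistent = bool(morsel["expires"]) or bool(morsel["max-age"])
                # A Domain attribute, if present, names the cookie's scope;
                # otherwise the cookie is scoped to the host that responded.
                scope = morsel["domain"].lstrip(".") or resp_host
                setter = registrable_domain(scope)
                party = "first-party" if setter == page_site else "third-party"
                reports.append(CookieReport(name, setter, persistent, party))
    return reports


# Constructed traffic for one page load of a news site that embeds an ad network.
PAGE_HOST = "www.onlinenews.example"
RESPONSES = [
    ("www.onlinenews.example", [
        "sessionid=8f3a2c; Path=/; Secure; HttpOnly",            # session cookie
        "prefs=lang%3Den; Max-Age=31536000; Path=/",              # persistent
    ]),
    ("ads.ad-network.example", [
        "uid=7c1e9b; Domain=.ad-network.example; "
        "Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None",
    ]),
]


def summarize(page_host=PAGE_HOST, responses=RESPONSES) -> dict:
    """Map cookie name -> (party, persistent) for the constructed page load."""
    return {r.name: (r.party, r.persistent) for r in classify_cookies(page_host, responses)}


if __name__ == "__main__":
    for r in classify_cookies(PAGE_HOST, RESPONSES):
        kind = "persistent" if r.persistent else "session"
        print(f"{r.name:10} set by {r.setter:22} {kind:10} {r.party}")
    # The ad network's cookie is never sent back to the news site's host.
    print(domain_matches("www.onlinenews.example", "ad-network.example"))
```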
The IAPP website, for example, has the following cookie notice: “When you visit our website, the site asks your browser to store a small piece of data (text file) called a cookie on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies, which are cookies from a domain different than the domain of the website you are visiting, for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes: strictly necessary cookies, performance cookies, marketing cookies, and third-party website cookies.” [34]

As with the IAPP website, the user typically has a choice whether to accept all cookies (which may include cookies from third parties) or to refuse all cookies that are not necessary for the site’s functioning. The latter may include, for instance, the ability to place items in a shopping cart during that particular user session.

We briefly note some prominent forms of first-party data collection related to web activity. Cookies can enable personalization, such as where the site suggests music, books, or online shopping based on the user’s previous interactions with the site. In general, advertisers will pay a higher price per advertisement where detailed information exists about the user’s interests and likely economic activity. The personalization can be especially strong for search engines, where the user selects searches that may reveal the user’s current intentions.
For instance, advertisers may pay a search engine especially high prices for advertisements where the search suggests the user’s intention to make major purchases, such as a search for “mortgage rates this week” or “auto sales this week.”

Social networks and other websites often collect and retain user-generated content (“UGC”), such as where the user posts text, photos, or videos to the website. UGC can provide particularly granular information about a user’s interests and activities, including details about the user’s offline activities, such as attendance at a restaurant or concert. Social networks often do not sell the data to a third party; instead, the advertiser may pay, for instance, for 1,000 advertisements to individuals that the social network knows have an interest in a particular product. In such an advertising campaign, the advertiser may learn the identity only of those individuals who subsequently come to the advertiser’s website to purchase the advertiser’s product.

For first parties generally, the first party may learn greater details if the user is logged in. The consent to cookies, as discussed in the example with IAPP’s website, is consent only to set the cookies. By contrast, a user who creates an account with a social media or other website typically agrees to a longer website policy, called its terms of use, terms of service, or terms and conditions. Such terms of use often state that the service provider will have additional rights to collect and process data as a condition of the user joining the service. Such rights may include common uses, such as to develop, test, and improve the product or service. They may also include privacy-relevant provisions, such as the right to track a user’s location or sell the user’s information to third parties.

First parties may also purchase or otherwise gain access from other sources to the user’s personal information.
First parties may append data from third parties, such as to fill in gaps, correct and update existing data, and gain other insights. [35] This third-party data may come from data brokers, which are businesses that obtain information from one or more sources, process it to cleanse it or otherwise increase its usefulness, and then license the data for use by the first party. [36] The Federal Trade Commission and other privacy regulators have often scrutinized data brokers due to privacy concerns. [37] Although definitions of what constitutes a data broker can vary, studies put the annual market at above $250 billion. [38]

3.4.2.3. Third-party data collection

Until the early 2020s, a large portion of online advertising was facilitated by third-party cookies – cookies set by a party other than the first-party website, whose URL is displayed in the browser. For instance, advertising networks would often set cookies on a user’s device when the user went to a first party, such as a news or e-commerce site. The advertising networks then could observe a user’s activity across multiple sites, and serve targeted ads to that user based on the interests revealed by the user’s web browsing.

A variety of market and regulatory changes, however, are reducing the prevalence of third-party cookies. In the European Union, there have been multiple challenges to the legality of third-party cookies for advertising purposes. [39] The California Privacy Rights Act (CPRA), discussed further in Chapter 6, entered into effect at the beginning of 2023, and requires notice and an opt-out right for third-party cookies. As discussed in Chapter 11, major browsers have taken steps to block third-party cookies or to make it more difficult for them to operate.
Edge, Firefox, and Safari had third-party cookie blocking by default by the end of 2022, with Chrome announcing it was in the process of blocking such cookies by default. [40] In light of these major changes concerning third-party cookies, there is now considerable uncertainty about what types of third-party data collection will continue at anything close to the previous scale. Advertisers have the incentive to create new technologies and market models for third-party data collection, but important regulators quite likely will seek to block approaches that they believe threaten privacy. Privacy professionals involved in advertising should be alert to the possibility of new technological, market, and regulatory developments.

3.4.2.4 Tracking email recipients

Techniques used to track what websites are visited from a particular computer can also indicate whether an email has been opened or when a particular link in the email has been clicked. [41] Many email programs can display emails containing HTML code, the code used for websites, thus enabling functionality similar to web page tracking. One technique for tracking is to load a small image when a user opens an email. The image has a link or filename unique to the user, known and accessible to the sender of the email. To prevent such tracking, the user can disable HTML and read the email in plain text.

3.4.2.5 Cross-device tracking

Companies use both deterministic and probabilistic techniques to enable cross-device tracking, which is the ability to link a user to multiple devices, such as smartphones, tablets, and laptops. [42] Deterministic tracking is usually based on the user logging in, so that a company can observe the same log-in across multiple devices. Probabilistic tracking relies on inferences that the same user may be using multiple devices. [43] The inferences can arise from sources including IP addresses, cookies, location data, and other behavioral data.
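Returning to the email-tracking image described in 3.4.2.4: a mail client or gateway can recognise the pattern (a tiny or hidden image, fetched from a remote host, with a URL that is unique to the recipient) before any image is loaded, and the plain-text rendering the chapter recommends fetches nothing at all. The code below is an added example, not from the chapter or the course; the message and hostnames are constructed, and the "long opaque path segment" rule is a heuristic chosen for this example.

```python
"""Flag likely open-tracking images in an HTML email and show the plain-text view.

Added example, not code from the IAPP chapter or the course: it implements the
detection side of the technique in 3.4.2.4 (a small image whose URL is unique
to the recipient is fetched when the message is rendered). The message below is
constructed, every hostname is a placeholder, and the "long opaque path
segment" rule is a heuristic chosen for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _MailParser(HTMLParser):
    """Collect <img> attributes and the visible text of an HTML email."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.text_parts = []
        self._hidden_depth = 0   # inside <style>/<script> nothing is visible

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))
        elif tag in ("style", "script"):
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth:
            self.text_parts.append(data)


def _pixels(value):
    """'1', '1px', ' 1 ' -> 1; missing or non-numeric -> None."""
    try:
        return int(str(value).strip().lower().removesuffix("px"))
    except ValueError:
        return None


def _is_invisible(attrs) -> bool:
    """1x1 or smaller, or hidden through inline CSS."""
    w, h = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def _under_domain(host: str, domain: str) -> bool:
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def find_tracking_images(html: str, sender_domain: str) -> list:
    """Return [(src, [reasons])] for each remotely loaded <img> that looks like
    a read receipt. Embedded images (cid:, data:) are skipped: rendering them
    contacts no server, so they cannot report that the mail was opened."""
    parser = _MailParser()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https") or not url.hostname:
            continue
        reasons = []
        if _is_invisible(attrs):
            reasons.append("invisible image")
        opaque_segment = any(len(seg) >= 16 for seg in url.path.split("/"))
        if url.query or opaque_segment:      # heuristic for a per-recipient token
            reasons.append("recipient-specific token in URL")
        if not _under_domain(url.hostname, sender_domain):
            reasons.append("host outside the sender's domain")
        if reasons:
            findings.append((src, reasons))
    return findings


def plain_text(html: str) -> str:
    """What the recipient sees with HTML rendering disabled: no image is
    fetched, so no open-tracking request leaves the mail client."""
    parser = _MailParser()
    parser.feed(html)
    return " ".join("".join(parser.text_parts).split())


# Constructed newsletter from the placeholder sender newsletter.example.
SAMPLE_EMAIL = """<html><body>
<img src="https://newsletter.example/img/logo.png" width="120" height="40" alt="logo">
<p>Hello! Our spring catalog is out.</p>
<img src="https://track.mailmetrics.example/open/9e3b5a1c7d2f4e6a8b0c" width="1" height="1" style="display:none">
<img src="cid:inline-banner" width="600" height="200">
<p>Read the <a href="https://newsletter.example/catalog">catalog</a>.</p>
</body></html>"""
```

Running `find_tracking_images(SAMPLE_EMAIL, "newsletter.example")` flags only the 1x1 image on the metrics host, with all three reasons, while the logo and the embedded banner pass.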
Cross-device tracking can raise privacy issues, especially where users are not aware that their activities on different devices can be linked. It can assist users, such as when the user can access emails or content from different devices. Companies have an incentive to use cross-device tracking in order to increase their ability to target advertisements or other content, but regulators have expressed increasing concern about the practice of cross-device tracking. [44]

3.4.3. Location tracking

The technical ability to track location has become pervasive for the first time in human history. In a 2000 survey, only 28 percent of U.S. respondents reported having a cell phone. [45] By 2021, 85 percent of Americans had a smartphone, and 97 percent owned a cellphone of some kind. [46] Cellphones necessarily reveal the phone’s location, if only because the service provider needs to know where to send the signal to make the phone ring. In addition to cellphones, an increasing number of other technical means exist to track a person’s location, including the cars we drive and the cameras that can recognize our faces when we are in public.

Location information has important privacy implications. [47] The details of an individual’s location reveal potentially sensitive information about numerous aspects of a person’s life, such as our friends and associates, the medical services we receive, and where we spend the night. Although location information can be useful in solving crimes, such as identifying all of those at the scene of a robbery, it can also be used by an authoritarian government to keep tabs on the political opposition and stifle dissent.
The discussion here first addresses location-tracking technologies, and then turns to location-based services.

3.4.3.1. Location tracking technologies

Although others exist, we describe three location tracking technologies: cell tower and Wi-Fi triangulation; Global Positioning Satellites (GPS); and metadata.

Cellular phones communicate with cellular towers that receive their signal and connect phones to a global network. Service providers can gain information about the phone’s location from the time it takes messages from a particular cell phone tower to arrive at a phone, the strength of the signal from that tower, and the towers with which a phone can communicate. After determining the phone’s position relative to a handful of towers whose locations are known by the cellular provider, the position of the phone can be determined geometrically through triangulation. [48]

GPS satellites can enable the phone to determine location, specifically the device’s longitude, latitude, and altitude. As with triangulation, the GPS receiver can determine its location based on the differences in the time it takes for messages from each satellite to reach the receiver. Devices do not automatically reveal their information when they receive information to determine their location. However, smartphones and other devices often subsequently, and automatically, share the GPS information with an app or the phone provider. [49]

Location information can also be automatically stored in the metadata of content, such as photos. For photos taken with a cellphone or other GPS-enabled device, location is often automatically stored in the camera metadata, sometimes without the user’s awareness.
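The tower-based positioning described in 3.4.3.1 can be carried through numerically: each message arrival time gives a distance (time multiplied by the speed of light), and the phone lies where the circles of those radii around the known tower positions intersect. The code below is an added example, not from the chapter or the course; it generalises from three towers to any number by solving the resulting linear system in the least-squares sense, and the tower grid is a constructed local coordinate frame in metres, not real sites.

```python
"""Locate a phone from signal arrival times at towers with known positions.

Added example, not code from the IAPP chapter: it carries through the
geometry behind 3.4.3.1. Each arrival time gives a distance (time x speed of
light), and the circles of those radii around the towers are intersected.
With more than three towers the system is over-determined and solved in the
least-squares sense. Tower coordinates are a constructed local grid in
metres, not real sites.
"""
import math

SPEED_OF_LIGHT = 299_792_458.0   # m/s


def distances_from_times(arrival_times):
    """One-way propagation time (s) from each tower -> distance (m)."""
    return [t * SPEED_OF_LIGHT for t in arrival_times]


def trilaterate(towers, distances):
    """towers: [(x, y), ...] in metres; distances: matching radii in metres.

    Subtracting tower 1's circle equation from each other tower's equation
    removes the quadratic terms and leaves one linear equation per tower:
        2(xi - x1) x + 2(yi - y1) y = d1^2 - di^2 - x1^2 + xi^2 - y1^2 + yi^2
    These are solved through the 2x2 normal equations (least squares), which
    is the exact intersection when exactly three towers are given.
    """
    if len(towers) < 3 or len(towers) != len(distances):
        raise ValueError("need at least three towers with matching distances")
    (x1, y1), d1 = towers[0], distances[0]
    saa = sab = sbb = sac = sbc = 0.0
    for (xi, yi), di in zip(towers[1:], distances[1:]):
        a = 2.0 * (xi - x1)
        b = 2.0 * (yi - y1)
        c = d1 ** 2 - di ** 2 - x1 ** 2 + xi ** 2 - y1 ** 2 + yi ** 2
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    # Collinear towers make the normal matrix singular: the phone could be on
    # either side of the line of towers, so the position is ambiguous.
    if math.isclose(det, 0.0, abs_tol=1e-6 * max(saa * sbb, 1.0)):
        raise ValueError("towers are collinear; position is ambiguous")
    x = (sac * sbb - sab * sbc) / det
    y = (saa * sbc - sab * sac) / det
    return x, y


def locate_from_times(towers, arrival_times):
    """Full pipeline: arrival times -> distances -> position estimate."""
    return trilaterate(towers, distances_from_times(arrival_times))


# Constructed scenario: four towers on a 3 km square, phone truly at (1200, 800).
TOWERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 3000.0), (3000.0, 3000.0)]
TRUE_POSITION = (1200.0, 800.0)
ARRIVAL_TIMES = [math.dist(TRUE_POSITION, t) / SPEED_OF_LIGHT for t in TOWERS]


def demo():
    """Recover the constructed phone position from the four arrival times."""
    return locate_from_times(TOWERS, ARRIVAL_TIMES)


if __name__ == "__main__":
    x, y = demo()
    print(f"estimated position: ({x:.1f}, {y:.1f}) m")   # close to (1200.0, 800.0)
```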
A user who accesses the photo can then often access the location (and often the time) when the photo was taken.

3.4.3.2 Location-based services

Location-based services draw upon the data provided by location-tracking technologies. Modern smartphones and autos pervasively offer map-related functions, such as directions for walking, driving, or taking public transport. Apps often personalize an experience based on user location, such as weather reports or nearby restaurants or gas stations. Location also plays a role in many social media apps, such as finding one’s friends. Advertisers value location information, such as the ability to offer a coupon when an individual is near a store or restaurant. The location of individuals can be integrated with other databases, such as geographic information systems used widely for business purposes.

Along with clearly positive uses, such as correctly arriving at a destination, location services also can enable tracking and intrusive surveillance. Parents can use location services to know where their children are (or at least where their phones are). Employers can use location services to keep track of their employees and assets, such as the location of a company truck. In the United States, when law enforcement is investigating a crime or attempting to prevent a terrorist attack, it can request location information from companies holding the data. The U.S. Supreme Court held in U.S. v. Carpenter that police need to get a warrant when doing long-term tracking of an individual’s movements. For shorter periods, the holders of location information may be able to respond voluntarily to police requests. In other countries, such as China, governments have established extensive systems for tracking individuals, without the need for prior judicial approval.

3.4.3.3. Preventing and Controlling Location Tracking

The United States has historically had relatively few legal restrictions on businesses that collect and use location information. In recent years, as discussed in Chapter 6, the states that have enacted comprehensive privacy laws have often included location information in their definitions of sensitive data. [50] The Children’s Online Privacy Protection Act, discussed in Chapter 5, also specifically includes location data in its definition of personal data. [51]

Both users and controllers of personal information, however, can take action to moderate the use of location information and address the privacy risks. On the user side, smartphones reveal location information to the cellular providers, and many streams of location data on smartphones are enabled by default. With that said, smartphone operating systems have provided more detailed user controls over time. Individuals today can often specify which apps may collect location information, how granular the collection will be, and whether the location information goes to the app continuously or only when the app is being used. [52] Users often have the ability to turn on and off the automatic metadata in photos taken by a smartphone or other smart camera. More generally, designers of consumer-facing technology face increasing pressure to enable user controls over location data, as good practice in the United States and under legal requirements in the European Union and other countries.

On the side of the data controller, location services often benefit from a privacy impact assessment, to understand both the benefits of collecting and using such data and to become aware of privacy risks.
Privacy risks can often be mitigated by limiting the retention period of location data, de-identifying the data, and limiting who has access to location data and for what purposes. Organizations should be aware that location data can also be combined with other databases, enabling more detailed profiling than would be possible based on one company’s location data alone. Although location data can enable maps and many other useful services, developers can benefit from the “friends and family test” – how would I feel about the use of location data if it applied to my family or friends? If there are scenarios the developer would not want for family members, then quite possibly greater privacy safeguards are worth considering.

3.4.4 Surveillance by audio, video, and other sensors

In addition to tracking a device’s location, smartphones and other modern devices come equipped with audio (microphone), video (camera), and other sensors. We examine some scenarios where such sensors can raise privacy risks, and then discuss steps to mitigate such risks.

Smartphones, laptops, and desktop computers are all typically connected to the internet and potentially can have their microphones and cameras activated remotely without the knowledge of the user. Malware can be loaded onto these devices, such as when the user unsuspectingly clicks on a link that downloads the malware. These types of malware are often known as Remote Access Trojans (RATs). Malware, for instance, may turn on the webcam of a desktop or laptop, and even turn off the light that indicates the webcam is in use. Malware may also infect microphones, such as on a smartphone, a smart television, or the remote control used with a smart television or other device. In addition to malware, employers or others with lawful access to the device may activate the microphone or camera.
Employers often have the technical ability to activate microphones or other sensors on work-issued devices, and police may get a warrant under the wiretap laws to listen to a criminal suspect.

The decreasing cost of cameras, microphones, and other sensors also enables surveillance of individuals in public, from sources other than a user’s devices. There have been policy debates about the extent and use of closed-circuit television (CCTV), police body cameras, and other video surveillance, especially when paired with facial recognition software. [53] Use of such video surveillance systems by the government is generally legal in the United States, although not where the individual has a “reasonable expectation of privacy” (such as in a bathroom), [54] and not in some cities that have set limits on the use of facial recognition by police and municipal agencies. [55] Drones, called unmanned aerial vehicles by government agencies, often are equipped with video cameras, and may include infrared cameras, radar, or other sensors. [56] By contrast with the general legality of video surveillance, U.S. wiretap laws set limits on wiretapping and other secret audio surveillance.

Audio, video, and other sensors increasingly exist in a user’s home or automobile. The term Internet of Things (IoT) is used to refer to the broad range of sensors that increasingly are linked to the internet. The term “smart home” can apply to the increasing number of home devices that are internet-enabled, including thermostats, home security systems, and many more. The term “connected cars” focuses on the trend toward an increasing number of sensors in new cars, many of which send data to the cloud.
The discussion above about managing the privacy risks of location tracking applies as well to audio, video, and other sensors. On the user side, designers of consumer-facing technology can enable greater user control over data collection. For example, designers of smart toys for children (and smart home devices generally) can set privacy defaults so data does not go outside of the home, or provide usable choice interfaces concerning data about the children. For many kinds of video and remote sensing, however, there is no effective notice or choice for users, such as for data collected by drones or security cameras. [57] Data controllers should consider the full lifecycle of personal data, discussed further in Chapter 4 on managing privacy risks, when deploying audio, video, and other sensors. Under the principle of data minimization, there may be ways to achieve an organization’s goals with more limited collection, processing, and dissemination of personal data.

3.5 Privacy Enhancing Technologies

Just as new technology can enable greater privacy invasions, it can also enable new types of privacy protection. The concept of privacy by design has become more important over time, and that approach is now legally required in California and the European Union, among others. Privacy by design means to embed privacy principles in architectures, products, and services from the onset. [58] In recent years, privacy engineering has emerged as an increasingly important role related to engineering requirements for privacy into systems. Privacy engineers have available a growing number of mathematically sophisticated tools that seek to preserve privacy while maintaining the utility of the analyzed information. [59]

The discussion here provides a somewhat detailed explanation of issues relating to de-identification and re-identification of data. To the extent that data can indeed be de-identified, then privacy is preserved.
We next turn to two important general tools for protecting privacy— encryption and hashing, and conclude with some broader observations.

3.5.1 Altering data (data de-identification)

The word “anonymous” derives from the Greek “anonymos” or “without a name.” [60] Privacy laws and governance apply to “personally identifiable information” or “personal data.” When the data is no longer about a person, or is not identifiable, then privacy laws no longer apply. One important category of privacy-preserving technology, therefore, is any technique that can alter the data so that it is no longer identifiable.

Although U.S. law provides few clear definitions, [61] privacy professionals should be aware of the difference between data that is either “anonymous” or “pseudonymous.” Useful definitions come from the Information Commissioner’s Office in the United Kingdom, which states that