privacy and security 2

cybersecurity and society

privacy and cybersecurity

Class activity: understanding the relationship between privacy and security

In this interactive activity, we explore the close relationships among privacy, security, cybersecurity, and ethics. Our main goal today is to answer the question: How do privacy concerns inform cybersecurity measures and practice?

To answer this question, we first examine definitions for privacy, security, and cybersecurity. Here are the questions we will tackle for this activity:

  • What is privacy and why is it important?
  • What is security and why is it important?
  • What is cybersecurity, and how do efforts to achieve it address society’s privacy and security concerns?
  • What guidance can we expect from laws and professional codes of ethics?

Let’s begin! Form groups of three people, and give each person one of the following roles (or your instructor may assign groups/roles):

  • A facilitator, who asks the first question and keeps the group moving forward with the discussion.
  • A quality controller, who interjects questions throughout the discussion and ensures that everyone’s input has been received and that discussions and differences are handled in a principled way.
  • A recorder/reporter, who records group responses and responds to questions from outside the group.

what is privacy and why is it important?

It may be difficult to come to agreement on a definition for privacy, because different people and different cultures approach the idea of privacy in particular ways. So, we will get a little help from the experts. But before we do that, let’s think about why privacy is so hard to pin down.

  • Individual response: First let’s get very concrete and consider how important privacy is to each of us. List three things that you think should be, from a moral standpoint, kept private. Briefly justify your choices.

a)

b)

c)

  • Group response: It is likely that your individual responses to #1 above fell into at least one of these categories:

      • Intimacy issues such as personal relationships, physical contact, secrets (both personal and shared with others), or physical hygiene.
      • Knowledge of and treatment for personal medical conditions.
      • Biographical personal details regarding where you live(d), where you work(ed), where you attend(ed) school, your age, or your profession.
      • Demographics data such as your race or ethnic heritage, your religious affiliation, your political affiliation, or your income.
      • Financial transactions including bank accounts, loans, purchases, or credit cards.

As a group, explain why privacy is important in each of these categories. I.e., explain why making this type of information public could result in problems for the people whose data is being shared:

      • Intimacy issues:
      • Medical data:
      • Biographical details:
      • Demographic data:
      • Financial transactions:

  • To help us understand why privacy may be important, let’s take a look at some definitions of privacy and see what they mean to us today:

      • Privacy is control over the kind and amount of personal information you share with others; it enables you to have different kinds of relationships with different people. This idea comes from philosopher James Rachels and can be found in its original form at the link below. Think about the different kinds of information you share with others. It varies among people you know personally (co-workers, fellow students, teachers, parents, siblings, other relatives, friends, and bosses) or people you know distantly (doctors, lawyers, loan officers, salespeople, and clerks).

[Rachels, J. (1975). Why Privacy is Important. Philosophy & Public Affairs, 4(4), 323-333]

Individual response: What do we mean today when we say TMI (“too much information”)? Consider the sharing of personal data in the context of the relationships we have.

      • “Privacy is the right to be le(f)t alone”. The sentiment here is appreciating being le(f)t alone as a state of privacy. This is a direct quote from U.S. Supreme Court Justice Louis Brandeis, spoken in 1890.

Individual response: What does being “le(f)t alone” have to do with privacy? Consider physical, emotional, and electronic contexts.

Group response: How “alone” are we when we are online?

      • Finally, let’s consider the notion of reputation.

Individual response: What is revealed about you when your name is Googled or when your Facebook page (or any other social media account) is visited?

Group response: What should be revealed about us to provide an accurate picture of who we are? How can we control this online?

  • Given our current reality, if we want to address privacy concerns, we must recognize the following features of our interconnected digital world:

      • The scope of the Internet.
      • The vast amounts of data that can be collected, stored, and shared.
      • The ease with which anyone can collect, store, and share that data.
      • The speed at which anyone can collect, store, and share that data.

Group response: List an application in today’s networked world that has challenged personal privacy. Here’s an example:

Electronic medical records make medical data quickly and easily available to medical personnel and the patient.

This is great because the data is easily available to all who need to see it, thus avoiding problems of life-threatening drug interactions and providing time-sensitive data to those who need to know.

However, because this data exists, it must be protected. It is highly sensitive and personal. If it gets into the wrong hands, it can lead to discrimination in employment or housing, unwanted or fake marketing efforts for medicine, or embarrassment.

Your application and what it does:

This is great because:

However, because this data exists (or is readily available), it must be protected because:

what is security and why is it important?

Generally, we have an easier time defining security than privacy, although we often approach security and privacy in similar spheres. Security is more concrete to us than privacy, because we connect a sense of security with a feeling.

  • Individual response: What does each of these mean to you?
      • Physical security
      • Financial security
      • Personal security
  • Group response: What do your individual responses have in common?
  • It is widely believed that security is a core value of all democratic societies. Without it, a society is unable to flourish and grow, because its members do not have the peace of mind to function, to be productive (to advance themselves and society), or to enjoy life.

a) One way to understand the privacy-security connection is to think of privacy as necessary for security to exist. For instance, if a marketing database developer values consumer security, that developer will take measures to protect consumers’ privacy by protecting their sensitive and vulnerable personal data.

Group response: List three specific privacy safeguards that a marketing database developer/administrator might put in place to ensure security.

i)

ii)

iii)

b) A very different way of viewing the privacy-security connection is to see privacy and security as conflicting concepts. This view promotes the idea that members of a society must be willing to give up some degree of personal privacy in exchange for security. A great example of this is the TSA security check that all airline passengers must undergo before boarding an airplane. Passengers sacrifice a degree of privacy for the sake of physical safety.

Group response: How is it possible to honor both interpretations of the privacy-security connection?

  • Suggest electronic and process safeguards for the airport security screening activity.


how does cybersecurity benefit from efforts to protect privacy?

We have just seen that a close connection exists between privacy and security and that a “sense of security” (e.g., personal, physical, financial) is important to most people and to society in general. With global reliance on cybertechnology expanding daily, we need to understand the social, the ethical, and even the legal importance of good cybersecurity; and we must understand the consequences of insecure cybersystems. So, what exactly do we mean by cybersecurity?

[C]ybersecurity [i]s a “computing-based discipline involving technology, people, information, and processes to enable assured operations in the context of adversaries. It involves the creation, operation, analysis, and testing of secure computer systems. It is an interdisciplinary course of study, including aspects of law, policy, human factors, ethics, and risk management.”

[Joint Task Force on Cybersecurity Education working definition updated August 8, 2016]

Some observations:

  • The rules governing a cybersecurity system must address interactions among hardware, software, data, and human beings.
  • Attention must be paid to security at every level of a system’s development, deployment, and maintenance.

Group responses:

  • What practical problems can effective cybersecurity address or prevent?
  • What ethical or societal problems can effective cybersecurity address or prevent?
  • Suppose you are given the job of designing privacy and security safeguards for an online children’s game. Describe some practical and ethical concerns you will address, and provide some remedies.
  • a) What are some public expectations (laws and public policy) regarding cybersecurity protections?

b) What are the full names of these acronyms and what does this class of laws attempt to address?

  • Education: FERPA
  • Healthcare: HIPAA
  • Finance: Sarbanes-Oxley
  • Domestic terrorism: U.S. Patriot Act
  • Child Online Protection: COPPA

homework questions (Individual work, Extra credit)

  • From p. 2: Reflect on the different things that you and your group members considered important to keep private. What do you think contributed to your differences in responses?
  • From pp. 5-7: Reflect on the three different approaches to interpreting privacy that have been presented in this unit. Specifically, consider:

a) Which one seemed the most practical or useful? Why?

b) Which one seemed the most ethical or just? Why?

  • Organizations’ privacy policies are intended to explain to users how the organization is protecting their personal privacy. They are often also “transactional” in that they tell the user what data they collect. How well are these privacy policies doing to set users’ minds at ease?

a) Examine a privacy policy from each of these types of websites:

i) Commercial

ii) Governmental

iii) One intended for children

b) For each of the sites chosen, rate the privacy policy on:

i) Readability

ii) Length

iii) Credibility

  • From p. 8: Choose another application or product, and perform an analysis similar to the one you completed with your group in class.
  • The ACM and IEEE each have codes of ethics for their members to follow. Visit each organization’s website and identify what guidance the codes give for privacy protection. Although they are not legally binding, professional codes of ethics serve both society and the profession. They are expected to work in concert with companies and organizational rules of conduct and practice.