data privacy



lecture given at ESC Rennes


<ul><li> 1. DATA PRIVACY. Jacques Folon: Partner, Edge Consulting; Senior Lecturer (Maître de conférences), Université de Liège; Lecturer (Chargé de cours), ICHEC Brussels; Visiting Professor (Professeur invité), Université de Lorraine, ESC Rennes, IACE Tunis, IAM Ouagadougou </li></ul><p> 2. All presentations and resources are available on WWW.FOLON.COM (cours)
3. Follow me on for the latest news on data privacy and security
5. some recent facts &amp; figures
6. privacy ?????
7. Average number of Facebook friends in France: 170
9. The person who took the photo is a real friend
10. privacy and graph search ?
15. From Big Brother to Big Other
16. Antonio Casilli: Importance of T&amp;C; Everybody speaks; mutual surveillance; Lateral surveillance
17. geolocation
18. data collection
20. Interactions controlled by citizens in the Information Society
21. Interactions NOT controlled by citizens in the Information Society
22. some definitions
23. 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
24. 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
25. 'personal data filing system' ('filing system') shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis
26. 'controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;
27. 'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed
28. Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
29. Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent; or (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or (d) processing is necessary in order to protect the vital interests of the data subject; or (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
30. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life
31. Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it: (a) the identity of the controller and of his representative, if any; (b) the purposes of the processing for which the data are intended; (c) any further information such as - the recipients or categories of recipients of the data, - whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, - the existence of the right of access to and the right to rectify the data concerning him in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject
32. Right of access: Member States shall guarantee every data subject the right to obtain from the controller: (a) without constraint at reasonable intervals and without excessive delay or expense: - confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed, - communication to him in an intelligible form of the data undergoing processing and of any available information as to their source, - knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1); (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data; (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort
33. OPT IN
35. Cookies
36. international transfer
37. Sub-contractor
38. Sub-contractor: The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures
39. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that: - the processor shall act only on instructions from the controller, - the obligations as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor
40. INTERNAL TRAININGS
41. SECURITY
43. Everything must be transparent
44. Article 16, Confidentiality of processing: Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law
45. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
46. SECURITY IS A LEGAL OBLIGATION
47. What your boss thinks...
48. Employees share (too) much information, including with third parties
49. Where does one steal data? Banks, hospitals, ministries, police, newspapers, telecoms, ... Which devices are stolen? USB, laptops, hard disks, papers, binders, cars
50. 63 RESTITUTIONS
51. WHAT DO THEY KNOW??
54. THE LAW ON THE PROTECTION OF PERSONAL DATA REQUIRES IT SECURITY!
56. GOOD QUESTION ?
57. "By giving people the power to share, we're making the world more transparent. The question isn't, 'What do we want to know about people?', It's, 'What do people want to tell about themselves?' Data privacy is outdated!" (Mark Zuckerberg) "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." (Eric Schmidt)
58. PRIVACY VS SOCIAL NETWORKS
60. Privacy statement confusion: 53% of consumers consider that a privacy statement means that data will never be sold or given away; only 43% have read a privacy statement; only 45% use different email addresses; 33% changed passwords regularly; 71% decide not to register or purchase due to a request for unneeded information; 41% provide fake info. Source: TRUSTe survey
61. don't we read privacy policies
72. Evaluation and Comparison of Privacy Policies: Accessibility/User-Friendliness (columns: Facebook, Foursquare, Google Buzz, LinkedIn, Twitter)
Number of words: Facebook 5860 words; Foursquare 2,436 words; Google Buzz 1,094 words; LinkedIn 5,650 words; Twitter 1,287 words
Comparison to average Privacy Policy (based on 2,462 words): Facebook above average; Foursquare below average (but very close to the average); Google Buzz below average; LinkedIn above average; Twitter below average
Amount of time it takes one to read (based on an average person's reading speed, 244 words/minute): Facebook approx. 24 minutes; Foursquare approx. 10 minutes; Google Buzz approx. 5 minutes; LinkedIn approx. 23 minutes; Twitter approx. 5 minutes
Direct link to its actual privacy policy from the index page: Facebook No; Foursquare Yes; Google Buzz Yes; LinkedIn Yes; Twitter Yes
Availability in languages other than English: Facebook Yes; Foursquare Yes; Google Buzz Yes; LinkedIn Yes; Twitter Yes
Detailed explanation of privacy control/protection: Facebook Yes; Foursquare Yes; Google Buzz Yes; LinkedIn No; Twitter No
Trust E-Verified: Facebook Yes; Foursquare No; Google Buzz No; LinkedIn Yes; Twitter No
Linking to and/or mentioning the U.S. Dept. of Commerce Safe Harbor Privacy Principles: Facebook Yes; Foursquare No; Google Buzz Yes; LinkedIn Yes; Twitter No
Availability of contact information in case of questions: Facebook Yes; Foursquare Yes; Google Buzz No; LinkedIn Yes; Twitter Yes
Coverage of kids' privacy: Facebook Yes; Foursquare Yes; Google Buzz No; LinkedIn Yes; Twitter Yes
Containing the clause that it reserves the right to change the privacy policy at any time (cells in page order): Yes, but users will be notified; Yes, but users will be notified; http://www.psl.cs.columbia.edu/classes/cs6125-; Yes, but users will be notified of material changes; Yes, but users will be notified of material changes
73. Evaluation and Comparison of Privacy Policies: Content (columns: Facebook, Foursquare, Google Buzz, LinkedIn, Twitter)
Allowance of an opt-out option: Facebook Yes; Foursquare Yes; Google Buzz Yes; LinkedIn Yes; Twitter Yes
Allowance of third-party access to users' information: Facebook Yes/No, depending on a user's sharing setting and the information shared; Foursquare Yes; Google Buzz Yes; LinkedIn Yes; Twitter Yes
Discussion of the usage of cookie or tracking tools: Facebook Yes; Foursquare Yes; Google Buzz Not specified, but Google states that it records users' use of their products; LinkedIn Yes; Twitter Yes
Explicit statement of what type of information they share with third parties: Facebook Yes; Foursquare Yes; Google Buzz Yes; LinkedIn Yes; Twitter Yes
Sharing of users' location data: Facebook Yes; Foursquare Yes; Google Buzz Yes; LinkedIn Unclear, not mentioned in the Privacy Policy; Twitter Yes
74. Evaluation and Comparison of Account Creation Process (columns: Facebook, Foursquare, Google Buzz, LinkedIn, Twitter)
Number of fields required during the initial account creation: Facebook 9; Foursquare 10; Google Buzz Zero if you have a Gmail account; LinkedIn 4; Twitter 6
Details that are required for a user to create an account: Facebook: First name, last name, email, password, gender, birthday; Foursquare: First name, last name, password, email, phone, location, gender, birthday, photo; Google Buzz: None if you have a Gmail account; LinkedIn: First name, last name, email, password; Twitter: First name, username, password, email, "let others find me by my email", "I want the inside scoop"
Availability of explanation on required information: Facebook Yes; Foursquare Yes; Google Buzz: Information on how Google Buzz works is available; LinkedIn No; Twitter Yes, actually includes the entire Terms of Service in a text area box
75. DATA...</p>

