Privacy resources

Link added Sept 6 The US DOD has released an online training module about protecting PII (Personally Identifiable Information).  The presentation format and style (simple graphics with a formal script spoken aloud) is rather stilted, dry and basic, but is presumably more effective at getting the awareness messages across to the intended audiences than alternative approaches.  See what you make of it.

The Business Privacy Law Handbook (Charles H. Kennedy, 2008, ~US$119 from Amazon) is a survey of business privacy law in the US and the changes that field is undergoing, written for business managers and those advising them.  Despite occasional shortcomings in some areas, the book provides a detailed, up-to-date and quite comprehensive overview of American privacy law.

Privacy Protection and Computer Forensics (Michael A. Caloyannides, 2nd edition 2004, ~US$71 from Amazon) includes information on the vulnerabilities of devices such as PDAs, cellphones, smart cards, GPS devices, telephone calling cards, FAX machines and photocopiers.  The author flips back and forth between forensics and privacy, alternately emphasizing how to find or hide evidence.  The technology involved is the same but the shifts in viewpoint are jarring and the depth of technical detail varies.  Despite the drawbacks, this book contains a wealth of information for both forensic examiners and computer users concerned with privacy.

Recommended reading Internet and Online Privacy: A Legal and Business Guide (Andrew Frackman, Rebecca C. Martin and Claudia Ray, 2002, ~US$35 from Amazon).  Written by three Americans and published by American Lawyer Media, this book concentrates on American legislation.  However, the analysis is so clearly written and so rooted in Common Law and general legal principles that we have very little compunction in recommending this work to anyone interested in the legal aspects of privacy, regardless of jurisdiction.  The book is concise, readable and valuable.  There are some areas where one could hope for additional coverage and detail, but the concepts and basics are covered well.  We recommend this book particularly to security professionals without an extensive legal background.

Protect Your Digital Privacy: Survival Skills for the Information Age (Glee Harrah Cady and Pat McGregor, 2002, ~US$4 from Amazon sellers).  Other authors have attempted to provide a book about privacy for the masses.  Cady and McGregor have managed to stick pretty close to the topic.  They present a good deal of useful information.

Protect Your Privacy - How to Protect Your Identity as well as Your Financial, Personal, and Computer Records in an Age of Constant Surveillance (Outwitting) (Duncan Long, 2007, ~US$11 from Amazon) claims to offer “Everything you need to know about how to protect your computer security, financial privacy, telephone privacy, identification, freedom of movement, and more!”.

Recommended reading The Codebreakers - The Comprehensive History of Secret Communication from Ancient Times to the Internet (David Kahn, 1996, ~US$48 from Amazon).  No work on cryptography is complete without some reference to Kahn's great historical reference, its pages filled with fascinating stories.  The first edition, written way back in 1967, predates the publication of DES (the Data Encryption Standard, 1977) and the other now-common symmetric block ciphers; all of modern cryptography came later.  This is a work of solid historical scholarship, fascinating for anyone with the remotest interest in cryptology or cryptography.  For anyone seriously working in the field it makes great reading and is a salient reminder of some important points that often get lost in the technology.  Just don't plan to use it to craft your public key infrastructure.

Bruce Schneier wrote “Increasingly, you leave a trail of digital footprints throughout your day.  Once you walked into a bookstore and bought a book with cash.  Now you visit Amazon, and all of your browsing and purchases are recorded.  You used to buy a train ticket with coins; now your electronic fare card is tied to your bank account.  Your store affinity cards give you discounts; merchants use the data on them to reveal detailed purchasing patterns.”  An excellent piece summarizing the privacy issues we face today.

Privacy International publishes an excellent summary of the state of privacy legislation around the world, with a fascinating map.  Privacy International is a human rights pressure group that acts “as a watchdog on surveillance by governments and corporations”.  They have a number of battle fronts including ID cards and wiretapping practices.  PogoWasRight is a curiously-named blog with substantial privacy content.

The City of Bozeman, Montana, brewed up a media storm by asking job candidates to supply their login credentials for all the social networking sites they frequent.  “Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.,” the City form stated.  After considerable outcry the city rescinded its mindless policy.

Forbes Magazine tells us that “More than 300 privacy-related laws are on the books, in both Washington, D.C. and state capitals.  Privacy-related consulting services provided by law and accounting firms are a $500-million-a-year business and have been growing at double digits.  Expenses inside companies for privacy compliance easily run into the billions; a growing number of firms, for instance, now have their own ‘chief privacy officer.’”

Biometrics offer a more reliable way to identify people than, say, mugshots and signatures, using physical characteristics such as fingerprints and iris patterns.  However, no biometric system is perfectly accurate: every matching threshold trades false rejections of genuine users against false acceptances of impostors, and unlike a password, a fingerprint or iris that has been copied cannot be revoked and reissued.  Politicians who claim that biometrics will totally prevent identity theft are therefore being ‘economical with the truth’.  100% security is a myth.

This academic paper, although rather abstract, is a good survey of the research into social network data gathering and describes a particular de-anonymizing attack.  It points out the danger of data aggregation inherent in social networking: attributes that are harmless on their own (location, age, school, employer) can single out an individual once they are combined, and matching them against another data set can put a name to a supposedly anonymous record.
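To make the aggregation danger concrete, here is an added example (our own illustration, not code from the paper or from this site) of the classic linkage attack: an “anonymized” release that keeps a few quasi-identifiers is joined to a public profile list on those same attributes.  The two data sets are constructed for the example.  It also computes k-anonymity (the size of the smallest group of records sharing the same quasi-identifiers) and shows that generalizing the attributes helps, but that a group whose members all share the same sensitive value still leaks it.

```python
"""Linkage (re-identification) attack by aggregation, plus a k-anonymity check.

All records below are constructed sample data for illustration; they do not
come from any real dataset.
"""
from collections import Counter, defaultdict

# Attributes that are not names but, combined, narrow a record down to one person.
QUASI_IDS = ("zip", "birth_year", "sex")

# Constructed "anonymized" release: names removed, quasi-identifiers retained.
RELEASED = [
    {"zip": "02138", "birth_year": 1965, "sex": "F", "condition": "hypertension"},
    {"zip": "02138", "birth_year": 1965, "sex": "F", "condition": "asthma"},
    {"zip": "02139", "birth_year": 1972, "sex": "M", "condition": "diabetes"},
    {"zip": "02139", "birth_year": 1975, "sex": "M", "condition": "asthma"},
    {"zip": "02140", "birth_year": 1980, "sex": "M", "condition": "none"},
    {"zip": "02140", "birth_year": 1980, "sex": "M", "condition": "none"},
]

# Constructed public data with names (think social-network profiles or a voter roll).
PUBLIC = [
    {"name": "Alice Example", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "Beth Example", "zip": "02138", "birth_year": 1965, "sex": "F"},
    {"name": "Carl Example", "zip": "02139", "birth_year": 1972, "sex": "M"},
    {"name": "Frank Example", "zip": "02139", "birth_year": 1975, "sex": "M"},
    {"name": "Dan Example", "zip": "02140", "birth_year": 1980, "sex": "M"},
    {"name": "Ed Example", "zip": "02140", "birth_year": 1980, "sex": "M"},
]


def key(rec):
    """The quasi-identifier tuple used to join the two data sets."""
    return tuple(rec[q] for q in QUASI_IDS)


def k_anonymity(records):
    """Size of the smallest equivalence class; 1 means some record is unique."""
    counts = Counter(key(r) for r in records)
    return min(counts.values())


def infer(released, public):
    """For each named person, the set of sensitive values consistent with their
    quasi-identifiers.  A singleton set is a disclosure, whether it comes from a
    unique match (k = 1) or from a group whose members all share one value."""
    by_key = defaultdict(set)
    for r in released:
        by_key[key(r)].add(r["condition"])
    return {p["name"]: by_key.get(key(p), set()) for p in public}


def disclosed(released, public):
    """Names whose sensitive attribute the attacker now knows for certain."""
    return {name: next(iter(vals))
            for name, vals in infer(released, public).items() if len(vals) == 1}


def generalize(rec):
    """A simple de-identification step: coarsen ZIP to 3 digits and year to decade."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3]
    out["birth_year"] = (rec["birth_year"] // 10) * 10
    return out


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(RELEASED))
    print("disclosed before:", disclosed(RELEASED, PUBLIC))
    rel_g = [generalize(r) for r in RELEASED]
    pub_g = [generalize(p) for p in PUBLIC]
    print("k after generalization:", k_anonymity(rel_g))
    print("disclosed after:", disclosed(rel_g, pub_g))
```

On the raw release the join pins down Carl and Frank outright (they are unique on ZIP, birth year and sex) and also exposes Dan and Ed, who are not unique but whose whole group shares the same value.  Generalizing the quasi-identifiers raises k to 2 and protects Carl and Frank, but Dan and Ed are still exposed: k-anonymity alone is not enough when a group lacks diversity in the sensitive attribute.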

Generation Y has a different perspective on privacy than older generations.  “Don't think for a second that before a hire is made at a company that someone within the organization has not done a thorough Google search on a potential candidate's online footprint.  From LinkedIn and Facebook to Twitter and Flickr, everyone has a growing story to tell” says the Vancouver Sun.

A son traced his father through clever detective work using services and information available on the Internet - fair enough you might think, except that his father donated sperm anonymously.

Article 12 of the grandly-named Universal Declaration of Human Rights says “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation.”  Applies for rather small values of ‘universal’ perhaps.

Educational Security Incidents (ESI) is a blog listing (mostly privacy related) security incidents reported in the press.  These are intended to be useful fodder for security awareness programs, although users would have to add their own analysis to draw out the learning points.

Two British policemen with jobs-on-the-side as private detectives were convicted of bugging phones and hacking into computers on behalf of wealthy clients.

The American Institute of Certified Public Accountants (AICPA)’s Generally Accepted Privacy Principles (GAPP) cover ten key privacy issues that bear a remarkable similarity to the EU’s data protection principles.

The personal information of “every police officer in Texas” was compromised through the theft of a laptop from a supplier.

Users of Google Street View get ground-level views of selected city streets.  Some of the images may not be entirely appropriate for public viewing.  Examples quoted in a NY Times piece [free access, requires registration] include bikini-clad women, a man scaling a gate, a man entering a porn shop and readable vehicle number plates.  This is just one of many privacy concerns raised by Google’s services.  Google’s desktop search utility was previously slammed for uploading information about the contents of users’ C: drives to Google’s servers, and the European Community is deeply concerned about Google’s privacy policies.  Other search engines raise privacy concerns too, of course, but Google is the biggest and hence the largest target in the firing line.

The Kardphisher Trojan uses two convincing fake Microsoft Windows Activation screens as the lure to steal victims’ credit card numbers: a blended phishing attack combining social engineering and malware.

Case notes on children at risk in Essex, England, found their way on to eBay despite the secure data destruction processes that were supposed to prevent this kind of thing.

The Information Commissioner found 11 big-name UK financial institutions in breach of the Data Protection Act for dumping paperwork containing their valued customers’ personal details in outside waste bins.

The Australian Privacy Foundation maintains a list of privacy laws in about 30 countries and the Global Internet Liberty Campaign (GILC) periodically surveys privacy laws worldwide.

The UK Freedom of Information Act creates a tension between protection of personal data on one hand, and the need to disclose certain public information on the other.  Public bodies have responsibilities to disclose all sorts of interesting information but there are rules to protect personal data.

The UK Information Commissioner is responsible for overseeing compliance with the Data Protection Act and publishes guidance, such as advice on the data protection implications of CCTV.  Carnegie Mellon University’s Data Privacy Lab ran the Surveillance of Surveillance (SOS) project to investigate the use of technology such as CCTV to track members of the public.

Webcams that allow parents to monitor their children’s kindergartens etc. (“kindycams”) are being challenged on privacy grounds.  Some teachers evidently resent the intrusion into their classrooms, and the risk of images being viewed by pedophiles is considered significant.  Mobile phones with integrated cameras raise numerous confidentiality and privacy issues such as their use in changing/rest rooms.  Spies, pedophiles and peeping Toms like miniature wireless cameras for similar reasons.

Canada’s Privacy Act is monitored by the Privacy Commissioner.  A Canadian bank that repeatedly sent internal FAXes containing confidential client information (supposedly “for your eyes only”) to a FAX machine belonging to a US scrapyard operator ended up in court.

A citizens’ guide to data protection in the European Union gives an overview of the legislation.  Like most official EU documents, it is available in several languages.

Be careful what you mutter to yourself when you’re ‘on-hold’, especially if the telephone is being recorded.  The article notes that third parties are increasingly being used to monitor calls, including overseas companies in places where privacy may be interpreted differently than at home.

US-CERT Cyber Security Tip on privacy.

Detailed ‘strategic overview’ (if that’s not a contradiction) on privacy.

Australian privacy guru Roger Clarke defines privacy as “the interest that individuals have in sustaining a ‘personal space’, free from interference by other people and organisations” with several dimensions: privacy of the person, privacy of personal behavior, privacy of personal communications and privacy of personal data.

More than 25 years ago (in 1981), the Council of Europe’s Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108) defined ‘personal data’ as ‘any information relating to an identified or identifiable individual (“data subject”)’.  The convention was the precursor to European data protection legislation, although the definition subsequently evolved (in some European legislatures at least) to refer specifically to identifiable living individuals.

The Privacy Forum has a mailing list for discussion of personal privacy and related issues.

The need to protect the confidentiality of personal medical information, whilst allowing medical professionals legitimate access to the data, is gradually being enshrined in law.  The US Health Insurance Portability and Accountability Act 1996 (HIPAA) and the UK Data Protection Act 1998, for example, impose mandatory requirements on organizations gathering, processing and using medical data to protect the privacy of the individuals whose data they hold.

Website privacy policies

The Direct Marketing Association offers a simple point-and-click method of generating a website privacy policy to suit your requirements.  Here’s another.  The resulting policy may not be sufficiently comprehensive or accurate (your legal people should review it, for example) but is an extremely easy way of creating something to start with.

See what Google’s privacy policy means in this video.

The Canadian Marketing Association website advises its members on privacy policies and principles they should adopt, based on the OECD guidelines.


Related NoticeBored links collections

Governance, compliance, database security, identity theft, intellectual property, hacking, accountability, social engineering, Internet security, confidentiality and security awareness.


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk.  Please let us know about new or broken links.



Copyright © 2010  IsecT Ltd.