van den Hoven, Jeroen, Blaauw, Martijn, Pieters, Wolter and Warnier, Martijn, "Privacy and Information Technology", The Stanford Encyclopedia of Philosophy (Winter 2014 Edition), Edward N. Zalta (ed.), forthcoming URL = <http://plato.stanford.edu/archives/win2014/entries/it-privacy/>, First published Thu Nov 20, 2014
Managing your identity, tutorial 2: Protecting your Privacy - Internet Society, January 2013 - Before reading this tutorial you should think about what the important issues in online privacy are from your point of view. Are they addressed by the tutorial?
Freedom and the Social Contract, Vinton G. Cerf, September 2013 Communications of the ACM 56(9) - a short reflection on the debate over preserving privacy and national security
A Primer on Metadata: Separating Fact from Fiction - Ann Cavoukian, Information and Privacy Commissioner Ontario, Canada July 2013 - "A Primer on Metadata: Separating Fact from Fiction, explains that metadata can actually be more revealing than accessing the content of our communications. The paper aims to provide a clear understanding of metadata and disputes popular claims that the information being captured is neither sensitive, nor privacy-invasive, since it does not access any content. Given the implications for privacy and freedom, it is critical that we all question the dated, but ever-so prevalent either/or, zero-sum mindset to privacy vs. security. Instead, what is needed are proactive measures designed to provide for both security and privacy, in an accountable and transparent manner."
Surveillance, Then and Now: Securing Privacy in Public Spaces - Ann Cavoukian, Information and Privacy Commissioner Ontario, Canada June 2013 - "Surveillance is growing, as are the technologies that extend its reach. But surveillance that facilitates the sustained monitoring of people engaged in everyday activities in public is, in Justice Gerard La Forest’s unforgettable words, “an unthinkable prospect in a free and open society such as ours.” The purpose of this paper is to assist law enforcement, lawmakers, and the broader public in understanding and protecting our fundamental right to privacy with respect to surveillance by the state of our activities in public spaces through the use of ever-growing new technologies. A proactive Privacy by Design approach is central to designing and implementing the regulatory framework needed to properly supervise state surveillance. It is our experience that, where the use of a particular surveillance technology is justified, proportionate, and effective at delivering public safety, a proactive positive-sum approach is available that will ensure that privacy, accountability, and transparency are embedded into the legal and technical design specifications of any proposed surveillance system. Whatever the future holds, we know that, in addition to privacy and freedom, people will require safety and security. We believe that now, and for the foreseeable future, it is essential that we strive to have both, in tandem. Freedom must be preserved from both terrorism and tyranny. While eternal vigilance will be required to secure our fundamental rights, including our right to privacy, we remain confident that we can have both public safety and personal privacy in public spaces. There is neither reason, nor need, to settle for anything less."
Two tales of privacy in online social networks. Seda Gürses and Claudia Diaz. In IEEE Security & Privacy Magazine Vol. 11(3):29-37, Special Issue on Social Networks, May/June 2013. "Privacy is one of the friction points that emerges when communications get mediated in Online Social Networks (OSNs). Different communities of computer science researchers have framed the ‘OSN privacy problem’ as one of surveillance, institutional or social privacy. In tackling these problems they have also treated them as if they were independent. We argue that the different privacy problems are entangled and that research on privacy in OSNs would benefit from a more holistic approach. In this article, we first provide an introduction to the surveillance and social privacy perspectives emphasizing the narratives that inform them, as well as their assumptions, goals and methods. We then juxtapose the differences between these two approaches in order to understand their complementarity, and to identify potential integration challenges as well as research questions that so far have been left unanswered."
Hero or Villain: The Data Controller in Privacy Law and Technologies. Claudia Diaz, Omer Tene, and Seda Gürses. To appear at the Ohio State Law Journal 74(6), 78 pages, 2013. "This Article demonstrates that an analysis of the assumptions and principles underlining privacy enhancing technologies (PETs) highlights the gap between the constitutional and information privacy frameworks. It argues that by embracing PETs, information privacy law can recalibrate to better protect individuals from surveillance and unwanted intrusions into their private lives."
Understanding the landscape of privacy technologies. Claudia Diaz and Seda Gürses. Extended abstract of invited talk in proceedings of the Information Security Summit, pp. 58-63, 2012 "In the last decades, much effort has been devoted to research on privacy across different subfields in computer science (e.g., security engineering, data mining, HCI), resulting in a broad range of solutions for addressing the “privacy problem”. Privacy is a multifaceted and complex concept that can be tackled from very different perspectives. Existing solutions rely on different definitions of privacy as well as on a variety of (often implicit) social and technical assumptions. As a result, it is hard for non-experts to understand the privacy research landscape and to put available technologies into context. In this paper we provide an overview of the landscape of privacy technologies following the classification in three privacy research paradigms proposed by Gürses [11,14]. For each of these paradigms we describe their conception of privacy and the types of privacy threats that the technologies are meant to address, present representative examples of technologies that have been proposed to address these threats, and discuss their distinguishing characteristics."
The Electronic Frontier Foundation’s Who has your back? Third Annual Report on Online Service Providers’ Privacy and Transparency Practices Regarding Government Access to User Data - April 30, 2013 UPDATE: May 13, 2013 - "When you use the Internet, you entrust your conversations, thoughts, experiences, locations, photos, and more to companies like Google, AT&T and Facebook. But what do these companies do when the government demands your private information? Do they stand with you? Do they let you know what’s going on? In this annual report, the Electronic Frontier Foundation examined the policies of major Internet companies — including ISPs, email providers, cloud storage providers, location based services, blogging platforms, and social networking sites — to assess whether they publicly commit to standing with users when the government seeks access to user data. The purpose of this report is to incentivize companies to be transparent about how data flows to the government and encourage them to take a stand for user privacy whenever it is possible to do so."
Why Privacy Matters Even if You Have 'Nothing to Hide' - The article is an excerpt from Daniel J. Solove's book, Nothing to Hide: The False Tradeoff Between Privacy and Security, Yale University Press 2011 "Legal and policy solutions focus too much on the problems under the Orwellian metaphor—those of surveillance—and aren't adequately addressing the Kafkaesque problems—those of information processing. [...] Commentators often attempt to refute the nothing-to-hide argument by pointing to things people want to hide. [...] Surveillance, for example, can inhibit such lawful activities as free speech, free association, and other First Amendment rights essential for democracy. The deeper problem with the nothing-to-hide argument is that it myopically views privacy as a form of secrecy. In contrast, understanding privacy as a plurality of related issues demonstrates that the disclosure of bad things is just one among many difficulties caused by government security measures. [...] One such harm, for example, which I call aggregation, emerges from the fusion of small bits of seemingly innocuous data. [...] Another potential problem with the government's harvest of personal data is one I call exclusion. Exclusion occurs when people are prevented from having knowledge about how information about them is being used, and when they are barred from accessing and correcting errors in that data. [...] a kind of due-process problem[...]. A related problem involves secondary use. Secondary use is the exploitation of data obtained for one purpose for an unrelated purpose without the subject's consent. How long will personal data be stored? How will the information be used? What could it be used for in the future? The potential uses of any piece of personal information are vast. [...] Yet another problem with government gathering and use of personal data is distortion. [...]
Privacy is often threatened not by a single egregious act but by the slow accretion of a series of relatively minor acts. In this respect, privacy problems resemble certain environmental harms, which occur over time through a series of small acts by different actors. Although society is more likely to respond to a major oil spill, gradual pollution by a multitude of actors often creates worse problems."
Finn, Rachel, David Wright and Michael Friedewald, “Seven Types of Privacy” in Serge Gutwirth, Yves Poullet et al. (eds.), European data protection: coming of age?, Springer, Dordrecht, 2013.
ENISA: Privacy and Data Protection by Design - This report contributes to bridging the gap between the legal framework and the available technological implementation measures by providing an inventory of existing approaches, privacy design strategies, and technical building blocks of various degrees of maturity from research and development. Starting from the privacy principles of the legislation, important elements are presented as a first step towards a design process for privacy-friendly systems and services.
ENISA: Roadmap for NIS education programmes in Europe - ENISA is one of the key stakeholders in Europe in the area of Network and Information Security (NIS). Given its positioning, ENISA is active in the area of education and awareness, using its knowledge to promote NIS skills and supporting the Commission in enhancing the skills and competence of professionals in this area. This document continues work from previous activities by suggesting training materials, scenarios and a way forward for implementing the EC roadmap for NIS education in Europe (1). In doing so, the Agency has recognised the heterogeneous landscape of Europe in this area.
Books:
The googlisation of everything
The new digital age
Program or be programmed
Datafication
General Awareness material:
Facebook Privacy Simulator - The game generates increasingly surreal supposed Facebook privacy settings -- which players must check, uncheck, opt into or opt out of before a timer ticks down. This is an alternative way to highlight the issue of digital privacy using humor and gaming.
Usability of Security: A Case Study. Alma Whitten and J.D. Tygar. Carnegie Mellon University School of Computer Science Technical Report CMU-CS-98-155, December 1998.
Europe vs. US personal information sharing habits infographic
This Pew Internet study September 2013 "Anonymity, Privacy, and Security Online" finds that most internet users would like to be anonymous online, but often feel it is not possible. "86% of internet users have taken steps online to remove or mask their digital footprints."
This EUROBAROMETER 2011 report, Attitudes on Data Protection and Electronic Identity in the European Union, finds, amongst many other insights, that "74% of the Europeans see disclosing personal information as an increasing part of modern life; that information considered as personal is, above all, financial information (75%), medical information (74%), and national identity numbers or cards and passports (73%); that only one-third of Europeans are aware of the existence of a national public authority responsible for protecting their rights regarding their personal data (33%) and that just over a quarter of social network users (26%) and even fewer online shoppers (18%) feel in complete control."
MEASURES FOR THE PRIVACY RISK TREATMENT - CNIL (Commission Nationale de l’Informatique et des Libertés) June 2012 - "This document is a catalogue of good practices intended to treat risks that the processing of personal data may pose to the civil liberties and privacy of data subjects. It supplements the risk management method of the Commission Nationale de l’Informatique et des Libertés (CNIL, the French data protection authority) with regard to risks to civil liberties and privacy and helps to determine the measures proportionate to the risks identified using this method. It is not limited to technical considerations of computer systems, but applies to information systems comprehensively, from those systems to persons, paper documents, organization and premises."
The State of Privacy and Security - Our Antique Privacy Rules - Paul Rosenzweig - Statement before the Subcommittee on Oversight of Government Management, the Federal Workforce and the District of Columbia Committee on Homeland Security and Governmental Affairs United States Senate - July 31, 2012
Academic Literature
Privacy Papers for Policy Makers by the Future of Privacy Forum (this collection of short papers is earmarked for policy makers but it covers several general subjects)
Privacy issues with specific tools and practices
People search web sites - What The Internet Knows About You And How To Protect Yourself: A Chat With Sarah Downey "On February 13, Abine, Inc., a leader in online privacy solutions, announced that it had filed a Federal Trade Commission (FTC) complaint against the people search web site BeenVerified.com, one of the web’s largest background check web sites and data brokers, alleging deceptive and unfair trade practices." If you try to verify what BeenVerified.com knows (and sells) about you, you will get an email looking more or less like this. Also get a sense of how much information is online about you using people search engines. Some examples are: pipl, spock, 123people, peekyou, and obviously Google. Things get more serious using pay services such as BeenVerified.com or intelius.
IP and browser tracking
What The Internet Knows About You - This site is a resource for those looking to learn about technologies that can be used to improve online privacy
Real-world privacy breach cases occurred even though only non-PII data was released. See examples reported in the introductory section of this paper: Qi Zhao, Yi Zhang, and Lucian Vlad Lita. 2012. Have your cake and eat it too!: preserving privacy while achieving high behavioral targeting performance. In Proceedings of the Sixth International Workshop on Data Mining for Online Advertising and Internet Economy (ADKDD '12). ACM, New York, NY, USA, Article 6, 9 pages.
The introduction of this paper gives you a sense of how useful it is for advertisers to track users' online behaviour over time. Jun Yan, Ning Liu, Gang Wang, Wen Zhang, Yun Jiang, and Zheng Chen. 2009. How much can behavioral targeting help online advertising?. In Proceedings of the 18th international conference on World wide web (WWW '09). ACM, New York, NY, USA, 261-270.
Position Paper on the Use of RFID in Schools (multiple signatories) - Discusses threats RFID tracking would pose against civil liberties (dehumanization uses, violation of free speech and association, violation of conscience and religious freedom, unauthorized use, hidden placement/readers, dangerous misinformation, potential health risks, and conditioning to tracking and monitoring). Though this paper focuses on the institution of schools, these violations can be applied to other RFID tracking.
Computer use monitoring and privacy at work - Computer Law & Security Review, Volume 27, Issue 5, September 2011, Pages 516-523 Kathy Eivazi - "[...] However, electronic monitoring at work is not one-sided and it is arguable that employers have legitimate reasons to justify their action. This paper aims to examine employers’ justification for conducting electronic monitoring by highlighting the potential risk of financial and legal liabilities that employers may incur as a result of employees’ misuse of online services at work" (based on Australian law)
November 2014: Autoalliance, the Alliance of Automobile Manufacturers, an association of 12 vehicle manufacturers, has published a list of principles they are willing to embed in their systems to protect consumer data privacy and maintain the trust of their customers.
Will Privacy Concerns Associated with Future Transport Systems Restrict the Public's Freedom of Movement? Procedia - Social and Behavioral Sciences, Volume 48, 2012, Pages 941-950 Scott Cruickshanks, Ben Waterson "[...] This paper examines the methodology and results of a mail survey conducted in the UK. This survey seeks to ascertain whether in the eyes of the public the potential benefits of future transport systems will outweigh the loss of personal information. The results of the survey support the fears that the advent of some future ITS applications will cause some people to travel with less freedom. It also highlights several key groups that are the most likely to reject future ITS, with contributing factors being elderly, poorly educated, female, from an ethnic minority group and/or having little experience of using the latest transport technologies"
Smart spaces
Challenges in Retaining Privacy in Smart Spaces - Procedia Computer Science, Volume 19, 2013, Pages 556-564 Jimmy C. Chau, Thomas D.C. Little "[...] occupants. The privacy of the information manipulated by smart spaces quickly becomes a key barrier in realizing the full value of ambient systems and is the focus of this paper. We approach this challenge first by surveying current privacy definitions and mechanisms (access control, k-anonymity, and differential privacy) under the assumption of ambient sensors and networking found in smart spaces. We then identify how existing approaches are not suitable for smart spaces under major smart space privacy scenarios and propose adaptations with strong potential for addressing these scenarios."
Medical records:
ZocDoc claims: "ZocDoc takes your privacy seriously. We’ve made our policy as clear as possible so you can rest assured that you’re in good hands." Privacy Policy
Article: CVS, the drugstore chain, is expanding its ExtraCare rewards program for prescription drugs, but to join, consumers must give up healthcare privacy protections under HIPAA
Privacy Rights Clearinghouse offers a more in-depth fact sheet on California prescription and privacy.
EU data protection applied to health data: http://www.healthdatanavigator.eu/data-management/data-protection
Tools to verify privacy (not all of these tools have been tested; the fact that they are listed here does not constitute a recommendation. In fact, we recommend that you carefully verify who the authors of these tools are before using them)
Panopticlick tests your browser to see how unique it is based on the information it will share with sites it visits. Available from EFF
Use ShieldsUp to check if anybody can connect to your machine using the Universal Plug 'n Play (UPnP) facility. You may be interested also in the FAQ
showip.net shows your IP address and some of the associated information; another similar tool is pof
smartwhois provides information about domain names
Check browser headers using browserSpy.com or Andy Langton's checker - these tools show the information sent by your browser when you request a web page. BrowserSpy also gives suggestions on how to avoid providing private information
Realtime Privacy Monitoring on Smartphones: TaintDroid is a realtime monitoring service that analyses how private information is obtained and released by applications "downloaded" to consumer phones
Collusion is a nice-looking visualization tool to see who's tracking your browser activity in real time; it has now evolved into Lightbeam - it works in Firefox
When publishing an image you may want to check what Exif metadata is included. There are several tools to do this: for example, ImgOps takes the URL of an image and provides all associated metadata information; Camera Summary and Metapicz do the same thing but can be used either by giving a URL or by uploading an image file
Tools for privacy protection (not all of these tools have been tested; the fact that they are listed here does not constitute a recommendation. In fact, we recommend that you carefully verify who the authors of these tools are before using them)
A study of usage and geo-location of major anonymization systems - Bingdong Li, Esra Erdin, Mehmet Hadi Güneş, George Bebis, and Todd Shipley. 2011. An analysis of anonymity technology usage. In Proceedings of the Third international conference on Traffic monitoring and analysis (TMA'11), Jordi Domingo-Pascual, Yuval Shavitt, and Steve Uhlig (Eds.). Springer-Verlag, Berlin, Heidelberg, 108-121.
VPN - reference to be found
The TOR project - TOR offers protection at the TCP/IP (transport) level and against traffic analysis, which can be used to obtain identification information, for profiling, or for information extraction. "Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it's going." TOR is complex to use, so end users normally use it with a user interface called Vidalia. To ensure privacy at levels higher than transport (HTTP), one should use the TOR browser bundle.
JonDoFox - JonDoFox combined with JAP/JonDo or Tor provides a comprehensive solution that covers all layers (TCP/IP, HTTP and application).
Blocking ads:
Adblock claims to block ads; it is not clear how well it works.
Network Advertising Initiative offers "Consumer" opt-out (note that this does not mean that ads will no longer be received, and as far as I can tell, not even that they will not be collecting your data, so read carefully)
Wickr is a free downloadable app that works on both Android and iPhones with a tagline of "The internet is forever. Your private communications don't need to be." Claims to offer "military-grade" encryption of text, picture, audio and video messages, and sender-based control over who can read messages, where and for how long.
Manage privacy settings
My Permissions - a social networking permission management app that allows you to manage all of your settings in one place
Privacyfix - one dashboard for the most used social networking privacy settings
Malwarebytes Anti-Malware - Malwarebytes Anti-Malware is a tool for removing trojans, worms, and other malware from Windows computers and Android mobile devices. It is a Google product that claims to offer "robust malware protection, but it goes further to protect your privacy from apps with overreaching permissions or other vulnerabilities."
Disconnect claims to let you visualize & block the invisible websites that track you
FreedomBox beta - they say: "We're building software for smart devices whose engineered purpose is to work together to facilitate free communication among people, safely and securely, beyond the ambition of the strongest power to penetrate. They can make freedom of thought and information a permanent, ineradicable feature of the net that holds our souls."
Mask Me - a free service that attempts to obscure your true e-mail address, phone number and credit card account numbers while conducting Web transactions.
Exif Scrubber - Software that offers a way to delete potentially revealing Exif metadata from your image files (such as device, unique device number, location/date/time of photo and more).
How Unique Is Your Web Browser? Peter Eckersley - Proceedings of the Privacy Enhancing Technologies Symposium (PETS 2010), Springer Lecture Notes in Computer Science
Ephemeral Data, Esther Shein, September 2013 Communications of the ACM 56(9), 20 - Do privacy issues evaporate when embarrassing content does likewise?
"Privacy by Design is a framework that was developed by the Information and Privacy Commissioner of Ontario, Canada, Dr. Ann Cavoukian. Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must become an organization’s default mode of operation."
The Electronic Frontier Foundation (EFF) is a nonprofit civil liberties law and advocacy center: "From the Internet to the iPod, technologies are transforming our society and empowering us as speakers, citizens, creators, and consumers. When our freedoms in the networked world come under attack, the Electronic Frontier Foundation (EFF) is the first line of defense. EFF broke new ground when it was founded in 1990—well before the Internet was on most people's radar—and continues to confront cutting-edge issues defending free speech, privacy, innovation, and consumer rights today. From the beginning, EFF has championed the public interest in every critical battle affecting digital rights." Make sure you check out their privacy pages
Privacy International’s mission is to defend the right to privacy across the world, and to fight surveillance and other intrusions into private life by governments and corporations. Our vision is a world in which privacy is protected by governments, respected by corporations and cherished by individuals. PI was founded in 1990 and is the oldest international privacy organisation in the world.
"Nymity’s primary purpose is to help organizations attain, maintain, and demonstrate compliance – in any jurisdiction. Nymity specializes in privacy and data protection compliance solutions and is fully dedicated to privacy and data protection." - check out their privacy maps (if you prefer not registering, some of the maps are also available on the privacy by design site)
The Center for Democracy and Technology is a 501(c)(3) nonprofit public policy organization and the leading Internet freedom organization working at the critical edge of policy innovation. When the Internet was in its infancy, CDT shaped the first legislative choices and court decisions that allowed this technology of freedom to flourish. Today, we are committed to finding innovative, practical and balanced solutions to the tough policy challenges facing this rapidly evolving medium
The makers of the social media privacy management app Mypermissions have used their attempted "standardization" approach to develop a certification for other apps and developers. This is an example of an attempt to standardize privacy policies and act as a mediator between companies and users in managing the complexities of privacy policies. Though this approach is moving in the right direction, there are many questions about how reliable this company is as an authority on the subject, as well as about factors that may be influencing their decision making. For instance, they offer a free version, but also a paid version in which they offer A/B testing and "trend alerts."
Sleights of privacy: framing, disclosures, and the limits of transparency. Idris Adjerid, Alessandro Acquisti, Laura Brandimarte, George Loewenstein (2013) - In an effort to address persistent consumer privacy concerns, policy makers and the data industry seem to have found common grounds in proposals that aim at making online privacy more "transparent." Such self-regulatory approaches rely on, among other things, providing more and better information to users of Internet services about how their data is used. However, we illustrate in a series of experiments that even simple privacy notices do not consistently impact disclosure behavior, and may in fact be used to nudge individuals to disclose variable amounts of personal information. In a first experiment, we demonstrate that the impact of privacy notices on disclosure is sensitive to relative judgments, even when the objective risks of disclosure actually stay constant. In a second experiment, we show that the impact of privacy notices on disclosure can be muted by introducing simple misdirections that do not alter the objective risk of disclosure. These findings cast doubts on the likelihood of initiatives predicated around notices and transparency to address, by themselves, online privacy concerns.
Seminar: Attention automatisée et design d’interface : Eyes tracking, GoogleGlass et Quantified Self – Le design de l’attention: Création et Automatisation - Institut de recherche et d’innovation Centre Pompidou and Biennale internationale de design de Saint-Etienne 24 March 2014
AUP's Principal Scientist for the PRIPARE project (PReparing Industry to Privacy-by-design by supporting its Application in REsearch) launched October 1st 2013.