Information Technology and Ethics/The Privacy Chapter : Completed
Introduction
Privacy, in layman's terms, means keeping a piece of information that is special to oneself and not disclosing it willingly to anyone. In terms of information technology, this means protecting personal/sensitive information so that it is not accessible to anyone other than the individual. There are various types of privacy in general, but the most relevant ones for this chapter are:
- Internet privacy - privacy related to any activity carried out online via the internet.
- Informational privacy - privacy specifically related to an individual's or company's information.
The upcoming sections of this chapter discuss internet privacy and informational privacy and the various spheres of business and human life they affect. The specific parts of life and business where privacy is affected are elaborated in detail under:
- Privacy Policies and Principles
- Social Networking Sites
- Internet of Things
- Healthcare
- Data Protection
Privacy Policies/Principles
In this section we cover the five core principles that the FTC (Federal Trade Commission) has established as important for keeping everyone’s right to privacy intact.
Notice/Awareness - Giving people notice and keeping them aware of what will happen to their data. Some major components of this principle include: identification of the entity collecting the data, identification of the uses to which the data will be put, identification of any potential recipients of the data, the nature of the data collected and the means by which it is collected if not obvious, whether the provision of the requested data is voluntary or required, the consequences of a refusal to provide the requested information, and the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data [1].
Choice/Consent - Consent is necessary when it comes to collecting people’s personal data. Consumers need to have a choice as to whether their personal data is collected. This could be as simple as a checkbox asking the user whether they consent to the collection of their personal data.
Access/Participation - This principle allows people to access the personal data that is collected about them and gives them the ability to contest the data if it is not accurate. This principle is critical in today’s world: since so much data is being collected, it is just as important to have accurate data as it is to have large amounts of data.
Integrity/Security - Security is essential to privacy; without a substantial investment in security, privacy falls out the window. You could follow all of the other principles, but if you do not secure your data properly it would all be for nothing. This includes sending, receiving, and storing the data.
Enforcement/Redress - This principle is in essence the simplest of the five: to enforce the four principles above. This doesn’t mean it is any less important or impactful to privacy. Without enforcement of the four principles there is no point in having them.
Those are the five principles that the FTC created for protecting personal privacy. The next section covers some of the ways social media platforms went against some, if not all, of these principles.
Privacy and Social Networking sites
Social media refers to websites and applications that are designed to allow people to share content quickly, efficiently and in real time. Social media is often thought of as apps on smartphones or tablets, but this communication platform actually started with the use of the internet on computers. It started with simply being part of groups, moved on to online chat rooms, and then to fully functional websites and apps that people use for sharing videos, pictures and thoughts, for marketing and dating, and for influencing others.
This raises the question of what the difference is between social media and a social network. Social media means the content that one posts online. It could be a blog, slideshow, podcast, etc., whereas a social networking site is the medium via which a person can create relationships, communities, followers, etc. Furthermore, one can also say that social networking is just a subset of social media [2].
History
A look into the background helps in understanding how social media became so relevant in the first place. Going all the way back to 1978, the BBS (Bulletin Board System) was created; it was accessible via dial-up modem and was used primarily by communities with specific interests. Next came CompuServe, which became popular as a place where people could share files and access news and other events. They could interact via email. AOL and Yahoo Groups in 1994 were the very first forerunners of social networking sites, where one could be part of communities and the members had profiles. Fast forward to 2002, when Friendster arrived and encouraged people to bond over common interests. In the same year, LinkedIn launched with the aim of career networking but did not gain much traction until 2010 [3].
In 2003, Myspace came into existence, where youngsters could see each other's activity as long as they were part of each other's networks. In 2004 came the biggest game changer, Facebook, which connected people with their friends and offered many other features, including posting videos, pictures and content shared among friends and with other people who could search for you online. Then in 2005 came YouTube, which was exclusively a video upload and sharing platform and still is the number 1. In 2006, Twitter came into existence, which limited interactions to comments and posting tweets. Instagram made its debut in 2010 with the focus of being the sole photo sharing/editing app, and then came Snapchat in 2011, which allowed users to share moments with friends [4].
This is how social media started gaining momentum, and with different websites/apps offering unique features on their platforms it became essential for youngsters and the general public to become a part of it, to keep up with the times and stay connected to everyone as much as possible. The social networking sites that are most popular today are Facebook, Messenger, Instagram, Snapchat, Twitter, WhatsApp and TikTok [5].
That being said, the advent of social networks brought a host of concerns, and the biggest concern for social media is privacy. For a long time, however, very few people were actually aware of privacy. Because it was so new, both the young generation and the older people who connected with many acquaintances and new friends did not realize that their conversations on many social network platforms could be viewed by other people as well. That is simply the way the social network platform algorithms were built: they allowed people outside of one's connections to view content and also to follow or stalk other people, including a person's activities on that particular social networking site.
According to a 2014 survey, 91% of Americans “agree” or “strongly agree” that "people felt that they lost control over how personal information is collected and used by all kinds of institutions". 80% of social media users said they were uneasy about advertisers and organizations having a way to use the data that was posted on social media platforms, and 64% were of the opinion that the government should be more proactive on data handling, as this data was being used by marketers [6].
Individual privacy as a concept
An independent study reported by CPO magazine found that complete privacy is not possible, as there is always a likelihood that friends will share the user's information with other people outside the network as well. There is also the concept of choice in individual privacy, which depends entirely on the individual and how much information they want to share with the world [7]. Given this, an advocate of individual privacy will say that one cannot completely hide information from everybody, so it is better not to put it online at all. Those who disagree say that one should not expect privacy to be a big factor when sharing personal information on social media, since people do so by choice and leave it to be viewed by friends and anyone who wishes to see their information.
Privacy concerns
Some of the major privacy concerns faced today are:
Privacy settings of major platforms - These settings are built in such a way that if a user is not vigilant, they might end up unintentionally sharing not only their personal data but also their activity with companies and other third parties that are always looking to improve their own websites' accessibility and marketing.
Location stealing - With GPS location enabled, data taken from the user's cell phone "can be used to build up a picture of your everyday movements. Location data can be coupled with other data and aggregated to create a very specific picture of an individual’s life and habits" [8]. This also encourages stalking and can be used for nefarious purposes other than the invasion of privacy.
Identity theft - Hacking can lead to the theft of a user's identity, and can also ruin a person's reputation and image in front of their friends and followers if inappropriate things are posted online and malicious acts are committed from their accounts, including stealing credit card numbers, bank account numbers and login passwords.
Abuse - Creating fake profiles, trying to seduce younger teenagers and luring them out to physically abuse them, or emotionally blackmailing them or the people they know, can go on indefinitely until reported. This is especially so if intimate pictures/videos/audio are leaked online by the perpetrators.
Stalking - Not only can the location be tracked by a potential stalker if it is enabled on the phone, but the stalker could also be keeping an eye on the target's moves at every time of the day. This helps lurkers to judge and get to know a person based on their target's online activity, and then possibly plan their own moves accordingly to harm their target, kidnap them, or worse.
Data mining - A lot of the personal information that users enter to create a profile is sold by social networking sites to third-party agencies/websites for advertisement and marketing purposes, creating revenue for the sites. This is not fair to users, as they do not know where, how, and to what extent their personal information is being used.
Evolution of Privacy in Social Networking sites
The following paragraphs take a look at how Facebook and other companies took advantage of non-existent privacy laws and why new rules have been created because of them. In a way, they have brought about change with the new times and also exposed the need to have stringent policies and laws in the first place.
This started in 2006 [9], when there was a lot of noise regarding the Newsfeed feature of Facebook; the concern was that it endorsed stalking and was an intrusion of privacy. The user had very little control over the information they were sharing at the time, including changes to the user's profile and other details related to them. This was resolved when Zuckerberg introduced a privacy feature for the newsfeed and apologized for not taking users' input into consideration when it came to privacy. Similarly, three years later and repeatedly thereafter, since Facebook was the reigning social networking site at the time, it introduced a series of changes that constantly targeted the privacy of users.
Some of the other major events include:
2007 to 2009 - Facebook launched 'Beacon', which let users who shopped at third-party websites broadcast their purchases to their friends on Facebook. Facebook received this third-party information and shared it unless the user opted out during a brief pop-up window at the third-party site. This received a lot of backlash, with some organizations like MoveOn.org demanding that Facebook allow explicit opt-out from sharing this information. Later on, Facebook did modify the privacy features of Beacon, giving users limited opt-ins. By almost the end of 2008, Facebook launched 'Social Ads', which let "marketers create Facebook profiles and purchase advertising targeting other users profile information. Further, a user’s name and picture will be shown to their friends in promotion of a product after that user interacts with the marketer in some way". A European expert group issued guidance on how users' privacy should be maintained and how information related to them should be handled. "Topics included processing of sensitive data and images, advertising and direct marketing, and data retention" [9]. Facebook announced changes to its user privacy settings but did not address the concern of users' data being shared with third parties via targeted advertisements. The Canadian Privacy Commissioner also recommended that Facebook improve its privacy [9].
2010 to 2012 - Twitter joined Gmail and Facebook in using "https" by default for all users in order to secure data and protect privacy. Facebook Timeline changed user privacy settings again to "post archived user information, making old posts available under Facebook's current downgraded privacy settings" [9]. It also came to light that DHS was using Facebook and Twitter for a secret social network monitoring program. Maryland passed a bill that forbids employers from requesting Facebook information, and California and Illinois followed suit. Myspace was caught engaging in deceptive practices and had to pay a settlement, since it was revealing personal information to third parties despite promising to protect it. Facebook also acquired Face.com, which brought a host of privacy concerns over the biometric data of individuals. Towards the end of 2012, Facebook updated its privacy controls and removed the profile safeguard from profiles. Instagram also released changes to its privacy policies around this time, which raised more legal questions [9].
2013 to 2015 - Snapchat was investigated because it was still accumulating PII despite claiming that users could delete their videos and pictures forever. WhatsApp was questioned, and complaints were raised regarding Facebook's acquisition of it. Facebook started tracking users across the web without consent after policy changes [9].
2018 - The Facebook Cambridge Analytica scandal made huge news. Cambridge Analytica breached the personal data in millions of people's Facebook profiles without their consent and used it for political advertising. Facebook got a lot of flak for this scandal and had to reconsider its privacy policies to keep the company afloat and retain its consumers [10].
Laws regarding social networks
Many reforms have been made to address privacy concerns, ranging from introducing laws to changing the privacy policies that social network platforms should maintain in order to retain their customers. Below are the relevant laws related to social networking:
Privacy Act of 1974
"No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains"; this is also subject to 12 exceptions [11]. This basically meant that companies at the time were not responsible for letting their consumers or any other agencies know what kind of personal information was being used unless there was a written request and/or the written consent of the person to disclose it, except under the 12 conditions. Some of these included providing this information to government agencies, if requested via court orders, for the benefit of health or safety if deemed important for an individual, to a law enforcement agency, to a debt collector's office, for statistical research, and under the Freedom of Information Act, to name a few. These exceptions later became points that companies like Facebook, Snapchat and Twitter could use to bypass the rule and still use their users' profiles to target ads and sell their data to third-party agencies, and through which users could also become targets for stalking, abuse, social profiling and various other illegal acts.
Employee and Student Privacy Protection Act
This act prevents employers and educational institutions, which have particular power over employees and students, from demanding access to their personal online accounts. It allows employees and students to preserve the privacy of those accounts. It was approved by the Uniform Law Commission and is yet to be adopted by several state educational institutions as well as a few employers in the states where it has not yet been adopted [12].
GDPR
General data protection and regulation Act was introduced in April 2016 and adopted in May 2018. This Act forces companies to improve the protection of their users’ data and to make it easier to understand what kind of data is being collected and for what purposes. They can be fined up to 4% of their global revenue or 20 million euros, which is a hefty fine. Also, since companies collect data from everyone globally and the Act applies explicitly to European Union citizens, companies make their privacy policies compliant with GDPR rules for everyone. This is a win for consumers, as their personal data must be protected, they have more privacy, and they must be informed if their personal information has been involved in a data breach [10]. More details of GDPR can be found in the section on Privacy and Data Protection in this chapter.
CCPA
The California Consumer Privacy Act went into effect on Jan 1, 2020. It was created to curb companies' collection of personal information like birthdays, phone numbers, email addresses and other data. Social media giants like Facebook, LinkedIn, Twitter, Instagram, Snapchat and others have to comply with it and update their privacy policies accordingly to keep their consumers, especially in California, notify them of what information is being used, and possibly allow them to opt out of sharing it with third-party networks [13]. More about CCPA is also mentioned in the section on Privacy and Data Protection in this chapter.
How to stay aware
One can stay aware and alert by:
- Reading the terms of agreements before accepting them, because they contain a lot of details.
- Enabling GPS, if it is used at all, only for a particular amount of time and then switching it off so that no one can track a person for a long time.
- Using privacy tools, like those on Facebook, to keep a check on which types of data are being used and where, and then possibly not giving permission to share the data.
- Opting out of accepting cookies as much as possible when visiting websites, and altering privacy settings in individual profiles on social networking sites.
- Allowing genuine people into the user's social network rather than fake names/profiles, to avoid getting into trouble later.
- Resisting the impulse to post bad/demeaning photos and videos, which can cause more harm than good in the long run.
Privacy in social media is still not completely achievable without the cooperation of the social media giants, and it is up to them how well they mold their settings and policies according to the new laws and regulations. As consumers, individuals can raise their voice on these platforms, since without users no social networking site would be powerful, no matter how many features are added. The two are codependent, and as times change and other, more sophisticated technologies are introduced, privacy will still be an issue. This is an ongoing fight and can only be kept in check through stringent laws and policies, and that also includes alert consumers willing to champion their own rights. The next section covers how privacy is impacted by the Internet of Things.
Privacy and The Internet of Things
In this chapter, we are discussing the concept of privacy and cybersecurity. In this section, we focus on a few technologies that have proven to introduce privacy concerns for consumers, namely privacy and the Internet of Things (IoT). The Internet of Things is a new technology that allows people to connect many of their devices together; it can make the user experience much more fulfilling, but it can also raise security and privacy issues.
We will discuss the background of IoT, including how it started, when it started, who created this technology, and why it is appealing to consumers. We are also going to mention a case where IoT became a security and privacy liability for consumers. As mentioned before, this chapter focuses mainly on privacy issues with IoT, so you might find that we focus on privacy more than security in the upcoming sections.
Privacy in IoT Devices
Many different definitions try to explain what the Internet of Things (IoT) is. I believe that companies try to explain their own products that include Internet of Things capabilities, which makes it harder for regular users to understand the fundamental or original meaning of the term. The most generic and yet descriptive definition of the term is one that can explain the concept to the consumer, so here is a definition: multiple devices that can communicate with each other via an established connection, which can be WIFI, Bluetooth, the internet, and much more. These devices can range from wearables to smart-home systems; either way, the data collected by those devices is sent to a cloud service or program to be processed and logged. This service was created to make people’s usage data available and readable by the users themselves without having to communicate with a company to obtain the data.
The term “Internet of Things” started in 1999, when a supply chain optimization worker at Procter & Gamble wanted to intrigue the executives of the company with new technology. Kevin Ashton wanted to present RFID technology to the senior executives at Procter & Gamble; however, titling his presentation “RFID” would be dull and, more importantly, would not attract the attention of many people, so instead he titled his presentation “Internet of Things”. Ashton thought that because the Internet attracted huge attention in the 1900s, to intrigue people he had to use the most discussed topic at that time, which was the Internet; and since RFID mainly identifies and tracks tags attached to different objects, the “things” part of the title made sense to Ashton [14].
However, the term was not recognized widely until the early 2000s, specifically in 2010, when people got the idea that Google was moving toward indexing the physical world because the company stored a large amount of data pertaining to people’s WIFI network usage. Also in 2010, the Chinese government announced that it was making the Internet of Things a strategic priority in its five-year plan for the future of the country. Afterward, many companies started to adopt the name and mention it in their lists of upcoming projects, workshops, and inventions. Finally, famous technology conferences including LeWeb and the Consumer Electronics Show (CES) started adopting the theme of “Internet of Things” as they marketed their events, which increased the overall curiosity and knowledge about the term.
We gave the definition of the term IoT above, and within that definition we said that the services provided by IoT were made to ease the process of obtaining usage data for the clients who are using the services. However, these capabilities are also the reason that most, if not all, IoT devices have privacy issues. It is fair to assume that most of our current devices can be hacked because of the excessive use of the internet as well as the day-to-day development of technologies.
IoT devices are no different from your computers, phones, cars, etc. All of these devices are made to enable people to communicate with each other using the internet or programs, and the same applies to IoT devices. IoT devices include hardware, software, and communication capabilities, which makes them as vulnerable as any of your other electronic devices. This raises the question: are IoT devices secure from outsiders? The simple answer is “No”. Here is why: if you have access to the device settings, then an unauthorized person who gets into the device will have the same capabilities as you do, which in turn means that they can access the same video, audio, pictures, passwords, and any other information stored in or generated by the device.
Demonstrations of IoT privacy Issues
Most users hear about phishing emails and links that can infect their phones when they are activated, but not many users are wary when it comes to their TVs. Smart TVs have been proven to be hackable ever since the CIA in 2014 gave their engineers documentation that included an exploit in Samsung F-series smart TVs. The specific exploit mentioned in the CIA documents explained that a person needs to have access to the smart TV in order to plug in a USB drive to dump the information saved in the television, as well as download malicious code that includes key-loggers, visual controls, and audio controls. These capabilities of the malicious code can be used to spy on people very effectively; after all, the largest screen and camera view in most houses is the television screen.
Years later at DEF CON 27, an independent security researcher named Pedro Cabrera illustrated a more advanced method to hack a smart TV. Cabrera used a drone with an antenna attached to it and his laptop to hijack the TV network provider's signal and make the smart television broadcast whatever Cabrera wanted to broadcast. According to Cabrera, as long as the signal broadcast from his drone antenna is stronger than the signal broadcast from the network provider, he can hijack the signal and therefore get access to the targeted smart television. One easy way to make the signal of the drone antenna stronger is placing the drone near the TV; by near the TV we mean on the rooftop or close to a window. Either way, the signal from the drone antenna will be stronger because the drone is closer to the target’s house.
Also, in recent years, many users became aware that most devices and institutions do not ask for passwords over the phone or through emails. However, since most users purchase a smart television because of the increased quality and not the advanced technological capabilities, they do not comprehend the idea that televisions should be treated with the same care as phones and laptops. Another hack that addresses this particular issue was also illustrated at DEF CON 27, when Cabrera showed that he can make a pop-up window appear on the TV asking the user to re-enter the WIFI information because the network provider made an update. What makes this pop-up window look legitimate is the fact that the feed stops, and the user cannot continue watching unless they enter the information requested by the hacker.
Note That..
The Internet of Things is a very helpful technology; however, a few security and privacy concerns accompany it. The demonstration we talked about included smart televisions only, but there are many more. In general, all IoT devices have the same kinds of vulnerabilities. The fact that all IoT devices are vulnerable means that their adoption by the public will be slow, because most people value their privacy and security. Having said that, there are ways to secure those devices, and one of the most discussed solutions is implementing blockchain technology in Internet of Things devices. Blockchain was implemented in cryptocurrency exchange, which proved successful; the fact that blockchain has been as successful as it is with cryptocurrency exchange makes many researchers and cyber specialists think that it will be beneficial with Internet of Things technologies as well. [15][16][17][18][19][20][21][22][23][24]
Privacy and Health Care
Three significant ideas are regularly used in the assurance of healthcare data inside the United States medical services framework: classification, protection, and security. However, each of these ideas has a different fundamental meaning and a unique role. The most important part of health care records is privacy. Health care records contain detailed information about the patient’s medical history to his data. [25]
The protection and security of patients' health care data is a top need for patients and their families, medical insurance companies, and experts. Government laws require a significant number of the people and associations that handle health care data to provide security, ensuring the privacy of patients' health care data regardless of whether it is stored on paper or electronically.
In the USA, “HIPAA”, “The Health Insurance Portability and Accountability Act of 1996”, most often comes to mind where medical records security is concerned. HIPAA is responsible for privacy, security, and breach notifications about health care data. The Privacy Rule gives rights regarding healthcare data. HIPAA also allows patients to place constraints on how their healthcare data can be used, and the Security Rule offers patients the freedom to choose and know how their medical records must be kept secure with authoritative, specialized, and physical protections. Patients may have additional insurance and medical records rights under their State’s laws. There are likewise federal laws that secure health care records. [26]
Why privacy in health care is important
Health care research and security assurances both give significant advantages to society. Medical research is crucial to improving human health and medicinal services. Protecting patients engaged with the study and saving their privileges is a fundamental moral duty. The necessary legitimation for securing individual privacy is to ensure the interests of people in providing their data for research. Patients must provide their medical data for further study; it can drastically speed up the research process and will be very beneficial to society. Simultaneously, clinical research can profit people; for instance, it encourages access to new treatments, improved diagnostics, and increasingly compelling approaches to forestall disease.[27]
What privacy includes
Securing data gathered in the course of caring for the patient is a fundamental value in health care. Protecting privacy in its different forms is an essential key to trust. Privacy includes various aspects, including personal space (physical security), individual information (enlightening protection), own decisions including social and strict affiliations (decisional protection), and personal associations with relatives and other intimates (associational security).
Doctors must look to ensure privacy protection in all settings to the best degree conceivable and should:
- (a) Minimize outsider interruption in health care records.
- (b) Inform the patient if there has been a breach, which can affect the patient directly or indirectly.
- (c) Be mindful that individual patients may have special concerns about privacy in any of these areas. [28]
Ways to Protect Health care information
- (a) Secure the system
As hackers have an assortment of techniques for breaking into health care organizations' networks, health care IT departments need to use a variety of tools to try to keep them out. In many cases, firms spend a lot on perimeter security, for example, firewalls and antivirus software, while experts caution that they should also be adopting technologies that limit the damage when attacks do happen.
- (b) Train staff members in security
Staff members are often involved in data breaches, mostly through carelessness rather than ill will. Consequently, every IT security program depends on staff training, including training on what does and does not constitute a HIPAA violation. Staff should be educated about phishing, social engineering, and other attacks that target employees, and should also choose a very strong password.
- (c) Secure wireless networks
Medical institutions increasingly depend on wireless networks in their offices. Unfortunately, those wireless networks often introduce security vulnerabilities. Information can be stolen by hacking into those networks, particularly if the organization depends on obsolete technology, for example, if a medical institution still uses the “Wired Equivalent Privacy (WEP)” security standard. Hacking these systems will be a piece of cake for hackers.
- (d) Erase unnecessary information
The more information an organization holds, the more there is for hackers to take. Medical institutions should remove redundant data that is no longer required or useful. Moreover, although it takes energy and resources, the data held should be reviewed routinely so that the organization knows what is there and can identify what can be erased.
- (e) Improve physical security controls
Even as electronic health records become increasingly common, a medical institution may keep a great deal of sensitive information on paper. Thus, providers must ensure that doors and filing cabinets are locked and secured, and that cameras and other physical security controls are used. Moreover, organizations should secure IT hardware by locking server rooms and using cable locks or other devices to keep PCs and workstations attached to office furniture.
- (f) Incident Response plan
It is essential to prepare for the worst; it is very unlikely that an organization can always prevent every conceivable IT security incident. That is why it is essential to build a plan for when a breach occurs.[29]
It is very clear from the above sections that most people want to protect their information; most of them want to live a very private life. Apart from that, many data breaches have occurred in medical institutions, which leads patients to conceal sensitive information from doctors; as a consequence, they cannot get a proper cure for their disease. So protecting health care information is not just about protecting the information from hackers. Keeping medical information secret encourages patients to provide detailed information about their medical condition. Protecting health information will also help patients to come forward and offer their medical records for further research, which can increase the standard of care in hospitals. By using the recommendations provided in this article, a lot of data breach attacks can be stopped from being successful. Patients want to provide their medical information, but due to a lack of privacy, they do not. If an exceptional level of privacy can be achieved in medical institutions, it can be very beneficial for the whole of humanity.
Privacy and Data Protection
In this section, we discuss privacy and data protection. We focus on a few laws and policies passed to protect a person’s privacy online, specifically concerning data protection. This is in response to the many technologies that have arisen with time. The problem is that rapid advances in technology have opened many new avenues for nefarious people looking to obtain someone’s personal information. This has led to an increased need for data protection. In this section, we will discuss the background of privacy and why it has changed, how this led to a need for data protection, what technologies were developed for data protection, and what laws and policies were passed for data protection. As mentioned before, this chapter focuses mainly on privacy and the issues concerning data protection, so that you might understand that, however privacy has advanced in our society, constant efforts are made to protect a person’s privacy and their personal information on the web.
How has Privacy evolved?
Privacy was conceived with a different mindset when the concept was first introduced in our society. It has always been considered a basic human right and has always encompassed many areas of a person’s life: the right to the privacy of the home, the privacy of your possessions, and the privacy of your information. It is usually the government that has to protect privacy and make sure that every citizen has a right to it in their lives. Clarifying it can be quite difficult, though, as documents concerning privacy and the subjects it protects are often vague. In the US specifically, the Fourth and Fifth Amendments are used as the main source for determining what violates a person’s privacy today. This is because the right to privacy is not explicitly clarified in the Constitution. The lack of documentation clarifying privacy has led many to look at whatever documentation they could and decide whether something is considered part of a person’s privacy, and whether it is protected by the government as well. As stated by Senator D. Brent Waltz, “Even the most casual student of American Constitutional scholarship will note that the notion of “privacy” as a distinct legal construct is lacking in our founding documents.” (Waltz, 2014, p. 205). With the advancement of technology and the “Internet of things,” privacy has become a big topic when dealing with matters of information online.[30]
What is Data Protection?
Data protection can be described simply as the measures or technologies used to make sure that a person’s data or information is protected. Specifically, it aims to protect three aspects of data, which are described by what is known as the C.I.A triad.
C.I.A Triad
The C.I.A triad has nothing to do with the CIA; it is a model that organizations use to look at certain aspects of information and to make sure these aspects are covered. By managing these aspects well, they can create reliable cybersecurity policies and procedures to protect that information and allow for proper data protection. Here C.I.A stands for Confidentiality, Integrity, and Availability.
Confidentiality
Data protection tries to protect the confidentiality of your information. Confidentiality is the process of limiting access to information and data. It means that the information can only be seen by certain people, and that anyone unauthorized cannot view or access it. It is related to privacy, as it answers the question of who will use the data. People don't want their data to be seen or accessed by everyone, as that can lead to damage to their assets or privacy. To achieve confidentiality of information, organizations use policies that educate employees on what they can and cannot view, and tools such as data storage and cryptography to add security to the information. Examples of confidentiality being breached are data dumps or disclosures of personal information on the internet.
Integrity
The next aspect of information in the C.I.A triad is Integrity. It is the process of protecting data to make sure that it stays unchanged and in the original condition in which it was received. That means the information must not have been edited, modified, or deleted in any way unless authorized. The integrity of information can be at risk anytime it is being acquired, stored, or exchanged. This can be because of attacks from malware and viruses such as worms, trojans, logic bombs, or boot viruses. It can also be caused by buggy software or noise when transmitting data. To achieve and maintain integrity, checksums and error-correcting codes are used to check whether bits or hashes have changed, and so whether the integrity of the information was lost.
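The paragraph above names two different causes of lost integrity: accidental corruption (noise, buggy software) and unauthorized modification. The following Python sketch is an added example, not part of the original chapter, and goes one step beyond it by comparing an unkeyed CRC-32 checksum with a keyed HMAC-SHA-256 tag; the record, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample data: not a real patient record and not a real key.
RECORD = b"patient_id=1001;allergy=penicillin;dose_mg=250"
KEY = b"constructed-demo-key"


def protect(data: bytes, key: bytes) -> dict:
    """Store the data together with an unkeyed checksum and a keyed tag."""
    return {
        "data": data,
        "crc32": zlib.crc32(data),
        "hmac": hmac.new(key, data, hashlib.sha256).digest(),
    }


def verify(stored: dict, key: bytes) -> tuple:
    """Return (crc_ok, hmac_ok) for a stored record."""
    crc_ok = zlib.crc32(stored["data"]) == stored["crc32"]
    expected = hmac.new(key, stored["data"], hashlib.sha256).digest()
    # compare_digest avoids leaking, through timing, where the tags differ.
    hmac_ok = hmac.compare_digest(expected, stored["hmac"])
    return crc_ok, hmac_ok


def noisy_copy(stored: dict, bit_index: int) -> dict:
    """Simulate transmission noise: one data bit flips, tags are untouched."""
    data = bytearray(stored["data"])
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return {**stored, "data": bytes(data)}


def edited_copy(stored: dict, new_data: bytes) -> dict:
    """Simulate an unauthorized edit by someone with write access but no key.

    The CRC needs no secret, so it can be refreshed to match the new data;
    the HMAC tag cannot be recomputed without the key and stays as it was.
    """
    return {**stored, "data": new_data, "crc32": zlib.crc32(new_data)}


def report(label: str, stored: dict, key: bytes) -> str:
    crc_ok, hmac_ok = verify(stored, key)
    return f"{label:<18} crc32_ok={crc_ok!s:<5} hmac_ok={hmac_ok}"


if __name__ == "__main__":
    original = protect(RECORD, KEY)
    print(report("unchanged", original, KEY))
    print(report("bit flipped", noisy_copy(original, 5), KEY))
    changed = RECORD.replace(b"dose_mg=250", b"dose_mg=2500")
    print(report("edited + new CRC", edited_copy(original, changed), KEY))
```

A checksum alone answers "was this damaged in transit?"; detecting unauthorized change requires a check that depends on a secret the editor does not hold.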
Availability
The last aspect of information in the triad is Availability. This means that access to the information is always ready to be given to those who are authorized. To explain it, it is like a building with a keycard reader on the door. When you scan your card, you expect to be able to enter the building and use the resources inside. If the reader reads your card, but the door glitches and doesn’t open, you are denied Availability. This applies to information and data as well.[31]
ESG Data Protection Family Tree
Now how does Data Protection accomplish the aspects stated above? Data Protection covers them through many activities.[32]
E-Discovery and Compliance:
It is the gathering of knowledge and information in electronic form. It is the process of locating, extracting, analyzing, and reviewing digital data such as images, files, emails, network traffic, and more. It helps to draw a picture, or provide guidelines, for people in the field of E-Discovery who are tasked with locating essential information.
Archiving:
Archiving is the process of securing information, especially inactive information, for an unknown or very long amount of time. The information can be brought out at any time and referenced; it is mostly not in current use but should still be protected.
Backups:
Backups are copies of the information. A secure copy is created so that if the original data is tampered with or corrupted, you can use the backup copy to restore the original data.
Snapshots:
Snapshots are the process of recording the state of a machine at a specific time. For storage devices in particular, taking a snapshot is a good way to create a copy of data and information, similar to backups. Data and information can be restored to the specific time of the snapshot.[33]
Replication:
Replication is a very costly part of data protection that is quite necessary for the disaster recovery process. It involves replicating and duplicating the data and then moving it to an offsite location so that it is protected. This is mainly so that organizations can recover after attacks, natural disasters, and other incidents that cause great damage or harm to the data and information they hold.[34]
Availability:
Availability is making sure that the data and information are accessible at all times to whoever has access to them, and that they are not completely restricted, unattended, or unsupervised.
Disaster Recovery:
Disaster Recovery is the process by which an organization recovers from disasters and assesses the state of its data, seeing what might have lost Confidentiality, Integrity, and Availability. This involves using the tools and processes above and also trying to find what caused the disaster and how to plan for it in the future, so that the organization can recover more effectively if it ever happens again.[35]
Business Continuity:
Business Continuity is the process of creating systems and tools to help with the recovery process and deal with threats in the future. It means planning ahead so that the organization secures itself and makes sure that threats can be taken care of or avoided again.
General Data Protection Regulation (European Union)
Yet there is more to ensuring data protection than just tools and processes. There are many regulations, laws, and policies as well that help ensure proper data protection. One of these regulations, considered to be strongly accepted by many, is the GDPR. Since 1995, Europe's data privacy has been regulated under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.[36] The directive concerned the protection of individuals with regard to the processing of their data, 1995 O.J. (L 281) (Directive).[36] These regulations were viewed as ineffective because of the rapid evolution of technology, the wish to offer better protection and rights to EU citizens, and the desire to unify data protection laws. This resulted in the creation of the “General Data Protection Regulation” (GDPR), whose final text was approved in 2016.[36] The GDPR came into implementation on May 25, 2018.
The GDPR's main goal is to hold companies more accountable for users’ data and to strengthen users' control over their personal data. It does this through provisions that require a business to safeguard the personal data and privacy of EU citizens for every transaction that transpires within the EU. Exportation of personal data outside of the EU is also regulated by the GDPR.[37] This legislation forces companies to have separate consent forms for the different types of data they collect, along with the ability to retract consent. It also prevents companies from collecting data on children under 16 without the consent of a person who holds “parental responsibility”.[38] Companies that have had their databases breached have to release a notice to those affected within 72 hours.[38] It also gives the consumer the ability to wipe out all data that has been collected on them by companies. The types of data protected by the GDPR are basic identity information, web data, health and genetic data, biometric data, racial or ethnic data, political opinions, and sexual orientation.[37] The GDPR defines roles within a company for who is responsible for ensuring compliance with the GDPR’s regulations. These are the data controller, the data processor, and the data protection officer (DPO).[37] Any company that violates the rules of the GDPR is subject to a fine of up to 4 percent of annual global turnover or 20 million euros, whichever is larger.[38]
GDPR Principles to process data ethically
The GDPR states, in Articles 5-11, the principles on how all personal data should be processed.[39] Data controllers are expected to process personal data in an ethical manner. The six principles that account for ethical data processing are:
- Lawful, Fair and Transparent: Personal information of the data subject should be processed ethically, fairly and in a transparent manner. All processing relating to the data subject should be justifiable under the law.
- Purpose Limitation: Processing of personal data should be limited to the original purpose for which it was collected from the data subject.
- Data Minimisation: When collecting data, data controllers must ensure that only information relevant to the purposes is collected.
- Accuracy: Personal data of data subjects must be accurate and kept up to date. Inaccurate or outdated data should be deleted.
- Storage limitation: The personal data collected must be retained only as long as necessary. The data must be deleted when it is no longer needed for any legitimate purpose.
- Integrity and confidentiality: A company must take technical measures that ensure the protection of personal data against unauthorized access or unethical processing and against accidental loss.[40]
Conclusion
We live in a world with a lot of privacy concerns, whether about Internet Privacy or Informational Privacy, concerning our information and data breaches in which it can be accessed by anyone. Though privacy may not be possible because so many people share information online, the closest we can get to it must be what we strive for. Not many people are aware of the dangers when using the Internet of Things. This is why policies, regulations, and overall data protection are needed and used in many businesses today. I hope that Orange Team was able to help you understand privacy, the various Internet of Things that could affect it, along with the data protection practices, policies, and regulations that seek to try and provide as much privacy online as possible.
References
1. FTC (2020). Retrieved 9 April 2020, from https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-report-congress/priv-23a.pdf
2. Burke, F. (2013, December 2). Social Media vs. Social Networking. Retrieved from https://www.huffpost.com/entry/social-media-vs-social-ne_b_4017305
3. Shah, S. (2018, June 20). The History of Social Media. Retrieved from https://www.digitaltrends.com/features/the-history-of-social-networking/
4. Jones, M. (2015, June 16). The Complete History of Social Media: The Founding of the Online Networking. Retrieved from https://historycooperative.org/the-history-of-social-media/
5. The 10 most popular social media sites in 2020. (2020, March 5). Retrieved from https://www.toptenreviews-online.com/social-media-sites/
6. Rainie, L. (2018, March 27). How Americans feel about social media and privacy. Retrieved from https://www.pewresearch.org/fact-tank/2018/03/27/americans-complicated-feelings-about-social-media-in-an-era-of-privacy-concerns/
7. Lindsey, N. (2019, May 28). New Research Study Shows That Social Media Privacy Might Not Be Possible. Retrieved from https://www.cpomagazine.com/data-privacy/new-research-study-shows-that-social-media-privacy-might-not-be-possible/
8. Morrow, S. (2018, January 30). 5 Social Media Site Privacy Issues You Should Worry About. Retrieved from https://resources.infosecinstitute.com/5-social-media-site-privacy-issues-worry/#gref
9. EPIC - Social Networking Privacy. (n.d.). Retrieved from https://epic.org/privacy/socialnet/
10. Unbox Social. (2019, February 27). GDPR & Social Media-What The Updated Privacy Policies Mean. Retrieved from https://medium.com/@unboxsocial/gdpr-social-media-what-the-updated-privacy-policies-mean-69984844c43
11. 5 U.S.C. § 552a(b).[PDF]. Retrieved from https://www.govinfo.gov/content/pkg/USCODE-2018-title5/pdf/USCODE-2018-title5-partI-chap5-subchapII-sec552a.pdf
12. Greenberg, P. (2019, May 22). State Social Media Privacy Laws. Retrieved from https://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-prohibiting-access-to-social-media-usernames-and-passwords.aspx
13. Wong, Q. (2020, January 3). CCPA: What California's new privacy law means for Facebook, Twitter users. Retrieved from https://www.cnet.com/news/ccpa-what-californias-new-privacy-law-means-for-facebook-twitter-users/
14. Knud Lasse Lueth, 2014
15. Baecker, O., & Jain, S. (2018, June 25). Can blockchain accelerate Internet of Things (IoT) adoption. Retrieved March 24
16. Cisomag. (2020, January 10). 10 IoT Security Incidents That Make You Feel Less Secure. Retrieved March 30, 2020
17. Greenberg, A. (2019, August 12). Watch a Drone Take Over a Nearby Smart TV. Retrieved March 30, 2020
18. Intelligence, I. (2020, January 6). The security and privacy issues that come with the Internet of Things. Retrieved March 30, 2020
19. Laidlaw, J., Williams, A., Szczys, M., & Hobson, J. (2017, April 26). smart tv hack. Retrieved February 20, 2020
20. Lueth, K. L. (2014, December 19). Why the Internet of Things is called Internet of Things: Definition, history, disambiguation. Retrieved March 29, 2020
21. Morrow, S. (2020, March 18). 5 Reasons Privacy and IoT Are Incompatible. Retrieved March 30, 2020
22. Pan, D. (2019, December 13). 75% of IoT Firms Want to Add Blockchain: Survey. Retrieved March 28, 2020
23. Pauw, C. (2019, February 14). How Significant Is Blockchain in Internet of Things? Retrieved March 20, 2020
24. PentaSECURITY. (2019, November 26). Top 5 Shocking IoT Security Breaches of 2019: Penta Security. Retrieved February 14, 2020
25. Health Information Privacy. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
26. Health Information Policy and Laws Retrieved from https://www.healthit.gov/topic/health-information-privacy-law-and-policy
27. Appari, A., & Johnson, M. E. Information Security, and Privacy in Healthcare.
28. Health Information Privacy. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
29. Moore, I., Leason, S., Miller, S. C., & Hickson, G. B. Confidentiality and privacy in health care from the patient's perspective: does HIPAA help?
30. Waltz, D. B. (2014). Privacy in the Digital Age. Ind. L. Rev., 48, 205.
31. Samonas, S., & Coss, D. (2014). THE CIA STRIKES BACK: REDEFINING CONFIDENTIALITY, INTEGRITY AND AVAILABILITY IN SECURITY. Journal of Information System Security, 10(3).
32. Pearlman, S. (n.d.). What is Data Processing? Definition and Stages - Talend Cloud Integration. Retrieved from https://www.talend.com/resources/what-is-data-processing/
33. Snapshot technology overview. (2006, April 26). Retrieved from https://www.ibm.com/developerworks/tivoli/library/t-snaptsm1/index.html
34. Data Replication – Backup Technology. (n.d.). Retrieved from https://www.delltechnologies.com/en-us/learn/data-protection/data-replication.htm
35. Schwab, J., Topping, K. C., Eadie, C. C., Deyle, R. E., & Smith, R. A. (1998). Planning for post-disaster recovery and reconstruction (pp. 483-484). Chicago, IL: American Planning Association.
36. Petersen, K. (2018). GDPR: What (and Why) You Need to Know About EU Data Protection Law. [ebook] pp.12-16. Available at: https://www.kmclaw.com/media/article/247_July_Aug_2018_Peterson_Data_Protection.pdf
37. Nadeau, M. (2018, April 23). General Data Protection Regulation (GDPR): What you need to know to stay compliant. Retrieved from CSO: https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
38. Kharpal, A. (2018, May 25). Everything you need to know about a new EU data law that could shake up big US tech. Retrieved from CNBC: https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html
39. Bhatia, P. Understanding 6 key GDPR principles. Retrieved from EU GDPR Academy: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/
40. Data Protection 2019: Laws and Regulations: USA: ICLG. (n.d.). Retrieved from https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa