COMP.SEC.100 / 6. Privacy & Online Rights / 6.1 Introduction to privacy
Introduction to privacy
Privacy is a fundamental human right. It includes, among other things, the right to be let alone, informational self-determination, and the freedom to build one’s own identity without unreasonable restrictions. All of these are important when defining the boundaries of privacy and its role in society. The term data protection is used for these boundaries, and its regulation has already been extensively discussed in an earlier module, which deals with the European General Data Protection Regulation (GDPR).
Defining and implementing privacy in technical systems can be difficult. Privacy means different things to different people, and even to the same person in different contexts. For example, revealing a rare illness is not a problem when dealing with a doctor, but if the same information is revealed to an online retailer, it becomes a data protection issue. This is referred to as contextual integrity. It focuses in particular on the flow of information when the data protection requirements differ depending on the parties exchanging the information or the environment in which the exchange takes place. Once the requirements for a data flow are clear, the system designer can apply the techniques described in this module.
Data breaches can cause physical or psychological harm. For example, thieves may exploit social media information about a person’s home address and holiday trips to choose a suitable time for a burglary. Advertising companies may build profiles and attempt to influence users. The leakage of private personal data can cause embarrassment or, for example, professional harm to individuals.
Privacy is one of the foundations of a democratic society because it enables citizens to participate freely or to abstain from participation, as well as to exercise freedom of opinion. Privacy enables close personal relationships in which there is no need to maintain a public role. On the other hand, privacy provides an opportunity to choose which aspects of oneself or one’s opinions to present within a community. Without privacy, people’s behaviour and thinking may narrow towards doing what is “generally accepted”, which in turn hinders creativity and the development of society. Such far-reaching consequences of the loss of privacy mean that privacy cannot be treated merely as the protection of data, as a question of confidentiality. In addition to keeping data private, it is important to ensure that systems support freedom of expression and individuals’ self-determination.
Privacy in general
The concept of privacy is used very widely, yet its precise definition remains difficult. It can of course simply mean a person’s freedom from interference in personal matters, or the right to be let alone (in peace). Such a definition appears not only at the beginning of this page but already in the 19th century. Yet what counts as personal or private, and can others nevertheless have certain rights in some situations? In cybersecurity, privacy refers to a person’s right, or practical ability, to determine how information concerning themselves is used.
In the work of a cybersecurity professional, privacy often arises in connection with electronic surveillance and the related investigations. Regulation in this field can be expected to keep developing rapidly, because cloud services continuously enable new types of use cases.
Compared to the past, a citizen’s identity is now known to a very large number of parties—typically connected to some activity in which the information has been recorded. Data protection means that the data collector is not allowed to use the data in an arbitrary manner or for arbitrary purposes. Regardless of whether legislation applies, the following is one possible categorisation of information about a person that may end up in someone else’s possession. Only a small portion of all this can be combined by anyone other than the person themselves. However, threats can be assessed, for example, by considering what the police might be able to uncover if the data had to be retrieved for some reason. Retrieval may also rely on traffic analysis and inference from metadata (see the next section), which both telecommunications and data processing outside one’s own devices leave behind in such large quantities that it is referred to as big data.
It is easy to think of additions to the list. It can be equally interesting to think of everyday activities in which actions are anonymous. Even walking on the street is not anonymous everywhere. Cash has traditionally been anonymous, but it is being phased out. Telecommunications is one of the few items on the list where technical anonymisation is possible, and in financial matters cryptocurrencies aim to achieve this.