Security and Ethical Challenges

Contributors: Kim Wandersee, Les Pang

Computer Security

Computer Security Goals

Computer security must be viewed in a holistic manner and provide end-to-end protection as data moves through its lifecycle. Data originates from a user or sensor and passes over a network to reach a computing system that hosts software. This computer system processes the data and stores it in a storage device. That data is backed up on a device and finally archived. The elements that handle the data need to be secure. Computer security pertains to all the means to protect the confidentiality, integrity, availability, authenticity, utility, and possession of data throughout its lifecycle.

Confidentiality: A security principle that works to ensure that data is not disclosed to unauthorized persons.

Integrity: A security principle that makes sure that information and systems are not modified maliciously or accidentally.

Availability: A security principle that assures reliable and timely access to data and resources by authorized individuals.

Authenticity: A security principle that the data, transactions, communications or documents are genuine, valid, and not fraudulent.

Utility: A security principle that addresses that the information is usable for its intended purpose.

Possession: A security principle that works to ensure that data remains under the control of the authorized individuals.

Figure 1. Parkerian Hexad (PH) security model.

The Parkerian Hexad (PH) model expands on the Confidentiality, Integrity, and Availability (CIA) triad that has been the basic model of Information Security for over 20 years. This framework is used to list all aspects of security at a basic level. It provides a complete security framework to provide the means for information owners to protect their information from any adversaries and vulnerabilities. It adds Authenticity, Utility, and Possession to the CIA triad security model. It addresses security aspects for data throughout its lifecycle.

The Center for Internet Security has identified 20 controls necessary to protect an organization from known cyber-attacks. The first 5 controls will provide effective defense against the most common cyber-attacks, approximately 85% of attacks. The 5 controls are:

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software

4. Continuous Vulnerability Assessment and Remediation

5. Controlled Use of Administrative Privileges

A full explanation of all 20 controls is available at the Center for Internet Security website. Search for CIS controls.

Security Standards and Regulations

The National Institute of Standards and Technology (NIST), Computer Security Division, provides security standards in its Federal Information Processing Standards (FIPS) SP 800 series. These publications are used often by security professionals to ensure they are properly safeguarding information technology. NIST maintains a library of security-related publications. Individual industries are often guided by a Federal law to help ensure that the proper security and privacy controls are established. The following list provides examples of an industry and its associated Federal law.

• Health industry - HIPAA
• Government - FISMA
• Education - FERPA

Responsibilities

Computer Security's responsibility is to prevent an intrusion from occurring, detect a security breach if one occurs, and recover from the security breach. Computer security generally involves the following practices:

• General Staff Practices
• Physical Security
• Disaster Recovery
• Incident Management
• Monitoring and Auditing
• System and Network Management
• Authentication and Authorization
• Encryption

Once a security breach is detected, the following steps may be taken:

• Identify the attack
   o Review event logs
   o Review variations from the baseline performance
   o Use Intrusion Detection Systems (IDS)
   o Research security resources to gather information
   o Look for common symptoms of a specific attack
• Inform personnel
   o E-mail
   o Voice-mail broadcast
• Contain the attack
   o Shut down affected servers
   o Remove affected computers from network
   o Remove network from the Internet
   o Preserve the evidence
• Identify defensive strategies
   o External attacks
      ▪ Block attack patterns with a perimeter IDS
      ▪ Restrict which protocols can enter the perimeter network and the private network
   o Internal attacks
      ▪ Block attack patterns with an endpoint IDS
      ▪ Remove infected computers from the network
      ▪ Rebuild affected computers and restore data from a recent clean backup
• Implement preventative measures
   o Maintain service pack versions
      ▪ Test and install latest service packs and hotfixes
   o Run intrusion detection systems
      ▪ Network perimeter and local
   o Review event logs regularly
      ▪ For example, account logon events
• Document the attack
   o Collect and record attack details
   o Perform a postmortem meeting
   o Develop an action plan for future attacks
   o Modify the security policy and security plan as needed

Threats

Figure 2. Typical threats.

Disasters

Disasters include natural and man-made disasters. These include: tornado, hurricane, earthquake, fire, bombings, and bioterrorism.

Humans

Human activity creates a number of threats to computer security.

• Not following company policy
• Not following security procedures such as changing default passwords
• Social engineering is an outside hacker's use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system
• Lack of safe data-sharing policies with business partnerships
• Intrusion by outsiders (hackers)

Malicious Code

Malicious Code | Description

Virus | A code fragment that copies itself into a larger program, modifying that program. It executes only when its host program begins to run. It can reproduce immediately or can be triggered by a particular event, such as a date.

Worm | Typically an independent program that copies itself from one computer to another, usually over a network.

Trojan Horse | A code fragment that hides inside a program and performs a disguised, unauthorized function.

Bomb | A type of Trojan Horse, used to release a virus, a worm, or other system attack. It is planted by a system developer and is triggered when a particular date, time, or condition occurs.

Trap Door | A mechanism that is built into a system by its designer or programmer. It provides the designer a way to circumvent the normal access to the application. Unfortunately these can be left in the system and allow unauthorized access to the system.

Spoof | A program that tricks an unsuspecting user into giving away privileges.

Hoax | A program that claims that it is malicious code, but does not do harm to the system. Instead, it wastes time while security engineers determine there is no threat.

Spyware | A program that resides on your computer, captures all of your activities, and then sends the information to a company or hacker for their use.

Ransomware | Malicious software that typically encrypts the victim’s files, making them no longer accessible, and demands a ransom to decrypt the files.

E-Commerce Dangers

• Spoofing sites. Spoofing involves fraud, which refers to misrepresentation of identities or other facts in order to obtain something of value. With a proper security system in place, the consumer will be able to positively authenticate the identity of the e-commerce business and the business will be able to identify the consumer before performing the transaction. Identity theft constitutes a current, serious example of fraud perpetrated through unauthorized access to personal information on the Internet.

• Theft of Data from Servers. Consider an electronic banking system. The financial transactions may be altered if one can modify the data during transit. Cryptographic message digests can indicate whether a message has been tampered with.

• Denial of Service. The denial-of-service attack involves preventing one from accessing data by confusing or overloading the related computers or networking equipment. Transmission Control Protocol (TCP) is a communication protocol commonly used on the Internet for many kinds of communication. TCP SYN flooding attack is a threat that involves denial of service launched on the Internet. With TCP SYN flooding attack, hackers attempt to open so many TCP connections with a server that it results in denial of additional incoming connections. Interactive Web technologies such as Java, JavaScript, and ActiveX increase the difficulty of preventing denial-of-service attacks. With these Web technologies, a denial-of-service can be easily embedded in programs.

Controls and Defenses

Policy, Processes, and Procedures

A security policy:

• Defines an organization's requirements for correct computer and network usage
• Includes procedures to detect, prevent, and respond to security incidents
• Provides a framework for implementing security plans and procedures

Data Backups and Hot Sites

Data backup protects not only against physical disasters but also against equipment failure, data theft, data modification and data corruption. Obviously the backup site must be remote from the primary database to avoid a common disaster. Backup media include tape, at lower cost, and disk, at higher cost. Backup frequency may be periodic, as in once a week, or continuous, as in a site that mirrors the primary site. Communication with the backup site may vary from physical transport to high-speed telecommunications links. The type of backup needs to be matched to the requirements of the company or individual. Backup frequency depends on the acceptable data loss that might occur between the last recovery point and a failure. The speed and sophistication of recovery depend on the acceptable down time. The cost of the backup and recovery system should not greatly exceed the risk. Here, risk is taken to be the amount of the possible loss times the probability of its occurrence.

Access Control

Access control can take a variety of forms. "Firewall" or "proxy server" software provides access control for computers connected to the Internet. Access control can involve using transmission cables that cannot be tapped. Access control can also involve requiring authentication prior to allowing a computer to make known the content of certain data files.

Forms of the latter type of access control are the following:

Strong Passwords

Passwords are critical to preventing unauthorized access to the network and applications. Therefore, passwords should be difficult to guess. They should be eight or more characters and a combination of capital and small letters, numbers, and special characters. Passwords should be changed regularly and frequently.

Microsoft provides recommendations for creating and using strong passwords at the following URL: http://www.microsoft.com/protect/yourself/password/create.mspx

Microsoft also provides a free password checker. To check the strength of your password, use the following URL: http://www.microsoft.com/protect/yourself/password/checker.mspx

Single Sign-On (SSO)

Many organizations are implementing Single Sign-On technology. This technology consolidates all user passwords into one. The user can access all applications with only one login to the network. Some organizations require two- or three-factor authentication when using single sign-on technology.

Three Factor Authentication

• Authentication confirms that individuals are who they say they are.

• As examples, three-factor authentication requires the use of a password (something you know), a token (something you have), and biometric data (something you are).

Figure 3. Authentication Factors

Trusted Transactions

Before the Internet, most security measures focused on Perimeter Security for an organization. Technologies included firewalls, anti-virus software, intrusion detection, and e-mail scanning. In the early 2000s, people hesitated to use the Internet for banking, on-line shopping and other transactions that involved sending financial or credit card information over the Internet. There was insufficient confidence in the technology that the data would reach its destination without being altered or intercepted. E-Commerce enabled by the Internet requires trusted transactions. E-Commerce has moved transactions away from the organization to integrated transactions between the customer, the business, the supplier and the payer. In order to do this, security measures had to be in place to create trust.

In other words, Internet transactions require

• Confidentiality
• User authentication
• Non-repudiation
• Transaction integrity

Cryptography (or Encryption)

Cryptography can satisfy many of the security requirements for trusted transactions. Cryptography involves the use of codes and ciphers in order to transmit information so that access is restricted to the intended recipient. The primary objective of cryptography is to allow two or more users to communicate securely over an insecure medium, for example, the Internet. The information to be transmitted, called plaintext, is encrypted using a predetermined key to generate the ciphertext. The ciphertext is transmitted over the insecure medium to the receiver, who recovers the plaintext using a cryptographic key and algorithm. Cryptosystems can be classified into two categories: (1) symmetric key cryptosystems and (2) public key cryptosystems.

1. Symmetric Key Cryptosystems. These have the same problem as unconditionally secure codes. The key to decode the message must be transported to the desired recipient without a chance of falling into the wrong hands.

2. Public Key Cryptosystems. These provide a means to move information in a secure fashion without the need to secretly transmit a decoding key. The disadvantage is that it requires a large amount of computing to code and decode a lengthy message.

Symmetric key and public key cryptography systems together possess the necessary characteristics to perform security for a wide variety of systems, including secure e-commerce, e-mail, and World Wide Web (WWW) interactivity. Today's secure Internet data movements are based on the following concepts:

• A public key cryptosystem is used to safely deliver the key for a symmetric code with a reasonable amount of computing effort.

• Subsequent transactions of large amounts of data can proceed using the fast symmetric key system.

Commonly Encountered Symmetric Codes

Data Encryption Standard. In 1977, the National Institute of Standards and Technology (NIST) published the Data Encryption Standard (DES). DES is a block cipher algorithm. DES has 64-bit block size (ciphertext is 64 bits in length). The DES key is 56 bits in length. DES was last reviewed in 1993 and was approved for unclassified applications until 1998. Although DES is widely used, it is no longer secure and must be replaced with a more robust algorithm.

Advanced Encryption Standard. The Advanced Encryption Standard (AES) algorithm succeeded DES. AES is a symmetric block cipher algorithm. AES has 128-bit block size. AES has variable key size (128, 192, or 256 bits). AES is more secure than DES. Rijndael (pronounced as Rhine-Doll) was selected as the algorithm. Conformance testing was done in the summer 2001. The standard will be reevaluated every five years.

Public Key Infrastructure (PKI)

PKI can be used to secure Internet e-business, improve user confidence in using the Internet for transactions, and implement trusted transactions. PKI ensures the following conditions.

Confidentiality: Is the data private?

User authentication: Are you who you say you are?

Non-repudiation: Are you the only one who could have made this transaction?

Data integrity: Has the data been tampered with?

PKI Technology includes the following features.

Digital Certificate | Binds user's identity to public key in a digital form

Registration Authority (RA) | Security Officers of PKI; Administrator of PKI

Certificate Authority (CA) | Establishes trust; Issues digital certificates; Validates owner's identity

Certificate Revocation List (CRL) | List of all revoked certificates; Time revocation; Reason for revocation

Directories and X.500 | Public repositories

Complete Public Key Infrastructure | Automates the management of digital certificates, public keys, and private keys

Digital Certificates

Digital certificates provide a mechanism to connect the identity of a subject (an individual, company, or computer) to a public cryptographic key in a way that can be trusted and verified. To provide digital certificates, a certain entity called a trusted party is responsible for verifying a set of credentials in accordance with a predefined policy. If approved, the subject's public key and credentials are digitally coded and signed using the trusted party's private key to form a certificate. The certificate can then be distributed in a public manner, and the identity associated with a public key can be authenticated by decoding the certificate with the trusted party's public key and verifying the signature on it. Digital certificates are issued by trusted parties called Certification Authorities (CA).

Digital Signatures

Many public key algorithms can provide authentication, data integrity, and nonrepudiation. Since public key algorithms compute slowly, algorithms to obtain a summary or "fingerprint" of the plaintext are desirable. These algorithms are known as message digests or hash functions. A hash function processes an input of arbitrary length and produces a fixed size output. Secure message digests or hash functions possess three essential mathematical properties.

1. Every input bit influences every output bit.

2. If a single input bit is changed, every output bit has a 50 percent chance of changing.

3. Given an input and corresponding hash, it should be computationally unfeasible to find another input with the same hash.
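Properties 2 and 3 can be measured directly. The following Python example is added here and is not part of the original handout; it assumes SHA-256 as the secure hash and a 16-bit sum-of-bytes checksum as a weak contrast, and the two payment messages are constructed sample data.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    """Secure message digest (256-bit output)."""
    return hashlib.sha256(data).digest()


def additive_checksum(data: bytes) -> bytes:
    """Weak 16-bit checksum (sum of all bytes), used only as a contrast."""
    return (sum(data) % 65536).to_bytes(2, "big")


def bits_changed(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length outputs differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with exactly one input bit inverted."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


def avalanche_fraction(hash_fn, message: bytes) -> float:
    """Property 2: flip every input bit in turn and return the average
    fraction of output bits that change (0.5 is the ideal)."""
    base = hash_fn(message)
    total_bits = len(base) * 8
    trials = len(message) * 8
    changed = sum(
        bits_changed(base, hash_fn(flip_bit(message, i))) for i in range(trials)
    )
    return changed / (trials * total_bits)


# Constructed sample messages: the same bytes with two digits swapped.
M1 = b"Pay Bob 190 dollars"
M2 = b"Pay Bob 910 dollars"

if __name__ == "__main__":
    print("SHA-256 avalanche fraction:  %.3f" % avalanche_fraction(sha256, M1))
    print("checksum avalanche fraction: %.3f"
          % avalanche_fraction(additive_checksum, M1))
    # Property 3: the weak checksum cannot tell M1 from M2, SHA-256 can.
    print("checksum collides:", additive_checksum(M1) == additive_checksum(M2))
    print("SHA-256 collides: ", sha256(M1) == sha256(M2))
```

The checksum accepts the altered amount as unchanged because reordering bytes does not change their sum, which is why integrity checks rely on a cryptographic digest instead.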

Common message hash functions include: MD2, MD4, MD5, MD6, SHA, SHA-1, SHA-2 and SHA-3. MD2, MD4, and MD5 were developed by Ronald Rivest of RSA Data Security. These are 128-bit digests.

A digital signature may be created and sent along with a message to achieve authentication and to assure data integrity and nonrepudiation. The sender, say, Alice, applies a hash function H to her plaintext message m to create the message digest, represented symbolically by Hm. This means that H operates on m. Alice then operates on Hm with her certified private key A to produce the encrypted message digest AHm. She sends AHm to the recipient, say Bob, along with m. Bob recovers Hm by operating on AHm with Alice's certified public key A*. Symbolically, A*AHm = Hm, since A* just undoes A. Bob then separately operates on the received plaintext message m' with H to obtain Hm'. If Hm' = Hm, Bob is sure that (1) the message came from Alice, (2) it was not tampered with in transmission, and (3) Alice cannot disavow it.
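The certificate check from the Digital Certificates section and the Alice-to-Bob exchange above, combined in one added Python example (not part of the original handout). It assumes SHA-256 for H and textbook RSA without padding for A and A*, neither of which the handout specifies; the keys are constructed, insecure demo keys built from Mersenne primes, and all function names are illustrative.

```python
import hashlib
import json

E = 65537  # public exponent shared by every demo key below


def make_keypair(p, q):
    """Textbook RSA key pair from two primes; returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"n": n, "e": E}, {"n": n, "d": d}


def H(data):
    """Message digest Hm as an integer (SHA-256 assumed)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    """AHm: operate on the digest with the signer's private key."""
    return pow(H(data), private["d"], private["n"])


def recover_digest(public, signature):
    """A*: undo the private-key operation with the public key."""
    return pow(signature, public["e"], public["n"])


def verify(public, data, signature):
    """Compare the recovered Hm with Hm' computed from the received data."""
    return recover_digest(public, signature) == H(data)


def cert_body(subject, public):
    """Unambiguous encoding of the identity-to-public-key binding."""
    return json.dumps([subject, hex(public["n"]), hex(public["e"])]).encode()


def issue_certificate(ca_private, subject, public):
    """The trusted party signs the subject's credentials and public key."""
    return {"subject": subject, "public": public,
            "ca_sig": sign(ca_private, cert_body(subject, public))}


def bob_accepts(ca_public, cert, expected_subject, message, signature):
    """Bob's checks in order; returns 'accepted' or the reason for refusal."""
    body = cert_body(cert["subject"], cert["public"])
    if not verify(ca_public, body, cert["ca_sig"]):
        return "certificate not signed by CA"
    if cert["subject"] != expected_subject:
        return "certificate names a different subject"
    if not verify(cert["public"], message, signature):
        return "message digest mismatch"
    return "accepted"


# Constructed demo keys (Mersenne primes: trivially factorable, NOT secure).
CA_PUB, CA_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**127 - 1, 2**2281 - 1)

ALICE_CERT = issue_certificate(CA_PRIV, "alice", ALICE_PUB)
MESSAGE = b"Pay Bob 190 dollars"          # constructed sample message m
SIGNATURE = sign(ALICE_PRIV, MESSAGE)     # AHm, sent together with m

# A certificate whose key was swapped after issuance keeps the old CA
# signature, so Bob's first check rejects it.
SWAPPED_CERT = dict(ALICE_CERT, public=MALLORY_PUB)

if __name__ == "__main__":
    print(bob_accepts(CA_PUB, ALICE_CERT, "alice", MESSAGE, SIGNATURE))
    print(bob_accepts(CA_PUB, ALICE_CERT, "alice",
                      b"Pay Bob 910 dollars", SIGNATURE))
    print(bob_accepts(CA_PUB, SWAPPED_CERT, "alice", MESSAGE,
                      sign(MALLORY_PRIV, MESSAGE)))
```

Production systems use a padded signature scheme such as RSA-PSS from a vetted library rather than the bare modular exponentiation shown here.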

Security Considerations

Privacy

Although privacy and security are related, they are not identical. Privacy pertains to an individual's right to limit disclosure of personal information. It is an implied right, rather than an expressed one, flowing from the U.S. Constitution. Security pertains to data, which may contain information about individuals. If personal and consumer data are protected, so is personal and consumer privacy. Thus, businesses go to great lengths, on line and off, to guarantee the confidentiality of such data. However, to assure the security of a computer system, it may be necessary to observe the usage of it by individuals, thus infringing upon their complete privacy. It may be necessary to conduct a background check of prospective employees to assess their character and habits, again infringing upon their privacy. In a larger sense, the government finds it necessary to conduct wiretaps under warrant and to perform other surveillance to provide national security.

Intellectual Property

One of the striking features of intellectual property—that is, creative works of writing and music—in digital form is its cost asymmetry. What this means is that the Beatles incurred a substantial cost to supply the first unit of intellectual property, say, the digital master of Sgt. Pepper's Lonely Hearts Club Band. Yet the marginal cost—the cost of producing and distributing one more copy of it—is trivial. Therein lies the root of our intellectual property problems. First, how can we pay for the first unit? Then how should we price the subsequent units? The record companies say that the subsequent units must be priced enough over their marginal cost to pay for the first unit. The users say that the subsequent units should be priced at their marginal cost, namely almost nothing. The record companies achieve their goal through their monopoly on production and distribution granted by the copyright law. But when the digital age makes copying and distribution almost free, the users face irresistible temptation to break the monopoly, as the original Napster did.

Such issues as this led to the concept of Digital Rights Management (DRM). Here producers used various methods of coding and encryption to restrict copying and distribution of intellectual property. Successful efforts to break the DRM codes led, among other reasons, to the rewrite of the copyright laws as the Digital Millennium Copyright Act of 1998 (DMCA). In one controversial provision, DMCA made it a crime to defeat DRM codes. About the best we can say here is that the issue still simmers. Nevertheless, producers and distributors are having some success in persuading users to pay a little for their music and videos. Apple's iTunes testifies to that.

Equitable User Access

Under the heading of equitable user access, the concept of the digital divide looms large. The more affluent individuals of this country and the world have access to personal computers and broadband that bring benefits of information and productivity. The less affluent individuals of this country and the world lack this access and these benefits. Clearly a positive feedback operates to enhance the skills and achievements of those with access, whereas that feedback is lacking for those without access. United States policy recognizes this problem in a limited way. The Federal Communications Commission administers a so-called Universal Service Fund. Telecommunications carriers must contribute a portion of their revenue to the fund. The fund's monies are then made available (1) to subsidize the price of telephone service to high cost areas (like rural or mountainous settlements), (2) to provide core telephone service to low income individuals, (3) to help schools and libraries pay for advanced telecommunications services, and (4) to help rural health care facilities pay for the same.

The International Telecommunication Union works to increase the penetration of telecommunications services to developing countries.

The MIT Media Lab has now achieved production of "One Laptop per Child," a bare bones computer costing only $100, operable even in regions without electric power. Intel and other organizations are following suit with competitive offerings. Beyond these efforts, little is really being addressed.

Net Neutrality

Net neutrality has two sides -- those in favor and those against.

Those in favor of the principle argue that the genius of the Internet is its complete neutrality with respect to those who supply content, those who consume content, and the content itself. Because all the intelligence is "at the edges" of the network in the terminal devices, anyone can display his bright idea or videos of his trained seal; others can seize upon that idea and develop it or criticize it. In this way information and innovations are spread around with the result of raising the economic and cultural level of the nation.

Those against the principle argue that the nature of content has greatly expanded since the Internet's early days. Some content deserves more priority than others. Some content deserves more speed or reliability than others. Some users, such as Google and Yahoo, pump more volume into the Internet than others. To accommodate these diverse needs, new investment in the facilities and capabilities of the Internet are needed. Therefore, pricing for some content and some users should be higher to finance such investment.

Apart from these principles is the practical fact that some users—even individual users—and some content use up more of Internet capacity than others. An example is file sharing of videos through the BitTorrent protocol. This recently became troublesome for Comcast, in that five percent of the users on its network consumed 70 percent of the capacity. Such lopsided use could degrade service for the other 95 percent of the users sharing the network, suggesting that Comcast should have the right to manage such traffic in the interests of its customers and its business. Fortunately, it was in the mutual interest of both Comcast and BitTorrent to agree on a traffic management solution that ameliorated the problem.

No legislative resolution of the issue has occurred to date, although the U.S. Congress is still concerned.

Regulatory Considerations

Some aspects of information technology are regulated. Historically the most important portion is the telephone industry, especially the local exchange. Accordingly, we volunteer a few salient points about regulation.

You run into regulations every day. When you drive your automobile to work, you follow a set of regulations for driving -- observe the speed limit, stay right except to pass, and so forth. You have paid a tax for your tags, which you must have to drive your vehicle on the streets, and you have a driver's license, which you obtained by initially passing written and "behind-the-wheel" tests. You have probably renewed your license by taking an eye test, or perhaps another written test. You enter a restaurant knowing, at least subconsciously, that the meat you will eat was inspected by the Department of Agriculture, its weight measured on a scale calibrated by the division of weights and measures, and prepared in a kitchen inspected by the local department of health. Regulation permeates daily life.

Fundamentally, regulations are adopted to protect the public. These regulations are designed to help in a variety of circumstances. Some regulations go to safety, like those governing foods and drugs. Others go to economics, like those governing prices. For example, the market may not be efficient enough to prevent one competitor from holding enough market share to dictate prices to consumers. In such a case, the company may be said to have monopoly power. Regulation is developed to prevent an abuse of such market power, perhaps by setting rates, or at least by limiting them.

Markets in which there are many buyers and sellers characterize perfect competition. Each transaction in the marketplace has a relatively small bearing upon the overall market and each transaction is a small component of overall market volume. Products differ, and consumers may choose the characteristics of the products they want from among a wide range of suppliers. Consumers or purchasers will have a high degree of information on which to base choices. They may use product specifications, price, and other criteria to make their market choice. Choosing one supplier over another does not disadvantage them. When these conditions are met, supply and demand are in equilibrium and determine the market price.

The opposite of competition is monopoly, such as existed formerly in many parts of the telephone industry. In a monopoly environment, choice is substantially reduced. There are fewer choices of suppliers, of products or services, and of criteria for choosing products. In a pure monopoly there is but a single supplier. That supplier could then control supply in such a way to maximize profit. It turns out that maximum profit occurs at a smaller supply and higher price than would occur under perfect competition. The monopoly supplier has no incentive to reduce costs in order to cut prices. In addition, there is a net transfer of wealth from consumer to supplier, much like a hidden tax. To prevent such abuses of their monopoly position, price regulation is imposed on firms that are necessarily monopolistic, like electrical power distribution and the local exchange telephone companies. The regulation seeks to set prices approximately equal to those that would occur under competition.

The more specific goals of economic regulation are to produce efficiency by limiting providers to prudent costs and investments, maintaining low prices for consumers, and curbing abuses of monopolistic or dominant firms. In addition, regulation meets certain social goals, such as nondiscrimination, consumer protection, and targeting of populations in need. Even in the "competitive market" provisions of the Telecommunications Act of 1996, there remain priorities for telecommunications development. Education and libraries, for example, are identified as priorities for investment and for government funding, even under this so-called "deregulatory" act. Another fundamental reason for economic regulation is to ensure fairness. Markets, as the more or less abstract and impersonal entities they are, can determine price but not equity. If you want a telephone, you must pay the going rate. If the supply of telephones is less than the demand, the price will likely go up. If the cost of doing business in, say, a rural area is greater than in an urban area because there are fewer customers for each mile of (expensive) copper wire laid to provide the service, there is a natural tendency to charge more because of the higher cost associated with this group of customers. So if the market fails to provide equity to rural subscribers, regulation is needed.

Beyond economic regulation, U.S. laws have been enacted to regulate disclosure of personal data, privacy of electronic communications, credit reporting, spam, and child pornography, among other topics. These laws, unfortunately, are having but moderate effect. To summarize, regulation is needed when there is market failure. Examples of market failure are safety risks, excessive price, low quality, limited choice, lack of innovation, and concentration of supply with consequent power to control the market and inhibit competition.

Conclusions

Security must protect information in every state it is in: transmission, storage, and processing. Technical controls are one aspect of security and include firewalls, intrusion detection systems or anti-virus software. It can be looked at in terms of people, process and technology. People must be trained and understand what to do in order to prevent security breaches. Policy and processes should be established to ensure a consistent, measurable, repeatable performance of good security behavior. The following graphic shows the various aspects of a comprehensive security program.

Figure 4. Security Dimensions.

People should be considered in terms of, for example, adequate security clearances, proper hiring practices, the need for proper security training and others. Policy and Process should be examined in terms of disciplined patch management policies and procedures, a disaster recovery / business continuity plan, establishment of a security steering committee and a sound incident management system. Technology involves the tools and procedures to fend off any attacks -- both external and internal attacks. Insider threats are responsible for over 75% of the security breaches. Therefore, one should take a holistic view of security in order to protect information while at a particular facility, while it is mobile, and while it is in use from a remote location. Data must be protected in all states: transmission, storage, and processing. Security must address the human element to guard against intentional or unintentional security breaches. A strong security program includes a combination of technology, policy and process, and people.

IT Ethics and Responsible Conduct

Ethical Use of Data

The U.S. Government, businesses, organizations, social media, and recent developments such as the Internet of Things are generating an increasing amount of data. There are new capabilities to gather, analyze, disseminate, and preserve large amounts of data that make it possible to learn more about an individual without their knowledge or consent. According to PCAST in May 2014, “the term privacy encompasses not only the famous 'right to be left alone' or keeping one’s personal matters and relationships secret, but also the ability to share information selectively but not publicly” (p. 13). As our ability to collect data, combine multiple data sources, and analyze the data to gain new knowledge expands, the ethical use of data collected must be a conscious decision made by anyone that owns and processes data.

The concern for privacy as new technology becomes available is not new. In the late 90’s, the American Civil Liberties Union (ACLU) was concerned about the government assigning everyone a national ID. During that time, many databases were accessed by a key. A key is a unique identifier that allows information stored in a record to be directly accessed. Individuals were concerned that the government might use the national ID to link databases together and use the new information to limit personal freedom. In George Orwell’s book, 1984, he writes about the government monitoring your activities. The phrase “Big Brother is Watching You” became a popular way to describe the invasion of one’s privacy by the government. A video, Ordering a Pizza in the Future, shows the privacy concerns of a national ID which could be used if systems were linked together.

Today, 'right to privacy' concerns include data collected by the government or other organizations. A national ID or a key to join related records is no longer needed. We have learned with Snowden’s exposure of the NSA monitoring how intrusive government monitoring can be.
There are claims that our government reads the content of our emails, file transfers, and live chats from the social media we use in order to protect national security. Facebook performed a “social experiment” where it controlled content in individual Facebook pages to determine whether or not receiving negative content affected one’s mood. Facebook did not gain prior consent to perform this experiment.

Data is being collected and stored in a manner that supports the ability for one to access the data and perform data analytics on a question or need that was not the original intent of the data collection. This can occur by over collection of data or by "data fusion." Over collection of data is caused by a design that intentionally or unintentionally collects information unrelated to its stated purpose. Data fusion occurs when different data sources are accessed through advanced analytics capability and pattern recognition to find a new meaning from the information other than the original intent of the data collection. Benefits can be gained from gleaning new information from the data. However, the proper use of data must be considered. Listed below are examples where the information itself is beneficial but can be used in a way that is potentially harmful and that an unsuspecting individual may not want disclosed:

• Research on disease could be associated with data from electronic health records and genomic information. This could lead to improved treatments for a disease, but it could also lead to disqualifications for insurance or jobs.

• An example of potential misuse of information occurred at a company that requires certain employees to drive trucks. The company logo is marked on the trucks. This company has a strict zero tolerance policy regarding drinking while on the job. One particular driver showed up late to work. The company accessed the GPS locator that was installed on the truck and discovered that the employee had parked the truck behind a night club all night. The driver did not know the GPS device was installed on the truck. The company did not like the company image portrayed by their truck parked outside the night club. The company deduced that because the truck was parked outside a night club and the driver was late to work, the driver must have been drinking. The driver was let go.

o Would you consider this an invasion of privacy or a company that was very prudent in ensuring the safety of its workers and reputation of the company? What might have been the original intent of putting GPS tracking devices on company vehicles? Prior to GPS technology, the company might never have known the whereabouts of the employee.

• A personal example was when a grocery store sent me a coupon for the cat food I fed to my cat and thanked me for being a loyal customer. On the surface, this seems like a good idea. I get a discount on what I buy and the producer sells more products. But what if my purchases were something less benign than cat food? The retailer Target inferred that a teenage customer was pregnant and began sending her coupons intended to be useful for her. Unfortunately, her father saw the coupons and determined that his daughter was pregnant.

• A controversial topic involves the police placing GPS-based tracking devices on vehicles without the driver's knowledge. Some argue that placing such a device on a vehicle constitutes a "search" under the Fourth Amendment which may be illegal if there is no probable cause.

Privacy concerns are caused by the increasing amount of data being collected and analyzed. Over collection of data and data fusion can provide the opportunity to learn unintended information from our data. This new knowledge and wisdom can be both beneficial and harmful. As our ability to collect data, combine multiple data sources, and analyze the data to gain new knowledge expands, the ethical use of data collected must be a conscious decision made by anyone that owns and processes data.

References

Cohn, Marjorie (2014). Beyond Orwell’s Worst Nightmare. Retrieved from http://www.globalresearch.ca/big-brother-is-watching-you-beyond-orwells-worst-nightmare/5367023

Center for Internet Security. CIS Controls. Retrieved from https://learn.cisecurity.org/20-controls-download

Ellenberg, Jordan (2014). Making (a Huge Number of Users (Very Slightly) Sad. Retrieved from http://www.slate.com/articles/technology/do_the_math/2014/06/facebook_study_the_iffy_ethics_of_making_a_huge_number_of_people_very_very.html

Moghaddasi, H. (2015). Reasons in Support of Data Security and Data Security Management as Two Independent Concepts: A New Model. Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5090776/

President’s Council of Advisors on Science and Technology (PCAST) (2014). Big Data and Privacy: A Technological Perspective. Retrieved from http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf