"We estimate the value of online privacy with a differentiated products model of the demand for Smartphone apps. We study the apps market because it is typically necessary for the consumer to
relinquish some personal information through “privacy permissions” to obtain the app and its benefits. Results show that the representative consumer is willing to make a one-time payment for each app of
$2.28 to conceal their browser history, $4.05 to conceal their list of contacts, $1.19 to conceal their location, $1.75 to conceal their phone’s identification number, and $3.58 to conceal the contents of
their text messages. The consumer is also willing to pay $2.12 to eliminate advertising. Valuations for concealing contact lists and text messages for “more experienced” consumers are also larger than
those for “less experienced” consumers. Given the typical app in the marketplace has advertising, requires the consumer to reveal their location and their phone’s identification number, the benefit from
consuming this app must be at least $5.06."
"On Tuesday, September 10th, 2013, the Future of Privacy Forum joined with the Center for Internet and Society at Stanford Law School to present a full-day workshop on questions surrounding
Big Data and privacy. The event was preceded by a call for papers discussing the legal, technological, social, and policy implications of Big Data. A selection of papers was published in a special issue
of the Stanford Law Review Online and others were presented at the workshop. This volume collects these papers and others in a single collection. These essays address the following questions: Does Big
Data present new challenges or is it simply the latest incarnation of the data regulation debate? Does Big Data create fundamentally novel opportunities that civil liberties concerns need to accommodate?
Can de-identification sufficiently minimize privacy risks? What roles should fundamental data privacy concepts such as consent, context, and data minimization play in a Big Data world? What lessons can be
applied from other fields?"
"One hot area of data privacy litigation over the past several years has been data breach class actions brought under the California Confidentiality of Medical Information Act (CMIA), which
provides that a person may recover $1,000 ‘nominal’ damages against a healthcare provider who has negligently ‘released’ the person’s medical information. Until recently, no California appellate court had
directly analyzed what constitutes a ‘release’ of medical information under the CMIA. The court in The University of California v. Superior Court (Platter) addressed this question for the first time in
2013 and held that the mere loss of possession of computer equipment containing medical information was not sufficient to constitute a release of the information itself. Instead, the court held, a
plaintiff must be able to plead, and ultimately prove, that an unauthorized person actually accessed the plaintiff’s medical information. The Platter decision will protect defendants from CMIA liability
in instances in which a computer or other device is lost or stolen and never recovered but where there is no evidence to suggest that anyone ever looked at the information contained on the device after
the loss or theft."
"Data classification has been used for decades to help large organizations such as Microsoft, governments, and military entities manage the integrity of their data. This paper provides readers
with an introduction to the fundamentals of data classification and highlights its value, specifically in the context of cloud computing. Organizations that are assessing cloud computing for future use or
organizations that are currently using cloud services and seeking ways to optimize data management will benefit most from this paper."
"Most developed countries have tried to restrain digital piracy by strengthening laws against copyright infringement. In 2009, France implemented the Hadopi law. Under this law individuals receive a warning the first two times they are detected illegally sharing content through peer to peer (P2P) networks. Legal action is only taken when a third violation is detected. We analyze the impact of this law on individual behavior. Our theoretical model of illegal behavior under a graduated response law predicts that the perceived probability of detection has no impact on the decision to initially engage in digital piracy, but may reduce the intensity of illegal file sharing by those who do pirate. We test the theory using survey data from French Internet users. Our econometric results indicate that the law has no substantial deterrent effect. In addition, we find evidence that individuals who are better informed about the law and piracy alternatives substitute away from monitored P2P networks and illegally access content through unmonitored channels."
"Late one evening in December 2010, an employee of a commercial blood bank left his office with four backup tapes to drive them to the company’s corporate headquarters, just 13 miles away.
According to reports, he temporarily parked his car and locked its doors, leaving the tapes inside. Shortly thereafter, he returned to find the car’s window broken and various items missing, including the
backup tapes, a company laptop, and an external hard drive. The unencrypted backup tapes contained customer names, contact information, Social Security numbers, credit card numbers, and checking account
numbers. The laptop and external hard drive, also unencrypted, contained passwords and other information that could facilitate an intruder’s access to the company’s network. The employee immediately filed
a police report. This was just the beginning of the company’s data breach saga."
"Data protection authorities (DPAs), the main actors protecting data protection rights, play a crucial role in processing the overwhelming majority of data protection complaints. Further
action is needed to ensure that access to DPAs is effective in practice. The independence of DPAs must be strengthened through a reform of EU legislation. They should have enhanced powers and competences,
supported by adequate financial and human resources, including diverse and qualified professionals, such as trained information technology specialists and qualified lawyers. […] To strengthen their
authority and credibility, DPAs should play an important role in the enforcement of the data protection system, by having the power to either issue sanctions, including fines, or procedures that can lead
to sanctions […] Data protection authorities are encouraged to be more transparent, as well as to communicate effectively with the general public, providing necessary information and easing access to
remedies in practice."
"Because telephone calling records can reveal intimate details about a person’s life, particularly when aggregated with other information and subjected to sophisticated computer analysis, the government’s collection of a person’s entire telephone calling history has a significant and detrimental effect on individual privacy. The circumstances of a particular call can be highly suggestive of its content, such that the mere record of a call potentially offers a window into the caller’s private affairs. Moreover, when the government collects all of a person’s telephone records, storing them for five years in a government database that is subject to high-speed digital searching and analysis, the privacy implications go far beyond what can be revealed by the metadata of a single telephone call. Beyond such individual privacy intrusions, permitting the government to routinely collect the calling records of the entire nation fundamentally shifts the balance of power between the state and its citizens. With its powers of compulsion and criminal prosecution, the government poses unique threats to privacy when it collects data on its own citizens. Government collection of personal information on such a massive scale also courts the ever-present danger of ‘mission creep.’ An even more compelling danger is that personal information collected by the government will be misused to harass, blackmail, or intimidate, or to single out for scrutiny particular individuals or groups. To be clear, the Board has seen no evidence suggesting that anything of the sort is occurring at the NSA and the agency’s incidents of non-compliance with the rules approved by the FISC have generally involved unintentional misuse. Yet, while the danger of abuse may seem remote, given historical abuse of personal information by the government during the twentieth century, the risk is more than merely theoretical."
"Today, 40% approve of the government’s collection of telephone and internet data as part of anti-terrorism efforts, while 53% disapprove. In July, more Americans approved (50%) than
disapproved (44%) of the program. In addition, nearly half (48%) say there are not adequate limits on what telephone and internet data the government can collect; fewer (41%) say there are adequate limits
on the government’s data collection. About four-in-ten Republicans (39%) and independents (38%) – and about half of Democrats (48%) – think there are adequate limits on the information that the government
"Intelligence community officials have given two primary examples of the value or prospective value of Section 215 bulk phone records collection: the disrupted 2009 al-Qaeda plot targeting the
New York City subway and the case of Khalid al-Mihdhar, the 9/11 hijacker who was under surveillance by NSA and who, the government alleges, could have been found if NSA had Section 215 authorities before
the 9/11 attacks. Upon review of the facts of these two cases, neither is compelling. Bulk phone records collection would not have helped disrupt the 9/11 plot and did not make a significant contribution
to success against the 2009 plot."
"Innovations in technology and greater affordability of digital devices have presided over today’s Age of Big Data, an umbrella term for the explosion in the quantity and diversity of high
frequency digital data. These data hold the potential - as yet largely untapped - to allow decision makers to track development progress, improve social protection, and understand where existing policies
and programmes require adjustment. […] With the promise come questions about the analytical value and thus policy relevance of this data - including concerns over the relevance of the data in developing
country contexts, its representativeness, its reliability - as well as the overarching privacy issues of utilising personal data. This paper does not offer a grand theory of technology-driven social
change in the Big Data era. Rather it aims to delineate the main concerns and challenges raised by ‘Big Data for Development’ as concretely and openly as possible, and to suggest ways to address at least
a few aspects of each."
"Twelve U.S. businesses have agreed to settle Federal Trade Commission charges that they falsely claimed they were abiding by an international privacy framework known as the U.S.-EU Safe Harbor that enables U.S. companies to transfer consumer data from the European Union to the United States in compliance with EU law. The companies settling with the FTC represent a cross-section of industries, including retail, professional sports, laboratory science, data broker, debt collection, and information security. The companies handle a variety of consumer information, including in some instances sensitive data about health and employment."
"This report analyses the conditions under which online security and privacy seals (OSPS) can be deployed to support users to make an informed trust decision about Web services and their
providers with respect to the provided security and privacy. This report is motivated by the numerous policy documents that mention marks, seals, logos, icons (collectively referred to as OSPS) as a means
enabling users to judge on the trustworthiness of services offered on the Web. The field of OSPSs has also developed in maturity. Therefore, we aim at analysing the current situation and identifying key
challenges for online signals in practice. Based on these challenges, this report identifies possible solutions and corresponding recommendations and next steps that ENISA and other stakeholders should
follow for enabling users in judging on the trustworthiness of services offered on the Web."
"Mr. Zhang is a client of Turnstyle Solutions Inc., a year-old local company that has placed sensors in about 200 businesses within a 0.7 mile radius in downtown Toronto to track shoppers as
they move in the city. The sensors, each about the size of a deck of cards, follow signals emitted from Wi-Fi-enabled smartphones. That allows them to create portraits of roughly 2 million people’s habits
as they have gone about their daily lives, traveling from yoga studios to restaurants, to coffee shops, sports stadiums, hotels, and nightclubs."
"The goal of this paper is to outline the laudable goals and ultimate failure of notice and choice to respect privacy online and suggest an alternative framework to manage and research
privacy. This paper suggests that the online environment is not conducive to relying on explicit agreements to respect privacy. Current privacy concerns online are framed as a temporary market failure
resolvable through two options: (a) ameliorating frictions within the current notice and choice governance structure or (b) focusing on brand name and reputation outside the current notice and choice
mechanism. The shift from focusing on notice and choice governing simple market exchanges to credible contracting where identity, repeated transactions, and trust govern the information exchange rewards
firms who build a reputation around respecting privacy expectations. Importantly for firms, the arguments herein shift the firm’s responsibility from adequate notice to identifying and managing the
privacy norms and expectations within a specific context."