Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy regulation and research Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014.

Similar presentations

Presentation on theme: "Privacy regulation and research Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014."— Presentation transcript:

1 Privacy regulation and research Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014

2 Outline 1.Privacy legislation 2.Examples of my own privacy research 2

3 3 Two aspects of privacy  Control over personal information – Emphasized in Europe – Gathering, disclosure and false representation of facts about someone’s personal life – Personally identifiable information (PII)  Right to be left alone – Emphasized in America – Interference, control, discrimination, censorship, also spam

4 4 Privacy legislation in Finland WARNING: I’m not a lawyer. The following slides contain highly simplified interpretations of the law.  Perustuslaki (constitution), 10 § – Protection of privacy, honor and home – Secrecy of letters, messages and telephone calls Also: – Obligation to protect personally identifiable information by law – Exceptions can be made in other laws

5 5 Crimes against privacy in Finland  Rikoslaki (criminal code), luku 24  Kotirauhan rikkominen, Rikoslaki, luku 24, 1–2, 11 § – Disturbing people in their home is a crime – Telephone and mobile phone are also protected area  Salakuuntelu ja salakatselu, Rikoslaki, luku 24, 5–7 § – Using technical equipment to listen or record people’s speech at home or in some other place when they don’t expect outsiders to hear is a crime – Using technical equipment to watch or record of pictures without permission at someone’s home (or equivalent place), fenced yard, toilet or dressing room is crime – Ok to eavesdrop voices and sounds without equipment – Ok to record sound when you are legitimately present, e.g. keep a microphone on your body or record telephone calls – Ok to photograph or record video in a public place

6 6 Publishing photos or video of others  The law is not clear – Photo could be harmful information about the subject’s private life – Photo could be personally identifiable, especially in the future  For use in advertisements, subject’s permission is required if the subject is identifiable (court decision)  School must ask parents’ permission to publish identifieable photos of children (privacy ombudsman)  TV, newspapers and online services often have guidelines about not showing identifiable photos or video without the subject’s permission  For portraits made to order, the subject’s or the state’s permission required (Tekijänoikeuslaki 8.7.1961/404, 27 §, copyright law)

7 7 Crimes against privacy in Finland  Yksityiselämää loukkaavan tiedon levittäminen, Rikoslaki, luku 24, 8 §§ – Publishing harmful information about an individual’s private life is a crime – Exceptions for politicians and other public figures  Kunnianloukkaus (libel), luku 24, 9–10§§ – Spreading harmful false information about an individual is a crime – E.g. posting warnings about suspicious people on Facebook

8 8 Crimes against privacy in Finland  Viestintäsalaisuuden loukkaus (breach of communications confidentiality), luku 38, 3–4 §§ – Opening a letter or closed or protected message addressed to someone else is a crime (e.g. by guessing webmail password) – Eavesdropping telecommunications networks is a crime; so is traffic analysis – Being a system admin or using hacking tools makes the offence especially serious – Communication metadata (e.g. called numbers) is also protected  Notes: – Communications confidentiality does not prevent the legitimate receiver of a message from sharing it further – Even opened emails in the mailbox are protected (so it seems), which is stronger protection than for paper letters

9 9 Personally identifiable information  Henkilötietolaki 22.4.1999/523  Law about personally identifiable information (PII) when it is either processed automatically or stored in a register – Does not apply to normal personal use of data, e.g. address book  Requirements for PII processing: – Following good data processing practices (includes security) – Defined purpose: the sources, uses and transfer of information must be defined beforehand; no new uses allowed – The person’s permission is required to process PII, except in some specific cases (e.g. employment or customer relationship) – The PII processing must be necessary and the processor is responsible for its correctness – The subject person must in informed  Rekisteriseloste: PII register holder must make a public declaration of what data is stored and for what purpose  Right to inspect your PII in the register (free once a year) and demand correction of incorrect information

10 10 Freedom of information legislation  Laki viranomaisten toiminnan julkisuudesta 21.5.1999/621  All official (government) documents are public, unless made secret by law – Includes both documents and data – No requirement to tell your identity or the reason for requesting the information – Applies also to universities and student unions (Yliopistolaki 30 §)  Long list of exceptions (24 §) to protect security, economy etc. For example, the following information is secret by default: – Research plans, thesis plans, exam questions, personal income, wealth, benefits, use of social services, health, disability and sexual orientation, private information about crime suspects and victims, psychological evaluations, exam answers and verbal (non-numerical) evaluations of students, secret telephone numbers, addresses and mobile-device location, private political views, way of life, membership in associations, hobbies, family life  Asianosaisjulkisuus (11–12 §) – Individuals have access to secret information about themselves, or if it is relevant to their rights and obligations (with exceptions)

11 11 Protection of electronic communication  Sähköisen viestinnän tietosuojalaki 16.6.2004/516 About telecom companies and subscriber organizations (yhteisötilaaja) – Message content, metadata and location information are confidential by default – If you learn about a message, you must not tell others and must not use the information for any purpose (happens to sysadmins) – Must not break technical protection or make tools for it (e.g. password cracking or cryptanalysis) – Organizations, mainly employers, have some rights to access communication metadata to prevent crime (“Lex Nokia”) – ISP, email service or Internet telephony service must store communication metadata for 12 months (for criminal investigations) – Right to forbid direct electronic marketing to yourself  Many other things…

12 12 Freedom of speech in public media  Laki sananvapauden käyttämisestä joukkoviestinnässä 13.6.2003/460 – The law applies to media with a responsible published or editor – The publisher has the right to protect the anonymity of messages (similar to the press) – If publishing the message breaks a law, the authorities can break the anonymity (e.g. copyright violation, libel or incitement to crime), — also based on requests from foreign authorities – Court can order takedown of illegal messages

13 13 Privacy and employment  Laki yksityisyyden suojasta työelämässä 13.8.2004/759,  Rules for what information employers may record and process about their employees  Detailed rules for – Processing of employee PII and health data – Drug tests – Camera surveillance at workplace – Opening work-related emails addressed to an absent employee

Download ppt "Privacy regulation and research Tuomas Aura CSE-C3400 Information security Aalto University, autumn 2014."

Similar presentations

Ads by Google