1 3. Data Protection and Privacy
Reference: Discovering Computers 2003/2004, Course Technology, Thomson Learning, Chapter 12
Note: The privacy laws in HK differ from those in the USA described in the textbook.
Other reference: 香港私隱專員公署 (Office of the Privacy Commissioner for Personal Data, Hong Kong) http://www.pco.org.hk/
2 Data Protection
System Security (S#3): data protection in a computer or network system
Privacy (S#8): protection of personal data in 2 aspects: legal issue, ethical issue
3 System Security: to protect data on computer systems and networks
4 Security (1-a): Data protection on computer
Protection by access control: a security measure that defines who can access a computer, in a 2-phase process:
(1) Identification by user login identity
(2) Authentication by matching with the user password, to verify that you are a valid user
Protection by user-rights restriction: limit the actions that each user can perform
Physical protection: by restricted room or door, e.g., biometric devices that check fingerprints or voice, or access by smart card
5 Secure password:
Should be a complicated combination of letters and numbers.
Should be of reasonable length.
Should not be related to personal information, such as a birthday.
Should not have a special meaning, such as a dictionary word like “school”.
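The four rules on this slide as a checker, added here as an example (not from the slides or the textbook); the minimum length of 8, the tiny word list and the birthday formats it looks for are assumptions chosen for illustration.

```python
# Added example (not from the slides): checks a candidate password against the
# four rules on the slide above. The minimum length, the word list and the
# birthday formats are assumptions chosen for illustration.
from __future__ import annotations
import re
from datetime import date

MIN_LENGTH = 8  # assumed "reasonable length"

# A small constructed stand-in for a real dictionary word list.
DICTIONARY = {"school", "password", "welcome", "summer", "letmein"}


def birthday_fragments(birthday: date) -> set[str]:
    """Strings a person is likely to derive from their birthday (assumed formats)."""
    d, m, y = birthday.day, birthday.month, birthday.year
    return {
        f"{y}", f"{y % 100:02d}",
        f"{d:02d}{m:02d}", f"{m:02d}{d:02d}",
        f"{d:02d}{m:02d}{y}", f"{y}{m:02d}{d:02d}",
        f"{d:02d}{m:02d}{y % 100:02d}",
    }


def check_password(password: str, birthday: str | None = None) -> list[str]:
    """Return the slide rules the password violates (empty list = acceptable).

    birthday is an ISO date string such as "1990-05-17" (assumed input format).
    """
    problems = []
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must combine letters and numbers")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if birthday and any(
        frag in password for frag in birthday_fragments(date.fromisoformat(birthday))
    ):
        problems.append("contains personal information (birthday)")
    # Strip digits and symbols so "school123" still counts as the word "school".
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems
```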
6 Security (1-b): Data protection on computer
By prevention of system failure due to:
1. Under-voltage (e.g., blackout) or over-voltage (e.g., spike), which can cause permanent damage to hardware. Solution: use a stand-by power supply.
2. Virus attack, which can harm both hardware and software. Solution: install an anti-virus program with frequent updates of the virus definitions.
By recovery from back-up: making a duplicate copy of data file(s) on back-up media to prevent loss of data.
7 Backup Methods (p.12.20)
Full Backup: copies all of the files.
Differential Backup: copies only the files that have changed since the last full backup.
Incremental Backup: copies only the files that have changed since the last backup (full or incremental).
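A simulation of the three backup methods, added here as an example (not from the slides); files are modelled as a name-to-last-modified-day map, and the three sample files and the edit history in `run_scenario` are constructed for illustration.

```python
# Added example (not from the slides): simulates which files each backup
# method copies. Files are a dict of name -> last-modified "day"; the file
# set and edit history in run_scenario are constructed for illustration.
from __future__ import annotations


class BackupPlanner:
    def __init__(self) -> None:
        self.last_full: int | None = None   # day of the last full backup
        self.last_any: int | None = None    # day of the last backup of any kind

    def full(self, files: dict[str, int], today: int) -> set[str]:
        """Full backup: copy every file and reset both baselines."""
        self.last_full = self.last_any = today
        return set(files)

    def differential(self, files: dict[str, int], today: int) -> set[str]:
        """Differential: files changed since the last FULL backup (set grows daily)."""
        if self.last_full is None:
            raise RuntimeError("a differential backup needs a prior full backup")
        copied = {name for name, mtime in files.items() if mtime > self.last_full}
        self.last_any = today   # the full-backup baseline is left unchanged
        return copied

    def incremental(self, files: dict[str, int], today: int) -> set[str]:
        """Incremental: files changed since the last backup of ANY kind (stays small)."""
        if self.last_any is None:
            raise RuntimeError("an incremental backup needs a prior backup")
        copied = {name for name, mtime in files.items() if mtime > self.last_any}
        self.last_any = today
        return copied


def run_scenario(method: str) -> list[set[str]]:
    """Day 1: full backup; days 2-3: the chosen method. Returns the files copied each day."""
    files = {"a.doc": 0, "b.xls": 0, "c.ppt": 0}   # constructed sample files
    planner = BackupPlanner()
    copied = [planner.full(files, today=1)]
    files["a.doc"] = 2                               # day 2: a.doc edited
    copied.append(getattr(planner, method)(files, today=2))
    files["b.xls"] = 3                               # day 3: b.xls edited
    copied.append(getattr(planner, method)(files, today=3))
    return copied
```

The trade-off this shows: restoring from differential backups needs only the full backup plus the newest differential set, while restoring from incremental backups needs the full backup plus every incremental set since.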
9 Security (2-a): Internet and network
Data Encryption (加密): a message can be encrypted by applying an encryption key; the encrypted message then becomes unreadable. In order to be read again, the message must be decrypted with a matching key. Data encryption is used to provide secure data transmission over networks.
10 Security (2-a): Internet and network
Many web browsers use data encryption (such as RSA public key encryption or 128-bit encryption, p.12.23).
Servers can use encryption techniques to secure their data transmission through:
Digital certificate (used for online transactions): a notice that guarantees a user or a web site is legitimate and hence secure.
HTTPS: secure Hypertext Transfer Protocol, i.e. Hypertext Transfer Protocol over Secure Sockets Layer.
11 Security (2-b): Internet and network
Secure email includes a digital signature, an encrypted code used to verify the identity of the message sender.
Firewall: a security system consisting of hardware and software that prevents unauthorized access to a network. (More in network.ppt.)
12 Privacy
Personal information: name, home address, occupation, personal phone number, ...
Information on personal activities: when and where one dines out, when one crosses Tate's Cairn Tunnel, ... (especially in view of the fast flow of information using computers).
Hence the need to protect personal data.
13 Protection of Personal Data
The rights to keep personal information from misuse by the data user. In general, the data subject (data owner) has the following rights:
Right to consent to the use.
Right to know the purpose of using the data.
Right to access the data.
Right to correct the data.
Illegal access to (or use of) personal data is treated as a crime. (Example at END.)
14 Data protection in Hong Kong
Protection by the Personal Data (Privacy) Ordinance, which was brought into force in December 1996, based on 6 principles that elaborate the rights discussed in the previous slide.
15 Applying the 4 basic rights
Right to consent to use
Right to know the purpose
Right to access the data
Right to correct the data
to the 6 principles of the Ordinance, and to situational cases
16 1. Collection of personal data
The data subject should be informed of the purpose if collection is on an obligatory basis.
The data subject should give consent for the purpose if collection is on a voluntary basis.
In either case the data must be: collected only for a lawful purpose; not excessive, i.e. fair in the circumstances of the case.
Which basic right(s)?
17 2. Retention of personal data
Personal data should be accurate.
Data thought to be inaccurate should not be used without rectification.
Personal data shall not be kept longer than is necessary for the fulfillment of the purpose.
Which basic right(s)?
18 3. (Other) Use of personal data
Personal data shall not be used for purpose(s) other than those the data subject was informed of, without further consent from the data subject.
Which basic right(s)?
19 4. Security of personal data
Protect against unauthorized access, processing, erasure or other use, by all practicable steps regarding:
the physical location
the equipment storing the data
the persons handling the data
the transmission of data
Which basic right(s)?
20 5. Information to be generally available (e.g. Census)
The data subject should be able to:
ascertain the data user's policies and practices
know the kind of data held
know the main purposes for using the data
Which basic right(s)?
21 6. Access to personal data
A data subject shall be entitled to ascertain whether a data user is still holding the data, and to request access to or rectification of the data.
Which basic right(s)?
22 The Ordinance: Major Exemption
Personal data used for the social or public interest, such as security, defence or detection of crime.
23 Examples: violation of privacy
Computer matching: reporting mismatches between the profile created by a computer program from gathered data and the actual profile of a suspect. Widely used in detecting crimes; it may be legal under the exemption.
Computer monitoring: data about certain activities are gathered and analyzed continuously by computers, e.g. to measure the performance of workers. It is legal if there is consent from the workers.
24 Privacy issues on the Internet
Privacy issue from cookies: a cookie is a file sent from a web server to the user's hard disk, recording information about the user. The web server of each site can access only its own cookie file.
Crimes:
Selling and buying information extracted from cookies without informing the data owner.
Hacking into the cookie file from another web server.
25 More on cookies
(a) Use of cookies by a web server:
Identify a user
Customize a site accordingly
Focus advertising accordingly
Provide the choice of avoiding username and password entry
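The rule behind "each site can access only its own cookie file" on the previous slide is enforced by the browser when it decides which cookies to attach to a request; the check below is an added example (not from the slides), following the RFC 6265 domain-match and path-match rules in simplified form (no public-suffix list), with constructed cookies and hosts.

```python
# Added example (not from the slides): the browser-side rule that keeps one
# site's cookie from being sent to another site's server. Matching follows the
# RFC 6265 domain-match and path-match rules (simplified: no public-suffix
# list); the cookies and requests used with it are constructed.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    domain: str             # host the cookie belongs to (no leading dot)
    path: str = "/"
    host_only: bool = True  # True when the server set no Domain attribute
    secure: bool = False    # True when the server set the Secure attribute


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    # Subdomain case; an IP address (numeric last label) never domain-matches.
    return request_host.endswith("." + cookie_domain) and not request_host[-1].isdigit()


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: cookie path is a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    )


def would_send(cookie: Cookie, host: str, path: str, https: bool) -> bool:
    """Decide whether the browser attaches the cookie to a request (RFC 6265 5.4)."""
    if cookie.host_only:
        if host.lower() != cookie.domain.lower():
            return False
    elif not domain_match(host, cookie.domain):
        return False
    if not path_match(path, cookie.path):
        return False
    return https or not cookie.secure   # Secure cookies travel only over HTTPS
```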
26 Example: Credit Card Application
Data owner: consents; knows the purpose; can access and correct the data.