Computers, Privacy and Data Protection: an Element of Choice

Preface

Contents

Contributors

About the Authors

Part I Building and Rebuilding Legal Concepts for Privacy and Data Protection

1 The German Constitutional Court Judgment on Data Retention: Proportionality Overrides Unlimited Surveillance (Doesnt It?)

1.1 Introduction

1.2 The 2 March 2010 Judgment

1.2.1 Background

1.2.2 The Main Findings: A Proportionality Check

1.2.3 The German Court on Access and Use and the Role of Private Companies

1.2.4 Other Important Findings

1.3 The German Constitutional Court Judgment and Europe

1.3.1 Fundamental Rights and Data Retention

1.3.2 Affinities and Differences Among Judgments

1.4 The Politics Around the Judgment of 2 March 2010

1.4.1 The Reactions to the German Judgment

1.4.2 From the EU Perspective

1.5 Provisional Conclusions

2 The Noise in the Archive: Oblivion in the Age of Total Recall

2.1 Introduction

2.2 Total Recall

2.3 Delete

2.4 Noisy Bits

2.4.1 Digital Decay

2.4.2 Can You Handle the Truth?

2.5 Conclusion

References

3 Property in Personal Data: Second Life of an Old Idea in the Age of Cloud Computing, Chain Informatisation, and Ambient Intelligence

3.1 Introduction

3.2 New Challenges for the Information Society

3.2.1 New Structure of Relationships

3.2.1.1 Chain Informatisation

3.2.1.2 Cloud Computing

3.2.1.3 Ambient Intelligence

3.2.1.4 The Challenges

3.2.2 Shortcomings of the Current Approach

3.3 Introduction into the Propertisation Debate

3.3.1 Agreeing on Terms

3.3.2 Possibility of Propertisation of Personal Data

3.3.2.1 Fluid Nature of the Concept of Property in Law

3.3.2.2 Possibility of the Common-Law Debate in Continental Europe

3.4 Property Rights As a Regulatory Framework for the Modern Data Flow

3.4.1 What Property Rights Have to Offer

3.4.2 Market vs Non-Market Meaning of Property: Rebuttal to One Objection Against Property in Personal Data

3.4.3 Limitations of Property: Necessity of Regulation

3.5 Conclusions

References

4 Right to Personal Identity: The Challenges of Ambient Intelligence and the Need for a New Legal Conceptualization

4.1 Introduction

4.2 The Right to Personal Identity

4.3 Personality Rights and the Right to Identity

4.4 Right to Personal Identity and Constitutional Law: Jurisprudential Creation and Doctrinal Innovation

4.5 Human Rights and the Right to Personal Identity

4.6 Ambient Intelligence and the Challenges to the Right to Personal Identity

4.7 Broadening the Scope of the Right to Personal Identity: Critical Analysis of the Italian Jurisprudence in Light of the AmI Scenario

4.8 The Right to Multiple Identities

4.9 The Right to Be Forgotten

4.10 Conclusion

References

Part II The Dark Side: Suspicions, Distrust and Surveillance

5 Frames from the Life and Death of Jean Charles de Menezes

5.1 Premise

5.2 Apparatus

5.3 Desubjectivation

5.4 Space

5.5 Body

5.6 Imago

5.7 Media

5.8 False Positives (Addendum)

References

6 Regulating Privacy: Vocabularies of Motive in Legislating Right of Access to Criminal Records in Sweden

6.1 Introduction

6.1.1 Regulating Privacy Through Opacity Tools and Transparency Tools

6.1.2 A Brief History of Swedish Crime Policy

6.2 Criminal Records Legislation and Subject Access, 19012009

6.2.1 1901: The Creation of a National Criminal Records Registry

6.2.1.1 A Protective Vocabulary

6.2.1.2 Creating Opacity

6.2.1.3 Subject Access

6.2.2 1963: Rehabilitation and Access Restrictions

6.2.2.1 The Rehabilitative Vocabulary

6.2.2.2 Subject Access

6.2.3 1987: Data Protection and Transparency

6.2.3.1 Subject Access

6.2.4 2009: A Mixture of Vocabularies

6.3 Concluding Remarks

References

7 Ubiquitous Computing, Privacy and Data Protection: Options and Limitations to Reconcile the Unprecedented Contradictions

7.1 Introduction

7.2 Challenges

7.2.1 Ubiquitous Surveillance

7.2.2 Increases in Data Quality

7.2.3 Persistent Data Storage

7.2.4 Re-personalization of Data

7.2.5 Increasing Information Asymmetry

7.2.6 Panoptic Society

7.3 Contradictions to the Current Fundaments of Privacy

7.3.1 Collection Limitation Principle

7.3.2 Data Quality Principle

7.3.3 Purpose Specification Principle

7.3.4 Use Limitation Principle

7.3.5 Procedural Principles

7.3.6 Automated Individual Decisions

7.4 Proposals to Overcome the Contradictions

7.4.1 Privacy Enhancing RFID Technologies

7.4.2 Identity Management

7.4.3 Privacy Respecting Ubiquitous Recording

7.4.4 Digital Rights Management

7.4.5 Legal Proposals

7.5 Concluding Reflections

References

8 EU PNR: European Flight Passengers Under General Suspicion The Envisaged European Model of Analyzing Flight Passenger Data

8.1 Introduction

8.2 Legal Background and Similarity Between the EU-PNR Proposal and the US-PNR System

8.3 Compliance of the EU-PNR Proposal with European Data Protection Rules

8.3.1 Reference Instruments and European Data Protection and Privacy Rules

8.3.2 General Principles of the ECtHR with Regard to Security-Related Data Processing

8.3.3 In Accordance with the Law and Foreseeability

8.3.4 Necessary in a Democratic Society

8.3.4.1 Purpose Limitation

8.3.4.2 Clear Definition of the Circumstances and the Limits of Processing

8.3.4.3 Limitation of the Individuals Subject to Surveillance

8.3.4.4 Time Limit

8.3.4.5 Risk of Stigmatization and Discrimination

8.3.4.6 Independent Control and Notification

8.3.4.7 Interim Findings

8.4 Applicable Law: From Private to Public Law

8.4.1 No Coherent Solution by the European Court of Justice

8.4.1.1 The Annulment of the Legal Basis of the First EU-US PNR Agreement

8.4.1.2 The Legal Basis of Data Retention

8.4.1.3 Two Cases, Two Different Solutions

8.4.2 Consequences for the EU-PNR Proposal

8.5 Conclusion and Improvement Suggestions

References

9 Options for Securing PCs Against Phishing and Espionage: A Report from the EU-Project Open Trusted Computing

9.1 Problems

9.2 Approaches

9.3 Progress

9.4 Conclusions

References

Part III Privacy Practices as Vectors of Reflection

10 Keeping Up Appearances: Audience Segregation in Social Network Sites

10.1 Introduction

10.2 Privacy Issues in Social Network Sites: Overview and Discussion

10.3 Privacy-Preserving Social Networking: Audience Segregation

10.3.1 Audience Segregation

10.3.2 Audience Segregation in Social Network Sites: Why?

10.4 A Note on Terminology

10.5 Transforming the Conceptual Framework into Practical Tools

10.5.1 Contact-Management: Collections

10.5.2 Setting Visibility Rights

10.5.3 Managing Multiple Faces in One Social Network Site: Tabs

10.6 Conclusion

References

11 Avatars Out of Control: Gazira Babeli, Pose Balls and Rape in Second Life

11.1 How to Relate to the Novel

11.2 Affordances and Constraints

11.3 An Imitation of Real Life Without Constraints or Simply with Different Constraints

11.4 Lost in Translation Between RL and SL

11.5 A Rough Wake-Up Call from the Illusion That the Metaverse Is a Place of Pure Freedom

11.6 The Art of Scripted Objects: Pose Balls and Virtual Role-Play Rape

11.7 Gazira Babeli: An SL Artist Who Is Truly Native

11.8 Naming the Offenses of the New World: Will We Make a Law for Enlightened Adults or for Minors

References

12 Privacy as a Practice: Exploring the Relational and Spatial Dynamics of HIV-Related Information Seeking

12.1 Introduction

12.2 Background and Context

12.3 On Method

12.4 Exploring the Relational and Spatial Dynamics of Privacy

12.4.1 Practices of Demarcating HIV and Non-HIV Places

12.4.2 The Difficulty of Moving Between HIV Places and Non-HIV Places

12.5 Privacy Practices and HIV-Related Internet Use

12.5.1 Putting the Internet in Its Place

12.5.2 Practices for Making Internet Use Private

12.5.3 Places and Spaces of Privacy Online

12.6 Conclusion

References

13 Rise and Phall: Lessons from the Phorm Saga

13.1 Behavioural Targeting

13.2 Webwise

13.3 Practical and Legal Implications

13.4 Data Protection and Sensitive Personal Data

13.5 The Rise and Fall of Phorm

13.5.1 BT''s ''Secret'' Trials

13.5.2 Phorm's Defence

13.5.3 European Involvement

13.5.4 Privacy Friendly?

13.5.5 Rise and Phall?

13.6 The Fall Out from Phorm

13.7 Phorm: Symbiotic Regulation in Practice

13.7.1 Facebook's Beacon and Google StreetView

13.7.2 Ramifications for Government and Business

13.8 Maintaining the Beneficial Symbiosis

References

14 Disclosing or Protecting Teenagers Online Self-Disclosure

14.1 Introduction

14.2 Policy Framework

14.2.1 Regulatory Policy Initiatives

14.2.2 Self- and Co-regulatory Initiatives

14.3 Teenagers Online Disclosure in Websites: A Literature Review

14.3.1 Types of Personal Data

14.3.2 Privacy Concern and Perceived Benefits

14.3.3 Parental Mediation

14.3.4 Other Variables: Gender, Age and ICT-Use

14.4 Survey Among Teenagers

14.4.1 Method

14.4.2 Results

14.4.2.1 Descriptive Findings

14.4.2.2 Regression Results

14.5 Conclusion

References

15 Why Adopting Privacy Enhancing Technologies (PETs) Takes so Much Time

15.1 About PETs and the Research Questions

15.2 Technological Innovations

15.3 Diffusion and Adoption of Technological Innovations

15.4 Factors of Organizational Adoption of Technological Innovations

15.5 Specific Characteristics

15.5.1 Innovation Characteristics

15.5.2 Organizational Characteristics

15.6 Encompassing Model

15.7 Interviews with Experts

15.8 Explanations of the Terms

15.8.1 Relative Benefit

15.8.2 Compatibility

15.8.3 Complexity

15.8.4 Costs

15.8.5 Testability

15.8.6 Role of Advisory Institutions

15.8.7 Social Recognition

15.8.8 PETs Woven into Business Processes

15.8.9 Top Management's Attitude Towards Change Caused by PETs

15.8.10 Structure and Size of the Organization

15.8.11 Complexity of Organizational Processes

15.8.12 Presence of Key Persons

15.8.13 Ties with Advisory Institutions

15.8.14 Perception and Level of Awareness of Privacy Regulations

15.8.15 Diversity of Information Systems

15.8.16 Type of Processed Data

15.8.17 Pressure by Privacy Laws

15.8.18 Complexity of Privacy Laws

15.8.19 Existing Offer of PETs Measures

15.8.20 Visibility

15.9 Summary of the Results

15.10 Identity and Access Management (Iam) Maturity Model

15.11 Changing the Negative Adoption Factor of Costs into a Positive One

15.12 Business Case for Pets Investments

15.13 Annual Loss Expectancy

15.14 Return on Investment (ROI)

15.15 Return on Security Investment (ROSI)

15.16 ROI for Privacy Protection

15.17 Ixquick

15.18 Net Present Value (NPV)

15.19 The Case of the National Victim Tracking and Tracing System (ViTTS)

15.20 Conclusion

References

Part IV Privacy and Data Protection in the Cloud

16 Can a Cloud Be Really Secure A Socratic Dialogue

16.1 Prologue

16.2 The Dialogue

16.3 Epilogue

References

17 Privacy Regulations for Cloud Computing: Compliance and Implementation in Theory and Practice

17.1 Introduction

17.2 Cloud Computing

17.3 Privacy Regulations

17.3.1 EU Directive 95/46/EC

17.3.2 The Safe Harbor Agreement

17.3.3 The FTC Fair Information Practice

17.3.4 Other Privacy Regulations

17.3.5 Common Principles in Privacy Regulations

17.4 Privacy Issues for Cloud Service Providers

17.4.1 The CSP and Privacy Regulations

17.5 Privacy Regulations in Theory and Practice

17.6 Conclusions

References

18 Data Protection in the Clouds

18.1 Introduction

18.1.1 Some Technical Aspects and Specific Risks Linked with Cloud Computing Services

18.1.1.1 A Brief History

18.1.1.2 Cloud Computing

18.1.2 Specific Risks Associated with Cloud Computing

18.2 Personal Data Flows Within Any Cloud Computing System

18.3 Domestic and Non Domestic Uses

18.4 The Protection of Legal Persons

18.5 Liability of the Actors

18.6 Transparency and Duties of Information Including in Case of Security Breaches

18.7 Security

18.7.1 Introduction

18.7.2 Specific Security Obligations

18.8 Transborder Data Flows and Applicable Law to the Processing of Personal Data

18.8.1 Applicability of the Existing Legal Framework of Additional Protocol 181

18.8.2 International Transfers of Personal Data/Storage of Personal Data and Law Enforcement Objectives

18.8.3 Limitations to Transborder Flows and Applicable Law to the Processing of Personal Data

18.9 Law Enforcements Agencies and Data Retention

18.10 Conclusions

References

19 Privacy-Preserving Data Mining from Outsourced Databases

19.1 Introduction

19.2 Related Work

19.3 Preliminaries: Pattern Mining

19.4 Privacy Model

19.5 Encryption/Decryption Scheme

19.5.1 Encryption

19.5.2 Decryption

19.6 Preliminary Experimental Results

19.7 Future Work

19.8 Summary

References

20 Access Control in Cloud-on-Grid Systems: The PerfCloud Case Study

20.1 Introduction

20.2 PerfCloud Architecture

20.3 Access Control in Cloud-on-grid Architectures

20.4 Access Control and Roles in PerfCloud

20.5 The Implementation of Access Control Mechanisms in PerfCloud

20.6 Related Work

20.7 Conclusions and Future Work

References

21 Security and Privacy in the Clouds: A Birds Eye View

21.1 Introduction

21.2 Cloud Computing

21.2.1 Foundations

21.2.2 Implementations

21.2.3 Security

21.3 The Ideal of Encrypted Processing

21.4 Putting Physical Limitations Back in Place

21.5 Outsourced Identity

21.6 Informational Precaution

21.7 Conclusions

References